[Tutorial] How I do port forwarding - simple and straightforward

Started by theogravity, May 29, 2018, 03:21:51 AM

Hi there!

After going through quite a few guides on the forums on how to port forward, I felt I was not getting anywhere with getting my port forwards to work.

The following is a guide on how to set up a port forward, as if you were doing it from a consumer-grade router, using IPv4 on OPNsense v18.1.

Firewall settings

Firewall -> Settings -> Advanced:

- Reflection for port forwards: Enabled
- Reflection for 1:1: Disabled
- Automatic outbound NAT for Reflection: Enabled

Save.

Port Forwarding:

- You have a host with IP 192.168.1.200, with port 3100 open TCP.

- You want to port forward from the outside 3200 to 3100.

Step 1: Set up aliases

Oversimplified explanation: aliases are friendly names for IP addresses. If you're managing a bunch of IPs to forward, it's best to give each IP address a label.

Under Firewall > Aliases > add a new alias:

- Name: A short friendly name for the IP address you're aliasing. I'll call it "media-server"
- Type: Host(s)
- Aliases: Input 192.168.1.200

Save.

Step 2: Register the port forward

Firewall > NAT > Port Forward > add:

- Interface: WAN
- TCP/IP Version: IPv4
- Protocol: TCP

Under Source > Advanced:

- Source / Invert: Unchecked
- Source: Any
- Source Port Range: any to any

- Destination / Invert: Unchecked
- Destination: WAN address
- Destination Port range: (other) 3200 to (other) 3200

- Redirect target IP: Alias "media-server"
- Redirect target Port: (other) 3100

- Pool Options: Default
- NAT reflection: Enable
- Filter rule association: Rule NAT

Save, and you should now be able to forward incoming port 3200 to 3100.

Feel free to respond if I should make any corrections or have comments. I'm not an expert at this, BTW.

I tried setting up my DVR following this method and still cannot access it. Any ideas what I may be doing wrong?

Can you verify that you are not sitting behind a CGN (carrier-grade NAT)?

Thanks for the Reflection settings, which made all the difference here. Nicely done.

Apparently the reflection setting did the trick. I did select reflection at the bottom of my port forward, but it didn't seem to work until I did it in the global place. I don't really get why that option would not be enabled by default.

I really found this tutorial helpful, thank you for taking the time to publish it.

Does something special need to be done for port 80? I'm hosting a website and I've already changed the admin UI to port 440 and disabled the web GUI redirect rule, but I just time out any time I try to connect to it. My DNS is already set to the public IP, and I can access all my other stuff that's forwarded just fine.

edit: I changed it from being port 80 in the destination port range to any, redirecting to port 80, and now I can access the site, but for some reason when I click a hyperlink back to the home page it times out, whereas it didn't when I was forwarding port 80 TCP/UDP on the ISP-provided router. Hmm.

The hyperlink is just set to the same address you type in the URL bar; this makes no sense.

edit 2: OK, it's when you put http:// in front of the URL that it times out. Any ideas on why OPNsense is stopping that from working?

edit 3: Now it seems to be working fine. Weird. The only annoying thing is that previously I could type the address into a web browser and the site would pull up in my browser just fine while I was on the LAN; however, now I have to type in the IP instead. Any ideas on getting that to work again? I'd much rather just type the website name as I had been doing.

Used hidemyass to try and connect from another country through a VPN and it looks like it's just timing out, so it's still not set up right, but it does work if I use the IP address. Ugh.

If I'm going to use port forwarding under OpenVPN, which all my clients under DHCP are getting now, should I just change WAN to VPN in this tutorial?

Can't get it to work.

Hi, I have spent some days struggling to run a port forward for RDP to a Windows machine; look at my screenshot.

Any idea?

Hi.

I did exactly what you described, because I think this way is obvious. And it works, so thanks for the clarification.

But: the packets are forwarded with SNAT, that is, the source IP is changed to the OPNsense IP. That is problematic if you try to analyse the packet source or simply print the source IP address. How can this behavior be disabled? I did not find any solution or help by searching the internet.

Thanks in advance, Philipp

-- edit: disabling "NAT reflection" did not help

I am doing port forwards with multi-WAN on 19.7. On my side, I didn't have to change "Reflection for port forwards" and "Automatic outbound NAT for Reflection" at rule level or global level (in Firewall -> Settings -> Advanced). I only unchecked "sticky connections", but this is mostly because I am using multi-WAN in a failover mode. The trick was to select all my WAN interfaces as "Interface" and "This Firewall" as "Destination" in all rules.

I understand reflection is necessary if you try to connect through your WAN public IP from your LAN, but it's not necessary if you connect from a completely different network (from your cell phone on 4G, for example). Also, I realized the "Automatic outbound NAT for Reflection" option breaks a multi-WAN failover configuration (if tier 1 is off, it doesn't switch to tier 2 automatically).

Quote from: zanib on October 05, 2018, 06:05:15 AM
I tried setting up my DVR following this method and still cannot access it. Any ideas what I may be doing wrong?

Thanks. Been looking for a simple tutorial and this one helped.

Hey,

I have no such thing as:
Under firewall > aliases > add a new alias
I use 20.7.7.