[Tutorial] How I do port forwarding - simple and straightforward

[theogravity]

Hi there!

After going through quite a few guides on the forums on how to port forward, I felt I was not getting anywhere with getting my port forwards to work.

The following is a guide on how to set up a port forward, as if you were doing it from a consumer grade router using IPv4 on v18.1 of opnsense.

Firewall settings

Firewall -> Settings -> Advanced:

Code: [Select]

- Reflection for port forwards: Enabled
- Reflection for 1:1: Disabled
- Automatic outbound NAT for Reflection: Enabled

Save.

Port Forwarding:

- You have a host with IP 192.168.1.200, with port 3100 open TCP.

- You want to port forward from the outside 3200 to 3100.

Step 1: Set up aliases

Too simple explanation: Aliases are friendly names to IP addresses. If you're managing a bunch of IPs to forward, it's best to give the IP address a label.

Under firewall > aliases > add a new alias

Code: [Select]

- name: A short friendly name for the IP address you're aliasing. I'll call it "media-server"
- type: Host(s)
- Aliases: Input 192.168.1.200

Save.

Step 2: Register the port forward

Firewall > NAT > Port forward > add

Code: [Select]

- Interface: WAN
- TCP/IP Version: IPv4
- Protocol: TCP

Under Source > Advanced:

- Source / Invert: Unchecked
- Source: Any
- Source Port Range: any to any

- Destination / Invert: Unchecked
- Destination: WAN address
- Destination Port range: (other) 3200 to (other) 3200

- Redirect target IP: Alias "media-server"
- Redirect target Port: (other) 3100

- Pool Options: Default
- NAT reflection: Enable
- Filter rule association: Rule NAT

Save, and you now should be able to forward an incoming 3200 to 3100.

Feel free to respond if I should make any corrections or have comments. I'm not an expert at this, BTW.

[zanib]

I tried setting up my dvr following this method and still cannot access it.  Any ideas what I may be doing wrong?

[the-mk]

can you verify that you are not sitting behind a CGN (carrier grade nat)?

[cumtbio]

 

good job. I can access my server now. thanks

[Dougle]

Thanks for the Reflection settings, which made all the difference here. Nicely done.

[floydian]

Apparently the reflection setting did the trick.  I did select reflection on the bottom of my port forward, but it didn't seem to work until I did it in the global place.  I don't really get why that option would not be enabled by default.

I really found this tutorial helpful, thank you for taking the time to publish it.

[XOIIO]

Does something special need to be done for port 80? I'm hosting a website and I've already changed the admin ui to port 440, and disabled the web gui redirect rule, but I just time out any time I try to connect to it, my dns is already set to the public ip, and I can access all my other stuff that's forwarded just fine.

edit: I changed it from being port 80 in the destination port range to any, redirecting to port 80 and now I can access the site, but for some reason when I click a hyperlink back to the home page it times out, whereas it didn't when I was forwarding port 80 tcp/udp on the isp provided router, hmm

The hyperlink is just set to the same address you type in the url bar, this makes no sense.

edit 2: Ok, it's when you put http:// in front of the url that it times out, any ideas on why opnsense is stopping that from working?

edit 3: now it seems to be working fine. Weird. The only annoying thing is previously I could type the address into a web browser and the site would pull up in my browser just fine while I was on the lan, however now I have to type in the IP instead. Any ideas on getting that to work again? I'd much rather just type the website name as I had been doing.

[XOIIO]

Used hidemyass to try and connect from another country through a vpn and it looks like it's just timing out so it's still not set up right, but it does work if I use the ip address. Uhg.

[HA4g3n]

If im gonna use portforward under OpenVPN that all my clients under DHCP are getting now should i just change the WAN for VPN in this tutorial ?

Dont get it to work.

[rickygm]

Hi , I have some days of struggling to run a port forward rdp for a windows machine, look  my screenshot

any idea?

[vielleicht]

Hi.

I exactly did what you described, because I think this way is obvious. And it works, so thanks for clarification.

But: The packets are forwarded with a SNAT, that is, the source ip will be changed to the OpnSense-IP. That is problematic if you try to analyse the packet source or simply print the source ip adress. How can this behavior be disabled? I did not find any solution or help by searching the internet.

Thanks in advance, Philipp

-- edit: disabling "NAT reflection" did not help

[zibloon]

Apparently the reflection setting did the trick.  I did select reflection on the bottom of my port forward, but it didn't seem to work until I did it in the global place.

On 19.7, it is mandatory to modify "Firewall -> Settings -> Advanced:" like this:

Code: [Select]

- Reflection for port forwards: Enabled
- Reflection for 1:1: Disabled
- Automatic outbound NAT for Reflection: Enabled
But changing "NAT reflection" in "Firewall > NAT > Port forward > add" doesn't have any effect

By the way, on a Multi Wan installation I had to enter:

- Interface: = all WAN interfaces + the LAN interface!?!
- Destination: = any