[Tutorial] How I do port forwarding - simple and straightforward

Started by theogravity, May 29, 2018, 03:21:51 AM

Hi, I finally got my LAN -> WAN port forwarding working by updating this setting (check attachment)

Version: OPNsense 23.1

Question: I read this thread hinting that it has a 'Rule NAT' option (I only had a 'Rule' option) and some other threads that suggested 'add associated filter rule' (I have never seen this option even in this case). The issue I had earlier however was that there were 2 'Rule' options in the drop down, and then when I changed the 80 NAT's option to Pass, one of the 'Rule' options disappeared, and then when I changed the 443 NAT's option to Pass, the other 'Rule' option disappeared.

Then I went back to 80's NAT config, and the only options left were 'None' and 'Pass'. So I chose Pass.

Is this normal? or is it a bug?


Actually I have the same question. It looks like when a rule is created, there is a "Rule" option. But when you try to change it, there is only None and Pass. Is that by design?

I am trying to get this to work for my video recorder as well and I have tried all kinds of different configurations with no luck.  I am coming from Ubiquiti Gateway and it was working perfectly on my Ubiquiti system.  Wondering also if there might be an issue with my Ubiquiti Controller interfering with the traffic?  I have disabled all of the original rules but have not changed anything.

Thanks in advance,

Mark

Quote from: vielleicht on June 15, 2019, 08:48:23 PM
Hi.

I exactly did what you described, because I think this way is obvious. And it works, so thanks for clarification.

But: The packets are forwarded with a SNAT, that is, the source IP will be changed to the OPNsense IP. That is problematic if you try to analyse the packet source or simply print the source IP address. How can this behavior be disabled? I did not find any solution or help by searching the internet.

Thanks in advance, Philipp

-- edit: disabling "NAT reflection" did not help

Hi Philipp, did you solve this problem?

Quote from: mkozik1 on April 09, 2023, 10:42:33 PM
I am trying to get this to work for my video recorder as well and I have tried all kinds of different configurations with no luck.  I am coming from Ubiquiti Gateway and it was working perfectly on my Ubiquiti system.  Wondering also if there might be an issue with my Ubiquiti Controller interfering with the traffic?  I have disabled all of the original rules but have not changed anything.

Thanks in advance,

Mark

Good evening,

I was wondering if someone could help me please.  I had to put the project on pause for a minute - I have been using the firewall on another network and it has been working flawlessly.  My UBT Gateway has since bit the dust and I must move that network to the OPNsense device, however, I cannot get port forwarding to work to save my life.  I have completed all of the entries noted in this tutorial as well as many others I have reviewed but I can never seem to get the port checkers to tell me the port is open.

Interface: WAN
TCP/IP Version: IPv4
Protocol: TCP/UDP
Source: WAN Address
Source port range: (other) 8000 from and to
Destination: WAN Address
Destination Port range: Any Any
Redirect target IP: Single Host with IP address of recorder
Redirect target port: (other) 8000
Allowed the rule to create the associated WAN rule and checked that it is there.

Thoughts please?

Thanks in advance!

I've just been through this, there's no need to forward ports or change NAT reflection options, just add an alias. Select Host and enter the static IP of the PS4.  Then set settings->outbound to hybrid and add a rule, select source as your PS4 alias and click static, that's all that's needed.

Hi, it's 2024, this post will help you but you need to perform an additional step.

From "Interfaces>>[WAN]" go to "Generic configuration" section and uncheck the "Block private networks". And it will work.

I found this by watching the log files (location: Firewall >> Log Files >> Live View).

The issue below was caused by LAN networking problems. I needed to configure the default gateway on the clients and the switch. After doing that, the port forwarding configuration on the firewall worked perfectly.


I'm working with a network such as the following.

             __   _
           _(  )_( )_
          (_   _    _) Internet
            (_) (__)
              |
          .---'--------------.   
          | Company Firewall |
          '---.--------------'
              |
              |
          .---'--------------------------.
          | 192.168.100.0/24 WAN Network |
          '------.-----------------------'
                 |
                 | WAN (WAN_EXTERNAL)
  .--------------'------------------------------.
  |           192.168.100.92                    |
  |          OPNsense Firewall                  |
  | 192.168.1.1                      172.16.0.6 |
  '----.-----------------------------------.----'
       | LAN                               | LAN_ADMIN
       | (LAN_MGMT)                        | (opt1)
.------'---------------------.    .---------------------------------.
| 192.168.1.0/24 LAN Network |    | 172.16.0.0/24 ADMIN-LAN Network |
'----------------------------'    '---------------------------------'


I have an OPNsense Firewall deployed in the lab.

The WAN side of the OPNSense Firewall is our internal company network that is protected from the Internet by the Company Firewall.

The OPNsense Firewall's LAN interface is only used for management. It's a copper network with basically one computer connected to interface with it.

I've added a LAN_ADMIN interface on OPT1, which is a fiber network.

The LAN_ADMIN interface has all the same firewall rules as the LAN interface, adjusted appropriately. (i.e. Default allow LAN_ADMIN to any for IPv4 and IPv6).

I want to enable port forwarding so that doing ssh from the 192.168.100.0/24 network (WAN) to the OPNsense Firewall is actually port forwarded to doing ssh on 172.16.0.2 in the LAN_ADMIN interface.

i.e.
ssh 192.168.100.92 is port forwarded to ssh 172.16.0.2

I've followed this guide but it's not working for me.

The ssh attempt fails with the message "Connection timed out"

An example of the error follows:


C:\Users\rocha\Desktop>ssh -vvvv 192.168.100.92
OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3
debug3: Failed to open file:C:/Users/rocha/.ssh/config error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_config error:2
debug2: resolve_canonicalize: hostname 192.168.100.92 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> 'C:\\Users\\rocha/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> 'C:\\Users\\rocha/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug3: ssh_connect_direct: entering
debug1: Connecting to 192.168.100.92 [192.168.100.92] port 22.
debug3: finish_connect - ERROR: async io completed with error: 10060, io:0000020C20C216E0
debug1: connect to address 192.168.100.92 port 22: Connection timed out
ssh: connect to host 192.168.100.92 port 22: Connection timed out



Additional configuration information (Firewall : Settings : Advanced)

Reflection for port forwards : Enabled
Reflection for 1:1: Disabled
Automatic outbound NAT for Reflection: Enabled
Disable reply-to: Enabled


Log information (Firewall : Log Files : Live View)

When the ssh command is started I see the following entries in the logs

Interface      Time                       Source                Destination          Proto  Label
WAN_EXTERNAL   2024-07-09T13:49:23-07:00  192.168.100.92:123    198.137.202.32:123   udp    let out anything from firewall host itself (force gw)   
LAN_ADMIN      2024-07-09T13:49:14-07:00  192.168.200.44:54263  172.16.0.2:22        tcp    let out anything from firewall host itself   
WAN_EXTERNAL   2024-07-09T13:49:14-07:00  192.168.200.44:54263  172.16.0.2:22        tcp    FORWARD SSH TO NODE ON ADMIN LAN   
WAN_EXTERNAL   2024-07-09T13:49:14-07:00  192.168.200.44:54263  192.168.100.92:22    tcp    rdr rule


Any tips or suggestions for how to proceed would be appreciated.
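The live-view rows above can be followed mechanically. The script below is an added example (not OPNsense tooling and not the poster's code): it parses rows in the same six-column layout, picks out one client connection by its source port, and reports the rdr translation (public destination versus the destination the packet left with), the inner interface it was delivered on, whether the target would see the real client address or the firewall's own address (the SNAT behaviour Philipp asked about earlier in the thread), and whether the client sits outside the target's subnet, in which case the target needs a route back through the firewall's inner address. The log lines are constructed to match the table in the post; the firewall and network addresses are taken from the diagram.

```python
"""Trace a port-forwarded connection through OPNsense live-view log rows.

Added example. The LOG text is constructed to mirror the forum table above;
FIREWALL_IPS and INNER come from the network diagram in the same post.
"""
import ipaddress
from collections import namedtuple

Entry = namedtuple("Entry", "iface time src dst proto label")

# Constructed rows in the live-view column order (header line included).
LOG = """\
Interface      Time                       Source                Destination          Proto  Label
WAN_EXTERNAL   2024-07-09T13:49:23-07:00  192.168.100.92:123    198.137.202.32:123   udp    let out anything from firewall host itself (force gw)
LAN_ADMIN      2024-07-09T13:49:14-07:00  192.168.200.44:54263  172.16.0.2:22        tcp    let out anything from firewall host itself
WAN_EXTERNAL   2024-07-09T13:49:14-07:00  192.168.200.44:54263  172.16.0.2:22        tcp    FORWARD SSH TO NODE ON ADMIN LAN
WAN_EXTERNAL   2024-07-09T13:49:14-07:00  192.168.200.44:54263  192.168.100.92:22    tcp    rdr rule
"""

# Firewall-owned addresses and inner networks, from the diagram above.
FIREWALL_IPS = {"192.168.100.92", "192.168.1.1", "172.16.0.6"}
INNER = {
    "LAN_ADMIN": (ipaddress.ip_network("172.16.0.0/24"), "172.16.0.6"),
    "LAN": (ipaddress.ip_network("192.168.1.0/24"), "192.168.1.1"),
}


def parse_live_view(text):
    """Parse whitespace-separated rows; the label column keeps its spaces."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        # The header row and any malformed line fail the protocol check.
        if len(parts) == 6 and parts[4] in ("tcp", "udp"):
            rows.append(Entry(*parts))
    return rows


def endpoint(ep):
    """Split 'host:port' into (host, int port)."""
    host, port = ep.rsplit(":", 1)
    return host, int(port)


def trace_forward(rows, client_port):
    """Follow one TCP connection (identified by the client's source port)
    through the rdr entry, the pass entry on the same interface, and the
    entry on the inner interface where it was delivered."""
    flow = [r for r in rows if r.proto == "tcp" and endpoint(r.src)[1] == client_port]
    rdr = next((r for r in flow if r.label == "rdr rule"), None)
    if rdr is None:
        return {"status": "no rdr entry: the NAT rule did not match this connection"}
    # After translation the same packet is logged again with the new destination.
    passed = next((r for r in flow if r.iface == rdr.iface and r.dst != rdr.dst), None)
    inner = next((r for r in flow if r.iface in INNER), None)
    if passed is None or inner is None:
        return {"status": "rdr matched but no pass entry followed: check the filter rule"}
    real_client = endpoint(rdr.src)[0]
    seen_by_target = endpoint(inner.src)[0]      # what the target host will log
    net, gateway = INNER[inner.iface]
    off_subnet = ipaddress.ip_address(real_client) not in net
    return {
        "status": "forwarded",
        "public_dst": rdr.dst,
        "translated_dst": passed.dst,
        "delivered_on": inner.iface,
        # True when outbound NAT rewrote the source to a firewall address.
        "snat_applied": seen_by_target != real_client or seen_by_target in FIREWALL_IPS,
        "client_off_subnet": off_subnet,
        # The target must reach an off-subnet client via the firewall's inner IP.
        "return_gateway": gateway if off_subnet else None,
    }


if __name__ == "__main__":
    for key, value in trace_forward(parse_live_view(LOG), 54263).items():
        print(f"{key:18} {value}")
```

Run it as-is to see the trace for the SSH attempt in the post: the connection is translated and delivered on LAN_ADMIN with the client's original source address intact, and because 192.168.200.44 is not in 172.16.0.0/24 the report names 172.16.0.6 as the gateway the target needs, which matches the poster's own resolution (configuring the default gateway on the clients and the switch).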

Hello,

Oddly I am having the same issue for port forwarding 80 and 443.  I am very new to OPNsense. I was a Sophos UTM user for over 15 years before I exceeded the 50 computer free home license version and could not easily get ahold of a rep to see what a paid version would cost. I bought a $200 plus home gaming router only to find out it only supports 30 static DHCP reservations, so I researched for a rock solid and highly recommended open source firewall / router software to learn and use.

I just set up my OPNsense firewall last weekend, and just did the most basic "out of the box" install and started using it. This weekend I am hoping to get the port forwarding up and working, and then look at additional packages / functions to install. I did watch a few YouTube videos, read some forums and dug around a little and still no go.  I found a really great HOW-TO at https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-opnsense-nat
They have very good straightforward instructions for port forwarding 80 and 443.  I do have my WAN unchecked to allow private networks to pass. But alas still no luck getting it to work. One of the videos noted the website ping.eu to use to test whether the port is open or not.  I thought that would be easier than trying to do it from my cell phone to test the ports from an outside source.

Does anyone have a very step by step list of all the settings, and post them to cross reference? I saw in an earlier post there was a configuration of what settings to set for a recorder and cross checked against that with no luck. I just updated and am running the latest firmware of OPNsense as of August 3, 2024. There has to be something very simple I am missing.

Interfaces WAN: I have block private networks unchecked. I have no idea why that should matter, any private I.P. scopes are not passed by Internet / ISP routers to begin with (unless it is looking at the outgoing traffic, but then all internal machines would / should be NATed so that as they leave out the WAN they have the I.P. of the WAN interface and not the internal 192.168.x.x). I would think it could be checked so it blocks that.

Interface: WAN
TCP/IP Version: IPV4
Protocol: TCP
Source: Left at default / un touched
Destination / invert: un checked (at default)
Destination: WAN Address
Destination Port range:  From: HTTP        To: Http
Redirect Target IP: Single host or network   and then internal I.P. of webcam server.
Redirect target port: Http
Pool options: Default (never changed)
Log:  I have it logging packets for now.
Category: (left blank / default)
Description: Allow HTTP to Webcam
Set local tag: (empty / at default)
Match local tag:  (empty / at default)
No XML RPC Sync:  (unchecked / at default)
NAT Reflection:  Use system default
Filter rule association:  Rule Allow HTTP to web cam (I had it selected to create the rule so that is what it did and put for description)

My HTTPS port forwarding is also the very same settings with the exception of pointing to the web server and using HTTPS.

Anything jumping out at any one?
Chad

Hello,  I have figured out the issue as to why my port forwarding was not working. It was nothing to do with what I was doing or setting up in OPNsense. I live in an area called the Quad Cities, which is Davenport and Bettendorf, Iowa, and Rock Island and Moline, IL. We have an all-fiber Internet provider called MetroNet. I have had their service for about 3 months and was not doing much with my camera system and web server so I never knew that port forwarding was not working. (even with my TP-Link gaming router)

So a generalized F.Y.I. to all who are / may be having the same issues as I was.  Make a call to your ISP to double check whether it is anything on their end. So in my case with MetroNet, how / what they use to give me my I.P. (WAN) address will not allow any port forwarding of any kind. I even was using NoIP's DDNS service which I pay for.  I was noticing that the I.P. my WAN was getting was not what was being reported as my WAN address as seen by the outside Internet. In order to fix and resolve the situation, I needed to request a static I.P. from my ISP, and for an extra $10 a month it's worth it.

So after my ISP issued and converted my account over to a static I.P. address, everything works. When I go to the Ping.EU website and run their utilities to check whether port 80 and 443 are open, it now reports them as open, whereas each time I tried the other day it would report them as closed. I watched many videos and forum posts on how to do port forwarding, and my settings were exactly as stated in the videos / forum posts but no luck. I even for a time wiped out my OPNsense firewall system and just for the heck of it as a control test installed pfSense and got the same results.  I know pfSense is a very, very bad word in this forum, but I am re-installing OPNsense now on it.  I must say I do like OpenSense and its GUI much better than Open Sense.

Just glad to know I was not going nuts and doing something wrong, this forum has very good instructions, so again, if you have configured everything correctly for port forwarding and nothing is working, place a call to your internet service provider's technical support and see if there is something on their end causing the blockage. I was using Mediacom for my previous ISP service and with my NoIP DDNS service my port forwarding was working fine.

So it was not like I was using a store bought Linksys, or other brand home router / gaming router and just switched to using OPNsense, I switched providers altogether. So if you are using the same ISP, and whatever you were using before OPNsense is working fine with port forwarding, and you switch in OPNsense and it does not work, in that case I would assume a configuration might not be set correctly.

Quote from: theogravity on May 29, 2018, 03:21:51 AM
Step 1: Set up aliases

Too simple explanation: Aliases are friendly names to IP addresses. If you're managing a bunch of IPs to forward, it's best to give the IP address a label.

Under firewall > aliases > add a new alias


- name: A short friendly name for the IP address you're aliasing. I'll call it "media-server"
- type: Host(s)
- Aliases: Input 192.168.1.200

These are not the options for setting an alias.

They are:
Enabled: y/n
Name:
Type: Hosts
Categories: ?
Content: dropbox selection
Stats:
Description: