The one and only OPNsense port forwarding guide you ever need

So you are in the pitty situation that you need to make an IPv4 legacy system or application reachable but your port forwarding rules are not working? And watching a painfully 21 minute long YouTube video from a bearded guy did not help you in any way? Hold back your tears because you have just found the one and only port forwarding guide for OPNsense.

In order for port forwarding to work you need to things:

  1. A WAN rule allowing the traffic to reach your OPNsense
  2. A NAT/port forwarding rule “bending” the traffic to the right device on your network

You think you already did that correctly? You used the OPNsense port forwarding wizard and selected “Add associated filter rule” for the “Filter rule association” option? I’m now 100% certain that I know exactly what your mistake was! Hold back your tears just a little bit longer, because you are not alone with this problem. People just like you post to the OPNsense subreddit on a daily basis asking for help. Here is what you need to do:

Step 1: Create a port forwarding rule and enter the following:

Click “Save”. Don’t forget to click “Apply” afterwards.

Step 2: Create a WAN rule with the following details:

Click “Save”. Don’t forget to click “Apply” afterwards.

And you are done! That’s all it takes. If it works now you area allowed to release all the tears you held back and please tell me how many hours you wasted on this problem.

Interested in what went wrong? The underlying problem with the wizward creating a WAN rule for you is that it sets the wrong destination address. It sets for whatever reason the address of you device you want to forward traffic to. But the IP packets coming in on WAN does not match that rule and are dropped before reaching the port forwarding rule. Maybe you understand better when I explain it with real IPs.


You created this port forwarding rule:

If you let the wizard create a WAN rule for you this is the result:

However the signature of the IP packet received on WAN looks like this:

I’ve highlighted the problematic part with the ⚠️ icon. In your WAN rule the destination IP is the one from your LAN and not from your WAN interface. This generated rule simply never matches and traffic is dropped.

Du hast einen Kommentar, einen Wunsch oder eine Verbesserung? Schreib mir doch eine E-Mail! Die Infos dazu stehen hier.

🖇️ = Link zu anderer Webseite
🔐 = Webseite nutzt HTTPS (verschlüsselter Transportweg)