The one and only OPNsense port forwarding guide you ever need
Saturday, October 15 2022 · Reading time: 3 minutes · 555 words · Tags: opnsense
So you are in the pitiful situation that you need to make an IPv4 legacy system or application reachable, but your port forwarding rules are not working? And watching a painfully long 21-minute YouTube video from a bearded guy did not help you in any way? Hold back your tears, because you have just found the one and only port forwarding guide for OPNsense.
In order for port forwarding to work you need two things:
- A WAN rule allowing the traffic to reach your OPNsense
- A NAT/port forwarding rule “bending” the traffic to the right device on your network
You think you already did that correctly? You used the OPNsense port forwarding wizard and selected “Add associated filter rule” for the “Filter rule association” option? I’m now 100% certain that I know exactly what your mistake was! Hold back your tears just a little bit longer, because you are not alone with this problem. People just like you post to the OPNsense subreddit on a daily basis asking for help. Here is what you need to do:
Step 1: Create a port forwarding rule and enter the following:
- Interface: WAN
- TCP/IP Version: IPv4
- Protocol: You have to choose whatever your application/game needs
- Destination: WAN address
- Destination port range: You have to choose again
- Redirect target IP: The IP address of your host on your LAN where traffic should be routed
- Redirect target port: Probably the same port as above
- Filter rule association: Pass. I repeat! Select “Pass”!
Click “Save”. Don’t forget to click “Apply” afterwards.
Step 2: Create a WAN rule with the following details:
- Interface: WAN
- Direction: In
- TCP/IP Version: IPv4
- Protocol: The same as from your port forwarding rule
- Source: any
- Destination: WAN address
- Destination port range: The same as from your port forwarding rule
Click “Save”. Don’t forget to click “Apply” afterwards.
And you are done! That’s all it takes. If it works now, you are allowed to release all the tears you held back, and please tell me how many hours you wasted on this problem.
Interested in what went wrong? The underlying problem with the wizard creating a WAN rule for you is that it sets the wrong destination address. For whatever reason it sets the address of the device you want to forward traffic to. But the IP packets coming in on WAN do not match that rule and are dropped before reaching the port forwarding rule. Maybe you understand better when I explain it with real IPs.
Assumptions:
- The IP address trying to reach you is 212.40.3.1
- Your IP address at home is 90.55.5.5
- The device on your LAN you want to forward traffic to is 192.168.0.40
- Protocol is UDP and port is 20017
You created this port forwarding rule:
- Protocol: UDP
- Destination: WAN address
- Translation target: 192.168.0.40
- Destination port range: 20017
If you let the wizard create a WAN rule for you this is the result:
- Source: any
- Destination: 192.168.0.40 ⚠️
- Protocol: UDP
- Destination port range: 20017
However the signature of the IP packet received on WAN looks like this:
- Source: 212.40.3.1
- Destination: 90.55.5.5 ⚠️
- Destination port: 20017
I’ve highlighted the problematic part with the ⚠️ icon. In your WAN rule the destination IP is the one from your LAN and not from your WAN interface. This generated rule simply never matches and traffic is dropped.
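To make the mismatch tangible, here is a small added example (not part of the original post and not OPNsense or pf code) that models first-match filter evaluation against the packet exactly as the post describes it arriving on WAN. The addresses, the "WAN address" alias and the rule fields are the post's example values; the matching logic is a deliberately simplified model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed value from the post's example: the firewall's own WAN IP.
WAN_ADDRESS = "90.55.5.5"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class FilterRule:
    action: str           # "pass" or "block"
    proto: str            # "udp", "tcp" or "any"
    src: str              # "any", an address or a CIDR network
    dst: str              # "any", "WAN address", an address or a CIDR network
    dport: Optional[str]  # "20017", "20000-20100" or None for any port

def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "WAN address":  # alias for the interface's own IP, as in the GUI
        spec = WAN_ADDRESS
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _port_matches(spec: Optional[str], port: int) -> bool:
    if spec is None:
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def rule_matches(rule: FilterRule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and _addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and _port_matches(rule.dport, pkt.dport))

def evaluate(rules: list, pkt: Packet) -> str:
    """First matching rule wins; no match means the implicit default block."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "block (default)"

# The packet from the post: 212.40.3.1 -> 90.55.5.5, UDP port 20017.
INBOUND = Packet(src="212.40.3.1", dst=WAN_ADDRESS, proto="udp", dport=20017)
# Wizard-generated rule: destination is the LAN host, so it never matches.
WIZARD_RULE = FilterRule("pass", "udp", "any", "192.168.0.40", "20017")
# Step 2 rule from the post: destination is the WAN address, so it matches.
CORRECT_RULE = FilterRule("pass", "udp", "any", "WAN address", "20017")

if __name__ == "__main__":
    print("wizard rule :", evaluate([WIZARD_RULE], INBOUND))   # block (default)
    print("correct rule:", evaluate([CORRECT_RULE], INBOUND))  # pass
```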