Hi there, hoping to find some help with a naive networking question.
I recently bought my first firewall appliance, installed OPNsense and am going to use it with my ISP modem in bridge mode, but while I’m learning I added it to my existing LAN with a 192.168.0.0/24 address assigned to the WAN port by my current DHCP. On the firewall’s LAN port I set up a 10.0.0.0/24 network and am starting to build up my services. So far so good, but there’s one thing I can’t get to work: I can’t port forward the firewall’s WAN IP to a service on the firewall’s LAN network and I can’t figure out why.
To illustrate, I would like a laptop with IP 192.168.0.161 to be able to reach a service on 10.0.0.22:8888 by requesting the firewall WAN IP 192.168.0.136:4444.
Private IPs and bogons are permitted on the WAN interface and I have followed every guide I can find for the port forwarding, but the closest I have come to this working is a “connection reset” browser error.
Hope my question is clear and isn’t very dumb. Thanks for the help or any explanation why I might be struggling to get this to work. Am I missing something obvious?
MangoPenguin@lemmy.blahaj.zone 9 months ago
Post a screenshot of your NAT > Port Forward rule if you can; that will be the easiest way to help, I think.
tofubl@discuss.tchncs.de 9 months ago
The docker01 alias is a host alias with 10.0.0.22 and there’s an apache test container running on port 8888.
I have created a pass any in rule on WAN (just until I figure out what’s wrong).
In Firewall > Settings > Advanced, I have set “reflection for port forwards” and “automatic outbound NAT for reflection”, although I’m not sure if that is needed.
Is there any other info I can provide?
maxwellfire@lemmy.world 9 months ago
Your filter rule association is set to ‘rule’. What is that associated rule, and do things work if you change it to ‘pass’?
reddit.com/…/correct_option_for_filter_rule_assoc…
tofubl@discuss.tchncs.de 9 months ago
Here’s some more: From behind the firewall (i.e. from a 10.0.0.x IP) the port forward works (which would be a reflection, I suppose?).
From in front of the firewall, I get “connection reset”, which I interpret as somewhat working but then breaking somewhere else. Does that make sense?