[OPNsense] Need help reaching my DMZ servers from the internet (DynDNS domain)

[Wolven]

Hello.

A few days ago I set up an OPNsense box and split my network into a LAN and a DMZ. And I can't for the life of me reach my two Minecraft servers from the internet. Before I set up OPNsense I had them working fine behind my Netgear router with DynDNS and port forwarding. I'm no stranger to configuring a network and having a segregated LAN and DMZ, but the last time I did this was over 10 years ago, using Smoothwall Express. So I'm rusty...

Anyway. I'll describe my network as best I can.

Hardware:

The OPNsense box has three physical NICs, so I'm not using a VLAN.

NIC0: WAN - 192.168.1.0/24
NIC1: LAN - 192.168.10.0/24
NIC2: DMZ - 10.0.0.0/24

The server (Proxmox) has two physical NICs.

NIC0: LAN - 192.168.10.0/24
NIC1: DMZ - 10.0.0.0/24

I also have two Netgear switches, one 5 ports and one 8 ports, and a Netgear Wi-Fi router with 4 LAN ports.

The 5 port switch connects the DMZ and the 8 port switch connects the LAN and the Wi-Fi router. The WAN is connected to my ISP's router

Configuration:

I'm using Dynamic DNS (No-IP) to host my domain. Let's call it: "mydomain.com" I've set up two subdomains, one for each server: "creative.mydomain.com" and "survival.mydomain.com"

The two virtual servers are configured as follows:
creative - IP: 10.0.0.27 Port: 25565
survival - IP: 10.0.0.26 Port: 25566

Both servers get their IPs from DHCP, but they are static leases. From the game, I can connect to both servers from my LAN using "creative.mydomain.com" and "survival.mydomain.com" And they both respond to ping using their IPs, hostnames and full domain name.

Before I set up the OPNsense box, the servers could be reached from the internet, so as far as I know, both the servers and the No-IP configuration should be. The problem is my OPNsense configuration. I've tried various firewall rules, NAT settings, and DNS settings, but I just can't seem to get it right...

I've reset most of the settings back to the defaults now, to start from scratch and not confuse myself. So at the moment my configuration is very basic and as follows:

Firewall-Rules-DMZ


Services-DHCPv4-Leases


Services-Dynamic-DNS


Services-Unbound-DNS-General


Other than this, the configuration is default, as it is "out of the box". Unless there's something I messed with and forgot to revert back.

There's probably just some obvious basics I don't understand. Any pointers would be appreciated. Let me know if I left out some vital information and I'll provide it.

[Home Network Guy]

What do your NAT port forward rules look like? By default OPNsense doesn’t create the corresponding WAN rule so you will need to either manually add the WAN rule or change the default setting on “Firewall > Settings > Advanced” page. Enable both “Reflection for port forwards” and “Automatic outbound NAT for Reflection”. That should enable behavior similar to consumer based router and some other routers.

[Wolven]

Thanks for your reply.

I've tried different NAT port forwarding rules. At the time of creating the OP I had none, as I revered all the tweaks I'd made to start fresh.

Under Firewall -> Settings -> Advanced I already had Reflection for port forwards” and “Automatic outbound NAT for Reflection" enabled. Not sure I enabled these myself in my attempt to get this working, or if these are enabled by default.

The Port Forwarding rules, that makes sense to me:


Firewall Settings Advanced

[Home Network Guy]

I think I see the problem. You need to select WAN as your destination since you are port forwarding the WAN address to access your servers remotely. Then for the redirect address you would pick your internal server IPs.

[Wolven]

I've tried this also. And I just gave it another go now. Both with destination as WAN address and WAN net.

[Home Network Guy]

Use WAN address rather than WAN net. I forgot to specify earlier. Also do you see a corresponding WAN rule created for those 2 rules? You should have 2 rules created automatically on the WAN interface if you have those options enabled that I mentioned earlier.

[Wolven]

OK. So under Port Forwarding the destination is set to WAN address, not WAN net.

Both Reflection for port forwards and Automatic outbound NAT for Reflection are (and where) enabled, but no corresponding rule for WAN appeared under Firewall: Rules: WAN. I did test with allowing traffic through ports 25565 - 25566 in the WAN interface, but still no luck. Not sure if I did this part right, or why no rules got generated automagically.

[Home Network Guy]

That’s odd no WAN rules we’re automatically generated. Did you have those 2 advanced firewall settings enabled before creating the rule? The NAT rule and WAN rule you created looks good at a glance. You can’t see all the details of each rule on the main rule list pages so not sure if some other odd/incorrect settings are set.

Port forwarding should be pretty simple in general. I have some servers in the DMZ with port forwarding am that works well and the rules are auto generated on the WAN. You can tell which rules are auto generated from the NAT rule because you can’t edit those WAN generated rules. You can only remove them.

I’m trying to think of what’s wrong. There are lots of knobs and buttons you can turn and push in OPNsense and if you push the wrong ones then you can get into trouble. You said you started from a clean configuration with minor changes so that may not be the issue. I may try think about this more tomorrow. I was away from home today so I was answering in between doing other things with the family.

[Wolven]

Thanks for all the help so far. I really appreciate it.

Yes, both those firewall setting where enabled when I created the rule. The install is fresh, just a few days old, but I've been trying out different things, so there might be a setting which I've not reverted back to default. I can try to do a fresh install, now that I sort of know what the settings should look like. It doesn't require that much time and effort to do.

[Home Network Guy]

I just learned something today about NAT port forwarding. I had incorrectly assumed the settings under Firewall > Settings > Advanced would cause the corresponding WAN rule to be created. However, it gets created when you select "Add associated filter rule" option at the bottom of the NAT port forward rule. However, if you only have one WAN, you can also select "Pass". If you select "Pass", the corresponding WAN rule will not be displayed but the NAT port forward should still work properly.

[Wolven]

Cool. It's always nice to learn something new.

So I edited my NAT Port Forwarding settings for both the servers to include the "pass" setting for 'Add associated filter rule' and I tried with and without my FW rule for allowing traffic to pass on ports 25565 - 25566 on the WAN interface, but I still can't connect to the servers from outside of my LAN. I only have one WAN interface, so as you said nothing showed up under the FW rules, but the icons changed from > to <->



I try scanning the ports with this tool: https://www.ipfingerprints.com/portscan.php but they're both "filtered"

There must be something really obvious that I'm doing wrong here. How hard could it be to get this configured right...  Anyway. I'm about to set up a new computer for OPNsense, so I'll do a fresh install, just to start from scratch and then see if I can get this working. I'll report back whether I get it working or not.

[C18uj8Ms]

Hello,
A bit of a necrobump but I have kind of a similar problem.
What helped me resolve part of the issue was looking at Log Files -> Live View which will show you which rules are firing.

I think that there might be a bug in the OPNSense NAT -> Port Forward -> Add -> Filter rule association selection.

I have tried Add unassociated filter rule/Add associated filter rule and neither of them work. The only thing that works for me to do a port forward between 2 private networks is to use the Pass option.

On another note when creating an unassociated filter rule, I would expect that I would be able to edit this rule but I can't which makes me suspicious that there might be a bug there.

And finally, one of the reasons why I couldn't forward between private networks is because there was a rule by default to deny from private to private which you can deselect.

[Home Network Guy]

The main difference between associated an unassociated rules is when you make changes to the NAT port forward rule, it will be reflected in the associated rule. The unassociated rules won't get updated. You have to delete them to recreate them. I don't think there is a bug with how that works since it was intentionally designed that way for different purposes. I'm not quite sure when you would want an unassociated rule unless maybe you are worried someone will change the NAT port forward rule. However, if you did make changes and didn't realize you had an unassociated rule, it might make troubleshooting the rules more difficult.

Are your 2 private networks connected to the same OPNsense box or is one network on the ISP router and the other is on the OPNsense router? If they are on 2 separate routers, you should be able to create NAT port forward rules similar to if the WAN was connected directly to the Internet. This of course requires you uncheck blocking of private networks/bogons on the WAN interface (although I'm not sure if unchecking bogons is critical unless you are planning to use those specially reserved IP address ranges in your internal networks).