Getting an answer from their forum is like waiting for the apocalypse!
I’ve setup Aliases for my mail server, Plex and 2 x virtual websites. and an FTP server.
From INSIDE the firewall everything works fine. My Mail server and Plex work fine, but no one can access my web servers from outside and I can Shftp from INSIDE. but not frok outside. All the ports are open in The CentOS 7 Linux box, all the ports are open in OPNsense (well the rules are the same as the mail server, just different ports.
I host my own 3 x DNS serves and all have entries in the DNS.
If I turn off OPNsense and reload my old SmoothWall Express 3.1 everything works just fine.
Have you set up the port forwarding under Firewall → NAT → Port Forward? Other than rules from for example WAN → LAN for ports 80 and 443, you also need the port forwarding to do the network address translation from the public IP to the internal destination IP.
If you have a single public IP address, then ports 80 and 443 can only be sent to one single machine. Therefore, if you already have these sent to your mail server, it can’t be sent to your web server as well - you would need multiple public IP’s for that, one for the mail server, one for the web server.
If however, you do not redirect ports 80 and 443 to your mail server, and only have a single IP, then you just port forward them to the web server. The remainder, like 25, 587, 465, 110, 143, 993 and 995 for your mail server (SMTP, POP3, IMAP, etc).
Generally irrespective of the firewall, it’s two stage, firewall rules from the zones, and the NAT to redirect from the public IP to the internal IP’s. On some firewalls like Fortigate, they call this VIP for the single IP scenario, and MIP if you want to translate a single public IP to a single internal IP. Or as Opnsense call it one-to-one.
I have a bunch of static IP’s One IP for each webserver, one IP for the mail server and an IP for Plex. I still have spare Ip’s not used.
Here’s the setup:
I’ve just installed and setup OPNsense. I THOUGHT I understood how the Virtual IPs, Aliases and Rules work, but I’m missing something here. Moved from Smoothwall Express and everything (still) works perfectly on SE
I have 4 Virtual IPs
Mailserver,
Webserver1
Webserver2
Plex
Both Webservers are on CentOS (one on CentOS 7 and the other CentOS 8.
Let’s talk about ONE webserver. The bother one is down until I get this one sorted. It has TWO Virtual web servers with different names on the same IP. It also has an FTP server on the same box.
I have 3 x DNS servers all have entries for the servers.
In NET–> Virtual IPs → Settings I have xxx.xxx.xxx.xxx/29 one for each Virtual IP
In Aliases I have:
Mailserver and Mail server Ports
Webserver1 and Webserver1 Ports
Webserver2 and Webserver2 Ports
Plex and Plex Ports
In NAT Port Forward, I have an entry for each of the above
Interface -WAN
TCPIP - IPV4
Protocol - TCP
Destination - one of the Virtual IP addresses
Destination Port Range - the Alias for Port range
Redirect Target IP - Alias of the server.
In Rules I have an entry Pass for each one.
My Mailserver works fine
Plex works fine.
Both my CentOS Webservers work INTERNAL, but no one can connect to them from EXTERNAL.
A customer tried to ping and tracert. Nada.
What have I missed / done wrong?
If I go to a VPN and try to access the site after a LONG wait I get the message:
write tcp 10.238.1.122:46489: write: connection timed out
Have you checked to see if anything appears on the log files for apache? Assuming that after connecting via the VPN, that 10.238.1.122 is the IP address of the web server? Can you telnet to port 80 or 443 via that IP?
Assuming that everything is the same as the mail server config, then it should work, but could do with some debugging to see what appears in the logs of the web server (if anything), and some telnet tests.
I’ve downloaded opnsense 22.1.2 and am going to make a simulation to try and figure this out. I did have a VM a while back when I was testing it out as I was intending on replacing my Juniper SSG5 at home with a Qotom PC and Opnsense. In the end howerver I got a Fortigate instead (mainly for compatibility with my work as they use Fortigate as well so kept things simple). Will get back to you shortly on this.
My entire system runs on 2 x Proliant ML110 G6 servers and ESX 6 (we are VMWare partners). I’m ex-Novell edirectory EMEA support out of Holland. Now retired.
My daughter was also an MCNE and my wife a CNE. It was a bad day for computing when Novell threw in the towel.
OK, well it’s working for me. Those reflection options that I asked about earlier you can disable, as this isn’t necessary. That’s only if you want to redirect internal traffic so that it doesn’t go out of your firewall and then come back in again.
So, the only things I have done is this.
Firewall → Alias
In here I set up webserver alias with 172.16.0.10 as the IP address content.
Firewall → NAT → Port Forward
In here I create rule like this:
Interface: WAN
TCP/IP: IPv4
Protocol: TCP
Destination: WAN address
Destination port range: HTTP to HTTP
Redirect target IP: webserver
Redirect target port: HTTP
then I just saved that. And it started working. The only other thing I had to do, since I am using internal IP addresses on my WAN port was to go to Interfaces → WAN and make sure Block private networks wasn’t enabled.
Then from my laptop I connected to http://x.x.x.x (where x.x.x.x was WAN IP of my opnsense) and it showed the HTTP page from my Rocky Linux VM behind the firewall.
If you are going to access via VPN, and the traffic is to forward via the WAN you might also have to ensure the private networks are not blocked at the interface level.
Also, another way I have done it rather than use WAN address was to do this:
Interfaces → Virtual IP’s → Settings.
Since, my WAN IP is 10.1.9.254 in my lab, I created a VIP with 10.1.9.253. So for the VIP:
Interface: WAN
Type: Single Address
Address: 10.1.9.253/32
Gateway: 10.1.9.1
and then saved this. I then went back to my NAT rule, and changed Destination from WAN address to the VIP IP. Once the changes were applied, then I could also access my webserver via the VIP IP.
You only need one incoming NAT if they are both on the same server since the vhost will do the rest. In my instance:
LAN: 172.16.0.254
WAN: 10.1.9.254
ROCKY: 172.16.0.10
VIP: 10.1.9.253
So my alias is webserver to 172.16.0.10 - so this is always the internal IP of the server in the LAN segment or wherever it is.
Therefore I would have one port forwarding for webserver. and the vhosts on my rocky machine would do the rest. The only time you need multiple port forward is if you are redirecting your web stuff to different servers with different public IP’s. Having multiple port forwards to the same IP would most likely be a bit confusing to be honest as which one would it choose? On my Fortigate it will only let me have one VIP/alias to the internal host. I cannot create multiple ones.
10.1.9.1 is the way my opnsense gets out to the internet as it’s behind a Fortigate which already serves my network. But the way it works is just the same with public IP’s on the wan.
Remember that in the port forward, the destination is either the firewall IP or one of the VIPS. The redirect is where you choose the alias for the webserver.
here is the setup for my apache virtual named servers
<VirtualHost :80>
ServerName server1.xxxx.mydomainFQDN
DocumentRoot /var/www/server1
RewriteEngine On
RewriteRule ^(/server1/.) /www/server1$1
ServerAdmin myemail address
ServerAlias server1
ErrorLog /var/log/httpd/server1-error_log
TransferLog /var/log/httpd/server1-access_log
DirectoryIndex index.php
Iactually have THREE different named servers all running on the same IP address.
For now I’d just concentrate on the firewall part. My simulation with the alias (webserver 172.16.0.10), VIP 10.1.9.253/32 and port forward using those details:
once you’ve got that part working, you can worry about the apache vhost stuff later. Get the firewall passing your IP and the vhost stuff will be easy. Also, you cannot do these tests from inside your network. For example, from my Rocky machine if I connect to http://10.1.9.253 I get the opnsense web interfaces. This is where I should be using the reflection stuff, but I haven’t configured that bit yet.
So, you need to check the port forward destination, does it use the wan address (eg the wan interface IP) or does it use a different IP? If so, then that means you have to have a VIP configured, and that VIP must be configured with a /32 mask, otherwise, you redirect an entire network segment.
Do you attempt to use more than one alias configured in opnsense for your webservers or do you have just one?
You only need one port forward from WAN to LAN if your server is in the LAN segment. Since you are using a port group. For me I could have done a port group, or created multiple port forwards by separating out the services. Eg, first port forward for http like above, then a second for https, then a third for ftp.
I can try that, it might simplify things. I guess. My ISP address is .231 and I get a /29 subnet. The Public IP for the webserver is .58/29
Most of the USA and China have already tried to hack it so I guess a few more won’t matter.
The one server is techsup.corp.mydomain.com