Have we any OPNsense gurus out there?

Getting an answer from their forum is like waiting for the apocalypse!

I’ve set up Aliases for my mail server, Plex, 2 x virtual websites and an FTP server.
From INSIDE the firewall everything works fine. My mail server and Plex work fine, but no one can access my web servers from outside, and I can SFTP from INSIDE but not from outside. All the ports are open in the CentOS 7 Linux box, and all the ports are open in OPNsense (well, the rules are the same as the mail server, just different ports).

I host my own 3 x DNS servers and all have entries in the DNS.

If I turn off OPNsense and reload my old SmoothWall Express 3.1 everything works just fine.

I’m missing something stupid. Can anyone help?

Have you set up the port forwarding under Firewall → NAT → Port Forward? Other than rules from for example WAN → LAN for ports 80 and 443, you also need the port forwarding to do the network address translation from the public IP to the internal destination IP.

If you have a single public IP address, then ports 80 and 443 can only be sent to one single machine. Therefore, if you already have these sent to your mail server, it can’t be sent to your web server as well - you would need multiple public IP’s for that, one for the mail server, one for the web server.

If however, you do not redirect ports 80 and 443 to your mail server, and only have a single IP, then you just port forward them to the web server. The remainder, like 25, 587, 465, 110, 143, 993 and 995 for your mail server (SMTP, POP3, IMAP, etc).

Generally irrespective of the firewall, it’s two stage, firewall rules from the zones, and the NAT to redirect from the public IP to the internal IP’s. On some firewalls like Fortigate, they call this VIP for the single IP scenario, and MIP if you want to translate a single public IP to a single internal IP. Or as Opnsense call it one-to-one.

Thanks for the quick response.

I have a bunch of static IPs: one IP for each webserver, one IP for the mail server and an IP for Plex. I still have spare IPs not used.
Here’s the setup:

I’ve just installed and set up OPNsense. I THOUGHT I understood how the Virtual IPs, Aliases and Rules work, but I’m missing something here. Moved from Smoothwall Express and everything (still) works perfectly on SE.

I have 4 Virtual IPs
Mailserver,
Webserver1
Webserver2
Plex

Both Webservers are on CentOS (one on CentOS 7 and the other CentOS 8).

Let’s talk about ONE webserver. The other one is down until I get this one sorted. It has TWO virtual web servers with different names on the same IP. It also has an FTP server on the same box.

I have 3 x DNS servers all have entries for the servers.

In NET → Virtual IPs → Settings I have xxx.xxx.xxx.xxx/29, one for each Virtual IP.
In Aliases I have:
Mailserver and Mail server Ports
Webserver1 and Webserver1 Ports
Webserver2 and Webserver2 Ports
Plex and Plex Ports

In NAT Port Forward, I have an entry for each of the above
Interface -WAN
TCPIP - IPV4
Protocol - TCP
Destination - one of the Virtual IP addresses
Destination Port Range - the Alias for Port range
Redirect Target IP - Alias of the server.

In Rules I have an entry Pass for each one.
My Mailserver works fine
Plex works fine.
Both my CentOS Webservers work INTERNAL, but no one can connect to them from EXTERNAL.

A customer tried to ping and tracert. Nada.

What have I missed / done wrong?

If I go to a VPN and try to access the site after a LONG wait I get the message:
write tcp 10.238.1.122:46489: write: connection timed out

Have you checked to see if anything appears on the log files for apache? Assuming that after connecting via the VPN, that 10.238.1.122 is the IP address of the web server? Can you telnet to port 80 or 443 via that IP?

Assuming that everything is the same as the mail server config, then it should work, but could do with some debugging to see what appears in the logs of the web server (if anything), and some telnet tests.
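The telnet tests suggested above can be scripted. The following is an added example, not from this thread: it classifies a TCP connect to each forwarded (VIP, port) pair as open, refused or timed out, which tells apart "nothing listening" from "the packet never got through the NAT". It has to be run from outside the firewall, and the addresses in SAMPLE_TARGETS are constructed placeholders (TEST-NET-3) to replace with your own VIPs and alias ports.

```python
"""TCP reachability check for port-forwarded services, run from OUTSIDE the firewall.

Added example, not from the thread. SAMPLE_TARGETS holds constructed placeholder
addresses (TEST-NET-3); replace them with your own VIPs and alias ports.
"""
import socket
from typing import Dict, List, Tuple

SAMPLE_TARGETS: List[Tuple[str, int]] = [
    ("203.0.113.58", 80),   # placeholder webserver VIP, HTTP
    ("203.0.113.58", 443),  # HTTPS
    ("203.0.113.58", 22),   # SFTP
]


def tcp_status(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify a TCP connect attempt.

    'open'    - handshake completed: NAT and the firewall pass rule are working.
    'refused' - the host answered with RST: traffic arrives, but nothing listens
                on that port (or the host firewall rejects it).
    'timeout' - no answer at all: the SYN never reached a listener, which is what
                a missing port forward, a VIP with the wrong mask, or a silent
                block rule looks like from outside ("connection timed out").
    'error'   - anything else (DNS failure, no route, ...).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"


def check_targets(targets, timeout: float = 3.0) -> Dict[Tuple[str, int], str]:
    """Run tcp_status over every (host, port) pair, keyed by pair."""
    return {(host, port): tcp_status(host, port, timeout) for host, port in targets}


def start_local_listener() -> Tuple[socket.socket, int]:
    """Open a throwaway listener on 127.0.0.1 so the checker can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def unused_local_port() -> int:
    """Pick a port nothing listens on, to exercise the 'refused' path."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    for (host, port), status in check_targets(SAMPLE_TARGETS).items():
        print(f"{host}:{port:<5} {status}")
```

A "timeout" result for a port that the LAN can reach is the signature of a NAT or rule problem rather than an Apache problem, which is why nothing shows up in the web server's logs in that case.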

Thanks for the help so far!

Nothing in the apache logs.

10.238.1.122 has nothing to do with us, it’s someone’s Class A private address, not mine. We are on a 192.168.0.0/24 LAN and a /28 WAN from my ISP.

If there’s a way to PM you, I can give you all the necessary info. Much easier, but I’m not putting live data on public display.

I’ve downloaded opnsense 22.1.2 and am going to make a simulation to try and figure this out. I did have a VM a while back when I was testing it out as I was intending on replacing my Juniper SSG5 at home with a Qotom PC and Opnsense. In the end however I got a Fortigate instead (mainly for compatibility with my work as they use Fortigate as well so kept things simple). Will get back to you shortly on this.

My entire system runs on 2 x Proliant ML110 G6 servers and ESX 6 (we are VMWare partners). I’m ex-Novell edirectory EMEA support out of Holland. Now retired.
My daughter was also an MCNE and my wife a CNE. It was a bad day for computing when Novell threw in the towel.

Have you got these options enabled? (Firewall → Advanced)

No I didn’t. I just turned them on now.

It made no difference. Get the same message
write tcp 10.238.1.179:33703: write: connection timed out.

It’s 23:30. I need my beauty sleep! I’ll be back on this tomorrow, Thanks very much for all your efforts - much appreciated.

I’m back and ready to either solve this or go back to Smoothwall

OK, well it’s working for me. Those reflection options that I asked about earlier you can disable, as this isn’t necessary. That’s only if you want to redirect internal traffic so that it doesn’t go out of your firewall and then come back in again.

So, the only things I have done is this.

  1. Firewall → Alias

In here I set up webserver alias with 172.16.0.10 as the IP address content.

  2. Firewall → NAT → Port Forward

In here I create rule like this:

Interface: WAN
TCP/IP: IPv4
Protocol: TCP
Destination: WAN address
Destination port range: HTTP to HTTP
Redirect target IP: webserver
Redirect target port: HTTP

then I just saved that. And it started working. The only other thing I had to do, since I am using internal IP addresses on my WAN port was to go to Interfaces → WAN and make sure Block private networks wasn’t enabled.

Then from my laptop I connected to http://x.x.x.x (where x.x.x.x was WAN IP of my opnsense) and it showed the HTTP page from my Rocky Linux VM behind the firewall.

If you are going to access via VPN, and the traffic is to forward via the WAN you might also have to ensure the private networks are not blocked at the interface level.

Also, another way I have done it rather than use WAN address was to do this:

Interfaces → Virtual IP’s → Settings.

Since, my WAN IP is 10.1.9.254 in my lab, I created a VIP with 10.1.9.253. So for the VIP:

Interface: WAN
Type: Single Address
Address: 10.1.9.253/32
Gateway: 10.1.9.1

and then saved this. I then went back to my NAT rule, and changed Destination from WAN address to the VIP IP. Once the changes were applied, then I could also access my webserver via the VIP IP.

Sorry, I’ve been fighting with 180 metres of 1.9m tall privet hedge!

Mine is almost the same. I created aliases for centos73 server and ports:

destination port range from centos73 ports to centos73 ports
redirect target IP centos73-server
redirect target port centos73 ports

Block private networks disabled

Alias for centos73_ports is 20,21,22,25,80,137,138,139,443,445.3306, 30000:31000

I guess I should remove the samba ports - don’t need to access them from outside.

Maybe here is the mistake? - Alias for centos73_server is 192.168.0.203 NOT the external.

One other thing. My webservers are both on the same IP address both virtual apache servers only the NAMES are different. NOT the IP addresses.

You only need one incoming NAT if they are both on the same server since the vhost will do the rest. In my instance:

LAN: 172.16.0.254
WAN: 10.1.9.254

ROCKY: 172.16.0.10
VIP: 10.1.9.253

So my alias is webserver to 172.16.0.10 - so this is always the internal IP of the server in the LAN segment or wherever it is.

Therefore I would have one port forwarding for webserver, and the vhosts on my rocky machine would do the rest. The only time you need multiple port forwards is if you are redirecting your web stuff to different servers with different public IPs. Having multiple port forwards to the same IP would most likely be a bit confusing to be honest, as which one would it choose? On my Fortigate it will only let me have one VIP/alias to the internal host. I cannot create multiple ones.

10.1.9.1 is the way my opnsense gets out to the internet as it’s behind a Fortigate which already serves my network. But the way it works is just the same with public IP’s on the wan.

Remember that in the port forward, the destination is either the firewall IP or one of the VIPS. The redirect is where you choose the alias for the webserver.

Here is the setup for my apache virtual named servers (the asterisks in the VirtualHost address and the RewriteRule pattern were lost to forum formatting and are restored here; the closing tag was missing from the paste):

# Name-based vhost: Apache selects it by the Host header, so all named servers share one IP and port.
<VirtualHost *:80>
    ServerName server1.xxxx.mydomainFQDN
    DocumentRoot /var/www/server1
    RewriteEngine On
    RewriteRule ^(/server1/.*) /www/server1$1
    ServerAdmin myemail address
    ServerAlias server1
    ErrorLog /var/log/httpd/server1-error_log
    TransferLog /var/log/httpd/server1-access_log
    DirectoryIndex index.php
</VirtualHost>

I actually have THREE different named servers all running on the same IP address.

For now I’d just concentrate on the firewall part. My simulation with the alias (webserver 172.16.0.10), VIP 10.1.9.253/32 and port forward using those details:

[ian@elise ~]$ telnet 10.1.9.253 80
Trying 10.1.9.253...
Connected to 10.1.9.253.
Escape character is '^]'.
^]
telnet> quit
Connection closed.

[ian@elise ~]$ curl -I http://10.1.9.253
Date: Fri, 08 Jul 2022 11:21:35 GMT
Server: Apache/2.4.37 (rocky)
Last-Modified: Wed, 06 Jul 2022 02:36:37 GMT
ETag: "1dc4-5e319d68ff740"
Accept-Ranges: bytes
Content-Length: 7620
Content-Type: text/html; charset=UTF-8

Once you’ve got that part working, you can worry about the apache vhost stuff later. Get the firewall passing your IP and the vhost stuff will be easy. Also, you cannot do these tests from inside your network. For example, from my Rocky machine if I connect to http://10.1.9.253 I get the opnsense web interface. This is where I should be using the reflection stuff, but I haven’t configured that bit yet.

So, you need to check the port forward destination, does it use the wan address (eg the wan interface IP) or does it use a different IP? If so, then that means you have to have a VIP configured, and that VIP must be configured with a /32 mask, otherwise, you redirect an entire network segment.
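The points raised in this thread (the VIP must be a /32 or the whole segment is redirected, the host alias must hold the internal IP, several port forwards to the same destination are ambiguous, and LAN-only services such as Samba should not be in a WAN-facing port alias) can be checked mechanically before the rules go live. The following is an added example and not OPNsense code: it models only the rule fields discussed here, parses a port alias in OPNsense's comma and lo:hi syntax, and reports each problem. All rule names and addresses in SAMPLE_RULES are constructed (TEST-NET-2 public side, RFC1918 targets).

```python
"""Sanity checks for OPNsense-style port-forward rules.

Added example, not OPNsense code: it models only the fields discussed in the
thread (destination VIP, port alias, redirect target) and reports the mistakes
the thread turns on. All addresses and rule names below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Services that should not be reachable from the WAN at all (NetBIOS/SMB, MySQL).
LAN_ONLY_PORTS = {137, 138, 139, 445, 3306}


def parse_port_alias(text: str) -> Set[int]:
    """Expand an alias such as '20,21,22,443,30000:31000' into a set of ports.

    Accepts comma-separated single ports and lo:hi ranges (OPNsense range syntax).
    Anything else, including a dot where a comma was meant ('445.3306'), raises
    ValueError so the typo is caught instead of silently forwarding the wrong thing.
    """
    ports: Set[int] = set()
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" in item:
            lo_s, hi_s = item.split(":", 1)
            lo, hi = int(lo_s), int(hi_s)
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"bad port range {item!r}")
            ports.update(range(lo, hi + 1))
        else:
            port = int(item)  # int('445.3306') raises ValueError
            if not 1 <= port <= 65535:
                raise ValueError(f"bad port {item!r}")
            ports.add(port)
    return ports


def alias_is_valid(text: str) -> bool:
    """True if the alias text parses cleanly."""
    try:
        parse_port_alias(text)
        return True
    except ValueError:
        return False


@dataclass
class PortForward:
    name: str
    destination: str      # 'WAN address' or a VIP with mask, e.g. '198.51.100.58/32'
    ports: str            # content of the port alias
    redirect_target: str  # content of the host alias: always the INTERNAL address


def check_rules(rules: List[PortForward]) -> List[str]:
    """Return one finding per problem; an empty list means the rules look sane."""
    findings: List[str] = []
    seen: Dict[Tuple[str, int], str] = {}  # (destination IP, port) -> rule name
    for r in rules:
        if r.destination.strip().lower() == "wan address":
            dest_ip = "WAN address"
        else:
            iface = ipaddress.ip_interface(r.destination)
            dest_ip = str(iface.ip)
            if iface.network.prefixlen != 32:
                findings.append(
                    f"{r.name}: destination {r.destination} is not a /32 VIP; "
                    "a wider mask redirects the whole segment")
        if not ipaddress.ip_address(r.redirect_target).is_private:
            findings.append(
                f"{r.name}: redirect target {r.redirect_target} is not a private "
                "(internal) address; the host alias must hold the LAN IP")
        try:
            ports = parse_port_alias(r.ports)
        except ValueError as exc:
            findings.append(f"{r.name}: port alias unparsable ({exc})")
            continue
        exposed = sorted(ports & LAN_ONLY_PORTS)
        if exposed:
            findings.append(f"{r.name}: LAN-only ports exposed to the WAN: {exposed}")
        for port in sorted(ports):
            key = (dest_ip, port)
            if key in seen:
                findings.append(
                    f"{r.name}: port {port} on {dest_ip} is already forwarded by {seen[key]}")
            else:
                seen[key] = r.name
    return findings


# Constructed sample rules: the first has a /29 destination and Samba/MySQL ports,
# the third forwards 443 to a destination the first rule already covers.
SAMPLE_RULES = [
    PortForward("webserver", "198.51.100.58/29",
                "20,21,22,25,80,443,137,138,139,445,3306,30000:31000", "192.168.0.203"),
    PortForward("mailserver", "198.51.100.59/32",
                "25,110,143,465,587,993,995", "192.168.0.20"),
    PortForward("webserver-https", "198.51.100.58/32", "443", "192.168.0.203"),
]

if __name__ == "__main__":
    for line in check_rules(SAMPLE_RULES):
        print(line)
```

Run against the sample rules it reports three findings: the /29 mask, the exposed Samba and MySQL ports, and the duplicate forward for 443. A rule set with one forward per public IP, a /32 VIP and a trimmed port alias comes back clean.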

Can you clarify this a bit? It sounds like you need two rules, one on LAN and one on WAN. Is this correct?

The alias is fine, it’s always the internal IP.

Do you attempt to use more than one alias configured in opnsense for your webservers or do you have just one?

You only need one port forward from WAN to LAN if your server is in the LAN segment, since you are using a port group. For me I could have done a port group, or created multiple port forwards by separating out the services. Eg, first port forward for http like above, then a second for https, then a third for ftp.

In your instance this means one rule.

I can try that; it might simplify things, I guess. My ISP address is .231 and I get a /29 subnet. The public IP for the webserver is .58/29.
Most of the USA and China have already tried to hack it so I guess a few more won’t matter.
The one server is techsup.corp.mydomain.com