Have we any OPNsense gurus out there?

It made no difference. Get the same message
write tcp 10.238.1.179:33703: write: connection timed out.

It’s 23:30. I need my beauty sleep! I’ll be back on this tomorrow. Thanks very much for all your efforts - much appreciated.

I’m back and ready to either solve this or go back to Smoothwall

OK, well it’s working for me. Those reflection options that I asked about earlier you can disable, as this isn’t necessary. That’s only if you want to redirect internal traffic so that it doesn’t go out of your firewall and then come back in again.

So, the only things I have done are these.

  1. Firewall → Alias

In here I set up webserver alias with 172.16.0.10 as the IP address content.

  2. Firewall → NAT → Port Forward

In here I created a rule like this:

Interface: WAN
TCP/IP: IPv4
Protocol: TCP
Destination: WAN address
Destination port range: HTTP to HTTP
Redirect target IP: webserver
Redirect target port: HTTP

then I just saved that. And it started working. The only other thing I had to do, since I am using internal IP addresses on my WAN port was to go to Interfaces → WAN and make sure Block private networks wasn’t enabled.

Then from my laptop I connected to http://x.x.x.x (where x.x.x.x was WAN IP of my opnsense) and it showed the HTTP page from my Rocky Linux VM behind the firewall.

If you are going to access via VPN, and the traffic is to forward via the WAN you might also have to ensure the private networks are not blocked at the interface level.

Also, another way I have done it rather than use WAN address was to do this:

Interfaces → Virtual IP’s → Settings.

Since, my WAN IP is 10.1.9.254 in my lab, I created a VIP with 10.1.9.253. So for the VIP:

Interface: WAN
Type: Single Address
Address: 10.1.9.253/32
Gateway: 10.1.9.1

and then saved this. I then went back to my NAT rule, and changed Destination from WAN address to the VIP IP. Once the changes were applied, then I could also access my webserver via the VIP IP.

Sorry, I’ve been fighting with 180 metres of 1.9m tall privet hedge!

Mine is almost the same. I created aliases for the centos73 server and ports:

destination port range from centos73 ports to centos73 ports
redirect target IP centos73-server
redirect target port centos73 ports

Block private networks disabled

Alias for centos73_ports is 20,21,22,25,80,137,138,139,443,445.3306, 30000:31000

I guess I should remove the samba ports - don’t need to access them from outside.

Maybe here is the mistake? - Alias for centos73_server is 192.168.0.203 NOT the external.

One other thing. My webservers are both on the same IP address both virtual apache servers only the NAMES are different. NOT the IP addresses.
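An added check, written for this thread and not part of any post or of OPNsense itself: it expands a port alias in the comma-separated form used above (single ports and low:high ranges), reports any entry that is not a valid port or range instead of silently dropping it, and lists the ports that are rarely meant to be reachable from the WAN side. The sample alias strings are constructed from the one posted above, and the set of "risky" services is this example's own assumption.

```python
# Added example (not from the thread or from OPNsense): audit an OPNsense port
# alias before putting it in a WAN port forward.  Content format is the one
# used in the thread: comma-separated single ports and low:high ranges.
import re

# Constructed sample inputs, modelled on the alias posted above (note the '.'
# between 445 and 3306) and a corrected version of it.
ALIAS_AS_TYPED = "20,21,22,25,80,137,138,139,443,445.3306, 30000:31000"
ALIAS_FIXED = "20,21,22,25,80,137,138,139,443,445,3306,30000:31000"

# Services that are rarely meant to be reachable from the internet (assumption).
RISKY_PORTS = {
    21: "FTP control (cleartext credentials)",
    137: "NetBIOS name service",
    138: "NetBIOS datagram",
    139: "NetBIOS session / SMB",
    445: "SMB",
    3306: "MySQL/MariaDB",
}

_TOKEN = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")  # "80" or "30000:31000"


def parse_port_alias(content):
    """Expand alias content into (sorted list of ports, list of problems).

    Tokens that are neither a port nor a low:high range are reported rather
    than dropped, so a typo does not quietly change what the forward opens."""
    ports, problems = set(), []
    for raw in content.split(","):
        tok = raw.strip()
        if not tok:
            problems.append("empty entry")
            continue
        m = _TOKEN.match(tok)
        if not m:
            problems.append(f"malformed entry {tok!r}")
            continue
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (1 <= lo <= hi <= 65535):
            problems.append(f"out-of-range entry {tok!r}")
            continue
        ports.update(range(lo, hi + 1))
    return sorted(ports), problems


def audit_port_alias(content):
    """Summarise an alias: how many ports it opens, what was malformed, and
    which entries are services you probably do not want on a WAN forward."""
    ports, problems = parse_port_alias(content)
    risky = {p: RISKY_PORTS[p] for p in ports if p in RISKY_PORTS}
    return {"port_count": len(ports), "problems": problems, "risky": risky}


if __name__ == "__main__":
    for label, alias in (("as typed", ALIAS_AS_TYPED), ("fixed", ALIAS_FIXED)):
        print(label, audit_port_alias(alias))
```

Run it against the alias content before you save the rule; the "risky" list is the set of entries to drop from a forward that faces the internet, and "problems" is anything the parser could not read as a port or range.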

You only need one incoming NAT if they are both on the same server since the vhost will do the rest. In my instance:

LAN: 172.16.0.254
WAN: 10.1.9.254

ROCKY: 172.16.0.10
VIP: 10.1.9.253

So my alias is webserver to 172.16.0.10 - so this is always the internal IP of the server in the LAN segment or wherever it is.

Therefore I would have one port forwarding for webserver. and the vhosts on my rocky machine would do the rest. The only time you need multiple port forward is if you are redirecting your web stuff to different servers with different public IP’s. Having multiple port forwards to the same IP would most likely be a bit confusing to be honest as which one would it choose? On my Fortigate it will only let me have one VIP/alias to the internal host. I cannot create multiple ones.

10.1.9.1 is the way my opnsense gets out to the internet as it’s behind a Fortigate which already serves my network. But the way it works is just the same with public IP’s on the wan.

Remember that in the port forward, the destination is either the firewall IP or one of the VIPS. The redirect is where you choose the alias for the webserver.

Here is the setup for my Apache named virtual servers:

<VirtualHost *:80>
    # name-based vhost: Apache selects this block by the Host header, not by IP
    ServerName server1.xxxx.mydomainFQDN
    DocumentRoot /var/www/server1
    RewriteEngine On
    RewriteRule ^(/server1/.*) /www/server1$1
    ServerAdmin myemail address
    ServerAlias server1
    ErrorLog /var/log/httpd/server1-error_log
    TransferLog /var/log/httpd/server1-access_log
    DirectoryIndex index.php
</VirtualHost>

I actually have THREE different named servers all running on the same IP address.

For now I’d just concentrate on the firewall part. My simulation with the alias (webserver 172.16.0.10), VIP 10.1.9.253/32 and port forward using those details:

[ian@elise ~]$ telnet 10.1.9.253 80
Trying 10.1.9.253...
Connected to 10.1.9.253.
Escape character is '^]'.
^]
telnet> quit
Connection closed.

[ian@elise ~]$ curl -I http://10.1.9.253
Date: Fri, 08 Jul 2022 11:21:35 GMT
Server: Apache/2.4.37 (rocky)
Last-Modified: Wed, 06 Jul 2022 02:36:37 GMT
ETag: "1dc4-5e319d68ff740"
Accept-Ranges: bytes
Content-Length: 7620
Content-Type: text/html; charset=UTF-8

Once you’ve got that part working, you can worry about the Apache vhost stuff later. Get the firewall passing your IP and the vhost stuff will be easy. Also, you cannot do these tests from inside your network. For example, from my Rocky machine if I connect to http://10.1.9.253 I get the OPNsense web interface. This is where I should be using the reflection stuff, but I haven’t configured that bit yet.

So, you need to check the port forward destination, does it use the wan address (eg the wan interface IP) or does it use a different IP? If so, then that means you have to have a VIP configured, and that VIP must be configured with a /32 mask, otherwise, you redirect an entire network segment.
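The telnet-then-curl check from the post above as a script, added here as an example and not taken from the thread. It tells the three outcomes apart: "timeout" (no SYN/ACK at all, which is what a missing or wrong port forward, a "Block private networks" setting or an ISP filter looks like from outside), "refused" (something answered, so the forward reaches a host, but nothing listens on the target port) and "open", in which case it also sends a HEAD request and returns the status and Server header so you can see whether the reply came from the web server or from the firewall's own web UI. Run it from outside the firewall; the local stand-in HTTP server at the bottom is constructed so the script runs offline, and the Server header it returns only mimics the curl output posted above.

```python
# Added example (not from the thread): "telnet host 80" then "curl -I" as a
# script, with the failure modes classified.  Usage: python3 check_forward.py VIP
import http.client
import socket
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def tcp_check(host, port, timeout=5.0):
    """Return 'open', 'refused', 'timeout' or 'unreachable' for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:          # no SYN/ACK: nothing forwarded/answered
        return "timeout"
    except ConnectionRefusedError:  # host reached, no listener on that port
        return "refused"
    except OSError:                 # no route, DNS failure, etc.
        return "unreachable"


def http_head(host, port, timeout=5.0):
    """HEAD / like `curl -I`; returns (status, Server header)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Server")
    finally:
        conn.close()


def check_forward(host, port=80):
    """Combine both checks; 'http' stays None unless the TCP connect succeeded."""
    state = tcp_check(host, port)
    result = {"tcp": state, "http": None}
    if state == "open":
        result["http"] = http_head(host, port)
    return result


# --- constructed stand-in for the web server behind the firewall -------------
class _Handler(BaseHTTPRequestHandler):
    def version_string(self):
        return "Apache/2.4.37 (rocky)"   # mimics the Server header in the thread

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=UTF-8")
        self.end_headers()

    def log_message(self, *args):       # keep the demo quiet
        pass


def start_local_server():
    """Start a throw-away HTTP server on 127.0.0.1:<ephemeral>; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def closed_local_port():
    """Pick a 127.0.0.1 port nothing listens on (bind, read the number, release)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # real use, from outside the firewall
        print(check_forward(sys.argv[1]))
    else:                                      # offline demo against the stand-in
        srv, port = start_local_server()
        print("listening port:", check_forward("127.0.0.1", port))
        print("closed port:   ", check_forward("127.0.0.1", closed_local_port()))
        srv.shutdown()
```

A "timeout" from outside with the rule in place is the case to take back to the firewall (destination, interface, "Block private networks") or the ISP; a "refused" means the NAT part already works and the problem is the redirect port or the service on the server.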

Can you clarify this a bit? It sounds like you need two rules, one on LAN and one on WAN. Is this correct?

The alias is fine, it’s always the internal IP.

Do you attempt to use more than one alias configured in opnsense for your webservers or do you have just one?

You only need one port forward from WAN to LAN if your server is in the LAN segment. Since you are using a port group. For me I could have done a port group, or created multiple port forwards by separating out the services. Eg, first port forward for http like above, then a second for https, then a third for ftp.

In your instance this means one rule.

I can try that, it might simplify things. I guess. My ISP address is .231 and I get a /29 subnet. The Public IP for the webserver is .58/29
Most of the USA and China have already tried to hack it so I guess a few more won’t matter.
The one server is techsup.corp.mydomain.com

I have just one. I’ll split up the ports after lunch and try working like that, it will simplify debugging.

If you make a note of my IP and server addresses, I will edit my last post and remove the info.

So you’ll most likely have .231 as your WAN IP interface then, and route configured, so since you have internet access, then this will be fine.

I would use an IP from the .231 subnet, and configure this as a VIP, with the same gateway as your WAN interface uses in the VIP configuration. Then put this as the destination in the port forward and see if you can telnet to your webserver. If yes, then that means the main ISP network is fine.

I’m guessing the second subnet is also from your same ISP, as otherwise it’s not really going to work.

Yes only one ISP and one subnet. My mail server is on one of the IP’s that works just fine. I’m off for a quick lunch.

Yes, the WAN interface is pppoe0
IPV4 configuration type is PPPOE
We don’t use IPV6
The only other two fields are Username and Password.

We have never had a gateway between the firewall and the outside world. I do see, however, that the VIP gateway field has the following info: “For some interface types a gateway is required to configure an IP Alias (ppp/pppoe/tun), leave this field empty for all other interface types.” Since we’re using pppoe (and you’ve also referenced using a gateway), is there anything I should put in here?

I also saw a setting on the WAN interface to use a dynamic gateway policy: "This interface does not require an intermediate system to act as a gateway.

If the destination is directly reachable via an interface requiring no intermediary system to act as a gateway, you can select this option which allows dynamic gateways to be created without direct target addresses. Some tunnel types support this."

I did try enabling this but it made no difference.

We have an INTERNAL gateway, but not an external one.

Smoothwall worked without any problems at all for > 10 years already. Seems my best bet is to dump OPNsense and go back to what worked for all these years. It will be a pity because OPNsense has a lot of nice things that Smoothwall doesn’t, but all these features are a waste of time if it doesn’t work.

Well this is where it gets complicated. But let’s break it down a bit. I’ll use some random public IP’s as an example here.

So, my ISP gives me something like 92.189.153.0/24 as a subnet. The gateway for that subnet is 92.189.153.1, so that leaves me with all the rest to use.

I configure my opnsense WAN port with 92.189.153.2 and give the uplink gateway as 92.189.153.1. So pretty simple, basically what you have with that .231 segment right now.

I could use that 92.189.153.2 in the port forward by just choosing the wan address option, and redirecting it to my webserver on the LAN. And that works. But, let’s assume I want to use a different IP from that subnet.

So I go to the Interfaces → VIP section, and in here I add an IP 92.189.153.10. So what you want in that instance is:

Interface: WAN
IP: 92.189.153.10/32
Gateway: 92.189.153.1

Now this is simple enough because it’s bound to the WAN segment anyway pretty much. So if you were to choose an IP address from the .231 segment that is available (not being used yet), you could do the same in your VIP.

In the port forward configuration, you would set destination to the VIP address 92.189.153.10 and redirect to the webserver alias. And that would work fine.

What is going to get more complicated is the second IP range .58/29. Although it could be just a case of doing a VIP like this:

Interface: WAN
IP: 7x.x.x.60/32
Gateway: 7x.x.x.xx (whatever the gateway IP you have for that subnet).

that then should in theory work for you. Not sure if it would require some other config doing, but basically to make your server accessible you have to use a destination of the WAN address or one of your other IP’s configured under VIP and redirect this to the webserver. There really is not much else to it.
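A sanity check for the VIP plus port-forward layout described in this post and in the earlier warning that a VIP must be a /32, written as an added example for this thread (it is not part of any post and not OPNsense's own configuration format or validation). It uses the addresses from the posts above: the lab WAN 10.1.9.254/24 with gateway 10.1.9.1, VIP 10.1.9.253 and the Rocky server at 172.16.0.10, and the made-up public 92.189.153.0/24 example. The rule dictionary layout is this example's own. For a point-to-point WAN such as PPPoE there is no on-link subnet, so the example applies only the mask checks when the WAN address is given as a /32; that handling is an assumption of the example.

```python
# Added example (not from the thread or from OPNsense): check a Virtual IP and a
# port-forward rule against the rules of thumb given in the posts above, with the
# standard-library ipaddress module.
import ipaddress


def check_vip(vip_cidr, wan_cidr, gateway):
    """Return a list of problems with a VIP definition (empty list == looks fine).

    wan_cidr is the WAN address with its on-link mask, e.g. "10.1.9.254/24".
    Assumption for PPPoE-style WANs: pass the WAN address as a /32 and the
    on-link subnet checks are skipped, since the gateway is the far end of a
    point-to-point link rather than a neighbour on a shared segment."""
    problems = []
    vip = ipaddress.ip_interface(vip_cidr)
    wan = ipaddress.ip_interface(wan_cidr)
    gw = ipaddress.ip_address(gateway)

    # The warning from the thread: a VIP wider than /32 claims a whole segment.
    if vip.network.num_addresses != 1:
        problems.append(
            f"VIP {vip_cidr} is not a /32; it covers {vip.network.num_addresses} addresses")
    if vip.ip == wan.ip:
        problems.append(f"VIP {vip.ip} is the WAN address itself; use 'WAN address' instead")
    if vip.ip == gw:
        problems.append(f"VIP {vip.ip} is the gateway address")

    point_to_point = wan.network.num_addresses == 1
    if not point_to_point:
        if vip.ip not in wan.network:
            problems.append(f"VIP {vip.ip} is outside the WAN on-link subnet {wan.network}")
        if gw not in wan.network:
            problems.append(f"gateway {gw} is outside the WAN on-link subnet {wan.network}")
    return problems


def check_port_forward(rule, vips, lan_cidr):
    """Check one rule: destination is 'WAN address' or a configured VIP, and the
    redirect target (the webserver alias) is an address inside the LAN segment."""
    problems = []
    vip_addrs = {ipaddress.ip_interface(v).ip for v in vips}
    dst = rule["destination"]
    if dst != "WAN address" and ipaddress.ip_address(dst) not in vip_addrs:
        problems.append(f"destination {dst} is neither 'WAN address' nor a configured VIP")
    target = ipaddress.ip_address(rule["redirect_target"])
    if target not in ipaddress.ip_network(lan_cidr):
        problems.append(f"redirect target {target} is not inside LAN {lan_cidr}")
    return problems


if __name__ == "__main__":
    # Lab values from the thread: WAN 10.1.9.254/24 via 10.1.9.1, VIP 10.1.9.253/32
    print(check_vip("10.1.9.253/32", "10.1.9.254/24", "10.1.9.1"))
    print(check_vip("10.1.9.253/24", "10.1.9.254/24", "10.1.9.1"))  # flags the /24
    print(check_vip("92.189.153.10/32", "92.189.153.2/24", "92.189.153.1"))
    # PPPoE-style WAN (RFC 5737 documentation addresses): only the mask checks apply
    print(check_vip("203.0.113.58/32", "198.51.100.231/32", "203.0.113.57"))
    rule = {"interface": "WAN", "protocol": "TCP", "destination": "10.1.9.253",
            "destination_port": 80, "redirect_target": "172.16.0.10", "redirect_port": 80}
    print(check_port_forward(rule, ["10.1.9.253/32"], "172.16.0.0/24"))
    print(check_port_forward(dict(rule, redirect_target="10.1.9.253"),
                             ["10.1.9.253/32"], "172.16.0.0/24"))  # external IP as target
```

The second check is the point made several times in the thread: the destination is the firewall's own WAN address or a VIP, and the alias used as redirect target is always the server's internal address, never the public one.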

we have:
57/29
58/29
59/29
60/29
61/29
62/29

We have 8 addresses, but only 6 are usable. I have two conflicting emails. One says 57/29 is the gateway for the other 5 and the next email says 62/29 is the gateway for the other 5. I’ve tried both. Still the same.

To be honest I think your best bet is forget about the second subnet right now, grab one of the available IP’s from the first subnet (.231), and configure this on the VIP. Then on the port forward rule, use this as the destination for your webserver rule. Then test with that using telnet and curl like I did in my example in a previous post.

Only then you need to think about the second subnet, but you will need to make sure you have the correct info from your ISP, and also the fact that this should be related to your internet connection else it is never going to be accessible from your opnsense box.

I’ve only ever grabbed a handful of IP’s from my ISP and we put them on the firewall without issues as VIP addresses - like in my previous examples above.

As I said, the mechanism is basically how I outlined and it just works. If it doesn’t then you have issues with your ISP. Maybe also need to check/ensure they aren’t actually blocking access.

Not much else I can do to help really, in all the tests I made, providing the networking is correct, it works.

We have a misunderstanding here. There is only ONE subnet and that is the /29.
The other IP address is my ISP and we MUST use that IP for the WAN interface as I have to enter my username and password to get a connection from my Fritz!Box. This is where we are getting confused. There is only ONE subnet. That’s the one we pay for from EDPNet the other IP is THEIR IP address.

If I go to Google and look up whatismyipaddress I get the address of my ISP (the .231). It isn’t a subnet.
That’s why I would have preferred to PM you. It’s not easy to explain something when you can’t put in the numbers.

Forget 2 subnets, we have only ONE subnet that’s the /29 one.

Sure you can pm me here on the forum