Have we any OPNsense gurus out there?

I have just one. I’ll split up the ports after lunch and try working like that, it will simplify debugging.

If you make a note of my IP and server addresses, I will edit my last post and remove the info

So you’ll most likely have .231 as your WAN IP interface then, and route configured, so since you have internet access, then this will be fine.

I would use an IP from the .231 subnet, and configure this as a VIP, with the same gateway as your WAN interface uses in the VIP configuration. Then put this as the destination in the port forward and see if you can telnet to your webserver. If yes, then that means the main ISP network is fine.

I’m guessing the second subnet is also from your same ISP, as otherwise it’s not really going to work.

Yes only one ISP and one subnet. My mail server is on one of the IP’s that works just fine. I’m off for a quick lunch.

Yes, the WAN interface is pppoe0
IPV4 configuration type is PPPOE
We don’t use IPV6
The only other two fields are Username and Password.

We have never had a gateway between the firewall and the outside world. I do see, however, that the VIP gateway field has the following info: “For some interface types a gateway is required to configure an IP Alias (ppp/pppoe/tun), leave this field empty for all other interface types.” Since we’re using pppoe (and you’ve also referenced using a gateway), is there anything I should put in here?

I also saw a setting on the WAN interface to use a dynamic gateway policy. "This interface does not require an intermediate system to act as a gateway

If the destination is directly reachable via an interface requiring no intermediary system to act as a gateway, you can select this option which allows dynamic gateways to be created without direct target addresses. Some tunnel types support this."

I did try enabling this but it made no difference.

We have an INTERNAL gateway, but not an external one.

Smoothwall worked without any problems at all for > 10 years already. Seems my best bet is to dump OPNsense and go back to what worked for all these years. It will be a pity because OPNsense has a lot of nice things that Smoothwall doesn’t, but all these features are a waste of time if it doesn’t work.

Well this is where it gets complicated. But let’s break it down a bit. I’ll use some random public IP’s as an example here.

So, my ISP gives me something like 92.189.153.0/24 as a subnet. The gateway for that subnet is 92.189.153.1, so that leaves me with all the rest to use.

I configure my opnsense WAN port with 92.189.153.2 and give the uplink gateway as 92.189.153.1. So pretty simple, basically what you have with that .231 segment right now.

I could use that 92.189.153.2 in the port forward by just choosing the wan address option, and redirecting it to my webserver on the LAN. And that works. But, let’s assume I want to use a different IP from that subnet.

So I go to the Interfaces → VIP section, and in here I add an IP 92.189.153.10. So what you want in that instance is:

Interface: WAN
IP: 92.189.153.10/32
Gateway: 92.189.153.1

Now this is simple enough because it’s bound to the WAN segment anyway pretty much. So if you were to choose an IP address from the .231 segment that is available (not being used yet), you could do the same in your VIP.

In the port forward configuration, you would set destination to the VIP address 92.189.153.10 and redirect to the webserver alias. And that would work fine.

What is going to get more complicated is the second IP range .58/29. Although it could be just a case of doing a VIP like this:

Interface: WAN
IP: 7x.x.x.60/32
Gateway: 7x.x.x.xx (whatever the gateway IP you have for that subnet).

that then should in theory work for you. Not sure if it would require some other config doing, but basically to make your server accessible you have to use a destination of the WAN address or one of your other IP’s configured under VIP and redirect this to the webserver. There really is not much else to it.

we have:
57/29
58/29
59/29
60/29
61/29
62/29

We have 8 addresses, but only 6 are usable. I have two conflicting emails. One says 57/29 is the gateway for the other 5 and the next email says 62/29 is the gateway for the other 5. I’ve tried both. Still the same.

To be honest I think your best bet is to forget about the second subnet right now, grab one of the available IP’s from the first subnet (.231), and configure this on the VIP. Then on the port forward rule, use this as the destination for your webserver rule. Then test with that using telnet and curl like I did in my example in a previous post.

Only then do you need to think about the second subnet, but you will need to make sure you have the correct info from your ISP, and also the fact that this should be related to your internet connection, else it is never going to be accessible from your opnsense box.

I’ve only ever grabbed a handful of IP’s from my ISP and we put them on the firewall without issues as VIP addresses - like in my previous examples above.

As I said, the mechanism is basically how I outlined and it just works. If it doesn’t then you have issues with your ISP. Maybe also need to check/ensure they aren’t actually blocking access.

Not much else I can do to help really, in all the tests I made, providing the networking is correct, it works.
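To make the VIP recipe above and the "telnet to the webserver" test concrete, here is an added helper (not from this thread or from OPNsense) that validates a WAN VIP plan and emits the two entries described, using the thread's placeholder 92.189.153.0/24 plus a constructed 203.0.113.56/29 standing in for the poster's /29; the `connect` parameter and `refused_connect` stand-in are assumptions so the reachability check can run offline.

```python
import ipaddress
import socket

def usable_hosts(block):
    """Usable addresses of a block, network and broadcast excluded
    (a /29 gives 6 of 8, the poster's .57-.62)."""
    return [str(h) for h in ipaddress.ip_network(block, strict=False).hosts()]

def vip_errors(block, vip, gateway):
    """Problems with a WAN VIP plan: VIP and gateway must be usable hosts of the
    block and differ. .57 and .62 of a /29 both pass: only the ISP knows."""
    net = ipaddress.ip_network(block, strict=False)
    hosts = set(net.hosts())
    problems = []
    if ipaddress.ip_address(vip) not in hosts:
        problems.append(f"{vip} is not a usable host of {net}")
    if ipaddress.ip_address(gateway) not in hosts:
        problems.append(f"{gateway} is not a usable host of {net}")
    if vip == gateway:
        problems.append("VIP must not be the gateway address")
    return problems

def plan_vip(block, vip, gateway, alias="webserver", port=443):
    """The two OPNsense entries from the thread: an IP Alias VIP on WAN
    (/32, gateway filled in because PPPoE demands it) and a port forward
    whose destination is that VIP. Raises if vip_errors() finds anything."""
    problems = vip_errors(block, vip, gateway)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "vip": {"interface": "WAN", "ip": f"{vip}/32", "gateway": gateway},
        "port_forward": {"interface": "WAN", "protocol": "TCP",
                         "destination": vip, "destination_port": port,
                         "redirect_target": alias, "redirect_port": port},
    }

def check_forward(dest, port, connect=socket.create_connection, timeout=3):
    """The 'telnet to the webserver' test: TCP connect from outside to the
    forwarded VIP port. `connect` is injectable so the check runs offline."""
    try:
        sock = connect((dest, port), timeout)
    except OSError:
        return False
    if hasattr(sock, "close"):
        sock.close()
    return True

def refused_connect(addr, timeout=None):
    """Constructed offline stand-in for a port the firewall drops or rejects."""
    raise ConnectionRefusedError(addr)
```

Run `check_forward` from a host outside the firewall (never from the LAN side) so the connect actually traverses the WAN VIP and the port-forward rule.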

We have a misunderstanding here. There is only ONE subnet and that is the /29.
The other IP address is my ISP and we MUST use that IP for the WAN interface as I have to enter my username and password to get a connection from my Fritz!Box. This is where we are getting confused. There is only ONE subnet. That’s the one we pay for from EDPNet the other IP is THEIR IP address.

If I go to google and look up whatismyipaddress I get the address of my ISP (the .231). It isn’t a subnet.
That’s why I would have preferred to PM you. It’s not easy to explain something when you can’t put in the numbers.

Forget 2 subnets, we have only ONE subnet that’s the /29 one.

Sure, you can PM me here on the forum

Nope you have no envelope on your profile. I did ask and I did look first.

is enabled, other people have DM’d me, so it should be possible. Could be trust level though if new user, then pm not possible I guess.

Just sent you a PM, see if you got it.

Thanks to all your hours of hard work helping me, I finally got it working. I would NEVER have managed without your help. I can’t thank you enough.