
OPNsense NAT Port Forward not working


Basic Information

OPNsense is a FreeBSD-based firewall software. Port forwarding is the way to publish a service on the network protected by the firewall to the Internet. Any service could be forwarded, such as HTTP, SSH, RDP and so on. I tried to publish an SSH server to the internet in a lab environment. Port forwarding in OPNsense is done by a NAT rule and a firewall rule.

My test network consists of a single subnet with a private IP address space, and the OPNsense has a single public WAN IP address assigned.


The Problem

The official way to publish the SSH server to the internet, as described in the OPNsense documentation, failed. Normally, when a NAT rule is created, an associated firewall rule is created as well.

In my case, the automatically created Firewall rule didn’t allow access to the SSH service. It seems that there is a bug in the current version of OPNsense.


The Fix

Basically, the workaround was to just create a NAT rule and not to use “Add associated filter rule”. I use SSH (port 22) as the target port. Here are the details:

Interface: WAN
TCP/IP Version: IPv4
Protocol: TCP
Destination: WAN address
Port Range: 22
Redirection target IP: private IP address of SSH server
Redirection target Port: 22

Most important:

Filter rule association: Pass
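
As an added illustration (not from the original post): a small audit over pf rule listings that tells the two situations above apart, the "Pass" association (assumed here to correspond to the `pass` keyword on the rdr rule) versus a plain rdr that relies on a separate filter rule. The rule lines are constructed samples loosely modelled on `pfctl -sn` and `pfctl -sr` output; `em0` and `192.168.1.10` are placeholders.

```python
import re

# Constructed sample rule lines (not captured from a real firewall), loosely
# modelled on `pfctl -sn` (NAT) and `pfctl -sr` (filter) output. em0 and the
# 192.168.1.10 target are placeholders.
NAT_WORKAROUND = [
    "rdr pass on em0 inet proto tcp from any to (em0) port = ssh -> 192.168.1.10 port 22"]
NAT_PLAIN = [
    "rdr on em0 inet proto tcp from any to (em0) port = ssh -> 192.168.1.10 port 22"]
FILTER_DENY_ONLY = ['block drop in log all label "Default deny rule"']
FILTER_WITH_PASS = FILTER_DENY_ONLY + [
    "pass in quick on em0 inet proto tcp from any to 192.168.1.10 port = ssh flags S/SA keep state"]

RDR_RE = re.compile(r"^rdr(?P<pass>\s+pass)?\s+on\s+\S+\s+.*?proto\s+(?P<proto>\w+)\s+.*?"
                    r"->\s+(?P<target>[\d.]+)\s+port\s+(?P<tport>\w+)")
PASS_RE = re.compile(r"^pass\s+in\s+.*?proto\s+(?P<proto>\w+)\s+.*?"
                     r"to\s+(?P<dst>[\d.]+)\s+port\s+=\s+(?P<port>\w+)")
SERVICE_PORTS = {"ssh": "22", "http": "80", "https": "443"}  # pfctl prints service names

def norm_port(value):
    """Map a service name as printed by pfctl to its port number string."""
    return SERVICE_PORTS.get(value, value)

def audit_forward(nat_rules, filter_rules, target_ip, target_port):
    """Return (ok, reason): ok is True only if a redirect to the target exists AND
    something actually passes the redirected traffic (rdr pass, or a filter rule)."""
    port = str(target_port)
    rdr = None
    for line in nat_rules:
        m = RDR_RE.match(line.strip())
        if m and m["target"] == target_ip and norm_port(m["tport"]) == port:
            rdr = m
            break
    if rdr is None:
        return False, "no rdr rule redirects to %s:%s" % (target_ip, port)
    if rdr["pass"]:  # the "Filter rule association: Pass" case
        return True, "rdr pass: the NAT rule itself lets the traffic through"
    for line in filter_rules:
        m = PASS_RE.match(line.strip())
        if (m and m["dst"] == target_ip and norm_port(m["port"]) == port
                and m["proto"] == rdr["proto"]):
            return True, "rdr plus a separate filter pass rule to the target"
    return False, "rdr present but nothing passes traffic to the target"

if __name__ == "__main__":
    for nat, flt in ((NAT_WORKAROUND, FILTER_DENY_ONLY), (NAT_PLAIN, FILTER_DENY_ONLY),
                     (NAT_PLAIN, FILTER_WITH_PASS)):
        print(audit_forward(nat, flt, "192.168.1.10", 22))
```

The second case (rdr without pass and only the default deny in the filter set) is the symptom described in this post: the redirect exists, but nothing lets the traffic reach the SSH server.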

Conclusion

Please keep in mind that I did this procedure in a test environment with limited security side effects. It could be that in a future release “Add associated filter rule” will work again. But at the time of writing this blog post, no option worked other than the workaround with the “Pass” option described above.

