From f1444739fe9d8617fc663f022c0b9aeb62ccbf88 Mon Sep 17 00:00:00 2001 From: wompmacho Date: Sun, 5 Apr 2026 21:45:23 +0000 Subject: [PATCH] adding opnsense notes for forwarding ports --- projects/opnsense/index.md | 88 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 projects/opnsense/index.md diff --git a/projects/opnsense/index.md b/projects/opnsense/index.md new file mode 100644 index 0000000..de75c4a --- /dev/null +++ b/projects/opnsense/index.md 
@@ -0,0 +1,88 @@ +--- +title: OPNsense Port Forwarding +description: Detailed guide for enabling ports using Aliases and NAT Reflection in OPNsense +author: wompmacho +date: '2026-04-05T15:30:00-04:00' +lastmod: '2026-04-05' +tags: ['opnsense', 'networking', 'firewall', 'port-forwarding', 'pterodactyl'] +--- + +## Overview + +This guide covers the "Pro" method for managing port forwarding in OPNsense using **Aliases**. This approach simplifies management by grouping ports together, ensuring that firewall rules and NAT entries stay synchronized automatically. + +--- + +## 1. Create a Port Alias + +Instead of creating individual rules for every port, we group them into an Alias. + +1. Navigate to **Firewall → Aliases**. +2. Click the **+** (plus icon) to add a new alias. +3. **Name:** e.g., `Pterodactyl_Ports`. +4. **Type:** Select **Port(s)**. +5. **Content:** Enter your required ports (e.g., `7777`, `27015`). You can also enter ranges like `7778:7780`. +6. Click **Save** and then **Apply**. + +--- + +## 2. Configure Destination NAT (Port Forward) + +The NAT rule tells the firewall where to redirect incoming external traffic. + +1. Navigate to **Firewall → NAT → Port Forward**. +2. Click **Add** to create a new rule. +3. **Interface:** `WAN`. +4. **TCP/IP Version:** `IPv4`. +5. **Protocol:** `TCP/UDP` (common for game servers like Unreal Engine/Steam). +6. **Destination:** `WAN address`. +7. **Destination port range:** Select your alias (e.g., `Pterodactyl_Ports`) for both the "from" and "to" boxes. +8. **Redirect target IP:** The internal IP of your server (e.g., `10.0.0.110`). +9. **Redirect target port:** Select the same alias (`Pterodactyl_Ports`). This ensures a 1:1 mapping for all ports in the group. +10. **Firewall rule:** Select **`register rule`**. This is critical as it automatically creates and manages the corresponding WAN firewall permission. +11. Click **Save**. + +--- + +## 3. 
Enable NAT Reflection (Hairpin NAT) + +To access your server using the external IP or domain while *inside* your local network, you must enable NAT Reflection. + +### Global Configuration +1. Navigate to **Firewall → Settings → Advanced**. +2. Under **Network Address Translation**: + * Check **Reflection for port forwards**. + * Check **Reflection for 1:1**. + * Check **Automatic outbound NAT for Reflection**. +3. Click **Save**. + +### Per-Rule Overrides (Optional) +If the global setting is not desired, you can enable it on the specific NAT rule: +1. Edit your NAT rule in **Firewall → NAT → Port Forward**. +2. Scroll to **NAT reflection** and select **Enable**. +3. Click **Save**. + +--- + +## 4. Static Port (Outbound NAT) + +Many game servers (especially those using Steam Query) require "Static Port" to be enabled so that their source port isn't randomized by the firewall. + +1. Navigate to **Firewall → NAT → Outbound**. +2. Select **Hybrid outbound NAT rule generation** and click **Save**. +3. Click **Add** to create a manual rule at the top. +4. **Interface:** `WAN`. +5. **Source address:** Your server's internal IP (e.g., `10.0.0.110/32`). +6. **Static Port:** Check **YES**. +7. Click **Save** and **Apply Changes**. + +--- + +## Summary of Settings + +| Setting | Value | +| :---------------------------- | :--------------------------- | +| **Alias Type** | Port(s) | +| **Firewall Rule Association** | `register rule` | +| **NAT Reflection** | Enabled (Global or Per-Rule) | +| **Outbound NAT** | Static Port: YES |
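Review bot: Section 3's "Global Configuration" enables reflection more broadly than this guide needs, and the instruction "Check **Reflection for 1:1**" has no matching step anywhere in the document (no 1:1 NAT is created), so it should be dropped; "Reflection for port forwards" at the global level also turns hairpin NAT on for every port forward on the box rather than only the `Pterodactyl_Ports` rule, so the "Per-Rule Overrides (Optional)" path is the safer default and the global path should be the optional one. In Section 4 the outbound rule with "Source address: 10.0.0.110/32" and "Static Port: YES" disables source-port randomization for all of that host's outbound traffic, not just the game protocol; add the protocol (UDP for Steam Query) and destination-port restriction to that rule, or reuse the alias, so the exemption is scoped to the ports that actually need it. Finally, the guide ends at "Apply Changes" with no verification step; a short check such as `pfctl -s nat | grep 10.0.0.110` and `pfctl -s rules | grep Pterodactyl_Ports` from the OPNsense shell, followed by a test from outside the WAN, would confirm that the register-rule pass entry and the redirect both loaded as intended.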