wompmacho f1444739fe
adding opnsense notes for forwarding ports
2026-04-05 21:45:23 +00:00

title: OPNsense Port Forwarding
description: Detailed guide for enabling ports using Aliases and NAT Reflection in OPNsense
author: wompmacho
date: 2026-04-05T15:30:00-04:00
lastmod: 2026-04-05
tags: opnsense, networking, firewall, port-forwarding, pterodactyl

Overview

This guide covers the "Pro" method for managing port forwarding in OPNsense using Aliases. This approach simplifies management by grouping ports together, ensuring that firewall rules and NAT entries stay synchronized automatically.


1. Create a Port Alias

Instead of creating individual rules for every port, we group them into an Alias.

  1. Navigate to Firewall → Aliases.
  2. Click the + (plus icon) to add a new alias.
  3. Name: e.g., Pterodactyl_Ports.
  4. Type: Select Port(s).
  5. Content: Enter your required ports (e.g., 7777, 27015). You can also enter ranges like 7778:7780.
  6. Click Save and then Apply.

2. Configure Destination NAT (Port Forward)

The NAT rule tells the firewall where to redirect incoming external traffic.

  1. Navigate to Firewall → NAT → Port Forward.
  2. Click Add to create a new rule.
  3. Interface: WAN.
  4. TCP/IP Version: IPv4.
  5. Protocol: TCP/UDP (common for game servers like Unreal Engine/Steam).
  6. Destination: WAN address.
  7. Destination port range: Select your alias (e.g., Pterodactyl_Ports) for both the "from" and "to" boxes.
  8. Redirect target IP: The internal IP of your server (e.g., 10.0.0.110).
  9. Redirect target port: Select the same alias (Pterodactyl_Ports). This ensures a 1:1 mapping for all ports in the group.
  10. Firewall rule: Select register rule. This is critical as it automatically creates and manages the corresponding WAN firewall permission.
  11. Click Save.
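
As an added example (not part of the original guide or of OPNsense itself), this Python script expands alias content written as in section 1 and lists every WAN port and protocol that the 1:1 forward in section 2 opens, so the exposure can be reviewed before the rule is saved. The function names and the REVIEW_PORTS list are assumptions made for illustration.

```python
"""Expand Port(s) alias content and list what a 1:1 port forward exposes on WAN."""

# Assumption: ports worth a second look if a wide alias range sweeps them in.
REVIEW_PORTS = {22: "ssh", 80: "http", 443: "https", 3389: "rdp", 8080: "alt-http"}


def expand_alias(content):
    """Parse content such as "7777, 27015, 7778:7780" into a sorted port list."""
    ports = set()
    for entry in content.replace(",", " ").split():
        low, sep, high = entry.partition(":")
        try:
            first = int(low)
            last = int(high) if sep else first
        except ValueError:
            raise ValueError(f"not a port or from:to range: {entry!r}") from None
        if not 1 <= first <= last <= 65535:
            raise ValueError(f"range out of bounds or reversed: {entry!r}")
        ports.update(range(first, last + 1))
    return sorted(ports)


def exposure(content, target_ip, protocols=("tcp", "udp")):
    """Return (proto, wan_port, target_ip, target_port) for every forwarded port.

    The target port equals the WAN port because the same alias is used on both
    sides of the rule; TCP/UDP doubles the number of exposed sockets.
    """
    return [(proto, port, target_ip, port)
            for port in expand_alias(content) for proto in protocols]


def needs_review(content):
    """Ports covered by the alias that also appear in REVIEW_PORTS."""
    return {p: REVIEW_PORTS[p] for p in expand_alias(content) if p in REVIEW_PORTS}


if __name__ == "__main__":
    alias = "7777, 27015, 7778:7780"  # constructed from the guide's example values
    for proto, wan_port, ip, port in exposure(alias, "10.0.0.110"):
        print(f"WAN {proto}/{wan_port} -> {ip}:{port}")
    # Constructed wide range showing how 8080 gets swept in unnoticed.
    print("review:", needs_review("7777, 8000:8100") or "none")
```

With the guide's example values, five ports over TCP/UDP come to ten exposed WAN sockets, all redirected to 10.0.0.110.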

3. Enable NAT Reflection (Hairpin NAT)

To access your server using the external IP or domain while inside your local network, you must enable NAT Reflection.

Global Configuration

  1. Navigate to Firewall → Settings → Advanced.
  2. Under Network Address Translation:
    • Check Reflection for port forwards.
    • Check Reflection for 1:1.
    • Check Automatic outbound NAT for Reflection.
  3. Click Save.

Per-Rule Overrides (Optional)

If the global setting is not desired, you can enable it on the specific NAT rule:

  1. Edit your NAT rule in Firewall → NAT → Port Forward.
  2. Scroll to NAT reflection and select Enable.
  3. Click Save.

4. Static Port (Outbound NAT)

Many game servers (especially those using Steam Query) require "Static Port" to be enabled so that their source port isn't randomized by the firewall.

  1. Navigate to Firewall → NAT → Outbound.
  2. Select Hybrid outbound NAT rule generation and click Save.
  3. Click Add to create a manual rule at the top.
  4. Interface: WAN.
  5. Source address: Your server's internal IP (e.g., 10.0.0.110/32).
  6. Static Port: Check YES.
  7. Click Save and Apply Changes.

Summary of Settings

Setting                    Value
Alias Type                 Port(s)
Firewall Rule Association  register rule
NAT Reflection             Enabled (Global or Per-Rule)
Outbound NAT               Static Port: YES