There are many reasons for opening a port on an Internet facing firewall. One might want to view the video feed from an IP security camera from outside the home, or one might want to access a home automation server, a NAS or any other type of server. The best way to learn how to configure port forwarding in the OPNsense firewall is to work through an example or three.
The Port forwarding section of the OPNsense manual basically repeats the help shown on the port forwarding edit page. It is rather terse and not all that helpful for us newbies. Consequently, the explanation below is based on tutorials found on the Web:
- [Tutorial] How I do port forwarding - simple and straightforward by theogravity ( May 29, 2018).
- How to Configure WAN and NAT Port Forward Rules in OPNsense by Dustin Casto (May 29, 2021).
- How to Port Forward in OPNsense by WunderTech (May 11, 2024).
Many thanks to those authors and, of course, I am most grateful for the work done by the OPNsense creators, contributors and community at large. Without their work, this would not have been possible. The proof is left to the reader as is often said in mathematics.
Table of Contents
- Port Forwarding - Domoticz
- Port Forwarding - MQTT Broker
- Aliases
- Testing and Port Forwarding Reflection
- Port Forwarding - WireGuard
Port Forwarding - Domoticz
Let's start with accessing a Domoticz home automation server running on a converted TV box on the home network. Here is the pertinent information about that server.
- IP address of the TV box on which Domoticz is running: 192.168.7.45, which is on the IOT (virtual) network.
- TCP port used by Domoticz: 9090. This is an unsecured HTTP connection.
To configure the port forwarding rule go to Firewall » NAT » Port Forward in the OPNsense Web configuration page. Note that the list of rules already contains an anti-lockout rule.
Click on the [+] Add button. Change or ensure that the following fields have the correct values. Fields not listed below should be left at their default values.
Field | Value |
---|---|
Interface | WAN |
TCP/IP Version | IPv4 |
Protocol | TCP |
Source | Advanced |
Destination | any |
Destination Port range from | (other) 9090 |
Destination Port range to | (other) 9090 |
Redirect target IP | (Single host or Network) 192.168.7.45 |
Redirect target port | (other) 9090 |
Description | To Domoticz on domo / IOT |
Screen capture of Firewall:NAT:Port Forward configuration page (OPNsense 24.1.8).
That's almost as simple as what I have done many times with consumer grade routers. The rule says that TCP IPv4 packets arriving on the WAN interface (from the Internet, in other words) and destined to port 9090 are redirected to 192.168.7.45:9090, the HTTP port on which Domoticz listens.
To complete the procedure, click on the [Save] button at the bottom of the page and then click on the [Apply changes] in the blue banner above the list of port forwarding rules.
You may notice that the last field of the configuration page
Filter rule association | Add associated filter rule |
---|
will be automagically changed to
Filter rule association | Rule To Domoticz on domo / IOT |
---|
That value is simply "Rule " prefixed to the description, and the change happens when the [Save] button is clicked. The field is not merely informative. A port forward rule only rewrites the destination address and port of matching packets; the WAN interface still blocks them unless a firewall rule passes them. Add associated filter rule creates that pass rule on WAN automatically and keeps it linked to the NAT rule, so editing or disabling the port forward updates the filter rule as well. See Firewall » Rules » WAN where the linked rule shows up. Choosing None instead means writing the WAN pass rule by hand, and without one the forward silently does nothing.
Port Forwarding - MQTT Broker
Sometimes I would like access to the MQTT broker that is an integral part of our home automation system. It runs on the same converted TV box as the Domoticz server. Setting up port forwarding to that service is pretty much a repetition of the previous step, but let's add a bit of obfuscation.
- IP address of the TV box on which Mosquitto MQTT is running: 192.168.7.45, which is on the IOT (virtual) network.
- TCP port used by Mosquitto MQTT: 1883. This is the default unencrypted port.
As before, go to Firewall » NAT » Port Forward and click on the [+] Add button. Change or ensure that the following fields have the correct values. Fields not listed below should be left at their default values.
Field | Value |
---|---|
Interface | WAN |
TCP/IP Version | IPv4 |
Protocol | TCP |
Source | Advanced |
Destination | any |
Destination Port range from | (other) 9983 |
Destination Port range to | (other) 9983 |
Redirect target IP | 192.168.7.45 |
Redirect target port | (other) 1883 |
Description | To Mosquitto MQTT on domo / IOT |
Disable this rule as soon as it has been tested. A quick way to disable the rule is to click on the green linked rule double arrow beside its interface name. When the linked rule is gray it is disabled, as explained in the legend. Even better, when creating it, check the Disable this rule box at the very top of the configuration page. This rule is a terrible idea because it gives unsecured public access to the MQTT broker. Setting the outside port to 9983 will not slow down attacks significantly: port scanners probe every port, not just 1883.
Aliases
There is a third server running on my home automation appliance, ha-bridge, which enables voice control of many of our Tasmota based devices and also of Domoticz scenes and groups. I might want to access the Web GUI of this server from outside and for that I would create a third rule much like the previous rules, except that its destination TCP port would be 80.
I would never do that given that clear warning, but it illustrates the idea. Three times the IP address of the converted TV box appears in the rules. What happens if that IP address has to be changed? I would have to find every place where it appears and manually change the address to its new value. OPNsense provides a useful mechanism to avoid this problem which also makes the rules easier to understand later on. We can create an alias for that IP address and use it wherever an IP address is needed.
Creating Aliases
To create an alias go to Firewall » Aliases and click on the [+] Add button.
Only the Name and Content fields must be filled in; I also provided an optional description.
Field | Value |
---|---|
Name | domo |
Content | 192.168.7.45 |
Description | domo.local on IOT |
Click on [Save] and then click on [Apply] under the list of aliases. The alias is only loaded into the running firewall once the changes are applied, so the last step is needed.
The table contains two aliases: domo, just created, and voute, to be used in the last port forwarding example.
Using Aliases
Unfortunately, once an alias has been created, OPNsense will not go through existing rules and substitute the alias name for any matching IP address. The Redirect target IP of each port forward rule has to be edited in Firewall » NAT » Port Forward. When that is done, the alias, domo, can be picked from the drop-down list as shown above.
Obviously the proper way of using aliases is to define them before defining rules just as suggested by theogravity.
Deleting Aliases
An alias cannot be deleted while it is in use anywhere, which makes sense: it would not do to have rules with unspecified targets. So to delete an alias, first remove all references to it.
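The three points made so far (a port forward needs its associated filter rule, the MQTT rule should stay disabled, and repeated literal IP addresses belong in an alias) can be checked mechanically against a config export, which the manual's remark about auditing .xml config exports also hints at. The script below is an added example, not code from this page or from the OPNsense project. The XML it parses is a constructed, cut-down sample in the shape of a config.xml export (the `<aliases>` / `<nat><rule>` layout, element names such as `<target>`, `<local-port>` and `<associated-rule-id>`, and `<network>wanip</network>` for "WAN address" are assumptions about the schema); it holds the rules from the text plus the ha-bridge rule the text says it would never create, with no filter rule association.

```python
"""Audit the port-forward rules in an OPNsense config export (added example)."""
import ipaddress
import xml.etree.ElementTree as ET

# Services the page describes as unencrypted, keyed by the *target* port so an
# obfuscated outside port (9983 -> 1883) is still recognised.
PLAINTEXT_SERVICES = {80: "HTTP", 9090: "Domoticz HTTP", 1883: "MQTT without TLS"}

# Constructed sample; the element layout is an assumption about config.xml.
SAMPLE_CONFIG = """<opnsense>
 <aliases>
  <alias><name>domo</name><type>host</type><content>192.168.7.45</content></alias>
  <alias><name>voute</name><type>host</type><content>192.168.1.17</content></alias>
 </aliases>
 <nat>
  <rule><interface>wan</interface><protocol>tcp</protocol>
   <destination><any>1</any><port>9090</port></destination>
   <target>192.168.7.45</target><local-port>9090</local-port>
   <descr>To Domoticz on domo / IOT</descr>
   <associated-rule-id>nat_0001</associated-rule-id></rule>
  <rule><disabled>1</disabled><interface>wan</interface><protocol>tcp</protocol>
   <destination><any>1</any><port>9983</port></destination>
   <target>192.168.7.45</target><local-port>1883</local-port>
   <descr>To Mosquitto MQTT on domo / IOT</descr>
   <associated-rule-id>nat_0002</associated-rule-id></rule>
  <rule><interface>wan</interface><protocol>tcp</protocol>
   <destination><any>1</any><port>80</port></destination>
   <target>192.168.7.45</target><local-port>80</local-port>
   <descr>To ha-bridge on domo / IOT</descr>
   <associated-rule-id></associated-rule-id></rule>
  <rule><interface>wan</interface><protocol>udp</protocol>
   <destination><network>wanip</network><port>55555</port></destination>
   <target>voute</target><local-port>55555</local-port>
   <descr>To Wireguard on voute / LAN</descr>
   <associated-rule-id>nat_0003</associated-rule-id></rule>
 </nat>
</opnsense>"""


def is_ip_literal(value):
    """True for a bare IPv4/IPv6 address, False for an alias name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def load_rules(config_xml):
    """Return ({ip: alias name}, [port-forward rule dicts]) from the export."""
    root = ET.fromstring(config_xml)
    aliases = {a.findtext("content", "").strip(): a.findtext("name", "").strip()
               for a in root.iter("alias")}
    rules = []
    for r in root.iter("rule"):
        if r.find("target") is None:          # plain firewall rules have no <target>
            continue
        rules.append({
            "descr": r.findtext("descr", ""),
            "disabled": r.findtext("disabled") == "1",
            "dst_port": int(r.findtext("destination/port", "0").split("-")[0]),
            "target": r.findtext("target", "").strip(),
            "local_port": int(r.findtext("local-port", "0")),
            "assoc": (r.findtext("associated-rule-id") or "").strip(),
        })
    return aliases, rules


def audit(config_xml):
    """Return (description, level, message) findings, one per problem found."""
    aliases, rules = load_rules(config_xml)
    uses = {}                                  # literal IP -> number of rules using it
    for r in rules:
        if is_ip_literal(r["target"]):
            uses[r["target"]] = uses.get(r["target"], 0) + 1
    findings = []
    for r in rules:
        d, t = r["descr"], r["target"]
        if r["disabled"]:
            findings.append((d, "info", "disabled, not currently exposed"))
            continue
        if r["local_port"] in PLAINTEXT_SERVICES:
            findings.append((d, "warn", f"exposes {PLAINTEXT_SERVICES[r['local_port']]} "
                             f"(target port {r['local_port']}) on WAN port {r['dst_port']}"))
        if not r["assoc"]:
            findings.append((d, "warn", "no associated filter rule: WAN drops the "
                             "redirected traffic unless a pass rule exists"))
        if t in uses and (uses[t] > 1 or t in aliases):
            hint = f"alias '{aliases[t]}'" if t in aliases else "an alias"
            findings.append((d, "note", f"literal target {t} appears in {uses[t]} "
                             f"rule(s); use {hint} instead"))
    return findings


if __name__ == "__main__":
    for descr, level, msg in audit(SAMPLE_CONFIG):
        print(f"[{level}] {descr}: {msg}")
```

On a real export (System » Configuration » Backups), point `audit()` at the file contents instead of `SAMPLE_CONFIG`; the plaintext port list is keyed on the target port deliberately, so renaming the outside port, as the MQTT rule does, does not hide the service from the audit.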
Testing and Port Forwarding Reflection
In the past, I would bring a portable computer or a tablet to an accommodating coffee shop to test the port forward rule. To do the test, I need one piece of information: the public IP address of the home network, 47.53.54.145. It can be found in the Interfaces widget of the OPNsense Web page. I could write that down just before leaving for the coffee shop and hope that the ISP does not change it for a while.
As a matter of fact, I do not use the IP address. My home network can be reached with a public host name, modomo.twilightparadox.com, which the domain name system (DNS) will resolve to the public IP address of our home network. Back in 2018, I explained how to obtain a dynamic domain name at FreeDNS. I am still using that name and, as far as I know, the explanation for obtaining a free DDNS service at freedns.afraid.org has not materially changed.
It has finally dawned on me that I could use my cellular phone to connect to my home network as if I were outside the home. So I turned off the Wi-Fi connection of the so-called smart (Android) phone to the home network and then turned on cellular data. I opened the URL http://47.53.54.145:9090 in the Web browser and after an inordinate amount of time, the login screen from Domoticz opened.
It is possible to do the same from within the home network using reflection for port forwards. This can be done globally or on a rule by rule basis.
The global settings are in the Network Address Translation section of Firewall » Settings » Advanced.
Field | Value |
---|---|
Reflection for port forwards | Check box to enable |
Reflection for 1:1 | Uncheck box to disable |
Automatic outbound NAT for Reflection | Check box to enable |
Click on [Save] and the "The changes have been applied successfully." message should appear in the top blue banner. From then on it is possible to reach any device for which a port forwarding rule has been established through the public address, even from inside the home network. For example, the wget utility can be used to fetch a file from the Domoticz Web server just as a Web browser would.
As can be seen, the index file was downloaded. From the Domoticz point of view, as confirmed by its log, the request came from my desktop machine on the LAN network. Since that network is one of the trusted networks in the Domoticz security settings, logging in was not necessary.
Reflection and Hairpin NAT in the OPNsense manual has useful information on this topic. In particular there's the following warning.
The best way to do Reflection NAT in the OPNsense is not to use the legacy Reflection options in (Advanced) Settings. Creating the NAT rules manually with Method 1 prevents unwanted traffic and makes auditing easy. There will be no hidden rules. All rules will be perfectly visible in the GUI and .xml config exports.
This is not a simple subject, and I did not relish following methods 1, 2 or 3 as outlined in the manual. I did disable Reflection for port forwards, Reflection for 1:1 and Automatic outbound NAT for Reflection in Firewall » Settings » Advanced. Then I took the easy way to enable reflection for the To Domoticz on domo / IOT rule only. Going to Firewall » NAT » Port Forward, I could edit the rule by clicking on its pencil icon.
Scrolling down to almost the end of the page, I enabled the reflection setting. The default setting was Use system default.
NAT Reflection | Enable |
---|
Click on the [Save] button and then [Apply the changes].
It was immediately possible to get to the Domoticz web server using the external URL http://modomo.twilightparadox.com:9090.
The Domoticz log file reported that the connection was from the desktop, just as it had with reflection enabled in the global settings.
Port Forwarding - WireGuard
As recommended by most, it is best to minimize the number of holes punched through the firewall. So the two port forwarding rules defined above were deleted and replaced with a single rule to a WireGuard VPN server running on the NAS. This instance of WireGuard was the main VPN server before switching to OPNsense. This is the information about that server.
- IP address of the NAS on which WireGuard is running: 192.168.1.17.
- UDP port used by the WireGuard server: 55555.
- OPNsense alias for 192.168.1.17: voute.
As can be seen, there's already an alias for the NAS server. As explained by Dustin Casto, a NAT Port Forward rule is needed for this instance of WireGuard because it is running on a computer on the local network other than the router. So basically we are doing the same thing as was done before for accessing Domoticz, with UDP instead of TCP.
As before, go to Firewall » NAT » Port Forward and click on the [+] Add button. Change or ensure that the following fields have the correct values. Fields not listed below should be left at their default values.
Field | Value |
---|---|
Interface | WAN |
TCP/IP Version | IPv4 |
Protocol | UDP |
Source | Advanced |
Destination | WAN address (§) |
Destination Port range from | (other) 55555 |
Destination Port range to | (other) 55555 |
Redirect target IP | voute |
Redirect target port | (other) 55555 |
Description | To Wireguard on voute / LAN |
NAT reflection | Enable (*) |
(*) - I enabled NAT reflection only temporarily while testing the rule; once satisfied, NAT reflection was reset to Use system default.
(§) - The destination could be any, WAN address or WAN net. WAN address is the IP address assigned to the WAN interface, which is the public IP address of the home network; WAN net is the whole subnet the WAN interface sits in, i.e. the ISP's network; and any matches whatever destination address a packet arriving on WAN carries. I chose WAN address as the most restrictive destination.
As before, the [Save] button at the bottom of the configuration page has to be clicked and then the [Apply changes] button in the top blue banner has to be clicked to activate the new rule.
To test the rule, I used a WireGuard client on an Android tablet to open a VPN tunnel. Once it was opened, it was immediately possible to get to the Domoticz web server using the same URL as I do on the home network: http://192.168.7.45:9090. The Domoticz log file reported that the connection was from voute. Note that a plain port check cannot test this rule: a WireGuard server silently drops packets that are not valid handshakes from a known peer, so the UDP port looks closed from outside whether the forward works or not, and an actual tunnel is the only test.
This confirms that everything works as intended. However this is not the end of the story, because OPNsense supports three virtual private networking implementations: IPsec, OpenVPN and WireGuard. Since the router must be running when using a VPN, while the NAS could be down for whatever reason, it makes sense to move our WireGuard instance from the NAS to OPNsense. When that is done, the NAT Port Forwarding rule will have to be deleted and replaced with a WAN rule. However you might want to read a short post explaining why there will be a delay.