
I want to forward ICMP and specific TCP and UDP ports on OPNsense but I'm unable to find a concise solution. Specifically I want to forward ICMP, http, https and UDP 32768-65535.

I'm adding a new port forward in the port forwarding section ("Firewall>NAT>Port Forward"). Here if I select "any" protocol, then I cannot specify TCP/UDP ports. If I select TCP/UDP in protocol then specified ports will be open for both TCP and UDP and I cannot specify ICMP with this. I can create separate rules for separate protocols but it seems unintuitive.

Will be glad to provide any further clarification if required.

Thanks in advance.

Update: I understand only TCP/UDP has the concept of ports. I want to forward ICMP port for testing/reachability check and I'm forwarding an IP from my BGP network, not one assigned to any interface like WAN. UDP 32768-65535 for a videoconferencing app (BigBlueButton). The UDP ports are not required in my case as my BigBlueButton and coturn instance are both inside the firewall.

I think it would be more intuitive if I could list all ports/forwards for a NAT mapping in a single place. I felt there may be some way to enter a list like the following for a NAT: TCP/80, TCP/443, TCP/22, UDP/100:200, ICMP

From the current answer I think this is not available. I will submit a feature request.

  • The feature request is likely to be ignored or answered negatively. What you ask fundamentally doesn't make sense; the underlying PF would have to handle this as multiple rules. pfSense (and OPNsense) tries to have a close mapping between underlying rules and what you see (and configure) in the web UI. – vidarlo Jun 22 '21 at 10:00
  • Oh! Thanks for the clarification. We are planning to migrate from Sophos UTM and I found this concept of Sophos a bit more organised. Have to live with the new interface then. – Saumya Kanta Swain Jun 22 '21 at 10:07
  • @vidarlo I don't know the exact internals but we can already specify an alias. In this case pfSense must be looping over the ports in an alias and creating separate rules. So if the aliases could optionally store the protocols along with the port then it can be nice. – Saumya Kanta Swain Jun 22 '21 at 10:28
  • PF can do port ranges as well :) – vidarlo Jun 22 '21 at 11:19
  • @vidarlo Ya, I know about port range. I can set a port range or even an alias range. But my issue is clubbing multiple protocols like 'x' port on TCP but 'y' on UDP. There is a protocol option TCP/UDP but it will open the same ports for both TCP and UDP. Created separate forwards for TCP and UDP at the moment. Will see what best can be done. – Saumya Kanta Swain Jun 22 '21 at 11:39

1 Answer

Only TCP and UDP have the concept of ports. If you specify any as protocol, you can't specify ports, as it's not relevant for most protocols.

You'll have to make multiple forwarding rules:

  • ICMP
  • HTTP and HTTPS (80, 443)
  • UDP ports

This is not a problem; you can have as many forwarding rules as you want, all forwarding to the same destination.

vidarlo
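To make the "one rule per protocol" point concrete, here is an added example (not from the answer, and not the ruleset OPNsense itself generates) of the three forwards written as FreeBSD pf `rdr` rules. The interface name `em0`, the routed public address `203.0.113.10` and the internal host `192.0.2.10` are constructed placeholders.

```pf
# Constructed example, not OPNsense's generated ruleset: the three port forwards
# from the answer, written as the FreeBSD pf 'rdr' rules the firewall needs.
# Assumed placeholders: WAN interface em0, routed (BGP) public address
# 203.0.113.10, internal host 192.0.2.10.
ext_if = "em0"
pub_ip = "203.0.113.10"
srv_ip = "192.0.2.10"

# ICMP has no ports, so this rule carries no 'port' clause at all.
rdr pass on $ext_if inet proto icmp from any to $pub_ip -> $srv_ip

# HTTP and HTTPS: one TCP rule with a port list; without an explicit
# destination port on the right-hand side, pf keeps the original port.
rdr pass on $ext_if inet proto tcp from any to $pub_ip port { 80 443 } -> $srv_ip

# Videoconferencing media: one UDP rule covering the whole range (a:b syntax).
rdr pass on $ext_if inet proto udp from any to $pub_ip port 32768:65535 -> $srv_ip
```

Each line is exactly one forward in the "Firewall>NAT>Port Forward" UI, which is the one-to-one mapping the comments describe. The `pass` modifier lets matching packets skip the filter rules entirely, so in a production ruleset it is safer to drop it and write explicit `pass in` rules that restrict sources and ICMP types.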