Photo by Adi Goldstein / Unsplash

OPNSense - How to setup Port Forwarding

opnsense Feb 15, 2024

I recently got static IP from my ISP and Bam! Now I can host websites/anything with this. I recently switched from pfSense to OPNSense as my router and now that I have Static IP, I decided to move ahead with Port Forwarding 80 and 443 to my Nginx Proxy Manager. NPM can further proxy to my internal services along with SSL/TLS.

To get started, Firstly I configured Static IP + PPPoE on my WAN Interface (More details here). Now my WAN interface directly has Public IP attached to it.

Further, I went ahead and disabled the WebUI to not listen on WAN interface. This is important!

Go to System > Settings > Administration and in the Listen Interfaces list, untick WAN

I have also disabled it on my WIFI Interface which is the Guest Network. Since I also have Tailscale running, I have enabled to listen on tailscale interface, so I can connect remotely to OPNsense if needed.

I also changed the listen port to 8443 instead of 443. Just making sure even if someone tries to access with default ports, they shouldn't be able to. Once done, Hit Save at bottom of the page.

This should make sure that the OPNsense login is only shown in LAN and not on WAN. Hence making 80 & 443 port on WAN available, which is what we need for port forwarding.

Now, Go to Firewall > NAT > Port Forward (Do not modify the anti-lockout rule)

  1. Create a new rule by pressing '+' at top right of the page
  2. Choose the following here:
    1. Interface - WAN
    2. TCP/IP Version - IPv4
    3. Protocol - TCP/UDP
    4. Destination - WAN Address
    5. Destination port range - HTTP to HTTP
    6. Redirect Target IP - Put IP address of your reverse proxy here
    7. Redirect Target port - HTTP
    8. Description - Port Forward rule to forward traffic from WAN(80) to Proxy(80)
    9. Filter rule association - Make sure you select your rule here. (Important!! As it will automatically add relevant rules in WAN Interface. Else you might need to add them manually)
  3. Click 'Save'

Above configuration is to forward incoming traffic on WAN port 80 to a reverse proxy running in my homelab on port 80. You can modify it as per your needs. I also did the same for HTTPS as well.

That's it! If you type your public IP in your browser, you should be able to hit your reverse proxy or any service you configured above.