Why isn’t Port Forwarding working in OPNsense? I have the following configuration: HPE DL120 Gen9 with Proxmox VE 9.0.3, running three VMs: OPNsense 25.7 with latest updates, Debian 13 with Apache2, and Debian 13 with 1C-Enterprise. In Proxmox, I’ve created three Linux Bridges: vmbr0 (WAN, bound to physical eno1), vmbr1 (LAN, bound to physical eno2), and vmbr2 (DMZ, not bound to anything). OPNsense owns all three interfaces, the 1C-Enterprise VM only has LAN access, and the Apache2 VM only has DMZ access. I’ve been trying to configure NAT Port Forwarding for three days now, but the site from the DMZ doesn’t respond in the browser. I’ve experimented with rules, allowing IN from all to all on DMZ and WAN interfaces, but the site from the WAN network doesn’t open. tcpdump -i ens18 -n port 8080 shows that incoming traffic arrives, but after a few packets the connection gets reset (RST). I’ve tried various settings, reinstalled OPNsense, recreated bridges in Proxmox, studied OPNsense’s PF and NAT documentation, but to no avail. For comparison, I installed pfSense and with one rule on WAN and one NAT rule (8080 WAN to 8080 in DMZ), everything worked. What could be the problem with OPNsense? Could it be a bug in the state table or a feature of automatic Floating rules? I tried configuring SNAT and enabling/disabling Reflection, but that didn’t help.
Your Port Forwarding Issue in OPNsense is Likely Related to Floating Rules, State Table Issues, or Firewall Configuration
Common causes include rule conflicts, improper interface configuration, or connection state processing issues that often manifest as connection resets (RST).
Contents
- Main Causes of Port Forwarding Issues
- Step-by-Step Diagnosis and Solution
- Floating Rules Configuration
- State Table Problems and Solutions
- OPNsense vs pfSense Comparison
- Optimization Recommendations
Main Causes of Port Forwarding Issues
Port forwarding issues in OPNsense typically arise from several main causes:
Firewall rule conflicts
Rules may be blocking traffic before it reaches the NAT rules. In your case, despite allowing IN from all to all, there may be implicit rules or security policies interfering with traffic processing.
Floating rules behavior
In OPNsense, Floating rules have priority over regular rules. If you have a rule blocking all traffic on the WAN interface, it may process before Port Forwarding rules, leading to connection resets.
State table issues
The state table tracks connection states. If conflicts or overflow occur in the state table, connections may be reset regardless of NAT configuration.
Improper interface configuration
With the three-bridge configuration (vmbr0 for WAN, vmbr1 for LAN, and vmbr2 for DMZ), routing and interface identification issues may arise, especially if vmbr2 is not bound to a physical interface.
Important: tcpdump showing incoming traffic followed by RST resets indicates the issue is at the OPNsense firewall level, not at the client or server level.
Step-by-Step Diagnosis and Solution
1. Basic Configuration Check
Ensure interfaces are properly defined in OPNsense:
# Check active interfaces (virtio NICs under Proxmox appear as vtnetN on FreeBSD/OPNsense)
ifconfig | grep -E "(vtnet|ens|em|igb)"
# Check routing
netstat -rn
2. Testing Without Firewall Rules
Temporarily disable all rulesets and check if Port Forwarding works:
- Go to Firewall > Rules and disable all rules
- Check service availability
- If it works, the issue is with the rules - they need to be configured more carefully
3. Connection State Check
Use utilities to diagnose the state table:
# View state table
pfctl -ss
# Current number of entries in the state table
pfctl -si | grep -A1 "State Table"
# Configured hard limit on states
pfctl -sm
4. Log Analysis
Check system logs for errors:
# OPNsense keeps per-facility logs under /var/log/<facility>/latest.log
tail -f /var/log/system/latest.log | grep -E "(pf|nat|firewall)"
tail -f /var/log/filter/latest.log        # per-packet firewall log (filterlog)
Floating Rules Configuration
Floating rules have the highest priority and can interfere with Port Forwarding. Here’s how to configure them properly:
Correct Rule Sequence
1. First, allow floating rules
   - Allow incoming traffic on WAN interface
   - Allow traffic from DMZ to LAN
2. Then Port Forwarding rules
   - NAT rules for port redirection
3. Finally, blocking rules
   - Default deny policy
Floating Rules Configuration Example
# Allow incoming traffic on WAN (ens18)
pass in log quick on ens18 inet proto tcp from any to any port = 8080 flags S/SA keep state
# Allow traffic from DMZ to LAN
pass in log quick on vmbr2 inet from any to any
Disabling Reflection
In your case, Reflection may be interfering. Try disabling it:
- Go to System > Settings > General
- Set "Disable reflection for port forwards" to enabled
- Restart the service
State Table Problems and Solutions
State Table Problem Symptoms
- Connections reset after several packets (as in your case with RST)
- High CPU usage when processing traffic
- Limited number of concurrent connections
Solutions
Increasing State Table Limits
# Show the current hard limit on states
pfctl -sm
# Temporarily raise the limit for testing (runtime only; the next ruleset reload
# restores the configured value, set permanently under Firewall > Settings > Advanced)
echo "set limit states 100000" > /tmp/limits.conf
pfctl -Omf /tmp/limits.conf    # -O: load only options, -m: merge without resetting others
Clearing State Table
# Clear all states
pfctl -Fs
Configuring State Table Parameters
- Edit /etc/sysctl.conf:
  net.inet.ip.portrange.first=1024
  net.inet.ip.portrange.last=65535
- Apply changes:
  sysctl -w net.inet.ip.portrange.first=1024
  sysctl -w net.inet.ip.portrange.last=65535
OPNsense vs pfSense Comparison
Key Differences in NAT Processing
pfSense:
- Simpler and more predictable NAT processing
- Fewer options for fine-tuning
- Uses simpler rules by default
OPNsense:
- More complex and flexible rule mechanism
- Automatic Floating rules may conflict
- Requires more careful rule configuration
Why pfSense Worked but OPNsense Doesn’t
- Automatic Floating rules in OPNsense may block traffic before NAT processing
- State tracking works differently - OPNsense performs stricter state checks
- Packet processing - OPNsense may have a stricter default policy
Configuration Compatibility
If pfSense worked with simple rules, try copying the logic to OPNsense:
# Simple rule like in pfSense
pass in on ens18 inet proto tcp from any to any port = 8080 flags S/SA keep state
pass out on vmbr2 inet proto tcp from any to any port = 8080 flags S/SA keep state
Optimization Recommendations
1. Minimal Configuration for Testing
Create a minimal configuration for testing:
- Disable all Firewall rules
- Create only necessary Port Forwarding rules
- Temporarily disable IDS/IPS and other services
2. Step-by-Step Rule Configuration
Step 1: Allow incoming traffic on WAN
Step 2: Allow outgoing traffic from DMZ
Step 3: Configure Port Forwarding
Step 4: Allow return traffic
3. Monitoring and Debugging
Use OPNsense’s built-in tools:
- Diagnostics > States for state table monitoring
- Firewall > Log for firewall log viewing
- Diagnostics > Packet Capture for deep packet analysis
4. Alternative Approaches
If standard Port Forwarding doesn’t work, try:
1. Manual PF Configuration
   - Edit /etc/pf.conf directly
   - Add rules manually
2. Using Proxy ARP
   - Enable Proxy ARP on WAN interface
   - Configure redirection at L2 level
3. SNAT instead of DNAT
   - Use outgoing NAT instead of port forwarding
Conclusion
- The main issue is likely related to OPNsense’s automatic Floating rules that block traffic before NAT processing
- The key solution is the correct sequence: first allow rules, then Port Forwarding, then blocking rules
- State table can cause connection resets when overflowing or in conflict
- A step-by-step approach - disable all rules, test with minimal configuration, then add rules one by one
- Alternative methods - manual PF configuration, Proxy ARP, or SNAT may solve the problem if standard Port Forwarding doesn’t work
It’s recommended to start with a minimal configuration and gradually add rules while monitoring each step with logs and tcpdump. If the issue persists, consider manual PF configuration or temporarily using pfSense for critical services.
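The rule examples in the answer above show only pass rules; the translation rule itself, and which address the pass rule must match after translation, is where a hand-written port forward usually goes wrong. The following POSIX shell script is an added example and is not code from the original question or answer, nor from the OPNsense project. It generates the rdr/pass pair one TCP port forward needs, syntax-checks the file with pfctl when run on the firewall, and audits any ruleset on stdin for a pass rule that still targets the WAN address after an rdr. The interface names vtnet0/vtnet2 (FreeBSD virtio names; the asker's ens18 is a Linux-side name), the DMZ address 192.168.30.10 and the scratch path /tmp/portforward-test.conf are assumptions for illustration. On OPNsense the GUI (Firewall > NAT > Port Forward) regenerates the live ruleset on every apply, so the generated file is for parsing and for comparison against `pfctl -sn` / `pfctl -sr`, not a persistent configuration.

```shell
#!/bin/sh
# Added example (not from the original question or answer): generate the rule
# pair that one TCP port forward needs in pf, syntax-check it, and audit any
# ruleset for the classic mistake. Interface names, the DMZ address and the
# output path are assumptions for illustration, not the asker's real values.
# pf applies "rdr" before filtering, so the "pass in" rule on WAN must match
# the translated (DMZ) destination, not the WAN address.
set -eu

# Print a minimal ruleset. Args: WAN ifname, DMZ ifname, DMZ host, TCP port.
gen_portforward_rules() {
    wan_if=$1; dmz_if=$2; dmz_host=$3; port=$4
    cat <<EOF
# minimal port forward WAN:$port -> $dmz_host:$port (generated example)
set skip on lo0
# 1. translation: rewrite the destination before the filter rules run
rdr on $wan_if inet proto tcp from any to ($wan_if) port $port -> $dmz_host port $port
# 2. filter on WAN: match the POST-translation destination and create state
pass in quick on $wan_if inet proto tcp from any to $dmz_host port $port flags S/SA keep state
# 3. let the translated packet leave towards the DMZ segment
pass out quick on $dmz_if inet proto tcp from any to $dmz_host port $port keep state
EOF
}

# Write the ruleset to a file and, where pfctl exists (on the firewall itself),
# parse it without loading it. Prints the file path.
write_and_check() {
    out=${5:-/tmp/portforward-test.conf}      # assumed scratch path
    gen_portforward_rules "$1" "$2" "$3" "$4" > "$out"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$out"                        # -n: parse only, do not load
    fi
    printf '%s\n' "$out"
}

# Audit a ruleset on stdin: for every rdr rule, require a "pass in" rule that
# names the rdr target (post-translation address). Prints "ok <host>" or
# "MISSING <host>" per rdr rule; exit status 1 if anything is missing.
audit_rdr_pass_pairs() {
    rules=$(cat)
    rc=0
    for target in $(printf '%s\n' "$rules" |
                    awk '/^rdr / { for (i = 1; i <= NF; i++) if ($i == "->") print $(i + 1) }'); do
        if printf '%s\n' "$rules" | grep -q "^pass in .* to $target "; then
            echo "ok $target"
        else
            echo "MISSING $target"
            rc=1
        fi
    done
    return $rc
}

# Usage on a workstation: gen_portforward_rules vtnet0 vtnet2 192.168.30.10 8080
# Usage on the firewall:  write_and_check vtnet0 vtnet2 192.168.30.10 8080
```

To compare with what the GUI actually loaded, run `pfctl -sn` (translation rules) and `pfctl -sr` (filter rules) on the firewall and pipe the combined output through `audit_rdr_pass_pairs`; a MISSING line means no pass rule names the forward's target address.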
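The answer recommends reading the state table and watching the log and packet capture, and the question reports a SYN arriving followed by a reset. The POSIX shell script below is an added example, not code from the original question or answer, that turns those two observations into a quick triage: it classifies the `pfctl -ss` states for the forwarded port (a SYN_SENT:CLOSED pair means pf created the state and forwarded the SYN but never saw a SYN-ACK, which points at the DMZ host rather than the NAT rule), and it reports which address sent the RSTs in a `tcpdump -n` capture. The sample lines are constructed to show the shape of the output and use documentation addresses and the assumed interface names vtnet0/vtnet1/vtnet2; on the firewall, feed the functions real `pfctl -ss` and `tcpdump -ni <if> port 8080` output instead.

```shell
#!/bin/sh
# Added example (not from the original question or answer): triage helpers for
# the two things the asker observed, the state table and RSTs in tcpdump.
# The sample lines are CONSTRUCTED to show the output shape (documentation
# addresses, assumed interface names vtnet0/vtnet1/vtnet2); on the firewall,
# feed the functions real output from "pfctl -ss" and "tcpdump -ni <if> port 8080".
set -eu

# Constructed pfctl -ss excerpt: one forwarded connection that completed the
# handshake (two states, WAN side and DMZ side) and one where the SYN was
# translated and sent on but nothing ever came back from the DMZ host.
SAMPLE_STATES='vtnet0 tcp 192.168.30.10:8080 (203.0.113.10:8080) <- 198.51.100.5:51234       ESTABLISHED:ESTABLISHED
vtnet2 tcp 198.51.100.5:51234 -> 192.168.30.10:8080       ESTABLISHED:ESTABLISHED
vtnet0 tcp 192.168.30.10:8080 (203.0.113.10:8080) <- 198.51.100.7:40010       SYN_SENT:CLOSED
vtnet1 udp 192.168.20.1:53 <- 192.168.20.15:5353       MULTIPLE:SINGLE'

# Constructed tcpdump -n excerpt: handshake, one data segment, then a reset
# sent by the forwarded side.
SAMPLE_CAPTURE='12:00:01.000001 IP 198.51.100.5.51234 > 203.0.113.10.8080: Flags [S], seq 1000, win 64240, length 0
12:00:01.000200 IP 203.0.113.10.8080 > 198.51.100.5.51234: Flags [S.], seq 5000, ack 1001, win 65535, length 0
12:00:01.000400 IP 198.51.100.5.51234 > 203.0.113.10.8080: Flags [.], ack 1, win 502, length 0
12:00:01.002000 IP 198.51.100.5.51234 > 203.0.113.10.8080: Flags [P.], seq 1:80, ack 1, win 502, length 79
12:00:01.002300 IP 203.0.113.10.8080 > 198.51.100.5.51234: Flags [R.], seq 1, ack 80, win 0, length 0'

# classify_states PORT: read pfctl -ss output on stdin and print one
# "<verdict> <src:dst>" line per TCP state involving PORT. The last field is
# pf's src:dst TCP state pair; SYN_SENT:CLOSED means pf created the state and
# passed the SYN on but never saw a SYN-ACK, which points at the DMZ host
# (nothing listening, wrong address, or its default gateway is not the
# firewall) rather than at the NAT rule itself.
classify_states() {
    awk -v port="$1" '
        $2 != "tcp"                    { next }
        $0 !~ (":" port "[ )]")        { next }
        {
            pair = $NF
            if (pair == "ESTABLISHED:ESTABLISHED")            verdict = "handshake-complete"
            else if (pair ~ /SYN_SENT/ && pair ~ /CLOSED/)    verdict = "no-reply-from-target"
            else if (pair ~ /FIN_WAIT|CLOSING|TIME_WAIT/)     verdict = "closing"
            else                                               verdict = "other"
            print verdict, pair
        }'
}

# rst_senders: read tcpdump -n output on stdin and print "<address> <count>"
# for every host that sent a TCP segment with the R flag set. A reset produced
# by a pf "block return" rule carries the peer's address, so compare captures
# on the WAN-side and DMZ-side interfaces: an RST present on WAN but absent on
# the DMZ interface was generated by the firewall, not by the DMZ host.
rst_senders() {
    awk '
        $2 == "IP" && /Flags \[[^]]*R[^]]*\]/ {
            src = $3
            sub(/\.[0-9]+$/, "", src)        # strip ".port" from a.b.c.d.port
            n[src]++
        }
        END { for (s in n) print s, n[s] }' | sort
}

# Stand-alone demo on the constructed samples.
printf '%s\n' "$SAMPLE_STATES"  | classify_states 8080
printf '%s\n' "$SAMPLE_CAPTURE" | rst_senders
```

On the firewall the same two commands become `pfctl -ss | classify_states 8080` and `tcpdump -ni vtnet0 -c 50 port 8080 | rst_senders`; run the capture once on the WAN-side and once on the DMZ-side interface and compare the sender lists.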