NeuroAgent

Why is Port Forwarding not working in OPNsense?

Complete guide to troubleshooting Port Forwarding issues in OPNsense: asymmetric routing, state table, Floating rules and NAT Reflection. Step-by-step instructions for your DMZ configuration.

Question

Why isn’t Port Forwarding working in OPNsense? I have the following configuration: HPE DL120 Gen9 with Proxmox VE 9.0.3, running three virtual machines: OPNsense 25.7 with latest updates, Debian 13 with Apache2, and Debian 13 with 1C-Enterprise. In Proxmox, I’ve created three Linux Bridges: vmbr0 (WAN, bound to physical interface eno1), vmbr1 (LAN, bound to physical interface eno2), and vmbr2 (DMZ, not bound to anything). OPNsense owns all three interfaces, the 1C-Enterprise VM only has LAN access, and the Apache2 VM only has DMZ access. I’ve been trying to configure NAT Port Forwarding for three days now, but the site from DMZ doesn’t respond in the browser. As an experiment, I allowed incoming traffic from all to all on the DMZ and WAN interfaces in OPNsense, but the site from the WAN network still doesn’t open. tcpdump shows that incoming traffic arrives, but after a few packets, the connection is reset (RST). I’ve tried many rule variations, reinstalled OPNsense, recreated the bridges in Proxmox, studied the OPNsense PF and NAT documentation, but the problem persists. For comparison, I installed pfSense and with minimal settings (one rule on WAN and one rule for NAT), everything worked. What could be causing the problem in OPNsense? Could it be a bug in the state table or are some automatic Floating rules interfering with Port Forwarding?

NeuroAgent

The main problem with Port Forwarding in your OPNsense configuration is most likely related to asymmetric routing or state table issues, as well as the peculiarities of how Floating rules work in OPNsense. Your complex network architecture with three bridges in Proxmox and a DMZ segment creates conditions that often cause such problems.


Common causes of Port Forwarding issues

Based on the analysis of your case and research, the main reasons why Port Forwarding doesn’t work in OPNsense include:

  1. Asymmetric routing - the most common culprit
  2. Issues with using aliases instead of fixed IP addresses
  3. Conflicts between automatic Floating rules and manual rules
  4. State table issues, especially in complex network configurations
  5. Missing NAT Reflection for traffic from DMZ to LAN

Your configuration with three bridges in Proxmox and a DMZ segment creates perfect conditions for these problems to occur.


Asymmetric routing and reply-to

Asymmetric routing is the most common issue that OPNsense users encounter when setting up Port Forwarding, especially in configurations with DMZ.

The problem: traffic arrives on WAN, is translated by NAT and forwarded to the DMZ, but the DMZ server’s replies may take a different path back toward the client, bypassing OPNsense. Because pf never sees the reply, the state it created for the forwarded SYN is never completed, and the connection stalls or is reset.

Solution: In your NAT Port Forward settings, you need to ensure that the “reply-to” option for the WAN interface is enabled.

As noted in Reddit discussions: “This is a well-known asymmetric routing problem, you need to make sure the reply-to is set for WAN and if you have NAT Port Forwarding for VPN interface or other secondary WAN, disable automatic firewall rule creation and create manually.”

In the OPNsense interface, this is configured in Firewall > NAT > Port Forward - by editing the rule and checking that the “Reply-to” field is set correctly.


Issues with Aliases and state table

Your problems may be exacerbated by using aliases in NAT rules. As shown in OPNsense bug reports:

“After upgrading to OPNsense 18.1.b_273-amd64 my NAT Port Forward rules stopped working. All traffic was suddenly blocked by the ‘Default deny’ rule on the WAN interface… After changing from using Alias to fixed IP address in all NAT Port Forward rules, everything started working again.”

Recommendation: Temporarily replace all aliases in NAT Port Forward rules with fixed IP addresses of the DMZ server (Apache2 VM). This will help eliminate issues with name resolution and state table.

Also try to reset the state table via Firewall > Diagnostics > States > Actions > Reset State Table. As users note, this often resolves issues with “stuck” connection states.


Setting up Floating rules

In OPNsense, when using multiple interfaces in Port Forward rules, Floating rules are automatically created. As explained in the OPNsense documentation:

“If multiple interfaces are selected in a Port Forward rule, the associated filter rule will appear in Firewall > Rules > Floating.”

Important: Floating rules in OPNsense have priority 200000, while regular interface rules have priority 400000. This means Floating rules are processed first.

If you have conflicting rules, they may interfere with Port Forwarding operation. Check the Firewall > Rules > Floating section and remove or modify any rules that might be blocking traffic to your DMZ server.


Solution through NAT Reflection

For your configuration with DMZ, you may need to enable NAT Reflection. As one Reddit user reports:

“For anyone who has encountered this problem, I solved it by enabling ‘Reflection for port forwards’. This parameter can be found in Firewall > Settings > advanced.”

NAT Reflection allows internal clients to access servers through the external IP address, solving routing issues.

In the OPNsense documentation, the mechanism is explained: “If a packet is accepted by OPNsense on any of the WAN, DMZ and LAN interfaces with TCP protocol… rewrite the destination IP to 172.16.1.1 and destination port to 443.”

For your configuration, this may be critically important.


Step-by-step setup for your configuration

Based on your architecture, I recommend the following sequence of actions:

  1. Temporarily disable the firewall completely for testing:

    • Go to System > Settings > Firewall
    • Check “Disable all firewall (including NAT) features of this machine”
    • Check if the site is accessible - if it works, the problem is in the firewall rules
  2. Create a basic NAT Port Forward rule:

    • Interface: WAN
    • External port: 80 (or 443 for HTTPS)
    • Internal IP: fixed IP of Apache2 VM in DMZ (not an alias!)
    • Protocol: TCP
    • Check “Reply-to WAN interface”
  3. Check Floating rules:

    • Make sure there are no conflicting rules
    • If necessary, create a manual rule in Floating to allow traffic to the internal IP
  4. Enable NAT Reflection:

    • Firewall > Settings > Advanced
    • Find “Reflection for port forwards” and set it to “Enable”
  5. Check the state table status:

    • Firewall > Diagnostics > States
    • Make sure connections are being created correctly
    • If necessary, reset the state table

Diagnostics and verification

For further diagnostics, use the following commands. The pfctl commands run in the OPNsense shell. The tcpdump commands as written use the Proxmox bridge names (vmbr0, vmbr2) and therefore run on the Proxmox host; inside the OPNsense VM you would use the VM’s own interface names instead (e.g. vtnetX for virtio NICs).

  1. Check the NAT table:

```bash
pfctl -s nat
```

  2. Check firewall rules:

```bash
pfctl -s rules
```

  3. Monitor connection states (replace Apache2_IP with the fixed address of the Apache2 VM in the DMZ):

```bash
pfctl -s states | grep Apache2_IP
```

  4. Use tcpdump for analysis, capturing on the WAN side and the DMZ side at the same time (on the Proxmox host):

```bash
tcpdump -ni vmbr0 port 80
tcpdump -ni vmbr2 port 80
```

Your observation about connection resets (RST) indicates that OPNsense sees incoming traffic but something is blocking the return path. Most likely, this is either a state table issue or incorrect routing in the DMZ segment.
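The state table is the quickest way to tell those two cases apart: a forwarded connection whose pair reads CLOSED:SYN_SENT means pf sent the SYN on to the DMZ but never saw the SYN-ACK come back, while ESTABLISHED:ESTABLISHED means the forward itself is fine. The following parser for `pfctl -s states` output is an added example, not part of the original answer or of OPNsense; the sample lines, the vtnetX interface names, the WAN address 203.0.113.10 and the Apache2 VM address 172.16.1.10 are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of `pfctl -s states` output, not captured from a real box.
# Assumed: virtio NICs vtnetX in the OPNsense VM, WAN 203.0.113.10, Apache2 VM 172.16.1.10.
SAMPLE_STATES = """\
vtnet0 tcp 172.16.1.10:80 (203.0.113.10:80) <- 198.51.100.5:51234       CLOSED:SYN_SENT
vtnet0 tcp 172.16.1.10:80 (203.0.113.10:80) <- 198.51.100.7:40022       CLOSED:SYN_SENT
vtnet1 udp 192.168.1.20:53 -> 9.9.9.9:53       MULTIPLE:SINGLE
vtnet0 tcp 172.16.1.10:443 (203.0.113.10:443) <- 198.51.100.9:60001       ESTABLISHED:ESTABLISHED
"""

# Layout: iface proto left [(original-addr)] <-|-> right  state:state
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+?)(?:\s+\((?P<orig>\S+)\))?"
    r"\s+(?P<dir><-|->)\s+(?P<right>\S+)\s+(?P<states>\S+)$"
)

def parse_states(text):
    """Parse pfctl -s states output into dicts; non-matching lines are skipped."""
    matches = (STATE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def diagnose(text, internal_ip, port):
    """Classify the inbound (rdr) states for internal_ip:port and return (verdict, counts)."""
    want = f"{internal_ip}:{port}"
    hits = [e for e in parse_states(text)
            if e["proto"] == "tcp" and e["dir"] == "<-" and e["left"] == want]
    counts = Counter()
    for e in hits:
        pair = set(e["states"].split(":"))
        if pair == {"ESTABLISHED"}:
            counts["established"] += 1
        elif pair == {"CLOSED", "SYN_SENT"}:  # SYN went out to the DMZ, no SYN-ACK seen by pf
            counts["half_open"] += 1
        else:
            counts["other"] += 1
    if not hits:
        verdict = "no state: the rdr rule did not match or the SYN was dropped on WAN"
    elif counts["established"]:
        verdict = "forward works at the pf level; look at the web server or its host firewall"
    elif counts["half_open"]:
        verdict = ("SYN forwarded but no SYN-ACK returned through pf: "
                   "check the return path (asymmetric routing, reply-to) and the DMZ host firewall")
    else:
        verdict = "unusual state pairs; inspect them individually"
    return verdict, dict(counts)
```

Feed it the real output (`pfctl -s states > states.txt`) and the Apache2 VM’s fixed address; a half-open verdict points at the return path, an absent state points at the rdr rule or the WAN filter rule.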

If pfSense worked with minimal settings, this confirms that the problem is specific to OPNsense and is related to its more complex rule processing system.


Sources

  1. NAT Port Forwarding not working at all - Reddit discussion
  2. Reflection and Hairpin NAT - OPNsense documentation
  3. NAT Port Forward Alias not working - GitHub issue
  4. Rules - OPNsense documentation
  5. Network Address Translation - OPNsense documentation
  6. OPNsense behind ISP router and port forwarding - Reddit discussion

Conclusion

  1. The most likely cause of your problem is asymmetric routing between WAN and DMZ segments, requiring proper “reply-to” configuration in NAT rules.

  2. Be sure to replace aliases with fixed IP addresses in all NAT Port Forward rules to eliminate state table issues.

  3. Enable NAT Reflection in firewall settings - this is critically important for your DMZ configuration.

  4. Check and if necessary clear Floating rules - they may conflict with your manual settings due to differences in processing priority.

  5. Use OPNsense diagnostic tools (tcpdump, pfctl) to accurately determine the connection reset point.

If the problem isn’t resolved after these steps, you might consider an alternative network architecture or temporarily use pfSense for critical services until a solution for OPNsense is found.