SOLVED OPNSense Port Forward To Jails

quasi51

Cadet
Joined
Feb 25, 2021
Messages
5
Hello Friends,

I'm struggling to get external (WAN) access to jails like NextCloud or Sonarr. Before you reach for that reply button to write a treatise on why exposing jails directly to the internet is terrible practice, I'm aware and understand that. This isn't the long-term plan. I'll put it all behind Nginx/HAProxy or a VPN. But I can't seem to do a basic port forward to the jails, which makes me think something is wrong. I'd like to see the port forward work for testing purposes before I get started learning how to configure a reverse proxy.

I'm on OPNSense 21.1.2. Let's Encrypt is grabbing a cert for my public IP which is being updated via a DuckDNS FQDN. The Nextcloud jail is currently being assigned a static IP by OPNSense but I've also tried several variations of assigning an IP statically and using NAT with port forwarding in the network settings. I've port forwarded HTTP/HTTPS as well as custom ports to the nextcloud jail without any luck. I can reach the Nextcloud install locally but I can't see it from outside the network. I've also tried port forwarding to a Sonarr jail that is accessible internally but I also can't reach it from the WAN.

I'm wondering if anyone has experience port forwarding to NextCloud (or any jail) from an OPNSense box? What other information do I need to include for this to be a useful question? Perhaps this is an OPNSense issue and not a problem with TrueNAS.

Thanks in advance for any help.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
What do ifconfig -a and netstat -nr inside your jail say?

Besides:
to write a treatise on why exposing jails directly to the internet is terrible practice
Why would anyone write that? Running Internet-facing services in an isolated environment is one of the reasons jails exist. Of course you can "publish" your Nextcloud ...
 

quasi51

Cadet
Joined
Feb 25, 2021
Messages
5
Thanks for the reply. When I was searching earlier I thought I saw a lot of pushback against opening ports directly to services behind the firewall but maybe I misunderstood. Regardless, this is the output of those two commands. I currently have it set to NAT and forward 80/443 to the jail from 8282/9292 on the host. There are 2 nics in the box but I'm only using one at the moment. It seems simpler to me to have the jail grab an IP via DHCP and have the router set that to something static. But, I'm open to any suggestions at this point.

Sorry about the formatting... I'm still trying to figure out how to copy and paste properly from the shell.


Code:
root@nextcloud:~ # ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=0<> metric 0 mtu 33160
        groups: pflog
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 92:b1:1c:ba:b5:82
        hwaddr 02:be:a3:e9:47:0b
        inet 172.16.0.2 netmask 0xfffffffc broadcast 172.16.0.3
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=1<PERFORMNUD>
root@nextcloud:~ #


Code:
root@nextcloud:~ # netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            172.16.0.1         UGS     epair0b
127.0.0.1          link#1             UH          lo0
172.16.0.0/30      link#3             U       epair0b
172.16.0.2         link#3             UHS         lo0

Internet6:
Destination        Gateway            Flags     Netif Expire
::/96              ::1                UGRS        lo0
::1                link#1             UH          lo0
::ffff:0.0.0.0/96  ::1                UGRS        lo0
fe80::/10          ::1                UGRS        lo0
fe80::%lo0/64      link#1             U           lo0
fe80::1%lo0        link#1             UHS         lo0
ff02::/16          ::1                UGRS        lo0
root@nextcloud:~ #
 

quasi51

Cadet
Joined
Feb 25, 2021
Messages
5
Just wanted to follow up and say that I've partially figured out my issue. I was testing access outside my LAN on a hotspot on my phone and forgot to turn off the phone WiFi. Basically, I wasn't actually getting outside my own network. Once I got onto the cellular signal the forward to the jail worked right away. So, now I need to figure out split DNS or reflection so I can set NextCloud to my FQDN and have it work inside and outside the firewall.

Thanks for the help.
 

quasi51

Cadet
Joined
Feb 25, 2021
Messages
5
Last post (hopefully) in case anyone else is struggling to pair NextCloud with OPNSense. Under Firewall --> Settings --> Advanced, I needed to enable "reflection for port forwards". You may also need "Reflection for 1:1" and "Automatic outbound NAT for Reflection". I realize that I haven't actually solved an issue here but this can be marked as SOLVED if an admin wants to do that. Thanks
 
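As an added illustration of what the "Reflection for port forwards" and "Automatic outbound NAT for Reflection" settings do underneath, here is a hand-written pf ruleset (not from this thread, and not the rules OPNsense actually generates) for the two-hop setup described above: OPNsense forwards the public port to the TrueNAS host, and the host's iocage NAT forwards that port on to the jail. Only the jail address 172.16.0.2 and the ports 80/443 and 8282/9292 come from the posts; the interface names, the LAN subnet, the NAS address and the public address are assumed placeholders.

```pf
# ===== Firewall (OPNsense) side, assumed names and addresses =====
ext_if  = "vtnet0"          # assumed WAN interface
int_if  = "vtnet1"          # assumed LAN interface
wan_ip  = "203.0.113.10"    # placeholder public address (TEST-NET-3)
lan_net = "192.168.1.0/24"  # assumed LAN subnet
nas_ip  = "192.168.1.20"    # assumed TrueNAS host LAN address

# Plain port forward: public 443 -> TrueNAS host port 9292 (host then
# hands 9292 to the jail's 443). This alone only works from the WAN side.
rdr pass on $ext_if proto tcp from any to $wan_ip port 443 -> $nas_ip port 9292

# "Reflection for port forwards": repeat the same translation on the LAN
# interface, so a LAN client that resolved the FQDN to the public address
# is redirected instead of being dropped or answered by the firewall itself.
rdr pass on $int_if proto tcp from $lan_net to $wan_ip port 443 -> $nas_ip port 9292

# "Automatic outbound NAT for Reflection" (hairpin): rewrite the source of
# those reflected connections to the firewall's LAN address. Without this the
# NAS would answer the LAN client directly, the client would see a reply from
# 192.168.1.20 instead of 203.0.113.10, and the TCP handshake would fail.
nat on $int_if proto tcp from $lan_net to $nas_ip port 9292 -> ($int_if)

# ===== TrueNAS host side, equivalent of iocage NAT-mode rules (assumed) =====
nas_lan_if = "igb0"         # assumed host NIC
jail_net   = "172.16.0.0/30" # /30 from the jail's ifconfig output
jail_ip    = "172.16.0.2"    # jail side of the epair, from the thread

# Host ports 8282/9292 -> jail ports 80/443
rdr pass on $nas_lan_if proto tcp from any to ($nas_lan_if) port 8282 -> $jail_ip port 80
rdr pass on $nas_lan_if proto tcp from any to ($nas_lan_if) port 9292 -> $jail_ip port 443

# Jail egress: masquerade the private /30 behind the host's LAN address
nat on $nas_lan_if from $jail_net to any -> ($nas_lan_if)
```

Split DNS (an override in the firewall's resolver that answers the FQDN with 192.168.1.20 for LAN clients) avoids the hairpin entirely, which is why it is usually preferred over reflection: reflected traffic makes two extra passes through the firewall and hides the real client address from the jail's logs.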