
Hello, my brother is running an mc server on his computer and wants to port forward it. We tried to port forward it on the OPNsense NAT, but it did work. We tried both his computer's IP and our public IP. Any tips or advice? The server runs on port 25565 on his computer.

https://linustechtips.com/topic/1510985-opnsense-minecraft-portforwarding/

Is Java allowed to communicate on his network through his PC's firewall?

Is the port opened in your router as well as OPNSense?


11 minutes ago, Crunchy Dragon said:

Is Java allowed to communicate on his network through his PC's firewall?

Is the port opened in your router as well as OPNSense?

Yes, ports are open on both, but I think I might have a CG NAT. So can't do anything about it. AT&T has been cucking me so much today.

Edit: I do not have a CG NAT


18 minutes ago, Pog Bob said:

Hello, my brother is running an mc server on his computer and wants to port forward it. We tried to port forward it on the OPNsense NAT, but it did work. We tried both his computer's IP and our public IP. Any tips or advice? The server runs on port 25565 on his computer.

3 things.

1) You need to verify that your ISP provides you with a public IP address; not all do, CGNAT is a thing. If they run CGNAT it makes things way more complicated.

2) You need the port number, protocol (TCP, UDP, or both) and the IP address of the machine that is acting as the server. That IP address needs to never change. There are two ways to accomplish this. 1) Set a static IP on the machine manually, one that falls outside of the DHCP server. 2) See if you can reserve this machine's IP address in the DHCP server. This method is the easiest, as you don't have to screw around with figuring out which addresses fall outside of the DHCP range.

3) You need to make sure the Windows Firewall has been told to allow the server to access the internet.


3 minutes ago, Donut417 said:

3 things.

1) You need to verify that your ISP provides you with a public IP address; not all do, CGNAT is a thing. If they run CGNAT it makes things way more complicated.

2) You need the port number, protocol (TCP, UDP, or both) and the IP address of the machine that is acting as the server. That IP address needs to never change. There are two ways to accomplish this. 1) Set a static IP on the machine manually, one that falls outside of the DHCP server. 2) See if you can reserve this machine's IP address in the DHCP server. This method is the easiest, as you don't have to screw around with figuring out which addresses fall outside of the DHCP range.

3) You need to make sure the Windows Firewall has been told to allow the server to access the internet.

I set up the router again and the port forward works. When I go behind the OPNsense it stops working. Note both are port forwarded.


Just now, Pog Bob said:

I set up the router again and the port forward works. When I go behind the OPNsense it stops working. Note both are port forwarded.

So you have two routers? Because OPNsense is generally run as a router OS. If you have a two-router setup or two firewalls, that's your issue. It's the reason why I said CGNAT would be a problem.


32 minutes ago, Donut417 said:

So you have two routers? Because OPNsense is generally run as a router OS. If you have a two-router setup or two firewalls, that's your issue. It's the reason why I said CGNAT would be a problem.

I have the ISP router in bridge mode. I can't get rid of it. AT&T requires me to use their equipment.


Just now, Pog Bob said:

I have the ISP router in bridge mode. I can't get rid of it. AT&T requires me to use their equipment.

Then you shouldn't need to do anything at that box. Bridge mode / IP pass-thru mode turns off the router part. My guess is you have something misconfigured in OPNsense. I have never used OPNsense to know what the firewall settings look like.


13 minutes ago, Donut417 said:

Then you shouldn't need to do anything at that box. Bridge mode / IP pass-thru mode turns off the router part. My guess is you have something misconfigured in OPNsense. I have never used OPNsense to know what the firewall settings look like.

I will look into the configs then and see


3 hours ago, Pog Bob said:

I set up the router again and the port forward works. When I go behind the OPNsense it stops working. Note both are port forwarded.

Can you clarify what you mean here? Was this a test with only the AT&T router in use? Did you verify OPNsense was correctly getting assigned the public IP address when the main router was in bridge mode?

One thing people also often get confused about is that when accessing the server from the LAN you should use the LAN IP address of the server to connect, as by default OPNsense probably doesn't do NAT reflection and it's also a waste of resources to do so (any traffic over NAT reflection is wasting CPU power on the router and adding latency, though minor) when you can simply connect directly.

When accessing from outside your LAN then obviously you use the public IP address from your ISP.

This can also be replicated with a domain name if you use something like DDNS by overriding it in the DNS resolver/forwarder to spoof the LAN IP for that domain for anything on the LAN asking for DNS for that domain name.


37 minutes ago, Alex Atkin UK said:

Can you clarify what you mean here? Was this a test with only the AT&T router in use? Did you verify OPNsense was correctly getting assigned the public IP address when the main router was in bridge mode?

One thing people also often get confused about is that when accessing the server from the LAN you should use the LAN IP address of the server to connect, as by default OPNsense probably doesn't do NAT reflection and it's also a waste of resources to do so (any traffic over NAT reflection is wasting CPU power on the router and adding latency, though minor) when you can simply connect directly.

When accessing from outside your LAN then obviously you use the public IP address from your ISP.

This can also be replicated with a domain name if you use something like DDNS by overriding it in the DNS resolver/forwarder to spoof the LAN IP for that domain for anything on the LAN asking for DNS for that domain name.

Yes, it was a test only using the AT&T router. I did check some guides, and my OPNsense config seems correct, but it took me 2 days to set up OPNsense, and my networking knowledge base is too small. Which btw, if you have any tips on where I can learn about networking, that would be nice. I am getting off point, but I tried both the public IP of the AT&T router with OPNsense, and the WAN IP of the OPNsense, and neither worked.


41 minutes ago, Pog Bob said:

Yes, it was a test only using the AT&T router. I did check some guides, and my OPNsense config seems correct, but it took me 2 days to set up OPNsense, and my networking knowledge base is too small. Which btw, if you have any tips on where I can learn about networking, that would be nice. I am getting off point, but I tried both the public IP of the AT&T router with OPNsense, and the WAN IP of the OPNsense, and neither worked.

I don't really know a good resource; my knowledge is 30 years of researching things as I needed them. Even now I often find most websites do a poor job of explaining things in plain English.

Hmmm, they are different? I'm wondering how the ATT router is doing bridge mode, as I'd expect the ATT to no longer HAVE a public IP as it's passing it to OPNsense.

Also, where are you testing this from? As I mentioned, you need to be on a different connection to test if port forwarding is working. I use a mobile/cell connection to do this.

From the LAN side of OPNsense, the public IP address effectively does not exist without NAT reflection, which as I mentioned is not recommended for performance reasons. Enabling it won't necessarily prove port forwarding is working from the WAN side anyway.

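The check raised in this thread (is the WAN address really public, and does it match what the internet sees?) can be written down as a small diagnostic. This is an added example, not code from any poster; the function names and the sample addresses are constructed, and it only handles IPv4.

```python
import ipaddress

# Ranges that cannot receive unsolicited inbound traffic from the internet.
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # RFC 1918


def classify_wan(addr: str) -> str:
    """Classify the IPv4 address assigned to the firewall's WAN interface."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in PRIVATE):
        return "private"
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return "invalid"
    return "public"


def diagnose(wan_addr: str, seen_from_internet: str) -> str:
    """Compare the WAN address with the address an outside service reports."""
    kind = classify_wan(wan_addr)
    if kind == "cgnat":
        return "CGNAT: the ISP is translating, inbound forwards cannot work here"
    if kind == "private":
        return "double NAT: the ISP gateway is still routing in front of the firewall"
    if kind == "invalid":
        return "no usable WAN address: check the lease from the gateway"
    if ipaddress.ip_address(wan_addr) != ipaddress.ip_address(seen_from_internet):
        return "WAN is public but differs from the observed address: another hop rewrites it"
    return "WAN holds the public address: only this firewall's rules matter"


if __name__ == "__main__":
    # Constructed samples (documentation and private ranges), not from the thread.
    samples = [
        ("203.0.113.7", "203.0.113.7"),   # passthrough working
        ("192.168.1.64", "203.0.113.7"),  # gateway still doing NAT
        ("100.72.10.5", "198.51.100.9"),  # carrier-grade NAT
        ("203.0.113.7", "198.51.100.9"),  # mismatch
    ]
    for wan, seen in samples:
        print(f"{wan:>14} vs {seen:<14} -> {diagnose(wan, seen)}")
```

The first argument is the address shown on the firewall's WAN interface; the second is what a device on another connection, such as a phone on mobile data, is told when it looks up the home connection's address.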

10 minutes ago, Alex Atkin UK said:

I don't really know a good resource; my knowledge is 30 years of researching things as I needed them. Even now I often find most websites do a poor job of explaining things in plain English.

Hmmm, they are different? I'm wondering how the ATT router is doing bridge mode, as I'd expect the ATT to no longer HAVE a public IP as it's passing it to OPNsense.

Also, where are you testing this from? As I mentioned, you need to be on a different connection to test if port forwarding is working. I use a mobile/cell connection to do this.

From the LAN side of OPNsense, the public IP address effectively does not exist without NAT reflection, which as I mentioned is not recommended for performance reasons. Enabling it won't necessarily prove port forwarding is working from the WAN side anyway.

Both local testing and cell devices. AT&T doesn't have true bridge mode; that is the only problem. I did contact them, and they told me I have to turn off packet filtering and turn on passthrough on my router to the MAC address of the device I want to use (AKA the OPNsense box).


1 hour ago, Pog Bob said:

Both local testing and cell devices. AT&T doesn't have true bridge mode; that is the only problem. I did contact them, and they told me I have to turn off packet filtering and turn on passthrough on my router to the MAC address of the device I want to use (AKA the OPNsense box).

Ah, so it's probably just using some sort of DMZ, should still work.

Have you tried doing a port scan from the Internet? Might be easier to plug the Minecraft PC directly into the AT&T, bridge to that and see if it's still showing the port as closed. Be aware the firewall will probably change to Public if you do, so make sure that port is opened again on the PC.
