How to create a firewall rule with OPNsense

Learn how to create a NAT firewall rule to route WAN SSH traffic to a specific LAN IP address with OPNsense.


So you have OPNsense installed as your firewall appliance in your data center. Now what? With the platform up and running, your next step is to start creating firewall rules, to keep your network and systems protected. How do you do that? Because OPNsense offers a web-based GUI, the task is actually pretty simple.

I'm going to walk you through the creation of a single firewall rule, with the help of the OPNsense GUI. To demonstrate this tool, I will show you how to allow SSH traffic from the WAN to a specific IP address on your network. Let's make this happen.


What you need

The only things you need are a running instance of OPNsense, an administrator account to log in with, and the destination IP address to which the traffic should be routed. (See: How to install the OPNsense Firewall/Router distribution.)

Create the rule

Once you log into OPNsense with the root account, click on Firewall (in the left navigation). From that expanded menu, click NAT (Network Address Translation), which will reveal Port Forward (Figure A).


Figure A: We're going to use Port Forwarding for our new rule.

Click Port Forward, which will open the rules for this type (Figure B).


Figure B: Our current NAT rules.

To add a new NAT rule, click Add in the top right corner. In the resulting window (Figure C), you configure the rule.


Figure C: The OPNsense rule entry window.

Here are the options to use for the new Network Address Translation rule:

  • Interface: WAN
  • TCP/IP Version: IPv4
  • Protocol: TCP
  • Source: Any
  • Source port range: Any
  • Destination: LAN net
  • Destination port range: Any (for both the from and to fields)
  • Redirect target IP: Single host or Network (which will then require you to enter the IP address you want to route SSH traffic to)
  • Redirect target port: SSH
  • Description: SSH from WAN to X (where X is the destination IP address)
  • Set local tag (Optional): SSH_NAT
  • Filter rule association: None

Once you fill out that information, click Save at the bottom of the page and then click Apply changes (so your rule will take effect). After clicking Apply changes, your rule should be working, and SSH traffic from the WAN will be directed to the redirect target IP address you set.
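As an added check (not part of the original article), you can confirm from the OPNsense shell that the forward actually took effect: OPNsense compiles port forwards into pf `rdr` rules, and `pfctl -sn` lists the active NAT rules. The script below parses that output and looks for the rule the form above should have produced; the sample output, the WAN interface name em0, the LAN net 10.0.0.0/24 and the target 10.0.0.25 are all constructed for this example.

```python
"""Verify that an OPNsense port forward is active in pf.

Feed this the text of `pfctl -sn` from the appliance (here a constructed
sample) and it reports whether an rdr rule matching the GUI fields exists.
"""
import re

# Constructed sample in pf rdr syntax. Real `pfctl -sn` output may differ
# slightly (interface names, service names instead of port numbers), so
# adjust RDR_RE if a rule you can see is not being picked up.
SAMPLE_PFCTL_SN = """\
no nat on lo0 inet all
rdr on em0 inet proto tcp from any to 10.0.0.0/24 -> 10.0.0.25 port 22
rdr on em0 inet proto tcp from any to 10.0.0.0/24 port = 443 -> 10.0.0.30 port 443
"""

RDR_RE = re.compile(
    r"^rdr(?:\s+pass)?\s+on\s+(?P<iface>\S+)\s+(?P<af>inet6?)\s+proto\s+(?P<proto>\S+)"
    r"\s+from\s+(?P<src>\S+)(?:\s+port\s+=?\s*(?P<sport>\S+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s+=?\s*(?P<dport>\S+))?"
    r"\s+->\s+(?P<target>\S+)(?:\s+port\s+(?P<tport>\S+))?\s*$"
)


def parse_rdr_rules(pfctl_output):
    """Return one dict per rdr rule found in `pfctl -sn` text."""
    rules = []
    for line in pfctl_output.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            rule = m.groupdict()
            # pf prints no port clause when the GUI field was "Any"
            rule["sport"] = rule["sport"] or "any"
            rule["dport"] = rule["dport"] or "any"
            rules.append(rule)
    return rules


def find_forward(rules, iface, proto, target, tport):
    """Return the rdr rule sending `proto` traffic that arrives on `iface`
    to `target:tport`, or None if no such forward is active."""
    for r in rules:
        if (r["iface"], r["proto"], r["target"], r["tport"]) == (iface, proto, target, tport):
            return r
    return None


if __name__ == "__main__":
    active = parse_rdr_rules(SAMPLE_PFCTL_SN)
    hit = find_forward(active, "em0", "tcp", "10.0.0.25", "22")
    print("SSH forward active:" if hit else "SSH forward missing", hit)
```

On the appliance, replace the sample with `subprocess.check_output(["pfctl", "-sn"], text=True)` to check the live ruleset.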

You can, of course, use this simple rule as a template to direct other types of traffic (such as HTTP) to specific IP addresses. Using the Clone button (in the rule listing), you can then change the source and target ports from SSH to HTTP(S) to direct traffic from the WAN to your web server.

Once you understand how to create this easy NAT rule, you can then move up to more complicated tasks with OPNsense.


By Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.