Channel: All SRX Services Gateway posts

Re: Creating a DMZ setup


There could be many reasons for that.

As for the VPNs, you would just need to do a destination NAT for those UDP ports to forward the traffic to your OPNsense box.

set security nat destination pool OPNsense address 192.168.1.x/32
set security nat destination rule-set dst-nat from zone untrust
set security nat destination rule-set dst-nat rule OPNsense match destination-address 1.1.1.1/32
set security nat destination rule-set dst-nat rule OPNsense match destination-port 1194 to 1196
set security nat destination rule-set dst-nat rule OPNsense match protocol udp
set security nat destination rule-set dst-nat rule OPNsense then destination-nat pool OPNsense

You would then need to have a source NAT for outbound traffic that originates on the LAN (including OPNsense).

set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface

And security policies for both directions as well.

Configure address book:

set security address-book trust address OPNsense 192.168.1.x/32

Define custom application:

set applications application OPNsense-custom-application protocol udp
set applications application OPNsense-custom-application source-port 0-65535
set applications application OPNsense-custom-application destination-port 1194-1196

Set inbound policy:

set security policies from-zone untrust to-zone trust policy OPNsense match source-address any
set security policies from-zone untrust to-zone trust policy OPNsense match destination-address OPNsense
set security policies from-zone untrust to-zone trust policy OPNsense match application OPNsense-custom-application
set security policies from-zone untrust to-zone trust policy OPNsense then permit

And outbound policy:

set security policies from-zone trust to-zone untrust policy any-policy match source-address any
set security policies from-zone trust to-zone untrust policy any-policy match destination-address any
set security policies from-zone trust to-zone untrust policy any-policy match application any
set security policies from-zone trust to-zone untrust policy any-policy then permit
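The snippet above is built from three kinds of objects that must agree by name: the destination-NAT pool the rule hands traffic to, the address-book entry and the custom application the inbound policy matches on. As posted, the application is defined as OPNsense-custom-application but the inbound policy matches OPNsense-custom-services, so the policy would never have matched. The following is an added example, not code from the post or from Juniper: a small offline cross-reference check for Junos "set" snippets that flags exactly that kind of dangling reference before the lines are pasted into a box. The sample configuration inside it is a constructed copy of the posted snippet with the placeholder addresses filled in (192.168.1.10 and 203.0.113.10 are assumed values) and the name mismatch left in place so the checker has something to find.

```python
"""Cross-reference check for a Junos SRX 'set'-style snippet.

Added example, not code from the original post. It parses 'set ...' lines
and verifies that every object a security policy or destination-NAT rule
points at (application, address-book entry, NAT pool) is defined in the
same snippet, suggesting the closest defined name when it is not.
"""
import difflib

# Junos names that never need a definition in the snippet.
BUILTIN_ADDRESSES = {"any", "any-ipv4", "any-ipv6"}
BUILTIN_APPLICATIONS = {"any"}  # plus the predefined junos-* applications


def _is_builtin(kind, name):
    if kind == "address":
        return name in BUILTIN_ADDRESSES
    if kind == "application":
        return name in BUILTIN_APPLICATIONS or name.startswith("junos-")
    return False


def check_references(config_text):
    """Return [(kind, name, lineno, suggestion)] for dangling references.

    suggestion is the closest defined name of the same kind, or None.
    """
    defined = {"application": set(), "address": set(), "pool": set()}
    refs = []  # (kind, name, lineno) for every reference seen
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        t = raw.split()
        if len(t) < 4 or t[0] != "set":
            continue
        path = t[1:]
        # Definitions: set applications application NAME ...
        if path[:2] == ["applications", "application"]:
            defined["application"].add(path[2])
        # set security address-book BOOK address NAME PREFIX
        elif (path[:2] == ["security", "address-book"]
              and len(path) >= 5 and path[3] == "address"):
            defined["address"].add(path[4])
        # set security nat destination pool NAME address ...
        elif path[:4] == ["security", "nat", "destination", "pool"] and len(path) >= 5:
            defined["pool"].add(path[4])
        # References: security policy match terms
        elif path[:2] == ["security", "policies"] and "match" in path:
            i = path.index("match")
            if i + 2 < len(path):
                attr, value = path[i + 1], path[i + 2]
                if attr == "application":
                    refs.append(("application", value, lineno))
                elif attr in ("source-address", "destination-address"):
                    refs.append(("address", value, lineno))
        # ... rule R then destination-nat pool NAME
        elif (path[:3] == ["security", "nat", "destination"]
              and "then" in path and "pool" in path):
            j = path.index("pool")
            if j + 1 < len(path):
                refs.append(("pool", path[j + 1], lineno))

    problems = []
    for kind, name, lineno in refs:
        if _is_builtin(kind, name) or name in defined[kind]:
            continue
        close = difflib.get_close_matches(name, sorted(defined[kind]), n=1)
        problems.append((kind, name, lineno, close[0] if close else None))
    return problems


# Constructed sample: the posted snippet with assumed concrete addresses
# (192.168.1.10 inside, 203.0.113.10 as the public address) and the
# application-name mismatch left exactly as posted.
SAMPLE_CONFIG = """\
set security nat destination pool OPNsense address 192.168.1.10/32
set security nat destination rule-set dst-nat from zone untrust
set security nat destination rule-set dst-nat rule OPNsense match destination-address 203.0.113.10/32
set security nat destination rule-set dst-nat rule OPNsense match destination-port 1194 to 1196
set security nat destination rule-set dst-nat rule OPNsense match protocol udp
set security nat destination rule-set dst-nat rule OPNsense then destination-nat pool OPNsense
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security address-book trust address OPNsense 192.168.1.10/32
set applications application OPNsense-custom-application protocol udp
set applications application OPNsense-custom-application source-port 0-65535
set applications application OPNsense-custom-application destination-port 1194-1196
set security policies from-zone untrust to-zone trust policy OPNsense match source-address any
set security policies from-zone untrust to-zone trust policy OPNsense match destination-address OPNsense
set security policies from-zone untrust to-zone trust policy OPNsense match application OPNsense-custom-services
set security policies from-zone untrust to-zone trust policy OPNsense then permit
set security policies from-zone trust to-zone untrust policy any-policy match source-address any
set security policies from-zone trust to-zone untrust policy any-policy match destination-address any
set security policies from-zone trust to-zone untrust policy any-policy match application any
set security policies from-zone trust to-zone untrust policy any-policy then permit
"""

if __name__ == "__main__":
    for kind, name, lineno, suggestion in check_references(SAMPLE_CONFIG):
        hint = f" (did you mean {suggestion}?)" if suggestion else ""
        print(f"line {lineno}: {kind} '{name}' is referenced but never defined{hint}")
```

Run against the sample it reports the one dangling application reference on the inbound policy line and suggests OPNsense-custom-application; with that name corrected it reports nothing. Junos itself would refuse to commit a policy that names an undefined application, so the value of a check like this is catching the typo offline, before the paste, rather than in a failed commit on a production box.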

