OPNsense 26.1.5 port forwarding solution

OK, I went through this and figured it out, so hopefully this helps someone.

Disclaimer: this has nothing to do with TS Server or Client; this is firewall configuration if your router uses OPNsense.

This is on the latest version of OPNsense available to my Protectli Vault, so version 26.1.5.

There are three sets of settings you need to change for each port. Stay away from auto-generating rules. Toggle on advanced and full help when adding each rule. You may want to specify the TCP/IP version for each rule, but it is assumed you will be setting it to IPv4 for this guide. This covers basic access to voice channels, but you can follow the same steps for each port number you want forwarded for access. Just be sure to change UDP to TCP as needed.

  • Firewall → NAT → Destination NAT
  • Firewall → NAT → Outbound
  • Firewall → Rules → Floating

Firewall → NAT → Destination NAT

  • Click the orange plus to add a new rule.
  • Description: your rule description (ex: Teamspeak Voice UDP 9987)
  • Interface: Select both LAN & WAN
  • Protocol: Select UDP
  • Destination Address: Select WAN address
  • Destination Port: Select Single port or range, in the below field type the port number ex: 9987
  • Redirect Target IP: Select Single host or network, type in the LAN IP address of the host where your TS server resides. ex: 192.168.XXX.XXX
  • Redirect Target Port: Select Single Port, type in the port number ex: 9987
  • Firewall rule: Select Manual
  • Click save, then don’t forget to click apply.

Firewall → NAT → Outbound

  • Click the orange plus to add a new rule.
  • Interface: Select LAN
  • Protocol: Select UDP
  • Source address: Select LAN net
  • Source port: Select any
  • Destination address: Select Single host or network, type in the LAN IP address of the host where your TS server resides. Set the /XX CIDR notation to 32.
    ex: 192.168.XXX.XXX /32
  • Destination port: Select (other), in the below field type the port number ex: 9987
  • Translation / target: Select Single host or network, type in the IP address of your OPNsense firewall gateway interface as it appears on your LAN. Set the /XX CIDR notation to 32. ex: 192.168.1.1 /32
  • Description: your rule description. (ex: Outbound Teamspeak Voice UDP 9987)
  • Click save, then don’t forget to click apply.

Firewall → Rules → Floating

  • Click the orange plus to add a new rule.
  • Action: Select Pass
  • Interface: Select both LAN & WAN
  • Direction: Select in
  • Protocol: Select UDP
  • Source: Select any
  • Destination: Select Single host or network, or Select LAN address, type in the LAN IP address of the host where your TS server resides. Then follow it up immediately with CIDR /32 notation. I will note that there is no drop-down box for CIDR notation on this setting for whatever reason. ex: 192.168.XXX.XXX/32
  • Destination port range: For both ‘from:’ and ‘to:’ Select (other). Type in the TS server port number for both fields. ex: 9987
  • Description: your rule description. (ex: Allow Teamspeak Voice UDP 9987)
  • Click save, then don’t forget to click apply.

Test, fix, repeat for other ports as necessary.

Note: This guide works for TS 6 over Docker. Just specify the host IP as the host machine IP, not the container IP (unless you are fancy and use macvlan).

Note2: This is on an ATT BGW210 set to IP passthrough → OPNsense on fiber. No additional configuration or port forwarding is needed on the BGW210.

Note3: My research travels would frequently point me at Firewall → Settings → Advanced to enable any combination of Reflection options at the top of that page. These turn out to be legacy options that hide information. I do not recommend usage of these and want to point out that the documentation for Reflection and Hairpin NAT on the OPNsense wiki is, as of this writing, out of date.
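
What the three rule sets in the guide above amount to, written out by hand in FreeBSD pf.conf syntax so the role of each one is visible; this is an added illustration, not output from OPNsense and not part of the original post. The interface names igb0/igb1 and the server address 192.168.1.50 are constructed placeholders; 192.168.1.1 and port 9987 are the example values used in the guide.

```conf
# Constructed placeholders (assumptions, not values from the original post)
wan_if  = "igb0"            # hypothetical WAN interface name
lan_if  = "igb1"            # hypothetical LAN interface name
ts_host = "192.168.1.50"    # constructed LAN address of the TS server host
fw_lan  = "192.168.1.1"     # firewall LAN address, as in the guide's example
ts_port = "9987"            # TS voice port, UDP

# 1) Destination NAT (Firewall -> NAT -> Destination NAT)
#    Packets arriving on WAN *or* LAN that are addressed to the WAN address
#    on the TS port are redirected to the server. Selecting LAN as well is
#    what lets LAN clients use the public address (NAT reflection).
rdr on { $wan_if $lan_if } inet proto udp from any to ($wan_if) port $ts_port \
    -> $ts_host port $ts_port

# 2) Outbound NAT (Firewall -> NAT -> Outbound)
#    Hairpin rule. A LAN client's redirected packet leaves on the LAN
#    interface again; rewriting its source to the firewall's LAN address
#    forces the server's reply back through the firewall, where the
#    translation is undone. Without it the server answers the client
#    directly and the client discards the reply, because it comes from an
#    address it never sent to.
nat on $lan_if inet proto udp from ($lan_if:network) to $ts_host port $ts_port \
    -> $fw_lan

# 3) Floating rule (Firewall -> Rules -> Floating)
#    Needed because "Firewall rule: Manual" was chosen in step 1, so no pass
#    rule is created automatically. Source "any" on WAN means the port is
#    reachable from the whole internet; only the single host and single
#    port are opened.
pass in on { $wan_if $lan_if } inet proto udp from any to $ts_host port $ts_port \
    keep state
```

Because of rule 2, LAN users who connect through the WAN address show up on the TS server with the firewall's LAN address (192.168.1.1) as their source, which is worth knowing when reading server logs or applying IP bans.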