OPNsense Forum

English Forums => 25.1, 25.4 Series => Topic started by: HighFive on June 25, 2025, 11:36:19 PM

Title: "Traffic showing as "let out anything from firewall host itself" - NAT/fw Q?
Post by: HighFive on June 25, 2025, 11:36:19 PM
rule order question

Just started with OPNsense and have a question about firewall rule matching and logging.

Setup:


Issue/Question:
Most (if not all) outbound traffic from internal LAN clients is matching the automatic rule "let out anything from firewall host itself (force gw)" or "let out anything from firewall host itself". In the live log view, source address always shows the WAN IP even though I know the traffic originates from LAN clients.

I understand NAT rules are processed before firewall rules, but want to confirm this behavior is normal. Since outbound traffic passes by default anyway, it would be preferable to see the internal LAN IPs as source rather than the OPNsense IP address in the logs.

Questions:



Current status:


Any guidance on whether this is expected behavior or if I need to adjust my configuration would be appreciated.
Title: Re: "Traffic showing as "let out anything from firewall host itself" - NAT/fw Q?
Post by: patient0 on June 26, 2025, 06:40:50 AM
The standard, automatically created 'Default LAN allow' firewall rule does not log, which is why you don't see that traffic. If you enable it - and keep the default logging for blocked and passed packets - you will see two matching rules, one on the LAN interface and one on the WAN interface.
Title: Re: "Traffic showing as "let out anything from firewall host itself" - NAT/fw Q?
Post by: ben92043 on July 30, 2025, 02:07:14 AM
I'm sorry, I'm not the OP, but I'm having the same experience, and I don't think I fully understand the answer given, or whether there is or is not a problem with the OP's setup.

I turned on logging for the rule that I thought was being triggered in the VLAN, and that shows that the PASS was via the "Allow internet only" rule I have in the VLAN, but then immediately after the WAN records the "let out anything from firewall".

Log entries:
WAN          2025-07-29T19:49:25-04:00   192.168.1.242:25430     72.125.64.41:443   tcp   let out anything from firewall host itself (force gw)
MY_VLAN_10   2025-07-29T19:49:25-04:00   192.168.110.100:52479   72.125.64.41:443   tcp   Allow internet only

And I'm not understanding why the "let out anything from firewall" rule is being triggered, when I would have expected that to only trigger when the firewall was directly doing something for its own purpose. And even if it is being triggered by something somewhat expected (like the firewall sending the packet out on behalf of the VLAN), I doubt they would make it the default that every VLAN's passing of an inbound packet generates a log message, so it makes me assume my setup must be flawed.

Thanks for any help.
Title: Re: "Traffic showing as "let out anything from firewall host itself" - NAT/fw Q?
Post by: patient0 on July 30, 2025, 07:49:55 AM
Quote from: ben92043 on July 30, 2025, 02:07:14 AM
And I'm not understanding why the "let out anything from firewall" rule is being triggered
First, you can disable the logging in Firewall: Settings: Advanced, Default pass.

And second, the packet does leave via the firewall WAN interface after being NATed and therefore matches the "let out anything from firewall host itself (force gw)" rule.
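The following is an added example, not code from the thread or from the OPNsense project. It takes live-log lines shaped like the two quoted above (constructed sample data, with a third made-up line for a DNS lookup the firewall itself issued) and pairs each WAN-side "let out anything from firewall host itself" entry with the pre-NAT entry logged on the internal interface, so an operator can tell which WAN-side entries are LAN traffic wearing the firewall's address after NAT and which ones the firewall genuinely originated. The interface label `WAN` and the address `192.168.1.242` are taken from the quoted log line and are assumptions of this example; the pairing by identical timestamp, destination and protocol is a heuristic, not how pf itself tracks state.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data for this example (not exported from a real firewall).
# The two lines at 19:49:25 reproduce the pair of log entries quoted in the thread;
# the third is a made-up DNS query the firewall sends on its own behalf, for contrast.
# Fields: interface, timestamp, source, destination, protocol, matched rule label.
SAMPLE_LOG = (
    "WAN\t2025-07-29T19:49:25-04:00\t192.168.1.242:25430\t72.125.64.41:443\ttcp\t"
    "let out anything from firewall host itself (force gw)\n"
    "MY_VLAN_10\t2025-07-29T19:49:25-04:00\t192.168.110.100:52479\t72.125.64.41:443\ttcp\t"
    "Allow internet only\n"
    "WAN\t2025-07-29T19:49:26-04:00\t192.168.1.242:40211\t9.9.9.9:53\tudp\t"
    "let out anything from firewall host itself (force gw)\n"
)

# Assumptions for this example: the WAN interface label, and the address that
# outbound NAT rewrites internal sources to (both taken from the quoted log line).
WAN_IFACE = "WAN"
FIREWALL_WAN_IP = "192.168.1.242"


@dataclass(frozen=True)
class LogEntry:
    iface: str
    ts: str
    src: str
    dst: str
    proto: str
    rule: str


def parse_log(text: str) -> list[LogEntry]:
    """Parse tab-separated live-log lines; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue
        entries.append(LogEntry(*(f.strip() for f in fields)))
    return entries


def attribute_wan_entries(entries: list[LogEntry]) -> dict[LogEntry, str]:
    """Map each WAN-side entry sourced from the firewall's own address to its origin.

    Heuristic: the post-NAT WAN entry shares timestamp, destination and protocol
    with the pre-NAT entry logged on the internal interface. A WAN entry with no
    such partner is reported as traffic the firewall really originated.
    """
    internal = defaultdict(list)
    for e in entries:
        if e.iface != WAN_IFACE:
            internal[(e.ts, e.dst, e.proto)].append(e)

    result = {}
    for e in entries:
        if e.iface != WAN_IFACE or not e.src.startswith(FIREWALL_WAN_IP + ":"):
            continue
        partners = internal.get((e.ts, e.dst, e.proto), [])
        if partners:
            # Consume the partner so two clients hitting the same destination in the
            # same second are not both attributed to the first one.
            p = partners.pop(0)
            result[e] = f"{p.src} via {p.iface} ({p.rule})"
        else:
            result[e] = "firewall-originated"
    return result


if __name__ == "__main__":
    for entry, origin in attribute_wan_entries(parse_log(SAMPLE_LOG)).items():
        print(f"{entry.ts}  {entry.src} -> {entry.dst}/{entry.proto}: {origin}")
```

Run against the sample, the HTTPS entry on WAN resolves to `192.168.110.100:52479 via MY_VLAN_10 (Allow internet only)`, while the DNS entry has no internal partner and is reported as firewall-originated, which is exactly the distinction the WAN-side rule label alone hides.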