rule order questionJust started with OPNsense and have a question about firewall rule matching and logging.
Setup:
- NAT + IPv4 only
- Swapped physical interfaces to match actual LAN/WAN
- Changed internal network to 192.168.0.0/24 with OPNsense at .1 as default gateway
- Everything functions correctly
Issue/Question:Most (if not all) outbound traffic from internal LAN clients is matching the automatic rule "let out anything from firewall host itself (force gw)" or "let out anything from firewall host itself". In the live log view, source address always shows the WAN IP even though I know the traffic originates from LAN clients.
I understand NAT rules are processed before firewall rules, but want to confirm this behavior is normal. Since outbound traffic passes by default anyway, it would be preferable to see the internal LAN IPs as source rather than the OPNsense IP address in the logs.
Questions:- Is this setup correct, or did I misconfigure something during the interface swap and network change?
- Should I have modified firewall rules manually after these changes?
- Is there a way to log the original LAN source IPs instead of the NATed WAN IP?
Current status:- Everything works fine functionally
- Dashboard shows ~90% of traffic hitting "let out anything from firewall host" rule
- Live log (DNS filtered) shows this rule being triggered constantly when clients access internet
Any guidance on whether this is expected behavior or if I need to adjust my configuration would be appreciated.
The standard, automatically created 'Default LAN allow' firewall rules does not log, that is why you don't see that traffic. If you enable it - and keep the default logging for blocked and passed packets - you will see two matching rules, one on the LAN interface and one on the WAN interface.