OPNsense Forum

English Forums => General Discussion => Topic started by: netter on September 11, 2025, 11:11:22 AM

Title: Multiple manual Outbound NAT entries on same IP with static Port enabled
Post by: netter on September 11, 2025, 11:11:22 AM
I'm currently in the process of migrating an existing old pfSense 2.6.0 installation to OPNsense 25.7.

The guy that was here before me configured multiple manual NAT Outbound rules on the same IP with static Port enabled.
The external IP ending in .199 is used for three internal machines: 10.10.10.199, 10.10.10.241 and 10.10.10.242.

In practice, there don't seem to be any issues, everything seems to work fine. But I suspect that is just because there is not too much traffic on those three machines which will make a source port collision quite unlikely given that there are thousands of source ports.

Is that actually a good idea? What will happen if those three machines use the same source port? Since the source port is static, it will lead to collisions, won't it?

Title: Re: Multiple manual Outbound NAT entries on same IP with static Port enabled
Post by: JamesFrisch on September 11, 2025, 11:40:18 AM
Looks pretty strange to me, but I am no NAT expert. Take this with a grain of salt.

First of all, I am wondering if you don't suffer from many other issues like VoIP not working?
Because you have not set it to auto or hybrid.
Do you have 1:1 NAT under advanced enabled?

Second I would wonder if and why these NAT rules are needed.
If they really are, then I would go with hybrid. That way you get your manual NAT redirects, but other normal devices like an iPhone can do STUN and other VoIP stuff.

Title: Re: Multiple manual Outbound NAT entries on same IP with static Port enabled
Post by: viragomann on September 11, 2025, 12:08:28 PM
While OPNsense has an existing state for a certain source port, it cannot create a second one using the same port for another device. Hence if a device tries to create a further connection from the same port by chance, it will fail.
Therefore you should only create a single static port rule per source port and public IP.

Your rules with static port don't make any sense to me at all.

There are very rare protocols which need a static source port. If you really are running such programs inside your network, add a static port rule for it, where you specify the source port.
A static port rule with source port = any seems to be nonsense.

Title: Re: Multiple manual Outbound NAT entries on same IP with static Port enabled
Post by: netter on September 11, 2025, 03:20:48 PM
Hmm, actually, it's not colliding. After thinking about it, it makes sense: A TCP connection is uniquely identified by the combination of the source IP address, source port number, destination IP address, and destination port number. So no issue there as long as not all four tuple values are the same.

x.x.x.199 is the external IP that is configured for both internal IPs 10.10.10.241 and 10.10.10.242.

Started two TCP connections from the same source port 12346 to two different destination IPs on port 80, works:

pfctl -s state | grep 12346
all tcp 193.99.144.85:80 <- 10.10.10.242:12346       ESTABLISHED:ESTABLISHED
all tcp x.x.x.199:12346 (10.10.10.242:12346) -> 193.99.144.85:80       ESTABLISHED:ESTABLISHED

all tcp 142.250.186.35:80 <- 10.10.10.241:12346       ESTABLISHED:ESTABLISHED
all tcp x.x.x.199:12346 (10.10.10.241:12346) -> 142.250.186.35:80       ESTABLISHED:ESTABLISHED
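As an added example (not code from this thread, from OPNsense or from pf), a small Python model of the state-table rule viragomann and netter describe: a state is keyed on protocol, translated source address and port, and destination address and port, so with static port enabled two internal hosts can both use source port 12346 towards different destinations, but a second flow from that port to a destination already in the table gets no state. The class and function names, the ephemeral port range and the "first free port" selection are assumptions of this model, not pf's actual algorithm.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class OutboundNat:
    """Toy model of outbound NAT state creation for one public IP (constructed, not pf code)."""
    EPHEMERAL = range(50000, 65536)  # assumed translated-port range for non-static rules

    def __init__(self, public_ip: str, static_port: bool):
        self.public_ip = public_ip
        self.static_port = static_port
        self.states = {}  # translated key -> internal flow; the key must be unique

    def _reserve(self, flow: Flow, port: int) -> bool:
        key = (flow.proto, self.public_ip, port, flow.dst_ip, flow.dst_port)
        if key in self.states:
            return False  # another device already owns this exact translated tuple
        self.states[key] = flow
        return True

    def translate(self, flow: Flow):
        """Create the state for an outbound flow; return the public source port, or None."""
        if self.static_port:
            # static port: the translated port must equal the original, there is no fallback
            return flow.src_port if self._reserve(flow, flow.src_port) else None
        # non-static: pick the first free port from the ephemeral range (simplified)
        for port in self.EPHEMERAL:
            if self._reserve(flow, port):
                return port
        return None

    def state_lines(self):
        """Render the table in the style of the `pfctl -s state` lines above."""
        return [f"all {p} {pub}:{port} ({f.src_ip}:{f.src_port}) -> {d}:{dp}"
                for (p, pub, port, d, dp), f in self.states.items()]

def demo(static_port: bool):
    # the thread's two flows (same source port, different destinations), then a third
    # flow that reuses port 12346 towards a destination already present in the table
    nat = OutboundNat("x.x.x.199", static_port)
    ports = (nat.translate(Flow("tcp", "10.10.10.242", 12346, "193.99.144.85", 80)),
             nat.translate(Flow("tcp", "10.10.10.241", 12346, "142.250.186.35", 80)),
             nat.translate(Flow("tcp", "10.10.10.241", 12346, "193.99.144.85", 80)))
    return ports, nat.state_lines()
```

With `static_port=True` the third flow returns `None` (no state, so the connection fails), which is the collision case to watch for when several hosts share one static-port rule; with `static_port=False` the model simply hands out another free port.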