Due to some hardware failure I'm starting fresh with 26.1 (I had yet to upgrade from the last 25.x version).
Everything has been straightforward but I'm having a few issues and a little confusion.
LAN is simple, single /24 Subnet.
I have several Destination NAT rules set up for various services I run from my network. When I create a Destination rule, I'm using "Pass" for my Firewall rules. I also have a few Outbound rules for a couple services. Everything is working really smooth except for one thing.
I'm trying to get WireGuard Road Warrior setup running following the Docs; however, every time I enable WireGuard it causes all my Destination NAT rules to stop working and my services become unavailable from the outside.
Rather than Pass in my Destination NAT rules should I be creating my Firewall rules manually? The Web Interface suggests manual creation is the recommended method but the Docs say that Pass should be okay for most setups.
Or is there something else that I'm missing that could be causing this?
Any advice is very appreciated!
Quote from: devrandom on February 26, 2026, 07:58:27 PM
Rather than Pass in my Destination NAT rules should I be creating my Firewall rules manually? The Web Interface suggests manual creation is the recommended method but the Docs say that Pass should be okay for most setups.
This seems to be the preferred way: https://docs.opnsense.org/manual/how-tos/nat_reflection.html#method-1-creating-manual-port-forward-nat-dnat-manual-outbound-nat-snat-and-automatic-firewall-rules
As mentioned at the start of that article: https://docs.opnsense.org/manual/how-tos/nat_reflection.html#introduction-to-reflection-and-hairpin-nat
Another reference here: https://docs.opnsense.org/manual/firewall_settings.html
So the 'Automatically Generated Firewall Rules' that are made because of 'Manually Configured Destination/Source NAT Rules' should be perfectly fine!
Can we assume you have always done it like that and never mixed any of the methods?!
That is correct, I haven't mixed any of the methods. At least for this fresh install of 26.1. The good news is I have my replacement hardware and I'm just finishing up the setup on it. Once I drop it back into my network tomorrow I can start over again with the WireGuard setup while I'm home for the weekend and be able to test things without locking myself out of my network while I'm at a remote location (work).
Thank you for clarifying some of this for me. I'll go over all the documentation in these links again and make sure I'm not missing something. And then I'll report back again.