I have port forwarding working. Internet can hit the WAN interface and both HTTP and HTTPS forward to the internal web server.
However, I am concerned that the port forwarding might take precedent over my manual rules including GeoIP blocking. So I created a manual rule temporarily to see if it would block port forwarding. It does not. The docs say that the automatic port forward rules are to be applied last. That does not appear to be the case.
Ideas?
Screenshot of the rules for the WAN interface:
What is the meaning of "!" by itself in the Source field of your NAT rules? Were you just trying to override them with "!any" so that they would never match?
In any case the order of the rules you show here should be working. Are you sure you are testing from the outside? If you are trying from an internal address on this interface then the rules would not be evaluated at all.
Otherwise we have a serious bug...
Do you have any other NAT rules set to "Pass" maybe? Those would override and would not show here. They are hidden from the UI because they are pass actions on the NAT rule itself, not needing a separate interface rule.
> What is the meaning of "!" by itself in the Source field of your NAT rules?
It's a visual bug reported here but haven't had the time to inspect it yet. https://github.com/opnsense/core/issues/9931
Cheers,
Franco
Quote from: OPNenthu on March 17, 2026, 11:43:29 AMWhat is the meaning of "!" by itself in the Source field of your NAT rules?
I have no idea the meaning of the "!" by itself and am also wondering its meaning. It is part of auto-generated rules.
Quote from: OPNenthu on March 17, 2026, 11:43:29 AMIn any case the order of the rules you show here should be working. Are you sure you are testing from the outside?
Yeah, of course I was testing from the internet.
Quote from: OPNenthu on March 17, 2026, 11:48:05 AMDo you have any other NAT rules set to "Pass" maybe? Those would override and would not show here.
I do not see any rules elsewhere that would affect the desired behavior.
Anyways, I disabled the auto-generated rules. Then created the correct "Pass" rules and placed them after the GeoIP block. In theory, the GeoIP block should take place when applicable before allowing the Port Forwarding.
Quote from: Diggy on March 17, 2026, 10:33:29 PMQuote from: OPNenthu on March 17, 2026, 11:43:29 AMWhat is the meaning of "!" by itself in the Source field of your NAT rules?
I have no idea the meaning of the "!" by itself and am also wondering its meaning. It is part of auto-generated rules.
Yep, sorry, I didn't know that was a visual bug. Franco answered it.