Manual rules in "Firewall->NAT->Source NAT" went missing post upgrade.
26.1.10:
[screenshot attachment: 26.1.10-SNAT.png]
root@firewall:~ # cat /tmp/rules.debug | grep Outbound
nat on wg1 inet from (IG_OUT_VPN:network) to any -> (wg1:0) port 1024:65535 # Outbound NAT on WAN_VPN1
nat on wg1 inet6 from (IG_OUT_VPN:network) to any -> (wg1:0) port 1024:65535 # Outbound NAT on WAN_VPN1 (IPv6)
nat on wg2 inet from (IG_OUT_VPN:network) to any -> (wg2:0) port 1024:65535 # Outbound NAT on WAN_VPN2
nat on wg2 inet6 from (IG_OUT_VPN:network) to any -> (wg2:0) port 1024:65535 # Outbound NAT on WAN_VPN2 (IPv6)
nat on igc1 inet6 from $WAN_WARRIORS to any -> (igc1:0) port 1024:65535 # Outbound NAT on WAN for WAN_WARRIORS (IPv6)
26.1.11:
[screenshot attachment: 26.1.11-SNAT.png]
root@firewall:~ # cat /tmp/rules.debug | grep Outbound
root@firewall:~ #
Revert to 26.1.10 snapshot restores them.
You have Automatic NAT rule generation enabled. You should turn this to manual or hybrid.
That setting isn't new; it's the same as in Outbound NAT.
I have yet to migrate the legacy outbound NAT rules to the new SNAT UI and I'm a bit confused about it. I thought there would be a migration process for those but it shouldn't affect anything that I created manually in the new UI? Have they been merged?
The Outbound NAT mode affects both the old Outbound NAT rules and the new SNAT rules.
There was an issue here for quite a while that SNAT rules didn't take the global Outbound NAT mode into consideration and always rendered into the ruleset regardless.
https://github.com/opnsense/core/pull/10472
If you used both GUIs at the same time with different intentions, that's not going to work anymore. Both GUIs adhere to the same mode now.
TL;DR: set your mode to hybrid if you need both automatic and manual rules at the same time.
@OPNenthu you need to consider that the UI is the UI and the pf filtering and NAT mechanism is running a couple of layers lower down the stack.
So all rules you create in the legacy (outbound) UI will eventually end up in the kernel and all rules you create in the new (source NAT) UI will just as well end up in the kernel. No idea about the order, but in case of NAT it's not quite as critical as with firewall rules.
Think of two admins both managing a set of rules.
Your task is to review the legacy rules, then one by one create an equivalent one in the source NAT UI, delete the one in the legacy UI, rinse and repeat. The state in the kernel's pf rules will more or less (not considering order) be the same.
HTH,
Patrick
Well, you don't have to manually migrate them one by one; we enhanced the Firewall Migration assistant to include a download for Outbound NAT rules.
And /all/ NAT rule pages now also have CSV upload and download (you're welcome :))
Quote from: Patrick M. Hausen on July 01, 2026, 08:44:37 PM
No idea about the order, [...]
I don't know how they end up in the kernel (good point), but at least in the /tmp/rules.debug file I have seen that the SNAT UI rules take precedence over the outbound NAT rules with different priorities. For that reason I was putting off migration of the legacy NAT rules until I understood the process better, but it sounds like I created a problem by not changing the mode.
# [prio: 50]
nat on wg1 inet from (IG_OUT_VPN:network) to any -> (wg1:0) port 1024:65535 # Outbound NAT on WAN_VPN1
nat on wg1 inet6 from (IG_OUT_VPN:network) to any -> (wg1:0) port 1024:65535 # Outbound NAT on WAN_VPN1 (IPv6)
nat on wg2 inet from (IG_OUT_VPN:network) to any -> (wg2:0) port 1024:65535 # Outbound NAT on WAN_VPN2
nat on wg2 inet6 from (IG_OUT_VPN:network) to any -> (wg2:0) port 1024:65535 # Outbound NAT on WAN_VPN2 (IPv6)
nat on igc1 inet6 from $WAN_WARRIORS to any -> (igc1:0) port 1024:65535 # Outbound NAT on WAN for WAN_WARRIORS (IPv6)
binat log on igc1 inet6 from <redacted>::/61 -> (lo1:0)/61
# [prio: 200]
nat on igc1 inet from (vlan0.1030:network) to any port 500 -> (igc1:0) static-port # Automatic outbound rule
nat on igc1 inet from (vlan0.1040:network) to any port 500 -> (igc1:0) static-port # Automatic outbound rule
nat on igc1 inet from (vlan0.1050:network) to any port 500 -> (igc1:0) static-port # Automatic outbound rule
nat on igc1 inet from (vlan0.1060:network) to any port 500 -> (igc1:0) static-port # Automatic outbound rule
... etc
Thanks, both. Let me try to clean this up...
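As an added example, not code from this thread or from OPNsense: the practical check after an upgrade like this is to diff the translation rules in /tmp/rules.debug before and after, and to confirm every WAN-facing interface still has a `nat on` rule. The script below parses the `# [prio: N]` blocks and `nat`/`binat`/`rdr` lines in the format shown in the posts above and reports what went missing and which interfaces are left un-NATed. The two rulesets are constructed from the excerpts in the thread (the documentation prefix 2001:db8::/32 stands in for the redacted one); everything else, including the function names, is this example's own.

```python
"""Diff pf translation rules (nat/binat/rdr) between two OPNsense
/tmp/rules.debug snapshots and flag interfaces left without outbound NAT.
Added example, not OPNsense code; relies only on the rule text format that
rules.debug prints (priority comment headers, '# ...' descriptions)."""
import re
from collections import defaultdict

# Constructed samples modelled on the thread excerpts, not real captures.
# BEFORE stands for the 26.1.10 ruleset, AFTER for 26.1.11 once the manual
# SNAT rules stopped rendering. 2001:db8:0:8::/61 replaces the redacted prefix.
BEFORE = """\
# [prio: 50]
nat on wg1 inet from (IG_OUT_VPN:network) to any -> (wg1:0) port 1024:65535 # Outbound NAT on WAN_VPN1
nat on wg1 inet6 from (IG_OUT_VPN:network) to any -> (wg1:0) port 1024:65535 # Outbound NAT on WAN_VPN1 (IPv6)
nat on wg2 inet from (IG_OUT_VPN:network) to any -> (wg2:0) port 1024:65535 # Outbound NAT on WAN_VPN2
nat on wg2 inet6 from (IG_OUT_VPN:network) to any -> (wg2:0) port 1024:65535 # Outbound NAT on WAN_VPN2 (IPv6)
nat on igc1 inet6 from $WAN_WARRIORS to any -> (igc1:0) port 1024:65535 # Outbound NAT on WAN for WAN_WARRIORS (IPv6)
binat log on igc1 inet6 from 2001:db8:0:8::/61 -> (lo1:0)/61
# [prio: 200]
nat on igc1 inet from (vlan0.1030:network) to any port 500 -> (igc1:0) static-port # Automatic outbound rule
nat on igc1 inet from (vlan0.1040:network) to any port 500 -> (igc1:0) static-port # Automatic outbound rule
nat on igc1 inet from (vlan0.1030:network) to any -> (igc1:0) port 1024:65535 # Automatic outbound rule
nat on igc1 inet from (vlan0.1040:network) to any -> (igc1:0) port 1024:65535 # Automatic outbound rule
"""
AFTER = """\
# [prio: 200]
nat on igc1 inet from (vlan0.1030:network) to any port 500 -> (igc1:0) static-port # Automatic outbound rule
nat on igc1 inet from (vlan0.1040:network) to any port 500 -> (igc1:0) static-port # Automatic outbound rule
nat on igc1 inet from (vlan0.1030:network) to any -> (igc1:0) port 1024:65535 # Automatic outbound rule
nat on igc1 inet from (vlan0.1040:network) to any -> (igc1:0) port 1024:65535 # Automatic outbound rule
"""

PRIO_RE = re.compile(r"^#\s*\[prio:\s*(\d+)\]")
# matches 'nat on IF', 'binat log on IF', 'no nat on IF', 'rdr pass on IF'
RULE_RE = re.compile(r"^(?:no\s+)?(nat|binat|rdr)\b.*?\bon\s+(\S+)")


def parse_rules(text):
    """One dict per translation rule, tagged with its [prio] block."""
    rules, prio = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = PRIO_RE.match(line)
        if m:
            prio = int(m.group(1))
            continue
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # pass/block filter rules are out of scope here
        body, _, desc = line.partition("#")
        rules.append({
            "kind": m.group(1),
            "iface": m.group(2),
            "prio": prio,
            "body": " ".join(body.split()),  # whitespace-normalised, no comment
            "desc": desc.strip(),
            "automatic": "Automatic outbound rule" in desc,
        })
    return rules


def missing_rules(before, after):
    """Rules in BEFORE whose body no longer appears anywhere in AFTER."""
    kept = {r["body"] for r in parse_rules(after)}
    return [r for r in parse_rules(before) if r["body"] not in kept]


def interfaces_without_nat(text, interfaces):
    """Interfaces from the given list that carry no 'nat on' rule at all."""
    covered = {r["iface"] for r in parse_rules(text) if r["kind"] == "nat"}
    return sorted(set(interfaces) - covered)


def report(before, after, interfaces):
    """Human-readable summary of dropped rules and un-NATed interfaces."""
    lost = missing_rules(before, after)
    manual = sum(1 for r in lost if not r["automatic"])
    by_iface = defaultdict(list)
    for r in lost:
        by_iface[r["iface"]].append(r)
    lines = [f"{len(lost)} translation rule(s) dropped, {manual} of them manual"]
    for iface in sorted(by_iface):
        for r in by_iface[iface]:
            tag = "auto" if r["automatic"] else "manual"
            lines.append(f"  [prio {r['prio']}] {iface} {tag}: {r['desc'] or r['body']}")
    bare = interfaces_without_nat(after, interfaces)
    if bare:
        lines.append("no outbound NAT left on: " + ", ".join(bare))
    return "\n".join(lines)


if __name__ == "__main__":
    # Real use: read the two files saved before and after the upgrade.
    print(report(BEFORE, AFTER, ["igc1", "wg1", "wg2"]))
```

Matching on the rule body rather than the trailing description means a rule that survived with a renamed description is not reported as lost; the interface check is the one that matters operationally, since an interface with no `nat on` rule sends traffic out with internal source addresses.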
For the record I think this is about https://github.com/opnsense/core/commit/6f3b49f6811 which we discussed and also noted in the release notes.
Conceptually the whole outbound mode switcheroo is a bit over-engineered, but for the sake of consistency it now adheres to the setting for source NAT behaviour as well, so that it is a direct replacement for outbound NAT. Eventually, just being able to switch automatic rules on/off and always showing in hybrid mode is probably the best thing to do in the long term, but not before the old component is completely removed (after its plugin life starting in 27.1).
Cheers,
Franco
Quote from: Monviech (Cedrik) on July 01, 2026, 08:50:35 PM
And /all/ NAT rule pages now also have CSV upload and download (you're welcome :))
Are you sure? :)
I changed the Outbound NAT mode to Hybrid and upgraded again to 26.1.11. For one thing, I'm not seeing an option to download the Outbound NAT rules as CSV. Even the Migration Assistant UI is empty.
[screenshot attachment: Outbound NAT.webp]
[screenshot attachment: Migration Assistant.webp]
I also see some weirdness with regard to WG interfaces. You'll notice in the Outbound NAT UI there are auto generated rules for e.g. WAN_VPN1, WAN_VPN2. Those do not appear at all in the automatically generated rules list under the SNAT UI. I only see the rules for the normal (non-WG) interfaces:
[screenshot attachment: SNAT.webp]
I might need a little bit of hand holding. I can create the WG/VPN rules manually, no problem. Do I need to manually migrate the rules for all other interfaces as Patrick suggested (one by one)? What do I do about the ISAKMP ones?
Sorry if I'm being a dunce here.
EDIT: I had deleted the manual SNAT rules before the upgrade, btw. That's not a bug.
Marking as solved because I got my manual rules added back and everything's working, but I'm still not sure why some of the automatic rules aren't reflected in the SNAT UI. Going to leave the automatic rules alone for now.
Thanks all!