Messages - devrandom

#1
[quote]
This seems to be the preferred way: https://docs.opnsense.org/manual/how-tos/nat_reflection.html#method-1-creating-manual-port-forward-nat-dnat-manual-outbound-nat-snat-and-automatic-firewall-rules
As mentioned at the start of that article: https://docs.opnsense.org/manual/how-tos/nat_reflection.html#introduction-to-reflection-and-hairpin-nat

Another reference here: https://docs.opnsense.org/manual/firewall_settings.html

So the 'Automatically Generated Firewall Rules' that are made because of 'Manually Configured Destination/Source NAT Rules' should be perfectly fine!

Can we assume you have always done it like that and never mixed any of the methods?!
[/quote]

That is correct, I haven't mixed any of the methods. At least for this fresh install of 26.1. The good news is I have my replacement hardware and I'm just finishing up the setup on it. Once I drop it back into my network tomorrow I can start over again with the WireGuard setup while I'm home for the weekend and be able to test things without locking myself out of my network while I'm at a remote location (work).

Thank you for clarifying some of this for me. I'll go over all the documentation in these links again and make sure I'm not missing something. And then I'll report back again.
#2
Due to some hardware failure I'm starting fresh with 26.1 (I had yet to upgrade from the last 25.x version).

Everything has been straightforward but I'm having a few issues and a little confusion.

LAN is simple, single /24 Subnet.

I have several Destination NAT rules set up for various services I run from my network. When I create a Destination rule, I'm using "Pass" for my Firewall rules. I also have a few Outbound rules for a couple services. Everything is working really smooth except for one thing.

I'm trying to get WireGuard Road Warrior setup running following the Docs; however, every time I enable WireGuard it causes all my Destination NAT rules to stop working and my services become unavailable from the outside.

Rather than Pass in my Destination NAT rules should I be creating my Firewall rules manually? The Web Interface suggests manual creation is the recommended method but the Docs say that Pass should be okay for most setups.

Or is there something else that I'm missing that could be causing this?

Any advice is very appreciated!
#3
Edit: I was misreading things. This is acting exactly how it should. I think in the past the UI used time ranges but now it's changed to "Granularity" which thinking about it, makes more sense anyway.

It seems to me in the past my Health report data went back months. Now the granularity selection only goes as high as 24 hours. But it appears to me the actual chart below is displayed as far back as it used to be?

Is this normal or am I reading it wrong? Assuming I'm not crazy, is there a way to either display the correct data or to restore the granularity buttons back to their original numbers?

#4
Thank you very much!

That was exactly what I needed to do and everything is humming along happily now.
#5
I am having issues getting my Subnets (behind a L3 switch) to be able to connect to the internet. I am reasonably sure my switch configuration is good as I've had this exact topology working with my Unifi Security Gateway (what I'm trying to replace) as well as a SonicWall and OpenBSD before that. I've attached a diagram of my topology.

My setup:

OPNsense LAN: 10.1.0.0/24
OPNsense LAN IP: 10.1.0.1
L3 Switch LAN IP: 10.1.0.254
Workstations Subnet: 10.1.1.0/24
Servers Subnet: 10.1.2.0/24
Wireless Subnet: 10.1.3.0/24

What works:
- All subnets can ping each other and ping the OPNsense LAN IP (10.1.0.1)
- Any devices on the OPNsense LAN (10.1.0.0/24) can ping the other subnets behind the L3 switch and ping addresses on the internet.

What doesn't work:
- None of the subnets behind the L3 switch can ping the internet

What I've done:
- Created a gateway to the L3 switch.
- Created static routes for the subnets
- Tried creating firewall rules to allow the subnets through the firewall
- Tried disabling Static Route Filtering

Logs:
- When I try to ping external addresses from the subnets behind the L3 switch, I don't see any corresponding log entries. This makes me think it's a routing or NAT issue even though all those subnets can ping the LAN IP of OPNsense.

The only other thing I haven't tried (after reading another post on VPN) that I will when I get home is creating an Outbound NAT rule.

I'm at work and will have to wait until I get home to try this.

But I'm curious if anyone else has any suggestions for things I might be missing.
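An added illustration of the failure mode described in this post, written for this thread and not code from OPNsense or from the poster: a small model of route lookup plus outbound NAT evaluation. Automatic outbound NAT only creates translation rules for networks directly attached to an interface, so traffic from the routed subnets behind the L3 switch matches no rule and leaves the WAN with a private source address that nothing on the internet can reply to. The WAN network, WAN address and upstream gateway are assumptions; the LAN addressing and static routes are the ones given above.

```python
import ipaddress

# Topology from the post (LAN side) plus an assumed WAN interface and address.
IFACE_NETS = {
    "lan": ipaddress.ip_network("10.1.0.0/24"),
    "wan": ipaddress.ip_network("203.0.113.0/24"),  # assumption: WAN network
}
WAN_IP = ipaddress.ip_address("203.0.113.10")       # assumption: firewall WAN address

# Static routes for the subnets behind the L3 switch (via 10.1.0.254) and a default route.
ROUTES = [
    ("10.1.1.0/24", "10.1.0.254", "lan"),
    ("10.1.2.0/24", "10.1.0.254", "lan"),
    ("10.1.3.0/24", "10.1.0.254", "lan"),
    ("0.0.0.0/0", "203.0.113.1", "wan"),            # assumption: upstream gateway
]

def lookup_route(dst):
    """Longest-prefix match over ROUTES; returns (next hop, egress interface)."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(n), gw, i) for n, gw, i in ROUTES
               if dst in ipaddress.ip_network(n)]
    net, gw, iface = max(matches, key=lambda r: r[0].prefixlen)
    return gw, iface

def automatic_outbound_rules():
    """Automatic mode: one SNAT rule per directly attached non-WAN network only."""
    return [(str(net), "wan") for name, net in IFACE_NETS.items() if name != "wan"]

def egress_source(src, dst, manual_rules=()):
    """Source address the packet carries when it leaves the firewall towards dst."""
    src = ipaddress.ip_address(src)
    _, out_if = lookup_route(dst)
    if out_if != "wan":
        return str(src)                                  # internal hop: no translation
    for net, iface in list(manual_rules) + automatic_outbound_rules():
        if iface == out_if and src in ipaddress.ip_network(net):
            return str(WAN_IP)                           # matched: rewritten to WAN address
    return str(src)                                      # no rule: leaves with private source

def internet_reachable(src, manual_rules=()):
    """Replies only come back if the packet left with the firewall's public address."""
    return egress_source(src, "1.1.1.1", manual_rules) == str(WAN_IP)

if __name__ == "__main__":
    fix = [("10.1.0.0/16", "wan")]   # one hybrid-mode rule covering every LAN-side subnet
    for host in ("10.1.0.20", "10.1.1.20", "10.1.3.20"):
        print(host, "auto:", internet_reachable(host), "with rule:", internet_reachable(host, fix))
```

The directly attached 10.1.0.0/24 host is translated while the routed hosts are not until a manual rule covering them exists; the static routes matter for the return path but do not by themselves produce any translation.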