Quote from: paul5012 on June 30, 2026, 03:38:23 PM
> I was not aware that the "Rules [new]" section is possibly not (yet) stuffed with all features of the old system.

It is already, as far as I know.
However, it's not recommended to use both old and new rules.
You should migrate your rules at some point.

Quote from: paul5012 on June 30, 2026, 03:38:23 PM
> So far I had tried to live with destination NAT rules and the option "Firewall rule": "Register rule".

With "Register rule" OPNsense creates the firewall rule for you, and you're able to modify it later. But I'd rather create the rule manually instead.

Quote from: paul5012 on June 30, 2026, 03:38:23 PM
> 1) What is the sense of "no RDR (NOT)" (Enabling this option will disable redirection for traffic matching this rule.)? Wouldn't this make the rule itself pointless?

For a single port forwarding rule, it does.
I guess this can make sense if you forward multiple / all ports. Using this option you can define an exception.

Quote from: paul5012 on June 30, 2026, 03:38:23 PM
> 2) "NAT reflection"

In short, NAT reflection mirrors a NAT rule to an internal interface.
So if you define a NAT rule on WAN for the WAN IP to forward port 443 to webserver 1 in the DMZ, NAT reflection enables you to access the webserver using the WAN IP also from LAN.

Quote from: paul5012 on June 30, 2026, 03:38:23 PM
> 3) "Set tag" I suspected to be what I should use.

No, this is for custom tagging.
With this you can instruct OPNsense to tag a connection and use this tag in a following rule, e.g. outbound rules.

Quote from: paul5012 on June 30, 2026, 03:38:23 PM
> Now the packets flow as expected, I can reach my services with both published IP addresses.

Fine.

Quote from: paul5012 on June 30, 2026, 03:38:23 PM
> So I have to define such a rule for every port forwarding for each of the two upstream interfaces?

You only need this for incoming traffic from the internet (from source addresses which OPNsense has no specific route for; this could also be a remote client accessing your resources over VPN).
You can also use aliases for forwarded ports or destination IPs, so you don't need one for each NAT rule.

Quote from: paul5012 on June 30, 2026, 03:38:23 PM
> I'd expect this to be default behaviour, that return packets go back the interface they came in.

Yes, it is. But possibly this doesn't work together with a load balancing gateway group.
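As an added illustration (not part of the post, and not the ruleset OPNsense itself generates), here is a hand-written pf.conf fragment showing the four mechanisms discussed above in raw pf syntax: a "no rdr" exception, a port forward on each of two upstream interfaces with reply-to pinning the return path, NAT reflection for LAN clients, and a tag set on the inbound rule and consumed by a later rule. Interface names, addresses and gateways are assumed placeholders.

```pf
# Constructed example, not an OPNsense-generated ruleset.
# Interfaces, addresses and gateways are placeholders (RFC 5737 ranges).
wan1      = "em0"
wan1_gw   = "192.0.2.1"
wan1_ip   = "192.0.2.10"
wan2      = "em1"
wan2_gw   = "198.51.100.1"
wan2_ip   = "198.51.100.10"
lan       = "em2"
lan_net   = "10.0.1.0/24"
dmz       = "em3"
web       = "10.0.2.10"          # web server in the DMZ
web_ports = "{ 80, 443 }"

# "No RDR (NOT)": an exception to a broader forward. Translation rules are
# first-match in pf, so the exception must precede the rule it carves out of.
no rdr on $wan2 proto tcp from any to $wan2_ip port 80

# The port forward itself, once per upstream interface.
rdr on $wan1 proto tcp from any to $wan1_ip port $web_ports -> $web
rdr on $wan2 proto tcp from any to $wan2_ip port $web_ports -> $web

# NAT reflection: LAN clients that connect to the public IP are redirected too,
# and their source is rewritten so the server's replies return via the firewall.
rdr on $lan proto tcp from $lan_net to $wan1_ip port $web_ports -> $web
nat on $lan proto tcp from $lan_net to $web port $web_ports -> ($lan)

# Filter rules see the post-translation destination ($web). reply-to forces
# replies back out the interface and gateway the connection arrived on, so a
# connection that entered on wan2 is not answered via the default route on wan1.
# "Set tag" marks the state; later rules can match it with "tagged".
pass in quick on $wan1 reply-to ($wan1 $wan1_gw) proto tcp from any to $web port $web_ports flags S/SA keep state tag WEB_FWD
pass in quick on $wan2 reply-to ($wan2 $wan2_gw) proto tcp from any to $web port $web_ports flags S/SA keep state tag WEB_FWD

# Consuming the tag: only traffic that came in through a forward may reach the
# server from this firewall; anything else to those ports on the DMZ is blocked.
pass out quick on $dmz proto tcp to $web port $web_ports tagged WEB_FWD keep state
block out on $dmz proto tcp to $web port $web_ports
```

In the GUI the first two filter rules correspond to one "Register rule" per upstream interface, which is why one rule per interface (or one rule using an alias for the ports) is needed rather than one per port.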