Quote from: glenb2 on June 30, 2026, 03:00:03 AM
Could someone explain why my WAN interface is passing outward traffic to these networks?
Quote from: paul5012 on June 30, 2026, 09:57:00 PM
Quote
Still not quite clear to me.
Quote
1) What is the sense of "no RDR (NOT)" (Enabling this option will disable redirection for traffic matching this rule.)? Wouldn't this make the rule itself pointless?
For a single port forwarding rule, it does.
I guess this can make sense if you forward multiple / all ports. So using this option you can define an exception.
Quote from: franco on June 25, 2026, 09:52:03 PM
Can you confirm this only happens with divert? It may be an open file descriptor / socket that the kernel doesn't yield.
Cheers,
Franco
Quote from: thelittleblackbird on June 27, 2026, 12:42:34 AM
Here you have it, in the attached file.
If you have set RSS for that performance, it might need revisiting. Maybe it does not help and is detrimental in your case.
I tried to implement the tunable described in the OPNsense documentation about performance:
https://docs.opnsense.org/troubleshooting/performance.html
If you need something else, just ask.
Thanks
Quote from: thelittleblackbird on June 30, 2026, 09:50:29 PM
[...] some other idea? Honestly, unless somebody is coming with something, I am starting to think it's a BSD problem, because I can not really understand what is going on...
Quote from: viragomann on June 30, 2026, 04:21:15 PM
I had done this.
Quote from: paul5012 on June 30, 2026, 03:38:23 PM
I was not aware that the "Rules [new]" section is possibly not (yet) stuffed with all features of the old system.
It is already, as far as I know.
However, it's not recommended to use both old and new rules.
You should migrate your rules at some point.
Quote from: viragomann on June 30, 2026, 04:21:15 PM
What I did, finally.
Quote from: paul5012 on June 30, 2026, 03:38:23 PM
So far I had tried to live with destination NAT rules and the option "Firewall rule": "Register rule".
With "Register rule" OPNsense creates the firewall rule for you and you're able to modify it later. But I'd rather create the rule manually instead.
Quote from: viragomann on June 30, 2026, 04:21:15 PM
Still not quite clear to me.
Quote from: paul5012 on June 30, 2026, 03:38:23 PM
1) What is the sense of "no RDR (NOT)" (Enabling this option will disable redirection for traffic matching this rule.)? Wouldn't this make the rule itself pointless?
For a single port forwarding rule, it does.
I guess this can make sense if you forward multiple / all ports. So using this option you can define an exception.
Quote from: viragomann on June 30, 2026, 04:21:15 PM
Got this. Seemed to help me a lot, but gave me other troubles when a forward from port 25 to [dmz-server] port 25 suddenly had a redirection from the DMZ system to itself.
Quote from: paul5012 on June 30, 2026, 03:38:23 PM
2) "NAT reflection"
NAT reflection mirrors a NAT rule to the internal interface, in short.
So if you define a NAT rule on WAN for the WAN IP to forward port 443 to webserver 1 in the DMZ, NAT reflection enables you to access the webserver using the WAN IP from LAN as well.
Quote from: viragomann on June 30, 2026, 04:21:15 PM
I use these aliases excessively.
Quote from: paul5012 on June 30, 2026, 03:38:23 PM
3) "Set tag" I suspected to be what I should use.
No, this is for custom tagging.
With this you can instruct OPNsense to tag a connection and use this tag in a following rule, e.g. outbound rules.
Quote from: paul5012 on June 30, 2026, 03:38:23 PM
Now the packets flow as expected, I can reach my services with both published IP addresses.
Fine.
Quote from: paul5012 on June 30, 2026, 03:38:23 PM
So I have to define such a rule for every port forwarding for each of the two upstream interfaces?
You only need this for incoming traffic from the internet (from source addresses for which OPNsense has no specific route; this could also be a remote client accessing your resources over VPN).
You can also use aliases for forwarded ports or destination IPs, so you don't need one for each NAT rule.
Quote from: viragomann on June 30, 2026, 04:21:15 PM
I do (not currently) make use of any load balancing gateway group.
Quote from: paul5012 on June 30, 2026, 03:38:23 PM
I'd expect this to be default behaviour, that return packets go back out the interface they came in on.
Yes, it is. But possibly this doesn't work together with a load balancing gateway group.
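Added illustration, not part of the thread and not OPNsense's generated rule set: the plain FreeBSD pf rules that correspond to the GUI options discussed above ("no RDR (NOT)", NAT reflection, "Set tag", aliases, and return traffic leaving via the interface it arrived on). Interface names, addresses, gateways, the tag name and the port list are assumed placeholders. Two points the GUI hides are made explicit here: pf evaluates translation rules first-match, so a "no rdr" exception only has an effect when it sits above a broader forward, and filter rules see the already-translated destination, so the pass rule matches the internal server, not the public IP.

```pf
# Assumed placeholders (not from the thread).
wan1_if = "igb0"
wan1_ip = "203.0.113.10"
wan1_gw = "203.0.113.1"
wan2_if = "igb1"
wan2_ip = "198.51.100.10"
wan2_gw = "198.51.100.1"
lan_if  = "igb2"
dmz_if  = "igb3"
lan_net = "192.168.1.0/24"
web_srv = "192.168.10.20"

# Aliases: a port list and a table of published IPs, so one rule per
# interface covers every forwarded service instead of one rule per port.
fwd_ports = "{ 80, 443 }"
table <public_ips> { 203.0.113.10, 198.51.100.10 }

# Translation rules are first-match. The "no rdr" exception (the GUI's
# "no RDR (NOT)") only means something when it precedes a broader forward;
# on its own, with a single specific forward below it, it is pointless.
no rdr on { $wan1_if, $wan2_if } proto tcp from any to <public_ips> port 22
rdr on $wan1_if proto tcp from any to <public_ips> port $fwd_ports -> $web_srv
rdr on $wan2_if proto tcp from any to <public_ips> port $fwd_ports -> $web_srv

# NAT reflection: mirror the forward onto the LAN interface so LAN clients
# can use the public IP. It is deliberately NOT applied on $dmz_if: a
# reflection rule there would redirect the DMZ server to itself whenever it
# talks to the public IP (the port 25 loop described in the thread).
# LAN -> DMZ is routed through the firewall, so no hairpin source NAT is
# needed; it only becomes necessary when client and server share a segment.
rdr on $lan_if proto tcp from $lan_net to <public_ips> port $fwd_ports -> $web_srv

# Filter rules see the post-translation destination ($web_srv, not the
# public IP). reply-to pins the return path to the interface and gateway the
# packet arrived through, so answers for the second public IP do not leave
# via the default gateway. "tag" marks the connection for a later rule.
pass in quick on $wan1_if reply-to ($wan1_if $wan1_gw) proto tcp \
    from any to $web_srv port $fwd_ports tag FWD_WEB keep state
pass in quick on $wan2_if reply-to ($wan2_if $wan2_gw) proto tcp \
    from any to $web_srv port $fwd_ports tag FWD_WEB keep state
pass in quick on $lan_if proto tcp \
    from $lan_net to $web_srv port $fwd_ports tag FWD_WEB keep state

# "tagged": the outbound rule on the DMZ side matches only connections that
# were tagged on the way in, whatever interface they entered on.
pass out quick on $dmz_if proto tcp tagged FWD_WEB keep state
```

To check what OPNsense actually produced on a given box, compare this against the generated rules (pfctl -sn for the translation rules and pfctl -sr for the filter rules) rather than against the GUI; the relative order of the "no rdr" line and the forwards, and whether the reflection rdr appears on the DMZ interface, are visible there directly.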