Destination NAT 'Register rule' priority

Started by keeka, Today at 05:13:08 PM

I upgraded to 26.1. Both the upgrade and rule export/import went without a hitch.

Following the upgrade, all the NAT rules had been switched to 'Manual'. My previously linked NAT fw rules were successfully imported along with everything else. I then disabled all the old rules.

I tried switching some destination NAT rules to the 'Register rule' option. The resulting rules (quick) are visible under the new rules Inspect pane, at the bottom of the list.
Do they therefore run after all other quick rules and before all non-quick rules?


Today at 05:25:06 PM #1 Last Edit: Today at 05:31:15 PM by Monviech (Cedrik)
The registered DNAT rules have the lowest priority group (50000).

https://github.com/opnsense/core/blob/e0f0cbf922ff8ddf688362b78c5bc151f5ff20f3/src/etc/inc/filter.lib.inc#L664

All other priority groups are evaluated before them.

https://docs.opnsense.org/manual/firewall.html#processing-order

40000 are interface groups.

So all (quick) rules (floating, group, interface) come before the 50000 rules at the end of the ruleset.
Hardware:
DEC740
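To make the ordering question concrete, here is an added example (my own model, not OPNsense code and not taken from filter.lib.inc) that sorts a small constructed ruleset by priority group and evaluates packets with pf's semantics: the first matching quick rule ends evaluation, otherwise the last matching rule wins. Only the 40000 (interface group) and 50000 (registered DNAT) values come from the thread; the floating-rule priority, the rule names and the packets are constructed placeholders.

```python
"""Model of pf rule evaluation over an OPNsense-style priority-sorted ruleset.

Added example, not OPNsense code. Assumptions: the generated ruleset is a
stable sort of all filter rules by priority group, and pf semantics apply
(first matching 'quick' rule terminates evaluation, otherwise the last
matching rule wins). Only two priority values come from the thread:
40000 (interface group rules) and 50000 (registered DNAT rules); the
floating-rule value is a constructed placeholder.
"""
from dataclasses import dataclass
from typing import Optional

PRIO_FLOATING = 20000         # assumed placeholder, not from the thread
PRIO_IFGROUP = 40000          # interface group rules (from the thread)
PRIO_REGISTERED_DNAT = 50000  # registered DNAT rules (from the thread)


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    action: str   # "pass" or "block"
    quick: bool
    match: dict   # exact-match selectors on packet fields


def rule_matches(rule: Rule, packet: dict) -> bool:
    """A rule matches when every selector equals the packet's field."""
    return all(packet.get(key) == value for key, value in rule.match.items())


def ordered_ruleset(rules: list[Rule]) -> list[Rule]:
    """Stable sort by priority group: a lower number is emitted earlier in
    the ruleset, and rules inside one group keep their configured order."""
    return sorted(rules, key=lambda r: r.priority)


def evaluate(rules: list[Rule], packet: dict) -> tuple[Optional[Rule], list[str]]:
    """pf semantics: the first matching quick rule wins; otherwise the last
    matching non-quick rule wins. Returns the winner and an evaluation trace."""
    winner = None
    trace = []
    for rule in ordered_ruleset(rules):
        if not rule_matches(rule, packet):
            continue
        flag = " quick" if rule.quick else ""
        trace.append(f"match {rule.priority} {rule.action}{flag}: {rule.name}")
        if rule.quick:
            trace.append("quick -> stop")
            return rule, trace
        winner = rule  # remember it; a later matching rule can still override
    return winner, trace


# Constructed ruleset illustrating the thread's question.
RULESET = [
    Rule("floating block bogons", PRIO_FLOATING, "block", True, {"src_bogon": True}),
    Rule("ifgroup quick block wan:443", PRIO_IFGROUP, "block", True,
         {"iface": "wan", "dst_port": 443}),
    Rule("ifgroup non-quick block wan:8443", PRIO_IFGROUP, "block", False,
         {"iface": "wan", "dst_port": 8443}),
    Rule("registered DNAT pass wan:443", PRIO_REGISTERED_DNAT, "pass", True,
         {"iface": "wan", "dst_port": 443}),
    Rule("registered DNAT pass wan:8443", PRIO_REGISTERED_DNAT, "pass", True,
         {"iface": "wan", "dst_port": 8443}),
]


def decide(packet: dict) -> str:
    """Name of the winning rule for a packet, or 'default' when nothing matched."""
    winner, _ = evaluate(RULESET, packet)
    return winner.name if winner else "default"


if __name__ == "__main__":
    for pkt in ({"iface": "wan", "dst_port": 443},
                {"iface": "wan", "dst_port": 8443},
                {"iface": "wan", "dst_port": 22}):
        winner, trace = evaluate(RULESET, pkt)
        print(pkt, "->", winner.name if winner else "default")
        for line in trace:
            print("   ", line)
```

The two interesting cases: a quick block in the 40000 group shadows the registered DNAT pass for port 443 entirely, because evaluation stops before the 50000 group is reached; a non-quick block in the 40000 group does not, because the quick pass at 50000 still matches last and terminates. So the 50000 rules are last in the file, and whether they take effect depends on what the earlier quick rules already consumed.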

Quote from: Monviech (Cedrik) on Today at 05:25:06 PM
So all rules (floating, group, interface) come before the NAT rules at the end of the ruleset.

Thanks @Monviech. I am still exploring but I think I will stick with the Manual option in that case. The other benefit being the rule is visible in the edit pane.