NAT destination as WAN Address matches for all virtual IPs

satorisage · March 30, 2024, 02:27:53 AM

Hello, I am wondering if this is default behavior.

I have some port forwarding rules set up where in one of the rules the destination is set to WAN Address for port 443 and in another rule I have a virtual IP from my WAN ( I have 5 static IPs and set them up as virtual IPs ) set as the destination.

I discovered that if I have the "WAN Address" destination rule before the rule with the virtual IP as the destination, there is a match and the traffic is forwarded to the wrong server within the LAN, but if I move the virtual IP rules before the WAN Address rule it gets routed correctly.

Is this behavior correct? I would think "WAN Address" would only match the address specifically assigned to the interface, rather than any of the virtual IPs..

If I create an alias for the WAN address with the IP assigned to the interface, the order of the rules doesn't matter and it works as expected.

I also found this post and presume the person was saying the same thing here:
https://forum.opnsense.org/index.php?topic=5501.msg22325#msg22325

zan · March 30, 2024, 05:43:21 AM

QuoteIs this behavior correct? I would think "WAN Address" would only match the address specifically assigned to the interface, rather than any of the virtual IPs..

In pf "<Interface name> Address" means all addresses of the interface, VIPs included.

HTH.

NAT destination as WAN Address matches for all virtual IPs

satorisage

March 30, 2024, 02:27:53 AM

zan

March 30, 2024, 05:43:21 AM #1