Destination NAT (port forwarding) issue after upgrade

Started by EricD, February 09, 2026, 01:39:18 AM

I was a couple major versions behind, and went through many update/upgrades to get to the newest version.

Destination NAT was working correctly before the upgrade.  Afterwards, it no longer works.

Some details I found that I believe are important:
  1) Destination NAT actually works for a few moments after a full reboot, but then stops working.
  2) Logging shows that the Destination NAT entries, and relevant firewall rules, all trigger and allow passage inward as the requests come in from an external source.
  3) I find no mention of anything being blocked in the logs.

What could the issue be?  What should I be looking at that may be causing the issue?

Are you using multi wan and are you using the new firewall rule or old?

I did have the old rules converted over to the new during the upgrade and had the upgrade process delete the old rules.

I only have one WAN, but do have a semi-permanent VPN, that goes through that WAN, that is used as the external interface for a couple internal networks.  So there are multiple gateways.

Thank you for the question about the multi-wan.  That, along with other posts, finally got my attention to what appears to be the detail I needed to update.

The rule for the WAN interface where the external connection was allowed in had to have "Reply-To" set to the WAN interface.  Once I made that change, the issue appears to be fixed (needs more testing, but it appears to work at the moment).


NOTE: I have my Destination NAT set to where I need to manually make the rules ("Manual").  HOWEVER, in attempting to fix this issue, I did also try "PASS" and "Register rule", both of which should have theoretically fixed this problem if OPNsense was setting its own rules appropriately -- but it did not.  It did not work until I manually changed the rule and set the Reply-to option.
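The fix EricD describes, shown as an added example in hand-written pf.conf syntax (this is not OPNsense's generated ruleset and not code from the thread). The interface names, gateway addresses and server address are assumptions: a WAN on em0 with gateway 203.0.113.1, a VPN tunnel on wg0 with gateway 10.8.0.1 that is the default route for some internal networks, and an internal host 192.168.10.20 serving TCP 443.

```pf
# Added example in pf.conf syntax; names and addresses below are assumed.
wan_if = "em0"
wan_gw = "203.0.113.1"
srv    = "192.168.10.20"

# Destination NAT: rewrite connections arriving on the WAN address to the server.
rdr on $wan_if inet proto tcp from any to ($wan_if) port 443 -> $srv port 443

# BEFORE: a plain pass rule. The state is created and the redirected SYN reaches
# $srv, but the server's reply is forwarded by the ordinary routing table. When
# that network's default route is the VPN gateway (wg0 -> 10.8.0.1), the SYN-ACK
# leaves via the tunnel instead of em0 and the external client never sees it.
# pass in quick on $wan_if inet proto tcp from any to $srv port 443 keep state

# AFTER: the equivalent of setting "Reply-to" to the WAN interface on the rule.
# reply-to pins reply packets for this state to the interface and gateway the
# connection arrived through, regardless of the routing table.
pass in quick on $wan_if reply-to ($wan_if $wan_gw) inet proto tcp \
    from any to $srv port 443 keep state
```

To confirm what the firewall actually loaded, `pfctl -sr` prints the active ruleset; the pass rule for the forwarded port should show a `reply-to ( em0 203.0.113.1 )` clause. A rule that passes the inbound packet but lacks it will log as allowed, which matches the symptom of "allowed in the logs, nothing blocked, connection still fails".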

Quote from: EricD on February 09, 2026, 04:38:55 AM
"both of which should have theoretically fixed this problem"

Not exactly. Although I am curious how pass is treated without any reply-to. But then, pass is not a "new" rule so it probably has the reply-to still attached.

February 09, 2026, 04:43:57 PM #5 Last Edit: February 09, 2026, 04:47:15 PM by LisaMT
I have a Destination NAT rule on two interfaces to redirect DNS to OPNsense for Unbound.
But it also redirects my camera net which is NOT in the redirect rule.  So all the cameras are sending lots of DNS requests which they don't need.