All outbound traffic seems to be "let out anything from firewall host itself"

[jonm]

I was looking at the live view of my firewall logs and I notice that all my outbound traffic appears to be Interface:wan, source: my WAN IP address, and label "let out anything from firewall host itself (force gw)".

Is this to be expected or have I somehow messed something up? Everything is working OK, as far as I can tell, but I would have thought that I should see the all the various source devices' IP addresses/hostnames in the log rather than the wan interface, shouldn't I?

[Greelan]

I was looking at the live view of my firewall logs and I notice that all my outbound traffic appears to be Interface:wan, source: my WAN IP address, and label "let out anything from firewall host itself (force gw)".

Is this to be expected or have I somehow messed something up? Everything is working OK, as far as I can tell, but I would have thought that I should see the all the various source devices' IP addresses/hostnames in the log rather than the wan interface, shouldn't I?

Perfectly normal. Traffic destined for the internet from local hosts comes into OPNsense on the LAN/VLAN interface, gets NATed, and then exits OPNsense on the WAN interface with the WAN IP (the automatic floating rule allows the egress)

[jonm]

OK, that makes sense, thanks.

[jonm]

Apologies for replying to an oldish thread but this is still bothering me.

I've been looking at ntopng which is working but exhibits a similar problem - all the active flows show the client as the router itself. This is way less useful than I had hoped, I'd like to see what the individual clients are. Is this normal? Is it related to the way the firewall traffic is showing in the logs as in my root post? Is there any way to show the individual clients?

Thanks

Jon.