Port Forwarding automatic rules

Started by Diggy, March 16, 2026, 10:40:59 PM

I have port forwarding working.  Internet can hit the WAN interface and both HTTP and HTTPS forward to the internal web server.

However, I am concerned that the port forwarding might take precedence over my manual rules including GeoIP blocking.  So I created a manual rule temporarily to see if it would block port forwarding.  It does not.  The docs say that the automatic port forward rules are to be applied last.  That does not appear to be the case.

Ideas?

Screenshot of the rules for the WAN interface:

What is the meaning of "!" by itself in the Source field of your NAT rules?  Were you just trying to override them with "!any" so that they would never match?

In any case the order of the rules you show here should be working.  Are you sure you are testing from the outside?  If you are trying from an internal address on this interface then the rules would not be evaluated at all.

Otherwise we have a serious bug...
N5105 | 8/250GB | 4xi226-V | Community

https://www.youtube.com/watch?v=XI9NG068TwI

March 17, 2026, 11:48:05 AM #3 Last Edit: March 17, 2026, 12:03:44 PM by OPNenthu
Do you have any other NAT rules set to "Pass" maybe?  Those would override and would not show here.  They are hidden from the UI because they are pass actions on the NAT rule itself, not needing a separate interface rule.

> What is the meaning of "!" by itself in the Source field of your NAT rules?

It's a visual bug reported here, but I haven't had the time to inspect it yet: https://github.com/opnsense/core/issues/9931


Cheers,
Franco

Quote from: OPNenthu on March 17, 2026, 11:43:29 AM
> What is the meaning of "!" by itself in the Source field of your NAT rules?

I have no idea the meaning of the "!" by itself and am also wondering its meaning.  It is part of auto-generated rules.

Quote from: OPNenthu on March 17, 2026, 11:43:29 AM
> In any case the order of the rules you show here should be working.  Are you sure you are testing from the outside?

Yeah, of course I was testing from the internet.

Quote from: OPNenthu on March 17, 2026, 11:48:05 AM
> Do you have any other NAT rules set to "Pass" maybe?  Those would override and would not show here.

I do not see any rules elsewhere that would affect the desired behavior.

Anyways, I disabled the auto-generated rules.  Then created the correct "Pass" rules and placed them after the GeoIP block.  In theory, the GeoIP block should take place when applicable before allowing the Port Forwarding.