Portforwarding working only with both destination NAT and old rule activated

Started by thebraz, March 17, 2026, 09:41:56 AM

Hi,
I have updated to Opnsense 26.1.4.
Since the new rule system was introduced, my port forwarding rule on WAN only works if it is activated both in Destination NAT (where it was placed by the upgrade to 26.1) and in the old rules section.
I have not migrated the rules yet, so I was wondering about this behaviour.

Thanks in advance

Well you need a firewall rule to allow traffic in (or set the NAT action to "pass"). This never changed.


Cheers,
Franco

Hi Franco,
thanks for the answer.
In the past the rule on wan forwarding the port was enough and worked.

Still confused...

In the past the WAN rule (WAN_RULE.jpg, attached) was enough.
Now, without making any transfer to new rules mode, it needs also the Destination NAT rule created by the upgrade to 26.1 to be activated.

If one of the two is not activated the port forwarding does not work.

I'm not sure I follow but I'll repeat: a port forward / destination NAT rule requires a filter rule to pass the traffic unless the port forward / destination NAT action is set to "pass", in which case a pass filter rule will be implicit inside pf(4).


Cheers,
Franco

The attached WAN rule has pass in the field Action.
But now it also requires that the Destination NAT rule created by the upgrade is active.

I hope I have made my doubt clear.


Let's see if I succeed in explaining:
prior to 26.1, Destination NAT was Firewall --> NAT --> Port Forwarding,
and it was renamed to that (Destination NAT) by the upgrade (although the rules were not written exactly as before; for example, the Destination NAT rule that derives from the one I attached had Manual as its action and not Pass).

but

in the Legacy Rules section there are still the old rules made before the upgrade, for example the one I attached (Firewall --> Rules --> WAN).

The old WAN rule has pass, the Destination NAT rule is not active... Why doesn't it work?

@thebraz. Hope I am not intruding here, but if I could suggest looking here first:
https://docs.opnsense.org/manual/nat.html

In my system, to gain a better understanding of legacy Rules and Rules[new], I created, from scratch, the rules required for legacy. All worked correctly. Note, if you try this step, to avoid all confusion, you need to make sure that you delete all rules and work with either legacy OR Rules[new]. Not that they cannot co-exist, but it will just make it more clear.

Then, after deleting these rules, I created them under Rules[new], but with 2 versions:

1. Edit DNAT Rule: Options: Firewall rule: Manual
This is explained in the docs under the section "Filter rule association"
Using "Manual" requires a second rule under WAN to allow the traffic to hit the DNAT rule.

2. Then, I deleted both rules and created one rule in DNAT, setting association to "Register rule". It works correctly.

I switched back to option 1, even though it is 2 rules, only because it gives me better visibility from the GUI.
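The mechanism behind Franco's explanation (a port forward needs a filter rule unless its action is "pass") and behind the "Manual" versus "Register rule" association that Vimage22 describes, shown at the pf(4) level. This is an added example written for this thread, not OPNsense's generated ruleset or anyone's posted configuration; the WAN interface name em0, the external port 8080 and the internal host 192.168.1.10:80 are assumed placeholder values:

```pf
# Added example, not from the thread. "em0" (WAN), external port 8080 and
# the internal web server 192.168.1.10:80 are assumed placeholder values.

# Form 1: translation and filter in one rule. The "pass" keyword on the
# rdr rule makes pf create the implicit pass rule Franco refers to, so no
# separate filter rule is needed. This corresponds to a port forward whose
# filter rule association is set to pass.
rdr pass on em0 inet proto tcp from any to (em0) port 8080 -> 192.168.1.10 port 80

# Form 2: translation only. Without "pass", the rdr rule rewrites the
# destination, but the packet is still evaluated by the filter rules, so a
# matching pass rule is required or the forwarded traffic is dropped by
# the default block policy. This corresponds to the "Manual" association,
# where the WAN filter rule is maintained separately.
rdr on em0 inet proto tcp from any to (em0) port 8080 -> 192.168.1.10 port 80

# Filter rules are evaluated after translation, so the pass rule must
# match the translated destination (internal host and port), not the WAN
# address and port that the client connected to. The corresponding block
# in the block-all-by-default policy is what a missing pass rule hits.
pass in quick on em0 inet proto tcp from any to 192.168.1.10 port 80 keep state
```

With form 2, disabling either the rdr rule or the pass rule breaks the forward, which is the dependency between the two entries observed in this thread; with form 1 there is nothing separate to disable. To confirm which form the GUI actually loaded, `pfctl -sn` lists the active translation rules and `pfctl -sr` the active filter rules, so a forward that "needs both rules" should show an rdr line without `pass` plus a separate pass rule for the internal destination.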

Hi,
not having migrated the rules to the new system yet, I made a few experiments with what I have now and it seems I have understood what to do.
Thanks a lot to Franco and Vimage22 for their help.

Best wishes