[solved] Lost outbound NAT rules on 26.1.11 upgrade

Started by OPNenthu, July 01, 2026, 08:16:08 PM

Manual rules in "Firewall->NAT->Source NAT" went missing post upgrade.


26.1.10:

root@firewall:~ # cat /tmp/rules.debug| grep Outbound
nat on wg1 inet from (IG_OUT_VPN:network) to any -> (wg1:0) port 1024:65535 # Outbound NAT on WAN_VPN1
nat on wg1 inet6 from (IG_OUT_VPN:network) to any -> (wg1:0) port 1024:65535 # Outbound NAT on WAN_VPN1 (IPv6)
nat on wg2 inet from (IG_OUT_VPN:network) to any -> (wg2:0) port 1024:65535 # Outbound NAT on WAN_VPN2
nat on wg2 inet6 from (IG_OUT_VPN:network) to any -> (wg2:0) port 1024:65535 # Outbound NAT on WAN_VPN2 (IPv6)
nat on igc1 inet6 from $WAN_WARRIORS to any -> (igc1:0) port 1024:65535 # Outbound NAT on WAN for WAN_WARRIORS (IPv6)

26.1.11:

root@firewall:~ # cat /tmp/rules.debug| grep Outbound
root@firewall:~ #

Revert to 26.1.10 snapshot restores them.
N5105 | 8/250GB | 4xi226-V | Community

You have Automatic NAT rule generation enabled. You should turn this to manual or hybrid.

That setting isn't new, it's the same as in Outbound NAT.
Hardware:
DEC740

I have yet to migrate the legacy outbound NAT rules to the new SNAT UI and I'm a bit confused about it.  I thought there would be a migration process for those but it shouldn't affect anything that I created manually in the new UI?  Have they been merged?
N5105 | 8/250GB | 4xi226-V | Community

July 01, 2026, 08:39:58 PM #3 Last Edit: July 01, 2026, 08:41:44 PM by Monviech (Cedrik)
The Outbound NAT mode affects both the old Outbound NAT rules and the new SNAT rules.

There was an issue here for quite a while that SNAT rules didn't take the global Outbound Rule mode into consideration and always rendered into the ruleset regardless.

https://github.com/opnsense/core/pull/10472

If you used both GUIs at the same time with different intentions, that's not going to work anymore. Both GUIs adhere to the same Mode now.

TL;DR: set your mode to hybrid if you need both automatic and manual rules at the same time.
Hardware:
DEC740

@OPNenthu you need to consider that the UI is the UI and the pf filtering and NAT mechanism is running a couple of layers lower down the stack.

So all rules you create in the legacy (outbound) UI will eventually end up in the kernel and all rules you create in the new (source NAT) UI will just as well end up in the kernel. No idea about the order, but in case of NAT it's not quite as critical as with firewall rules.

Think of two admins both managing a set of rules.

Your task is to review the legacy rules, then one by one create an equivalent one in the source NAT UI, delete the one in the legacy UI, rinse and repeat. The state in the kernel's pf rules will more or less (not considering order) be the same.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Well, you don't have to manually migrate them one by one, we enhanced the Firewall Migration assistant to include a download for Outbound NAT rules.

And /all/ NAT rule pages now also have CSV upload and download (you're welcome :))
Hardware:
DEC740

Quote from: Patrick M. Hausen on July 01, 2026, 08:44:37 PM
No idea about the order, [...]

I don't know how they end up in the kernel (good point), but at least in the /tmp/rules.debug file I have seen that the SNAT UI rules take precedence over the outbound NAT rules with different priorities.  For that reason I was putting off migration of the legacy NAT rules until I understood the process better, but it sounds like I created a problem by not changing the mode.

# [prio: 50]
nat on wg1 inet from (IG_OUT_VPN:network) to any -> (wg1:0) port 1024:65535 # Outbound NAT on WAN_VPN1
nat on wg1 inet6 from (IG_OUT_VPN:network) to any -> (wg1:0) port 1024:65535 # Outbound NAT on WAN_VPN1 (IPv6)
nat on wg2 inet from (IG_OUT_VPN:network) to any -> (wg2:0) port 1024:65535 # Outbound NAT on WAN_VPN2
nat on wg2 inet6 from (IG_OUT_VPN:network) to any -> (wg2:0) port 1024:65535 # Outbound NAT on WAN_VPN2 (IPv6)
nat on igc1 inet6 from $WAN_WARRIORS to any -> (igc1:0) port 1024:65535 # Outbound NAT on WAN for WAN_WARRIORS (IPv6)
binat log on igc1 inet6 from <redacted>::/61 -> (lo1:0)/61
# [prio: 200]
nat on igc1 inet from (vlan0.1030:network) to any port 500 -> (igc1:0) static-port # Automatic outbound rule
nat on igc1 inet from (vlan0.1040:network) to any port 500 -> (igc1:0) static-port # Automatic outbound rule
nat on igc1 inet from (vlan0.1050:network) to any port 500 -> (igc1:0) static-port # Automatic outbound rule
nat on igc1 inet from (vlan0.1060:network) to any port 500 -> (igc1:0) static-port # Automatic outbound rule
... etc

Thanks, both.  Let me try to clean this up...
N5105 | 8/250GB | 4xi226-V | Community
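Added example (not from this thread or from OPNsense itself): a small Python check that parses the /tmp/rules.debug excerpt format shown above, tags each nat/binat line with the [prio: N] block it sits in, treats anything not commented "Automatic outbound rule" as manual, and reports which manual outbound NAT coverage disappeared between a pre-upgrade and post-upgrade copy of the file. The sample rulesets are constructed from the excerpt, and 2001:db8::/61 stands in for the redacted prefix.

```python
import re
import sys

# Constructed samples modelled on the /tmp/rules.debug excerpt in this thread:
# BEFORE has the manual (prio 50) block, AFTER only the automatic (prio 200) block.
# 2001:db8::/61 stands in for the redacted prefix.
BEFORE = """\
# [prio: 50]
nat on wg1 inet from (IG_OUT_VPN:network) to any -> (wg1:0) port 1024:65535 # Outbound NAT on WAN_VPN1
nat on wg1 inet6 from (IG_OUT_VPN:network) to any -> (wg1:0) port 1024:65535 # Outbound NAT on WAN_VPN1 (IPv6)
binat log on igc1 inet6 from 2001:db8::/61 -> (lo1:0)/61
# [prio: 200]
nat on igc1 inet from (vlan0.1030:network) to any port 500 -> (igc1:0) static-port # Automatic outbound rule
nat on igc1 inet from (vlan0.1030:network) to any -> (igc1:0) port 1024:65535 # Automatic outbound rule
"""
AFTER = "\n".join(BEFORE.splitlines()[4:]) + "\n"

PRIO_RE = re.compile(r"^#\s*\[prio:\s*(\d+)\]")
NAT_RE = re.compile(r"^(nat|binat)\s+(?:log\s+)?on\s+(\S+)\s+(inet6?)\b.*?(?:#\s*(.*))?$")

def parse_nat_rules(text):
    """Parse pf nat/binat lines, tagging each with the [prio: N] block it sits in."""
    rules, prio = [], None
    for line in text.splitlines():
        m = PRIO_RE.match(line)
        if m:
            prio = int(m.group(1))
            continue
        m = NAT_RE.match(line)
        if not m:
            continue
        kind, iface, af, comment = m.groups()
        comment = comment or ""
        rules.append({"prio": prio, "kind": kind, "iface": iface, "af": af, "comment": comment,
                      # OPNsense tags generated rules with this comment; anything else is manual
                      "manual": not comment.startswith("Automatic outbound rule")})
    return rules

def manual_nat_coverage(text):
    """Set of (interface, address family) pairs that a manual nat rule covers."""
    return {(r["iface"], r["af"]) for r in parse_nat_rules(text) if r["manual"] and r["kind"] == "nat"}

def lost_after_upgrade(before, after):
    """Manual coverage present before the upgrade but missing afterwards."""
    return sorted(manual_nat_coverage(before) - manual_nat_coverage(after))

if __name__ == "__main__":
    # Usage: python check_snat.py rules.debug.before rules.debug.after (defaults to the samples)
    texts = [open(p).read() for p in sys.argv[1:3]] if len(sys.argv) == 3 else [BEFORE, AFTER]
    for iface, af in lost_after_upgrade(*texts):
        print(f"manual outbound NAT for {iface} ({af}) is gone; check the Outbound NAT mode (hybrid/manual)")
```

Save a copy of /tmp/rules.debug before and after an upgrade and feed both paths to the script; an empty result means every manual nat rule still renders.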

For the record I think this is about https://github.com/opnsense/core/commit/6f3b49f6811 which we discussed and also noted in the release notes.

Conceptually the whole outbound mode switcheroo is a bit over-engineered, but for the sake of consistency it now adheres to the setting for source NAT behaviour as well so that it is a direct replacement for outbound NAT. Eventually, just being able to switch automatic rules on/off and always showing in hybrid mode is probably the best thing to do in the long term, but not before the old component is being completely removed (post its plugin live starting in 27.1).


Cheers,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT

July 01, 2026, 11:03:06 PM #8 Last Edit: July 01, 2026, 11:16:35 PM by OPNenthu
Quote from: Monviech (Cedrik) on July 01, 2026, 08:50:35 PM
And /all/ NAT rule pages now also have CSV upload and download (you're welcome :))

Are you sure? :)

I changed the Outbound NAT mode to Hybrid and upgraded again to 26.1.11.  For one thing, I'm not seeing an option to download the Outbound NAT rules as CSV.  Even the Migration Assistant UI is empty.

I also see some weirdness with regard to WG interfaces.  You'll notice in the Outbound NAT UI there are auto generated rules for e.g. WAN_VPN1, WAN_VPN2.  Those do not appear at all in the automatically generated rules list under the SNAT UI.  I only see the rules for the normal (non-WG) interfaces:

I might need a little bit of hand holding.  I can create the WG/VPN rules manually, no problem.  Do I need to manually migrate the rules for all other interfaces as Patrick suggested (one by one)?  What do I do about the ISAKMP ones?

Sorry if I'm being a dunce here.


EDIT: I had deleted the manual SNAT rules before the upgrade, btw.  That's not a bug.
N5105 | 8/250GB | 4xi226-V | Community

Marking as solved because I got my manual rules added back and everything's working, but I'm still not sure why some of the automatic rules aren't reflected in the SNAT UI.  Going to leave the automatic rules alone for now.

Thanks all!
N5105 | 8/250GB | 4xi226-V | Community

PPP-related rules may not show up yet in the source NAT GUI but automatic rules were not touched by the change so it's a cosmetic thing:

https://github.com/opnsense/core/issues/10479


Cheers,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT

Thanks for the link.  Re-reading the release notes and also the submitter's comments in that ticket, it sounds like there should have been a SNAT migration option but I am missing it.  Did I overlook something or is there a way I can get it back, so that I can migrate the rest of them (the automatic ones)?
N5105 | 8/250GB | 4xi226-V | Community

You can only migrate outbound NAT manual (or "hybrid") rules. You don't seem to have any. There's nothing to migrate. Automatic rules are automatic and come from the same place for both components, just for visibility.


Cheers,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT

Am I right in thinking, after upgrading to 26.1.11, we should switch back to hybrid mode under Outbound NAT?
I had turned this off following migration of my rules to SNAT as I had noticed SNAT rules got generated regardless of the selected mode.

EDIT: I just upgraded and see the mode option also appears on the SNAT page, and is in sync with selection in legacy Outbound page. So question answered.