[solved] Lost outbound NAT rules on 26.1.11 upgrade

Started by OPNenthu, July 01, 2026, 08:16:08 PM

If you have manual rules to migrate then you will set hybrid or manual, but that is already set for your use case.

If you don't have manual rules nothing needs to be migrated.


Cheers,
Franco

Today at 11:25:57 AM #16 Last Edit: Today at 12:36:21 PM by ProximusAl
Quote from: franco on Today at 10:43:29 AM
> If you have manual rules to migrate then you will set hybrid or manual, but that is already set for your use case.
>
> If you don't have manual rules nothing needs to be migrated.
>
> Cheers,
> Franco

Sorry Franco.....

I *already* migrated my rules from Outbound NAT to SNAT (At which point Outbound NAT was set to Hybrid)

Once I migrated them to SNAT, I changed outbound NAT back to Automatic.

Is this what I should be doing, or should I change Outbound NAT to something else before upgrading?

EDIT: Figured it out. Set it back to Hybrid after reading the release notes properly :)
Hardware:
DEC750v2

Today at 03:49:21 PM #17 Last Edit: Today at 05:21:33 PM by OPNenthu
Quote from: Patrick M. Hausen on July 01, 2026, 08:44:37 PM
> Think of two admins both managing a set of rules.

Quote from: franco on Today at 07:34:59 AM
> You can only migrate outbound NAT manual (or "hybrid") rules. You don't seem to have any. There's nothing to migrate. Automatic rules are automatic and come from the same place for both components just for visibility.

Ironically, this is what Patrick was telling me but it didn't fully click last night.

I do have manual rules actually, but I guess the migration option might have been hidden from me because my Outbound NAT rules were still set to Automatic before I upgraded.  I should have reverted the upgrade, then changed to hybrid, then upgraded again.  Instead I reverted, changed to hybrid, for some reason deleted the manual rules (mistake), then upgraded and manually re-entered them. 

Apparently sleep does wonders for comprehension  :)

Thanks again

EDIT: oh, and I already had the manual rules in the new SNAT UI to begin with.  Not sure what I expected. 🤦
N5105 | 8/250GB | 4xi226-V | Community

Today at 06:27:03 PM #18 Last Edit: Today at 06:29:07 PM by nero355
Quote from: franco on Today at 07:34:59 AM
> You can only migrate outbound NAT manual (or "hybrid") rules.

So if you have only a few then you might as well re-create them and delete the old ones?

Quote
> Automatic rules are automatic and come from the same place for both components just for visibility.

I will double check if this is the case before I start, because I had Hybrid NAT Mode Enabled long before the new Source NAT section was added to OPNsense and when I checked after it was added I can't remember seeing anything there to be honest...

And just some quick checks about what the 26.1.11 Release Notes mentioned:

Quote
> Note that this update brings the outbound to source NAT migration page, but it is only a formality as outbound NAT will stay in 26.7

Does this basically mean that the same "Grace period" that started for the Firewall Rules when 26.1 was released now applies to Outbound NAT and that it will probably be moved to a plug-in starting with 27.1 next year?

Quote
> although the legacy firewall rules page will move to a plugin during the major upgrade. It is the same process that was employed with ISC-DHCP.

Does this mean that in order to avoid messing around with a plug-in for the Firewall Rules it would be smarter to migrate them to Firewall Rules (New) before the 26.7 upgrade?

I have done the same when this was announced for ISC-DHCP and moved to KEA before upgrading to 26.x to avoid potential "Core functionality moving to a plug-in issues" that eventually turned out to affect some people who had not done the same, so I would like to do this again for the Firewall Rules now :)

Quote
> Due to this addition, however, the source NAT rules entered in the system will no longer work unless the mode is set to either "manual" or "hybrid".

Does that setting sync between Outbound NAT and Source NAT or do you have to confirm both just to be sure nothing goes wrong?

I will check it myself of course, but I am curious about how it was designed to work so I can report back if anything turns out to be different than expected...

Quote from: Monviech (Cedrik) on July 01, 2026, 08:50:35 PM
> And /all/ NAT rule pages now also have CSV upload and download (you're welcome :))

I would hereby like to thank the OPNsense Team for their .CSV files addiction that makes Importing/Exporting Data and/or Settings of all the sub-sections that have this option SUPER EASY !!! :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Today at 07:26:58 PM #19 Last Edit: Today at 08:16:18 PM by Bob.Dig
I use hybrid mode. The Automatically generated rules in SNAT are less than in NAT: Outbound. For me, it looks like, wg0 networks and 127.0.0.0/8 are missing.
Also static port is not shown in the summary/has no column.

Edit: Interesting, according to the docs, Step 4(b) - Create an outbound NAT rule, you have to add this manually for WireGuard. Still, for me it was in automatic in outbound and isn't in SNAT.

> Does this basically mean that the same "Grace period" that started for the Firewall Rules when 26.1 was released now applies to Outbound NAT and that it will probably be moved to a plug-in starting with 27.1 next year?

Yes.

> Does this mean that in order to avoid messing around with a plug-in for the Firewall Rules it would be smarter to migrate them to Firewall Rules (New) before the 26.7 upgrade?

It doesn't matter. Nothing can go wrong except losing the immediate ability to edit the legacy rules if the plugin is MIA for whatever reason. The rules are still registered and rendered by the backend.

What we can achieve with 26.7, however, is to switch rules [new] to rules and rules to rules [legacy] for clarity and that legacy rules can be removed from the system and menu via plugin drop (and actually not being required at all for 26.7 factory defaults).

> I have done the same when this was announced for ISC-DHCP and moved to KEA before upgrading to 26.x to avoid potential "Core functionality moving to a plug-in issues" that eventually turned out to affect some people who had not done the same, so I would like to do this again for the Firewall Rules now :)

Due to the degree of integration and early coding ideas every change away from code that is almost 20 years old is difficult for different reasons. I don't expect the same challenges, but there may be others.

> Does that setting sync between Outbound NAT and Source NAT or do you have to confirm both just to be sure nothing goes wrong?

Yes, it is the same setting underneath so that source NAT is a full replacement of outbound NAT without behavioural changes. Later we want to change that, but likely not before outbound NAT within a plugin is leaving forever (28, 29?)

> I would hereby like to thank the OPNsense Team for their .CSV files addiction that makes Importing/Exporting Data and/or Settings of all the sub-sections that have this option SUPER EASY !!! :)

Thanks, it seems to be a practical addition for a number of reasons. This pattern will likely continue. :)


Cheers,
Franco