NAT Migration Tool

Started by Burthouse4563, July 03, 2026, 04:40:25 PM

I just upgraded to 26.1.11_5 and performed firewall rule migration without issues. I went ahead and started looking at the NAT migration. I'm using manual NAT outbound rule currently. I exported my rules without issue. When I attempt to import, though, I get validation failed for every rule with the following error.

@uuid;"Invalid UUID offered (;1;0;0;1;wan...

I added a single manual rule to see what it was expecting and upon export got

1bdd4169-e821-40ba-98b0-83fdc10c8378;1;0;0;100;lan...

So clearly the new NAT rules are expecting more than what the old ones are exporting with regard to UUID.

Is this a known error, or will it be fixed in an upcoming release? I'd prefer not to manually input all rules; I will if I have to, but if this is going to get fixed, I'll wait.

Thanks to the team for what you do.

July 04, 2026, 09:55:49 AM #1 Last Edit: July 04, 2026, 10:07:44 AM by dseven
The UUID can be empty (otherwise it must be a properly formatted one):

https://github.com/opnsense/core/blob/20070de6fca7fc83605c856bd0b84753a86fa7c2/src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/ArrayField.php#L334-L348

I wonder if your CSV file somehow got corrupted with unprintable characters, or something. Did you do anything with the file other than let your browser save it during export, then open it for import? Try a different browser maybe?

Edit: ... actually, looking at your error message again, it looks like it's considering the whole line to be the UUID, so parsing the CSV seems to have failed somehow. I still wonder if something happened to corrupt the file...

Edit 2: Oooh, I have a theory - do any of your rules have a comma (,) or semicolon (;) in their description?

Hi,

Is this only for the Outbound NAT?
What is with Destination NAT?

Thank you

Where do you want to migrate the destination NAT rules to?

The only reason to migrate "Outbound NAT" to "SNAT" (aka "source NAT") was that this is the more common term. "Destination NAT" is already called correctly.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, Leox LXT-010H-D

1100 down / 450 up, Bufferbloat A+

Quote from: dseven on July 04, 2026, 09:55:49 AM
The UUID can be empty (otherwise it must be a properly formatted one):

https://github.com/opnsense/core/blob/20070de6fca7fc83605c856bd0b84753a86fa7c2/src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/ArrayField.php#L334-L348

I wonder if your CSV file somehow got corrupted with unprintable characters, or something. Did you do anything with the file other than let your browser save it during export, then open it for import? Try a different browser maybe?

Edit: ... actually, looking at your error message again, it looks like it's considering the whole line to be the UUID, so parsing the CSV seems to have failed somehow. I still wonder if something happened to corrupt the file...

Edit 2: Oooh, I have a theory - do any of your rules have a comma (,) or semicolon (;) in their description?

Here's an example rule directly from the export tool from the migration assistant, which throws the same error.

;1;0;0;101;wan;inet;any;lan;0;;any;0;;;;0;0;;;;"LAN to WAN"

No commas or semicolons in descriptions. It all looks correct to me, though.

Quote from: meyergru on July 04, 2026, 04:06:42 PM
Where do you want to migrate the destination NAT rules to?

The only reason to migrate "Outbound NAT" to "SNAT" (aka "source NAT") was that this is the more common term. "Destination NAT" is already called correctly.

In the latest update the current NAT structure is changing based on the patch notes and eventually we'll have to migrate them like the old firewall rules. I'm attempting to use the migration to change from "legacy outbound NAT rules to the new Source NAT rules interface". But the original error is thrown when using the migration tool on all of my current NAT rules.

Quote from: mschaeffler on July 04, 2026, 03:54:52 PM
Hi,

Is this only for the Outbound NAT?
What is with Destination NAT?

Thank you

Outbound is the old "legacy" style and is going to be changing to source / destination / one to one.

Quote from: Burthouse4563 on July 04, 2026, 06:46:16 PM
Here's an example rule directly from the export tool from the migration assistant, which throws the same error.

;1;0;0;101;wan;inet;any;lan;0;;any;0;;;;0;0;;;;"LAN to WAN"

What does the first line (the header line) of the CSV file look like? The only way I can see the failure occurring is if the header line is comma separated but the actual data is semicolon-separated, but I can't imagine how that would happen....

Quote from: dseven on July 04, 2026, 11:27:08 PM
Quote from: Burthouse4563 on July 04, 2026, 06:46:16 PM
Here's an example rule directly from the export tool from the migration assistant, which throws the same error.

;1;0;0;101;wan;inet;any;lan;0;;any;0;;;;0;0;;;;"LAN to WAN"

What does the first line (the header line) of the CSV file look like? The only way I can see the failure occurring is if the header line is comma separated but the actual data is semicolon-separated, but I can't imagine how that would happen....

Here's the header line.

@uuid;enabled;nonat;nosync;sequence;interface;ipprotocol;protocol;source_net;source_not;source_port;destination_net;destination_not;destination_port;target;target_port;staticnatport;log;categories;tag;tagged;description

It's semicolon. It's almost like the importer isn't recognizing the delimiting character and is attempting to parse the full line as the UUID instead of creating a new one since it isn't present.
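
Added example, not part of any post above and not OPNsense code: a small Python check that runs the hypotheses raised in this thread (unprintable characters, a header whose delimiter differs from the data lines, field counts that do not match the header) against an exported rule file before importing it. The function names are hypothetical, the sample is built from the header and rule line posted above, and the UTF-8 BOM check is an extra assumption about what "unprintable characters" might include; it does not reproduce the importer's own parsing.

```python
import csv

# Constructed sample: header and rule line as posted in the thread.
HEADER = ("@uuid;enabled;nonat;nosync;sequence;interface;ipprotocol;protocol;"
          "source_net;source_not;source_port;destination_net;destination_not;"
          "destination_port;target;target_port;staticnatport;log;categories;"
          "tag;tagged;description")
RULE = ';1;0;0;101;wan;inet;any;lan;0;;any;0;;;;0;0;;;;"LAN to WAN"'


def guess_delimiter(line, candidates=";,\t"):
    """Return the candidate that splits the line into the most fields."""
    counts = {d: len(next(csv.reader([line], delimiter=d))) for d in candidates}
    return max(counts, key=counts.get)


def check_export(raw: bytes):
    """Return a list of findings for a rule CSV export (empty list = clean)."""
    findings = []
    if raw.startswith(b"\xef\xbb\xbf"):
        findings.append("UTF-8 BOM before the header")
        raw = raw[3:]
    lines = raw.decode("utf-8", errors="replace").splitlines()
    if not lines:
        return ["empty file"]
    header_delim = guess_delimiter(lines[0])
    columns = next(csv.reader([lines[0]], delimiter=header_delim))
    for no, line in enumerate(lines, start=1):
        # Anything a text editor would not show, e.g. zero-width or control chars.
        bad = sorted({repr(c) for c in line if not c.isprintable() and c != "\t"})
        if bad:
            findings.append(f"line {no}: unprintable characters {', '.join(bad)}")
        if no == 1 or not line.strip():
            continue
        delim = guess_delimiter(line)
        if delim != header_delim:
            findings.append(
                f"line {no}: delimiter {delim!r}, header uses {header_delim!r}")
        # Split the way a parser locked to the header's delimiter would.
        fields = next(csv.reader([line], delimiter=header_delim))
        if len(fields) != len(columns):
            findings.append(
                f"line {no}: {len(fields)} fields, header has {len(columns)}")
    return findings


if __name__ == "__main__":
    print(check_export((HEADER + "\n" + RULE + "\n").encode()) or "no findings")
```

The header and rule line as posted produce no findings (22 columns, 22 fields), so whatever breaks the import would have to be in the bytes of the actual file rather than in the text as pasted here; pass the file's raw bytes to `check_export` to test that.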