Firewall: NAT: Destination NAT: Coexist Destination NAT and Port Forward terminology (#830)

* Firewall: NAT: Destination NAT: Coexist Destination NAT and Port Forward terminology * Update source/manual/firewall_settings.rst Co-authored-by: Ad Schellevis <AdSchellevis@users.noreply.github.com> * Update source/manual/firewall_settings.rst Co-authored-by: Ad Schellevis <AdSchellevis@users.noreply.github.com> * Update source/manual/how-tos/nat_reflection.rst Co-authored-by: Ad Schellevis <AdSchellevis@users.noreply.github.com> * Update source/manual/how-tos/nat_reflection.rst Co-authored-by: Ad Schellevis <AdSchellevis@users.noreply.github.com> * Update source/manual/how-tos/sfr_red_fr_ftth.rst Co-authored-by: Ad Schellevis <AdSchellevis@users.noreply.github.com> * Update source/manual/how-tos/nat_reflection.rst * Update source/manual/firewall.rst --------- Co-authored-by: Ad Schellevis <AdSchellevis@users.noreply.github.com>
2026-05-28 04:02:12 -04:00 · 2026-01-07 09:03:13 +01:00 · 2026-01-07 09:03:13 +01:00 · 192cc3248d
commit 192cc3248d
parent 0adffaafdf
14 changed files with 43 additions and 45 deletions
--- a/source/manual/captiveportal.rst
+++ b/source/manual/captiveportal.rst
@ -266,7 +266,7 @@ All traffic going to port 80 or 443 is redirected to localhost, ports 9000 + <zo
 and ports 8000 + <zone id> for HTTPS.

 ============================ ===============================
- **Type**                     Port forward
+ **Type**                     Destination NAT (Port Forward)
 **Interface**                <Zone interface>
 **Protocol**                 TCP
 **Source Invert**            Yes
@ -281,7 +281,7 @@ and ports 8000 + <zone id> for HTTPS.
 ============================ ===============================

 ============================ ===============================
- **Type**                     Port forward
+ **Type**                     Destination NAT (Port Forward)
 **Interface**                <Zone interface>
 **Protocol**                 TCP
 **Source Invert**            Yes
--- a/source/manual/firewall.rst
+++ b/source/manual/firewall.rst
@ -165,7 +165,7 @@ Our default deny rule uses this property for example (if no rule applies, drop t
 .. Warning::

    **NAT rules are always processed before filter rules!**
-    So for example, if you define a `NAT : port forwarding rules <nat.html#port-forwarding>`__  *without a associated rule*, i.e. **Filter rule association** set to **Pass**, this has the consequence, that no other rules will apply!
+    So for example, if you define a `NAT : Destination NAT (Port Forwarding) rules <nat.html#port-forwarding>`__  *without a associated rule*, i.e. **Filter rule association** set to **Pass**, this has the consequence, that no other rules will apply!

 .. Tip::

--- a/source/manual/firewall_settings.rst
+++ b/source/manual/firewall_settings.rst
@ -22,18 +22,18 @@ Network Address Translation
    
 .. Note::
    * Examine the automatic Reflection rules either in the shell with ``pfctl -s nat`` or in the GUI at :menuselection:`Firewall --> Diagnostics --> Statistics --> rules`.
-    * :code:`rdr` means redirection. Redirection rules are :menuselection:`Firewall --> NAT --> Port Forward` rules, also known as *Destination NAT*. *Destination NAT* changes the destination IP of a packet.
+    * :code:`rdr` means redirection. Redirection rules are :menuselection:`Firewall --> NAT --> Destination NAT (Port Forward)` rules, also known as *Destination NAT*. *Destination NAT* changes the destination IP of a packet.
    * :code:`nat` rules are :menuselection:`Firewall --> NAT --> Outbound` rules, also known as *Source NAT*. *Source NAT* changes the source IP of a packet.
    * *Reflection NAT* is just :code:`rdr`. *Hairpin NAT* is a combination of :code:`rdr` and :code:`nat`.


-Reflection for port forwards
+Reflection for Destination NAT (Port Forwards)
 .....................................

-Disabled by default, when enabled the system will generate :code:`rdr` rules to reflect port forwards on internal interfaces automatically (interfaces without a gateway set).
+Disabled by default, when enabled the system will generate :code:`rdr` rules to reflect Destination NAT (Port Forwards) on internal interfaces automatically (interfaces without a gateway set).


-If you create a :menuselection:`Firewall --> NAT --> Port Forward` rule with the interface as :code:`wan`, the automatic :code:`rdr` rules will be created for any of your other connected interfaces (e.g. :code:`lan`, :code:`opt1`, :code:`lo0`). 
+If you create a :menuselection:`Firewall --> NAT --> Destination NAT (Port Forward)` rule with the interface as :code:`wan`, the automatic :code:`rdr` rules will be created for any of your other connected interfaces (e.g. :code:`lan`, :code:`opt1`, :code:`lo0`).


 Reflection for 1:1
--- a/source/manual/how-tos/caddy.rst
+++ b/source/manual/how-tos/caddy.rst
@ -561,7 +561,7 @@ Go to :menuselection:`Services --> Caddy Web Server --> General Settings --> Adv

 From now on, Caddy will run as `www` user and group. This can be verified by checking the user of the Caddy process.

-.. Note:: With this configuration, `Port Forward` should be used to forward port 80 and 443 to the new alternative HTTP and HTTPS Ports. For IPv6 additional steps could be required.
+.. Note:: With this configuration, `Destination NAT (Port Forward)` should be used to forward port 80 and 443 to the new alternative HTTP and HTTPS Ports. For IPv6 additional steps could be required.


 Bind Caddy to Interfaces
@ -851,7 +851,7 @@ FAQ

 * | `Cloudflare` is not required to get automatic certificates.
 * | You can use the os-acme-client plugin to generate wildcard certificates. Set up an automation in the ACME client that reloads Caddy (do not restart it).
-* | `Port Forwards`, `NAT Reflection`, `Split Horizon DNS` or `DNS Overrides in Unbound` are not required. Only create Firewall rules that allow traffic to the default ports of Caddy.
+* | `Destination NAT (Port Forward)`, `NAT Reflection`, `Split Horizon DNS` or `DNS Overrides in Unbound` are not required. Only create Firewall rules that allow traffic to the default ports of Caddy.
 * | Even though internal clients will use the external IP address to access the reverse proxied services, the traffic will not pass over the internet. It will stay inside the OPNsense. Only in rare cases where there is multi WAN, the traffic can be routed from one WAN interface to the other over the internet, due to `reply-to` settings.
 * | Firewall rules to allow Caddy to reach internal services are not required. OPNsense has a default rule that allows all traffic originating from itself to be allowed.
 * | ACME clients on reverse proxied upstream destinations will not be able to issue certificates. Caddy intercepts ``/.well-known/acme-challenge``. This can be solved by using the `HTTP-01 Challenge Redirection` option in the advanced mode of domains. Please check the tutorial section for an example.
--- a/source/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.rst
+++ b/source/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.rst
@ -717,7 +717,7 @@ Firewall rules, Outbound NAT and DNS
 Now that you have configured split or full tunnel mode, you need rules to allow the traffic into your LAN and to the WAN (Internet). For IPv4 connection to the WAN (Internet) you need an Outbound NAT rule for IP-Masquerading. If you want the OPNsense to handle DNS, you can to configure Unbound so your roadwarriors use it as DNS server to prevent DNS leaks.

 .. Tip::
-    If you have internal IPv4 services (like a mailserver) that have external IPs in their DNS A-Records, you should configure Reflection NAT. There is a tutorial in the How-To section of Network Address Translation. If you follow it, add the ``ipsec`` interface in the Port Forward rules you create.
+    If you have internal IPv4 services (like a mailserver) that have external IPs in their DNS A-Records, you should configure Reflection NAT. There is a tutorial in the How-To section of Network Address Translation. If you follow it, add the ``ipsec`` interface in the Destination NAT (Port Forward) rules you create.

 Firewall: Aliases
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
--- a/source/manual/how-tos/nat_reflection.rst
+++ b/source/manual/how-tos/nat_reflection.rst
@ -29,10 +29,10 @@ Because there are not enough available IPv4 addresses, a workaround called *NAT*
        * `Firewall --> NAT --> Outbound` using the option *Translation / target* in a rule
    DNAT - Destination Network Address Translation
        *  Changes the destination IP of a packet
-        * `Firewall --> NAT --> Port Forward` using the option *Redirect target IP* in a rule
+        * `Firewall --> NAT --> Destination NAT (Port Forward)` using the option *Redirect target IP* in a rule
    PAT - Port Address Translation
        *  Changes the destination port of a packet
-        * `Firewall --> NAT --> Port Forward` using the option *Redirect target port* in a rule
+        * `Firewall --> NAT --> Destination NAT (Port Forward)` using the option *Redirect target port* in a rule

 If you create a DNAT rule, you enable all clients in the WAN access to an internal IPv4 address. The OPNsense acts like a translator, translating IPv4 addresses between client and server. The OPNsense writes all translations into a file called the NAT table. It knows exactly how traffic should flow back and forth with the translations in place.

@ -83,12 +83,12 @@ Method 1 - Creating manual Port-Forward NAT (DNAT), manual Outbound NAT (SNAT),
 ------------------------------------------------------------------------------------------------------------

 Go to :menuselection:`Firewall --> Settings --> Advanced`
-    Disable *Reflection for port forwards*, *Reflection for 1:1* and *Automatic outbound NAT for Reflection*
+    Disable *Reflection for Destination NAT (Port Forwards)*, *Reflection for 1:1* and *Automatic outbound NAT for Reflection*

 .. _nat-method1-portforward:

-Go to :menuselection:`Firewall --> NAT --> Port Forward`
-    Select **+** to create a new Port Forward rule.
+Go to :menuselection:`Firewall --> NAT --> Destination NAT (Port Forward)`
+    Select **+** to create a new Destination NAT (Port Forward) rule.

    =========================  ================================
    Interface:                  Select ``WAN``, ``DMZ`` and ``LAN`` - Select all interfaces in which clients are that should access the webserver. This will create a linked Firewall rule in :menuselection:`Firewall --> Rules --> Floating` which allows the traffic.
@ -162,14 +162,14 @@ Method 2 - Creating Automatic Port-Forward NAT (DNAT), Manual Outbound NAT (SNAT
 ------------------------------------------------------------------------------------------------------------

 Go to :menuselection:`Firewall --> Settings --> Advanced`
-    Enable *Reflection for port forwards* to create automatic rules for all entries :menuselection:`Firewall --> NAT --> Port Forward` that have ``WAN`` as interface.
+    Enable *Reflection for Destination NAT (Port Forwards)* to create automatic rules for all entries :menuselection:`Firewall --> NAT --> Destination NAT (Port Forward)` that have ``WAN`` as interface.

 .. _nat-method2-portforward:

-Go to :menuselection:`Firewall --> NAT --> Port Forward`
-    Create the NAT rule as in :ref:`Method 1 - Port Forward <nat-method1-portforward>` but change the following things:
+Go to :menuselection:`Firewall --> NAT --> Destination NAT (Port Forward)`
+    Create the NAT rule as in :ref:`Method 1 - Destination NAT (Port Forward) <nat-method1-portforward>` but change the following things:

-    * Make sure that your *Port Forwarding* rule specifies only ``WAN`` as interface.
+    * Make sure that your *Destination NAT (Port Forwarding)* rule specifies only ``WAN`` as interface.

 .. _nat-method2-floating:

@ -193,11 +193,11 @@ Method 3 - Creating Automatic Port-Forward NAT (DNAT), Automatic Outbound NAT (S
 ---------------------------------------------------------------------------------------------------------------

 Go to :menuselection:`Firewall --> Settings --> Advanced`
-    Enable *Reflection for port forwards* to create automatic rules for all :menuselection: `Firewall --> NAT --> Port Forward` that have ``WAN`` as interface.
+    Enable *Reflection for Destination NAT (Port Forward)s* to create automatic rules for all :menuselection: `Firewall --> NAT --> Destination NAT (Port Forward)` that have ``WAN`` as interface.
    Enable *Automatic outbound NAT for Reflection* to create automatic SNAT rules.

-Go to :menuselection:`Firewall --> NAT --> Port Forward`
-    Create the NAT rule as in :ref:`Method 2 - Port Forward <nat-method2-portforward>`
+Go to :menuselection:`Firewall --> NAT --> Destination NAT (Port Forward)`
+    Create the NAT rule as in :ref:`Method 2 - Destination NAT (Port Forward) <nat-method2-portforward>`

 Go to :menuselection:`Firewall --> Rules --> Floating`
    Create the floating firewall rule as :ref:`Method 2 - Floating <nat-method2-floating>`
@ -208,9 +208,9 @@ One-to-One NAT Reflection

 When :menuselection:`Firewall --> Settings --> Advanced` *Reflection for 1:1* is activated, automatic Reflection NAT rules for all One-to-One NAT rules are generated.

-If you want to create manual Reflection and Hairpin NAT rules, leave *Reflection for 1:1* disabled and follow the steps in :ref:`Method 1 <nat-method1>`. The only change is not adding the WAN interface to the Port Forward rules you create. The resulting Port Forward and Outbound NAT rules are **in addition** to the existing One-to-One NAT rules.
+If you want to create manual Reflection and Hairpin NAT rules, leave *Reflection for 1:1* disabled and follow the steps in :ref:`Method 1 <nat-method1>`. The only change is not adding the WAN interface to the Destination NAT (Port Forward) rules you create. The resulting Destination NAT (Port Forward) and Outbound NAT rules are **in addition** to the existing One-to-One NAT rules.

-If your Port Forward rule has 1 interface selected (e.g. LAN), the resulting *Filter rule association: Add associated filter rule* will appear in :menuselection:`Firewall --> Rules --> LAN`. If you have more than 1 interface selected, it will appear in `Firewall --> Rules --> Floating`.
+If your Destination NAT (Port Forward) rule has 1 interface selected (e.g. LAN), the resulting *Filter rule association: Add associated filter rule* will appear in :menuselection:`Firewall --> Rules --> LAN`. If you have more than 1 interface selected, it will appear in `Firewall --> Rules --> Floating`.

 .. _troubleshooting-nat-rules:

@ -222,7 +222,7 @@ Troubleshooting NAT Rules
    * Open SSH shell:
    * Display all loaded and active NAT rules:
    * ``pfctl -s nat``
-    * "rdr" means :menuselection:`Firewall --> NAT --> Port Forward` rules.
+    * "rdr" means :menuselection:`Firewall --> NAT --> Destination NAT (Port Forward)` rules.
    * "nat" means :menuselection:`Firewall --> NAT --> Outbound` rules.
    * You can also check the rules in the GUI in :menuselection:`Firewall --> Diagnostics --> Statistics`

--- a/source/manual/how-tos/sfr_red_fr_ftth.rst
+++ b/source/manual/how-tos/sfr_red_fr_ftth.rst
@ -281,7 +281,7 @@ Create the configuration for outbound domain:
 **Configuring NAT to redirect SFR/RED BOX calls to NGINX**
 ----------------------------------------------------------

-To allow correct port forwarding, we will configure OPNSense to affect a **static** IP to the SFR/RED Box and we will create an alias for it.
+To allow correct Destination NAT (Port Forwarding), we will configure OPNSense to affect a **static** IP to the SFR/RED Box and we will create an alias for it.

 Services / DHCPv4 / [LAN]
 +++++++++++++++++++++++++
@ -293,10 +293,10 @@ Click on `[+]` to add a static mapping:
 .. image:: images/SFRRED_services_dhcp_lan.png
 	:width: 100%

-Firewall / NAT / Port Forward
+Firewall / NAT / Destination NAT (Port Forward)
 +++++++++++++++++++++++++++++

-Select :menuselection:`Firewall --> NAT --> Port Forward`
+Select :menuselection:`Firewall --> NAT --> Destination NAT (Port Forward)`

 Add a new forwarding rule:

--- a/source/manual/how-tos/sslvpn_instance_roadwarrior.rst
+++ b/source/manual/how-tos/sslvpn_instance_roadwarrior.rst
@ -137,7 +137,7 @@ Redirect gateway        Leave empty :sup:`4`

 .. admonition:: Note  :sup:`1`

-   Leave empty to bind to all addresses assigned to this machine or use a loopback address combined with a port forward when
+   Leave empty to bind to all addresses assigned to this machine or use a loopback address combined with a Destination NAT (Port Forward) when
   the external address is not static.

 .. admonition:: Note  :sup:`2`
--- a/source/manual/how-tos/sslvpn_instance_s2s.rst
+++ b/source/manual/how-tos/sslvpn_instance_s2s.rst
@ -132,7 +132,7 @@ Remote Network          10.0.8.0/24 :sup:`2`

 .. admonition:: Note  :sup:`1`

-   Leave empty to bind to all addresses assigned to this machine or use a loopback address combined with a port forward when
+   Leave empty to bind to all addresses assigned to this machine or use a loopback address combined with a Destination NAT (Port Forward) when
   the external address is not static.

 .. admonition:: Note :sup:`2`
--- a/source/manual/how-tos/stunnel.rst
+++ b/source/manual/how-tos/stunnel.rst
@ -71,7 +71,7 @@ To add a new tunnel, go to :menuselection:`VPN -> Stunnel -> Configuration` and

 :Listen address:

-    The address to listen on, we generally advice to use a loopback interface here and forward traffic to it using a :doc:`port forward <../nat>`.
+    The address to listen on, we generally advice to use a loopback interface here and forward traffic to it using a :doc:`Destination NAT (Port Forward) <../nat>`.
    Leave this default (127.0.0.1) for our example.

 .. Note::
@ -119,7 +119,7 @@ To add a new tunnel, go to :menuselection:`VPN -> Stunnel -> Configuration` and

 .. Tip::

-    To forward traffic to the loopback address from your :code:`wan` interface, go to :menuselection:`Firewall -> NAT -> Port Forward`
+    To forward traffic to the loopback address from your :code:`wan` interface, go to :menuselection:`Firewall -> NAT -> Destination NAT (Port Forward)`
    and add a new rule with the following settings: Interface :code:`WAN`, Protocol :code:`TCP`, Destination :code:`WAN address`,
    Destination port range :code:`31280`, Redirect target IP :code:`127.0.0.1` and Redirect target port :code:`31280`

--- a/source/manual/how-tos/tor.rst
+++ b/source/manual/how-tos/tor.rst
@ -74,7 +74,7 @@ Transparent Forward Proxy

 :Transparent Port:
    This port is the target for your NAT rule.
-    Please create a rule for this port in the "Port Forward" section of the firewall.
+    Please create a rule for this port in the "Destination NAT (Port Forward)" section of the firewall.
 :Transparent DNS Port:
    If you are using Tor transparently, you can resolve .onion addresses
    to IPs of the given pool for example. This also allows to keep DNS secret.
@ -157,7 +157,7 @@ For any port you want to forward, you have to click `+` and fill out the form:
 .. image:: images/tor_hidden_services_route_edit.png

 :Hidden Service:
-    The service on which the port forward applies.
+    The service on which the Destination NAT (Port Forward) applies.
    The entries in this list are the services created in the previous step.
 :Port:
    The virtual Port in the Tor network.
--- a/source/manual/how-tos/wireguard-selective-routing.rst
+++ b/source/manual/how-tos/wireguard-selective-routing.rst
@ -333,7 +333,7 @@ The solutions include:

 1. Force the local DNS server to use the tunnel as well. For a local DNS server that is not OPNsense, include the local IPs of that server in the Alias created in Step 7 for the relevant VPN hosts. For OPNsense itself, configure the DNS server to use the tunnel gateway. Implementing this solution will mean that all DNS traffic for your network will go through the tunnel, not just the DNS traffic for the hosts that are in the Alias (and, indeed, for a local DNS server that is not OPNsense, all traffic from that server, not just DNS traffic, will be forced through the tunnel). This may not be desirable for your circumstances

-2. If possible, intercept DNS traffic coming from the relevant hosts using the tunnel, and forward that traffic (by using a port forward rule in OPNsense) to a DNS server supplied by your VPN provider (see note below), or to a public DNS server. Note that this will break local DNS resolution. Note also that this will not always be possible to do - if the local DNS server that is configured generally for your network is not OPNsense itself and is on the same subnet as the hosts using the tunnel, then DNS requests will not be routed through OPNsense and so a port forward on OPNsense will not work
+2. If possible, intercept DNS traffic coming from the relevant hosts using the tunnel, and forward that traffic (by using a Destination NAT (Port Forward) rule in OPNsense) to a DNS server supplied by your VPN provider (see note below), or to a public DNS server. Note that this will break local DNS resolution. Note also that this will not always be possible to do - if the local DNS server that is configured generally for your network is not OPNsense itself and is on the same subnet as the hosts using the tunnel, then DNS requests will not be routed through OPNsense and so a Destination NAT (Port Forward) on OPNsense will not work

 3. Assuming you have configured DHCP static mappings in OPNsense for the hosts using the tunnel, specify in that configuration either the DNS servers supplied by your VPN provider (see note below), or public DNS servers. This will override the network-wide DNS settings for those hosts

--- a/source/manual/nat.rst
+++ b/source/manual/nat.rst
@ -43,19 +43,17 @@ the internal IP, in order to avoid taking a detour and applying rules meant for
 The default, Round Robin, will simply distribute packets to one server after the other. If you only have one external
 IP, this option has no effect.

---------------
-Port forwarding
---------------
+------------------------------
+Destination NAT (Port Forward)
+------------------------------

 When multiple clients share an external IP address, any connection not initiated by one of the clients will not
 succeed since the firewall will not know where to send the traffic. This can be addressed by creating port
 forwarding rules. For example, for a web server behind the firewall to be accessible, ports 80 and 443 need to
 be redirected to it.

-Port forwarding is also referred to as “Destination NAT” or “DNAT”.
-
-In OPNsense, port forwarding can be set up by navigating to :menuselection:`Firewall --> NAT --> Port Forward`. Here, you will see
-an overview of port forwarding rules. New rules can be added by clicking **Add** in the upper right corner.
+In OPNsense, Destination NAT (Port Forward) can be set up by navigating to :menuselection:`Firewall --> NAT --> Destination NAT (Port Forward)`. Here, you will see
+an overview of Destination NAT (Port Forward) rules. New rules can be added by clicking **Add** in the upper right corner.

 When adding a rule, the following fields are available:

@ -120,7 +118,7 @@ This option controls the creation of linked filter rules in :menuselection:`Fire

       .. Note::

-          If multiple `Interfaces` are selected in the :menuselection:`Firewall --> NAT --> Port Forward` rule, the filter rule will
+          If multiple `Interfaces` are selected in the :menuselection:`Firewall --> NAT --> Destination NAT (Port Forward)` rule, the filter rule will
          appear in :menuselection:`Firewall --> Rules --> Floating`.

    .. tab:: Add unassociated filter rule
@ -130,7 +128,7 @@ This option controls the creation of linked filter rules in :menuselection:`Fire

       .. Note::

-          This option is recommended for more comple setups, like Port Forward rules on VPN interfaces.
+          This option is recommended for more comple setups, like Destination NAT (Port Forward) rules on VPN interfaces.
          The filter rule can be edited and features like `reply-to` disabled.


--- a/source/manual/ndp-proxy-go.rst
+++ b/source/manual/ndp-proxy-go.rst
@ -309,7 +309,7 @@ Option                              Value

 - Press **Save**

-Go to :menuselection:`Firewall --> NAT --> Port Forward` and create a NAT rule that redirects IPv6 DNS. We will use the same firewall aliases
+Go to :menuselection:`Firewall --> NAT --> Destination NAT (Port Forward)` and create a NAT rule that redirects IPv6 DNS. We will use the same firewall aliases
 that have been created in the `Firewall Rules` step:

 ==============================================  ====================================================================================================