opnsense NAT rules priority pitfall

A few days ago I stumbled over a pitfall using OPNsense NAT: a port forwarding rule in combination with some global block-list rules.

In the OPNsense documentation on rule processing order and priorities there is a note about the priority numbers used for floating rules etc. NAT rules have a very low priority number, which means they rank higher than all floating or interface rules.

The consequence is that if you define a port forwarding rule with Filter rule association set to Pass, no other rule is applied to the translated traffic at all: in pf terms this is a "rdr pass" rule, which passes matching packets immediately without inspecting the filter rules. So, for example, a global block rule defined as a floating rule will never see that traffic!

So you should define your port forwarding rule with Filter rule association set to Add associated filter rule. The NAT rule then only translates, and the forwarded traffic still has to pass the normal filter rules, where a floating block rule with quick is evaluated before the associated interface rule and therefore wins.

Another option is to set the source of the NAT: port forwarding rule to the alias containing all the hosts/networks to be blocked and enable Source / Invert, so that the port forwarding rule applies to all source addresses except the ones you want to keep away. Note that this only covers the addresses in that one alias; any other block rule is still bypassed by the Pass association:

(Screenshot: port forwarding source settings)
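To make the difference between the three variants concrete, here is an added example that is not part of the original post or of OPNsense: the three port forwards written out as pf rules, plus a small check that flags forwards which pass without source restriction and therefore bypass every filter rule. The interface name em0, the server 192.168.1.10, the table name blocklist and the rule text itself are assumptions, a hand-written approximation of what OPNsense writes to /tmp/rules.debug; the exact generated syntax may differ, but "rdr pass" versus plain "rdr" is pf semantics.

```shell
#!/bin/sh
# Added example (not from the original post or from OPNsense).
# Assumptions: WAN interface em0, internal server 192.168.1.10, a pf table
# <blocklist> holding the addresses to keep out. The rule text below is a
# constructed approximation of an OPNsense ruleset, not a captured one.
# pf semantics: "rdr pass" translates and passes the packet without
# evaluating any filter rule; plain "rdr" only translates, and the packet
# then walks the filter rules like any other.

# Variant 1: Filter rule association = Pass. The floating block rule is
# useless for traffic hitting this forward, because "rdr pass" short-circuits
# filtering.
RULES_PASS='
block in quick on em0 from <blocklist> to any
rdr pass on em0 inet proto tcp from any to (em0) port 443 -> 192.168.1.10 port 443
'

# Variant 2: Filter rule association = Add associated filter rule. The rdr
# only translates; the floating block (quick, evaluated first) wins before
# the associated pass rule on the interface.
RULES_ASSOCIATED='
block in quick on em0 from <blocklist> to any
rdr on em0 inet proto tcp from any to (em0) port 443 -> 192.168.1.10 port 443
pass in quick on em0 inet proto tcp from any to 192.168.1.10 port 443
'

# Variant 3: keep Pass, but invert the source so the forward itself excludes
# the blocked addresses ("from ! <blocklist>"). Only that one table is
# excluded; any other block rule is still bypassed.
RULES_INVERTED='
rdr pass on em0 inet proto tcp from ! <blocklist> to (em0) port 443 -> 192.168.1.10 port 443
'

# Print every rdr rule that passes without filtering and has no source
# restriction at all ("from any"). Reads ruleset text on stdin, so on a real
# firewall you can feed it with: pfctl -sn | sh this_script.sh
unfiltered_forwards() {
    grep -E '^[[:space:]]*rdr[[:space:]]+pass[[:space:]].*[[:space:]]from[[:space:]]+any[[:space:]]' || true
}

# Number of such rules in the ruleset text passed as $1 (0 when none).
count_unfiltered_forwards() {
    printf '%s\n' "$1" | unfiltered_forwards | grep -c . || true
}

# Stand-alone report over the three constructed variants.
report() {
    printf 'Pass:                   %s unfiltered forward(s)\n' "$(count_unfiltered_forwards "$RULES_PASS")"
    printf 'Associated filter rule: %s unfiltered forward(s)\n' "$(count_unfiltered_forwards "$RULES_ASSOCIATED")"
    printf 'Inverted source:        %s unfiltered forward(s)\n' "$(count_unfiltered_forwards "$RULES_INVERTED")"
}

report
```

Only variant 1 is reported. Variant 3 passes the check because its source is restricted, but as the comment says, the check cannot tell whether the one excluded table actually covers everything your floating rules would have blocked; variant 2 is the only form that keeps the full filter ruleset in play.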

PR for extending the upstream documentation: https://github.com/opnsense/docs/pull/445

