Nuface Blog

Casual Notes

NAT in OPNsense — Function, Use Cases & Best Practices

Posted on 2025-11-11 by Rico

1. What is NAT?

NAT (Network Address Translation) rewrites the source or destination IP address (and usually the port) in packet headers as they pass through the firewall, typically between an internal network using private addresses and the public Internet. As the OPNsense documentation explains, outbound traffic from internal clients needs its source address replaced with a public one, otherwise the outside server has no routable address to send its replies to (docs.opnsense.org).

2. Types of NAT & Their Purpose

  • Port Forwarding / Destination NAT (DNAT):
    Connections initiated by external hosts to the firewall's public IP and port are redirected to an internal server's IP and port; only the destination is rewritten, the source stays as the external client's address (docs.opnsense.org).
  • Outbound NAT / Source NAT (SNAT):
    Internal clients' source addresses (and ports) are rewritten to an external IP as traffic leaves, and the firewall keeps state so that replies are mapped back to the original client (Zenarmor).

3. Why Use NAT?

  • Private address ranges (RFC 1918) are not routable on the Internet; NAT lets hosts using them reach external services.
  • Many clients can share one public IP for outbound access, distinguished by the translated source port.
  • Internal services can be exposed to the Internet by port forwarding selected ports to an internal host.

4. How to Configure in OPNsense

Port Forwarding (DNAT):

  • Navigate to Firewall → NAT → Port Forward.
  • Choose the interface (usually WAN), define the destination address/port (typically the WAN address and the service port), and set the redirect target to the internal server IP/port.
  • Leave Filter rule association at its default ("Add associated filter rule") so a matching pass rule is created, or add one yourself; without a pass rule the redirected packet is still dropped by the filter.
  • Use Reflection/Hairpin NAT if internal clients must access the service via its public IP: set NAT reflection on the rule, or enable Reflection for port forwards together with Automatic outbound NAT for Reflection under Firewall → Settings → Advanced (docs.opnsense.org).

Outbound NAT (SNAT):

  • Navigate to Firewall → NAT → Outbound.
  • Choose mode: Automatic, Hybrid, Manual or Disabled.
    • Automatic generates the rules for you and is fine for single WAN IP setups (docs.opnsense.org).
    • Hybrid keeps the automatic rules and applies your manual rules before them; Manual generates nothing and uses only your rules.
  • Under Manual/Hybrid, define custom rules specifying the interface, source network, destination and the translation target IP (the WAN address or a virtual IP); enable Static Port only where a protocol needs the source port preserved.

5. Practical Use Cases

  • Expose an internal web server to the Internet: port forward WAN:80/443 → internal 192.168.1.x:80/443, with a pass rule for the internal target.
  • Internal clients outbound through a shared public IP: use SNAT so LAN devices share the WAN IP for Internet access.
  • Dedicated public IP per network segment: for multi-WAN or VIP setups, Manual Outbound NAT directs specific LAN traffic to a specific WAN IP.

6. Best Practices & Notes

  • NAT is not a security measure; it only translates addresses. Internal hosts are unreachable from outside only because no state or port forward exists for them, so enforce access with filter rules rather than relying on translation (docs.opnsense.org).
  • NAT rules are applied before firewall filter rules, so filter rules see the translated packet: a WAN rule that matches the public IP does not match a port-forwarded connection, which is why the filter rule associated with a port forward is written against the internal target IP and port (docs.opnsense.org).
  • Enable Reflection/Hairpin NAT (with automatic outbound NAT for reflection) when internal clients access services via the public IP; without the source translation the internal server replies directly to the client from its private address and the handshake fails (docs.opnsense.org).
  • If you have a single WAN IP and no special needs, leave Outbound NAT in Automatic mode.
  • Double-check routing and translation logic when using multiple WANs or VIPs: the outbound NAT rule's interface and translation address must match the gateway the traffic actually leaves on, otherwise replies arrive on a different WAN and are dropped (asymmetric routing).
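The following is an added example, not OPNsense code or the author's, that models the pf processing order the sections above describe (rdr/DNAT first, then the filter, then nat/SNAT, with a state entry so replies are reverse-translated). It covers the port forward and outbound NAT from section 4 and the two ordering and reflection notes from section 6. The addresses (203.0.113.10 on WAN, 192.168.1.0/24 on LAN, a web server at 192.168.1.10), the interface names and the three reflection modes ('off', redirect only, redirect plus automatic outbound NAT) are assumptions made for the example.

```python
# Toy model of the pf packet path behind OPNsense NAT: rdr (DNAT) -> filter -> nat (SNAT),
# plus a state entry so replies are reverse-translated. Addresses, interface names and
# the reflection modes are constructed for this example; this is not OPNsense code.
from dataclasses import dataclass, replace
import ipaddress
import itertools

WAN_IF, LAN_IF = "wan", "lan"
WAN_IP = "203.0.113.10"                      # assumed public address on WAN
LAN_IP = "192.168.1.1"                       # the firewall's own LAN address
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WEB_SERVER = "192.168.1.10"                  # internal target of the port forward

@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int

def in_lan(addr):
    return ipaddress.ip_address(addr) in LAN_NET

class NatFirewall:
    """reflection: 'off', 'rdr' (redirect only) or 'nat' (redirect plus automatic
    outbound NAT for reflection, the two settings OPNsense offers together)."""

    def __init__(self, reflection="off"):
        self.reflection = reflection
        self.states = {}                    # reply tuple the far end will use -> original packet
        self.ports = itertools.count(50000) # toy ephemeral-port allocator for source NAT

    def rdr(self, pkt):
        # Port forward WAN_IP:80 -> WEB_SERVER:80 on WAN; on LAN only when reflection is on.
        on_wan = pkt.iface == WAN_IF
        on_lan_reflected = pkt.iface == LAN_IF and self.reflection != "off"
        if pkt.dst == WAN_IP and pkt.dport == 80 and (on_wan or on_lan_reflected):
            return replace(pkt, dst=WEB_SERVER)
        return pkt

    def filter(self, pkt):
        # Filter rules run AFTER rdr, so the WAN pass rule names the internal target
        # (as the filter rule OPNsense associates with a port forward does).
        if pkt.iface == LAN_IF:
            return True                                    # default LAN allow rule
        return pkt.dst == WEB_SERVER and pkt.dport == 80   # WAN: only the forwarded service

    def nat(self, pkt):
        # Outbound NAT: LAN sources leaving towards the Internet become WAN_IP.
        if in_lan(pkt.src) and not in_lan(pkt.dst):
            return replace(pkt, src=WAN_IP, sport=next(self.ports))
        # Reflection 'nat' mode: hide the LAN client behind the firewall's LAN address
        # for the forwarded service, so the server answers through the firewall.
        if self.reflection == "nat" and pkt.iface == LAN_IF and pkt.dst == WEB_SERVER and pkt.dport == 80:
            return replace(pkt, src=LAN_IP, sport=next(self.ports))
        return pkt

    def forward(self, pkt):
        """Packet as it leaves the firewall, or None if dropped or undeliverable."""
        out = self.rdr(pkt)
        if out.dst in (WAN_IP, LAN_IP):
            return None            # addressed to the firewall itself; nothing listens on :80
        if not self.filter(out):
            return None
        out = self.nat(out)
        self.states[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reply(self, pkt):
        """Reverse-translate a reply arriving at the firewall; None if no state matches."""
        orig = self.states.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None
        return Packet(pkt.iface, orig.dst, orig.dport, orig.src, orig.sport)

def inbound_demo():
    # Internet client -> port forward: destination rewritten, source untouched.
    fw = NatFirewall()
    fwd = fw.forward(Packet(WAN_IF, "198.51.100.7", 51515, WAN_IP, 80))
    back = fw.reply(Packet(LAN_IF, WEB_SERVER, 80, "198.51.100.7", 51515))
    return fwd, back

def outbound_demo():
    # LAN client -> Internet: source rewritten to WAN_IP with a fresh port.
    fw = NatFirewall()
    fwd = fw.forward(Packet(LAN_IF, "192.168.1.50", 40000, "198.51.100.7", 443))
    back = fw.reply(Packet(WAN_IF, "198.51.100.7", 443, WAN_IP, fwd.sport))
    return fwd, back

def hairpin(reflection):
    # What a LAN client sees when it connects to the forwarded service via the public IP.
    fw = NatFirewall(reflection)
    out = fw.forward(Packet(LAN_IF, "192.168.1.50", 40000, WAN_IP, 80))
    if out is None:
        return "fails: packet is addressed to the firewall itself and is never forwarded"
    # The server answers the source it saw; on its own subnet that bypasses the firewall.
    server_reply = Packet(LAN_IF, out.dst, out.dport, out.src, out.sport)
    if server_reply.dst != LAN_IP:
        return f"fails: client expected a reply from {WAN_IP} but got one from {server_reply.src}"
    back = fw.reply(server_reply)
    return f"ok: client sees the reply from {back.src}:{back.sport}"
```

Running `hairpin` with the three modes shows why reflection alone is not enough: with it off the LAN client's packet is addressed to the firewall itself and is never forwarded; with redirect only, the web server answers 192.168.1.50 directly from 192.168.1.10, and the client, which expects the reply from 203.0.113.10, tears the connection down; only with the automatic outbound NAT does the reply come back through the firewall and get reverse-translated. The `filter` method also makes the ordering point concrete: a WAN rule written against 203.0.113.10 would never match the redirected packet.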

7. Conclusion

NAT in OPNsense is essential for enabling internal-to-external communications, service exposure, and multi-network scenarios. Understanding the differences between DNAT and SNAT, and using the correct operational mode, allows you to build robust, manageable network architectures.
