# OPNsense Source NAT

This role creates and manages outbound NAT (Source NAT/SNAT) rules on OPNsense via the REST API.
## Overview

This role creates and manages outbound NAT (Source NAT/SNAT) rules on OPNsense via the REST API. SNAT translates internal private IP addresses to the WAN IP address, enabling internet access for internal networks. The role creates SNAT rules, applies configuration changes, and provides a summary of configured rules.
## What This Role Does

- Fetches existing SNAT rules via `/api/firewall/source_nat/search_rule` to build a sequence → UUID lookup
- For each rule in `opnsense_source_nat_rules`:
  - Creates new rules (sequence not in OPNsense) via `/api/firewall/source_nat/addRule`
  - Updates existing rules (sequence exists but any field differs) via `/api/firewall/source_nat/setRule`
- Deletes orphaned rules (sequences on the firewall not in vars) via `/api/firewall/source_nat/delRule`
- If any changes were made: applies configuration via `/api/firewall/source_nat/apply`
- Displays a summary with the total number of configured rules
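The reconciliation above, written out as a stand-alone Python function (an added example, not the role's own tasks): it builds the sequence lookup, sorts desired rules into addRule / setRule / delRule buckets and decides whether `apply` is needed. The shape of the `search_rule` response (rows carrying `uuid`, `sequence` and the rule fields) and the sample rules are assumptions.

```python
# Added example, not the role's own code: the sequence-keyed reconciliation
# the role performs. The shape of search_rule output (rows carrying "uuid",
# "sequence" and the rule fields) is an assumption.
COMPARED_FIELDS = ("interface", "source_net", "target", "description",
                   "enabled", "destination_net", "log", "staticnatport")


def plan_changes(existing_rows, desired_rules):
    """Build the addRule / setRule / delRule plan from current vs. desired rules."""
    # Step 1: sequence -> row lookup (str() so YAML ints and API strings match).
    by_sequence = {str(r["sequence"]): r for r in existing_rows}
    plan = {"create": [], "update": [], "delete": []}
    seen = set()
    for rule in desired_rules:
        seq = str(rule["sequence"])
        if seq in seen:  # two vars rules sharing a sequence would flap every run
            raise ValueError(f"duplicate sequence {seq} in desired rules")
        seen.add(seq)
        current = by_sequence.get(seq)
        if current is None:
            plan["create"].append(rule)  # sequence unknown to OPNsense -> addRule
            continue
        # Any differing field -> setRule; a field missing from vars compares as "".
        changed = [f for f in COMPARED_FIELDS
                   if str(rule.get(f, "")) != str(current.get(f, ""))]
        if changed:
            plan["update"].append((current["uuid"], rule, changed))
    # Step 3: firewall rules whose sequence is absent from vars -> delRule.
    plan["delete"] = [r["uuid"] for s, r in by_sequence.items() if s not in seen]
    return plan


def needs_apply(plan):
    """True when any change was planned, i.e. /api/firewall/source_nat/apply is due."""
    return any(plan[k] for k in ("create", "update", "delete"))


# Constructed sample data, not captured from a real firewall.
def _rule(seq, net, desc, log="0"):
    return {"sequence": seq, "interface": "wan", "source_net": net,
            "target": "wan_address", "description": desc, "enabled": "1",
            "destination_net": "any", "log": log, "staticnatport": "0"}

EXISTING = [dict(_rule("1", "10.0.10.0/24", "lan"), uuid="uuid-a"),
            dict(_rule("2", "10.0.20.0/24", "iot"), uuid="uuid-b"),
            dict(_rule("9", "10.0.90.0/24", "stale"), uuid="uuid-c")]
DESIRED = [_rule(1, "10.0.10.0/24", "lan"),           # unchanged -> no call
           _rule(2, "10.0.20.0/24", "iot", log="1"),  # log toggled -> setRule
           _rule(3, "10.0.30.0/24", "guest")]         # new -> addRule; seq 9 -> delRule
```

Running `plan_changes(EXISTING, DESIRED)` yields one create (sequence 3), one update (`uuid-b`, field `log`) and one delete (`uuid-c`); a second run against the reconciled state plans nothing, which is the idempotency the role relies on.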
## Role Variables

| Variable | Description |
|---|---|
| vault_opnsense_bjoffrey_user_api_key | OPNsense API key (from vault) |
| vault_opnsense_bjoffrey_user_api_secret | OPNsense API secret (from vault) |
| opnsense_source_nat_rules | List of SNAT rules |
| opnsense_source_nat_validate_certs | Validate SSL certificates |
Rule definition fields:

| Field | Description |
|---|---|
| sequence | Rule sequence number (used as idempotency key) |
| interface | Outbound interface (usually wan) |
| source_net | Source network (CIDR or alias) |
| target | Translation target (usually wan_address) |
| description | Rule description |
| enabled | "1" = active, "0" = disabled |
| destination_net | Destination (usually any) |
| log | Log NAT translations |
| staticnatport | Preserve source port |
## Notes

- `wan_address` is a special OPNsense keyword that resolves to the current WAN IP
- The WAN interface is connected to my ISP router, which then also does NAT to a public IP address
- Rules are idempotent — matched by sequence number on existing rules
- Configure firewall rules in `opnsense_firewall` to allow traffic before NAT applies