opnsense_firewall_nat (Resource)
Network Address Translation (abbreviated to NAT) is a way to separate external and internal networks (WANs and LANs), and to share an external IP between clients on the internal network.
~> This resource requires the os-firewall plugin to be installed. It will not behave correctly if it is not installed.
Example Usage
resource "opnsense_firewall_nat" "example_one" {
  disable_nat = true
  interface   = "wan"
  protocol    = "TCP"
  target = {
    ip = "wanip"
  }
  log         = true
  description = "Example"
}
resource "opnsense_firewall_nat" "example_two" {
  enabled   = false
  interface = "wan"
  protocol  = "TCP"
  source = {
    net = "wan" # This is equiv. to WAN Net
  }
  destination = {
    net  = "10.8.0.1"
    port = "443"
  }
  target = {
    ip   = "wanip"
    port = "http"
  }
  log         = true
  description = "Example"
}
resource "opnsense_firewall_nat" "example_three" {
  interface = "wan"
  protocol  = "TCP"
  source = {
    net    = "192.168.0.0/16" # With invert = true this matches any source except 192.168.0.0/16
    invert = true
  }
  destination = {
    net  = "examplealias"
    port = "80-443"
  }
  target = {
    ip   = "wanip"
    port = "443"
  }
  description = "Example"
}
Schema
Required
- interface (String) Choose on which interface(s) packets must come in to match this rule.
- protocol (String) Choose which IP protocol this rule should match.
- target (Attributes) (see below for nested schema)
Optional
- description (String) Optional description here for your reference (not parsed). Must be between 1 and 255 characters and consist only of characters in the set [a-zA-Z0-9 .].
- destination (Attributes) (see below for nested schema)
- disable_nat (Boolean) Enabling this option will disable NAT for traffic matching this rule and stop processing Outbound NAT rules. Defaults to false.
- enabled (Boolean) Enable this firewall NAT rule. Defaults to true.
- ip_protocol (String) Select the Internet Protocol version this rule applies to. Available values: inet, inet6. Defaults to inet.
- log (Boolean) Log packets that are handled by this rule. Defaults to false.
- sequence (Number) Specify the order of this NAT rule. Defaults to 1.
- source (Attributes) (see below for nested schema)
Read-Only
- id (String) UUID of the resource.
Nested Schema for target
Required:
- ip (String) Specify the IP address or alias for the packets to be mapped to. For <INT> address, enter <int>ip (e.g. lanip).
Optional:
- port (String) Destination port number or well known name (imap, imaps, http, https, ...); for ranges use a dash. Defaults to "".
Nested Schema for destination
Optional:
- invert (Boolean) Use this option to invert the sense of the match. Defaults to false.
- net (String) Specify the IP address, CIDR or alias for the destination of the packet for this mapping. For <INT> net, enter <int> (e.g. lan). For <INT> address, enter <int>ip (e.g. lanip). Defaults to any.
- port (String) Destination port number or well known name (imap, imaps, http, https, ...); for ranges use a dash. Defaults to "".
Nested Schema for source
Optional:
- invert (Boolean) Use this option to invert the sense of the match. Defaults to false.
- net (String) Specify the IP address, CIDR or alias for the source of the packet for this mapping. For <INT> net, enter <int> (e.g. lan). For <INT> address, enter <int>ip (e.g. lanip). Defaults to any.
- port (String) Specify the source port for this rule. Source ports are usually ephemeral and almost never equal to the destination port range, so this should normally be left as "". Defaults to "".
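The attributes above interact in a way the per-attribute descriptions do not show: outbound NAT rules are evaluated in order, and a disable_nat rule only protects traffic if it sorts before the rule that would otherwise masquerade it. The following is an added example, not code from the provider's documentation. It assumes that lower sequence values are evaluated first, that "any" is an accepted protocol value (the page only shows "TCP"), that "lan" is the LAN interface name, and that 10.9.0.0/24 is a remote site reached over a VPN tunnel. It also assumes the OPNsense outbound NAT mode is set to Hybrid or Manual; in Automatic mode manually defined rules are not applied.

```terraform
# Added example (not from the provider docs). Assumptions: lower sequence
# values are evaluated first, "any" is a valid protocol, "lan" is the LAN
# interface, 10.9.0.0/24 is the remote VPN site.

# Exception first: traffic to the remote site must keep its real source
# address so the far end can route replies back through the tunnel.
resource "opnsense_firewall_nat" "no_nat_vpn" {
  sequence    = 1
  interface   = "wan"
  protocol    = "any"
  disable_nat = true # stop here; later outbound NAT rules are not processed
  source = {
    net = "lan" # LAN net
  }
  destination = {
    net = "10.9.0.0/24" # remote site behind the VPN (assumed)
  }
  target = {
    ip = "wanip" # target is required by the schema even when NAT is disabled
  }
  log         = true
  description = "No NAT for site to site VPN traffic"
}

# Catch-all second: everything else from LAN leaving via WAN is masqueraded
# behind the WAN address. If this sorted before the exception, the VPN
# traffic would be rewritten and the tunnel would break.
resource "opnsense_firewall_nat" "lan_to_wan" {
  sequence  = 2
  interface = "wan"
  protocol  = "any"
  source = {
    net = "lan"
  }
  target = {
    ip = "wanip"
  }
  description = "Masquerade LAN behind WAN address"
}
```

The description strings deliberately avoid hyphens and slashes, because the schema restricts description to the character set [a-zA-Z0-9 .]. Setting log = true on the exception rule gives a quick way to confirm in the firewall log that tunnel-bound traffic is hitting it rather than falling through to the catch-all.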
Import
In Terraform v1.5.0 and later, use an import block to import opnsense_firewall_nat using the id. For example:
import {
  to = opnsense_firewall_nat.example
  id = "<opnsense-resource-id>"
}
Using terraform import, import opnsense_firewall_nat using the id. For example:
% terraform import opnsense_firewall_nat.example <opnsense-resource-id>