opnsense_firewall_nat_one_to_one (Resource)

1:1 NAT maps a public IP address or subnet to an internal private IP address or subnet: all traffic sent to the public address is forwarded to the internal host or network. Unlike a port forward, which exposes a single port, a 1:1 mapping exposes every port of the internal system, which is useful for servers behind a firewall but also means the firewall rules on the interface decide which of those ports are actually reachable; the NAT rule by itself does not pass traffic. BINAT rules make the translation bidirectional, so the internal host's outgoing connections leave with the same public address that incoming connections use.

~> This resource requires the os-firewall plugin to be installed. It will not behave correctly if it is not installed.

Example Usage

# Minimal rule: binat is the default type, destination defaults to any and the rule is applied on wan.
resource "opnsense_firewall_nat_one_to_one" "example_one" {
  external_net = "220.110.81.9/32"
  source = {
    net = "10.10.2.9/32"
  }
  description = "Example one"
}


# The same mapping with every optional argument written out. enabled = false creates the rule without activating it.
resource "opnsense_firewall_nat_one_to_one" "example_two" {
  enabled = false
  log = true
  external_net = "220.110.81.9/32"
  type = "binat"

  source = {
    net = "10.10.2.9/32"
    invert = false
  }

  destination = {
    net = "any"
    invert = false
  }

  nat_reflection = "enable"
  categories = [ "8cb36e8e-1d72-480a-8268-bbdaf1ec6ed6" ]
  description = "Example two"
}

# A one-directional nat rule; unlike binat it accepts aliases and unequal sized networks.
resource "opnsense_firewall_nat_one_to_one" "example_three" {
  enabled = true
  log = true
  external_net = "220.110.81.9/32"
  type = "nat"

  source = {
    net = "__lan_network" # aliases are only allowed in type nat rules
  }

  nat_reflection = "default"
  description = "Example three"
}

Schema

Required

  • external_net (String) The external address or network for the 1:1 mapping, given as an address or CIDR (for a network, its starting address). Traffic is translated to and from this address or network.
  • source (Attributes) (see below for nested schema)

Optional

  • categories (Set of String) Set of category IDs to apply. Defaults to [].
  • description (String) Optional description for your reference (not parsed). Between 0 and 255 characters, each drawn from the set [a-zA-Z0-9 .].
  • destination (Attributes) (see below for nested schema)
  • enabled (Boolean) Enable this firewall NAT rule. Defaults to true.
  • interface (String) Choose which interface this rule applies to. Defaults to wan.
  • log (Boolean) Log packets that are handled by this rule. Defaults to false.
  • nat_reflection (String) NAT reflection mode. One of default, enable, or disable. default means OPNsense uses the global firewall NAT reflection setting.
  • sequence (Number) Specify the order of this NAT rule. Defaults to 1.
  • type (String) One of binat (default) or nat. When the external and internal networks are equally sized, binat is usually the best option; nat can also map networks of unequal size. A binat rule specifies a bidirectional mapping between the external and internal network and applies to connections initiated from either side, whereas nat applies in one direction only.
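
The constraints on type and source.net are easy to get wrong before a plan ever reaches OPNsense. The following Python is an added example, not part of this provider or of OPNsense: it encodes the two documented rules (binat needs equally sized networks and accepts no aliases; nat may use both) as a pre-apply check, and computes the address-by-address table a binat rule establishes, which the description of type only states in words. The rule dicts, the addresses and the function names validate_rule and binat_mapping are constructed for the example.

```python
"""Model of the 1:1 NAT semantics described in this schema (added example,
not the provider's own code). The checks mirror the documented constraints:
binat needs equally sized networks and rejects aliases; nat may use aliases
and may map unequal sized networks. All addresses below are constructed."""
import ipaddress
from typing import Dict, List


def _is_cidr(net: str) -> bool:
    """True for an IP address or CIDR; False for an OPNsense alias name."""
    try:
        ipaddress.ip_network(net, strict=False)
        return True
    except ValueError:
        return False


def validate_rule(rule: dict) -> List[str]:
    """Pre-apply lint for one opnsense_firewall_nat_one_to_one rule.

    `rule` holds the resource arguments as a dict; only `external_net`,
    `type` (default binat, as in the schema) and `source.net` are examined.
    Returns a list of problems; an empty list means the rule is consistent
    with the constraints stated in the schema.
    """
    problems: List[str] = []
    rule_type = rule.get("type", "binat")
    external = rule["external_net"]
    source = rule["source"]["net"]

    if rule_type not in ("binat", "nat"):
        return [f"type must be binat or nat, got {rule_type!r}"]
    if not _is_cidr(external):
        # external_net takes an address or network, never an alias.
        return [f"external_net must be an address or CIDR, got {external!r}"]
    if not _is_cidr(source):
        # An alias such as __lan_network is fine for nat, not for binat.
        if rule_type == "binat":
            problems.append(
                f"source.net {source!r} is an alias; aliases are only allowed in nat rules"
            )
        return problems

    ext_net = ipaddress.ip_network(external, strict=False)
    src_net = ipaddress.ip_network(source, strict=False)
    if rule_type == "binat" and ext_net.prefixlen != src_net.prefixlen:
        problems.append(
            f"binat needs equally sized networks: {external} is a /{ext_net.prefixlen}, "
            f"{source} is a /{src_net.prefixlen}"
        )
    return problems


def binat_mapping(external_net: str, source_net: str) -> Dict[str, str]:
    """Address-by-address table a binat rule establishes.

    The host bits are preserved, so the n-th external address translates to
    the n-th internal address, and the same pair is used in both directions.
    """
    ext = ipaddress.ip_network(external_net, strict=False)
    src = ipaddress.ip_network(source_net, strict=False)
    if ext.prefixlen != src.prefixlen:
        raise ValueError("binat requires equally sized networks")
    return {str(e): str(i) for e, i in zip(ext, src)}


if __name__ == "__main__":
    # Constructed rules modelled on the examples on this page.
    rules = {
        "example_one": {"external_net": "220.110.81.9/32", "source": {"net": "10.10.2.9/32"}},
        "example_three": {"external_net": "220.110.81.9/32", "type": "nat", "source": {"net": "__lan_network"}},
        "alias_in_binat": {"external_net": "220.110.81.9/32", "type": "binat", "source": {"net": "__lan_network"}},
        "unequal_binat": {"external_net": "203.0.113.8/29", "type": "binat", "source": {"net": "10.10.2.0/24"}},
    }
    for name, rule in rules.items():
        print(name, validate_rule(rule) or "ok")
    for outside, inside in binat_mapping("203.0.113.8/29", "10.10.2.8/29").items():
        print(f"{outside} <-> {inside}")
```

Running the script flags the two deliberately wrong rules and prints the eight pairs of the /29 mapping; a nat rule mapping a /32 onto a /24 passes the check, as the schema allows. Whether OPNsense applies further validation at apply time is not modelled here.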

Read-Only

  • id (String) UUID of the resource.

Nested Schema for source

Required:

  • net (String) The internal IP address or CIDR for the 1:1 mapping. Aliases are only allowed in nat rules, not in binat rules.

Optional:

  • invert (Boolean) Use this option to invert the sense of the match. Defaults to false.

Nested Schema for destination

Optional:

  • invert (Boolean) Use this option to invert the sense of the match. Defaults to false.
  • net (String) The 1:1 mapping will only be used for connections to or from the specified destination. Hint: this is usually 'any'. Defaults to any.

Import

In Terraform v1.5.0 and later, use an import block to import opnsense_firewall_nat_one_to_one using the id. For example:

import {
  to = opnsense_firewall_nat_one_to_one.example
  id = "<opnsense-resource-id>"
}

Using terraform import, import opnsense_firewall_nat_one_to_one using the id. For example:

% terraform import opnsense_firewall_nat_one_to_one.example <opnsense-resource-id>