Bug #16783
Same port forward on multiple WANs can generate a PF error due to Pure NAT mode NAT reflection
Status: open
Description
If a user has the same NAT rule on multiple WANs (e.g. forwarding the same external port on each WAN to the same internal host and port), and they also have NAT reflection enabled in Pure NAT mode, the identical reflection rule is generated multiple times in the ruleset.
For example, in this scenario there are two WANs (vtnet0 and vtnet2) and one LAN (vtnet1). Port 222 on both WANs is forwarded to 10.6.0.10:22. NAT reflection is enabled in Pure NAT mode. This results in the following rules in the rules.debug file:
rdr on vtnet2 inet proto tcp from any to 203.0.113.6 port 222 -> 10.6.0.10 port 22
rdr on { vtnet1 enc0 openvpn } inet proto tcp from any to 203.0.113.6 port 222 -> 10.6.0.10 port 22
nat on vtnet1 proto tcp from 10.6.0.0/24 to 10.6.0.10 port 22 -> 10.6.0.1 port 1024:65535
rdr on vtnet0 inet proto tcp from any to 198.51.100.6 port 222 -> 10.6.0.10 port 22
rdr on { vtnet1 enc0 openvpn } inet proto tcp from any to 198.51.100.6 port 222 -> 10.6.0.10 port 22
nat on vtnet1 proto tcp from 10.6.0.0/24 to 10.6.0.10 port 22 -> 10.6.0.1 port 1024:65535
Note that the two nat on rules are identical.
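As an added check (not pfSense's own code), a small Python script that scans a rules.debug-style ruleset for identical translation rules, the condition that produces the "rule was already present" error, and shows the ruleset with the repeats dropped. The sample input is constructed from the excerpt above; the script assumes one rule per line.

```python
from collections import Counter

# Constructed sample mirroring the rules.debug excerpt in the report:
# two WANs with the same port forward, reflection in Pure NAT mode.
SAMPLE_RULES = """\
rdr on vtnet2 inet proto tcp from any to 203.0.113.6 port 222 -> 10.6.0.10 port 22
rdr on { vtnet1 enc0 openvpn } inet proto tcp from any to 203.0.113.6 port 222 -> 10.6.0.10 port 22
nat on vtnet1 proto tcp from 10.6.0.0/24 to 10.6.0.10 port 22 -> 10.6.0.1 port 1024:65535
rdr on vtnet0 inet proto tcp from any to 198.51.100.6 port 222 -> 10.6.0.10 port 22
rdr on { vtnet1 enc0 openvpn } inet proto tcp from any to 198.51.100.6 port 222 -> 10.6.0.10 port 22
nat on vtnet1 proto tcp from 10.6.0.0/24 to 10.6.0.10 port 22 -> 10.6.0.1 port 1024:65535
"""

# Rule keywords that pf loads into the translation ruleset.
TRANSLATION_RULES = ("nat ", "rdr ", "binat ")

def normalize(line):
    """Collapse whitespace so cosmetic differences do not hide a duplicate."""
    return " ".join(line.split())

def is_translation_rule(line):
    return line.strip().startswith(TRANSLATION_RULES)

def find_duplicate_rules(text):
    """Return {rule: count} for translation rules that appear more than once."""
    counts = Counter(normalize(l) for l in text.splitlines() if is_translation_rule(l))
    return {rule: n for rule, n in counts.items() if n > 1}

def dedupe_rules(text):
    """Drop repeated identical translation rules, keeping the first occurrence
    and leaving every other line (comments, filter rules) untouched."""
    seen = set()
    out = []
    for line in text.splitlines():
        key = normalize(line)
        if is_translation_rule(line):
            if key in seen:
                continue
            seen.add(key)
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for rule, n in find_duplicate_rules(SAMPLE_RULES).items():
        print(f"{n}x  {rule}")
    print(dedupe_rules(SAMPLE_RULES))
```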
This used to be silently accepted, but now can result in a PF error at boot:
pf_busy
PF was wedged/busy and has been reset. @ 2026-04-06 12:16:50
Filter Reload
There were error(s) loading the rules (nat on vtnet1 inet proto tcp from 10.6.0.0/24 to 10.6.0.10 port = ssh -> 10.6.0.1 port 1024:65535 -- rule was already present): pfctl: DIOCXCOMMIT: Device busy - The line in question reads [0]: @ 2026-04-06 12:16:51
The notice does not happen on every boot.
Reloading the rules from the GUI after the system has booted does not result in a notice either.
Loading the rules from the CLI still prints the error but it does not appear to be fatal.
: pfctl -f /tmp/rules.debug
nat on vtnet1 inet proto tcp from 10.6.0.0/24 to 10.6.0.10 port = ssh -> 10.6.0.1 port 1024:65535 -- rule was already present