I’m currently migrating a site from standalone to a full Omada SDN stack and I’ve hit a bit of a wall with the NAT configuration on an ER7206 v2.0 (Firmware 2.2.3) managed by an  OC200 Controller: v1.0 (Firmware 5.14.2)

The site has a Zen Internet FTTP connection using PPPoE on WAN2. I have a stable IKEv2 IPsec tunnel up and running to a third-party Palo Alto gateway. The tunnel is established using a "Custom IP" local subnet of 172.23.24.0/24 as a transit range, which matches the remote encryption domain perfectly.

The issue is that I need to map my local production VLAN (172.16.0.0/24) to that 172.23.24.0/24 transit range before it enters the tunnel. When I go to Settings > Transmission > NAT > One-to-One NAT to create the rule, the "Interface" dropdown is completely empty. It doesn't show the active WAN2 port, nor does it show the IPsec tunnel as a selectable interface.

I’ve checked for "Multi-Net NAT" as a workaround, but that menu seems to be missing entirely from this firmware version.

This was working fine in standalone mode before the adoption, but the SDN controller seems to be filtering out the PPPoE WAN interface from the NAT menus. Has anyone else seen this where the interface dropdown is blank? Is there a specific toggle I’m missing to expose the WAN or the VPN tunnel to the NAT engine so I can get this mapping in place?

Any help would be appreciated as I'm remote now and need to get this routing finalised.