OPNsense Forum

English Forums => General Discussion => Topic started by: tonnoplast on February 24, 2023, 03:46:19 PM

Title: How to do NAT after policy-based routing?
Post by: tonnoplast on February 24, 2023, 03:46:19 PM
I am trying to configure an interface (let's call it vpnLAN) so traffic originating from its network is routed to a VPN gateway (VPNLAN_GW). I did the following:

However, this doesn't work. I inspected the logs and it looks like the NAT rule is never applied. This may be because the NAT rules are applied before the other rules, which means that when NAT happens the policy-based routing didn't happen yet, which means the gw hasn't been set up to VPNWAN_GW and the NAT rule doesn't apply.

I am surprised as this is roughly the setup described here: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html.

What am I doing wrong? Thanks!
Title: Re: How to do NAT after policy-based routing?
Post by: wotcha on February 25, 2023, 08:19:01 PM
Did you follow the doc closely and also select the gateway in your regular Firewall rules?
If you follow the doc exactly, honestly, you should be golden.
Title: Re: How to do NAT after policy-based routing?
Post by: tonnoplast on February 27, 2023, 01:44:39 AM
I figured it out. I was doing my testing locally from the router itself, doing stuff like curl --interface <iface> <url>. This didn't work as there is no IN step for packets generated by the command, and it is in that stage that the policy routing is applied.

It all works with traffic generated from outside the router.
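To make the ordering in this thread concrete, here is an added pf ruleset fragment (not from the original posts, and not the exact rules OPNsense generates) that shows why the NAT rule depends on the policy-routing rule having run first. The interface names vpnLAN and wg0 and the gateway address 10.10.10.1 are assumptions for illustration.

```pf
# Assumed names: vpnLAN = internal interface, wg0 = WireGuard interface,
# 10.10.10.1 = VPN peer gateway (the VPNLAN_GW of the thread). All hypothetical.

# Policy-based routing. This is an inbound filter rule on vpnLAN, so pf only
# evaluates it for packets that ENTER the firewall through vpnLAN. route-to
# overrides the system routing table and pushes matching packets out via wg0.
pass in quick on vpnLAN route-to (wg0 10.10.10.1) inet from vpnLAN:network to any keep state

# Outbound NAT on the VPN interface. This matches only packets that are
# actually leaving via wg0, which for vpnLAN traffic happens only because the
# route-to rule above sent them there.
nat on wg0 inet from vpnLAN:network to any -> (wg0)
```

Traffic generated on the firewall itself (curl --interface vpnLAN ...) never passes through "pass in on vpnLAN", so route-to is never applied: the packet follows the normal routing table, leaves via the default WAN, and the "nat on wg0" rule has nothing to match, which is exactly the symptom described above. Testing from a host behind vpnLAN exercises the inbound stage and makes both rules apply in order. To confirm the gateway rule really landed as an inbound rule, pfctl -sr on the firewall should list it with "pass in ... route-to".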