Hello Forum
NAT Outbound on the VTI interface is not working.
Countless attempts have failed. The task is to establish a connection to the TI Gateway. The connection is established. A ping to the connector resolves.
DNS queries to splitdns.ti-dienste.de are answered.
However, when I try to resolve a query using curl, no rewrite to the local tunnel IP address occurs. Instead, the local client address appears:
IP 192.168.115.199.57949 > 100.102.31.5.443:
"Skip firewall rules" is checked in the virtual interface.
The NAT Outbound rule (hybrid mode) looks like this:
I would be very grateful for any help.
If skip firewall rules for VTI is enabled, shouldn't the Outbound NAT rule match on enc0 instead (IPsec Group Interface)?
Thank you very much for the quick reply.
I have a second policy-based IPsec connection. Will there be any conflicts if the ENC0 interface has an outbound rule?
Wouldn't it be better to disable the skip firewall rule again?
Do firewall rules need to be defined on the IPsec interface for the outbound rules to take effect?
If you skip firewall rules on VTI interfaces, all NAT and Firewall rules should be defined on the enc0 interface (IPsec).
If you are careful and selective with the scope (source + destination) of these rules they shouldn't affect each other between VTI and policy based tunnels.
Please note that the only way to have both VTI + policy at the same time and matching NAT on them is via skip firewall rules and only using the enc0 interface (for rules and NAT).
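A small verification helper, added here and not part of the thread or of OPNsense, that checks a capture the way the original post did by hand: for every tcpdump flow toward the TI gateway range, the source must already be the tunnel address, otherwise the outbound NAT rule (wrong interface or too narrow a scope) did not fire. The local network, the tunnel address 10.20.0.2 and the capture lines are constructed assumptions.

```python
import ipaddress
import re

# tcpdump "IP src.port > dst.port" fragment, as in the post's output line
_FLOW = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+)")


def parse_flow(line):
    """Return (src_ip, src_port, dst_ip, dst_port) or None for a non-flow line."""
    m = _FLOW.search(line)
    if not m:
        return None
    return (ipaddress.ip_address(m.group(1)), int(m.group(2)),
            ipaddress.ip_address(m.group(3)), int(m.group(4)))


def unnatted_flows(lines, local_nets, tunnel_ip, remote_nets):
    """Flows into remote_nets that still carry a local LAN source address.

    Once outbound NAT on enc0 applies, such flows must show tunnel_ip as
    source; a local_nets source means the packet was not rewritten.
    """
    local = [ipaddress.ip_network(n) for n in local_nets]
    remote = [ipaddress.ip_network(n) for n in remote_nets]
    tunnel = ipaddress.ip_address(tunnel_ip)
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src, sport, dst, dport = flow
        if not any(dst in n for n in remote):
            continue  # not tunnel traffic, the NAT rule should not match
        if src == tunnel:
            continue  # correctly translated
        if any(src in n for n in local):
            hits.append((str(src), sport, str(dst), dport))
    return hits


# Constructed sample capture: line 1 reproduces the symptom from the post,
# line 2 is what a correctly translated flow looks like, line 3 is unrelated.
SAMPLE = [
    "12:00:01.000000 IP 192.168.115.199.57949 > 100.102.31.5.443: Flags [S]",
    "12:00:02.000000 IP 10.20.0.2.57950 > 100.102.31.5.443: Flags [S]",
    "12:00:03.000000 IP 192.168.115.199.40000 > 1.1.1.1.53: UDP, length 40",
]

if __name__ == "__main__":
    for hit in unnatted_flows(SAMPLE, ["192.168.115.0/24"], "10.20.0.2", ["100.64.0.0/10"]):
        print("not translated:", hit)
```

Feed it the lines of a `tcpdump -ni <tunnel interface>` capture taken on the firewall; an empty result means every flow into the CGNAT range left with the tunnel address.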
Thank you so much, I'll try it later. I literally spent the whole night frustratingly trying seemingly every possible combination. I have to go to work now. Thank you again.
Quote from: Monviech (Cedrik) on November 09, 2025, 11:03:14 AM
If you skip firewall rules on VTI interfaces, all NAT and Firewall rules should be defined on the enc0 interface (IPsec).
If you are careful and selective with the scope (source + destination) of these rules they shouldn't affect each other between VTI and policy based tunnels.
Please note that the only way to have both VTI + policy at the same time and matching NAT on them is via skip firewall rules and only using the enc0 interface (for rules and NAT).
Thanks again.
Sometimes you can't see the forest for the trees. So the brief reminder was helpful because it brought me back down to earth.
Thanks also for the great work on the OPNsense project.
Don't worry, it's a little complicated. Hope it works now :)
Does the IPsec interface require firewall rules like all other interfaces, such as (just an example of a rule set on a guest network interface), or does it initially work out of the box and the interface is only used for fine-graining source/destination rules?
You only need rules on the IPsec interface if you want nets on the other side of your IPsec tunnel to connect to your local networks inbound (meaning they initiate connections, not only respond to your initiated connections).
Otherwise no.
In the child configuration, an any-to-any configuration is defined:
0.0.0.0/0 0.0.0.0/0. (Image 1)
As I understand it, all interfaces have the option to use the IPsec tunnel. However, if I want to exclude the guest network, I need to define a firewall rule for IPsec that blocks it, right? (Image 2)
Today was the switchover to the HSK Gateway at TI.
My outbound NAT rule only worked after I created an any to any rule on the enc0 interface (IPsec). I'm just glad the setup is working for now.
I'll check later whether I can better control the firewall's behavior with rules in front of it, so I don't allow access to every local network user.
A final connection problem with a specific service could only be solved, contrary to my original configuration of only answering local DNS queries via AdGuard Home and Unbound as resolvers and blocking external queries, by entering a public address (Quad9) on the server and allowing only that client access to Quad9.
The reason is likely a block of addresses from the CGNAT range 100.64.0.0/10 (the relevant range for me is 100.102.0.0/15, which lies within this range).
Since I have removed DNS rebinding protection for the CGNAT address range in my Unbound configuration, I don't understand why the request was blocked. I don't think this is an IPsec problem and therefore it probably doesn't belong in this section.