24.1 Production Series / Outbound NAT automatic rules not treating new client wg interface properly
« on: April 06, 2024, 05:23:08 pm »
Hi,
I've been using OPNsense for some years with multiple WireGuard interfaces and everything was good. Outbound NAT rules were being automatically created for all the WireGuard (client) interfaces correctly.
But after updating to 24.1.5_3 and adding a new WireGuard client interface, I noticed the automatic NAT outbound rules are treating it differently (as if it were a server config). I double-checked and compared all the existing wg interfaces, gateways and their instance configs to the new one and I can't spot a difference. Perhaps I'm missing something, or perhaps there is a bug somewhere. I would appreciate another pair of eyes.
Previously I had 4 WireGuard instances as listed below:
1. wgserver (wg0) - a server instance connected to many peers, tunnel address 10.1.13.1/24 (disable routes unchecked, no gateway defined)
2. wgclient-tg (wg3) - client connected to a single remote peer, tunnel address /32 (disable routes checked, gateway address manually defined)
3. wgclient-tg-can (wg4) - client connected to a single remote peer, tunnel address /32 (disable routes checked, gateway address manually defined)
4. wgclient-tg-backup (wg5) - client connected to a single remote peer, tunnel address /32 (disable routes checked, gateway address manually defined)
With those, I had manually created gateways for the 3 client instances with matching IPs, and interfaces assigned and enabled.
NAT outbound rules were automatically created for all three interfaces (2 each, one for ISAKMP, and both referencing all the relevant source networks including the WireGuard server interface "wg0").
Just now I added a new WireGuard client instance "wgclient-tg-nj". This one got a recycled "wg1" (previously used but deleted instance). It has the same settings as the other wg client instances: client connected to a single remote peer, tunnel address /32 (disable routes checked, gateway address manually defined).
I also created a matching gateway and assigned and enabled the interface.
The NAT outbound automatic rules are treating it as if it's a wg server instance. Instead of creating new rules for it, it just added that interface to the source networks of the other existing rules.
Attached is a screenshot of the new automatic outbound rules where you can see the rules auto-created for the 3 WireGuard client interfaces, but the 4th one is just added as a source network for them instead of getting its own rules.
I know I can create manual rules, but I'm just baffled as to why this new one is treated differently from the other 3 client interfaces that seemingly have the exact same settings.
Thanks
tl;dr
Have 3 existing client WireGuard interfaces, auto NAT rules are created properly
Added a new client WireGuard interface, no new auto NAT rules created
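The following is an added example, not code from OPNsense or from the poster. It models the assumed rule behind the behaviour described above: an assigned, enabled interface that has a gateway is treated as WAN-type and gets its own pair of automatic outbound NAT rules, while an interface without a gateway is treated as LAN-type and only contributes its network as a NAT source. The interface records are constructed from the post, the gateway strings are placeholders, and `plan_outbound_nat`, `is_wan_type` and `diff_settings` are hypothetical helpers. Running it with the new client once as configured and once as the generator evidently saw it shows which single setting would move wg1 from "own rules" to "source network only", which is the field worth checking first.

```python
# Added example (not OPNsense's own code): models the assumed rule that decides whether
# an assigned, enabled interface gets its own automatic outbound NAT rules (WAN-type,
# i.e. it has a gateway) or is only added as a source network (LAN-type, no gateway).
# Interface records are constructed from the post; gateway values are placeholders.
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Tuple


@dataclass
class WgInterface:
    name: str
    device: str
    tunnel_prefix: int          # prefix length of the tunnel address (/24 or /32)
    disable_routes: bool        # the "disable routes" checkbox
    gateway: Optional[str]      # manually defined gateway, or None if none is defined
    assigned: bool = True
    enabled: bool = True


def is_wan_type(iface: WgInterface) -> bool:
    """Assumption: an assigned, enabled interface with a gateway is treated as WAN-type."""
    return iface.assigned and iface.enabled and iface.gateway is not None


def plan_outbound_nat(interfaces: List[WgInterface], lan_networks: List[str]) -> List[Dict]:
    """Return the automatic outbound NAT rules the assumed logic would generate."""
    sources = list(lan_networks)
    wan_ifaces = []
    for iface in interfaces:
        if not (iface.assigned and iface.enabled):
            continue
        if is_wan_type(iface):
            wan_ifaces.append(iface)
        else:
            # LAN-type interfaces only contribute their network as a NAT source
            sources.append(f"{iface.device} network")
    rules = []
    for iface in wan_ifaces:
        # Two rules per WAN-type interface: one for ISAKMP (UDP/500, static port), one for the rest
        rules.append({"interface": iface.device, "sources": sources, "dst_port": 500, "static_port": True})
        rules.append({"interface": iface.device, "sources": sources, "dst_port": None, "static_port": False})
    return rules


def interfaces_with_rules(rules: List[Dict]) -> List[str]:
    """Devices that received their own automatic rules."""
    return sorted({r["interface"] for r in rules})


def _normalized(iface: WgInterface) -> Dict:
    # Compare gateway presence rather than its value; name and device are expected to differ
    d = asdict(iface)
    d["has_gateway"] = d.pop("gateway") is not None
    d.pop("name")
    d.pop("device")
    return d


def diff_settings(reference: WgInterface, candidate: WgInterface) -> Dict[str, Tuple]:
    """Field-by-field comparison; an empty dict means the settings are effectively identical."""
    ref, cand = _normalized(reference), _normalized(candidate)
    return {k: (ref[k], cand[k]) for k in ref if ref[k] != cand[k]}


# Constructed from the post; gateway strings are placeholders, not real addresses
EXISTING = [
    WgInterface("wgserver", "wg0", 24, False, None),
    WgInterface("wgclient-tg", "wg3", 32, True, "gw-placeholder-wg3"),
    WgInterface("wgclient-tg-can", "wg4", 32, True, "gw-placeholder-wg4"),
    WgInterface("wgclient-tg-backup", "wg5", 32, True, "gw-placeholder-wg5"),
]
NEW_CLIENT = WgInterface("wgclient-tg-nj", "wg1", 32, True, "gw-placeholder-wg1")
# What the observed behaviour implies: the rule generator saw no gateway on wg1
NEW_CLIENT_AS_SEEN = WgInterface("wgclient-tg-nj", "wg1", 32, True, None)

if __name__ == "__main__":
    for label, new in (("as configured", NEW_CLIENT), ("as observed", NEW_CLIENT_AS_SEEN)):
        rules = plan_outbound_nat(EXISTING + [new], ["LAN net"])
        print(label, "-> rules on:", interfaces_with_rules(rules), "sources:", rules[0]["sources"])
    print("settings differing from wg3:", diff_settings(EXISTING[1], NEW_CLIENT_AS_SEEN))
```

The point of the two runs is that, under the assumed rule, the only way for wg1 to land in the source-network list instead of getting its own ISAKMP and catch-all rules is for the generator not to see a gateway on it, so the gateway assignment on the interface (not the manually created gateway object alone) is the first thing to verify when the visible settings otherwise match.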