1:1 NAT to "other" VIP in WireGuard routes replies to wrong interface
« on: August 03, 2024, 01:59:44 am »
I have an OPNsense VM on which I used the https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html tutorial, at least partially.
I have customized it a little bit to accommodate for 1:1 NAT as opposed to the outbound NAT designed for a service like Mullvad.
The purpose of this tunnel is to provide access to/from public network addresses directly to devices in a strongly segmented DMZ network within the rest of my environment. As the internet connection at this location is DHCP it is necessary to use a tunnel.
The network environment and desired tunnel configuration are diagrammed in the below image.
The WireGuard tunnel operates successfully.
When traffic is initiated from the end behind the OPNsense VM (Router with Firewall in the diagram), I see traffic go through the WG tunnel and come back appropriately. No issues there.
When traffic is initiated from the internet, traffic successfully gets to the endpoint (for example 10.1.8.10) and is replied to. The response, instead of going through the WG interface, gets sent out LAN -- to 10.1.3.1's MAC address -- with the source address of the 1:1 NAT that should be bound to the WG interface.
I am using "other" VIPs bound to the WG interface. The WG interface is NOT on the public IPv4 range itself -- instead it, and the other side of the tunnel, have IP addresses within the CGNAT range. The public IPv4 /29 range is routed through the WG tunnel to the OPNsense VM.
NAT1 refers to 10.1.8.10.
Floating rules:
```text
Protocol Source Port Destination Port Gateway Schedule nic Description
accept IPv4 * OfficeNet * OPT1 net * * * 1 Access From Internal Network
accept IPv4 TCP * * NAT1 80 (HTTP) * * * Matrix_HTTP
accept IPv4 TCP/UDP * * NAT1 443 (HTTPS) * * * Matrix_HTTPS
accept IPv4 TCP/UDP * * NAT1 3478 (STUN) * * * Matrix_Coturn
accept IPv4 TCP/UDP * * NAT1 5349 * * * Matrix_Coturn
accept IPv4 UDP * * NAT1 49152 - 49172 * * * Matrix_Coturn
accept IPv4 TCP/UDP * * NAT1 8448 * * * Matrix_Federation
accept outbound IPv4 * NAT1 * ! FRC_TunLink net * FRC_TUN * *
accept in/out IPv4 ICMP * * NAT1 * * * * ICMP Pass to Matrix
```
WG rule is a blanket deny to internal networks, which include the 10.1.8.0/24 network, which is set to evaluate last.
Opt1 rules:
```text
deny IPv4 * * * Internal * * *
accept IPv4 * NAT1 * ! Internal * FRC_TUN *
accept IPv4 * * * * * * *
```
If I make the ICMP floating accept rule in-only, I see TCP traffic (HTTP) on reply at the LAN interface but do not know where the ICMP traffic goes; I do not see the reply packets go anywhere on the pcap (I am checking OPT1, LAN, wg0).
Any ideas on how I can make the reply packets from external traffic go out the wg0 interface?
Thanks, and please let me know if you need any more information.
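The asymmetric reply described in this post can be confirmed mechanically from the per-interface captures rather than by eye. The following is an added example (not from the original post or from OPNsense): it reads tcpdump one-line summaries that the operator has prefixed with the interface each was captured on, and flags any flow whose reply left on a different interface than the one the request arrived on. The sample lines are constructed; the public 1:1 NAT address 198.51.100.10 and client 203.0.113.7 are assumed placeholders, while 10.1.8.10 (NAT1) is the host from the post.

```python
"""Flag asymmetric replies in merged per-interface tcpdump output.

Each input line is "<iface> <time> IP <src>.<sport> > <dst>.<dport>: ...",
i.e. a tcpdump -n summary with the capture interface prepended (constructed
format for this example). Only TCP/UDP lines with ports are considered.
"""
import re

LINE = re.compile(
    r"^(\S+)\s+\S+\s+IP\s+(\d+(?:\.\d+){3})\.(\d+)\s+>\s+(\d+(?:\.\d+){3})\.(\d+):"
)

def parse(line):
    """Return (iface, (src, sport), (dst, dport)) or None for non-matching lines."""
    m = LINE.match(line)
    if not m:
        return None
    iface, src, sport, dst, dport = m.groups()
    return iface, (src, int(sport)), (dst, int(dport))

def asymmetric_flows(lines):
    """Return [(request_flow, ingress_iface, egress_iface)] for every flow whose
    reply was seen on an interface other than the one its request arrived on.
    The NAT'd leg (10.1.8.10) forms its own flow, so only the public-side legs
    (VIP <-> client) are compared with each other."""
    first_seen = {}   # (src, dst) of the first packet of a flow -> ingress iface
    flagged = {}      # request flow -> (ingress iface, reply egress iface)
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        iface, src, dst = p
        if (dst, src) in first_seen:               # reply direction of a known flow
            ingress = first_seen[(dst, src)]
            if iface != ingress:
                flagged[(dst, src)] = (ingress, iface)
        elif (src, dst) not in first_seen:          # first packet of a new flow
            first_seen[(src, dst)] = iface
    return [(flow, i, e) for flow, (i, e) in flagged.items()]

# Constructed sample: SYN arrives on wg0 for the VIP, is NATed to 10.1.8.10 on
# opt1, and the translated SYN-ACK leaves via lan instead of wg0.
SAMPLE = """\
wg0  12:00:01.000 IP 203.0.113.7.51000 > 198.51.100.10.80: Flags [S], seq 1, length 0
opt1 12:00:01.001 IP 203.0.113.7.51000 > 10.1.8.10.80: Flags [S], seq 1, length 0
opt1 12:00:01.002 IP 10.1.8.10.80 > 203.0.113.7.51000: Flags [S.], seq 2, ack 2, length 0
lan  12:00:01.003 IP 198.51.100.10.80 > 203.0.113.7.51000: Flags [S.], seq 2, ack 2, length 0
"""

if __name__ == "__main__":
    for flow, ingress, egress in asymmetric_flows(SAMPLE.splitlines()):
        print(f"{flow[0]} -> {flow[1]}: request in on {ingress}, reply out on {egress}")
```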