Topic: pfSense to OPNSense difference: Outbound NAT with Multi-VPN issues (Read 1071 times)

Author: NCC-1031 (Newbie, Posts: 1, Karma: 0)
Posted on: February 15, 2020, 05:50:45 pm
Hi, I hope you're all fine if I get straight to the point.

EDIT: After some more digging in the pf source code, I think I might have run into an edge case with OPNSense's way to establish NAT rules by using the (ifname:0) syntax instead of an IP address (as pfSense does). If I understand the code correctly, this particular way of creating NAT rules runs into a problem when multiple point-to-point interfaces (i.e. VPN and similar ones) sit in the same subnet. In this case, only one of these interfaces will have proper routes established. Because of a workaround for ppp connections implemented in pf_if.c, pf will fail to do NAT properly for the other point-to-point interfaces as they lack the routes. As a starting point, see https://github.com/HardenedBSD/hardenedBSD-stable/blob/4b7aa7e714f8e605d92664b99043ea558da56bfb/sys/netpfil/pf/pf_if.c#L532 and the end of this post for more details.

If you have a setup with multiple VPN connections / Multi-WAN and trouble getting policy-based routing and outbound NAT to work properly, have a look at the GitHub issue below; maybe you're running into that edge case.

I have opened a properly documented bug report for OPNsense on GitHub, which can be found here: https://github.com/opnsense/core/issues/3936 and have therefore removed the original description as it would be redundant.
Last Edit: February 16, 2020, 03:17:24 pm by NCC-1031
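As an added illustration, not taken from the post or from either project's generated ruleset, here are the two outbound NAT rule forms the post contrasts, written as pf.conf fragments. Interface names (ovpnc1, ovpnc2), the LAN prefix and the tunnel addresses are constructed assumptions; which form pf handles correctly when both tunnels share one point-to-point subnet is exactly what the post and the linked issue discuss.

```pf
# Constructed example: two OpenVPN client interfaces whose tunnel endpoints
# sit in the same point-to-point subnet (assumed names and addresses).

# Form 1 (OPNsense-style, per the post): translate to the interface's own
# address, resolved dynamically by pf at runtime. ":0" excludes aliases.
nat on ovpnc1 inet from 192.168.1.0/24 to any -> (ovpnc1:0)
nat on ovpnc2 inet from 192.168.1.0/24 to any -> (ovpnc2:0)

# Form 2 (pfSense-style, per the post): translate to a fixed address that
# the administrator looked up and wrote into the rule.
nat on ovpnc1 inet from 192.168.1.0/24 to any -> 10.8.0.6
nat on ovpnc2 inet from 192.168.1.0/24 to any -> 10.8.0.10
```

To see which address pf actually resolved for a dynamic rule, load the ruleset and compare `pfctl -sn` against `netstat -rn` for the tunnel interfaces; a tunnel missing its route is the symptom the post describes.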