Traffic to wireguard destination gets source NATed with WAN IP :o

Started by TheChosenOne, March 10, 2020, 01:07:03 AM

Hi Forum,

I'm using 20.1.2 and have some trouble with wireguard. I set up a connection between a server on the Internet and my OPNsense. The wireguard connection is fine, but OPNsense seems to apply the default outbound NAT rule also to traffic that should be routed via the wireguard interface.

If I check the routing table on OPNsense there is an entry for my wireguard network (10.0.2.0/24) pointing to the wireguard interface (wg0). I also added the necessary firewall rules for wireguard. But if I check the live protocol I can see that traffic from my local subnet (192.168.0.0/24) to my wireguard destination (10.0.2.11) is NATed to my WAN address. Why?

My outbound NAT rules should only apply to destinations reached via WAN interface. 10.0.2.11 is directly connected, so no gateway or outbound NATing needed. Any hints where to look further or what to try?

Thank you!  :)



It looks like your packets are not going through the tunnel.
Can you do a packet capture via CLI?

tcpdump -n -i wg0

And look for the traffic ...

Hi All,

I looked deeper into this and found a firewall rule setting a gateway group on a quite generic rule. That was the reason traffic got NATed with my WAN address.
Now everything works as expected.

Thanks and Cheers
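As an added illustration, not part of the thread, here is a small Python model of the behaviour the last post describes: a pass rule that carries a gateway group policy-routes matching traffic out of that gateway's interface before the routing table is consulted, so the automatic outbound NAT rule (which matches on the WAN egress) rewrites the source even though 10.0.2.0/24 is directly connected via wg0. The gateway group name WAN_GROUP, the WAN address 203.0.113.5 and both rule sets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Routing table as described in the question (constructed values otherwise).
ROUTES = {
    "10.0.2.0/24": "wg0",      # wireguard transfer network, directly connected
    "192.168.0.0/24": "lan",   # local subnet
    "0.0.0.0/0": "wan",        # default route
}
GATEWAY_IF = {"WAN_GROUP": "wan"}  # hypothetical gateway group -> its interface

@dataclass
class Rule:
    src: str
    dst: str
    gateway: Optional[str] = None  # gateway group set on the rule, if any

def route_lookup(dst: str) -> str:
    """Longest-prefix match against ROUTES."""
    d = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(n) for n in ROUTES]
    best = max((n for n in nets if d in n), key=lambda n: n.prefixlen)
    return ROUTES[str(best)]

def egress_interface(rules, src: str, dst: str) -> str:
    """First matching pass rule wins; a gateway on it bypasses the routing table."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            if r.gateway:
                return GATEWAY_IF[r.gateway]   # policy routing (route-to)
            break
    return route_lookup(dst)

def outbound_source(rules, src: str, dst: str, wan_ip: str = "203.0.113.5"):
    """Automatic outbound NAT: source is rewritten only when leaving via WAN."""
    iface = egress_interface(rules, src, dst)
    return iface, (wan_ip if iface == "wan" else src)

# The generic LAN rule with a gateway group, as found by the poster.
GENERIC_WITH_GW = [Rule("192.168.0.0/24", "0.0.0.0/0", gateway="WAN_GROUP")]
# Fixed: a more specific rule for the wireguard subnet without a gateway, placed first.
FIXED = [Rule("192.168.0.0/24", "10.0.2.0/24"),
         Rule("192.168.0.0/24", "0.0.0.0/0", gateway="WAN_GROUP")]

if __name__ == "__main__":
    for name, rules in (("generic + gateway group", GENERIC_WITH_GW), ("fixed", FIXED)):
        print(name, outbound_source(rules, "192.168.0.10", "10.0.2.11"))
```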