Traffic to wireguard destination gets source NAted with WAN IP :o

[TheChosenOne]

Hi Forum,

I'm using 20.1.2 and have some trouble with wireguard. I Setup a connection between a Server on the Internet and my OPNsense. The wireguard connection is fine, but OPNsense seems to apply the default outbound NAT rule also to traffic that should be routed via the wireguard interface.

If I check the routing table on OPNsense there is an entry for my wireguard network (10.0.2.0/24) pointing to the wireguard interface (wg0). I also added the necessary firewall rules for wireguard. But if I check the live protocol I can see that traffic from my local subnet (192.168.0.0/24) to my wireguard destination (10.0.2.11) is NATed to my WAN address. Why?

My outbound NAT rules should only apply to destinations reached via WAN interface. 10.0.2.11 is directly connected, so no gateway or outbound NATing needed. Any hints where to look further or what to try?

Thank you! 

[mimugmail]

Screenshot of outbound Nat please

[TheChosenOne]

Here you are

[mimugmail]

It looks like your packets are not going through the tunnel.
Can you do a packet capture via CLI?

tcpdump -n -i wg0

And look for the traffic ...

[TheChosenOne]

Hi All,

I looked deeper into this and found a Firewall rule setting a Gateway-Group to a quite generic rule. That was the reason traffic got NATet with my WAN address.
Now everything works as expected.

Thanks and Cheers