How to do NAT after policy-based routing?

Started by tonnoplast, February 24, 2023, 03:46:19 PM

I am trying to configure an interface (let's call it vpnLAN) so traffic originating from its network is routed to a VPN gateway (VPNLAN_GW). I did the following:

  • added an "allow vpnLAN to any" rule under Firewall > Rules > vpnLAN
  • added a floating rule so that traffic originating from vpnLAN net with destination ! talpaWAN net has gateway VPNWAN_GW
  • added an outbound NAT rule so that traffic on the vpnWAN interface (the VPN interface) with source vpnLAN net has NAT address vpnWAN address
However, this doesn't work. I inspected the logs and it looks like the NAT rule is never applied. This may be because the NAT rules are applied before the other rules, which means that when NAT happens the policy-based routing hasn't happened yet, which means the gateway hasn't been set to VPNWAN_GW and the NAT rule doesn't apply.

I am surprised as this is roughly the setup described here: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html.

What am I doing wrong? Thanks!

Did you follow the doc closely and also select the gateway in your regular Firewall rules?
If you follow the doc exactly, honestly, you should be golden.

I figured it out. I was doing my testing locally from the router itself, doing stuff like curl --interface <iface> <url>. This didn't work as there is no IN step for packets generated by the command, and it is in that stage that the policy routing is applied.

It all works with traffic generated from outside the router.
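For readers trying to relate the three UI rules from the first post, and the explanation in the last one, to what the packet filter actually evaluates, here is a constructed pf.conf fragment. It is an added example, not from the thread or from the OPNsense documentation (OPNsense generates its own ruleset, which it writes to /tmp/rules.debug). The interface names igb2, wg0 and igb0 and the gateway address 10.8.0.1 are assumptions standing in for vpnLAN, vpnWAN, talpaWAN and VPNWAN_GW.

```pf
# Constructed pf rules equivalent to the three UI rules in the thread.
# Assumed interface mapping: igb2 = vpnLAN, wg0 = vpnWAN (the VPN tunnel),
# igb0 = talpaWAN. The gateway address is a placeholder.
vpnwan_gw = "10.8.0.1"

# 1. Outbound NAT on the VPN interface (Firewall > NAT > Outbound).
#    pf does evaluate translation rules before filter rules, but "on wg0"
#    only matches a packet that is actually leaving through wg0. That pass
#    happens after the route-to rule below has already chosen wg0, so the
#    ordering is not the problem for forwarded traffic.
nat on wg0 inet from igb2:network to any -> (wg0)

# 2. "Allow vpnLAN to any" combined with the gateway from the floating rule.
#    route-to hands matching packets to the VPN gateway on wg0 instead of the
#    system routing table. Destinations inside talpaWAN net are excluded and
#    keep their normal route.
pass in quick on igb2 route-to (wg0 $vpnwan_gw) inet from igb2:network to ! igb0:network keep state

# 3. Remaining vpnLAN traffic (here: to talpaWAN net) is allowed without
#    policy routing.
pass in quick on igb2 inet from igb2:network to igb0:network keep state

# Why testing from the firewall shell fails: a packet generated on the router
# itself (curl --interface ...) never passes "in" on igb2, so the route-to rule
# is skipped. It exits via the default route, usually the regular WAN, where
# the "nat on wg0" rule cannot match either. Only traffic arriving from a host
# on the vpnLAN network exercises both rules.
```

To check what the firewall really loaded, compare the generated ruleset against this shape: the NAT rule should name the VPN interface and the vpnLAN network, and the pass rule on the vpnLAN interface should carry the route-to to the VPN gateway. Then test from a client behind vpnLAN, not from the router.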