1:1 NAT to "other" VIP in wireguard routes replies to wrong interface

Started by nixziz, August 03, 2024, 01:59:44 AM

I have an OPNsense VM on which I followed the https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html tutorial, at least partially.

I have customized it a little bit to accommodate 1:1 NAT, as opposed to the outbound NAT designed for a service like Mullvad.

The purpose of this tunnel is to provide access to/from public network addresses directly to devices in a strongly segmented DMZ network within the rest of my environment. As the internet connection at this location is DHCP, it is necessary to use a tunnel.

The network environment and desired tunnel configuration are diagrammed in the below image.



The wireguard tunnel operates successfully.
When traffic is initiated from the end behind the OPNsense VM (Router with Firewall in the diagram), I see traffic go through the WG tunnel and come back appropriately. No issues there.

When traffic is initiated from the internet, traffic successfully gets to the endpoint (for example 10.1.8.10) and is replied to. The response, instead of going through the WG interface, gets sent out LAN -- to 10.1.3.1's MAC address -- with the source address of the 1:1 NAT that should be bound to the WG interface.

I am using "other" VIPs bound to the WG interface. The WG interface is NOT on the public IPv4 range itself -- instead it, and the other side of the tunnel, have IP addresses within the CGNAT range. The public IPv4 /29 range is routed through the WG tunnel to the OPNsense VM.

NAT1 refers to 10.1.8.10

Floating rules:

Action | Dir      | Proto        | Source    | Port | Destination       | Port          | Gateway | Schedule | nic | Description
accept |          | IPv4 *       | OfficeNet | *    | OPT1 net          | *             | *       | *        | 1   | Access From Internal Network
accept |          | IPv4 TCP     | *         | *    | NAT1              | 80 (HTTP)     | *       | *        | *   | Matrix_HTTP
accept |          | IPv4 TCP/UDP | *         | *    | NAT1              | 443 (HTTPS)   | *       | *        | *   | Matrix_HTTPS
accept |          | IPv4 TCP/UDP | *         | *    | NAT1              | 3478 (STUN)   | *       | *        | *   | Matrix_Coturn
accept |          | IPv4 TCP/UDP | *         | *    | NAT1              | 5349          | *       | *        | *   | Matrix_Coturn
accept |          | IPv4 UDP     | *         | *    | NAT1              | 49152 - 49172 | *       | *        | *   | Matrix_Coturn
accept |          | IPv4 TCP/UDP | *         | *    | NAT1              | 8448          | *       | *        | *   | Matrix_Federation
accept | outbound | IPv4 *       | NAT1      | *    | ! FRC_TunLink net | *             | FRC_TUN | *        | *   |
accept | in/out   | IPv4 ICMP    | *         | *    | NAT1              | *             | *       | *        | *   | ICMP Pass to Matrix


WG rule is a blanket deny to internal networks, which include the 10.1.8.0/24 network, which is set to evaluate last.
Opt1 rules:

Action | Proto  | Source | Port | Destination | Port | Gateway | Schedule
deny   | IPv4 * | *      | *    | Internal    | *    | *       | *
accept | IPv4 * | NAT1   | *    | ! Internal  | *    | FRC_TUN | *
accept | IPv4 * | *      | *    | *           | *    | *       | *


If I make the ICMP floating accept rule "in" only, I see TCP traffic (HTTP) on reply at the LAN interface but do not know where the ICMP traffic goes; I do not see the reply packets go anywhere in the pcap (I am checking OPT1, LAN, wg0).

Any ideas on how I can make the reply packets from external traffic go out the wg0 interface?

Thanks, and please let me know if you need any more information.
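Added example, not part of nixziz's post and not OPNsense's own code: a small Python model of how a stateful packet filter picks the egress interface for a reply, contrasting a state entry that records a pf-style reply-to interface/gateway with one that has none and therefore falls back to a longest-prefix routing lookup. The routing table, the assumption that the default route sits on LAN via 10.1.3.1, the TEST-NET-3 public /29, the CGNAT tunnel endpoints and all function and class names are constructed for this illustration.

```python
"""
Added illustration: which interface a firewall reply leaves on depends on
whether the state entry carries a reply-to gateway (pf semantics) or the
reply is simply routed like any locally originated packet.

All addresses are constructed for the example: the public /29 comes from
the TEST-NET-3 documentation range, the tunnel endpoints from the CGNAT
range, and a default route on LAN via 10.1.3.1 is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: Optional[str] = None  # None for directly connected networks


@dataclass(frozen=True)
class State:
    """A simplified state entry for one inbound connection."""
    client: str      # original source address on the internet
    vip: str         # 1:1 NAT "other" VIP the client connected to
    server: str      # internal host the VIP maps to
    iface_in: str    # interface the first packet arrived on
    # (iface, gateway) recorded when the matching rule carried reply-to
    reply_to: Optional[Tuple[str, str]] = None


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def reply_egress(state, routes):
    """Interface the reply (server -> client) is sent out of.

    With reply-to, packets matching the state are pushed back through the
    recorded interface/gateway regardless of the routing table.  Without it,
    the reply goes wherever the routing table says the client is reachable.
    """
    if state.reply_to is not None:
        return state.reply_to[0]
    return lookup(routes, state.client).iface


# Constructed routing table (assumption: default route on LAN via 10.1.3.1).
ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "lan", "10.1.3.1"),
    Route(ipaddress.ip_network("10.1.3.0/24"), "lan"),
    Route(ipaddress.ip_network("10.1.8.0/24"), "opt1"),
    Route(ipaddress.ip_network("100.64.0.0/30"), "wg0"),    # tunnel transport (CGNAT)
    Route(ipaddress.ip_network("203.0.113.8/29"), "wg0"),   # public /29 routed via tunnel
]

# The same inbound connection to the VIP, once without reply-to and once with it.
NO_REPLY_TO = State("198.51.100.7", "203.0.113.10", "10.1.8.10", "wg0")
WITH_REPLY_TO = State("198.51.100.7", "203.0.113.10", "10.1.8.10", "wg0",
                      reply_to=("wg0", "100.64.0.1"))

if __name__ == "__main__":
    for s in (NO_REPLY_TO, WITH_REPLY_TO):
        print(f"reply_to={s.reply_to}: reply to {s.client} leaves via {reply_egress(s, ROUTES)}")
```

Running it shows the contrast: the state without reply-to sends the reply to 198.51.100.7 out whatever interface holds the default route, even though the VIP it answered for lives on wg0, while the state with a recorded reply-to sends it back out wg0. The practical check this suggests is to look at the state table for an inbound connection and confirm whether the entry carries a reply-to gateway at all.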