Outbound NAT and outbound interface?

Started by zemanek, January 15, 2025, 01:24:59 PM

Hello,

I have route-based IPsec. The virtual tunnel interface (VTI) has the local tunnel IP address 169.254.68.102/30.
When I initiate traffic from OPNsense to be sent through the IPsec tunnel, it uses the internal tunnel IP as its source address.
Now I want the source IP address to be the address of a different (WAN) interface.

So I set up Outbound NAT for the VTI: as the destination I have the CIDR of the target subnet routed via the VTI, and I selected the WAN address as the translation target.

But now the packet is being sent via the WAN interface, not via the VTI. It is as if the outgoing interface for the packet were selected by its source address, not by the routing table.

Any idea how to achieve the desired behavior?

Quote from: zemanek on January 15, 2025, 01:24:59 PM
I have route-based IPsec. The virtual tunnel interface (VTI) has the local tunnel IP address 169.254.68.102/30.

Why did you use an IP out of the link-local range for the tunnel?
This can lead to undesired issues. You can use any private IP subnet for this.

Quote from: zemanek on January 15, 2025, 01:24:59 PM
When I initiate traffic from OPNsense to be sent through the IPsec tunnel, it uses the internal tunnel IP as its source address.
Now I want the source IP address to be the address of a different (WAN) interface.

Best practice would be to not NAT the source IP at all if the remote site has proper routes to your LAN. But why do you want to translate it to a WAN address?
This would require that the remote site routes this address through the tunnel; otherwise connections will fail due to asymmetric routing.

Quote from: zemanek on January 15, 2025, 01:24:59 PM
But now the packet is being sent via the WAN interface, not via the VTI.

Did you verify this with a packet capture?
I don't expect that the outbound NAT has any impact on the routing of the traffic.

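The check the reply above asks for, written out as an added example (this script is not from the thread and not OPNsense's own tooling): capture on both candidate egress interfaces while the firewall itself sends one probe, then print the interface and source address actually observed next to what the routing table says it would use. The interface names vtnet0 (WAN) and ipsec1 (VTI), the probe target 10.20.0.10, the WAN address 203.0.113.5 in the sample, and the RUN_EGRESS_CHECK switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the forum thread or the OPNsense project: confirm with a packet
# capture on both candidate interfaces which interface an OPNsense-originated packet really
# leaves through, and with which source address, and compare that with the routing table.
# Assumptions (not stated in the thread): WAN is vtnet0, the VTI is ipsec1, the probe
# target 10.20.0.10 lies in the subnet routed through the VTI, and the live check runs as
# root in OPNsense's /bin/sh. Interface names and target can be overridden via environment.

WAN_IF="${WAN_IF:-vtnet0}"
VTI_IF="${VTI_IF:-ipsec1}"
TARGET="${TARGET:-10.20.0.10}"

# Interface the kernel routing table selects for TARGET, read from FreeBSD route(8) output.
routed_iface() {
    route -n get "$1" 2>/dev/null | awk '/^ *interface:/ { print $2 }'
}

# The NAT rules pf has actually loaded; the interface each rule is bound to is in the line.
show_nat_rules() {
    pfctl -sn 2>/dev/null | grep '^nat '
}

# Reduce tagged tcpdump lines ("<iface> <tcpdump -n summary>") to "<iface> <src> <dst>".
# "tcpdump -n" prints "HH:MM:SS.usec IP SRC > DST: ...", so after the interface tag the
# source is field 4 and the destination (with a trailing colon) is field 6. Non-IP lines
# (ARP and the like) are dropped.
summarize_capture() {
    awk '$3 == "IP" && $5 == ">" { dst = $6; sub(/:$/, "", dst); print $1, $4, dst }'
}

# Start one capture per interface, send a single probe from the firewall, report what was seen.
capture_probe() {
    wan_out="$(mktemp)"; vti_out="$(mktemp)"
    tcpdump -nl -i "$WAN_IF" -c 1 "icmp and dst host $TARGET" >"$wan_out" 2>/dev/null & wan_pid=$!
    tcpdump -nl -i "$VTI_IF" -c 1 "icmp and dst host $TARGET" >"$vti_out" 2>/dev/null & vti_pid=$!
    sleep 1                                      # let both captures attach before probing
    ping -c 1 -W 2000 "$TARGET" >/dev/null 2>&1  # FreeBSD ping(8): -W is the wait time in ms
    sleep 2
    kill "$wan_pid" "$vti_pid" 2>/dev/null       # the interface that saw nothing is still waiting
    wait "$wan_pid" "$vti_pid" 2>/dev/null
    { sed "s/^/$WAN_IF /" "$wan_out"; sed "s/^/$VTI_IF /" "$vti_out"; } | summarize_capture
    rm -f "$wan_out" "$vti_out"
}

# Constructed sample of a tagged capture line (not real output): the case the thread
# describes, where the probe left via WAN with the (assumed) WAN address 203.0.113.5 as source.
SAMPLE_CAPTURE='vtnet0 12:00:01.000001 IP 203.0.113.5 > 10.20.0.10: ICMP echo request, id 7, seq 1, length 64'

# The live check only runs when explicitly requested (RUN_EGRESS_CHECK is an assumed name);
# sourcing the file merely defines the functions.
if [ "${RUN_EGRESS_CHECK:-0}" = 1 ]; then
    echo "routing table sends $TARGET via: $(routed_iface "$TARGET")"
    echo "loaded NAT rules:"; show_nat_rules
    echo "observed egress (iface src dst):"; capture_probe
fi
```

Run it as `RUN_EGRESS_CHECK=1 sh egress-check.sh` once with the outbound NAT rule bound to the VTI and once with it bound to WAN; if the "observed egress" interface differs from the "routing table sends via" interface, the capture has shown that the rule binding, not the route, decided where the packet went.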
January 16, 2025, 08:47:05 AM #2 Last Edit: January 16, 2025, 08:48:46 AM by zemanek
Quote
Why did you use an IP out of the link-local range for the tunnel?

It's an IPsec tunnel to an AWS transit gateway, and this IP range is assigned automatically by AWS for BGP purposes when creating a site-to-site VPN.

Quote
But why do you want to translate it to a WAN address?

Because I already have the WAN CIDR in routing tables elsewhere in the network, and it would simplify the routing configuration. Otherwise I would have to include all internal tunnel CIDRs in all routing tables to be able to respond to communication initiated on OPNsense (which I did as a workaround in the testing setup).

Quote
Did you verify this with a packet capture?

YES.

I configured another instance with a policy-based VPN and set up an SNAT rule for everything to have its source IP replaced with the WAN address (the instance is a VM with only one interface). I set this for the IPsec interface, as I assumed that the SNAT rule is applied AFTER the routing decision. But with this setup packets are sent through the WAN interface! When I change the SNAT rule to be associated with the WAN interface instead, packets are correctly sent through the IPsec interface and SNATed.

Can someone please explain this WTF?