Outbound Nat on WG Tunnels

[jt-socal]

Since I believe 27.7.7, my wireguard tunnels do not work on reboot until I go into GUI/Firewall/NAT/Outbound and hit Save.  I have "Hybrid outbound NAT rule generation" selected by no manual rules

I figured 27.7.8 would fix, but does not.  Maybe it is me though too.

Suggestions, please. 

[Kinerg]

Possibly related to #6909?

[jt-socal]

I don't think it is related, but how do I test?

[Kinerg]

Compare the content of /tmp/rules.debug before and after you hit Save and look if something similar to this is missing before saving:

Code Select Expand

nat on vtnet1 inet from (wg2:network) to any port 500 -> (vtnet1:0) static-port # Automatic outbound rule
nat on vtnet1 inet from (wg1:network) to any port 500 -> (vtnet1:0) static-port # Automatic outbound rule

nat on vtnet1 inet from (wg2:network) to any -> (vtnet1:0) port 1024:65535 # Automatic outbound rule
nat on vtnet1 inet from (wg1:network) to any -> (vtnet1:0) port 1024:65535 # Automatic outbound rule

Does running

Code Select Expand

/usr/local/etc/rc.filter_configure also fix the issue for you?

[marshalleq]

I just wanted to add, in case it helps that I'm having a similar problem since one of the recent updates where my OpenVPN VPN will connect, will allow traffic to the firewall, but doesn't get internet.  So it doesn't seem to be specific to wire guard.

I tried the workaround to click save and in my case that did not solve the issue though, so it may be something else.

This is just a personal firewall and I'm the only VPN user so I will have a look at it later.

[franco]

please refer to https://forum.opnsense.org/index.php?topic=37248.0

I don't think automatic rules are supported here (it implies an IPv4 mode set by wireguard interface but that is not supposed to be supported by tunnels.


Cheers,
Franco