Hi, I have set up a WireGuard server on my home network and I can get my phone 
to connect to the WG server over the Internet, but from my local LAN I am having 
NAT issues that I have been unable to resolve and wondered if someone could 
help?

After reading the NAT man pages I moved my WireGuard server onto its own 
network / VLAN, as I thought that by doing that I would be able to get a combo of 
nat / rdr rules to redirect the traffic from my default LAN onto the WireGuard 
VLAN, but this just doesn't seem to be working. I can see the WG traffic coming 
in on the LAN interface but it just keeps heading for the public IP address.

  IP 95.x.x.x
  Port 51820
  Proto: UDP
My Wireless access point is 192.168.1.70

Firewall = APU1c, with three interfaces.
re0 = lan
re1 = the wireguard vlan
re2 = pppoe0

tcpdump -n -i re0 port 51820
Oct 21 23:35:16.061166 58:c5:cb:xx:xx:xx 00:0d:b9:yy:yy:yy 0800 190: 192.168.1.70.42332 > 95.x.x.x.51820: udp 148 (DF)
Oct 21 23:35:21.317678 58:c5:cb:xx:xx:xx 00:0d:b9:yy:yy:yy 0800 190: 192.168.1.70.42332 > 95.x.x.x.51820: udp 148 (DF)

tcpdump -n -i vlan010 = nothing

...

lan_if    = "re0"
wg_if     = "vlan010"
wg_svr = "192.168.2.2/32"

table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 192.168.0.0/16 
198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 }
set block-policy drop
set loginterface egress
set skip on lo0
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
antispoof quick for { egress $lan_if $wg_if }
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block log all

###### Egress #######
pass in on egress inet proto udp from any to (egress:0) port 51820 rdr-to $wg_svr
pass out quick on egress inet

######  LAN #######
pass  in       on $lan_if inet proto udp from any to (egress:0) port 51820 rdr-to $wg_svr
pass  in       on $lan_if inet
pass out quick on $lan_if inet

######  WG #######
pass  in       on $wg_if inet
pass out quick on $wg_if inet

Thanks for looking.
Keith.
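For reference, here is the standard pf(4) pattern for "reflecting" LAN clients that talk to the public address back to an internal server on another VLAN. This is an added example for readers of the thread, not Keith's configuration or a verified fix for his setup; the interface names, addresses and port are assumptions copied from the post, and the rule syntax is the OpenBSD 4.7+ `rdr-to` / `nat-to` form described in pf.conf(5) and the PF FAQ.

```pf
# Added example (not the original poster's config): redirect WireGuard traffic
# arriving from the Internet and from the LAN to a WG host on a separate VLAN.
# Interface names, addresses and port are assumptions taken from the post.
lan_if  = "re0"
wg_if   = "vlan010"
wg_svr  = "192.168.2.2"
wg_port = "51820"

# From the Internet: rewrite the destination to the WG host before routing.
pass in on egress inet proto udp from any to (egress:0) port $wg_port rdr-to $wg_svr

# From the LAN: clients address the public IP; the destination is rewritten on
# input so the packet is forwarded out $wg_if instead of towards pppoe0. The
# state created by this rule also un-translates the WG host's replies.
pass in on $lan_if inet proto udp from ($lan_if:network) to (egress:0) port $wg_port rdr-to $wg_svr

# Let the redirected packet leave towards the WG VLAN (pf is the router here).
pass out on $wg_if inet proto udp to $wg_svr port $wg_port

# Only needed when client and server sit on the SAME subnet (not this case):
# source-NAT so the reply comes back through the firewall rather than directly
# to the client, which would otherwise see an unexpected source address.
# match out on $wg_if inet proto udp from ($lan_if:network) to $wg_svr port $wg_port received-on $lan_if nat-to ($wg_if)
```

To confirm the redirect is actually taking effect, check the ruleset with `pfctl -nf /etc/pf.conf` (syntax only), then look for a state on the LAN side with `pfctl -ss | grep 51820`: a working reflection shows the client's `192.168.1.70:42332` flow with the public address translated to `192.168.2.2`, and `tcpdump -n -i vlan010 udp port 51820` then shows the same packets leaving on the WG VLAN. If the state shows the untranslated public address, the `rdr-to` rule is not matching that traffic.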
