Bug #11289: Wireguard: Automatic outbound NAT rules are applied to the WG interface - pfSense - pfSense bugtracker

Bug #11289

Wireguard: Automatic outbound NAT rules are applied to the WG interface

Added by Steve Wheeler 3 months ago. Updated 3 months ago.

Status:

Resolved

Priority:

Normal

Assignee:

Jim Pingle

Category:

WireGuard

Target version:

2.5.0

Start date:

01/22/2021

Due date:

% Done:

100%

Estimated time:

Affected Version:

2.5.0

Affected Architecture:

All

Release Notes:

Default

Description

It's unexpected that they should be there for a site-to-site setup.

Additionally the WG interface subnet is included in the 'tonatsubnets' table so it NAT's it's own traffic:

WG0     icmp     172.27.116.16:7147 (172.27.116.16:53398) -> 172.27.116.1:7147     0:0     2.955 K / 2.955 K     84 KiB / 84 KiB

Testing in:

21.02-DEVELOPMENT (amd64)
built on Fri Jan 22 00:08:37 EST 2021
FreeBSD 12.2-STABLE

Associated revisions

Revision bc8cf86b (diff)
Added by Jim Pingle 3 months ago

Exclude wg(4) from auto outbound NAT. Fixes #11289

History

#1 Updated by Jim Pingle 3 months ago

It should be excluded from automatic outbound NAT, but it does belong in tonatsubnets (so it gets NAT out WANs).

Commit coming momentarily.

#2 Updated by Jim Pingle 3 months ago

Status changed from New to Feedback
% Done changed from 0 to 100

Applied in changeset bc8cf86b8f1d83677c43ba4501704b9192501495.

#3 Updated by Jim Pingle 3 months ago

Status changed from Feedback to Resolved

OK on current snapshots. The automatic outbound NAT rules are not being applied to WireGuard interfaces (assigned or unassigned). The tunnel network remains in tonatsubnets as expected.

Also available in: Atom PDF

Project

General

Profile

pfSense

Issues

Custom queries