[SOLVED] Wireguard site2site NAT / IP of tunnel shown instead of real IP from other site
-
@ogghi Making a no-NAT rule in hybrid mode in the outbound NAT section would be one way to tackle this. It is up to you to configure things the right way. Not selecting a gateway in the interface config screen of that WireGuard interface would be another.
-
@Bob-Dig Wouldn't removing the GW in the WG interface config have it use the default GW, which is WAN?
If so, then it should be unselected on both sites' WG interface config, right?
-
@ogghi said in Wireguard site2site NAT / IP of tunnel shown instead of real IP from other site:
Wouldn't removing the GW in the WG interface config have it use the default GW, which is WAN?
No. Just remove them there on both sides and you will see that there is no more NAT done. You can keep the gateways, just don't put them in the interface config as upstream gateways.
-
@ogghi said in Wireguard site2site NAT / IP of tunnel shown instead of real IP from other site:
Wouldn't removing the GW in the WG interface config have it use the default GW, which is WAN?
Ok, to be more precise, that will happen if you have internet traffic (any) as source incoming on that WireGuard interface. If this is the case, then you have to have the gateway as an upstream gateway on that interface. If you don't want NAT, then you have to create the no-NAT rule (in hybrid mode) yourself.
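An added illustration, not from the thread, of what that hybrid-mode no-NAT rule amounts to in pf terms on site 2. The interface name wg0 and the subnets (172.16.8.0/21 as the site 2 LAN, 172.16.0.0/21 as the remote site reached through the tunnel) are assumptions for the illustration, as is the shape of the automatic rule:

```pf
# Added illustration (not the thread's or pfSense's own ruleset).
# Assumed: wg0 is the WireGuard tunnel, 172.16.8.0/21 is the local LAN,
# 172.16.0.0/21 is the remote site's network reached through the tunnel.
# pf evaluates translation rules first-match, so the exemption has to sit
# above the automatic outbound NAT rule for the tunnel interface.

# Hybrid-mode no-NAT rule: local LAN to remote site keeps its real source IP.
no nat on wg0 from 172.16.8.0/21 to 172.16.0.0/21

# Approximate shape of the automatic outbound NAT rule pfSense adds once the
# tunnel interface carries an upstream gateway (everything leaving wg0 gets
# the tunnel address as source unless exempted above).
nat on wg0 from 172.16.8.0/21 to any -> (wg0)
```

A quick check from a site 2 host is a packet capture on the site 1 side: with the exemption matching, the source address seen there is the host's LAN address, not the tunnel address.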
-
@Bob-Dig Just tried and there were issues accessing some things via web interface, so reverted to those interfaces having an upstream gateway.
Will look up the no-NAT thing after lunch break!
Thanks
-
@Bob-Dig Before I apply the noNAT rule on site2:
As there is a static route for 172.16.0.0/21 to use the WG GW, I can basically set it like this?
Then any traffic from LAN network (172.16.8.0/21) going to WG interface should have NAT disabled, right?
-
@ogghi Right. But try any if you don't want to NAT in general.
-
@Bob-Dig I tried, it breaks connection, for example I couldn't SSH to a host on site2 anymore!
Are there any possible issues with automatically created NAT rules?
Site2
Site1
-
@ogghi said in Wireguard site2site NAT / IP of tunnel shown instead of real IP from other site:
for example I couldn't SSH to a host on site2 anymore!
Ok, why is that? Maybe that host only allows access from local subnets?
Are there any possible issues with automatically created NAT rules?
See for yourself. Basically everything is NATed.
There is not more I can tell you.
-
@Bob-Dig
There is no IP limitation on that host, also as soon as I disabled the NAT I lose connection to other hosts, SNMP checks failing, or even web access to some host. Those NAT rules are automatic and can't be disabled.
Maybe somebody else has an idea?
Many thanks for the input though!
-
@ogghi Another thing that shows there is NAT where it shouldn't be:
On site 1 I have an internal speedtest ( https://github.com/librespeed/speedtest )
When I open the browser from site 2 it shows the tunnel IP of site 2 instead of the local IP I have with my laptop being in site 2...
-
@ogghi Sorry for the spam!
It works just fine now.
I had to remove the upstream gateway from the 2 tunnel interfaces on each site and then it started...