WireGuard client NAT with alias IP breaks handshake on pfSense 2.8.1
- 
 Hi all, I’m running pfSense 2.8.1-RELEASE in an HA setup, and I’m running WireGuard as a client. I need all LAN traffic for certain subnets to be NATed through the WireGuard interface so that the server sees a specific public IP. Here’s my configuration:
 - WireGuard Client IP (Tunnel-IP): 10.19.57.2
 - WireGuard Server IP: 10.19.57.1
 - Public Alias IP for NAT: 192.168.10.10 (configured as a Virtual IP / IP Alias on the WIREGUARD interface)
 - LAN Subnets: 192.168.1.0/24, 192.168.129.0/24
 - Destination Subnets behind server: 192.168.10.0
 - Outbound NAT: Source = LAN subnets, Translation = Alias-IP 192.168.10.10
 - LAN Firewall rule: Gateway = WIREGUARD_GW
 Problem: When the Alias-IP is configured for NAT, WireGuard handshakes stop and no traffic flows.
 Tunnel-IP alone works fine → handshakes are stable.
 NAT on the Tunnel-IP alone works for traffic, but then the server sees the wrong source IP.
 I’ve verified AllowedIPs on the server, MTU, firewall rules, and HA failover – everything else is correct.
 It seems that pfSense cannot reliably NAT LAN traffic through a WireGuard client interface while keeping the handshake stable if the NAT IP is an alias on the same interface. Has anyone found a working solution for NATing LAN traffic through WireGuard with a separate “known” public IP while keeping the handshake stable? TIA. Bye.
 Michael.
- 
 Found a solution: 
 When using the desired outbound address in the outbound NAT rule for translation directly, instead of using an alias IP, it seems to work as desired.
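A check to run on the firewall after making that change, added here as an example that is not from this thread: it confirms the peer handshake is still recent and that LAN states toward the server-side subnet are really translated to 192.168.10.10 rather than the tunnel IP. The interface name tun_wg0 and the exact `wg`/`pfctl` output layouts are assumptions, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: after switching the outbound NAT rule to
# the direct translation address, check that (1) the WireGuard peer handshake
# is recent and (2) LAN -> 192.168.10.0/24 states leave with the wanted source.
# Assumed output formats: `wg show <if> latest-handshakes` prints
# "<pubkey><TAB><epoch>", and `pfctl -ss` prints
# "<if> <proto> <xlated>:<port> (<orig>:<port>) -> <dst>:<port> <state>".
WG_IF=tun_wg0          # assumed pfSense WireGuard interface name
WANT_SRC=192.168.10.10 # the address the server should see

# 0 if the newest handshake in "$1" is at most $2 seconds (default 180)
# before epoch $3 (default: now). An active tunnel re-handshakes about every
# 2 minutes, so anything older than that plus a margin means it stopped.
handshake_fresh() {
    max_age=${2:-180}; now=${3:-$(date +%s)}
    newest=$(printf '%s\n' "$1" | awk '$2 + 0 > m + 0 { m = $2 } END { print m + 0 }')
    [ "$newest" -gt 0 ] && [ $((now - newest)) -le "$max_age" ]
}

# Prints how many states on interface $3 from the two LAN subnets to
# 192.168.10.0/24 were translated to something other than $2; 0 = all good.
nat_source_mismatches() {
    printf '%s\n' "$1" | awk -v want="$2" -v ifc="$3" '
        $1 == ifc && $4 ~ /^\(192\.168\.(1|129)\./ && $6 ~ /^192\.168\.10\./ {
            split($3, s, ":"); if (s[1] != want) bad++
        }
        END { print bad + 0 }'
}

# Constructed sample outputs (replace with "$(wg show "$WG_IF" latest-handshakes)"
# and "$(pfctl -ss)" on the firewall). The third state shows the "wrong source" case.
SAMPLE_HS=$(printf 'PEER_PUBKEY_PLACEHOLDER=\t1700000000')
SAMPLE_STATES='tun_wg0 udp 192.168.10.10:50332 (192.168.1.20:50332) -> 192.168.10.5:53 MULTIPLE:MULTIPLE
tun_wg0 tcp 192.168.10.10:61000 (192.168.129.7:61000) -> 192.168.10.8:443 ESTABLISHED:ESTABLISHED
tun_wg0 udp 10.19.57.2:40001 (192.168.1.31:40001) -> 192.168.10.5:53 MULTIPLE:MULTIPLE
wan udp 203.0.113.5:51820 -> 198.51.100.9:51820 MULTIPLE:MULTIPLE'

if handshake_fresh "$SAMPLE_HS" 180 1700000100; then echo "handshake: fresh"; else echo "handshake: stale"; fi
bad=$(nat_source_mismatches "$SAMPLE_STATES" "$WANT_SRC" "$WG_IF")
echo "states not translated to $WANT_SRC: $bad"
```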