I've been trying to get a jail to work as a Wireguard gateway in conjunction with my ipfw kill switch and NAT rules.
I'm able to get one or the other to work, but unfortunately not both.
My ipfw ruleset to block all traffic except traffic destined for the Wireguard server and my two LANs (172.16.2.0/24 - which I want to route through Wireguard via my jail and 192.168.1.0/24 which I just want to access) :
This works fine and when I'm not connected to Wireguard, I can't reach any device outside both of my LANs.
But now, when I want to add the appropriate NAT rules to allow any device on my LAN (172.16.2.0/24) to route traffic through this jail via Wireguard, I added these 3 rules, which work fine without the other rules above:
From this point on, I am able to route all traffic from my LAN (172.16.2.0/24) through Wireguard, which is what I want.
However, when I try to merge these rules with the kill switch rules, I am no longer able to route traffic from my LAN, only the Wireguard jail is able to do so :
I can see from the tcpdump that I'm not able to send traffic back to my LAN:
I thought about removing the deny rule just to see if the connection from my test vm (172.16.2.50) would be able to reach the Internet through the Wireguard jail, but unfortunately that doesn't seem to work either.
So at this point, I'm not sure why NAT stopped working. Without the kill switch rules this works but not together.
Does anyone have any pointers as to what might be causing this as I have run out of ideas?
Thanks.
I'm able to get one or the other to work, but unfortunately not both.
My ipfw ruleset to block all traffic except traffic destined for the Wireguard server and my two LANs (172.16.2.0/24 - which I want to route through Wireguard via my jail and 192.168.1.0/24 which I just want to access) :
00001 allow ip from any to any via lo0
00005 check-state :default
00010 allow ip from any to any via wg0 keep-state :default
00101 allow ip from me to 172.16.2.0/24
00102 allow ip from 172.16.2.0/24 to me
00103 allow ip from me to 192.168.1.0/24
00104 allow ip from 192.168.1.0/24 to me
00110 allow udp from any to any 443 out via epair0b keep-state :default
00115 deny log ip from any to any
65535 allow ip from any to any
This works fine and when I'm not connected to Wireguard, I can't reach any device outside both of my LANs.
But now, when I want to add the appropriate NAT rules to allow any device on my LAN (172.16.2.0/24) to route traffic through this jail via Wireguard, I added these 3 rules, which work fine without the other rules above:
ipfw -q -f flush
ipfw -q nat 1 config if wg0
ipfw -q add 00050 nat 1 all from 172.16.2.0/24 to any via wg0
ipfw -q add 00051 nat 1 all from any to any in via wg0
From this point on, I am able to route all traffic from my LAN (172.16.2.0/24) through Wireguard, which is what I want.
However, when I try to merge these rules with the kill switch rules, I am no longer able to route traffic from my LAN, only the Wireguard jail is able to do so :
00001 allow ip from any to any via lo0
00005 check-state :default
00010 allow ip from any to any via wg0 keep-state :default
00050 nat 1 ip from 172.16.2.0/24 to any via wg0
00051 nat 1 ip from any to any in via wg0
00101 allow ip from me to 172.16.2.0/24
00102 allow ip from 172.16.2.0/24 to me
00103 allow ip from me to 192.168.1.0/24
00104 allow ip from 192.168.1.0/24 to me
00105 allow ip from me to 192.168.196.0/24
00106 allow ip from 192.168.196.0/24 to me
00110 allow udp from any to any 443 out via epair0b keep-state :default
00115 deny log ip from any to any
65535 allow ip from any to any
I can see from the tcpdump that I'm not able to send traffic back to my LAN:
root@jailgw:~ # tcpdump -nni epair0b host 172.16.2.50
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on epair0b, link-type EN10MB (Ethernet), capture size 262144 bytes
20:41:38.727012 IP 172.16.2.50.53714 > 142.251.36.14.443: Flags [ S], seq 1414858473, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1267885730 ecr 0], length 0
20:41:39.727245 IP 172.16.2.50.53714 > 142.251.36.14.443: Flags [ S], seq 1414858473, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1267886730 ecr 0], length 0
20:41:41.951914 IP 172.16.2.50.53714 > 142.251.36.14.443: Flags [ S], seq 1414858473, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1267888955 ecr 0], length 0
I thought about removing the deny rule just to see if the connection from my test vm (172.16.2.50) would be able to reach the Internet through the Wireguard jail, but unfortunately that doesn't seem to work either.
So at this point, I'm not sure why NAT stopped working. Without the kill switch rules this works but not together.
Does anyone have any pointers as to what might be causing this as I have run out of ideas?
Thanks.