IPSEC vpn policy migration from iptables to nft

I have these:

iptables -t nat -I POSTROUTING -s -o eth1 -j MASQUERADE
iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT

To allow incomming IPSEC from roadwarrior to work. I tried migrating it with iptables-translate but only first row works. The other generates crap.

sudo iptables-translate -t nat -I POSTROUTING -s -o eth1 -j MASQUERADE
nft insert rule ip nat POSTROUTING oifname "eth1" ip saddr counter masquerade

But for the reset it creates this crap:

iptables-translate -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
nft # -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT

Anyone have any ideas?

All of these rules can be applied with fw3/4, no need for custom iptables/nftables rules.
Masquerade is applied by default to the wan zone.
There are by default rules to allow ESP and ISAKMP forwarding from wan to lan.
4th rule is not needed as the forwarding from lan to wan is allowed by default.
5th rule is not needed as the output policy on wan zone is "allow".

Aha I got the firewall-stuff from this guide:

So I thought it was needed due to it seems to be coming from WAN side when using IPSEC.

Maybe @LuKePicci @andesu can comment as they are maintaining the particular wiki page and I am not using IPSEC on OpenWrt.

Yeah, lets see if someone can comment on those settings. Rather odd tho. In 21.xx it didnt work without it. Now in 22.03 it seems to do fine without it as long as I restart the ipsec/swanctl once after boot.

Hi @xayide,

looks like your iptables rules (your post at the top) are pretty much identical to what I used to have in /etc/firewall.user (see my post here). The only difference is the ip-address (you have where I have

That said, don't worry about the iptables-translate and just use what I proposed in my forum post (here). Specifically, you want to have settings in the following 3 places:

  1. /etc/config/firewall
  2. /etc/nftables.d/20-ipsec.nft
  3. /etc/fwuser.nft

For 1. from above you need to exclude your vpn firewall zone from masquerading (you add list masq_dest '!' to your WAN zone). You also need to incorporate the /etc/fwuser.nft script you created.

config zone
	option name		'wan'
	list network		'WAN'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1
	list masq_dest		'!'

# ...stuff in between that I skipped for this example

config include                        
        option type             'nftables'
        option path             '/etc/fwuser.nft'
        option position         'chain-pre'     
        option chain            'input_wan'
config include                        
        option type             'nftables'
        option path             '/etc/fwuser.nft'
        option position         'chain-pre'
        option chain            'forward_wan'

For 2. you need to create a script (i.e., /etc/nftables.d/20-ipsec.nft) to configure post routing.

chain ipsec_chain {
     type nat hook postrouting priority -1;
     ip daddr counter accept

chain forward {
     type filter hook forward priority 0;
     ip saddr counter drop

For 3. you need to use meta ipsec exists in the nftables rules for the INPUT and FORWARD chain (i.e., create /etc/fwuser.nft for that, but make sure this is the exact script you include in your /etc/config/firewall script).

# /etc/fwuser.nft
meta ipsec exists ip saddr counter accept comment "custom: allow for vpn"

This should do the trick.


Oh my, that was VERY infromative. thank you!
I tried using my VPN without the rules and couldnt reach internal network so this comes in handy!

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.