Hi @xayide,
looks like your iptables rules (your post at the top) are pretty much identical to what I used to have in /etc/firewall.user (see my post here). The only difference is the IP address (you have 10.0.2.0/24 where I have 10.10.20.0/29).
That said, don't worry about the iptables-translate and just use what I proposed in my forum post (here). Specifically, you want to have settings in the following 3 places:
1. /etc/config/firewall
2. /etc/nftables.d/20-ipsec.nft
3. /etc/fwuser.nft
For 1. from above you need to exclude your VPN firewall zone from masquerading (you add list masq_dest '!10.0.2.0/24' to your WAN zone). You also need to incorporate the /etc/fwuser.nft script you created.
/etc/config/firewall
config zone
	option name 'wan'
	list network 'WAN'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list masq_dest '!10.0.2.0/24'

# ...stuff in between that I skipped for this example

config include
	option type 'nftables'
	option path '/etc/fwuser.nft'
	option position 'chain-pre'
	option chain 'input_wan'

config include
	option type 'nftables'
	option path '/etc/fwuser.nft'
	option position 'chain-pre'
	option chain 'forward_wan'
For 2. you need to create a script (i.e., /etc/nftables.d/20-ipsec.nft) to configure post routing.
/etc/nftables.d/20-ipsec.nft
# /etc/nftables.d/20-ipsec.nft
# fw4 includes every *.nft file from this directory inside its own
# "table inet fw4 { ... }", so this file holds plain chain definitions.
chain ipsec_chain {
	# nat chain on the postrouting hook, ahead of fw4's srcnat chain (priority 100):
	# count and accept traffic headed for the VPN subnet
	type nat hook postrouting priority -1;
	ip daddr 10.0.2.0/24 counter accept
}
chain forward {
	# note: fw4's own base chain in table inet fw4 is also named "forward";
	# this drops forwarded packets claiming the VPN source subnet that were not
	# already accepted by the "meta ipsec exists" rule in /etc/fwuser.nft
	type filter hook forward priority 0;
	ip saddr 10.0.2.0/24 counter drop
}
For 3. you need to use meta ipsec exists in the nftables rules for the INPUT and FORWARD chain (i.e., create /etc/fwuser.nft for that, but make sure this is the exact script you include in your /etc/config/firewall script).
/etc/fwuser.nft
# /etc/fwuser.nft
# included by fw4 at the top ("chain-pre") of input_wan and forward_wan (see the
# two "config include" sections in /etc/config/firewall); matches only packets
# that arrived through an IPsec SA, so plain packets claiming the VPN subnet
# never reach this accept
meta ipsec exists ip saddr 10.0.2.0/24 counter accept comment "custom: allow for vpn"
This should do the trick.
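The three files in the post above only work together when they name the same VPN subnet and when the include path in /etc/config/firewall really points at the file that exists. The script below is an added example, not code from the forum post or from fw4: it checks those cross-file dependencies on a staging copy of the configuration. The ROOT argument (standing in for "/"), the function names and the sample files written by make_sample are assumptions made for this demo; the file layout is the one the post uses.

```shell
#!/bin/sh
# Consistency check for the three fw4/IPsec files described in the post above.
# Added example, not from the post. Assumes the post's layout
# (/etc/config/firewall, /etc/nftables.d/20-ipsec.nft, /etc/fwuser.nft) under a
# ROOT directory standing in for "/", so it can run on a staging copy.
# make_sample writes constructed copies of the post's files for the demo.

# subnets_in FILE: print every a.b.c.d/nn in FILE, one per line, deduplicated
subnets_in() {
	grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}' "$1" | sort -u
}

# includes_for FIREWALL CHAIN: print the 'option path' of every
# "config include" section in FIREWALL whose 'option chain' is CHAIN
includes_for() {
	awk -v q="'" -v want="$2" '
		/^[[:space:]]*config include/ { p = ""; c = "" }
		/^[[:space:]]*option path/    { gsub(q, "", $3); p = $3 }
		/^[[:space:]]*option chain/   { gsub(q, "", $3); c = $3 }
		p != "" && c == want          { print p; p = ""; c = "" }
	' "$1"
}

# check_vpn_config ROOT: return 0 only if
#  1. a zone has a negated masq_dest (the VPN subnet is not masqueraded),
#  2. input_wan and forward_wan both pull in an include file that exists and
#     carries a "meta ipsec exists" rule, and
#  3. every nft file names exactly the subnet(s) excluded from masquerading.
check_vpn_config() {
	root=$1
	fw="$root/etc/config/firewall"
	ipsec="$root/etc/nftables.d/20-ipsec.nft"
	ok=0
	for f in "$fw" "$ipsec"; do
		[ -r "$f" ] || { echo "missing: $f"; return 1; }
	done

	# 1. negated masq_dest entries (quoted UCI syntax, as in the post)
	masq=$(sed -n "s/^[[:space:]]*list masq_dest '!\([0-9.]*\/[0-9]*\)'.*/\1/p" "$fw" | sort -u)
	[ -n "$masq" ] || { echo "$fw: no negated masq_dest found"; ok=1; }

	# 2. include files attached to the two wan chains
	for chain in input_wan forward_wan; do
		paths=$(includes_for "$fw" "$chain")
		[ -n "$paths" ] || { echo "$fw: no include attached to chain $chain"; ok=1; continue; }
		for p in $paths; do
			f="$root$p"
			[ -r "$f" ] || { echo "$chain include $p not found under $root"; ok=1; continue; }
			grep -q 'meta ipsec exists' "$f" || { echo "$f: no 'meta ipsec exists' rule"; ok=1; }
			found=$(subnets_in "$f")
			[ "$found" = "$masq" ] || { echo "$f: subnets '$found' differ from masq_dest '$masq'"; ok=1; }
		done
	done

	# 3. the postrouting nat chain must exist and use the same subnet
	grep -q 'type nat hook postrouting' "$ipsec" || { echo "$ipsec: no postrouting nat chain"; ok=1; }
	found=$(subnets_in "$ipsec")
	[ "$found" = "$masq" ] || { echo "$ipsec: subnets '$found' differ from masq_dest '$masq'"; ok=1; }
	return $ok
}

# make_sample ROOT SUBNET: write constructed copies of the post's three files
# (trimmed to the options the check looks at) under ROOT
make_sample() {
	mkdir -p "$1/etc/config" "$1/etc/nftables.d"
	cat > "$1/etc/config/firewall" <<EOF
config zone
	option name 'wan'
	option masq '1'
	list masq_dest '!$2'

config include
	option type 'nftables'
	option path '/etc/fwuser.nft'
	option position 'chain-pre'
	option chain 'input_wan'

config include
	option type 'nftables'
	option path '/etc/fwuser.nft'
	option position 'chain-pre'
	option chain 'forward_wan'
EOF
	cat > "$1/etc/nftables.d/20-ipsec.nft" <<EOF
chain ipsec_chain {
	type nat hook postrouting priority -1;
	ip daddr $2 counter accept
}
EOF
	echo "meta ipsec exists ip saddr $2 counter accept comment \"custom: allow for vpn\"" > "$1/etc/fwuser.nft"
}

# Demo run: stage the post's files for 10.0.2.0/24 and check them
demo=$(mktemp -d)
make_sample "$demo" 10.0.2.0/24
if check_vpn_config "$demo"; then echo "$demo: consistent"; fi
rm -rf "$demo"
```

Run it against a staging directory before copying the files to the router (or with ROOT set to / on the router itself). Once the files are in place, fw4 check validates the generated ruleset and fw4 print (or nft list chain inet fw4 forward_wan) shows where the included rules actually landed.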