NAT / IP Masquerading with firewalld

Hello everyone,

I am trying to get NAT / IP masquerading working with firewalld, and so far I cannot get internal devices to access the internet.

I use WireGuard on the public interface wlan0; the internal interfaces are eth0 and wlan1.

# firewall-cmd --get-active-zones
internal
  interfaces: wlan1 eth0
external
  interfaces: wireguard0
public
  interfaces: wlan0
# firewall-cmd --zone=internal --add-masquerade --permanent
# firewall-cmd --reload
# firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o wireguard0 -j MASQUERADE
# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth0 -o wireguard0 -j ACCEPT
# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wireguard0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

This did not work.

I have made another attempt with a policy:

# firewall-cmd --permanent --new-policy int2ext
# firewall-cmd --permanent --policy int2ext --add-ingress-zone internal
# firewall-cmd --permanent --policy int2ext --add-egress-zone external
# firewall-cmd --permanent --policy int2ext --set-target ACCEPT
# firewall-cmd --reload

Which also did not work.

I would appreciate any suggestions on what I got wrong.

Thank you

What is the actual goal?

When you establish a VPN connection, you are connecting to some server somewhere
which then acts as your point of origin as far as any service you access is concerned.

From what I know, you configure the VPN software itself to be able to route traffic destined to the VPN endpoint … back to your machine.

A local firewall configuration is not the place to do that.

It has to allow incoming connections though - something that is easy to achieve by not having that firewall at all (methinks). :man_shrugging:

Thank you for your response.

It is an edge / access device which allows other devices on eth0 and wlan1 to connect to the internet through WireGuard/VPN.
The access device also provides DNS filters.
The connection to the internet on the access device is fine both with and without the local firewall.

The issue is only with the internal devices connected on eth0 and wlan1, which do not have access to the internet. I think that requires some NAT / IP masquerading to get the traffic between the internal and external zones/interfaces.

… the “device” is running/initiating the VPN (as I understand it)

The device then needs to forward the connection attempts from the outside … to where they are supposed to be arriving.

The local firewall can simply allow or deny any connection (in or out).
It can’t do anything about the things that are arriving at the “device” or how it handles these connections.

That is how I understand it …

Yes, it is very simple:

eth0
|----> wlan0---wireguard~~~internet
wlan1

The device has no problem accessing the internet through WireGuard, but no traffic from eth0 or wlan1.

The idea of using a policy rather than IP masquerading is from Internet sharing - ArchWiki.
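As an added example, not part of this thread or of the ArchWiki page it links, here is a POSIX shell audit of the pieces a LAN-to-WireGuard forwarding path in firewalld depends on: the zone each interface sits in, masquerade on the zone that holds the egress interface, an ingress-to-egress policy with target ACCEPT, and net.ipv4.ip_forward. It assumes the output formats of firewall-cmd --get-active-zones and --info-policy, and reuses the interface and policy names from the thread (eth0, wireguard0, int2ext); the check functions take saved command output as arguments so they can be exercised on captured text.

```shell
# Audit the firewalld pieces a LAN -> WireGuard forwarding path depends on. The
# check helpers take saved command output as arguments; audit_live feeds them live output.
# zone_of_iface IFACE ZONES_TEXT : zone holding IFACE, per --get-active-zones
zone_of_iface() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^[^[:space:]]/ { zone = $1 }          # zone names are unindented
        $1 == "interfaces:" { for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit } }'
}

# policy_field KEY POLICY_TEXT : value of the "KEY:" line from --info-policy
policy_field() {
    printf '%s\n' "$2" | awk -v key="$1:" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# has_word WORD LIST : true if WORD is one of the space-separated words in LIST
has_word() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# check_path LAN_IF WAN_IF ZONES_TEXT POLICY_TEXT MASQ_ZONES IP_FORWARD
#   MASQ_ZONES: zones whose --query-masquerade answered yes; IP_FORWARD: sysctl value
# Prints one line per missing piece and returns 0 only when nothing is missing.
check_path() {
    lan_if=$1; wan_if=$2; zones=$3; policy=$4; masq_zones=$5; ip_forward=$6; rc=0
    in_zone=$(zone_of_iface "$lan_if" "$zones")
    out_zone=$(zone_of_iface "$wan_if" "$zones")
    [ -n "$in_zone" ]  || { echo "$lan_if is in no active zone"; rc=1; }
    [ -n "$out_zone" ] || { echo "$wan_if is in no active zone"; rc=1; }
    [ "$ip_forward" = 1 ] || { echo "net.ipv4.ip_forward is not 1"; rc=1; }
    # the masquerade (SNAT) rule matches the outgoing interface, so it belongs on the egress zone
    has_word "$out_zone" "$masq_zones" \
        || { echo "masquerade is not enabled on zone '$out_zone' (holds $wan_if)"; rc=1; }
    has_word "$in_zone" "$(policy_field ingress-zones "$policy")" \
        || { echo "policy ingress-zones does not include '$in_zone'"; rc=1; }
    has_word "$out_zone" "$(policy_field egress-zones "$policy")" \
        || { echo "policy egress-zones does not include '$out_zone'"; rc=1; }
    [ "$(policy_field target "$policy")" = ACCEPT ] || { echo "policy target is not ACCEPT"; rc=1; }
    return $rc
}

# audit_live LAN_IF WAN_IF POLICY_NAME : run check_path against this host
audit_live() {
    masq=""
    for z in $(firewall-cmd --get-active-zones | awk '/^[^[:space:]]/ { print $1 }'); do
        firewall-cmd --zone="$z" --query-masquerade >/dev/null 2>&1 && masq="$masq $z"
    done
    check_path "$1" "$2" "$(firewall-cmd --get-active-zones)" \
        "$(firewall-cmd --info-policy "$3")" "$masq" "$(sysctl -n net.ipv4.ip_forward)"
}
```

On the access device itself, `audit_live eth0 wireguard0 int2ext` prints each missing piece and exits non-zero until the path is complete.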