
Disable NAT on WireGuard interface


fl4co

Question

Hello,

I recently bought a Keenetic Skipper router and I’m very pleased with it.

However, there is one problem I can’t seem to be able to fix: I set up a WireGuard connection but I can’t disable NAT translation on the interface. When I connect to a WireGuard peer from a device behind the Skipper, the peer always sees the connection originating from the Skipper’s WireGuard address and not from the actual device’s IP address.

I tried entering the command “no ip nat Wireguard0” but it has no effect because I think that a NAT rule was not active on the interface to begin with.

So how can I disable NAT on the WireGuard interface?


5 answers to this question


It may not be quite obvious, but NAT is defined by the source interface:

ip nat Home

That means all packets originating from the Home network are transmitted with a substituted source address.

You change it like this:

no ip nat Home

ip static Home ISP

The second command enables NAT back on the ISP interface. It can be entered more than once if there are multiple such interfaces.

P.S.

Don't forget to save settings:

system configuration save

 

1 hour ago, ndm said:

It may not be quite obvious, but NAT is defined by the source interface:


ip nat Home

That means all packets originating from the Home network are transmitted with a substituted source address.

You change it like this:


no ip nat Home

ip static Home ISP

The second command enables NAT back on the ISP interface. It can be entered more than once if there are multiple such interfaces.

P.S.

Don't forget to save settings:


system configuration save

 

Thank you for clearing this up. Now the wg interface doesn't do NAT anymore as I intended.

What does doing 

no ip nat Home

imply, anyway?

If I create a L2TP VPN then I will have to manually add

ip static Home <l2tp interface>

to be able to access the Internet through the tunnel?

2 hours ago, fl4co said:

What does doing 


no ip nat Home

imply, anyway?

"Disable NATting all traffic from Home"

2 hours ago, fl4co said:

If I create a L2TP VPN then I will have to manually add


ip static Home <l2tp interface>

to be able to access the Internet through the tunnel?

Right. This way, you can enable NAT for certain in-out interfaces.

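A simplified model of the two configurations discussed above, as an added example that is not part of the thread and not Keenetic's code: it shows which source address leaves the router for `ip nat Home` versus `no ip nat Home` plus `ip static Home ISP`, and whether the remote WireGuard peer keeps the packet. The addresses, `ROUTER_ADDR`, `LAN_HOST` and the function names are constructed; the `peer_accepts` check models WireGuard's AllowedIPs source filtering on the remote peer, which the thread does not cover.

```python
import ipaddress

# Constructed sample values (assumptions, not from the thread).
ROUTER_ADDR = {"ISP": "203.0.113.10", "Wireguard0": "10.8.0.2"}
LAN_HOST = "192.168.1.50"  # a device on the Home segment


def egress_source(src_ip, in_if, out_if, nat_sources, static_pairs):
    """Source address a forwarded packet carries when it leaves the router.

    nat_sources models `ip nat <in>`: translate everything arriving from <in>.
    static_pairs models `ip static <in> <out>`: translate only that in/out pair.
    """
    if in_if in nat_sources or (in_if, out_if) in static_pairs:
        return ROUTER_ADDR[out_if]
    return src_ip


def peer_accepts(src_ip, allowed_ips):
    """Remote WireGuard peer keeps a packet only if its source is in AllowedIPs."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(net) for net in allowed_ips)


def audit(nat_sources, static_pairs, allowed_ips):
    """Return what each egress interface emits and whether the peer keeps it."""
    seen = {out: egress_source(LAN_HOST, "Home", out, nat_sources, static_pairs)
            for out in ROUTER_ADDR}
    return {
        "isp_source": seen["ISP"],
        "wg_source": seen["Wireguard0"],
        # An untranslated LAN source on the ISP side means no Internet access.
        "isp_untranslated": seen["ISP"] == LAN_HOST,
        "peer_accepts": peer_accepts(seen["Wireguard0"], allowed_ips),
    }


if __name__ == "__main__":
    # Default: `ip nat Home` -> the peer sees the router's tunnel address.
    print(audit({"Home"}, set(), ["10.8.0.2/32"]))
    # After `no ip nat Home` + `ip static Home ISP`, peer config unchanged.
    print(audit(set(), {("Home", "ISP")}, ["10.8.0.2/32"]))
    # Same router config, peer's AllowedIPs extended with the Home subnet.
    print(audit(set(), {("Home", "ISP")}, ["10.8.0.2/32", "192.168.1.0/24"]))
```

In this model the second case is the one to watch for after the change: the LAN address now reaches the peer untranslated, so the peer's AllowedIPs for the router must cover the Home subnet.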

On 17.04.2021 at 19:36, ndm said:

"Disable NATting all traffic from Home"

Right. This way, you can enable NAT for certain in-out interfaces.

What if I have the following setup: router "A" is the WG server. Clients B and C are connected to server A.

If the WG interface is public (the default), B sees C with C's IP address and, correspondingly, C sees B with B's IP address.

When the WG interface is switched from public to private, B sees C with the IP address of server "A", i.e. NAT is in effect.

The command no ip nat Wireguard1 changes nothing.

How do I remove NAT in this case?
