[Bug 293876] NAT PF Wireguard

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 17 Mar 2026 11:44:28 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293876

            Bug ID: 293876
           Summary: NAT PF Wireguard
           Product: Base System
           Version: 15.0-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: d@voronin.it

NAT doesn't work in PF when using wireguard with the route-to command. 

wg2: flags=80c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420
        options=80000<LINKSTATE>
        inet 10.0.0.2 netmask 0xffffff00
        groups: wg
        nd6 options=109<PERFORMNUD,IFDISABLED,NO_DAD>

[root@gw /etc]# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: icmp_seq=0 ttl=64 time=26.168 ms
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=26.420 ms

pf.conf
nat pass on wg2 from 10.14.3.249 -> wg2
pass in quick on em1 route-to (wg2 10.0.0.1) from 10.14.3.249

[root@gw /etc]# tcpdump -ni wg2 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wg2, link-type NULL (BSD loopback), capture size 262144 bytes
14:20:03.030068 IP 10.14.3.249 > 8.8.8.8: ICMP echo request, id 1, seq 292, length 40
14:20:04.037212 IP 10.14.3.249 > 8.8.8.8: ICMP echo request, id 1, seq 293, length 40
14:20:05.052840 IP 10.14.3.249 > 8.8.8.8: ICMP echo request, id 1, seq 294, length 40

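
The capture above shows packets leaving wg2 with the internal source 10.14.3.249 instead of the interface address. As an added example (not part of the original report or of FreeBSD), this Python check scans `tcpdump -n` output for packets whose source is still an internal address; the function names and the sample lines marked as constructed are assumptions.

```python
import ipaddress
import re

# "<timestamp> IP <src> > <dst>: ..." as printed by `tcpdump -n` for IPv4.
PACKET_RE = re.compile(r"^(\S+) IP (\S+) > (\S+?): ")

def host_of(token):
    """IPv4 address from 'a.b.c.d' or 'a.b.c.d.port' (tcpdump appends the port)."""
    return ipaddress.ip_address(".".join(token.split(".")[:4]))

def find_untranslated(lines, internal_nets):
    """Return (timestamp, src, dst) for packets whose source is still an
    internal address, i.e. packets that left the interface without NAT."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    leaks = []
    for line in lines:
        m = PACKET_RE.match(line.strip())
        if not m:
            continue  # banner lines, wrapped continuation lines, IPv6
        ts, src, dst = m.groups()
        try:
            src_ip, dst_ip = host_of(src), host_of(dst)
        except ValueError:
            continue  # not an IPv4 address token
        if any(src_ip in n for n in nets):
            leaks.append((ts, str(src_ip), str(dst_ip)))
    return leaks

# First three packets are from the report; the last two are constructed
# (a UDP packet with ports, and a correctly translated packet).
SAMPLE = """\
listening on wg2, link-type NULL (BSD loopback), capture size 262144 bytes
14:20:03.030068 IP 10.14.3.249 > 8.8.8.8: ICMP echo request, id 1, seq 292,
length 40
14:20:04.037212 IP 10.14.3.249 > 8.8.8.8: ICMP echo request, id 1, seq 293,
length 40
14:20:05.052840 IP 10.14.3.249 > 8.8.8.8: ICMP echo request, id 1, seq 294,
length 40
14:20:06.000000 IP 10.14.3.249.53000 > 8.8.8.8.53: UDP, length 33
14:20:07.000000 IP 10.0.0.2 > 8.8.8.8: ICMP echo request, id 1, seq 295, length 40
"""

if __name__ == "__main__":
    for ts, src, dst in find_untranslated(SAMPLE.splitlines(), ["10.14.3.249/32"]):
        print(f"{ts} untranslated source {src} -> {dst}")
```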