TCP connections work all right, as they’re established sockets, where the kernel does the routing… I assumed you would search for the route yourself ;-)
rcu_dereference_bh(rt->dst.dev->ip_ptr) indeed does, as the packet effectively comes in through the uplink.

In the firewall config I need to specify both interfaces (Uplink and Public; eth1 and eth0 in the drawing) to filter:

    nft add rule ip filter input iif {Uplink,Public} jump public

and define my rules in the public chain:

    nft add rule ip filter public ip daddr 134.56.78.5 udp dport 443 accept

so a packet coming in on Uplink for the wg gets accepted only if the dst ip matches.

nftables FTW ;-)

That in itself is not very important if you have only one uplink, but if you have multiple routes (default gw's) you really need the ip behind the uplinks.

But anyway, tested and confirmed to work now.

Many thanks for the quick reply


On Thu, Aug 10, 2017 at 9:46 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
Hi Jan,

Thanks for the drawing. So the issue is that you want packets to exit
through eth1 using the addresses of eth0. I believe applying this
patch should enable that: http://ix.io/z3d Can you apply that and let
me know if it works?

I'm curious: do TCP connections generally work correctly with your
configuration?

Jason
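The two nft commands in Jan's reply above, written out as a complete nftables ruleset file (an added example, not part of the original thread and not WireGuard project configuration). The interface roles (Uplink = eth1, Public = eth0), the address 134.56.78.5 and udp/443 as the wg listen port are taken from the mail; the table name, the drop policy, the loopback and conntrack shortcut rules and the use of a named ifname set are my assumptions.

```nft
# Added example ruleset; not from the original mail.
# Assumed: table "filter" with a drop policy on input, a conntrack
# shortcut for return traffic, and eth1/eth0 as the Uplink/Public
# interfaces of the drawing.
flush ruleset

table ip filter {
    # Interfaces whose inbound traffic is subject to the "public" policy:
    # eth1 is the Uplink, eth0 is the Public interface.
    set public_ifaces {
        type ifname
        elements = { "eth1", "eth0" }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Both the uplink and the public interface go through the same chain,
        # so a WireGuard packet arriving on the uplink sees the same rule as
        # one arriving on the public interface.
        iifname @public_ifaces jump public
    }

    chain public {
        # wg listens on udp/443 behind 134.56.78.5: a packet coming in on
        # either interface is accepted only when its destination is that
        # address. Everything else falls through to the input policy (drop).
        ip daddr 134.56.78.5 udp dport 443 accept
    }
}
```

Load it with `nft -f ruleset.nft`, or syntax-check it without touching the running ruleset with `nft -c -f ruleset.nft`. One caveat worth knowing when converting the one-liners into a file: `iif` matches on interface index and therefore requires the interface to exist when the ruleset is loaded, whereas `iifname` matches the name as a string, which is why the set above is of type `ifname` and is matched with `iifname`; for a WireGuard box where the wg interface may come up after the firewall, the string match is the safer choice.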