On 6/5/20 3:56 PM, Tom Eastep wrote:
>> *AND* @remote,
>>
>>      /etc/wireguard/wg0
>>
>> +            PostUp   = ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>> +            PostDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>>
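Review bot: both added lines match only on `-o eth0`, so the PostUp rule masquerades every IPv6 flow leaving eth0 on this host, not just traffic forwarded from the tunnel. A source match on the WireGuard prefix (for example `-s <wg-ipv6-prefix>`, a placeholder since the prefix is not shown here), added identically to the `-A` and `-D` lines, would limit the NAT to tunnel traffic.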
> 
> That rule will be wiped out the next time you 'shorewall6 reload' or
> 'shorewall6 restart'.

hm.

why's that ?  because SW brings down/up ALL its addressed interfaces?

or because i'm using a SW-reserved table name, 'nat' here ... ?

in either case, I suppose I could either link the wg/vpn service dependency to shorewall,

or,

move the masquerade rules into SW

> The fact that you had to add the rule to eth0 suggests that your IPv6
> traffic is being routed out of that interface rather than out of wg0.

it _should_ be, no?

that rule is added on the *remote* end.

traffic flows

  @local ----> wg ----> @remote ----> eth0


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
