General • Connection tracking table not cleared completely after WAN IP address change

Hello friends,

TL;DR: After the public IP address of my RB5009 changes, WireGuard tunnels behind the router do not work anymore, since they are still source-NATed to the old public IP address.

I'm running an RB5009 with ROS 7.18.1 at home, connected to an ISP which offers a public IPv4 address via DHCP. One of my Proxmox VE hosts is connected directly to the router at ether8. This PVE host runs an OPNsense VM and a CHR VM; both VMs are connected with their WAN interfaces to vmbr0, which is a bridge interface directly connected to the ethernet interface of the PVE host itself. Both VMs get a private IP address from the RB5009 through DHCP, which is their default gateway. Both VMs have a WireGuard interface configured with a persistent keepalive of 10s, which connects to a VM at a Hetzner datacenter. While this setup works just fine, whenever I get a new public IP address from my ISP, the WireGuard tunnels (and only those) do not work anymore.
Starting the packet sniffer at the WAN interface of the RB5009, it shows that connections for the WireGuard tunnels are still source-NATed to the old public IP address. As soon as I reset the corresponding connections in the tracking table or set the udp-stream-timeout lower than 10s (i.e. lower than the persistent keepalive of the WireGuard tunnels), the tunnels come up again and everything works just fine. Since I'm using a masquerade NAT rule for outgoing connections at the WAN interface, a change of the public IP should reset the connection tracking entries, but this seems not to be the case here.

Any ideas?

Statistics: Posted by lodex — Thu Mar 27, 2025 10:55 am
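The workaround the post describes by hand (resetting the stale connections after the lease changes) can be automated from the DHCP client. The script below is an added example and not code from the original post or from MikroTik; it is a RouterOS v7 DHCP-client lease script that removes every connection-tracking entry whose reply side still points at a WAN address other than the one just leased. It assumes the WAN DHCP client runs on ether1 (the post does not name the WAN interface) and that `/ip firewall connection` exposes `src-address` and `reply-dst-address` as "ip:port" strings, as in RouterOS 7.x `print` output; the `$bound` and `$"lease-address"` variables are the ones the DHCP client hands to its script.

```routeros
# Added example (not from the original post): DHCP-client lease script for RouterOS v7
# that purges connection-tracking entries still masqueraded to a previous WAN address.
# Assumptions: WAN DHCP client on ether1; connection entries expose src-address and
# reply-dst-address as "ip:port" strings (IPv6 entries appear as "[addr]:port").
#
# Install with (quotes escaped as needed for the CLI) or save it under /system script
# and call it from the DHCP client's script parameter:
#   /ip dhcp-client set [find interface=ether1] script="..."

:if ($bound = 1) do={
  :local wan [:tostr $"lease-address"]
  :local purged 0

  # Strip a trailing ":port" (and IPv6 brackets) so the address part compares exactly.
  :local ipOnly do={
    :local s [:tostr $1]
    :if ([:pick $s 0 1] = "[") do={ :return [:pick $s 1 [:find $s "]"]] }
    :local i [:find $s ":"]
    :if ([:typeof $i] = "num") do={ :return [:pick $s 0 $i] }
    :return $s
  }

  :foreach c in=[/ip firewall connection find] do={
    :local src   [/ip firewall connection get $c src-address]
    :local reply [/ip firewall connection get $c reply-dst-address]
    :local srcIp   [$ipOnly $src]
    :local replyIp [$ipOnly $reply]
    # A source-NATed flow replies to the WAN address instead of the LAN source.
    # If that WAN address is not the one just leased, the entry is stale.
    :if (($replyIp != $srcIp) && ($replyIp != $wan)) do={
      /ip firewall connection remove $c
      :set purged ($purged + 1)
    }
  }
  :log info ("WAN lease " . $wan . " bound; removed " . $purged . " stale masqueraded connection(s)")
}
```

The script walks the whole connection table, so on a busy router it takes a moment and only runs when a lease is actually bound. Removing the entries is deliberate: a UDP flow that is refreshed every 10 s by the keepalive never reaches `udp-stream-timeout`, which is exactly why the stale masquerade survives unless the timeout is set below the keepalive interval (the post's other workaround, `/ip firewall connection tracking set udp-stream-timeout=...`) or the entry is dropped explicitly as here.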