Story
I have a VPN WireGuard virtual interface wg0 (can be anything else) and a physical interface eth0. I want to route packets from the VPN to my LAN, or from one interface to another interface.
Almost all the blogs, articles and tutorials advise using MASQUERADE or Source NAT only: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Moreover, IP masquerade is simply SNAT (Source NAT); it doesn't change the source port.
Question
- Am I wrong thinking I should use a NAPT/PAT instead?
- For completeness, how can I add a NAPT/PAT rule with iptables and/or nftables?
Thoughts
There might be (source port) conflicts between packets generated by the host and packets forwarded from wg0 (or any other virtual/physical interface). IMHO NAPT must be used to avoid these conflicts.
Best Answer
If the destination can route its traffic to the source, no NAT or PAT is required.
As an example, no NAT/PAT is required if the VPN clients in 10.8.0.0/24 want to talk with your LAN devices in 192.168.1.0/24, as long as the involved devices can route to the other network (through their gateway).
When the source is in an RFC 1918 (private IP) network and the destination is a public IP, because RFC 1918 networks are not routable over the Internet, a NAT is required to replace the private IP with the public IP. This is source address translation. This job can be done by SNAT, not PAT.
Furthermore, you are wrong assuming SNAT/MASQUERADE does not change source ports.
https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#SNATTARGET
Note that if your device wants to reach a remote server on a given destination port, there are chances that the operating system has already assigned a random source port above 1024. Reaching a remote HTTPS server on port 443 does not imply that the source port is 443.
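As an added illustration (not code from the question or the answer), the following Python model shows the two points of the answer in action: a POSTROUTING source-NAT rule keeps the original source port whenever the translated tuple is still free and only picks another port from its range when that tuple collides with an existing connection, while traffic the rule does not match (VPN to LAN, or the host's own packets) is routed untranslated. The rule it models is the usual refinement of the tutorial one-liner, with a destination exclusion so VPN-to-LAN traffic is not NATed; the addresses 203.0.113.10, 198.51.100.x, the port range and the conntrack table are assumed sample values, and the port choice is simplified (the kernel walks its range from a rover/hash rather than from the lowest free port).

```python
"""Simplified model of netfilter POSTROUTING source NAT (SNAT / MASQUERADE).

Added illustration, not kernel code. It mimics the documented behaviour of
the SNAT target: keep the original source port if the translated tuple is
unused, otherwise pick a free port from the configured range (this is the
"PAT" the question asks about; it is already part of SNAT/MASQUERADE).

The rule being modelled (sample addresses, assumed for the example):
  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 192.168.1.0/24 \
      -o eth0 -j SNAT --to-source 203.0.113.10:1024-65535
nftables equivalent inside a chain of type nat hook postrouting:
  ip saddr 10.8.0.0/24 ip daddr != 192.168.1.0/24 oifname "eth0" \
      snat to 203.0.113.10:1024-65535
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    oif: str  # outgoing interface chosen by the routing decision


@dataclass(frozen=True)
class SnatRule:
    oif: str
    src_net: str       # -s: only packets from this network are translated
    exclude_dst: str   # ! -d: leave traffic to this network untouched
    to_ip: str         # --to-source address
    port_range: tuple  # --to-source port range (low, high)


class Nat:
    def __init__(self, rules):
        self.rules = rules
        # conntrack stand-in: set of post-translation tuples in use
        self.conntrack = set()

    @staticmethod
    def _tuple(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def postrouting(self, p):
        """Apply the first matching SNAT rule, else forward unchanged."""
        for r in self.rules:
            src_ok = ipaddress.ip_address(p.src) in ipaddress.ip_network(r.src_net)
            dst_excluded = ipaddress.ip_address(p.dst) in ipaddress.ip_network(r.exclude_dst)
            if p.oif == r.oif and src_ok and not dst_excluded:
                return self._snat(p, r)
        self.conntrack.add(self._tuple(p))  # plain routing, tuple still tracked
        return p

    def _snat(self, p, r):
        low, high = r.port_range
        candidate = replace(p, src=r.to_ip)
        # Prefer to keep the original source port when it is in range and free...
        if low <= p.sport <= high and self._tuple(candidate) not in self.conntrack:
            self.conntrack.add(self._tuple(candidate))
            return candidate
        # ...and only rewrite it when the translated tuple would collide
        # (simplification: lowest free port; the kernel uses a rover/hash).
        for port in range(low, high + 1):
            candidate = replace(p, src=r.to_ip, sport=port)
            if self._tuple(candidate) not in self.conntrack:
                self.conntrack.add(self._tuple(candidate))
                return candidate
        raise RuntimeError("port range exhausted")


def demo():
    """Constructed scenario; returns the packets as they leave eth0."""
    nat = Nat([SnatRule("eth0", "10.8.0.0/24", "192.168.1.0/24",
                        "203.0.113.10", (1024, 65535))])
    flows = [
        # host's own connection, already using source port 40000
        Packet("tcp", "203.0.113.10", 40000, "198.51.100.7", 443, "eth0"),
        # VPN client to LAN: excluded from NAT, routed as-is
        Packet("tcp", "10.8.0.2", 40000, "192.168.1.20", 443, "eth0"),
        # VPN client to the same server and port as the host: collision
        Packet("tcp", "10.8.0.2", 40000, "198.51.100.7", 443, "eth0"),
        # same client, different server: no collision, port kept
        Packet("tcp", "10.8.0.2", 40000, "198.51.100.8", 443, "eth0"),
        # second VPN client, same server as the collision case
        Packet("tcp", "10.8.0.3", 40000, "198.51.100.7", 443, "eth0"),
    ]
    return [nat.postrouting(p) for p in flows]


if __name__ == "__main__":
    for out in demo():
        print(f"{out.src}:{out.sport} -> {out.dst}:{out.dport} via {out.oif}")
```

Running it shows the host keeps 40000, the VPN-to-LAN packet leaves with its 10.8.0.2 source intact, the colliding VPN flow is rewritten to 203.0.113.10:1024, the non-colliding one keeps port 40000, and the second client gets 1025: exactly the port translation the question wanted, supplied by SNAT itself.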