On Wed, Jul 8, 2020 at 12:32 PM Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
> what about limiting your NAT rules to the interface where you need it? on
> our nat router we have 3 interfaces
>
> * lan
> * wan
> * vpn
>
> NAT is strictly limited to "wan" and so any wireguard related traffic
> would never hit as well as lan-lan forwarding

That's what I am IMHO already doing. Only traffic routed to tun252 is NATed.
While WAN traffic also needs NATing, this is a different story in my setup as
it isn't handled by vpn-gw.

Regards,
Thilo
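As an added example (not from either poster), this is what "NAT strictly limited to one interface" looks like as an nftables ruleset, with the over-broad rule shown commented out beside the restricted one. The interface names lan/wan/vpn and tun252 are the ones named in the thread; the table and chain names, and the use of a counter, are my assumptions.

```nftables
# Added example, not from the thread. Interface names follow the messages
# above; table/chain names are assumed.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Too broad: rewrites the source address of every packet leaving the
        # box on any interface, so forwarded lan<->vpn traffic and the
        # wireguard traffic itself would be masqueraded too.
        # masquerade

        # Restricted form (Harald's layout): only traffic leaving via the
        # upstream interface is source-NATed. Traffic forwarded between
        # lan and vpn never matches this rule. The counter lets you confirm
        # with "nft list table ip nat" that only the expected flows hit it.
        oifname "wan" counter masquerade

        # In Thilo's layout the equivalent rule would name the tunnel
        # instead, e.g. oifname "tun252", and nothing else on the box.
    }
}
```

Load it with `nft -f <file>` and check the packet counter with `nft list table ip nat` while generating lan-to-vpn traffic: if the counter climbs on flows that should not be NATed, the match is still too wide.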