The example you provided I believe does NAT pooling (I think that is the correct term), instead of 1:1 NAT. This makes an input .1 address end up with a random .0-.255 destination IP for a /24 block.
This works for me:

- Ensure the firewall allows access to the zone(s) you are trying to access. For example, something like this:

```
config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'vpn'
```
- Add the following to `/etc/config/firewall`:

```
config include
	option type 'nftables'
	option path '/etc/firewall_1to1_nat.nft'
	option position 'ruleset-post'
```
- Create `/etc/firewall_1to1_nat.nft`. This will translate inbound 10.11.0.0/24 to 192.168.0.0/24 and back:

```
# Declare the table first so the delete below does not fail on the first load,
# then delete it so the file can be reloaded without duplicating rules.
table ip NAT1to1
delete table ip NAT1to1
table ip NAT1to1 {
	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
		# Inbound from the tunnel: 10.11.0.x -> 192.168.0.x (host bits kept)
		ip daddr 10.11.0.0/24 iif WIREGUARD counter meta nftrace set 1 dnat ip prefix to ip daddr map { 10.11.0.0/24 : 192.168.0.0/24 }
	}
	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
		# Replies back into the tunnel: 192.168.0.x -> 10.11.0.x
		ip saddr 192.168.0.0/24 oif WIREGUARD counter meta nftrace set 1 snat ip prefix to ip saddr map { 192.168.0.0/24 : 10.11.0.0/24 }
	}
}
```
Note: remove the `counter` and `meta nftrace set 1` bits as needed.

Note: this works on `ip` type nftables but not the `inet` type. `inet` tables end with an `Error: Could not process rule: Not supported` message.

Note: for WireGuard, the remote end will need to have 10.11.0.0/24 in allowed IPs for this example.

Source: https://git.netfilter.org/nftables/commit/?id=35a6b10c1bc488ca195e9c641563c29251f725f3
- Also do not forget to update `/etc/sysupgrade.conf` so your backups also contain the updated file:

```
/etc/firewall_defray_1to1_nat.nft
```
Edit: corrected error; you cannot flush a table.
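As an added example (not part of the post above, and not OpenWrt or nftables project code), the following Python models what the `prefix to ... map` rule does so you can predict the translation before loading it: a 1:1 prefix map keeps the host bits of the address and swaps only the network bits, which is the difference from NAT pooling described at the top of the thread. It also renders the post's `.nft` file from parameters, keeping the declare-then-delete pattern. Assumptions: both prefixes must be the same length for a 1:1 map (an assumption of this helper, not something checked against the nftables source), and the interface and table names are placeholders that you should replace with your own.

```python
"""Added example: predict and render a 1:1 (prefix-to-prefix) nftables NAT.

Not the forum post's code. Assumptions: equal prefix lengths on both
sides, placeholder interface/table names, counters kept but nftrace left out.
"""
import ipaddress


def netmap(addr, src_net, dst_net):
    """Translate addr from src_net to the same host position in dst_net.

    1:1 behaviour: 10.11.0.7 -> 192.168.0.7. NAT pooling, by contrast, could
    hand back any free address in dst_net, which is what the post wants to avoid.
    """
    src = ipaddress.ip_network(src_net)
    dst = ipaddress.ip_network(dst_net)
    ip = ipaddress.ip_address(addr)
    # Assumption: a 1:1 map only makes sense between equal-size prefixes.
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 prefix map needs equal prefix lengths")
    if ip not in src:
        raise ValueError(f"{ip} is not inside {src}")
    host_bits = int(ip) & int(src.hostmask)          # keep the host part
    return str(ipaddress.ip_address(int(dst.network_address) | host_bits))


def check_roundtrip(outer, inner):
    """Every outer address maps to a distinct inner address and back again."""
    seen = set()
    for ip in ipaddress.ip_network(outer):
        mapped = netmap(str(ip), outer, inner)
        if mapped in seen or netmap(mapped, inner, outer) != str(ip):
            return False
        seen.add(mapped)
    return len(seen) == ipaddress.ip_network(inner).num_addresses


# Same layout as the post's file; doubled braces are literal braces for str.format.
NFT_TEMPLATE = """\
table ip {table}
delete table ip {table}
table ip {table} {{
    chain dstnat {{
        type nat hook prerouting priority dstnat; policy accept;
        ip daddr {outer} iif {iface} counter dnat ip prefix to ip daddr map {{ {outer} : {inner} }}
    }}
    chain srcnat {{
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr {inner} oif {iface} counter snat ip prefix to ip saddr map {{ {inner} : {outer} }}
    }}
}}
"""


def render_nft(outer, inner, iface="WIREGUARD", table="NAT1to1"):
    """Render the .nft include for translating outer <-> inner on iface.

    iface and table are placeholders (assumed names), not values from the post's
    router beyond what it shows.
    """
    out = ipaddress.ip_network(outer)
    inn = ipaddress.ip_network(inner)
    if out.prefixlen != inn.prefixlen:
        raise ValueError("1:1 prefix map needs equal prefix lengths")
    return NFT_TEMPLATE.format(table=table, outer=str(out), inner=str(inn), iface=iface)


if __name__ == "__main__":
    print(netmap("10.11.0.7", "10.11.0.0/24", "192.168.0.0/24"))  # 192.168.0.7
    print("roundtrip ok:", check_roundtrip("10.11.0.0/24", "192.168.0.0/24"))
    print(render_nft("10.11.0.0/24", "192.168.0.0/24"))
```

Run `render_nft(...)` with your own prefixes and interface, write the output to the include path named in `/etc/config/firewall`, and use `netmap(...)` to confirm which inner address a given tunnel-side destination should reach before you enable the rules.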