Disable masquerade

When I connect to a remote host, I see the request is made from the Firezone server rather than the client IP.

My client IP is 10.3.2.5 and remote ssh server is 10.140.0.2. How can I get to see the client IP on my remote server?

Hello!

And can I ask you to send the firewall settings?

@remy @parmon

Firezone enables NAT / masquerading by default, but these are simply rules added to the nftables ruleset. If you run /opt/firezone/embedded/sbin/nft list ruleset, you should see output something like:

table inet firezone {
	chain forward {
		type filter hook forward priority filter; policy accept;
	}

	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "enp1s0" masquerade random,persistent
		oifname "enp6s0" masquerade random,persistent
	}
}

Firezone ensures these entries exist on boot up, but you can temporarily disable this with /opt/firezone/embedded/sbin/nft delete chain inet firezone postrouting without restarting Firezone – does this give the behavior you want?

If that works for you, we could add a flag in the config to disable masquerading so that these rules aren’t loaded on boot up.

1 Like
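As an added example (not Firezone's own code), the script below parses a dump of `nft list ruleset` in the format shown above, reports which egress interfaces carry a masquerade rule in Firezone's postrouting chain, and only when run with the argument `apply` executes the delete command from the reply. The sample ruleset is constructed to match the output quoted in the thread; the helper names `masq_ifaces`, `masq_count` and `disable_masquerade` are this example's own.

```shell
#!/bin/sh
# Added example, not part of Firezone. Inspect an nft ruleset dump for the
# masquerade rules Firezone installs and, on request, remove the chain.
NFT=/opt/firezone/embedded/sbin/nft   # path quoted in the thread

# Constructed sample of `nft list ruleset` output, as shown in the reply above.
SAMPLE_RULESET='table inet firezone {
	chain forward {
		type filter hook forward priority filter; policy accept;
	}

	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "enp1s0" masquerade random,persistent
		oifname "enp6s0" masquerade random,persistent
	}
}'

# masq_ifaces RULESET_TEXT
# Print, one per line, the oifname of every masquerade rule found inside the
# "postrouting" chain of "table inet firezone". Other tables/chains are ignored.
masq_ifaces() {
    printf '%s\n' "$1" | awk '
        /^table inet firezone/          { in_table = 1; next }
        in_table && /^}/                { in_table = 0 }
        in_table && /chain postrouting/ { in_chain = 1; next }
        in_chain && /^[[:space:]]*}/    { in_chain = 0 }
        in_chain && /masquerade/ {
            for (i = 1; i <= NF; i++)
                if ($i == "oifname") { gsub(/"/, "", $(i + 1)); print $(i + 1) }
        }'
}

# masq_count RULESET_TEXT
# Number of masquerade rules in the Firezone postrouting chain (0 if none).
masq_count() {
    masq_ifaces "$1" | awk 'END { print NR }'
}

# disable_masquerade
# Remove the chain from the live ruleset. Needs root and the nft binary;
# Firezone recreates the chain on its next start, so this is temporary.
disable_masquerade() {
    "$NFT" delete chain inet firezone postrouting
}

# Run against the live ruleset only when explicitly asked.
if [ "${1:-}" = "apply" ]; then
    live=$("$NFT" list ruleset)
    if [ "$(masq_count "$live")" -gt 0 ]; then
        echo "masquerade active on: $(masq_ifaces "$live" | tr '\n' ' ')"
        disable_masquerade && echo "postrouting chain removed"
    else
        echo "no masquerade rules in table inet firezone"
    fi
fi
```

Without source NAT the remote host sees the client's tunnel address (10.3.2.5 in the question), so it, or its gateway, must have a route back to the WireGuard client subnet via the Firezone server; otherwise replies never reach the client even though the requests now show the real IP.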

Hello Jamil,

Yes, I had seen that rule but was not sure how to remove it.

As you said, after removing it with "/opt/firezone/embedded/sbin/nft delete chain inet firezone postrouting", this is working as expected.

Is it possible to add a postrouting rule per user?
Adding a config parameter to disable it will work.

Hi,

Do you use nftables to manage other firewall rules?

The way I would suggest is adding a post routing chain to your main table. That post routing chain should have a higher/lower (depending on the way you see it) preference than the Firezone one so that it is processed first. You can then skip source NAT for specific destinations/networks.

1 Like

This server is dedicated only to VPN connections; I don’t use separate netfilter, iptables or firewalld rules on it. ACLs are handled externally by a security list, so I need to know the actual client IP.