When I connect to the remote host, I see the request is made from the Firezone server rather than the client IP.
My client IP is 10.3.2.5 and the remote SSH server is 10.140.0.2. How can I get to see the client IP on my remote server?
Hello!
And can I ask you to send the firewall settings?
Firezone enables NAT / masquerading by default, but these are simply rules added to the nftables ruleset. If you run /opt/firezone/embedded/sbin/nft list ruleset, you should see output something like:
    table inet firezone {
        chain forward {
            type filter hook forward priority filter; policy accept;
        }
        chain postrouting {
            type nat hook postrouting priority srcnat; policy accept;
            oifname "enp1s0" masquerade random,persistent
            oifname "enp6s0" masquerade random,persistent
        }
    }
Firezone ensures these entries exist on boot up, but you can temporarily disable this with /opt/firezone/embedded/sbin/nft delete chain inet firezone postrouting without restarting Firezone – does this give the behavior you want?
If that works for you, we could add a flag in the config to disable masquerading so that these rules aren’t loaded on boot up.
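As an added example (not part of the thread and not Firezone's own code), here is a small shell script that audits an nftables ruleset for masquerade rules, so you can confirm what source NAT is in place before and after deleting the Firezone postrouting chain. It assumes the embedded nft path quoted above; the sample ruleset embedded in the script is a constructed copy of the output shown in the reply, and the live-ruleset and delete helpers need root on the Firezone host.

```shell
#!/bin/sh
# Added example, not Firezone's code: audit an nftables ruleset for masquerade rules.
# Assumes the embedded nft binary path given in the thread.
NFT=/opt/firezone/embedded/sbin/nft

# Constructed sample ruleset, copied from the output shown in the reply above.
SAMPLE_RULESET='table inet firezone {
    chain forward {
        type filter hook forward priority filter; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "enp1s0" masquerade random,persistent
        oifname "enp6s0" masquerade random,persistent
    }
}'

# list_masquerade_rules: read "nft list ruleset" text on stdin and print one line
# per masquerade rule as "<family> <table> <chain> <oifname>" ("*" if no oifname).
list_masquerade_rules() {
    awk '
        /^table /         { table = $2 " " $3 }
        /^[ \t]*chain /   { chain = $2 }
        /masquerade/ {
            iface = "*"
            for (i = 1; i <= NF; i++)
                if ($i == "oifname") { iface = $(i + 1); gsub(/"/, "", iface) }
            print table, chain, iface
        }
    '
}

# count_masquerade_rules: number of masquerade rules in the ruleset text given as $1.
count_masquerade_rules() {
    printf '%s\n' "$1" | list_masquerade_rules | wc -l | tr -d ' '
}

# live_masquerade_rules: the same check against the running kernel ruleset (root).
live_masquerade_rules() {
    "$NFT" list ruleset | list_masquerade_rules
}

# disable_masquerade: the temporary change from the thread; Firezone re-creates
# the chain on its next start, so this is not persistent.
disable_masquerade() {
    "$NFT" delete chain inet firezone postrouting
}

# Stand-alone run: report what the constructed sample contains.
printf '%s\n' "$SAMPLE_RULESET" | list_masquerade_rules
```

Run live_masquerade_rules before and after disable_masquerade: with the Firezone postrouting chain present it lists one line per masquerading interface, and after the chain is deleted it prints nothing, at which point the remote sshd should start seeing the real client address instead of the Firezone server's.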
Hello Jamil,
Yes, I had seen that rule but was not sure how to remove it.
As you said, after removing it with "/opt/firezone/embedded/sbin/nft delete chain inet firezone postrouting" this is working as expected.
Is it possible to add postrouting rule per user?
Adding a config parameter to disable will work.
Hi,
Do you use nftables to manage other firewall rules?
The way I would suggest is adding a post routing chain to your main table. That post routing chain should have a higher/lower (depending on the way you see it) preference than the Firezone one so that it is processed first. You can then skip source NAT for specific destinations/networks.
This server is dedicated only for VPN connections; I don’t use separate netfilter, iptables or firewalld rules on this. ACLs are handled externally by a security list, and so I need to know the actual client IP.
Hi guys,
Is the config parameter to disable masquerade a thing?
Thanks