Issue with masquerading on OPNSense #5253
Description
Describe the problem
We are trying to establish a site-to-site connection using two OPNSense relays using the networks feature.
Both peers have masquerading enabled but pings do not reach clients on the other side, nor can the clients reach the peers on the netbird net.
When capturing the paket traffic we noticed that no matter the masquerading setting the source IP is not replaced on the netbird interface side, as we would have expected.
When creating our own NAT rule, the traffic can be routed successfully.
To Reproduce
- Set up two OPNSense with netbird plugin
- Configure a private networks behind eachOPNSense
- Assign each OPNSenses as routing peers for their network
- Grant access for both networks to each other (and their peer)
- Try to ping a client on the other network
Expected behavior
I should get an ICMP response
Are you using NetBird Cloud?
No
NetBird version
MGMT 64.2
OPNSense 60.7
Is any other VPN software installed?
No
Debug output
ea53fa0b2958303c3589bca6e3b321a80da8ebdb6c57193017262bd407a5841a/3e839bcb-0fca-47b8-bbb7-71afc37788c7
Screenshots
Paket trace of ICMP. Masquerade enabled.
Additional context
No
Have you tried these troubleshooting steps?
- Reviewed client troubleshooting (if applicable)
- Checked for newer NetBird versions
- Searched for similar issues on GitHub (including closed ones)
- Restarted the NetBird client
- Disabled other VPN software
- Checked firewall settings