Hacker News

direwolf20 | yesterday at 9:53 PM | 2 replies

It's not enough to set fake routes. You have to edit the addresses in the packets, so the end devices will receive them.


Replies

pcarroll | yesterday at 10:39 PM

The problem there is that you still need to keep track of the subnets. It works for a while, but it's quite complex. NAT is actually easier when you get into hundreds of sites.

Frotag | yesterday at 10:15 PM

Yeah, so instead of DNAT, use NETMAP on the gateway device to that LAN. (Sorry if I'm abusing the terminology, I only do this stuff like once a year for homelab.)

e.g. this is what I'm currently using to alias my home network:

    # Rewrite 192.168.150.?? as 192.168.50.??
    PreUp = iptables -t nat -A PREROUTING -d 192.168.150.0/24 -j NETMAP --to 192.168.50.0/24
    PostDown = iptables -t nat -D PREROUTING -d 192.168.150.0/24 -j NETMAP --to 192.168.50.0/24

With other wg peers getting a 192.168.150.0/24 entry in the AllowedIPs for this gateway (if needed).
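The difference between the DNAT that direwolf20 alludes to and the NETMAP rule Frotag posted is easy to lose in iptables syntax, so here is a small model of what the gateway actually does to each packet. This is an added example, not code from the thread or from any iptables/WireGuard project; the wg address 10.66.0.5, the ports and the host numbers are constructed, and the `Gateway` class is a stand-in for the kernel's nat table plus conntrack, not a real netfilter API. It shows that NETMAP keeps the host bits (so one rule covers the whole /24), that DNAT collapses every matched destination onto one address, and that replies from the real LAN host get their alias restored by connection tracking rather than by a second rule.

```python
"""Model of iptables NETMAP versus DNAT on a WireGuard gateway.

Added example, not from the original thread. All addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def netmap(addr: str, from_net: str, to_net: str) -> str:
    """1:1 prefix rewrite, as `-j NETMAP --to <to_net>` does.

    The network bits are swapped for those of `to_net`; the host bits are
    kept, so 192.168.150.23 -> 192.168.50.23. Packets outside `from_net`
    are returned unchanged (the rule simply does not match).
    """
    a = ipaddress.ip_address(addr)
    f = ipaddress.ip_network(from_net)
    t = ipaddress.ip_network(to_net)
    if f.prefixlen != t.prefixlen:
        raise ValueError("NETMAP needs equal prefix lengths on both sides")
    if a not in f:
        return addr
    host_bits = int(a) & ~int(f.netmask)
    return str(ipaddress.ip_address(int(t.network_address) | host_bits))


def dnat(addr: str, match_net: str, to_addr: str) -> str:
    """Plain `-j DNAT --to-destination <to_addr>`: every matched destination
    becomes the same address, so per-host aliasing needs one rule per host."""
    if ipaddress.ip_address(addr) in ipaddress.ip_network(match_net):
        return to_addr
    return addr


class Gateway:
    """PREROUTING NETMAP plus a conntrack-style table (assumed model, not a real API).

    Inbound packets from wg peers have their destination rewritten from the
    alias net to the real net; the (real_dst, dport, src, sport) tuple is
    remembered so the LAN host's reply gets the alias put back as its source.
    """

    def __init__(self, alias_net: str, real_net: str) -> None:
        self.alias_net = alias_net
        self.real_net = real_net
        self.conntrack: dict[tuple[str, int, str, int], str] = {}

    def inbound(self, pkt: Packet) -> Packet:
        real_dst = netmap(pkt.dst, self.alias_net, self.real_net)
        if real_dst != pkt.dst:
            self.conntrack[(real_dst, pkt.dport, pkt.src, pkt.sport)] = pkt.dst
        return Packet(pkt.src, real_dst, pkt.sport, pkt.dport)

    def reply(self, pkt: Packet) -> Packet:
        # The LAN host answers from its real address; restore the alias the
        # remote peer originally talked to, or pass through if not tracked.
        alias = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if alias is None:
            return pkt
        return Packet(alias, pkt.dst, pkt.sport, pkt.dport)


if __name__ == "__main__":
    gw = Gateway("192.168.150.0/24", "192.168.50.0/24")
    inbound = gw.inbound(Packet("10.66.0.5", "192.168.150.23", 51000, 22))
    print("to LAN:  ", inbound)        # dst becomes 192.168.50.23
    back = gw.reply(Packet("192.168.50.23", "10.66.0.5", 22, 51000))
    print("to peer: ", back)           # src restored to 192.168.150.23
```

Two caveats the model makes visible. The reply only works because the LAN host can route to 10.66.0.5 via the gateway (or because you add a POSTROUTING MASQUERADE/SNAT); conntrack un-maps the address, it does not create a return route. And PREROUTING NETMAP only covers connections initiated from the wg side; if LAN hosts need to reach other sites that alias *them*, you need the mirror-image NETMAP rule in POSTROUTING on the source address.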