I have a NAT rule forwarding port 3389 hitting the external interface to an internal address 192.168.1.5 for RDP. This rule works fine; however, I also have an IPsec VPN tunnel between offices, and when trying to establish an RDP session to any internal address (1.2, 1.7, etc.) over the tunnel I always get forwarded to 192.168.1.5. Now I realize that the VPN tunnel uses the external IP for the endpoint, but I didn't expect the NAT rule to affect traffic flowing through the tunnel, as I am using the private IP address for the session, not the external one. Any thoughts?
After decryption the packet is processed from scratch starting in prerouting just like any other packet.
Simple fix: add src-address=!a.b.c.d/n to the NAT rule, where that is your private network at the other end of the tunnel. That excludes those addresses from being matched by that rule. If you have several NAT rules to exempt yourself from, add action=accept rules for that subnet and move them to the top of the rule set.
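Worked example of the two fixes above, added here and not part of the thread. It assumes MikroTik RouterOS syntax (the rule syntax in the answer matches it), a WAN interface named ether1, a local LAN of 192.168.1.0/24 and a remote-office LAN of 192.168.2.0/24 standing in for a.b.c.d/n; all of those names and subnets are placeholders. The third variant (the ipsec-policy matcher) is not mentioned in the answer; it is a RouterOS feature included here as an alternative.

```routeros
# Added example, not from the original post. Assumptions: RouterOS syntax,
# WAN interface "ether1", local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24.

# The rule as the question describes it. A packet decrypted from the tunnel
# re-enters prerouting with in-interface still set to the WAN interface the
# ESP packet arrived on, so a plain port-3389 match catches it as well and
# rewrites its destination to 192.168.1.5.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=3389 \
    action=dst-nat to-addresses=192.168.1.5 to-ports=3389 \
    comment="RDP forward (also catches decrypted tunnel traffic)"

# Fix 1 (single rule): negate the remote office's private network in the
# source match. Packets from 192.168.2.0/24 no longer match this rule.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=3389 \
    src-address=!192.168.2.0/24 \
    action=dst-nat to-addresses=192.168.1.5 to-ports=3389 \
    comment="RDP forward, remote LAN exempted"

# Fix 2 (several forwarding rules): one accept rule for the tunnel subnet,
# placed above every dst-nat rule. action=accept stops processing of the
# dstnat chain for that packet, so no later rule can rewrite it.
/ip firewall nat
add chain=dstnat src-address=192.168.2.0/24 action=accept \
    place-before=0 comment="Tunnel traffic: never dst-nat"

# Alternative not in the answer: match "was decrypted by IPsec" directly,
# which covers every tunnel subnet without listing them.
/ip firewall nat
add chain=dstnat ipsec-policy=in,ipsec action=accept \
    place-before=0 comment="Any decrypted IPsec traffic: never dst-nat"

# Check: the accept rule must be listed first, and its packet counter should
# climb while the RDP forward's counter stays still when you connect over
# the tunnel.
/ip firewall nat print stats
```

Rule order is what makes fix 2 work; if a later `add` or a GUI drag moves a dst-nat rule above the accept rule, the problem comes back, so re-check `print stats` after any change to the NAT table.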