Wireguard for external gateway

I’m asking this question more as a general theory question - since I think I’ve fought with this before and I don’t know if I’m missing something in practice or if my basic theory is wrong.

IoT device connected to a mAP. IoT uses mAP as gateway.
mAP connected to internet through 3rd-party router.
mAP connects to my Wireguard server (Ubuntu Linux).

So far so good - the above works and I can usually replicate this at other sites. Now…

IoT device needs to access an internet target address/port/protocol (let’s call it TIP) that 3rd-party gateway blocks.
My Wireguard server can freely access TIP and has a srcnat for outbound communication.
Add TIP to mAP Wireguard allowedip.
Attempt to access TIP from mAP - succeeds.
Attempt to access TIP from IoT - fails.

Ok…try a fallback.

Wireguard server - add dstnat rule for a designated port on the Wireguard interface targeting TIP.
IoT configure Wireguard server/port for the desired service via the server dstnat - succeeds.

So, what amounts to double srcnat fails, but an internal dstnat works. Is my configuration broken - or am I applying theory wrong and the double srcnat will never work?

Hello,

This:

Add TIP to mAP Wireguard allowedip.
Attempt to access TIP from mAP - succeeds.
Attempt to access TIP from IoT - fails.

The answer is this:

IoT device connected to a mAP. IoT uses mAP as gateway.

You need to srcnat IoT as the mAP gateway IP, as it is not full IP routing but IP srcnat.

So, what amounts to double srcnat fails, but an internal dstnat works

Not necessarily true. Sometimes we need to look at the dstnat/srcnat case by case, according to how you want to drive the incoming/outgoing traffic.

Hope this helps.

I don’t understand. Are you saying I need to run srcnat on the LAN interface of the mAP? The IoT device just receives DHCP from the mAP and there’s nothing else I can configure on it.

dalami,

When there are 2 routes to the internet in a single router: 1 to the internet and 1 to the WireGuard network (which, for simplicity, let us call the second "internet"), the mAP LAN member (IoT) needs to know which route to use to reply to pings.

The symptoms: from TIP you can ping the mAP IP, but not the mAP members (IoT).

It simply means that the TIP network is not directly connected to the mAP LAN network (or there is no route back to the TIP network).

Hence, when you do dstnat from your TIP to mAP, the WireGuard worked. This is actually the same thing as srcnat on the WireGuard interface from TIP to mAP (making the TIP network the same network as the mAP LAN network (reverse NAT)).

About nothing to config on the mAP device - I don’t know, as I don’t have one.

Hope this helps.
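The srcnat approach from the replies, written out as RouterOS v7 configuration for the mAP; this is an added example and not configuration posted by either participant. The reason the srcnat is needed is WireGuard's cryptokey routing: the Ubuntu server only accepts packets from the mAP peer whose source address falls inside that peer's AllowedIPs, so packets carrying the IoT device's LAN address are silently dropped unless they are masqueraded to the mAP's tunnel address (or the LAN subnet is added to AllowedIPs on the server). Assumed, not from the thread: mAP tunnel address 10.66.0.2/24, server tunnel address 10.66.0.1, IoT LAN 192.168.88.0/24, TIP 203.0.113.10 (documentation range), server endpoint vpn.example.net:13231.

```routeros
# Added example; all addresses, names and keys below are assumptions, not from the thread.
/interface/wireguard/add name=wireguard1 listen-port=13231 private-key="<mAP private key>"
/ip/address/add address=10.66.0.2/24 interface=wireguard1

# Cryptokey routing on the mAP side: traffic to TIP only enters the tunnel
# if TIP is covered by the peer's allowed-address (the "allowedip" in the question).
/interface/wireguard/peers/add interface=wireguard1 public-key="<server public key>" \
    endpoint-address=vpn.example.net endpoint-port=13231 \
    allowed-address=10.66.0.0/24,203.0.113.10/32 persistent-keepalive=25s

# Send TIP into the tunnel instead of out through the 3rd-party router.
/ip/route/add dst-address=203.0.113.10/32 gateway=wireguard1

# The piece that makes the IoT device work: rewrite LAN sources to the mAP's
# tunnel address, so the server's AllowedIPs for this peer (10.66.0.2/32) accepts
# the packets and its own srcnat then forwards them to TIP.
/ip/firewall/nat/add chain=srcnat out-interface=wireguard1 \
    src-address=192.168.88.0/24 action=masquerade

# Alternative without this NAT ("full IP routing"): add the IoT LAN to the mAP
# peer's AllowedIPs on the Ubuntu server (wg-quick installs the return route):
#   [Peer]
#   PublicKey = <mAP public key>
#   AllowedIPs = 10.66.0.2/32, 192.168.88.0/24
```

To confirm which case you are in, run `wg show` on the server while the IoT device tries to reach TIP: a climbing "received" counter with no reply traffic is the signature of packets being discarded by AllowedIPs rather than by routing.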