How should this work?
Hm, I thought this should match the masquerading rule? Like for any other client on the internal side of NAT.
Concerning the packet-flow diagram, I guessed it should go through
local -> output -> postrouting (src-nat/masquerading) -> ... -> out-interface
Am I wrong?
@normis: In this particular case there are other subnets inside that are not allowed internet access. Otherwise the rule should of course be (and I tried this too)
chain=srcnat out-interface=to-wan action=masquerade
(BTW, it's not for fun: this morning we had a support issue where the VPN was working, but no internet access was possible. After a reboot everything was OK, but I'm still searching for the reason.)
Thanks (I'll go mad on this... ;-)