Typically, our standard default install will have a masquerade rule on the outbound interface of a router. Sometimes, when using static IPs, we can use an explicit src-nat instead of a masquerade. I *think* this isn't terribly controversial.
Now, if I add a tunnel, say WireGuard for argument's sake, we'll add another src-nat or masquerade rule for the tunnel. As this is the more restrictive traffic it goes before the default rule. Feel free to flame me here if this is wrong.
Now - it seems to me this should account for all traffic. Yet, if I add a final "catchall" masquerade rule with no conditions some packets do go through it. Not many - but more than 0 which I don't understand. What would be causing this? This is without (as far as I know) broadcast services like OSPF enabled.
This then makes me wonder - what's wrong with just a generic masquerade rule with no conditions on it?
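As an added example (not part of the post, and not any router vendor's code), here is a small Python simulation of the three-rule srcnat chain described above, assuming first-match evaluation as in RouterOS or iptables/nftables NAT chains. The topology, interface names, router addresses and sample packets are all constructed assumptions. It shows two things a practitioner would check: the catch-all rule's hit list tells you exactly which forwarding paths the specific rules did not cover (the post's "more than 0" packets), and an unconditional masquerade also rewrites the source address of traffic that was never meant to be translated, for instance packets routed between two internal segments, which hides the real sender from the receiving host's logs.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    out_iface: str  # interface chosen by the routing decision, before srcnat runs


@dataclass
class NatRule:
    name: str
    out_iface: Optional[str] = None  # None = no out-interface condition
    src_net: Optional[str] = None    # None = no source-address condition
    hits: List[Packet] = field(default_factory=list)

    def matches(self, pkt: Packet) -> bool:
        if self.out_iface is not None and pkt.out_iface != self.out_iface:
            return False
        if self.src_net is not None and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        return True


def apply_srcnat(rules: List[NatRule], packets: List[Packet]) -> Dict[str, List[Packet]]:
    """First matching rule claims the packet (srcnat chain semantics); later rules never see it."""
    for rule in rules:
        rule.hits.clear()
    for pkt in packets:
        for rule in rules:
            if rule.matches(pkt):
                rule.hits.append(pkt)
                break
    return {rule.name: list(rule.hits) for rule in rules}


# Constructed topology (assumption): LAN 192.168.88.0/24 on "bridge", a second routed
# segment 192.168.89.0/24 on "lan2", WAN on "ether1", WireGuard tunnel on "wg0".
ROUTER_ADDR = {"ether1": "198.51.100.2", "wg0": "10.200.0.1",
               "bridge": "192.168.88.1", "lan2": "192.168.89.1"}

RULES = [
    NatRule("wg-tunnel", out_iface="wg0", src_net="192.168.88.0/24"),  # more specific, goes first
    NatRule("wan-masquerade", out_iface="ether1"),                     # the default outbound rule
    NatRule("catchall"),                                               # no conditions at all
]

# Constructed sample forwarding decisions, one per path worth checking.
SAMPLE_PACKETS = [
    Packet("192.168.88.10", "203.0.113.5", "ether1"),   # LAN host -> internet
    Packet("192.168.88.11", "10.200.0.7", "wg0"),       # LAN host -> tunnel peer
    Packet("192.168.88.1", "203.0.113.9", "ether1"),    # router-originated -> internet
    Packet("192.168.88.12", "192.168.89.5", "lan2"),    # LAN -> second segment, routed internally
]


def catchall_hits(rules=RULES, packets=SAMPLE_PACKETS) -> List[Packet]:
    """Packets no specific rule claimed: inspect these to learn what is falling through."""
    return apply_srcnat(rules, packets)["catchall"]


def translated_src(pkt: Packet, rules=RULES) -> str:
    """Source address after the chain, modelling every rule as masquerade
    (rewrite to the outgoing interface's own address)."""
    for rule in rules:
        if rule.matches(pkt):
            return ROUTER_ADDR[pkt.out_iface]
    return pkt.src


def inter_lan_src(with_catchall: bool) -> str:
    """Source seen by 192.168.89.5 for the internally routed packet, with/without the catch-all."""
    rules = RULES if with_catchall else RULES[:2]
    return translated_src(SAMPLE_PACKETS[3], rules)


if __name__ == "__main__":
    for name, hit in apply_srcnat(RULES, SAMPLE_PACKETS).items():
        print(f"{name:15s} {[ (p.src, p.dst, p.out_iface) for p in hit ]}")
    print("inter-LAN source with catch-all:", inter_lan_src(True))
    print("inter-LAN source without it:   ", inter_lan_src(False))
```

In practice the same diagnostic is done on the router itself by reading the catch-all rule's packet counter and, temporarily, enabling logging on that rule so the source, destination and out-interface of each stray packet are recorded; once the paths are known, the rule can be replaced by a specific one or dropped. The simulation's last two lines make the cost of leaving it in place concrete: the internally routed packet arrives at the second segment with the router's address as its source.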