This is quite a bad issue because there is no workaround. When I create an SNAT rule for a host to a different public IP address and select RED as destination it will also apply for IPsec tunnels (because those are routed to red0). Please add something to check if an IPsec policy applies and only enforce this rule then.
Can you please give me a detailed configuration of the rule? If I use SNAT I am only able to assign RED, ORANGE or GREEN as Source address.
Created attachment 705: Screenshot of the rule. Is this screenshot okay? The particular problem here is that the SNAT rule will match when a packet is being sent from zeiterfassung01.haj.lightningwirelabs.com to a host on an IPsec network. The NAT rule will apply and change the source IP address of the packet, which should NOT happen for the VPN. Hence the packet cannot be routed properly and the connection is never established. Disabling the rule allows the host to talk to all hosts on the VPN networks.
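As an added illustration of the check the reporter asks for (this is example code, not IPFire's rule generator and not the patch referenced later in this thread), the script below emits the nat POSTROUTING rules for one SNAT mapping so that packets which the kernel will encapsulate in an IPsec tunnel are exempted before the SNAT rule is reached. It relies on the iptables `policy` match (`-m policy --dir out --pol ipsec`), which matches outbound packets covered by an xfrm policy; an ACCEPT in the nat table ends NAT processing for that packet. The interface name red0 comes from the report; the LAN host 10.0.0.10 and the public address 203.0.113.5 are constructed placeholders. By default the script only prints the commands; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not IPFire code. Generates nat POSTROUTING rules in which an
# IPsec policy bypass precedes the SNAT rule, so VPN traffic keeps its source IP.
# Assumptions: iface red0 (from the report), host 10.0.0.10 and public IP
# 203.0.113.5 are constructed placeholders.
IPT="${IPT:-echo iptables}"   # default prints the commands instead of applying them

snat_rules() {
    host="$1"; public_ip="$2"; iface="${3:-red0}"
    # 1. Packets from the host that match an outbound IPsec policy leave the nat
    #    table untouched, so the tunnel sees the original source address.
    $IPT -t nat -A POSTROUTING -s "$host" -o "$iface" \
        -m policy --dir out --pol ipsec -j ACCEPT
    # 2. Everything else from the host leaving red0 is source-NATed to the public IP.
    $IPT -t nat -A POSTROUTING -s "$host" -o "$iface" -j SNAT --to-source "$public_ip"
}

# Sanity check on the generated rule list: the bypass must come first, because
# iptables evaluates nat rules in order and the first terminating match wins.
# Returns 0 when the policy bypass precedes the SNAT rule, 1 otherwise.
bypass_precedes_snat() {
    out="$(IPT='echo iptables'; snat_rules "$@")"
    bypass_line=$(printf '%s\n' "$out" | grep -n -- '--pol ipsec' | cut -d: -f1 | head -n1)
    snat_line=$(printf '%s\n' "$out" | grep -n -- '-j SNAT' | cut -d: -f1 | head -n1)
    [ -n "$bypass_line" ] && [ -n "$snat_line" ] && [ "$bypass_line" -lt "$snat_line" ]
}
```

An equivalent single-rule form is to add `-m policy --dir out --pol none` to the SNAT rule itself, so it only matches packets that have no IPsec policy; the separate ACCEPT rule above is used here because it keeps the exemption visible in the rule list and easy to verify with `iptables -t nat -L POSTROUTING -v`.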
*** Bug 11937 has been marked as a duplicate of this bug. ***
Patch has been sent to the development mailing list: https://patchwork.ipfire.org/patch/2799/
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=c4b7692ad942d883dbea8f078b2a5c0c1de125f2
This will be shipped with Core Update 143 although the release notes do not mention it. https://blog.ipfire.org/post/ipfire-2-25-core-update-143-is-available-for-testing
https://blog.ipfire.org/post/ipfire-2-25-core-update-143-released