I have set up a Pi running Pi OS 11 as a VPN gateway for my local network using WireGuard & nftables; that all works fine.
However, I wish to switch over to firewalld to be compatible with Docker without using iptables.
What I have so far is this:
- internal zone: eth0
- external zone: wg0
I cannot figure out how to get firewalld to forward traffic between eth0 & wg0. With raw nftables I just have the following (my forward chain drops by default):
nft insert rule inet firewall forward iifname "eth0" oifname "wg0" accept
nft insert rule inet firewall forward iifname "wg0" oifname "eth0" ct state related,established accept
But I cannot find out how to conditionally forward between interfaces, as in the above rules.
I do not want eth0 in the external zone with wg0, as I want internet access kill-switched if the VPN goes down; plus it sort of goes against the whole idea of zones, no? eth0 is just for the LAN & wg0 is for external connectivity.
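As an added example (not part of the original post), this is the firewalld equivalent of the two nft rules: a policy object, which is how firewalld (0.9 and later) expresses forwarding between two zones. The policy and zone names are assumptions based on the zones named above; the file path is the standard location for user-defined policies.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- /etc/firewalld/policies/lan-to-vpn.xml (added example, not from the original post)
     Accepts forwarded traffic that enters through the "internal" zone (eth0) and
     leaves through the "external" zone (wg0), i.e. the first nft rule above.
     The reverse direction needs no policy: firewalld's own forward chain already
     accepts ct state established,related, which is the second nft rule above.
     No policy covers any other zone pair, so if wg0 is down nothing matches and
     forwarded LAN traffic is rejected, which is the kill switch the post wants. -->
<policy target="ACCEPT">
  <short>lan-to-vpn</short>
  <description>Forward LAN (eth0) traffic out through the WireGuard tunnel (wg0).</description>
  <ingress-zone name="internal"/>
  <egress-zone name="external"/>
</policy>
```

The same policy can be created from the shell instead of writing the file: `firewall-cmd --permanent --new-policy lan-to-vpn`, then `--permanent --policy lan-to-vpn --add-ingress-zone internal`, `--add-egress-zone external` and `--set-target ACCEPT`, followed by `firewall-cmd --reload`. NAT out of the tunnel comes from the `<masquerade/>` that firewalld's stock external zone already carries, so wg0 needs nothing extra. Two checks worth doing on the finished box: `firewall-cmd --zone=internal --query-forward` should answer no, because intra-zone forwarding on eth0 would let LAN traffic follow a fallback default route back out eth0 while the tunnel is down (remove it with `--remove-forward` if present); and `nft list chain inet firewalld filter_FORWARD` should show only the established,related accept and the policy jump, with no general accept that would defeat the kill switch.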