I came across the topic below:

Fedora 35: share a network connection with NetworkManager & firewalld

because of the following reason:

WLAN → Laptop → LAN

The LAN is in NetworkManager Shared and works perfect, including IPv6.

But I want to add OpenVPN or Wireguard to come into the LAN, and this fails. Reason is a very restrictive nftables table created by NetworkManager:

chain filter_forward {
type filter hook forward priority filter; policy accept;
ip daddr 192.168.1.0/24 oifname “ens5” ct state { established, related } accept
ip saddr 192.168.1.0/24 iifname “ens5” accept
iifname “ens5” oifname “ens5” accept
iifname “ens5” reject
oifname “ens5” reject

So traffic from LAN subnet is allowed, local is allowed, but everyting
else from or to ens5 is rejected.

I understood that nftables examines every table to see whether it can reject a packet, and if it finds really nothing, it is accepted. So forward policies from firewalld are overruled by this NetworkManager created table. This is probably also the answer of the topic above.

I could find two solutions:
Hacking into the nm-shared-ens5 table to allow forwarding between tun0 and ens5. This works, but I’m not happy with modifying rules created out-of-control.

Duplicate ens5 with a MacVLAN onto it with a /32 IPv4 address. Create zone for it, allow forwarding by policy, and NAT on the MACVLAN zone, so the LAN only sees the MacVLAN address and can route back to it. Use policy based routing to route traffic from OpenVPN via the MacVLAN.
This works too, but it is all fairly complex.

ip rule show
0: from all lookup local
32765: from 10.9.0.0/24 lookup 1000

ip route show table 1000
192.168.1.0/24 dev macvlan.1 scope link

Question is: do I oversee an easier method except switching to manual config of ens5 and dnsmasq for DHCP, and dhcpcd for IPv6 prefix delegation?

Actually the entire firewall configuration can be managed by firewalld:

sudo tee /etc/NetworkManager/conf.d/00-custom.conf << EOF > /dev/null
[main]
firewall-backend=none
EOF
sudo systemctl restart NetworkManager.service

NetworkManager.conf: NetworkManager Reference Manual

IPv6 prefix works when specified statically:

sudo nmcli connection modify CONNECTION \
    ipv6.method shared \
    ipv6.addresses 2001:db8::1/64

You can get a public static prefix for free:
Hurricane Electric Free IPv6 Tunnel Broker

Using a ULA prefix with IPv6 masquerading is also possible:
Internet sharing worked, but something like a DNS problem - #8 by vgaetera

There’s no need for PBR unless you want split routing.

Hi Vladislav,

Thank you very much, that’s a simple and effective solution I did not know. Of course, the Networkmanager implementation of shared is very good, switch to shared and you can do thethering. But if you want to do something special you stumble into the very effective NetworkManager created nftables table which only allows (inter)net access from the shared side.

Now NetworkManager takes care of dhcp, dns and prefix delegation and it’s my responsibility to implement forwarding and masquerading in firewalld.

IPv6 is no problem here, I got a /48 from my provider and their router implements prefix delegation. Works perfectly with NetworkManager.