Messages - SomethingOrOther

#1
Hey sashxp,

I guess I could file a bug report, but I'm not sure anyone would invest much time on such a fringe issue.

I also believe that my problem is related to having two routers cascaded and that I'm port forwarding through the two routers over a static route, in order to avoid double NAT. I think the problem is that the WireGuard instance doesn't know where to send back the packets it receives from the client and the handshake never completes. Why it works perfectly with OpenVPN & IPSec but not WireGuard is the mystery...

A single port forward from the router on which the WireGuard instance is running (not the edge network) works just fine. It's only forwards from the outside over the two routers that fail with WireGuard (though, again, it works perfectly with OpenVPN and IPSec).

Also, I have a perfectly usable workaround: two port forwards, one on each router.

It's more about me being curious and rather anal than anything else... ;-)

Your issue seems to relate to your commercial VPN provider forwarding a port for you on their VPN network so that you can access your internal networks while connected to their VPN. So I'm not convinced we're experiencing the same issue.
#2
Hey mimugmail,

Sorry but I'm a bit confused. I interpreted your first response as stating that it's an issue with the code somewhere and was not related to my configuration. But your last response makes me think that it is...

Could you clarify what you mean? :-) If it's me, I'll keep trying.
#3
When you say "pf magic", you mean it's an issue with FreeBSD?
#4
Hey there,

Thanks for chiming in.

I'm not in a position where I can install a beta on these systems. So I haven't tried that, no. But, in my opinion, it would have more to do with the WireGuard package than OPNsense itself.

I'm no expert, but there has to be something different in how WireGuard routes traffic. The port forward & firewall rules I've set up are correct (as far as OpenVPN, IPSec and anything else are concerned) - just not for WireGuard. So I'm at a complete loss.

As far as your case is concerned, are you cascading routers or is it just a "regular" port forward that you can't get to work?
#5
Not the resolution I was hoping for, but at least I know it isn't me... Thanks.
#6
General Discussion / WireGuard & Port Forwarding
July 10, 2020, 10:00:21 PM
Hello,

I have a strange port forwarding issue.

I'm running two OPNSense routers cascaded together. I know, it's not recommended, but that's the setup I need to work with.

So the WAN IP from the 2nd OPNSense is on the first one's LAN. And everything works.

Initially I was doing double NAT on router 2, but I created a static route on router 1 to reach the networks on router 2. It worked, all good. Disabled Outbound NAT on router 2. Added NAT rules for that traffic on router 1. All good. Everyone can access everything they need to access, according to their firewall rules. Great.

But, on router 2, I have a couple of OpenVPN servers, an IPSec server and a WireGuard "server" running as well. To access these from the outside, I need to set up port forwarding rules. I set up the rules on router 1 like this:

Source: Any / Destination: WAN Address / Source Ports: Any / Destination Port: whatever port the server runs on / NAT IP: IP of the server / NAT Ports: whatever port the server runs on.

And this automatically adds the corresponding Firewall rule on WAN.

So, for OpenVPN & IPSec, it just works. I can connect without issue from outside and access everything the firewall rules allow me to access. But for WireGuard, the traffic doesn't return to the appropriate host and I can't access anything from my client device (no Internet, no local networks). The handshake never completes. I can see the WireGuard instance on router 2 receives the incoming packets but I assume it can't send them back using the appropriate route.

If I do a "double port forward", meaning from router 1 I forward the outside traffic to the LAN IP which is router 2's WAN IP, and then on router 2 forward that traffic to the actual host on router 2, everything works. But if I don't do the double port forward and set the single port forward up as I did with OpenVPN & IPSec, it breaks.

I can see from the firewall logs that neither router 1 nor router 2 is blocking the WireGuard traffic. I can see the traffic being passed in the logs. But I think it doesn't understand where to send the packets back and that's why it fails.

But I'm pretty much at a loss as to how to figure out where the traffic is going and what I need to do for it to route properly.

Any help would be appreciated - even just hints would be great.

Apologies in advance if I forgot to add important information. Just ask me and I will provide whatever is needed.

Cheers
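The two set-ups described in this thread (the single forward on router 1 relying on the static route, and the working double forward with one rule on each router) written out as pf.conf-style rules. This is an added example, not from the original post and not OPNsense's own generated ruleset (OPNsense builds its rules from the GUI entries like the one quoted above). All addresses, interface names and the WireGuard port 51820 are assumptions; the WireGuard instance is assumed to listen on router 2's LAN address.

```pf
# --- Router 1 (edge router, owns the public WAN address) ---
# Assumed addressing (not from the post):
#   router 1 LAN       = 192.168.10.0/24
#   router 2 WAN       = 192.168.10.2   (sits on router 1's LAN)
#   router 2 LAN       = 192.168.20.0/24
#   WireGuard listener = 192.168.20.1:51820 (router 2's LAN address)
wan_if = "em0"     # router 1 WAN
lan_if = "em1"     # router 1 LAN

# Static route so router 1 reaches router 2's networks without double NAT
# (set outside pf, e.g. "route add -net 192.168.20.0/24 192.168.10.2", or in the GUI).
# Outbound NAT on router 1 covers both its own LAN and the networks behind
# router 2, because outbound NAT on router 2 has been disabled.
nat on $wan_if inet from { 192.168.10.0/24, 192.168.20.0/24 } to any -> ($wan_if)

# Single forward (works for OpenVPN/IPsec in the post, fails for WireGuard):
# redirect straight to the listener behind router 2 and let the static route carry it.
rdr pass on $wan_if inet proto udp from any to ($wan_if) port 51820 -> 192.168.20.1 port 51820

# Double forward, router 1 half (the working workaround): hand the packet to
# router 2's WAN address instead. Use this OR the rule above, not both.
# rdr pass on $wan_if inet proto udp from any to ($wan_if) port 51820 -> 192.168.10.2 port 51820

# --- Router 2 (inner router, WAN 192.168.10.2 on router 1's LAN) ---
# wan_if = "vtnet0"
# No "nat on $wan_if ..." rule here: outbound NAT is disabled on router 2.
# Double forward, router 2 half: redirect from router 2's WAN address to the listener.
# rdr pass on $wan_if inet proto udp from any to ($wan_if) port 51820 -> 192.168.20.1 port 51820
```

To see where the packets actually go, run `tcpdump -ni <interface> udp port 51820` on router 1's LAN interface and on router 2's WAN and LAN interfaces while a client attempts a handshake. The handshake initiation (148 bytes) should show up inbound on each hop; what to look for is whether the response (92 bytes) leaves router 2 on the same path in reverse and with the source address the client sent to, since the edge NAT can only translate a reply that matches the state it created for the initiation.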