[Solved] Port forward WireGuard return traffic through WAN

Started by SebbesApa, April 22, 2021, 08:39:32 PM

April 22, 2021, 08:39:32 PM Last Edit: September 10, 2021, 08:35:25 PM by SebbesApa
Hi,

I've just set up WireGuard on OPNsense, and the firewall is now connected to a VPN provider. Everything works as intended, e.g., traffic on my guest LAN is routed to the VPN provider and back.
But when I configure a Port Forward, incoming from the VPN, the traffic hits the correct host on the guest LAN, but the return traffic goes out of the WAN interface (with the source IP of my VPN interface) instead of just going out through the VPN.
This only happens for traffic with that specific port; everything else works and gets routed through the VPN.

Perhaps someone can assist me on what I'm missing here. It seems a bit weird, as my inbound and outbound rules work, except for traffic with my specific port forward.

I've tried my rules attached below with/without "NAT reflection" on the rule itself, as well as "Reflection for port forwards" and "Automatic outbound NAT for Reflection", but the results are the same.

When I use the "Port Probe" I get a 'success' with a "Source Address" of my VPN interface.

Does anybody know what I'm missing here?

Br
Robert

Can you try to use the -kmod variant? It should work over there ...

Quote from: mimugmail on April 23, 2021, 05:02:59 PM
Can you try to use the -kmod variant? It should work over there ...

Unfortunately the result is the same with OPNsense 21.1.5 and wireguard-kmod 0.0.20210415.


So I finally managed to solve this! Using OPNsense 21.7.2_1 and the reply-to rule as well as NAT described here:

https://github.com/opnsense/core/issues/4389#issuecomment-865349224

Many thanks to amonhk!
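As an added illustration (not rules from the thread or from the linked issue comment), this is what the reply-to plus NAT arrangement looks like in raw pf.conf syntax; OPNsense generates equivalent rules from its GUI. The interface name, addresses and port are placeholders.

```pf
# Constructed placeholders: wg0 = WireGuard tunnel interface, 10.8.0.1 = the
# VPN provider's tunnel-side gateway, 192.168.50.10 = guest-LAN host,
# 25 = the forwarded port.  Adjust to the real values.
wg_if = "wg0"
wg_gw = "10.8.0.1"
guest_net = "192.168.50.0/24"
guest_host = "192.168.50.10"
fwd_port = "25"

# Outbound NAT on the tunnel so guest-LAN traffic leaves with the tunnel
# address (the "NAT" half of the fix).
nat on $wg_if from $guest_net to any -> ($wg_if)

# Port forward: connections arriving on the tunnel address for $fwd_port
# are redirected to the guest-LAN host.
rdr on $wg_if proto tcp from any to ($wg_if) port $fwd_port -> $guest_host port $fwd_port

# The pass rule that creates state for the forwarded connection.  Without
# reply-to, the replies follow the default route and leave via WAN carrying
# the tunnel's source address (the symptom in the thread).  reply-to pins
# the return packets of this state to the tunnel interface and gateway.
pass in quick on $wg_if reply-to ($wg_if $wg_gw) proto tcp \
    from any to $guest_host port $fwd_port keep state
```

A quick check after applying it is to capture on the WAN interface while probing the forwarded port: replies carrying the tunnel's source address should no longer appear there.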

Quote from: SebbesApa on September 10, 2021, 08:35:01 PM
So I finally managed to solve this! Using OPNsense 21.7.2_1 and the reply-to rule as well as NAT described here:

https://github.com/opnsense/core/issues/4389#issuecomment-865349224

Many thanks to amonhk!

Many thanks to you as well as I stumbled upon this thread whilst pulling my hair out on this issue XD

I have been sitting here for 6 hours trying to find the reason why a port forward from a WireGuard tunnel (that provides me a static WAN IP) to my mail server does respond to requests coming in from WireGuard. That manual firewall rule and the reply-to setting saved my day.

I almost went insane.