Return Traffic of port forward goes through the wrong wan interface / gateway

Started by steven90, September 02, 2024, 02:24:22 PM

TLDR: Return traffic of a port forward goes through the wrong gateway (the default gateway) / WAN instead of the vpn-wan interface where the original traffic came from.
I stumbled across a short mention of the reply-to option in the docs but I am not sure how to implement that or if it is the correct thing to fix this issue.

I have been troubleshooting this for hours but can't fully figure it out.
Following setup:
I have an OPNsense with two WAN interfaces / gateways, the physical one called WAN and a WireGuard / VPN one (going to a WireGuard running on a VPS). The WireGuard VPS has iptables rules that forward incoming traffic on certain ports over the WireGuard tunnel to the OPNsense. I also set the gateway of some VLANs (VLAN 2002 in this example) to the VPN so outbound traffic goes over it.
All that works: if I make an outbound connection like tracepath 9.9.9.9 from the LAN it goes over the VPN, and I can also see all the incoming traffic from the WireGuard VPS on the VPN interface of the OPNsense.
Now I tried making a simple port forward from the VPN WAN interface to a local webserver.
The traffic arrives correctly and the webserver replies; it goes back to the OPNsense where the correct NAT for the WireGuard WAN (172.25.0.2) gets applied, but then the traffic suddenly pops up at the physical WAN interface / gateway instead of the WireGuard interface.
The webserver runs on 10.150.x.x port 80, the public IP of the client that tried to access the webserver in the screenshots is 62.17.x.x, and 172.25.0.2 is the OPNsense address on the WireGuard tunnel.
I have found some documentation regarding the reply-to option in firewall rules (https://docs.opnsense.org/manual/how-tos/nat_reflection.html#method-1-creating-manual-port-forward-nat-dnat-manual-outbound-nat-snat-and-automatic-firewall-rules)
but I am not really sure how to implement this / what specific rule I need to create.
The first screenshot shows the firewall rules of the LAN. The other ones are packet captures at the different interfaces during a curl of the public IP of the WireGuard VPS on port 20000 by an outside device.
(Will add screenshots of nat, wan and portforward rules below since max 4 attachments)
Thanks for any help :)

> Will add screenshots of nat, wan and portforward rules below since max 4 attachments

Would be really helpful.

Sounds like a case for 1:1 NAT but I'm not sure how that works with a VPN.

Quote from: bartjsmit on September 02, 2024, 06:38:14 PM
Sounds like a case for 1:1 NAT but I'm not sure how that works with a VPN.
I figured it out!
I had to go back to the NAT > Port Forwarding section and set the "Filter rule association" to None for all the port forwards.
Then go to Firewall > Rules > VPN Interface and create a new rule with Pass, direction in, TCP/UDP, source any, destination the internal IP and port of the target of the forward (in this case 10.150.x.x port 80) and, most importantly, go to Advanced and set the reply-to to the VPN gateway and also the state type to keep state.
Now everything is working perfectly, not as straightforward as I thought but it works :)
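The GUI steps above, written out as the underlying pf rules OPNsense ends up loading, as an added illustration that is not from the thread or from OPNsense's own generated ruleset. The interface name wg0 and VPN_GATEWAY_IP (the far end of the tunnel, which the thread does not give) are assumptions, and the x.x octets are the redactions kept from the post.

```pf
# Added example: approximate pf equivalent of the forum fix. Assumptions:
# wg0 = the WireGuard/VPN WAN interface, VPN_GATEWAY_IP = the far end of the
# tunnel (not given in the thread), x.x = redactions kept from the post.

# NAT > Port Forwarding with "Filter rule association" = None:
# only the redirect is generated, no automatic pass rule.
rdr on wg0 inet proto tcp from any to 172.25.0.2 port 20000 -> 10.150.x.x port 80

# What an automatically associated pass rule looks like: no reply-to, so the
# reply from 10.150.x.x to 62.17.x.x is routed by the system routing table
# and leaves through the default gateway on the physical WAN.
# pass in quick on wg0 inet proto tcp from any to 10.150.x.x port 80 keep state

# Manual rule on the VPN interface with Advanced > reply-to = VPN gateway and
# state type = keep state: pf stores wg0/VPN_GATEWAY_IP in the state entry
# and sends the matching reply packets back out through the tunnel.
pass in quick on wg0 reply-to (wg0 VPN_GATEWAY_IP) inet proto tcp from any to 10.150.x.x port 80 keep state
```

On the firewall, `pfctl -sr | grep reply-to` shows whether the loaded rule actually carries the reply-to, and `pfctl -ss | grep 10.150` shows the state entry the webserver's reply has to match.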

Why isn't the default reply-to gateway just the one of the interface the port forward is created for, or why is there at least not the option to set the reply-to during creation of the port forward?

Created an account just to say thank you, my god thank you so much. I've been banging my head against this same problem for a day and a half and finally I stumble upon the exact solution.

I don't understand why OPNsense doesn't let you set a gateway on a WireGuard interface, but this is a perfectly adequate workaround.