Wireguard port - public wifi

Started by RamSense, September 18, 2021, 11:49:42 AM

I don't have this issue (I don't forward ports to services on my firewall). I'm just trying to help the OP with an alternative.

Perhaps show the OP an example of a working rule of yours, so he can compare. Eg what target IP are you using?

Yup J posted this already. It goes to the opnsense ip address.

I have it working now for port 465. I made a terrible mistake in my earlier port forward using tcp instead of udp...  :-[
Now I can use WG on 465 also. Port 53 does not work; it is blocked by my ISP.
Will try 465 at public wifi to see if it will work....
Deciso DEC850v2

See - I told you it had to work.

GG.

Pete

I know I can just run Wireguard on a different port, but Port Forwarding should work, right? Why doesn't it? I must be doing something wrong and I'd like to know what. Please see attached images for my NAT and WAN rules.
What am I missing here?


MTR, you cannot redirect to 'wan address' as this is the external IP of the firewall. Try redirecting it to 192.168.1.1 in your case.

Under NAT -> Port Forward I have destination WAN address with port 15821 and NAT 192.168.1.1 with port 15820.

Under WAN the first rule is for normal Wireguard, and the second one is linked by the NAT rule.

Is this not right?

September 27, 2021, 09:31:26 PM #37 Last Edit: September 27, 2021, 10:03:34 PM by allebone
Under my WAN rules, the destination is the internal IP of the firewall, not WAN address (mine is working, so I assume it's correct?). Probably because of stateful inspection the bottom WAN rule is never hit (the rule above stops further processing of rules). You could try reordering the bottom rule and moving it before the rule that is to WAN address in your screenshot.

I'm pretty sure this is the issue because I only use NAT rules even when forwarding to the router itself (i.e. as opposed to just opening the WAN up directly). The reason for this is that in my case I use IDS/IPS on the LAN interface, so without making the packet pass through the LAN the router itself will not have this port protected by any filtering you have in place. Indeed some small cost of a CPU cycle is incurred by the packet having to move across an interface, but a faster CPU can mitigate that, and probably the cost is so small you will be unable to detect it. The same reason could apply if you used Sensei on the LAN.

Also I am pretty sure a NAT rule is the default way it was done in the documentation before, but I did just check and it is no longer like that, so I think this was changed in the documentation at some point, because I assumed everyone did it this way, and at one point I'm fairly confident it was the case.

I followed the road warrior setup guide, hence the rule with Destination WAN address under Rules->WAN.

Quote from: allebone
Under my rules, wan the destination is the internal IP of the firewall not wan address
Yes, the NAT rule creates a rule under Rules->WAN which says destination <internal_ip>. Destination in the NAT rule is WAN address though (yours says PPPoEWAN address, according to the screenshot you posted earlier).

Quote from: allebone
Probably because of stateful inspection the bottom wan rule is never hit (the rule above stops further processing of rules). You could try reorder the bottom rule and move it before the rule that is to wan address in your screenshot.
Tried that, no-go.

Quote from: allebone
Im pretty sure this is the issue because I only use nat rules even when forwarding to the router itself (ie as opposed to just opening the wan up directly).
For testing I removed the rule I made in WAN, going only with a NAT rule as you suggested. This works (client connecting to 51820):


But this does not (client connecting to 51821):


Do you have only 1 NAT rule for Wireguard and nothing more (except from the linked rule under Rules->WAN)?

September 28, 2021, 02:03:27 PM #39 Last Edit: September 28, 2021, 02:06:09 PM by allebone
Currently because I was testing for you guys I have 2 rules:

NAT
Rules

However they both work currently. Presumably as mine work and you are wanting to achieve the identical setup (one forwards to same port, the other redirects from a different port) yours should also work (when you have 2).

Don't forget to modify the port on the client connecting afterwards. That's also a requirement obv.

P

Here is the proof it works from an iPhone. My iPhone gets an IPv6 address, so that's why the endpoint looks strange, but I assure you this works on IPv4 clients also (just easier to test from my phone quickly).



September 28, 2021, 09:00:16 PM #41 Last Edit: September 28, 2021, 10:05:26 PM by MTR
Quote from: allebone
Here is the proof it works from an iphone.
No worries, I'm totally convinced your setup works. I appreciate the time you take to try to help me!  :)

So far I tried:

a) One WAN Rule (dest. WAN Address, port 51820) and one NAT (dest. WAN Address, port 51821 redirect to 192.168.1.1 port 51820)
b) Two NAT (one dest. WAN Address port 51820, redirect to 192.168.1.1 port 51820 and one dest. WAN Address port 51821 redirect to 192.168.1.1 port 51820)
c) One NAT rule only, redirect dest. WAN Address port 51821 to 192.168.1.1 port 51820.

With options a) and b) I can successfully connect to endpoint my.wan.ip:51820, but as soon as I try my.wan.ip:51821 I can't get a handshake.
Option c) also fails the handshake when connecting to my.wan.ip:51821.

Same problem when i try to redirect a port for OpenVPN; no connection possible.
When I redirect a port to a different machine in my network everything works as it should. Just not when I redirect to a service on the firewall itself.  ???

I even tried less-sensical options like opening 51821 and 51820 from all sources in Rules -> LAN, Loopback and WAN, setting ListenPort in the client's [Interface] config and what not. All without success.

I don't know what else I can try to make this work and frankly I'm getting fed up with this. At first I wanted to solve this just because it should work, but now I'm ready to throw in the towel and just run Wireguard on a different port. Gonna watch me some brilliant CL soccer now, PSG-ManC. Hopefully that match will be good. This one wasn't: FW-MTR 1-0.  ::)


edit: added option c) to things i tried.
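To make the mechanism the thread keeps circling back to concrete, here is an added Python model (not code from any poster or from OPNsense) of pf's order of operations: the NAT redirect rewrites the destination first, and the WAN filter rule only ever sees the rewritten destination. It assumes a placeholder public address 203.0.113.10 and replays option a) above, the TCP-instead-of-UDP mistake mentioned earlier in the thread, and a hand-written WAN rule aimed at 'WAN address:51821' instead of the linked internal-IP rule.

```python
from dataclasses import dataclass, replace

# Constructed addresses: 192.168.1.1 is the firewall's internal IP used in the
# thread; the public address is a documentation placeholder.
WAN_ADDRESS = "203.0.113.10"
LAN_ADDRESS = "192.168.1.1"

@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    dst: str
    dport: int

@dataclass(frozen=True)
class Rdr:       # NAT -> Port Forward: match (proto, dst, dport), rewrite to (to, to_port)
    proto: str
    dst: str
    dport: int
    to: str
    to_port: int

@dataclass(frozen=True)
class Pass:      # Rules -> WAN: allow (proto, dst, dport)
    proto: str
    dst: str
    dport: int

def apply_rdr(pkt, rdrs):
    """pf evaluates redirects before filter rules; the first match rewrites dst."""
    for r in rdrs:
        if (r.proto, r.dst, r.dport) == (pkt.proto, pkt.dst, pkt.dport):
            return replace(pkt, dst=r.to, dport=r.to_port)
    return pkt

def deliver(pkt, rdrs, passes):
    """Final "ip:port" after NAT and filtering, or None if no filter rule passes it.
    Filter rules only see the translated destination, which is why the linked
    WAN rule carries the internal IP rather than 'WAN address'."""
    t = apply_rdr(pkt, rdrs)
    if any((p.proto, p.dst, p.dport) == (t.proto, t.dst, t.dport) for p in passes):
        return f"{t.dst}:{t.dport}"
    return None

# Option a): plain WAN rule for 51820 plus NAT 51821 -> 192.168.1.1:51820 with its linked rule.
RDR_UDP = Rdr("udp", WAN_ADDRESS, 51821, LAN_ADDRESS, 51820)
OPTION_A = ([RDR_UDP], [Pass("udp", WAN_ADDRESS, 51820), Pass("udp", LAN_ADDRESS, 51820)])
# The TCP-instead-of-UDP mistake from earlier in the thread: WireGuard's UDP never matches.
OPTION_TCP = ([Rdr("tcp", WAN_ADDRESS, 51821, LAN_ADDRESS, 51820)], OPTION_A[1])
# A hand-written WAN rule for 'WAN address:51821' instead of the linked internal-IP rule.
OPTION_WRONG_PASS = ([RDR_UDP], [Pass("udp", WAN_ADDRESS, 51821)])
CLIENT_51820 = Packet("udp", WAN_ADDRESS, 51820)
CLIENT_51821 = Packet("udp", WAN_ADDRESS, 51821)
```

Running `deliver(CLIENT_51821, *OPTION_A)` lands on 192.168.1.1:51820, while the TCP redirect and the 'WAN address:51821' filter rule both drop the same packet.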

I can't explain why it doesn't work for you. I mean I am totally stuck on what to look at next. I can't think of a reason what could be causing you an issue :(

Me neither. This should work but it doesn't. Thanks again for your help though!

* PSG-ManC is 1-0 at half time. Maybe I should consider my match half time as well. As in I might take another look. Some day. If anybody reading this has anything to add, please do.