Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
Return Traffic of port forward goes through the wrong wan interface / gateway
« previous
next »
Print
Pages: [
1
]
Author
Topic: Return Traffic of port forward goes through the wrong wan interface / gateway (Read 412 times)
steven90
Newbie
Posts: 5
Karma: 0
Return Traffic of port forward goes through the wrong wan interface / gateway
«
on:
September 02, 2024, 02:24:22 pm »
TLDR: Return traffic of portforward goes through wrong gateway (the default gateway) / wan instead of the vpn-wan interface where the original traffic came from.
I stumbled across a short mention of the reply-to option in the docs but not sure how to implement that or if it is the correct thing to fix this issue.
Have been troubleshooting this for hours but cant fully figure it out.
Following setup:
I have a opnsense with two WAN interfaces / Gateways, the physical one called WAN and a Wireguard / VPN one (going to a wireguard running on a vps). The Wireguard VPS has iptable rules that forward incoming traffic on certain ports over the wireguard tunnel to the opnsense. I also set the gateway of some vlans (VLAN 2002 in this example) to the vpn so outbound traffic goes over it.
All that works, if i make an outbound connection like tracepath 9.9.9.9 from the LAN it goes over the vpn and i can also see all the incoming traffic from the wireguard vps on the vpn interface of the opnsense.
Now i tried making a simple port forward from the vpn wan interface to a local webserver.
The traffic arrives correctly and the webserver replies, it goes back to the opnsense where the correct nat for the wireguard wan (172.25.0.2) gets applied, but then the traffic suddenly pops up at the physical WAN interface / gateway instead of the wireguard interface.
Webserver runns on 10.150.x.x port 80, the public ip of the client that tried to access the webserver on the screenshots is 62.17.x.x and 172.25.0.2 is the opnsense address on the wireguard tunnel.
I have found some documentation regarding the reply-to option in firewall rules
https://docs.opnsense.org/manual/how-tos/nat_reflection.html#method-1-creating-manual-port-forward-nat-dnat-manual-outbound-nat-snat-and-automatic-firewall-rules
but i am not really sure how to implement this / what specific rule i need to create.
The first screenshot shows the firewall rules of the LAN. The other ones package captures at the different interface during a curl of the public ip of the wireguard vps on port 20000 by an outside device.
(Will add screenshots of nat, wan and portforward rules below since max 4 attachments)
Thanks for any help
Logged
Saarbremer
Sr. Member
Posts: 353
Karma: 14
Re: Return Traffic of port forward goes through the wrong wan interface / gateway
«
Reply #1 on:
September 02, 2024, 05:00:21 pm »
> Will add screenshots of nat, wan and portforward rules below since max 4 attachments
Would be really helpful.
Logged
bartjsmit
Hero Member
Posts: 2016
Karma: 194
Re: Return Traffic of port forward goes through the wrong wan interface / gateway
«
Reply #2 on:
September 02, 2024, 06:38:14 pm »
Sounds like a case for 1:1 NAT but I'm not sure how that works with a VPN.
Logged
steven90
Newbie
Posts: 5
Karma: 0
Re: Return Traffic of port forward goes through the wrong wan interface / gateway
«
Reply #3 on:
September 02, 2024, 06:57:19 pm »
Quote from: bartjsmit on September 02, 2024, 06:38:14 pm
Sounds like a case for 1:1 NAT but I'm not sure how that works with a VPN.
I figured it out!
I had to go back to the NAT > Port Forwarding Section and set the "Filter rule association" to None for all the portforwards.
Then go to the Firewall > Rules > VPN Interface and create a new rule with "Pass, direction - in, tcp/udp, source - any, destination - the internal ip and port of the target of the forward, in this case 10.150.x.x port 80 and the most important, go to advanced then set the reply-to to the vpn gateway and also state type to keep state.
Now everything is working perfectly, not as straight forward as i thought but it works
Why isnt the default reply to gateway just the on of the interface the port forward is created for by default or there is at least the option to set the reply to during creation of the port forward
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
Return Traffic of port forward goes through the wrong wan interface / gateway