Need help with a specific firewall rule

[Vexz]

I need some help from someone who is experienced with firewall rules and has worked with the advanced features.

Context:
I have a NAS in my home LAN which hosts some docker containers like Vaultwarden and other stuff. Traffic from most of my devices (not my NAS) is routed through a WireGuard VPN tunnel, which is configured on my OPNsense. To achieve this I use firewall rules that use the VPN gateway for outgoing traffic. The reason why my NAS's outgoing traffic is not routed through the VPN tunnel is of course, because connection from the WAN to my NAS won't work anymore (I already tested that).

So I'm looking for a solution like this:

• Connections initiated by my NAS go through the VPN tunnel to the WAN.
• Answers to connection requests from the WAN to my NAS use the gateway, the initiated connection request came from.

I feel like the "reply-to" option in the advanced rule features could be something here, but I think all replies then will use the set gateway, even when the initiated connection from my NAS was routed through the VPN tunnel.

Is this even possible? If the answer is yes: Could you please explain to me how?

[viragomann]

To achieve this I use firewall rules that use the VPN gateway for outgoing traffic. The reason why my NAS's outgoing traffic is not routed through the VPN tunnel is of course, because connection from the WAN to my NAS won't work anymore (I already tested that).

What?

If the NAS is included into the source, its upstream connection should be routed through the tunnel.
Or are you talking about inbound connections?

[Vexz]

Right, and I want that for connections intiated by my NAS.
Dumb example for this, just to make it more clear: Let's say I have a Firefox running in Docker on my NAS. Websites I visit with it should be routed through the VPN tunnel.

But here is what I want at the same time: When I'm not home and I want to synchronize mit Bitwarden vault with Vaultwarden, hosted in Docker on my NAS in my home LAN, the answer from my NAS should be routed through the default gateway (which is not the VPN tunnel gateway).

[Patrick M. Hausen]

Try outbound NAT on the LAN interface for anything coming from "the Internet" towards your NAS.

[viragomann]

But here is what I want at the same time: When I'm not home and I want to synchronize mit Bitwarden vault with Vaultwarden, hosted in Docker on my NAS in my home LAN, the answer from my NAS should be routed through the default gateway (which is not the VPN tunnel gateway).

So it the VPN your default gateway currently and are responses routed to it, even the requests come in on WAN?

[Vexz]

Try outbound NAT on the LAN interface for anything coming from "the Internet" towards your NAS.

Thanks for the tip but that sadly didn't work.   :'(

So it the VPN your default gateway currently and are responses routed to it, even the requests come in on WAN?

The default gateway is my ISP's gateway but I made the NAS's outbound traffic use the VPN gateway with a firewall rule. And yes, request coming in on WAN, routed through the default gateway don't work.

[viragomann]

And yes, request coming in on WAN, routed through the default gateway don't work.

Sure? I don't expect this behavior.

Check System: Routes: Status.

[Vexz]

I'm positive, yes. Tested it twice today. When I make my NAS use the VPN tunnel gateway for outbound traffic, I can't access my hosted services from the internet anymore.

[viragomann]

Ensure that rule, which allows the inbound traffic on WAN is defined on the WAN interface only.
There must no floating or interface group pass rule be applied to the incoming traffic on WAN.

[Vexz]

I uset NAT reflection on the port forward rules for the WAN and LAN interface. The LAN interface is now removed but still no luck accessing my hosted applications from the internet when my NAS is set to use the VPN tunnel gateway. 

Maybe this helps a bit to clarify my setup. Here are my rules, the top three are the floating rules, generated by the NAT port forwards. What I do to make my NAS use the VPN tunnel gateway is to remove my NAS from the "Not_Mullvad_VPN" alias, so it's no longer in the alias, that is meant to use the default gateway.
Maybe you see something I'm too blind to see why it's not working.

[bimbar]

I'm not sure this is even possible. Try to use a different way. You could use a loadbalancer on the firewall to do this, for example.

[viragomann]

The LAN rules shouldn't have any impact on traffic coming from WAN.

Do you have floating rules or interface group rules on WAN?

[Vexz]

The LAN rules shouldn't have any impact on traffic coming from WAN.

Well, looks like they do.

Do you have floating rules or interface group  rules?

You can see the floating rules in the screenshot at the top. They're just the three automatically created entries by the NAT port forwarding rules, as mentioned above. No group rules.

[viragomann]

You can see the floating rules in the screenshot at the top. They're just the three automatically created entries by the NAT port forwarding rules, as mentioned above.

The screenshot shows only the LAN rules. The interesting part would be the WAN rules.

[Vexz]

I think I found the culprit but I can't test right now because I have an appointment. I think it's DynDNS on my NAS. The IP behind its DynDNS domain changes to the public IP of my VPN server. This means clients from the internet try to access my NAS through the VPN tunnel which of course blocks the connection. Gotta do some testing later.