Connection refused/reset when trying to reach NAS via FQDN

Move this to wan interface

You are redirecting everything to the wg tunnel. Do you have some rule to exclude the traffic that is port redirected?


No, I don't have such a traffic rule. NAS-specific traffic rules seem not to work either.

My suggestion is to remove route_allowed_ips from wg peer. Then install pbr package to configure which devices will use the tunnel. You need the router local services to be served from wan.


I'd like to avoid a policy-based routing that excludes NAS from VPN tunnel, since Download Station is in use.
The only reason for NAS to get external access is use of calendar as a more reliable (and more privacy-friendly) alternative to Google.

If you port forward traffic from the ISP, then you need to have some rule to return that traffic from the same interface. If you don't want to install pbr, you can try to accomplish that yourself with iptables, ip rules, and ip routes.
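
The manual approach described above, as an added example that is not part of the original post: connections that arrive through the WAN port forward get a connection mark, and replies carrying that mark are routed through a separate table whose default route is the WAN gateway, while everything else keeps using the tunnel. It assumes an iptables-based firewall; the addresses, interface names, port, mark and table id are constructed placeholders.

```shell
#!/bin/sh
# Added example: emit (dry run) the rules that send replies to a WAN port
# forward back out of the WAN interface while the default route stays on wg.
# All addresses, interface names, the mark and the table id are placeholders.

MARK=0x64      # assumed unused firewall mark
TABLE=100      # assumed unused routing table id

valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# usage: wan_return_rules NAS_IP WAN_PORT WAN_IF LAN_IF WAN_GW
wan_return_rules() {
    nas=$1 port=$2 wan_if=$3 lan_if=$4 gw=$5
    valid_ipv4 "$nas" && valid_ipv4 "$gw" && valid_port "$port" || {
        echo "invalid argument" >&2; return 1; }
    [ -n "$wan_if" ] && [ -n "$lan_if" ] || { echo "missing interface" >&2; return 1; }
    # Rule 1 runs before DNAT, so --dport is the externally forwarded port.
    # Rule 2 copies the connection mark onto reply packets from the NAS.
    cat <<EOF
iptables -t mangle -A PREROUTING -i $wan_if -p tcp --dport $port -m conntrack --ctstate NEW -j CONNMARK --set-mark $MARK
iptables -t mangle -A PREROUTING -i $lan_if -s $nas -m connmark --mark $MARK -j CONNMARK --restore-mark
ip route add default via $gw dev $wan_if table $TABLE
ip rule add fwmark $MARK lookup $TABLE
EOF
}

# Dry run with constructed values; review the output before applying it.
wan_return_rules 192.168.1.10 8443 eth0.2 br-lan 192.0.2.1
```

Because only marked connections use the extra table, the NAS's own outbound traffic still leaves through the tunnel.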


WAN isn't allowed forwarding, as per VPN configuration.

Could extra arguments be an option for WAN zone?

Port redirect is not connected to zone forwarding.


I have (almost) the same config. You can't put your NAS over VPN and use port forwarding. If you want to use port forwarding to your NAS, you have to exclude it from the VPN tunnel.
As suggested, use policy-based routing for this.

You can use the pbr for specific ports, the ones that you redirect, towards the ISP link, while the rest will be using the vpn. You can match ports/protocols, not just IPs.


@trendy, so what you are saying is that I can put my NAS in the VPN tunnel, and exclude the ports that I need in port forwarding? Never too old to learn :wink: going to give it a try.
Sorry for hijacking the thread..


two other options are multihoming(virtual@alias if need be) the nas/router ( i.e. dmz2-altsubnet ) and tcpproxy...

probably already been mentioned but accessing vpn@wan and keeping your webdav phone settings consistent is a much better option for this kind of thing...


@M4x_P0w3r, welcome to the community!

Currently, a HTTP and HTTPS server respond on port 443...running nginx. The cert is issued to

If that's not your desire, I think you need to fix your firewall ASAP.

OK guys, now my NAS is reachable from Internet.
Following steps were necessary:

  • Installation of VPN Policy Routing

  • FritzBox configured with non-standard HTTPS Port Forwarding to Router WAN Interface

  • VPR Policy configured.

  • NAS to WAN Firewall Rule, any protocol, any destination

  • Port Forwarding Rule from any source host, any port in WAN to NAS, non-standard HTTPS destination port

For now VPR Policy uses all ports (both source and destination) with destination to all networks. Does anybody know which port(s) is/are used for communication between NAS and DDNS?
I'd like to know it in case I would route BT traffic over VPN.

Should be https or worst case http.


I've provided destination port 443 to this VPR rule and set another one for routing DNS traffic from NAS over WAN.
For BT traffic over VPN I've created two rules with the respective port numbers set in Download Station.
Just feel free to suggest me any adjustment, in order to avoid any potential security risk.

Can't Open Port 80 - #11 by vgaetera


Sorry, don't seem to get it. What do you mean?

It is the VPN-PBR rule which sends local port 80 and 443 over the wan.


Got it. I missed "Multiple local and remote addresses/devices/domains and ports can be space separated."
I've merged now the respective multiple port policies into each one.

