FRITZ!Box, IPsec, Failover (mwan3), accept traffic from VPN, Port Forwardings through VPN

Because of sporadically bad link quality on Vodafone Germany Cable Internet via a FRITZ!Box 6591 (, wan/eth0.2, Public IPv4), I decided to use mwan3.

I'm using a TP-LINK TL-WR1043ND V2 (OpenWrt 19.07.6) as failover (

The second WAN connection is via LTE/4G from 1&1 (Telefonica Germany) using an EasyBox 904 LTE (, wwan/wlan0, Shared IPv4).

In the checks I increased the count to the maximum value of 5 and enabled the link quality check.

In the FRITZ!Box 6591 a site-to-site VPN (LAN-LAN-Kopplung) is configured to a FRITZ!Box 7490 (, Public IPv4) using MyFRITZ! hostnames (

  1. communicate bi-directionally <=> like it's currently working with <=>
  2. create a port forwarding in the 7490 to any port on any device in FRITZ!Box doesn't allow that for road warrior IPs (starting in my case from

To reach my goals I have several options (or not):

  1. Configure port forwarding in the TL-WR1043 from zone wan to zone lan for every port I need (with the mentioned limitation) :white_check_mark:
  2. Adjust the firewall in the TL-WR1043 to accept connections from I played around with several settings like creating a zone "vpn" and moving my rules to the top, but all without success.
  3. Configure the site-to-site VPN in the TL-WR1043. For that I already tried vpnc, and pinging from a device in is possible :white_check_mark: . But then the mentioned limitation comes into play and I can't forward that port to the public.
  4. Install another site-to-site VPN software package, e.g. strongswan-full, in the TL-WR1043 and, if there is not enough space for all the dependencies (min. 4.3 MB), try to attach a USB flash drive and mount it permanently.

Thank you in advance.
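Added example, not the poster's own configuration: an OpenWrt 19.07 `/etc/config/firewall` fragment that implements options 1 and 2 from the list above with the stock fw3 firewall, i.e. a rule that accepts traffic arriving on the wan zone from the remote site's LAN behind the 7490, plus a redirect that forwards one public port to a LAN host. The remote subnet 192.0.2.0/24, the LAN host 192.168.178.50 and the ports are placeholders I chose for illustration, not values from the post.

```uci
# Option 2: accept traffic that arrives on the wan zone (eth0.2) from the
# remote site's LAN. The 6591 routes VPN traffic to the TL-WR1043 with the
# original source address intact, so matching on src_ip is enough; without
# such a rule the zone's default REJECT policy for wan -> lan applies.
config rule
	option name 'Allow-remote-site-LAN-to-lan'
	option src 'wan'
	option src_ip '192.0.2.0/24'     # placeholder: LAN behind the 7490
	option dest 'lan'
	option proto 'all'
	option family 'ipv4'
	option target 'ACCEPT'

# Option 1: classic port forwarding (DNAT) from the public side to one host.
# This is what the post calls "port forwarding from zone wan to zone lan".
config redirect
	option name 'Forward-8443-to-lan-host'
	option src 'wan'
	option src_dport '8443'         # placeholder public port
	option dest 'lan'
	option dest_ip '192.168.178.50' # placeholder LAN host
	option dest_port '443'          # placeholder service port on that host
	option proto 'tcp'
	option target 'DNAT'
```

Apply it with `/etc/init.d/firewall reload`; `iptables -L zone_wan_forward -n -v` then shows the ACCEPT rule with its packet counters, which is a quick way to confirm that the VPN traffic actually reaches the wan zone with the expected source addresses rather than being dropped earlier. mwan3 only influences routing, so keeping the firewall rule scoped to the remote subnet is what prevents option 2 from turning into a general wan -> lan allow.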