Port forward coming from wireguard tunnel not routed back via WG

Installing and Using OpenWrt
1

I'm trying to host a web server on my LAN (192.168.1.x) and since my ISP filters all traffic the only way for me to get this to work is to tunnel traffic via a wireguard tunnel on a VPS somewhere.

Need some help as it looks like response traffic from my LAN client is being routed thru the default-gateway (WAN) instead of being routed outbound via the VPN tunnel where the original packet originated.

I may have misunderstood, but I thought this would not be an issue after I configured routing tables for the VPN itself in Wireguard internet reply traffic is going out WAN instead of tunnel - #7

However after some tcpdump in all directions, I see that traffic to my public IPv4 is going thru wireguard tunnel, it hits OpenWRT and it gets forwarded to my LAN 192.168.1.x device, which then responds to the public IP of the HTTP request. Then OpenWrt sends this out via WAN.

Interestingly, the "Port Forwards" web UI shows my settings both enabled but the configuration dump below says "option enabled '0'" not sure if this may be causing this?

Screenshot 2021-05-22 033449
Screenshot 2021-05-22 033449989×610 74.9 KB

Here's some config

# uci export firewall
package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option masq6 '1'
        option masq6_privacy '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wgmia'

config rule
        option name 'Allow-Ping-WG'
        option src 'wgmia'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP-WG'
        option src 'wgmia'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6-WG'
        option src 'wgmia'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD-WG'
        option src 'wgmia'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input-WG'
        option src 'wgmia'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward-WG'
        option src 'wgmia'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IPSec-ESP-WG'
        option src 'wgmia'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP-WG'
        option src 'wgmia'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config include 'bcp38'
        option type 'script'
        option path '/usr/lib/bcp38/run.sh'
        option family 'IPv4'
        option reload '1'

config include 'nat6'
        option path '/etc/firewall.nat6'
        option reload '1'

config zone
        option name 'wgmia'
        option forward 'REJECT'
        list network 'wgmia'
        option output 'ACCEPT'
        option masq '1'
        option masq6 '1'
        option input 'REJECT'

config rule
        option dest_port '443'
        option src 'wgmia'
        option target 'ACCEPT'
        list proto 'tcp'
        option name 'Allow-Internet-Luci-WG'
        option enabled '0'

config redirect
        option name 'HTTP'
        option src_dport '80'
        option target 'DNAT'
        option dest 'lan'
        list proto 'tcp'
        option src 'wgmia'
        option dest_port '22'
        option dest_ip '192.168.1.49'

config redirect
        option dest_port '443'
        option name 'HTTPS'
        option src_dport '443'
        option target 'DNAT'
        option dest_ip '192.168.1.214'
        option dest 'lan'
        list proto 'tcp'
        option src 'wgmia'

config nat
        option src_port '80'
        list proto 'tcp'
        option name 'HTTP'
        option src_ip '192.168.1.214'
        option target 'MASQUERADE'
        option device 'wgmia'
        option src 'lan'
        option enabled '0'

config nat
        option src_port '443'
        list proto 'tcp'
        option name 'HTTPS'
        option src_ip '192.168.1.214'
        option target 'MASQUERADE'
        option device 'wgmia'
        option src 'lan'
        option enabled '0'

network (secrets removed)

# cat network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdde:104a:0f59::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '6t 3 2 1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 5'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '11'
        option ports '6t 4'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option ports '0t'
        option vid '200'

config interface 'wgmia'
        option proto 'wireguard'
        option private_key 'xxxx'
        list addresses '10.100.100.12/24'
        list addresses 'xx:xx:xx:106:8888::12/112'
        option mtu '1350'
        option ip4table '1'
        option ip6table '1'

config wireguard_wgmia
        option public_key 'hxxx'
        option description 'xxx'
        option endpoint_port '88'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option preshared_key 'xx'
        option endpoint_host 'xx'
        option persistent_keepalive '19'
        option route_allowed_ips '1'

config interface 'opnsense'
        option proto 'none'
        option type 'bridge'
        option ifname 'eth1.11'

Some additional info

root@OpenWrt:/etc/config# fw3 print
Warning: Option @zone[1].masq6 is unknown
Warning: Option @zone[1].masq6_privacy is unknown
Warning: Option @zone[2].masq6 is unknown
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
iptables -t filter -N reject
iptables -t filter -N input_rule
iptables -t filter -N output_rule
iptables -t filter -N forwarding_rule
iptables -t filter -N syn_flood
iptables -t filter -N zone_lan_input
iptables -t filter -N zone_lan_output
iptables -t filter -N zone_lan_forward
iptables -t filter -N zone_lan_src_ACCEPT
iptables -t filter -N zone_lan_dest_ACCEPT
iptables -t filter -N input_lan_rule
iptables -t filter -N output_lan_rule
iptables -t filter -N forwarding_lan_rule
iptables -t filter -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
iptables -t filter -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
iptables -t filter -N zone_wan_input
iptables -t filter -N zone_wan_output
iptables -t filter -N zone_wan_forward
iptables -t filter -N zone_wan_src_REJECT
iptables -t filter -N zone_wan_dest_ACCEPT
iptables -t filter -N zone_wan_dest_REJECT
iptables -t filter -N input_wan_rule
iptables -t filter -N output_wan_rule
iptables -t filter -N forwarding_wan_rule
iptables -t filter -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
iptables -t filter -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
iptables -t filter -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
iptables -t filter -N zone_wgmia_input
iptables -t filter -N zone_wgmia_output
iptables -t filter -N zone_wgmia_forward
iptables -t filter -N zone_wgmia_src_REJECT
iptables -t filter -N zone_wgmia_dest_ACCEPT
iptables -t filter -N zone_wgmia_dest_REJECT
iptables -t filter -N input_wgmia_rule
iptables -t filter -N output_wgmia_rule
iptables -t filter -N forwarding_wgmia_rule
iptables -t filter -A zone_wgmia_input -m comment --comment "!fw3: Custom wgmia input rule chain" -j input_wgmia_rule
iptables -t filter -A zone_wgmia_output -m comment --comment "!fw3: Custom wgmia output rule chain" -j output_wgmia_rule
iptables -t filter -A zone_wgmia_forward -m comment --comment "!fw3: Custom wgmia forwarding rule chain" -j forwarding_wgmia_rule
iptables -t filter -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
iptables -t filter -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
iptables -t filter -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
iptables -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
iptables -t filter -A syn_flood -m comment --comment "!fw3" -j DROP
iptables -t filter -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
iptables -t filter -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
iptables -t filter -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
iptables -t filter -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
iptables -t filter -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
iptables -t filter -A zone_wan_input -p 2 -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
iptables -t filter -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_wgmia_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping-WG" -j ACCEPT
iptables -t filter -A zone_wgmia_input -p 2 -m comment --comment "!fw3: Allow-IGMP-WG" -j ACCEPT
iptables -t filter -A zone_wgmia_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP-WG" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_wgmia_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP-WG" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wgmia forwarding policy" -j zone_wgmia_dest_ACCEPT
iptables -t filter -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
iptables -t filter -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
iptables -t filter -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
iptables -t filter -D zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -D OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -D FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
iptables -t filter -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
iptables -t filter -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
iptables -t filter -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
iptables -t filter -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
iptables -t filter -D zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -D zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
iptables -t filter -D zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
iptables -t filter -D INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -D OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -D FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -D zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -D zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
iptables -t filter -D zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
iptables -t filter -D INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -D OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -D FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A zone_wgmia_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
iptables -t filter -A zone_wgmia_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
iptables -t filter -A zone_wgmia_input -m comment --comment "!fw3" -j zone_wgmia_src_REJECT
iptables -t filter -A zone_wgmia_forward -m comment --comment "!fw3" -j zone_wgmia_dest_REJECT
iptables -t filter -A zone_wgmia_output -m comment --comment "!fw3" -j zone_wgmia_dest_ACCEPT
iptables -t filter -D zone_wgmia_dest_ACCEPT -o wgmia -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -A zone_wgmia_dest_ACCEPT -o wgmia -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -D zone_wgmia_dest_ACCEPT -o wgmia -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_wgmia_dest_ACCEPT -o wgmia -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_wgmia_src_REJECT -i wgmia -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wgmia_src_REJECT -i wgmia -m comment --comment "!fw3" -j reject
iptables -t filter -D zone_wgmia_dest_REJECT -o wgmia -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wgmia_dest_REJECT -o wgmia -m comment --comment "!fw3" -j reject
iptables -t filter -D INPUT -i wgmia -m comment --comment "!fw3" -j zone_wgmia_input
iptables -t filter -A INPUT -i wgmia -m comment --comment "!fw3" -j zone_wgmia_input
iptables -t filter -D OUTPUT -o wgmia -m comment --comment "!fw3" -j zone_wgmia_output
iptables -t filter -A OUTPUT -o wgmia -m comment --comment "!fw3" -j zone_wgmia_output
iptables -t filter -D FORWARD -i wgmia -m comment --comment "!fw3" -j zone_wgmia_forward
iptables -t filter -A FORWARD -i wgmia -m comment --comment "!fw3" -j zone_wgmia_forward
iptables -t filter -A FORWARD -m comment --comment "!fw3" -j reject
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule
iptables -t nat -N zone_lan_postrouting
iptables -t nat -N zone_lan_prerouting
iptables -t nat -N prerouting_lan_rule
iptables -t nat -N postrouting_lan_rule
iptables -t nat -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
iptables -t nat -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
iptables -t nat -N zone_wan_postrouting
iptables -t nat -N zone_wan_prerouting
iptables -t nat -N prerouting_wan_rule
iptables -t nat -N postrouting_wan_rule
iptables -t nat -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
iptables -t nat -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
iptables -t nat -N zone_wgmia_postrouting
iptables -t nat -N zone_wgmia_prerouting
iptables -t nat -N prerouting_wgmia_rule
iptables -t nat -N postrouting_wgmia_rule
iptables -t nat -A zone_wgmia_prerouting -m comment --comment "!fw3: Custom wgmia prerouting rule chain" -j prerouting_wgmia_rule
iptables -t nat -A zone_wgmia_postrouting -m comment --comment "!fw3: Custom wgmia postrouting rule chain" -j postrouting_wgmia_rule
iptables -t nat -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
iptables -t nat -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
iptables -t nat -A zone_wgmia_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP" -j DNAT --to-destination 192.168.1.49:22
iptables -t nat -D zone_lan_prerouting -p tcp -s 192.168.1.0/255.255.255.0 -d 10.100.100.12/255.255.255.255 -m tcp --dport 80 -m comment --comment "!fw3: HTTP (reflection)" -j DNAT --to-destination 192.168.1.49:22
iptables -t nat -A zone_lan_prerouting -p tcp -s 192.168.1.0/255.255.255.0 -d 10.100.100.12/255.255.255.255 -m tcp --dport 80 -m comment --comment "!fw3: HTTP (reflection)" -j DNAT --to-destination 192.168.1.49:22
iptables -t nat -D zone_lan_postrouting -p tcp -s 192.168.1.0/255.255.255.0 -d 192.168.1.49/255.255.255.255 -m tcp --dport 22 -m comment --comment "!fw3: HTTP (reflection)" -j SNAT --to-source 192.168.1.1
iptables -t nat -A zone_lan_postrouting -p tcp -s 192.168.1.0/255.255.255.0 -d 192.168.1.49/255.255.255.255 -m tcp --dport 22 -m comment --comment "!fw3: HTTP (reflection)" -j SNAT --to-source 192.168.1.1
iptables -t nat -A zone_wgmia_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS" -j DNAT --to-destination 192.168.1.214:443
iptables -t nat -D zone_lan_prerouting -p tcp -s 192.168.1.0/255.255.255.0 -d 10.100.100.12/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j DNAT --to-destination 192.168.1.214:443
iptables -t nat -A zone_lan_prerouting -p tcp -s 192.168.1.0/255.255.255.0 -d 10.100.100.12/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j DNAT --to-destination 192.168.1.214:443
iptables -t nat -D zone_lan_postrouting -p tcp -s 192.168.1.0/255.255.255.0 -d 192.168.1.214/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j SNAT --to-source 192.168.1.1
iptables -t nat -A zone_lan_postrouting -p tcp -s 192.168.1.0/255.255.255.0 -d 192.168.1.214/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j SNAT --to-source 192.168.1.1
iptables -t nat -D PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -D POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
iptables -t nat -D PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -D POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -D PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -D POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -A zone_wgmia_postrouting -m comment --comment "!fw3" -j MASQUERADE
iptables -t nat -D PREROUTING -i wgmia -m comment --comment "!fw3" -j zone_wgmia_prerouting
iptables -t nat -A PREROUTING -i wgmia -m comment --comment "!fw3" -j zone_wgmia_prerouting
iptables -t nat -D POSTROUTING -o wgmia -m comment --comment "!fw3" -j zone_wgmia_postrouting
iptables -t nat -A POSTROUTING -o wgmia -m comment --comment "!fw3" -j zone_wgmia_postrouting
iptables -t mangle -D FORWARD -p tcp -o eth0.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A FORWARD -p tcp -o eth0.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -D FORWARD -p tcp -i eth0.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A FORWARD -p tcp -i eth0.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -D FORWARD -p tcp -o eth0.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A FORWARD -p tcp -o eth0.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -D FORWARD -p tcp -i eth0.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A FORWARD -p tcp -i eth0.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t raw -N zone_lan_helper
iptables -t raw -D PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
iptables -t raw -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
root@OpenWrt:/etc/config#

Thanks!

2 
uci -q delete firewall.mark_ssh
uci set firewall.mark_ssh="rule"
uci set firewall.mark_ssh.name="Mark-SSH"
uci set firewall.mark_ssh.src="lan"
uci set firewall.mark_ssh.src_ip="192.168.1.49"
uci set firewall.mark_ssh.src_port="22"
uci set firewall.mark_ssh.proto="tcp"
uci set firewall.mark_ssh.set_mark="0x1"
uci set firewall.mark_ssh.target="MARK"
uci -q delete firewall.mark_https
uci set firewall.mark_https="rule"
uci set firewall.mark_https.name="Mark-HTTPS"
uci set firewall.mark_https.src="lan"
uci set firewall.mark_https.src_ip="192.168.1.214"
uci set firewall.mark_https.src_port="443"
uci set firewall.mark_https.proto="tcp"
uci set firewall.mark_https.set_mark="0x1"
uci set firewall.mark_https.target="MARK"
uci commit firewall
/etc/init.d/firewall restart
uci -q delete network.lan_vpn
uci set network.lan_vpn="rule"
uci set network.lan_vpn.in="lan"
uci set network.lan_vpn.mark="1"
uci set network.lan_vpn.lookup="1"
uci set network.lan_vpn.priority="30000"
uci commit network
/etc/init.d/network restart
3

I tried this but I am unsure if it worked.

Here is my debug trace between my LAN and the tunnel, there's a tcpdump wrapper to identify interface by mac

root@OpenWrt:~# ./dump.sh  '(host 185.106.123.70 or host 192.168.1.214) and port 80'
listening on wgmia, link-type RAW (Raw IP), capture size 262144 bytes
[Interface:eth1.1] 13:24:10.094150 IP 185.106.123.70.37306 > 192.168.1.49.80: Flags [S], seq 4122536239, win 29200, options [mss 1460,nop,nop,TS val 293648160 ecr 0,nop,wscale 8], length 0
[Interface:br-lan] 13:24:10.094143 IP 185.106.123.70.37306 > 192.168.1.49.80: Flags [S], seq 4122536239, win 29200, options [mss 1460,nop,nop,TS val 293648160 ecr 0,nop,wscale 8], length 0
[Interface:eth1.1] 13:24:10.094727 IP 192.168.1.49.80 > 185.106.123.70.37306: Flags [S.], seq 3974655237, ack 4122536240, win 65160, options [mss 1460,nop,nop,TS val 3370440203 ecr 293617103,nop,wscale 7], length 0
[Interface:eth0.2] 13:24:10.094775 IP 10.100.100.12.80 > 185.106.123.70.37306: Flags [S.], seq 3974655237, ack 4122536240, win 65160, options [mss 1460,nop,nop,TS val 3370440203 ecr 293617103,nop,wscale 7], length 0
[Interface:eth1.1] 13:24:14.976821 IP 185.106.123.70.37458 > 192.168.1.49.80: Flags [S], seq 441372093, win 29200, options [mss 1460,nop,nop,TS val 293653064 ecr 0,nop,wscale 8], length 0
[Interface:eth1.1] 13:24:14.977438 IP 192.168.1.49.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370445086 ecr 293653064,nop,wscale 7], length 0
[Interface:br-lan] 13:24:10.094727 IP 192.168.1.49.80 > 185.106.123.70.37306: Flags [S.], seq 3974655237, ack 4122536240, win 65160, options [mss 1460,nop,nop,TS val 3370440203 ecr 293617103,nop,wscale 7], length 0
[Interface:br-lan] 13:24:14.976801 IP 185.106.123.70.37458 > 192.168.1.49.80: Flags [S], seq 441372093, win 29200, options [mss 1460,nop,nop,TS val 293653064 ecr 0,nop,wscale 8], length 0
[Interface:br-lan] 13:24:14.977438 IP 192.168.1.49.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370445086 ecr 293653064,nop,wscale 7], length 0
[Interface:eth1] 13:24:10.094727 IP 192.168.1.49.80 > 185.106.123.70.37306: Flags [S.], seq 3974655237, ack 4122536240, win 65160, options [mss 1460,nop,nop,TS val 3370440203 ecr 293617103,nop,wscale 7], length 0
[Interface:wgmia] 13:24:10.094118 IP 185.106.123.70.37306 > 10.100.100.12.80: Flags [S], seq 4122536239, win 29200, options [mss 1460,nop,nop,TS val 293648160 ecr 0,nop,wscale 8], length 0
[Interface:wgmia] 13:24:14.976619 IP 185.106.123.70.37458 > 10.100.100.12.80: Flags [S], seq 441372093, win 29200, options [mss 1460,nop,nop,TS val 293653064 ecr 0,nop,wscale 8], length 0
[Interface:eth1.1] 13:24:15.977181 IP 185.106.123.70.37458 > 192.168.1.49.80: Flags [S], seq 441372093, win 29200, options [mss 1460,nop,nop,TS val 293654066 ecr 0,nop,wscale 8], length 0
[Interface:eth1.1] 13:24:15.977944 IP 192.168.1.49.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370446086 ecr 293653064,nop,wscale 7], length 0
[Interface:eth0.2] 13:24:14.977581 IP 10.100.100.12.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370445086 ecr 293653064,nop,wscale 7], length 0
[Interface:eth0.2] 13:24:15.978084 IP 10.100.100.12.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370446086 ecr 293653064,nop,wscale 7], length 0
[Interface:eth1] 13:24:14.977438 IP 192.168.1.49.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370445086 ecr 293653064,nop,wscale 7], length 0
[Interface:eth1] 13:24:15.977944 IP 192.168.1.49.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370446086 ecr 293653064,nop,wscale 7], length 0
[Interface:br-lan] 13:24:15.977160 IP 185.106.123.70.37458 > 192.168.1.49.80: Flags [S], seq 441372093, win 29200, options [mss 1460,nop,nop,TS val 293654066 ecr 0,nop,wscale 8], length 0
[Interface:br-lan] 13:24:15.977944 IP 192.168.1.49.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370446086 ecr 293653064,nop,wscale 7], length 0
[Interface:eth1] 13:24:15.977967 IP 192.168.1.49.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370446086 ecr 293653064,nop,wscale 7], length 0
[Interface:br-lan] 13:24:15.977967 IP 192.168.1.49.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370446086 ecr 293653064,nop,wscale 7], length 0
[Interface:wgmia] 13:24:15.977081 IP 185.106.123.70.37458 > 10.100.100.12.80: Flags [S], seq 441372093, win 29200, options [mss 1460,nop,nop,TS val 293654066 ecr 0,nop,wscale 8], length 0
[Interface:br-lan] 13:24:17.984868 IP 185.106.123.70.37458 > 192.168.1.49.80: Flags [S], seq 441372093, win 29200, options [mss 1460,nop,nop,TS val 293656072 ecr 0,nop,wscale 8], length 0
[Interface:eth1.1] 13:24:15.977967 IP 192.168.1.49.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370446086 ecr 293653064,nop,wscale 7], length 0
[Interface:eth0.2] 13:24:15.978193 IP 10.100.100.12.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370446086 ecr 293653064,nop,wscale 7], length 0
[Interface:eth1.1] 13:24:17.984876 IP 185.106.123.70.37458 > 192.168.1.49.80: Flags [S], seq 441372093, win 29200, options [mss 1460,nop,nop,TS val 293656072 ecr 0,nop,wscale 8], length 0
[Interface:br-lan] 13:24:17.985437 IP 192.168.1.49.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370448094 ecr 293653064,nop,wscale 7], length 0
[Interface:eth1] 13:24:17.985437 IP 192.168.1.49.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370448094 ecr 293653064,nop,wscale 7], length 0
[Interface:eth1.1] 13:24:17.985437 IP 192.168.1.49.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370448094 ecr 293653064,nop,wscale 7], length 0
[Interface:eth0.2] 13:24:17.985482 IP 10.100.100.12.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370448094 ecr 293653064,nop,wscale 7], length 0
[Interface:br-lan] 13:24:20.013720 IP 192.168.1.49.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370450122 ecr 293653064,nop,wscale 7], length 0
[Interface:br-lan] 13:24:21.989507 IP 185.106.123.70.37458 > 192.168.1.49.80: Flags [S], seq 441372093, win 29200, options [mss 1460,nop,nop,TS val 293660080 ecr 0,nop,wscale 8], length 0
[Interface:eth1] 13:24:20.013720 IP 192.168.1.49.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370450122 ecr 293653064,nop,wscale 7], length 0
[Interface:wgmia] 13:24:17.984842 IP 185.106.123.70.37458 > 10.100.100.12.80: Flags [S], seq 441372093, win 29200, options [mss 1460,nop,nop,TS val 293656072 ecr 0,nop,wscale 8], length 0
[Interface:eth1.1] 13:24:20.013720 IP 192.168.1.49.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370450122 ecr 293653064,nop,wscale 7], length 0
[Interface:eth1.1] 13:24:21.989517 IP 185.106.123.70.37458 > 192.168.1.49.80: Flags [S], seq 441372093, win 29200, options [mss 1460,nop,nop,TS val 293660080 ecr 0,nop,wscale 8], length 0
[Interface:eth0.2] 13:24:20.013766 IP 10.100.100.12.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370450122 ecr 293653064,nop,wscale 7], length 0
[Interface:br-lan] 13:24:21.989917 IP 192.168.1.49.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370452098 ecr 293653064,nop,wscale 7], length 0
[Interface:br-lan] 13:24:26.025659 IP 192.168.1.49.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370456134 ecr 293653064,nop,wscale 7], length 0
[Interface:eth1] 13:24:21.989917 IP 192.168.1.49.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370452098 ecr 293653064,nop,wscale 7], length 0
[Interface:eth1] 13:24:26.025659 IP 192.168.1.49.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370456134 ecr 293653064,nop,wscale 7], length 0
[Interface:eth1.1] 13:24:21.989917 IP 192.168.1.49.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370452098 ecr 293653064,nop,wscale 7], length 0
[Interface:eth1.1] 13:24:26.025659 IP 192.168.1.49.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370456134 ecr 293653064,nop,wscale 7], length 0
[Interface:eth0.2] 13:24:21.990019 IP 10.100.100.12.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370452098 ecr 293653064,nop,wscale 7], length 0
[Interface:eth0.2] 13:24:26.025765 IP 10.100.100.12.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370456134 ecr 293653064,nop,wscale 7], length 0
[Interface:br-lan] 13:24:26.281610 IP 192.168.1.49.80 > 185.106.123.70.37306: Flags [S.], seq 3974655237, ack 4122536240, win 65160, options [mss 1460,nop,nop,TS val 3370456390 ecr 293617103,nop,wscale 7], length 0
[Interface:br-lan] 13:24:30.010815 IP 185.106.123.70.37458 > 192.168.1.49.80: Flags [S], seq 441372093, win 29200, options [mss 1460,nop,nop,TS val 293668096 ecr 0,nop,wscale 8], length 0
[Interface:eth1] 13:24:26.281610 IP 192.168.1.49.80 > 185.106.123.70.37306: Flags [S.], seq 3974655237, ack 4122536240, win 65160, options [mss 1460,nop,nop,TS val 3370456390 ecr 293617103,nop,wscale 7], length 0
[Interface:eth1.1] 13:24:26.281610 IP 192.168.1.49.80 > 185.106.123.70.37306: Flags [S.], seq 3974655237, ack 4122536240, win 65160, options [mss 1460,nop,nop,TS val 3370456390 ecr 293617103,nop,wscale 7], length 0
[Interface:eth1.1] 13:24:30.010834 IP 185.106.123.70.37458 > 192.168.1.49.80: Flags [S], seq 441372093, win 29200, options [mss 1460,nop,nop,TS val 293668096 ecr 0,nop,wscale 8], length 0
[Interface:eth0.2] 13:24:26.281765 IP 10.100.100.12.80 > 185.106.123.70.37306: Flags [S.], seq 3974655237, ack 4122536240, win 65160, options [mss 1460,nop,nop,TS val 3370456390 ecr 293617103,nop,wscale 7], length 0
[Interface:wgmia] 13:24:21.989482 IP 185.106.123.70.37458 > 10.100.100.12.80: Flags [S], seq 441372093, win 29200, options [mss 1460,nop,nop,TS val 293660080 ecr 0,nop,wscale 8], length 0
[Interface:br-lan] 13:24:30.011363 IP 192.168.1.49.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370460120 ecr 293653064,nop,wscale 7], length 0
[Interface:eth1] 13:24:30.011363 IP 192.168.1.49.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370460120 ecr 293653064,nop,wscale 7], length 0
[Interface:eth1.1] 13:24:30.011363 IP 192.168.1.49.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370460120 ecr 293653064,nop,wscale 7], length 0
[Interface:eth0.2] 13:24:30.011478 IP 10.100.100.12.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370460120 ecr 293653064,nop,wscale 7], length 0

This seems to say the old WAN outbound route is still being used instead of 'wgmia' ?

[Interface:eth0.2] 13:24:14.977581 IP 10.100.100.12.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370445086 ecr 293653064,nop,wscale 7], length 0
[Interface:eth0.2] 13:24:15.978084 IP 10.100.100.12.80 > 185.106.123.70.37458: Flags [S.], seq 1280850273, ack 441372094, win 65160, options [mss 1460,nop,nop,TS val 3370446086 ecr 293653064,nop,wscale 7], length 0

I'm not really sure how to verify this - but I went to the VPS public internet facing interface eth0 and did tcpdump there - i should be seeing a reponse packet sent back to client 38864 port but nothing is coming

root@mia:~/split# tcpdump -i eth0 host 185.106.123.70 and port 80 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:29:04.036963 IP 185.106.123.70.38864 > 158.51.113.115.80: Flags [S], seq 441345269, win 29200, options [mss 1460,nop,nop,TS val 293942143 ecr 0,nop,wscale 8], length 0
13:29:05.037935 IP 185.106.123.70.38864 > 158.51.113.115.80: Flags [S], seq 441345269, win 29200, options [mss 1460,nop,nop,TS val 293943144 ecr 0,nop,wscale 8], length 0
13:29:07.041895 IP 185.106.123.70.38864 > 158.51.113.115.80: Flags [S], seq 441345269, win 29200, options [mss 1460,nop,nop,TS val 293945148 ecr 0,nop,wscale 8], length 0
13:29:11.046001 IP 185.106.123.70.38864 > 158.51.113.115.80: Flags [S], seq 441345269, win 29200, options [mss 1460,nop,nop,TS val 293949152 ecr 0,nop,wscale 8], length 0
13:29:19.061788 IP 185.106.123.70.38864 > 158.51.113.115.80: Flags [S], seq 441345269, win 29200, options [mss 1460,nop,nop,TS val 293957168 ecr 0,nop,wscale 8], length 0
13:29:35.077759 IP 185.106.123.70.38864 > 158.51.113.115.80: Flags [S], seq 441345269, win 29200, options [mss 1460,nop,nop,TS val 293973184 ecr 0,nop,wscale 8], length 0
13:30:07.141554 IP 185.106.123.70.38864 > 158.51.113.115.80: Flags [S], seq 441345269, win 29200, options [mss 1460,nop,nop,TS val 294005248 ecr 0,nop,wscale 8], length 0

doing packet capture on the VPS wireguard tunnel interface too - shows no responses

root@mia:~/split# tcpdump -i wghub host 185.106.123.70 and port 80 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wghub, link-type RAW (Raw IP), capture size 262144 bytes
13:30:47.328351 IP 185.106.123.70.39370 > 10.100.100.12.80: Flags [S], seq 3676323380, win 29200, options [mss 1460,nop,nop,TS val 294045425 ecr 0,nop,wscale 8], length 0
13:30:48.321457 IP 185.106.123.70.39370 > 10.100.100.12.80: Flags [S], seq 3676323380, win 29200, options [mss 1460,nop,nop,TS val 294046428 ecr 0,nop,wscale 8], length 0
13:30:50.325427 IP 185.106.123.70.39370 > 10.100.100.12.80: Flags [S], seq 3676323380, win 29200, options [mss 1460,nop,nop,TS val 294048432 ecr 0,nop,wscale 8], length 0
13:30:54.333426 IP 185.106.123.70.39370 > 10.100.100.12.80: Flags [S], seq 3676323380, win 29200, options [mss 1460,nop,nop,TS val 294052440 ecr 0,nop,wscale 8], length 0
13:31:02.341453 IP 185.106.123.70.39370 > 10.100.100.12.80: Flags [S], seq 3676323380, win 29200, options [mss 1460,nop,nop,TS val 294060448 ecr 0,nop,wscale 8], length 0
1 Like
4

Collect the diagnostics and post it to pastebin.com redacting the private parts:

ip address show; ip route show table all; ip rule show; iptables-save -c
5

You updated this as I was writing the below.

I was able to get IPv4 port forward working via vpn-policy-routing package

uci set vpn-policy-routing.config.enabled="1"
uci set vpn-policy-routing.config.webui_show_ignore_target="1"
while uci -q delete vpn-policy-routing.@policy[0]; do :; done
uci add vpn-policy-routing policy
uci set vpn-policy-routing.@policy[-1].dest_addr="192.168.1.0/24 10.100.100.0/24"
uci set vpn-policy-routing.@policy[-1].interface="ignore"
uci add vpn-policy-routing policy
uci set vpn-policy-routing.@policy[-1].src_addr="192.168.1.0/24 10.100.100.0/24"
uci set vpn-policy-routing.@policy[-1].interface="wgmia"
uci commit vpn-policy-routing
/etc/init.d/vpn-policy-routing restart

After editing the above via web UI and explicitly adding port 80 and 443 the port forwarding routing started working, since my IPv4 default gateway continues to be my WAN.

I do have an issue with vpn-policy-routing package when NAT6 is used, I enabled IPv6 and added a rule to route all IPv6 to the WGMIA tunnel but my tests are not showing my tunnel IPv6 (http://test-ipv6.com) do you have any idea?

here's debug

root@OpenWrt:~# cat /etc/config/vpn-policy-routing

config policy
        option dest_addr '192.168.1.0/24 10.100.100.0/24'
        option interface 'ignore'

config policy
        option name 'HTTP Wireguard'
        option src_addr '192.168.1.214'
        option src_port '80'
        option interface 'wgmia'

config policy
        option name 'HTTPS WG'
        option src_addr '192.168.1.214'
        option src_port '443'
        option interface 'wgmia'

config policy
        option interface 'wgmia'
        option src_addr '192.168.1.0/24'
        option name 'WG tunnel all V4'

config vpn-policy-routing 'config'
        option verbosity '2'
        option strict_enforcement '1'
        option src_ipset '0'
        option resolver_ipset 'dnsmasq.ipset'
        list ignored_interface 'vpnserver wgserver'
        option boot_timeout '30'
        option iptables_rule_option 'append'
        option procd_reload_delay '1'
        option webui_enable_column '0'
        option webui_protocol_column '0'
        option webui_chain_column '0'
        option webui_sorting '1'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'all'
        option enabled '1'
        option webui_show_ignore_target '1'
        option dest_ipset '0'
        option ipv6_enabled '1'

config include
        option path '/etc/vpn-policy-routing.netflix.user'
        option enabled '0'

config include
        option path '/etc/vpn-policy-routing.aws.user'
        option enabled '0'

config policy
        option name 'V6 WG'
        option src_addr 'fdde:104a:0f59::/48'
        option interface 'wgmia'

root@OpenWrt:~# ip address show; ip route show table all; ip rule show; iptables-save -c
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 10:da:43:1a:c0:dc brd ff:ff:ff:ff:ff:ff
    inet6 fe80::12da:43ff:fe1a:c0dc/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 10:da:43:1a:c0:db brd ff:ff:ff:ff:ff:ff
    inet6 fe80::12da:43ff:fe1a:c0db/64 scope link
       valid_lft forever preferred_lft forever
5: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
6: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
    link/ether 02:87:5c:b6:40:63 brd ff:ff:ff:ff:ff:ff
7: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
    link/ether 72:01:d3:1b:55:80 brd ff:ff:ff:ff:ff:ff
8: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
9: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
10: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
13: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 10:da:43:1a:c0:db brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fdde:104a:f59::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::12da:43ff:fe1a:c0db/64 scope link
       valid_lft forever preferred_lft forever
14: eth1.1@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 10:da:43:1a:c0:db brd ff:ff:ff:ff:ff:ff
15: br-opnsense: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 10:da:43:1a:c0:db brd ff:ff:ff:ff:ff:ff
    inet6 fe80::12da:43ff:fe1a:c0db/64 scope link
       valid_lft forever preferred_lft forever
16: eth1.11@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-opnsense state UP group default qlen 1000
    link/ether 10:da:43:1a:c0:db brd ff:ff:ff:ff:ff:ff
17: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 10:da:43:1a:c0:dc brd ff:ff:ff:ff:ff:ff
    inet 192.168.12.203/24 brd 192.168.12.255 scope global eth0.2
       valid_lft forever preferred_lft forever
    inet6 (some IPv6):58ee:4096:aeae:8334/64 scope global temporary dynamic
       valid_lft 86211sec preferred_lft 86030sec
    inet6 (some IPv6):5d89:1d54:0:a71/128 scope global dynamic noprefixroute
       valid_lft 85931sec preferred_lft 85931sec
    inet6 (some IPv6):12da:43ff:fe1a:c0dc/64 scope global dynamic noprefixroute
       valid_lft 86211sec preferred_lft 86211sec
    inet6 fe80::12da:43ff:fe1a:c0dc/64 scope link
       valid_lft forever preferred_lft forever
18: wgmia: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1350 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.100.100.12/24 brd 10.100.100.255 scope global wgmia
       valid_lft forever preferred_lft forever
    inet6 (some IPv6 - WGMIA tunnel):8888::12/112 scope global
       valid_lft forever preferred_lft forever
23: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-opnsense state UP group default qlen 1000
    link/ether 10:da:43:1a:c0:de brd ff:ff:ff:ff:ff:ff
    inet6 fe80::12da:43ff:fe1a:c0de/64 scope link
       valid_lft forever preferred_lft forever
24: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-opnsense state UP group default qlen 1000
    link/ether 10:da:43:1a:c0:dd brd ff:ff:ff:ff:ff:ff
    inet6 fe80::12da:43ff:fe1a:c0dd/64 scope link
       valid_lft forever preferred_lft forever
26: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 12:da:43:1a:c0:dd brd ff:ff:ff:ff:ff:ff
    inet6 fe80::10da:43ff:fe1a:c0dd/64 scope link
       valid_lft forever preferred_lft forever
10.100.100.0/24 dev wgmia table 1 proto static scope link
default via 192.168.12.1 dev eth0.2 table wan
192.168.1.0/24 dev br-lan table wan proto kernel scope link src 192.168.1.1
default via 10.100.100.12 dev wgmia table wgmia
192.168.1.0/24 dev br-lan table wgmia proto kernel scope link src 192.168.1.1
default via 192.168.12.1 dev eth0.2 proto static src 192.168.12.203
666.11.22.11 via 192.168.12.1 dev eth0.2 proto static
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.12.0/24 dev eth0.2 proto kernel scope link src 192.168.12.203
broadcast 10.100.100.0 dev wgmia table local proto kernel scope link src 10.100.100.12
local 10.100.100.12 dev wgmia table local proto kernel scope host src 10.100.100.12
broadcast 10.100.100.255 dev wgmia table local proto kernel scope link src 10.100.100.12
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
broadcast 192.168.12.0 dev eth0.2 table local proto kernel scope link src 192.168.12.203
local 192.168.12.203 dev eth0.2 table local proto kernel scope host src 192.168.12.203
broadcast 192.168.12.255 dev eth0.2 table local proto kernel scope link src 192.168.12.203
(some IPv6 - WGMIA tunnel):8888::/112 dev wgmia table 1 proto static metric 1024 pref medium
default from (some IPv6):5d89:1d54:0:a71 via fe80::e7c:28ff:fe8d:6ecc dev eth0.2 table wan proto static metric 512 pref medium
default from (some IPv6)::/64 via fe80::e7c:28ff:fe8d:6ecc dev eth0.2 table wan proto static metric 512 pref medium
(some IPv6)::/64 dev eth0.2 table wan proto static metric 256 pref medium
(some IPv6)::/64 via fe80::e7c:28ff:fe8d:6ecc dev eth0.2 table wan proto static metric 512 pref medium
fe80::/64 dev eth0.2 table wan proto kernel metric 256 pref medium
default from (some IPv6):5d89:1d54:0:a71 via fe80::e7c:28ff:fe8d:6ecc dev eth0.2 proto static metric 512 pref medium
default from (some IPv6)::/64 via fe80::e7c:28ff:fe8d:6ecc dev eth0.2 proto static metric 512 pref medium
(some IPv6)::/64 dev eth0.2 proto static metric 256 pref medium
(some IPv6)::/64 via fe80::e7c:28ff:fe8d:6ecc dev eth0.2 proto static metric 512 pref medium
unreachable (some IPv6)::/64 dev lo proto static metric 2147483647 error 4294967183 pref medium
fdde:104a:f59::/64 dev br-lan proto static metric 1024 pref medium
fdde:104a:f59:4::/62 via fe80::26a0:74ff:fe73:be57 dev br-lan proto static metric 1024 pref medium
unreachable fdde:104a:f59::/48 dev lo proto static metric 2147483647 error 4294967183 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev br-opnsense proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev wlan0-1 proto kernel metric 256 pref medium
default via fe80::e7c:28ff:fe8d:6ecc dev eth0.2 proto ra metric 1024 expires 1610sec mtu 1440 hoplimit 64 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast (some IPv6 - WGMIA tunnel):8888:: dev wgmia table local proto kernel metric 0 pref medium
local (some IPv6 - WGMIA tunnel):8888::12 dev wgmia table local proto kernel metric 0 pref medium
anycast (some IPv6):: dev eth0.2 table local proto kernel metric 0 pref medium
local (some IPv6):12da:43ff:fe1a:c0dc dev eth0.2 table local proto kernel metric 0 pref medium
local (some IPv6):58ee:4096:aeae:8334 dev eth0.2 table local proto kernel metric 0 pref medium
local (some IPv6):5d89:1d54:0:a71 dev eth0.2 table local proto kernel metric 0 pref medium
anycast fdde:104a:f59:: dev br-lan table local proto kernel metric 0 pref medium
local fdde:104a:f59::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth1 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-opnsense table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.2 table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan1 table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan0-1 table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan0 table local proto kernel metric 0 pref medium
local fe80::10da:43ff:fe1a:c0dd dev wlan0-1 table local proto kernel metric 0 pref medium
local fe80::12da:43ff:fe1a:c0db dev eth1 table local proto kernel metric 0 pref medium
local fe80::12da:43ff:fe1a:c0db dev br-opnsense table local proto kernel metric 0 pref medium
local fe80::12da:43ff:fe1a:c0db dev br-lan table local proto kernel metric 0 pref medium
local fe80::12da:43ff:fe1a:c0dc dev eth0 table local proto kernel metric 0 pref medium
local fe80::12da:43ff:fe1a:c0dc dev eth0.2 table local proto kernel metric 0 pref medium
local fe80::12da:43ff:fe1a:c0dd dev wlan0 table local proto kernel metric 0 pref medium
local fe80::12da:43ff:fe1a:c0de dev wlan1 table local proto kernel metric 0 pref medium
ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
ff00::/8 dev eth1 table local proto kernel metric 256 pref medium
ff00::/8 dev br-opnsense table local proto kernel metric 256 pref medium
ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
ff00::/8 dev eth0.2 table local proto kernel metric 256 pref medium
ff00::/8 dev wlan1 table local proto kernel metric 256 pref medium
ff00::/8 dev wlan0 table local proto kernel metric 256 pref medium
ff00::/8 dev wgmia table local proto kernel metric 256 pref medium
ff00::/8 dev wlan0-1 table local proto kernel metric 256 pref medium
0:      from all lookup local
9998:   from all fwmark 0x20000/0xff0000 lookup wgmia
9999:   from all fwmark 0x10000/0xff0000 lookup wan
10000:  from 10.100.100.12 lookup 1
20000:  from all to 10.100.100.12/24 lookup 1
30000:  from all fwmark 0x1 iif br-lan lookup 1
32766:  from all lookup main
32767:  from all lookup default
90018:  from all iif lo lookup 1
# Generated by iptables-save v1.8.3 on Sat May 22 14:50:30 2021
*nat
:PREROUTING ACCEPT [7639:912811]
:INPUT ACCEPT [2606:152546]
:OUTPUT ACCEPT [369:26052]
:POSTROUTING ACCEPT [198:13773]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:postrouting_wgmia_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:prerouting_wgmia_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wgmia_postrouting - [0:0]
:zone_wgmia_prerouting - [0:0]
[7643:913105] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[6182:492079] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[111:37517] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[142:29140] -A PREROUTING -i wgmia -m comment --comment "!fw3" -j zone_wgmia_prerouting
[3041:208253] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[4:1050] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[1464:98006] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[1378:96411] -A POSTROUTING -o wgmia -m comment --comment "!fw3" -j zone_wgmia_postrouting
[4:1050] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.214/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.214/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j SNAT --to-source 192.168.1.1
[6182:492079] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 10.100.100.12/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP (reflection)" -j DNAT --to-destination 192.168.1.214:80
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 10.100.100.12/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j DNAT --to-destination 192.168.1.214:443
[1464:98006] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[1461:97823] -A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
[1461:97823] -A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
[1464:98006] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[111:37517] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[111:37517] -A zone_wan_prerouting -j MINIUPNPD
[111:37517] -A zone_wan_prerouting -j MINIUPNPD
[1378:96411] -A zone_wgmia_postrouting -m comment --comment "!fw3: Custom wgmia postrouting rule chain" -j postrouting_wgmia_rule
[1378:96411] -A zone_wgmia_postrouting -m comment --comment "!fw3" -j MASQUERADE
[142:29140] -A zone_wgmia_prerouting -m comment --comment "!fw3: Custom wgmia prerouting rule chain" -j prerouting_wgmia_rule
[0:0] -A zone_wgmia_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP" -j DNAT --to-destination 192.168.1.214:80
[0:0] -A zone_wgmia_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS" -j DNAT --to-destination 192.168.1.214:443
COMMIT
# Completed on Sat May 22 14:50:30 2021
# Generated by iptables-save v1.8.3 on Sat May 22 14:50:30 2021
*raw
:PREROUTING ACCEPT [99539:104824089]
:OUTPUT ACCEPT [25690:10498721]
:zone_lan_helper - [0:0]
[39059:7800575] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
COMMIT
# Completed on Sat May 22 14:50:30 2021
# Generated by iptables-save v1.8.3 on Sat May 22 14:50:30 2021
*mangle
:PREROUTING ACCEPT [68996:78281685]
:INPUT ACCEPT [36142:38265918]
:FORWARD ACCEPT [32291:39810191]
:OUTPUT ACCEPT [18533:6812433]
:POSTROUTING ACCEPT [50710:46617740]
:VPR_MARK0x010000 - [0:0]
:VPR_MARK0x020000 - [0:0]
:VPR_PREROUTING - [0:0]
[0:0] -A PREROUTING -s 192.168.1.214/32 -p tcp -m tcp --sport 80 -m comment --comment "!fw3: Mark-HTTP" -j MARK --set-xmark 0x1/0xffffffff
[0:0] -A PREROUTING -s 192.168.1.214/32 -p tcp -m tcp --sport 443 -m comment --comment "!fw3: Mark-HTTPS" -j MARK --set-xmark 0x1/0xffffffff
[69105:78303501] -A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
[856:47308] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[227:12456] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A VPR_MARK0x010000 -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPR_MARK0x010000 -j RETURN
[17289:3784904] -A VPR_MARK0x020000 -j MARK --set-xmark 0x20000/0xff0000
[17289:3784904] -A VPR_MARK0x020000 -j RETURN
[4065:226777] -A VPR_PREROUTING -d 192.168.1.0/24 -m comment --comment blank -j RETURN
[9454:35028666] -A VPR_PREROUTING -d 10.100.100.0/24 -m comment --comment blank -j RETURN
[0:0] -A VPR_PREROUTING -s 192.168.1.214/32 -p tcp -m multiport --sports 80 -m comment --comment HTTP_Wireguard -g VPR_MARK0x020000
[0:0] -A VPR_PREROUTING -s 192.168.1.214/32 -p udp -m multiport --sports 80 -m comment --comment HTTP_Wireguard -g VPR_MARK0x020000
[0:0] -A VPR_PREROUTING -s 192.168.1.214/32 -p tcp -m multiport --sports 443 -m comment --comment HTTPS_WG -g VPR_MARK0x020000
[0:0] -A VPR_PREROUTING -s 192.168.1.214/32 -p udp -m multiport --sports 443 -m comment --comment HTTPS_WG -g VPR_MARK0x020000
[17289:3784904] -A VPR_PREROUTING -s 192.168.1.0/24 -m comment --comment WG_tunnel_all_V4 -g VPR_MARK0x020000
COMMIT
# Completed on Sat May 22 14:50:30 2021
# Generated by iptables-save v1.8.3 on Sat May 22 14:50:30 2021
*filter
:INPUT ACCEPT [7:2586]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_wgmia_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_wgmia_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_wgmia_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wgmia_dest_ACCEPT - [0:0]
:zone_wgmia_dest_REJECT - [0:0]
:zone_wgmia_forward - [0:0]
:zone_wgmia_input - [0:0]
:zone_wgmia_output - [0:0]
:zone_wgmia_src_REJECT - [0:0]
[439:46803] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[41103:38945990] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[37718:38683944] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[52:2704] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[2924:179262] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[155:36884] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[299:43314] -A INPUT -i wgmia -m comment --comment "!fw3" -j zone_wgmia_input
[55658:65254219] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[51238:64620704] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[4420:633515] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wgmia -m comment --comment "!fw3" -j zone_wgmia_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[439:46803] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[25256:10456722] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[24760:10425545] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[6:1749] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[490:29428] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o wgmia -m comment --comment "!fw3" -j zone_wgmia_output
[404:58176] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[50:22022] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[52:2704] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[6:1749] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[4420:633515] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[4420:633515] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[2491:341681] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wgmia forwarding policy" -j zone_wgmia_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2924:179262] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[2924:179262] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[6:1749] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[6:1749] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2924:179262] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[219:13808] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[2200:307454] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -j MINIUPNPD
[0:0] -A zone_wan_forward -j MINIUPNPD
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[155:36884] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[155:36884] -A zone_wan_input -j MINIUPNPD
[155:36884] -A zone_wan_input -j MINIUPNPD
[155:36884] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[490:29428] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[490:29428] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[155:36884] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
[29:1484] -A zone_wgmia_dest_ACCEPT -o wgmia -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[2462:340197] -A zone_wgmia_dest_ACCEPT -o wgmia -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wgmia_dest_REJECT -o wgmia -m comment --comment "!fw3" -j reject
[0:0] -A zone_wgmia_forward -m comment --comment "!fw3: Custom wgmia forwarding rule chain" -j forwarding_wgmia_rule
[0:0] -A zone_wgmia_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP-WG" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wgmia_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP-WG" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wgmia_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wgmia_forward -m comment --comment "!fw3" -j zone_wgmia_dest_REJECT
[299:43314] -A zone_wgmia_input -m comment --comment "!fw3: Custom wgmia input rule chain" -j input_wgmia_rule
[0:0] -A zone_wgmia_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping-WG" -j ACCEPT
[0:0] -A zone_wgmia_input -p igmp -m comment --comment "!fw3: Allow-IGMP-WG" -j ACCEPT
[0:0] -A zone_wgmia_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[299:43314] -A zone_wgmia_input -m comment --comment "!fw3" -j zone_wgmia_src_REJECT
[0:0] -A zone_wgmia_output -m comment --comment "!fw3: Custom wgmia output rule chain" -j output_wgmia_rule
[0:0] -A zone_wgmia_output -m comment --comment "!fw3" -j zone_wgmia_dest_ACCEPT
[299:43314] -A zone_wgmia_src_REJECT -i wgmia -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat May 22 14:50:30 2021
root@OpenWrt:~#
1 Like
6

It is best to request a public prefix from the VPS provider.
This can help to avoid NAT6 and significantly simplify the router configuration.

7

I hear you, if possible I wanted LAN to continue to have private IPv6 addresses - then openwrt decides if there is an entry for routing which I think its whats currently broken when I try to use vpn-policy-routing to do the V6 routes.

Any hints of what places I should look for this when diagnosing NAT66?

1 Like
8

Pay attention to the rule order and traffic counters:

ip -6 rule show; ip6tables-save -c

@TheLinuxGuy, thanks for your support! :smiley: :vulcan_salute: :beers:

9

I find no information about the order. How should I order my rules, or where can I find information about the ordering? I have spent an hour searching the wiki and forum…