I have VPS server and OpenWRT router behind CGNAT. I want to forward port so when I enter 33.129.202.22 it should forward request to 192.168.1.1 which then will forward traffic to 192.168.1.5. Here is diagram:
I want to achieve easiest solution, without using PBR. From server side, everything is working (I have second device, Mikrotik that works exactly on same VPS but different ports).
So my question is not about setting up VPS, I just want to know how to handle it on OpenWRT.
Wireguard client also works on OpenWRT. I can ping server -> openwrt and openwrt -> server, but port forwarding just not works.
I think response does not know where to go. I don't want to tunnel all outgoing traffic (If I will check checkbox route all traffic and allowed ips = 0.0.0.0/0 everything works, even port forwarding).
Let me share my experience. I have two routers deployed. I am downstream of the wireguard router which is a MikroTik RouterBOARD 951Ui-2nD running LuCI openwrt-19.07.
The 'Tic OpenWRT is checked to route all traffic via wg. Connected to it is a lowly Grandstream ATA . For several weeks I attempted to get the device configured (ATA) to connect outside the tunnel with no success. DMZ/Port Fwd nothing allowed the ATA to grab 5060-5061 5079-5080 UPD to get the provisioning. Wireguard is doing it job. Somewhat throwing in the towel I put the ATA on a third router upstream the 'Tik. Since it was no longer encumbered by the tunnel enforced by Wireguard ~ it provisioned.
However, I didn't like having another router in the house with the sole purpose of providing me Voip. I left it like that while I scoured the internet for something that would bring my back to two router and that was PBR/VPR
[vpn-policy-routing 0.2.1-13].
With this regard, I'm not attempting to dissuade you to look for the simplest solution without using PBR. I'm sharing. A third router for you, outside the wg tunnel might be an option to consider if you have not already.
If you have requisite skill in RouterOS we have a community member that could use your help @sevo, and perhaps you two can assist each other achieving goals.
Warm Regards
Bill
The Edit:
Thank you @midler for a thought provoking question:
Thank you @pavelgl for providing me a solution via PM to the ATA
vpn policy base routing is stopped/disabled
The Fix for ATA ~ Voip ~
config interface 'wan'
option ifname 'eth0'
option proto 'dhcp'
option peerdns '0'
list dns '127.0.0.1'
option metric '10' # Added Metric option
config rule # confg rule where option src 'ATA Device'
option in 'lan'
option src '192.168.33.xxx/32'
option lookup '100'
config route # option gateway 'ISP gateway'
option target '0.0.0.0/0'
option interface 'wan'
option table '100'
option gateway 'xxx.254.44.1'
/etc/config$ ip route show default
default dev SSWG proto static scope link
default via xxx.254.44.1 dev eth0 proto static src xxx.254.44.175 metric 10
/etc/config$ ip rule
0: from all lookup local
1: from 192.168.33.xxx iif br-lan lookup 100
32766: from all lookup main
32767: from all lookup default
/etc/config$ ip route show table 100
default via xxx.254.44.1 dev eth0 proto static metric 10
@midler
If your problem is solved, please consider marking this topic as [Solved]. This will help community members as well as visitor quickly find results. In this case possibly TWO! Happy Routing my friends. See How to mark a topic as [Solved] for a short how-to.
uci add firewall nat
uci set firewall.@nat[-1].name='snat_to_camera'
uci set firewall.@nat[-1].proto='all'
uci set firewall.@nat[-1].src='lan'
uci set firewall.@nat[-1].target='SNAT'
uci set firewall.@nat[-1].snat_ip='192.168.1.1'
uci set firewall.@nat[-1].dest_ip='192.168.1.5'
Alright, it's my fault, I should give more information. Let's start from beginning to not lose time and help others understand how to fix this issue as there is no clear answer I can find.
So, here is my env: I have raspberry pi4 with OpenWRT for testing. I am getting internet from wifi. On lan, there is Ubuntu connected and port 80 opened (ip - 192.168.1.5). When I open ubuntu locally, simple html text is displayed saying "hey there". (instead of camera, let's say we want to enter "hey there" page using browser)
In OpenWRT, I have created new interface named "wireguard" and succesfully connected to VPS. Assigned to firewall zone "wan" I have NOT ticked "Route Allowed IPs" in wireguard interface. So now I can NOT ping 10.1.1.1 (wireguard server from OpenWRT) and I can NOT ping 10.1.1.3 (openwrt from VPS).
Here is OpenWRT config:
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
package dropbear
config dropbear
option PasswordAuth 'on'
option RootPasswordAuth 'on'
option Port '22'
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'wwan'
list network 'wireguard'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
package luci
config core 'main'
option lang 'auto'
option mediaurlbase '/luci-static/bootstrap'
option resourcebase '/luci-static/resources'
option ubuspath '/ubus/'
config extern 'flash_keep'
option uci '/etc/config/'
option dropbear '/etc/dropbear/'
option openvpn '/etc/openvpn/'
option passwd '/etc/passwd'
option opkg '/etc/opkg.conf'
option firewall '/etc/firewall.user'
option uploads '/lib/uci/upload/'
config internal 'languages'
config internal 'sauth'
option sessionpath '/tmp/luci-sessions'
option sessiontime '3600'
config internal 'ccache'
option enable '1'
config internal 'themes'
option Bootstrap '/luci-static/bootstrap'
config internal 'apply'
option rollback '90'
option holdoff '4'
option timeout '5'
option display '1.5'
config internal 'diag'
option dns 'openwrt.org'
option ping 'openwrt.org'
option route 'openwrt.org'
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd15:0da7:1c68::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wwan'
option proto 'dhcp'
config interface 'wireguard'
option proto 'wireguard'
option private_key 'MY_PRIVATE_KEY'
list addresses '10.1.1.3'
config wireguard_wireguard
option description 'Peer'
option public_key 'MY_PUBLIC_KEY'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::/0'
option endpoint_host 'MY_ENDPOINT'
option persistent_keepalive '20'
package rpcd
config rpcd
option socket '/var/run/ubus/ubus.sock'
option timeout '30'
config login
option username 'root'
option password '$p$root'
list read '*'
list write '*'
package system
config system
option hostname 'OpenWrt'
option timezone 'UTC'
option ttylogin '0'
option log_size '64'
option urandom_seed '0'
config timeserver 'ntp'
option enabled '1'
option enable_server '0'
list server '0.openwrt.pool.ntp.org'
list server '1.openwrt.pool.ntp.org'
list server '2.openwrt.pool.ntp.org'
list server '3.openwrt.pool.ntp.org'
package ucitrack
config network
option init 'network'
list affects 'dhcp'
config wireless
list affects 'network'
config firewall
option init 'firewall'
list affects 'luci-splash'
list affects 'qos'
list affects 'miniupnpd'
config olsr
option init 'olsrd'
config dhcp
option init 'dnsmasq'
list affects 'odhcpd'
config odhcpd
option init 'odhcpd'
config dropbear
option init 'dropbear'
config httpd
option init 'httpd'
config fstab
option exec '/sbin/block mount'
config qos
option init 'qos'
config system
option init 'led'
option exec '/etc/init.d/log reload'
list affects 'luci_statistics'
list affects 'dhcp'
config luci_splash
option init 'luci_splash'
config upnpd
option init 'miniupnpd'
config ntpclient
option init 'ntpclient'
config samba
option init 'samba'
config tinyproxy
option init 'tinyproxy'
package uhttpd
config uhttpd 'main'
list listen_http '0.0.0.0:80'
list listen_http '[::]:80'
list listen_https '0.0.0.0:443'
list listen_https '[::]:443'
option redirect_https '0'
option home '/www'
option rfc1918_filter '1'
option max_requests '3'
option max_connections '100'
option cert '/etc/uhttpd.crt'
option key '/etc/uhttpd.key'
option cgi_prefix '/cgi-bin'
list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
option script_timeout '60'
option network_timeout '30'
option http_keepalive '20'
option tcp_keepalive '1'
option ubus_prefix '/ubus'
config cert 'defaults'
option days '730'
option key_type 'ec'
option bits '2048'
option ec_curve 'P-256'
option country 'ZZ'
option state 'Somewhere'
option location 'Unknown'
option commonname 'OpenWrt'
package wireless
config wifi-device 'radio0'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
option htmode 'VHT80'
option cell_density '0'
config wifi-iface 'wifinet0'
option device 'radio0'
option mode 'sta'
option network 'wwan'
option ssid 'myWiFi'
option encryption 'psk2'
option key 'myWiFiKey'
Just asking because the initial pre edit had wg up top as default. Since I know you have not ticked "Route Allowed IPs", and seeing the ISP address, how would you expect to ping VPS? Can you now?
I just want simple thing - router should function normally, as there is no VPN at all, clients will not notice that I have VPN configured. I just want to have VPN to port forward to local devices through tunnel, nothing more.
But when I configure port forwarding, it does not work.
Just asking because the initial pre edit had wg up top as default. Since I know you have not ticked "Route Allowed IPs", and seeing the ISP address, how would you expect to ping VPS? Can you now?
I have manually added static route (in pre edit, then for not making confusions, I removed this as in export this rule does not exists)
Isn't this same you wrote me about VPS? This configuration on VPS works on OpenWRT if I will tick "route all traffic" and allowed ip = 0.0.0.0/0 (after this your redirect rule works)
Is eth0 the name of the wireguard interface?
Check all available interfaces using ip link
Use -I instead of -A to insert the rule at the beginning of the chain.
And please try this rule on the VPS