Hello guys,
I'm recently playing with wireguard on my home router to connect several of my networks. My local LAN address is 192.168.0.1/24. The wireguard interface address is 192.168.9.1/24. Through this interface there's a remote server(192.168.9.2) is connected with my LAN network. I can access the SSH service at 192.168.9.2:50000 from PCs in LAN. The wireguard interface shares the same firewall zone with LAN interface. So they can access to each other without any port forward.
Now I want to connect to SSH service at 192.168.9.2:50000 from my office PC. Because IT blocks all the ports except 443. So I did a port forward from router WAN 443 port to LAN 192.168.9.2:50000. But seems it just doesn't work with this rule. To narrow down the cause, I tried forward WAN 443 to local 192.168.0.1:22 where there is a router admin SSH service and it works. So it looks like the issue isn't in the WAN side. I guess there must be some issues when I assign the wireguard interface to the LAN firewall zone. But this really simplify the setup. Not sure what I've missed. Any help or comment is appreciated.
I would guess that your server has its own default gateway and when it receives a request from some public IP address, the reply packets are returned through a different interface.
Try SNAT'ing the forwarded requests to the router's wg IP address.
uci add firewall nat
uci set firewall.@nat[-1].name='wg-SNAT-to-server'
uci set firewall.@nat[-1].src='lan'
uci set firewall.@nat[-1].target='SNAT'
uci set firewall.@nat[-1].snat_ip='192.168.9.1'
uci set firewall.@nat[-1].dest_ip='192.168.9.2'
uci set firewall.@nat[-1].proto='tcp'
uci set firewall.@nat[-1].dest_port='50000'
uci commit firewall
/etc/init.d/firewall restart
You're amazing my friend! I had doute but after tried it seems working. I tested it on my phone which has public IP address. Here are the new SNAT rules. The last line did the magic.
But I have one question. Would it be too extensive to translate the source address for all of the packets heading 192.168.9.2? I'm thinking of only apply the rule for the packets have the source address of my office WAN IP. I'm not able to test it until I get back to office. Do you think this would work? (maybe it's stupid. I'm lacking of knowledge on firewall rules)
The rule only covers packets destined to port 50000, so it's not a problem.
These nat reflection rules are not needed, nor is the udp protocol.
Edit the port forwarding rule by unchecking the udp protocol and Enable NAT Loopback as well.
If you will only access the server from your office, you can enter the corresponding IP address in the Source IP address field.
I decided to use iptables command to add the rules directly. Becuase I found with Luci no matter how I change the configuration the reflection rules are always there. That's quite annoying. Here are the commands I added to /etc/firewall.user as well as part of the NAT table after restart the firewall. It seems working well now. @pavelgl Do you see any potential issue with this configuration?
iptables -t nat -A zone_wan_prerouting -s [OFFICE WAN IP] -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.9.2:50000
iptables -t nat -A zone_lan_postrouting -s [OFFICE WAN IP] -d 192.168.9.2 -p tcp -m tcp --dport 50000 -j SNAT --to-source 192.168.9.1
Chain zone_lan_postrouting (2 references)
pkts bytes target prot opt in out source destination
121 35612 postrouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan postrouting rule chain */
35 1820 SNAT tcp -- * * [OFFICE WAN IP] 192.168.9.2 tcp dpt:50000 to:192.168.9.1
Chain zone_lan_prerouting (2 references)
pkts bytes target prot opt in out source destination
592 90076 prerouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan prerouting rule chain */
Chain zone_wan_postrouting (2 references)
pkts bytes target prot opt in out source destination
196 9753 postrouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan postrouting rule chain */
196 9753 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_prerouting (2 references)
pkts bytes target prot opt in out source destination
251 12985 prerouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan prerouting rule chain */
35 1820 DNAT tcp -- * * [OFFICE WAN IP] 0.0.0.0/0 tcp dpt:443 to:192.168.9.2:50000
