Port forwarding help

justsomeguy · October 13, 2025, 1:48pm

I recently switched from OPNsense to OpenWRT, and I'm trying to configure the same functionality.

I'm trying to forward port 51820 to a Wireguard server on my LAN, so I can access my LAN when I'm not at home. This is a setup I've used for years. I can connect to the Wireguard server from my LAN.

Port forward settings:
Name:                       Wireguard
Restrict to address family: IPv4 only
Protocol:                   UDP
Source zone:                WAN
External port:              51820
Destination zone:           LAN
Internal IP address:        192.168.10.10 (I'm using 192.168.10.0/24 as my LAN subnet)
Internal port:              51820

I've set up dynamic DNS so that my domain is pointing to my WAN address, and this is working.
However, I can't ping the WAN address from my phone when it's connected to the cell network.

I should also mention that I have configured OpenWRT so that all internet traffic goes through Mullvad VPN. I've set up firewall zones so that if the Mullvad connection goes down, all internet traffic is blocked. I have a suspicion that this is the source of my problem, but I'm not sure.

brada4 · October 13, 2025, 1:51pm

That is port forward rule of DNAT type. Do not select destination zone filter as packets incoming are not destined to blindly forward to ip4 lan from your parameters, it follows (neighbour) route instead.

justsomeguy · October 13, 2025, 1:54pm

Do you mean I should set Destination zone = unspecified?

egc · October 13, 2025, 1:57pm

so your WireGuard server is not on the router but on a separate server on your lan in that case you use a portforward/dnat rule as @brada mentioned

these are my rules for my WireGuard server Using port 51810 both for IPv6 and IPv4 my server has a static IPv6 address of ::6 and is in the lan zone

config rule
	option name 'wg-server6-6'
	list proto 'udp'
	option src 'wan'
	option dest 'lan'
	option dest_port '51810'
	option target 'ACCEPT'
	option family 'ipv6'
	list dest_ip '::6/-64'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'WG-server6'
	list proto 'udp'
	option src 'wan'
	option src_dport '51810'
	option dest_ip '192.168.0.6'
	option dest_port '51810'

egc · October 13, 2025, 2:00pm

But if you have a default route out via the Mullvad VPN then you need to make sure that traffic which comes in via the WAN (e.g. your Wireguard server traffic) goes out via the WAN and not via the VPN.

You need Policy Based Routing for this
Either install the full PBR app which will do this automatically or do it manually

My notes about this:
OpenWRT Policy Based Routing (PBR)

P.S. not sure why you have a WireGuard firewall zone on the router if your WG server is in the LAN zone?

justsomeguy · October 13, 2025, 2:03pm

Can I set this up via the web inteface, or do I have to do it via SSH?

justsomeguy · October 13, 2025, 2:06pm

The way I had it set up on OPNsense, was that when I was connected to my Wireguard server, the traffic was still going out to the internet via Mullvad. I want the same functionality now.

The Wireguard firewall zone is for Mullvad, not my Wireguard server. I followed this guide to set it up.

egc · October 13, 2025, 2:10pm

Sure you can, but first see my P.S. from my post

It looks like this from the GUI:
for IPv4 it is PortForward (DNAT) rule

For IPv6 it is a Traffic rule just opening the port, no dnat necessary as the server has a public IPv6 address note the negative netmask so that the prefix does not matter in case the prefix is dynamic

egc · October 13, 2025, 2:15pm

Then you also have to connect via the Mullvad external IP address, they used to allow port forwarding but I think they stopped supporting this so this no longer seems possible?

You cannot connect from the WAN and go out via the VPN, the firewall will not allow that.

That guide is OK, but does not cover IPv6 and Mullvad has excellent IPv6 support, my own guide is of course better
WireGuard Client Setup Guide

justsomeguy · October 13, 2025, 2:19pm

This worked on OPNsense. But it can't be configured on OpenWRT?

egc · October 13, 2025, 2:25pm

I think that a decent firewall should not allow that but @brada is one of our firewall experts.

I never used OPNSense so I do not know what they do, I would be surprised if they allow traffic coming in from one interface go out via different interface but who knows :).

So the way to do it is to route traffic back via the incoming interface as outlined already