Port forwarding in a CGNAT scenario

My ISP doesn't provide a true public IP, and uses a double NAT/CGNAT setup.
They have instead forwarded a port from one of their public servers to my ISP-provided WAN IP (10.200.xx.yy). They are adamant that both TCP and UDP are enabled by default.

My ultimate goal is to get WG up and running, but during debugging I figured out that only TCP was coming through and no UDP packets.

I have tried to set up a minimal test for this theory, and would like some feedback on whether I am doing this correctly. Essentially, I've opened up a port to another LAN device, and then use netcat.

# Fw rule WAN 50026 (TCP/UDP/ICMP) --> 51112
config redirect
        option target 'DNAT'
        option name 'TestFwd'
        option src 'wan'
        option dest 'lan'
        option dest_ip '172.16.100.10'
        option src_dport '50026'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'
        option dest_port '51112'

Testing using nc -vvlp 51112 and nc -vvulp 51112 on the LAN device, only TCP seems to arrive when using their public IP. Inside my LAN, testing with netcat directly from the router works for both UDP and TCP as expected.

So, while I dig around more, I would like to ask: are there any particular (default) firewall rules that might be blocking UDP from the WAN side, but allowing TCP?

If your ISP provides IPv6 you can directly use your IPv6 address.

1 Like

You don't need option dest 'lan' since the destination is known by the route to dest_ip. Also it's a good idea to write a separate rule for each proto rather than trying to combine them.

Run tcpdump on the router directly looking for packets to arrive on the WAN port. If they don't reach there, clearly the problem is with the ISP.

1 Like

To be clear, WireGuard uses UDP.

No, all inbound should be blocked on wan by default.*

Troubleshoot by running tcpdump on your WAN interface to look for the packets. Then if you see them, set up a firewall rule.

*- Things like ping and traceroute are allowed - those rules are set up by default.