Port forwarding in through a WAN IP with active wireguard connection to LAN IP


I’m trying to understand where I’m going wrong when port forwarding with openwrt.

I’m trying to switch over to openwrt from opnsense.

The setup I have with opnsense is one of a fairly basic WAN and LAN with the LAN IP being and a public WAN IP being 212.213.xx.xx

On top of this I have a wireguard client running which gives a public ip of 89.54.xx.xx

This all works on opnsense and also on openwrt.

The problem I have is that with opnsense i can just create a port forwarding rule under Firewall>NAT>Port forward and it allows a service running on a computer ( to be accessed via the public WAN IP (212.213.xx.xx) while still only permitting the same computer ( to access the internet via the wireguard connection (89.54.xx.xx).

When I try and do the same thing with openwrt the port fowarding no longer works through the WAN IP. I can get port forwarding to work through the wireguard connection but not the WAN IP.

The end result I’m trying to achieve is this: Remote computer ( 80.113.xx.xx) ftp into 212.213.xx.xx:25811 that has the ftp server running on

At the same time accesses whatsmyip.com and it shows its accessing the internet via the wireguard connection (89.54.xx.xx)

This works fine with opnsense but I can’t for the life of me figure out how to get it to work with openwrt.

Going a little bit crazy trying to understand how to get it to work and so I thought I would come here and ask for help as well as just to check and make sure what I want can even be done with openwrt as that’s the impression I’m getting right now.

Just to be clear I’m not trying to port forward via wireguard. I’m trying to port forward through the WAN IP while also having wireguard active for internet access on the same computer. Everything going out from the computer ( goes out via wireguard. Anything coming in through the WAN IP (212.213.xx.xx) on port 25811 goes to the same computer (

I can easily do this on opnsense but can’t seem to do the same thing with openwrt.

Any help appreciated.

Currently, the requests arrive from the wan interface, but the replies are returned through the wireguard interface.

If you are not experienced enough, the easiest way would be to install the pbr package and create a policy like this:

config policy
        option name 'FTP'
        option src_port '25811'
        option interface 'wan'
        option proto 'tcp'
        option src_addr ''
        option enabled '1'

Hey, thanks for the reply.

Where exactly do I put these settings?

I found and installed this package: luci-app-pbr

I tried doing this:

Along with some other variations but it didn't work.

I'd split this into steps.

  1. Make sure wg is not a default route on your router.
  2. Set up the fw rule to forward wanip:25811 connections to and make sure it works.
  3. Add this one and only policy to pbr (substituting wg with the name of the wg interface on your router):
config policy
        option name 'FTP'
        option src_port '!25811'
        option interface 'wg'
        option src_addr ''

Thanks for the reply.

I tried that and it did sort of work but then it broke my DNS so couldn’t access the net.

However, the good news is I’ve finally managed to get it working now!

I think I know what happened and where I went wrong.

When I first installed luci-app-pbr I had the LAN port forward rule working, input the first replies config settings into a route policy like I showed in my screenshot above but failed to notice that the stupid luci-app-pbr wasn’t enabled and running by default after install.

I then fruitlessly tried fiddling with the luci-app-pbr settings, concluded it still wasn’t working and then had the bright idea that maybe the port forwarding I originally made to the LAN was now interfering with the luci-app-pbr config so deleted it.

A short while later I then discovered luci-app-pbr wasn’t even enabled or running so enabled it and got it running but then only continued to focus on getting the luci-app-pbr config to work without the port forwarding to the LAN being there as well.

So of course when I try the next replies advice it says to make sure the port forwarding to the LAN is working first so I add it back.

I then discover the DNS problem, revert back to the first replies initial config, now with the port forwarding to LAN also being present WITH luci-app-pbr enabled and running and woohoo, its working now!

So thanks to both of you for the help, between you, you managed to help me get the right settings and overcome my own stupidity.

Lesson learnt: When installing a new package, makes sure it’s enabled and running before you try and use it!

Second lesson learnt: When you discover you’ve made a mistake, go back and try everything from the start. Don’t continue mid-way through something not working and then consider it as having tried “everything”.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.