I have replaced my router recently. A port forward was working, but now I just can't figure out how to get it to work. Here are some screenshots from my config:
(https://photos.app.goo.gl/hj6ZpubYRqf49tKU9)
What's interesting is that when querying the WAN IP from the local network, the port forward works.
Thanks very much for your help!
The wan zone should never have input=accept when the upstream connection is untrusted (i.e. the internet). It should always be reject or drop. Your current situation is extremely dangerous.
You've also allowed forwarding from wan > lan. This is also very dangerous, as it basically renders the firewall useless. Fortunately, the NAT masquerading makes direct access to your devices difficult, but this is still a major issue that should be fixed.
Once those are fixed, let's take a look at the configuration in text form:
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
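As an added illustration (not from this thread or from OpenWrt itself), here is a small POSIX sh/awk check that reads an OpenWrt-style /etc/config/firewall in UCI syntax and flags exactly the two problems described above: a wan zone with input ACCEPT, and a forwarding rule from wan to lan. The sample configurations it produces are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenWrt-style /etc/config/firewall
# (UCI syntax) for the two problems named above. Sample configs are constructed.

# Reads UCI firewall text on stdin, prints one FINDING line per problem,
# and exits 1 if anything was found (0 when clean).
audit_fw_zones() {
    awk '
    # Evaluate the section just parsed, then reset for the next one.
    function check_section() {
        if (sect == "zone" && name == "wan" && toupper(inp) == "ACCEPT") {
            print "FINDING: zone wan has input=ACCEPT; use REJECT or DROP"; n++
        }
        if (sect == "forwarding" && src == "wan" && dest == "lan") {
            print "FINDING: forwarding wan -> lan exposes every LAN host; remove it"; n++
        }
        sect = ""; name = ""; inp = ""; src = ""; dest = ""
    }
    $1 == "config" { check_section(); sect = $2 }
    $1 == "option" {
        v = $3; gsub("[\047\"]", "", v)      # strip UCI quoting around values
        if ($2 == "name") name = v
        else if ($2 == "input") inp = v
        else if ($2 == "src") src = v
        else if ($2 == "dest") dest = v
    }
    END { check_section(); exit (n > 0) }'
}

# Constructed minimal config: sample_cfg <wan input policy> <forwarding src> <forwarding dest>
# sample_cfg ACCEPT wan lan  -> the layout criticised above
# sample_cfg REJECT lan wan  -> the corrected layout (only lan -> wan is forwarded)
sample_cfg() {
    printf "config zone\n    option name 'wan'\n    option input '%s'\n    option masq '1'\n\n" "$1"
    printf "config forwarding\n    option src '%s'\n    option dest '%s'\n" "$2" "$3"
}

# On a router: audit_fw_zones < /etc/config/firewall
if sample_cfg ACCEPT wan lan | audit_fw_zones; then
    echo "no findings"
else
    echo "firewall needs fixing before going further"
fi
```

The check only looks at the zone name and the two forwarding fields, so a zone that is attached to the upstream interface under a different name would need the name adjusted.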
Thanks! No, it starts with 178, and there is no '-' in it, and when I check my outside IP from the https://whatismyipaddress.com/ site, it returns the same as listed on the interface.
While this is unrelated to your issue, you have 2 items in your wan network interface definition that should be removed. Remove the two lines below (note: "devide")
Meanwhile, can you connect to your wireguard peer when you point the 'remote' peer to 192.168.0.99 (it must be on the same network for this to work, of course)?
Great. Just to confirm -- you do get the expected connectivity of your 'remote' peer via the 192.168.0.99 peer, right? It makes sense to verify that the tunnel is actually working (wg show on the .99 machine should show the "latest handshake").
Next, are you using your WAN IP to make the connection, or are you using a domain name? If the latter, please make sure that your domain name does indeed resolve to the WAN IP as expected.
Finally, how are you testing? Is the 'remote peer' a phone? If so, turn off wifi and use your cellular connection for the test.
There are two angles here -- one is the local DNS (via your pihole) could be resolving to the LAN IP, but it appears that you are connecting via the ddns domain name. Or, your router is doing a hairpin.
If you are unable to connect while you are on cellular, but you can connect while you are on the LAN, that may suggest that your ISP is blocking the port.
I have tried using the WAN IP (not the domain) from the local network, and it has still connected to the wireguard server.
I don't think that the ISP is blocking this port, because a few days ago this worked fine with another router.
I have a modem, and I'm using that to plug into the router's WAN port (this was the case with the older router as well), so I think this should work.
Thanks for your effort!
Well, interesting story. I installed the old router back, and it received a completely different public IP starting with 89, not 178. At first it didn't work either, but I had the idea to restart my phone; after that it worked. Then I switched to the new router, and now that also works. I'm so sorry, and thank you very much for your help!