Portforward WAN -> OpenWrt -> S2S Fritzbox

Uhm, perhaps I did not explain my use case exactly.

I want to use storj.
Each storj node needs one TCP and one UDP port to be forwarded in my router.
Two storj nodes reachable within the same IP address are treated as one node.

I have 2 internal subnets connected to each other: SON and MOM

Both storj nodes are running on but should talk to the internet via different gateways:

Node1 -> -> Gateway (Son-Fritzbox) -> son.dyn.de
Node2 -> -> Gateway (Mom OpenWRT) -> mom.dyn.de

I tried to just create a new network on docker with the mom gateway.
I tried to port-forward 25002 TCP + UDP to
Nothing worked.

All requests from external to need routing to Node2.
All answers need to be routed to gateway mom.dyn.de.

Perhaps use OpenWRT as a proxy?

You need policy routing to route the packets from 179.2:25002 via Mom's. The port forwarding from Mom to 179.2:25002 is nothing special.

I will try to google it.

Does policy-based routing need docker + macvlan? Or does it work with the standard bridge?

My second use case: dad - son

Dad: Fritzbox 7490 FritzOS 7.50
Son: Fritzbox 7590 FritzOS 7.50

Both networks are connected via WireGuard.

I cannot replace his 7490 because of telephone + DSL modem usage.

Placed one OpenWRT Fritzbox 4040 at his place and forwarded the WireGuard port + storj port 25003.
Tried the Docker WireGuard client and was able to connect via dad.dyn.de.

Is policy-based routing possible using docker?

  • mom-macvlan
  • dad-macvlan

Do I need to route to dad's Fritzbox or OpenWRT?

Policy routing has nothing to do with docker or macvlan.
Use the firewall to mark the packets, then a rule to send them to a different routing table.


Good Evening Trendy,

In OpenWRT I created 3 rules in /etc/config/firewall:

config rule
        option src 'wan'
        option target 'ACCEPT'
        option family 'ipv4'
        option dest_port '25002'
        option name 'storj incoming'
        option dest '*'

config rule
        option name 'storj outgoing'
        option src 'lan'
        option src_port '25002'
        option dest 'wan'
        option target 'ACCEPT'
        option family 'ipv4'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option src 'wan'
        option name 'storj'
        option src_dport '25002'
        option dest_port '25002'
        option dest_ip ''

Now I tried to configure my Linux NUC:

# Marks only locally generated TCP packets: mangle OUTPUT does not see forwarded
# (docker bridge) traffic, and there is no matching UDP rule. "table mama" needs an entry in /etc/iproute2/rt_tables.
sudo iptables -t mangle -A OUTPUT -p tcp --sport 25002 -j MARK --set-mark 1
sudo ip rule add to all fwmark 1 lookup mama
sudo ip route add default via dev enp0s25 table mama onlink

I am still getting an error:

Cannot ping from mom's OpenWRT through WireGuard to my PC.

Perhaps still some rules wrong or a route missing? How to check this?

The first 2 rules are not needed. You only need the redirect.

Marking is supposed to take place in the OpenWrt firewall. There is a special target in the firewall rules to mark. Then use this mark to create an ip rule and forward the matched traffic to a custom routing table. Finally create a default route in the custom routing table.

I don't have an OpenWRT router inside my network. I can just use iptables at my Intel NUC outgoing.

In: dad-inet (DynDNS) -> 7490 (port forward 25002) -> OpenWRT (port forward 25002) -> Intel NUC port 25002, both TCP+UDP
Out: Storj -> Docker -> Intel NUC (PBR) -> route to 7490 -> Internet

I can ping dad's OpenWRT <-> Intel NUC both ways.

Uhm, now I misconfigured my mom's router.... :frowning:
She cannot access the internet anymore.
Will factory reset her 4040 this evening and start from scratch :frowning:

Better draw a complete diagram, because in one post there is mom-son and in another dad-son.
Policy routing should take place on the router which is running the S2S tunnel. Firewall marks are not passed from one device to another.

Good Morning Trendy,

I tried to draw my connections. Will try to change my 7590 to a 4040 OpenWRT, too.

Got problems forwarding my phone after getting a new IP every 24h....

Played with PBR on a Debian Linux PC like: forward all outgoing on port xx to or

And the site-to-site tunnel with WireGuard is from your 7590 to the 4040 at your mother's?
Then on your Fritzbox you need to route the packets with source port 25002 via the WireGuard tunnel to your network. I don't know if there is policy routing in the Fritzbox.
You have already forwarded 25002. So you are almost finished.

Hello Trendy,

Connected via WG: 7590 + 7490 (dad) + OpenWRT 4040 (mom).
The Fritzbox does not support PBR. Tried PBR on my Linux machine.
Found another thread with the "macvlan" option to identify different traffic.

I just see 2 other options:

  1. Change the 7590 to a 4040 running OpenWRT
  2. Try storj without docker on the Linux machine (use services instead)

Option 1: problem IP phone. Every 24h auto reconnect from the ISP to change the IP.
Old Fritz FW did not reconnect the phone after the IP change....
Will try again.
Option 2: don't know if PBR on the Linux machine will work.

PBR works fine on any Linux and docker is not the problem here.
The problem is that the tunnel runs on the router. If, for example, you migrate the tunnel from the 7590 to the Debian, then it will be easy to direct traffic from 25002 towards the tunnel.
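Trendy's two replies above (mark the packets in the firewall, an ip rule on that mark pointing at a custom table with its own default route; and that this becomes easy once the tunnel terminates on the Debian host) as an added example. This is not code from the thread or from OpenWrt/storj. It assumes the NUC terminates the WireGuard tunnel to mom's OpenWrt on an interface named wg-mom, that the node is published on port 25002, and that fwmark 0x1 and routing table 100 are unused. It uses nftables with conntrack marks rather than the iptables "--sport 25002" rule from the earlier post, which is my choice (stated nowhere in the thread): marking the connection when it arrives through the tunnel and restoring the mark on the reply direction covers both a node on the host and one in a docker container, including when docker publishes 25002 onto a different container port.

```shell
#!/bin/sh
# Added example, not from the thread: policy-based routing on the Linux host
# (the Debian NUC) when the WireGuard tunnel to mom's OpenWrt terminates there.
# Replies belonging to connections that came in through the tunnel go back
# through the tunnel; everything else keeps using the 7590 default gateway.
# Assumed names: interface wg-mom, node port 25002, fwmark 0x1, table 100.
# Set APPLY=1 to execute (needs root, nft, iproute2); otherwise the commands
# are only printed.

PORT="${PORT:-25002}"
MARK="${MARK:-0x1}"
TABLE_ID="${TABLE_ID:-100}"
WG_IF="${WG_IF:-wg-mom}"

run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# nftables ruleset. A new connection arriving on the tunnel for the node port
# gets a conntrack mark; every packet in the reply direction copies that mark
# into the packet mark. Restoring in prerouting handles a container (forwarded
# traffic), restoring in output handles a node running directly on the host.
# Only the reply direction is marked, otherwise the inbound request itself
# would be routed back into the tunnel by table 100.
pbr_ruleset() {
  cat <<EOF
table inet pbr_storj
flush table inet pbr_storj
table inet pbr_storj {
  chain prerouting {
    type filter hook prerouting priority mangle; policy accept;
    iifname "$WG_IF" ct state new tcp dport $PORT ct mark set $MARK
    iifname "$WG_IF" ct state new udp dport $PORT ct mark set $MARK
    ct direction reply ct mark $MARK meta mark set ct mark
  }
  chain output {
    type filter hook output priority mangle; policy accept;
    ct direction reply ct mark $MARK meta mark set ct mark
  }
}
EOF
}

apply_ruleset() {
  if [ "${APPLY:-0}" = 1 ]; then pbr_ruleset | nft -f -; else pbr_ruleset; fi
}

setup_routing() {
  # marked packets consult table 100 first; its only route is the tunnel
  run ip rule add fwmark "$MARK" lookup "$TABLE_ID" priority 1000
  run ip route replace default dev "$WG_IF" table "$TABLE_ID"
  # loose reverse-path filter: strict mode drops inbound packets whose source
  # (an internet address) would normally be reached via the 7590, not via wg
  run sysctl -w "net.ipv4.conf.$WG_IF.rp_filter=2"
  run sysctl -w net.ipv4.conf.all.rp_filter=2
}

main() {
  apply_ruleset
  setup_routing
}
main
```

Two things outside this script decide whether it works. The WireGuard peer for mom's router must have AllowedIPs covering 0.0.0.0/0, because WireGuard drops inbound packets whose source is not in AllowedIPs (the forwarded requests come from arbitrary internet addresses) and refuses to send replies to addresses outside it; with wg-quick, add `Table = off` so that AllowedIPs does not also install a default route in the main table. On mom's OpenWrt the redirect must target the NUC's address across the tunnel and the tunnel zone needs forwarding to wan. To check: `ip rule`, `ip route show table 100`, `nft list table inet pbr_storj`, and `tcpdump -ni wg-mom port 25002` while connecting to mom.dyn.de:25002 from outside.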

Played the whole day with OpenWRT as main router and the FB7530 as phone client... on my network.
Incoming calls did not work. Tried any hint I was able to catch... SIP from LAN to WAN, siproxd,
port forwarding, traffic rules. Used Wireshark to analyse... I am still a newbie. Will open a new thread "VoIP 1&1 with OpenWRT and IP-Client Fritzbox" and collect all infos.
In future I can hopefully change my 7590 to a 4040 OpenWRT... would be easier that way.

Install WG on Debian or inside Docker?
Full expansion: 5 nodes on Linux.
3 nodes routing to dad, 2 nodes routing to mom :slight_smile:

I think changing dad's 7490 to a 7530 OpenWRT still needs some development to get the DSL modem working.
Let's focus on son <-> mom routing.

Worked another day on phone repair. No success with OpenWRT and fiber. Changed the phone back to DSL only. Tried to simplify my installation:

Need to configure WG client <-> server within the next week. No remote access at the moment to mom's router.

Good Morning Trendy,

I drew another option. Do you think it's possible to route?

OpenWRT is just a client in this use case.

Yes, but you may want to keep only one s2s tunnel to avoid routing loops.