Problem getting a WireGuard port forwarded to the LAN

Hey there,

I hate to post something, because it often looks like I haven't read anything.
I searched for the issue, tried different ways of port forwarding and traffic control rules, and spent a few hours last week and at the beginning of this week.
Nothing helped; I am out of ideas and am looking for some help.

What I want to do:
I want to forward a port from my Mullvad VPN (WireGuard) to another client in the LAN.
Problem: I have no control of the firewall settings of my "ISP" because I live in a "student house", where internet is provided as is and no port forwarding will be done.
I want to set up a VoIP account to call my parents and others way cheaper than now via mobile.

For this I need an open port for incoming calls - that's where I want to use my VPN providers port forwarding feature.

The port forwarding feature works with a local client (laptop): I opened up netcat on the specific port, and the port was open while testing.
I see no reason, why this wouldn't work for my OpenWRT router.

Next, my network setup is a bit complex because I provide 3 different networks with one OpenWRT router.

  • LAN
  • Guest WLAN
  • FreeWiFi

Guest WLAN and FreeWiFi (the latter with limited bandwidth for now) are redirected to the VPN tunnel.

I want to use this VPN tunnel for the port forwarding, so I forwarded the port of the VPN-Zone to my laptop.

But I noticed rejected packets in syslog, so I had to set up a traffic rule to allow the port (this time I just allowed all traffic, so nothing gets blocked). There are many more rules to restrict certain devices from connecting outside, also for Guest-WLAN and FreeWiFi, but nothing should stop it from working, since I don't get a rejected or dropped notice in syslog.

I tried different rules, nothing helped.
My guess is that I have missed something in the "General Settings" tab, though I have no idea what.
If you need a specific file out of /etc/config, please say so. I am used to Linux and SSH, but I obviously lack some understanding of firewalls.

I hope you can give me a hand.
Thank you for reading.
Alex

PS: Hate the forum software for removing my double-returns, the structure gets lost.

Hello Alex, welcome to the OpenWrt forum and we hope we can help you!
Are you absolutely sure the VoIP account needs a port forward? Mine works fine without any forwarding of ports.
Anyway, I suppose you have already configured Mullvad to forward this port to your router.
Post here the following:
uci show network; uci show firewall; cat /etc/firewall.user; iptables-save;

Thank you for your warm welcome!

I probably could use VoIP without port forwarding, but I also want to use it for incoming calls.
Afaik no incoming calls work without an open port. (At least that's what I remember.)

Mullvad is forwarding two ports now (for testing I opened two) to my specific wireguard public key.
Since this worked locally on my laptop (with the mullvad client set to use wireguard), I expect this to also work on OpenWRT.

Here you go with certain outputs.
I hope you understand that I censored all MAC addresses and the Mullvad IP in order to protect my privacy.

# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd4e:312c:5ea1::/48'

// my comment: this is my LAN
network.lan=interface
network.lan.type='bridge'
network.lan.proto='static'
network.lan.ipaddr='192.168.9.1'
network.lan._orig_ifname='eth0.1 wlan0 wlan1'
network.lan._orig_bridge='true'
network.lan.netmask='255.255.255.0'
network.lan.ifname='eth0.1'
network.lan_dev=device
network.lan_dev.name='eth0.1'
network.lan_dev.macaddr='HIDDEN'

// my comment: this should be VLAN2 for wan_DHCP. Afair I tried out VLAN, might have left things when I had no time for it.
network.wan_dev=device
network.wan_dev.name='eth0.2'
network.wan_dev.macaddr='HIDDEN'

network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].vid='1'
network.@switch_vlan[0].ports='0t 1 2 3 4t'

// my comment: wan_PPPoE is deactivated, it still exists if I have my own ISP again
network.wan_PPPoE=interface
network.wan_PPPoE.proto='pppoe'
network.wan_PPPoE.peerdns='0'
network.wan_PPPoE.dns='85.214.20.141 213.73.91.35 31.220.27.46'
network.wan_PPPoE.password='HIDDEN'
network.wan_PPPoE.username='HIDDEN'
network.wan_PPPoE.mtu='1492'
network.wan_PPPoE.ipv6='auto'
network.wan_PPPoE.delegate='0'
network.wan_PPPoE.service='easybell'
network.wan_PPPoE.ifname='eth0.2'
network.wan_PPPoE.auto='0'

// my comment: this is Guest-WLAN
network.guest=interface
network.guest.type='bridge'
network.guest.proto='static'
network.guest.ipaddr='192.168.8.1'
network.guest.netmask='255.255.255.0'
network.guest._orig_ifname='guest radio0.network2 radio1.network2'
network.guest._orig_bridge='true'
network.guest.delegate='0'

network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='3'
network.@switch_vlan[1].vid='2'
network.@switch_vlan[1].ports='0t 5'

network.wan_DHCP=interface
network.wan_DHCP._orig_ifname='eth0.7'
network.wan_DHCP._orig_bridge='false'
network.wan_DHCP.proto='dhcp'
network.wan_DHCP.peerdns='0'
network.wan_DHCP.macaddr='HIDDEN'
network.wan_DHCP.dns='85.214.20.141 194.150.168.168 103.236.162.119 192.99.85.244'
network.wan_DHCP.ifname='eth0.2'
network.wan_DHCP.mtu='1500'

network.WAN_DHCPv6=interface
network.WAN_DHCPv6._orig_ifname='eth0.7'
network.WAN_DHCPv6._orig_bridge='false'
network.WAN_DHCPv6.proto='dhcpv6'
network.WAN_DHCPv6.reqaddress='try'
network.WAN_DHCPv6.reqprefix='auto'
network.WAN_DHCPv6.ifname='@wan_DHCP'

// my comment: this is obviously my wireguard VPN tunnel to a mullvad server
network.VPN_WG_Mullvad=interface
network.VPN_WG_Mullvad.proto='wireguard'
network.VPN_WG_Mullvad.force_link='1'
network.VPN_WG_Mullvad.private_key='HIDDEN'
network.VPN_WG_Mullvad.addresses='HIDDENipV6/128' 'HIDDENipV4/32'
network.VPN_WG_Mullvad.listen_port='51820'

network.@wireguard_VPN_WG_Mullvad[0]=wireguard_VPN_WG_Mullvad
network.@wireguard_VPN_WG_Mullvad[0].public_key='HIDDEN'
network.@wireguard_VPN_WG_Mullvad[0].allowed_ips='0.0.0.0/0'
network.@wireguard_VPN_WG_Mullvad[0].persistent_keepalive='25'
network.@wireguard_VPN_WG_Mullvad[0].endpoint_host='HIDDENipV4'

// my comment: this is FreeWiFi
network.free=interface
network.free.proto='static'
network.free.netmask='255.255.255.0'
network.free.delegate='0'
network.free.ipaddr='192.168.10.1'
network.free.type='bridge'

network.@switch_vlan[2]=switch_vlan
network.@switch_vlan[2].device='switch0'
network.@switch_vlan[2].vlan='4'
network.@switch_vlan[2].ports='0t 4t'
network.@switch_vlan[2].vid='12'

# uci show firewall
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[0].src='FW_wanPort'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-DHCPv6'
firewall.@rule[1].proto='udp'
firewall.@rule[1].src_ip='fc00::/6'
firewall.@rule[1].dest_ip='fc00::/6'
firewall.@rule[1].dest_port='546'
firewall.@rule[1].family='ipv6'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].src='FW_wanPort'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-Ping'
firewall.@rule[2].proto='icmp'
firewall.@rule[2].icmp_type='echo-request'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[2].src='FW_wanPort'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-ICMPv6-Forward'
firewall.@rule[3].dest='*'
firewall.@rule[3].proto='icmp'
firewall.@rule[3].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[3].limit='1000/sec'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[3].src='FW_wanPort'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-IGMP'
firewall.@rule[4].proto='igmp'
firewall.@rule[4].family='ipv4'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[4].src='FW_wanPort'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[5].src='FW_wanPort'
firewall.@rule[6]=rule
firewall.@rule[6].target='ACCEPT'
firewall.@rule[6].proto='tcp udp'
firewall.@rule[6].dest_port='53'
firewall.@rule[6].name='Guest DNS'
firewall.@rule[6].dest_ip='192.168.8.1'
firewall.@rule[6].src_ip='192.168.8.0/24 192.168.10.0/24'
firewall.@rule[6].src='FW_guest'
firewall.@rule[7]=rule
firewall.@rule[7].target='ACCEPT'
firewall.@rule[7].proto='udp'
firewall.@rule[7].dest_port='67-68'
firewall.@rule[7].name='Guest DHCP'
firewall.@rule[7].src='FW_guest'
firewall.@rule[8]=rule
firewall.@rule[8].name='Guest LAN Block'
firewall.@rule[8].proto='all'
firewall.@rule[8].target='DROP'
firewall.@rule[8].dest_ip='192.168.9.0/24'
firewall.@rule[8].src_ip='192.168.8.0/24 192.168.10.0/24'
firewall.@rule[8].dest='FW_lan'
firewall.@rule[8].src='FW_guest'
firewall.@rule[9]=rule
firewall.@rule[9].name='Guest 192.168.0.0/16'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].proto='all'
firewall.@rule[9].dest_ip='192.168.0.0/16'
firewall.@rule[9].target='DROP'
firewall.@rule[9].dest='FW_wanPort'
firewall.@rule[9].src='FW_guest'
firewall.@rule[10]=rule
firewall.@rule[10].name='Guest 172.16.0.0/12'
firewall.@rule[10].family='ipv4'
firewall.@rule[10].proto='all'
firewall.@rule[10].dest_ip='172.16.0.0/12'
firewall.@rule[10].target='DROP'
firewall.@rule[10].dest='FW_wanPort'
firewall.@rule[10].src='FW_guest'
firewall.@rule[11]=rule
firewall.@rule[11].name='Guest 10.0.0.0/8'
firewall.@rule[11].family='ipv4'
firewall.@rule[11].proto='all'
firewall.@rule[11].dest_ip='10.0.0.0/8'
firewall.@rule[11].target='DROP'
firewall.@rule[11].dest='FW_wanPort'
firewall.@rule[11].src='FW_guest'
firewall.@rule[12]=rule
firewall.@rule[12].name='Guest fd00::/8'
firewall.@rule[12].family='ipv6'
firewall.@rule[12].proto='all'
firewall.@rule[12].dest_ip='fd00::/8'
firewall.@rule[12].target='DROP'
firewall.@rule[12].dest='FW_wanPort'
firewall.@rule[12].src='FW_guest'
firewall.@rule[13]=rule
firewall.@rule[13].name='Lan 10.0.0.0/8'
firewall.@rule[13].family='ipv4'
firewall.@rule[13].proto='all'
firewall.@rule[13].dest_ip='10.0.0.0/8'
firewall.@rule[13].target='REJECT'
firewall.@rule[13].enabled='0'
firewall.@rule[13].dest='FW_wanPort'
firewall.@rule[13].src='FW_lan'
firewall.@rule[14]=rule
firewall.@rule[14].name='Lan 172.16.0.0/12'
firewall.@rule[14].family='ipv4'
firewall.@rule[14].proto='all'
firewall.@rule[14].dest_ip='172.16.0.0/12'
firewall.@rule[14].target='REJECT'
firewall.@rule[14].dest='FW_wanPort'
firewall.@rule[14].src='FW_lan'
firewall.@rule[15]=rule
firewall.@rule[15].target='ACCEPT'
firewall.@rule[15].family='ipv4'
firewall.@rule[15].proto='tcp'
firewall.@rule[15].name='Lan 192.168.178.1 exception'
firewall.@rule[15].src_ip='192.168.9.62'
firewall.@rule[15].dest_ip='192.168.178.1'
firewall.@rule[15].enabled='0'
firewall.@rule[15].dest='FW_wanPort'
firewall.@rule[15].src='FW_lan'
firewall.@rule[16]=rule
firewall.@rule[16].name='Lan 192.168.0.0/16'
firewall.@rule[16].family='ipv4'
firewall.@rule[16].proto='all'
firewall.@rule[16].dest_ip='192.168.0.0/16'
firewall.@rule[16].target='REJECT'
firewall.@rule[16].enabled='0'
firewall.@rule[16].dest='FW_wanPort'
firewall.@rule[16].src='FW_lan'
firewall.@rule[17]=rule
firewall.@rule[17].name='n3DS Reject'
firewall.@rule[17].proto='all'
firewall.@rule[17].src='*'
firewall.@rule[17].target='REJECT'
firewall.@rule[17].src_mac='HIDDEN'
firewall.@rule[17].enabled='0'
firewall.@rule[17].dest='FW_wanPort'
firewall.@rule[18]=rule
firewall.@rule[18].name='PS3 Reject'
firewall.@rule[18].proto='all'
firewall.@rule[18].src='*'
firewall.@rule[18].src_mac='HIDDEN'
firewall.@rule[18].target='REJECT'
firewall.@rule[18].enabled='0'
firewall.@rule[18].dest='FW_wanPort'
firewall.@rule[19]=rule
firewall.@rule[19].name='WiiU Reject'
firewall.@rule[19].proto='all'
firewall.@rule[19].src='*'
firewall.@rule[19].src_mac='HIDDEN'
firewall.@rule[19].target='REJECT'
firewall.@rule[19].enabled='0'
firewall.@rule[19].dest='FW_wanPort'
firewall.@rule[20]=rule
firewall.@rule[20].name='PRNTR Reject'
firewall.@rule[20].proto='all'
firewall.@rule[20].src_mac='HIDDEN'
firewall.@rule[20].target='REJECT'
firewall.@rule[20].dest='FW_wanPort'
firewall.@rule[20].src='FW_lan'
firewall.@rule[21]=rule
firewall.@rule[21].name='Denon Reject'
firewall.@rule[21].proto='all'
firewall.@rule[21].src='*'
firewall.@rule[21].src_mac='HIDDEN'
firewall.@rule[21].target='REJECT'
firewall.@rule[21].dest='FW_wanPort'
firewall.@rule[22]=rule
firewall.@rule[22].name='TV Reject'
firewall.@rule[22].proto='all'
firewall.@rule[22].src='*'
firewall.@rule[22].src_mac='HIDDEN'
firewall.@rule[22].target='REJECT'
firewall.@rule[22].dest='FW_wanPort'

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'

firewall.@zone[0]=zone
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='REJECT'
firewall.@zone[0].network='lan'
firewall.@zone[0].name='FW_lan'
firewall.@zone[1]=zone
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].name='FW_wanPort'
firewall.@zone[1].network='WAN_DHCPv6 wan_DHCP wan_PPPoE'
firewall.@zone[1].input='ACCEPT'

firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'

firewall.@zone[2]=zone
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].name='FW_guest'
firewall.@zone[2].network='guest free'

firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].proto='udp'
firewall.@redirect[0].src_dport='7077'
firewall.@redirect[0].dest_ip='192.168.9.3'
firewall.@redirect[0].dest_port='7077'
firewall.@redirect[0].name='FBox_DNS'
firewall.@redirect[0].enabled='0'
firewall.@redirect[0].src='FW_wanPort'
firewall.@redirect[0].dest='FW_lan'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].proto='udp'
firewall.@redirect[1].src_dport='5060'
firewall.@redirect[1].dest_ip='192.168.9.3'
firewall.@redirect[1].dest_port='5060'
firewall.@redirect[1].name='FBox_SIP'
firewall.@redirect[1].enabled='0'
firewall.@redirect[1].src='FW_wanPort'
firewall.@redirect[1].dest='FW_lan'

firewall.@zone[3]=zone
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].network='VPN_WG_Mullvad'
firewall.@zone[3].masq='1'
firewall.@zone[3].mtu_fix='1'
firewall.@zone[3].name='FW_vpnOUT'
firewall.@zone[3].log='1'
firewall.@zone[3].family='ipv4'
firewall.@zone[3].conntrack='1'
firewall.@zone[3].forward='REJECT'
firewall.@zone[3].input='ACCEPT'

firewall.@redirect[2]=redirect
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].proto='tcp udp'
firewall.@redirect[2].name='test'
firewall.@redirect[2].reflection='0'
firewall.@redirect[2].src='FW_vpnOUT'
firewall.@redirect[2].dest_port='18363'
firewall.@redirect[2].src_dport='18363'
firewall.@redirect[2].dest='FW_lan'
firewall.@redirect[2].dest_ip='192.168.9.62'

firewall.@rule[23]=rule
firewall.@rule[23].target='ACCEPT'
firewall.@rule[23].name='WG test'
firewall.@rule[23].src='FW_vpnOUT'
firewall.@rule[23].proto='all'
firewall.@rule[23].dest='FW_lan'
firewall.@rule[23].dest_ip='192.168.9.62'

firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='FW_wanPort'
firewall.@forwarding[0].src='FW_lan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='FW_vpnOUT'
firewall.@forwarding[1].src='FW_guest'

# cat /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

# iptables-save
# Generated by iptables-save v1.6.2 on Fri Nov  8 10:45:01 2019
*nat
:PREROUTING ACCEPT [2:188]
:INPUT ACCEPT [2:188]
:OUTPUT ACCEPT [1:71]
:POSTROUTING ACCEPT [1:71]
:postrouting_FW_guest_rule - [0:0]
:postrouting_FW_lan_rule - [0:0]
:postrouting_FW_vpnOUT_rule - [0:0]
:postrouting_FW_wanPort_rule - [0:0]
:postrouting_rule - [0:0]
:prerouting_FW_guest_rule - [0:0]
:prerouting_FW_lan_rule - [0:0]
:prerouting_FW_vpnOUT_rule - [0:0]
:prerouting_FW_wanPort_rule - [0:0]
:prerouting_rule - [0:0]
:zone_FW_guest_postrouting - [0:0]
:zone_FW_guest_prerouting - [0:0]
:zone_FW_lan_postrouting - [0:0]
:zone_FW_lan_prerouting - [0:0]
:zone_FW_vpnOUT_postrouting - [0:0]
:zone_FW_vpnOUT_prerouting - [0:0]
:zone_FW_wanPort_postrouting - [0:0]
:zone_FW_wanPort_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_FW_lan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_FW_wanPort_prerouting
-A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_FW_guest_prerouting
-A PREROUTING -i br-free -m comment --comment "!fw3" -j zone_FW_guest_prerouting
-A PREROUTING -i VPN_WG_Mullvad -m comment --comment "!fw3" -j zone_FW_vpnOUT_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_FW_lan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_FW_wanPort_postrouting
-A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_FW_guest_postrouting
-A POSTROUTING -o br-free -m comment --comment "!fw3" -j zone_FW_guest_postrouting
-A POSTROUTING -o VPN_WG_Mullvad -m comment --comment "!fw3" -j zone_FW_vpnOUT_postrouting
-A zone_FW_guest_postrouting -m comment --comment "!fw3: Custom FW_guest postrouting rule chain" -j postrouting_FW_guest_rule
-A zone_FW_guest_prerouting -m comment --comment "!fw3: Custom FW_guest prerouting rule chain" -j prerouting_FW_guest_rule
-A zone_FW_lan_postrouting -m comment --comment "!fw3: Custom FW_lan postrouting rule chain" -j postrouting_FW_lan_rule
-A zone_FW_lan_prerouting -m comment --comment "!fw3: Custom FW_lan prerouting rule chain" -j prerouting_FW_lan_rule
-A zone_FW_vpnOUT_postrouting -m comment --comment "!fw3: Custom FW_vpnOUT postrouting rule chain" -j postrouting_FW_vpnOUT_rule
-A zone_FW_vpnOUT_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_FW_vpnOUT_prerouting -m comment --comment "!fw3: Custom FW_vpnOUT prerouting rule chain" -j prerouting_FW_vpnOUT_rule
-A zone_FW_vpnOUT_prerouting -p tcp -m tcp --dport 18363 -m comment --comment "!fw3: test" -j DNAT --to-destination 192.168.9.62:18363
-A zone_FW_vpnOUT_prerouting -p udp -m udp --dport 18363 -m comment --comment "!fw3: test" -j DNAT --to-destination 192.168.9.62:18363
-A zone_FW_wanPort_postrouting -m comment --comment "!fw3: Custom FW_wanPort postrouting rule chain" -j postrouting_FW_wanPort_rule
-A zone_FW_wanPort_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_FW_wanPort_prerouting -m comment --comment "!fw3: Custom FW_wanPort prerouting rule chain" -j prerouting_FW_wanPort_rule
COMMIT
# Completed on Fri Nov  8 10:45:01 2019
# Generated by iptables-save v1.6.2 on Fri Nov  8 10:45:01 2019
*mangle
:PREROUTING ACCEPT [1549:316432]
:INPUT ACCEPT [405:29334]
:FORWARD ACCEPT [1144:287098]
:OUTPUT ACCEPT [345:99667]
:POSTROUTING ACCEPT [1489:386765]
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone FW_wanPort MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o VPN_WG_Mullvad -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone FW_vpnOUT MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Nov  8 10:45:01 2019
# Generated by iptables-save v1.6.2 on Fri Nov  8 10:45:01 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_FW_guest_rule - [0:0]
:forwarding_FW_lan_rule - [0:0]
:forwarding_FW_vpnOUT_rule - [0:0]
:forwarding_FW_wanPort_rule - [0:0]
:forwarding_rule - [0:0]
:input_FW_guest_rule - [0:0]
:input_FW_lan_rule - [0:0]
:input_FW_vpnOUT_rule - [0:0]
:input_FW_wanPort_rule - [0:0]
:input_rule - [0:0]
:output_FW_guest_rule - [0:0]
:output_FW_lan_rule - [0:0]
:output_FW_vpnOUT_rule - [0:0]
:output_FW_wanPort_rule - [0:0]
:output_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_FW_guest_dest_ACCEPT - [0:0]
:zone_FW_guest_dest_REJECT - [0:0]
:zone_FW_guest_forward - [0:0]
:zone_FW_guest_input - [0:0]
:zone_FW_guest_output - [0:0]
:zone_FW_guest_src_REJECT - [0:0]
:zone_FW_lan_dest_ACCEPT - [0:0]
:zone_FW_lan_dest_DROP - [0:0]
:zone_FW_lan_dest_REJECT - [0:0]
:zone_FW_lan_forward - [0:0]
:zone_FW_lan_input - [0:0]
:zone_FW_lan_output - [0:0]
:zone_FW_lan_src_ACCEPT - [0:0]
:zone_FW_vpnOUT_dest_ACCEPT - [0:0]
:zone_FW_vpnOUT_dest_REJECT - [0:0]
:zone_FW_vpnOUT_forward - [0:0]
:zone_FW_vpnOUT_input - [0:0]
:zone_FW_vpnOUT_output - [0:0]
:zone_FW_vpnOUT_src_ACCEPT - [0:0]
:zone_FW_wanPort_dest_ACCEPT - [0:0]
:zone_FW_wanPort_dest_DROP - [0:0]
:zone_FW_wanPort_dest_REJECT - [0:0]
:zone_FW_wanPort_forward - [0:0]
:zone_FW_wanPort_input - [0:0]
:zone_FW_wanPort_output - [0:0]
:zone_FW_wanPort_src_ACCEPT - [0:0]
:zone_newzone_forward - [0:0]
:zone_newzone_input - [0:0]
:zone_newzone_output - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_FW_lan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_FW_wanPort_input
-A INPUT -i br-guest -m comment --comment "!fw3" -j zone_FW_guest_input
-A INPUT -i br-free -m comment --comment "!fw3" -j zone_FW_guest_input
-A INPUT -i VPN_WG_Mullvad -m comment --comment "!fw3" -j zone_FW_vpnOUT_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -m mac --mac-source HIDDEN -m comment --comment "!fw3: Denon Reject" -j zone_FW_wanPort_dest_REJECT
-A FORWARD -m mac --mac-source HIDDEN -m comment --comment "!fw3: TV Reject" -j zone_FW_wanPort_dest_REJECT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_FW_lan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_FW_wanPort_forward
-A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_FW_guest_forward
-A FORWARD -i br-free -m comment --comment "!fw3" -j zone_FW_guest_forward
-A FORWARD -i VPN_WG_Mullvad -m comment --comment "!fw3" -j zone_FW_vpnOUT_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_FW_lan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_FW_wanPort_output
-A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_FW_guest_output
-A OUTPUT -o br-free -m comment --comment "!fw3" -j zone_FW_guest_output
-A OUTPUT -o VPN_WG_Mullvad -m comment --comment "!fw3" -j zone_FW_vpnOUT_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_FW_guest_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
-A zone_FW_guest_dest_ACCEPT -o br-free -m comment --comment "!fw3" -j ACCEPT
-A zone_FW_guest_dest_REJECT -o br-guest -m comment --comment "!fw3" -j reject
-A zone_FW_guest_dest_REJECT -o br-free -m comment --comment "!fw3" -j reject
-A zone_FW_guest_forward -m comment --comment "!fw3: Custom FW_guest forwarding rule chain" -j forwarding_FW_guest_rule
-A zone_FW_guest_forward -s 192.168.8.0/24 -d 192.168.9.0/24 -m comment --comment "!fw3: Guest LAN Block" -j zone_FW_lan_dest_DROP
-A zone_FW_guest_forward -s 192.168.10.0/24 -d 192.168.9.0/24 -m comment --comment "!fw3: Guest LAN Block" -j zone_FW_lan_dest_DROP
-A zone_FW_guest_forward -d 192.168.0.0/16 -m comment --comment "!fw3: Guest 192.168.0.0/16" -j zone_FW_wanPort_dest_DROP
-A zone_FW_guest_forward -d 172.16.0.0/12 -m comment --comment "!fw3: Guest 172.16.0.0/12" -j zone_FW_wanPort_dest_DROP
-A zone_FW_guest_forward -d 10.0.0.0/8 -m comment --comment "!fw3: Guest 10.0.0.0/8" -j zone_FW_wanPort_dest_DROP
-A zone_FW_guest_forward -m comment --comment "!fw3: Zone FW_guest to FW_vpnOUT forwarding policy" -j zone_FW_vpnOUT_dest_ACCEPT
-A zone_FW_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_FW_guest_forward -m comment --comment "!fw3" -j zone_FW_guest_dest_REJECT
-A zone_FW_guest_input -m comment --comment "!fw3: Custom FW_guest input rule chain" -j input_FW_guest_rule
-A zone_FW_guest_input -s 192.168.8.0/24 -d 192.168.8.1/32 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Guest DNS" -j ACCEPT
-A zone_FW_guest_input -s 192.168.10.0/24 -d 192.168.8.1/32 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Guest DNS" -j ACCEPT
-A zone_FW_guest_input -s 192.168.8.0/24 -d 192.168.8.1/32 -p udp -m udp --dport 53 -m comment --comment "!fw3: Guest DNS" -j ACCEPT
-A zone_FW_guest_input -s 192.168.10.0/24 -d 192.168.8.1/32 -p udp -m udp --dport 53 -m comment --comment "!fw3: Guest DNS" -j ACCEPT
-A zone_FW_guest_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: Guest DHCP" -j ACCEPT
-A zone_FW_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_FW_guest_input -m comment --comment "!fw3" -j zone_FW_guest_src_REJECT
-A zone_FW_guest_output -m comment --comment "!fw3: Custom FW_guest output rule chain" -j output_FW_guest_rule
-A zone_FW_guest_output -m comment --comment "!fw3" -j zone_FW_guest_dest_ACCEPT
-A zone_FW_guest_src_REJECT -i br-guest -m comment --comment "!fw3" -j reject
-A zone_FW_guest_src_REJECT -i br-free -m comment --comment "!fw3" -j reject
-A zone_FW_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_FW_lan_dest_DROP -o br-lan -m comment --comment "!fw3" -j DROP
-A zone_FW_lan_dest_REJECT -o br-lan -m comment --comment "!fw3" -j reject
-A zone_FW_lan_forward -m comment --comment "!fw3: Custom FW_lan forwarding rule chain" -j forwarding_FW_lan_rule
-A zone_FW_lan_forward -d 172.16.0.0/12 -m comment --comment "!fw3: Lan 172.16.0.0/12" -j zone_FW_wanPort_dest_REJECT
-A zone_FW_lan_forward -m mac --mac-source 00:C0:EE:6A:61:18 -m comment --comment "!fw3: PRNTR Reject" -j zone_FW_wanPort_dest_REJECT
-A zone_FW_lan_forward -m comment --comment "!fw3: Zone FW_lan to FW_wanPort forwarding policy" -j zone_FW_wanPort_dest_ACCEPT
-A zone_FW_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_FW_lan_forward -m comment --comment "!fw3" -j zone_FW_lan_dest_REJECT
-A zone_FW_lan_input -m comment --comment "!fw3: Custom FW_lan input rule chain" -j input_FW_lan_rule
-A zone_FW_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_FW_lan_input -m comment --comment "!fw3" -j zone_FW_lan_src_ACCEPT
-A zone_FW_lan_output -m comment --comment "!fw3: Custom FW_lan output rule chain" -j output_FW_lan_rule
-A zone_FW_lan_output -m comment --comment "!fw3" -j zone_FW_lan_dest_ACCEPT
-A zone_FW_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_FW_vpnOUT_dest_ACCEPT -o VPN_WG_Mullvad -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_FW_vpnOUT_dest_ACCEPT -o VPN_WG_Mullvad -m comment --comment "!fw3" -j ACCEPT
-A zone_FW_vpnOUT_dest_REJECT -o VPN_WG_Mullvad -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT FW_vpnOUT out: "
-A zone_FW_vpnOUT_dest_REJECT -o VPN_WG_Mullvad -m comment --comment "!fw3" -j reject
-A zone_FW_vpnOUT_forward -m comment --comment "!fw3: Custom FW_vpnOUT forwarding rule chain" -j forwarding_FW_vpnOUT_rule
-A zone_FW_vpnOUT_forward -d 192.168.9.62/32 -m comment --comment "!fw3: WG test" -j zone_FW_lan_dest_ACCEPT
-A zone_FW_vpnOUT_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_FW_vpnOUT_forward -m comment --comment "!fw3" -j zone_FW_vpnOUT_dest_REJECT
-A zone_FW_vpnOUT_input -m comment --comment "!fw3: Custom FW_vpnOUT input rule chain" -j input_FW_vpnOUT_rule
-A zone_FW_vpnOUT_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_FW_vpnOUT_input -m comment --comment "!fw3" -j zone_FW_vpnOUT_src_ACCEPT
-A zone_FW_vpnOUT_output -m comment --comment "!fw3: Custom FW_vpnOUT output rule chain" -j output_FW_vpnOUT_rule
-A zone_FW_vpnOUT_output -m comment --comment "!fw3" -j zone_FW_vpnOUT_dest_ACCEPT
-A zone_FW_vpnOUT_src_ACCEPT -i VPN_WG_Mullvad -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_FW_wanPort_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_FW_wanPort_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_FW_wanPort_dest_DROP -o eth0.2 -m comment --comment "!fw3" -j DROP
-A zone_FW_wanPort_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_FW_wanPort_forward -m comment --comment "!fw3: Custom FW_wanPort forwarding rule chain" -j forwarding_FW_wanPort_rule
-A zone_FW_wanPort_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_FW_wanPort_forward -m comment --comment "!fw3" -j zone_FW_wanPort_dest_REJECT
-A zone_FW_wanPort_input -m comment --comment "!fw3: Custom FW_wanPort input rule chain" -j input_FW_wanPort_rule
-A zone_FW_wanPort_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_FW_wanPort_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_FW_wanPort_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_FW_wanPort_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_FW_wanPort_input -m comment --comment "!fw3" -j zone_FW_wanPort_src_ACCEPT
-A zone_FW_wanPort_output -m comment --comment "!fw3: Custom FW_wanPort output rule chain" -j output_FW_wanPort_rule
-A zone_FW_wanPort_output -m comment --comment "!fw3" -j zone_FW_wanPort_dest_ACCEPT
-A zone_FW_wanPort_src_ACCEPT -i eth0.2 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Fri Nov  8 10:45:01 2019

That is not right. I have SIP with a fixed number and incoming calls too.

-A zone_FW_vpnOUT_prerouting -p tcp -m tcp --dport 18363 -m comment --comment "!fw3: test" -j DNAT --to-destination 192.168.9.62:18363
-A zone_FW_vpnOUT_prerouting -p udp -m udp --dport 18363 -m comment --comment "!fw3: test" -j DNAT --to-destination 192.168.9.62:18363

Your rules are in place. You can check for hits with the command iptables -t nat -Lvn | grep 18363
Another way to verify the traffic is with tcpdump: tcpdump -i any -vvn port 18363

That's interesting: I get data with # tcpdump -i any -vvn port 18363 on both my laptop (the forwarded IP) and the router.
Which actually means the port is open and forwarded.

Though every check says that the port is closed, even with netcat -l -p 18363 (with this it was reported to be open when I did a local check; local check: Mullvad client on my laptop).
Maybe I should just setup VoIP and check if it works.

I might test it again, but I had problems with incoming calls in the past whenever the port was not forwarded. If it works without an open port, I will remove the port forwarding (since it is another hole into my LAN).

You have a lot of holes open in your firewall anyway, from what I can see.
All your untrusted zones should have ACCEPT on OUTPUT only. INPUT and FORWARD should be DROP or REJECT. The LAN zone can have them all on ACCEPT.
Also, forwardings from one zone to another are not allowed by default unless you allow them.
So you also need to allow from LAN to vpnOUT.

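
The checks in the reply above (ACCEPT on INPUT/FORWARD of untrusted zones, catch-all ACCEPT rules coming from those zones, and a missing zone-to-zone forwarding) can be run mechanically against the dump that was posted. The following script is an added example for this thread, not code from any poster or from OpenWrt. It parses "uci show firewall" output and prints the uci commands that would tighten the configuration. The embedded dump is a trimmed, constructed copy of the configuration quoted earlier; treating only FW_lan as trusted and requiring a FW_lan to FW_vpnOUT forwarding are assumptions taken from the reply, and the suggested remediation commands are mine.

```python
"""Audit 'uci show firewall' output for the weaknesses the reply above names:
ACCEPT on INPUT/FORWARD of untrusted zones, catch-all ACCEPT rules from such
zones, and missing zone-to-zone forwardings.  Added example, not code from the
thread or from OpenWrt; SAMPLE_UCI is a trimmed, constructed copy of the
configuration quoted earlier."""
import re

SAMPLE_UCI = """\
firewall.@zone[0]=zone
firewall.@zone[0].name='FW_lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='FW_wanPort'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[2]=zone
firewall.@zone[2].name='FW_guest'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[3]=zone
firewall.@zone[3].name='FW_vpnOUT'
firewall.@zone[3].input='ACCEPT'
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].forward='REJECT'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-Ping'
firewall.@rule[0].src='FW_wanPort'
firewall.@rule[0].proto='icmp'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[1]=rule
firewall.@rule[1].name='WG test'
firewall.@rule[1].src='FW_vpnOUT'
firewall.@rule[1].dest='FW_lan'
firewall.@rule[1].dest_ip='192.168.9.62'
firewall.@rule[1].proto='all'
firewall.@rule[1].target='ACCEPT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='FW_lan'
firewall.@forwarding[0].dest='FW_wanPort'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='FW_guest'
firewall.@forwarding[1].dest='FW_vpnOUT'
"""


def parse_uci(text):
    """'uci show <config>' output -> {section_id: {option: value}}; the section
    type is stored under '.type', multi-value options are space-joined."""
    sections = {}
    for line in text.splitlines():
        key, _, raw = line.strip().partition("=")
        parts = key.split(".")
        quoted = re.findall(r"'([^']*)'", raw)
        value = " ".join(quoted) if quoted else raw
        if len(parts) == 2:                     # firewall.@zone[3]=zone
            sections.setdefault(parts[1], {})[".type"] = value
        elif len(parts) == 3:                   # firewall.@zone[3].input='ACCEPT'
            sections.setdefault(parts[1], {})[parts[2]] = value
    return sections


def audit(sections, trusted=("FW_lan",), required_forwardings=()):
    """Return (finding, uci remediation) tuples.  Zones not in 'trusted' are
    treated like a WAN, the Mullvad tunnel included: the provider-side port
    forward makes it reachable from the internet."""
    findings = []
    for sid, s in sections.items():
        kind = s.get(".type")
        if kind == "zone" and s.get("name") not in trusted:
            # untrusted zones: OUTPUT may be ACCEPT, INPUT/FORWARD must not be
            for chain in ("input", "forward"):
                if s.get(chain) == "ACCEPT":
                    findings.append((f"zone {s['name']}: {chain}=ACCEPT on an untrusted zone",
                                     f"uci set firewall.{sid}.{chain}='REJECT'"))
        elif (kind == "rule" and s.get("target") == "ACCEPT" and s.get("enabled") != "0"
              and s.get("src") not in trusted
              and s.get("proto", "tcp udp") in ("all", "any") and "dest_port" not in s):
            # fw3's default proto is 'tcp udp'; 'all' with no port is a catch-all
            findings.append((f"rule '{s.get('name', sid)}': accepts every protocol and port "
                             f"from {s.get('src', '*')} to {s.get('dest', 'the router')}",
                             f"uci set firewall.{sid}.enabled='0'  # or restrict proto/dest_port"))
    have = {(s.get("src"), s.get("dest")) for s in sections.values()
            if s.get(".type") == "forwarding"}
    for src, dest in required_forwardings:
        if (src, dest) not in have:
            findings.append((f"no forwarding {src} -> {dest}: {src} clients cannot reach {dest}",
                             f"uci add firewall forwarding; uci set firewall.@forwarding[-1].src='{src}'; "
                             f"uci set firewall.@forwarding[-1].dest='{dest}'"))
    return findings


def audit_sample():
    return audit(parse_uci(SAMPLE_UCI), trusted=("FW_lan",),
                 required_forwardings=(("FW_lan", "FW_vpnOUT"),))


if __name__ == "__main__":
    for finding, fix in audit_sample():
        print(f"- {finding}\n    fix: {fix}")
    print("then: uci commit firewall && /etc/init.d/firewall restart")
```

On the posted configuration this flags FW_wanPort and FW_vpnOUT for input=ACCEPT, the "WG test" rule (proto all, no port, from the tunnel zone into the LAN), and the missing FW_lan to FW_vpnOUT forwarding, while the guest zone and the ICMP echo rule pass. Run it on the router with "uci show firewall | python3 script.py" after replacing SAMPLE_UCI with sys.stdin.read(), then review the printed uci commands before committing them.

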
I have done as you said.
I haven't fully understood the concept of zones yet, nor static routes and VLANs.

The other things (port forwarding and traffic rules) seem quite simple and straightforward to me.

If your SIP client regularly (around every 30s) keeps the SIP session active (basically UDP hole punching, abusing the conntracking), then you can avoid port forwarding and still get incoming calls. I would suggest this over port forwards, as it avoids exposing the SIP client to the whole internet rather than only to your ISP's SIP servers (but it does require the SIP client to ping the SIP session regularly).

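
The mechanism the reply above relies on can be shown with a small model of the router's UDP masquerade table. This is an added example for this thread, not code from any poster: a SIP phone re-sends its REGISTER at some interval, the server answers, and later sends an INVITE for an incoming call to the public port it learned from the last REGISTER. Assumptions not stated in the thread: the two timeouts copy the Linux nf_conntrack defaults (net.netfilter.nf_conntrack_udp_timeout=30 and nf_conntrack_udp_timeout_stream=120; check the router's real values with "sysctl -a | grep nf_conntrack_udp"), the refresh logic is simplified, and all addresses are constructed from the RFC 5737 documentation ranges.

```python
"""Model of the reply above: a SIP client that re-sends its REGISTER often
enough keeps the router's NAT/conntrack entry alive, so the server's INVITE
for an incoming call is still translated back to the phone without a port
forward.  Added example for this thread, not code from any poster.

Assumed timeouts copy the Linux nf_conntrack defaults (udp_timeout=30,
udp_timeout_stream=120); the refresh behaviour is simplified.
"""
from dataclasses import dataclass


@dataclass
class Mapping:
    inside: tuple     # (LAN ip, port) of the phone
    remote: tuple     # (ip, port) the phone talked to
    ext_port: int     # port on the router's public/VPN address
    expires: float    # absolute time at which the entry is dropped
    replied: bool = False


class UdpNat:
    """Per-5-tuple UDP masquerade table, as Linux conntrack builds it."""

    def __init__(self, unreplied_timeout=30.0, stream_timeout=120.0):
        self.unreplied, self.stream = unreplied_timeout, stream_timeout
        self.table = {}
        self.next_port = 1024

    def _expire(self, now):
        self.table = {k: m for k, m in self.table.items() if m.expires > now}

    def outbound(self, now, inside, remote):
        """LAN host sends a packet: create or refresh the entry, return ext port."""
        self._expire(now)
        m = self.table.get((inside, remote))
        if m is None:
            m = Mapping(inside, remote, self.next_port, 0.0)
            self.next_port += 1
            self.table[(inside, remote)] = m
        m.expires = now + (self.stream if m.replied else self.unreplied)
        return m.ext_port

    def inbound(self, now, src, ext_port):
        """Packet from the internet to ext_port.  Only the exact remote endpoint
        recorded in the entry is translated back; anyone else gets None (the
        packet is then dropped, or handled by the router's own INPUT policy)."""
        self._expire(now)
        for m in self.table.values():
            if m.ext_port == ext_port and m.remote == src:
                m.replied = True
                m.expires = now + self.stream
                return m.inside
        return None


SIP_SERVER = ("203.0.113.10", 5060)   # constructed: provider's SIP proxy
PHONE = ("192.168.9.3", 5060)         # constructed: SIP client in the LAN
STRANGER = ("198.51.100.77", 5060)    # constructed: unrelated internet host


def simulate(keepalive_interval, call_at, nat=None):
    """Phone REGISTERs at t=0 and every keepalive_interval seconds, the server
    answers each one, then at call_at the server sends an INVITE to the port
    it learned from the last REGISTER.  Returns (invite_delivered,
    stranger_delivered)."""
    nat = nat or UdpNat()
    t, ext = 0.0, None
    while t <= call_at:
        ext = nat.outbound(t, PHONE, SIP_SERVER)          # REGISTER
        nat.inbound(t + 0.05, SIP_SERVER, ext)            # 200 OK
        t += keepalive_interval
    invite = nat.inbound(call_at, SIP_SERVER, ext)        # incoming call
    stranger = nat.inbound(call_at, STRANGER, ext)        # SIP scanner
    return invite == PHONE, stranger == PHONE


if __name__ == "__main__":
    for interval in (25, 3600):
        ok, leak = simulate(interval, call_at=600)
        print(f"keepalive every {interval:>4}s: call delivered={ok}, "
              f"stranger reaches phone={leak}")
```

With a 25 s keepalive the INVITE at t=600 still reaches the phone; with the plain RFC 3261 default of re-registering once an hour the entry is long gone and the call is lost. In both runs the packet from the unrelated host is not translated, which is the exposure difference the reply points at: the phone is reachable only by the server it registered with, whereas a DNAT redirect answers to anyone. Note that the rejected stranger packet then hits the tunnel zone's INPUT chain on the real router, so that zone's input policy matters as well.

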
Ok, thank you for the explanation.
I saw this option but was not sure what it did.
I will enable it and see if it works. I have to set up everything first and see if I can get along with Asterisk.
