Question about Wireguard server

I have the following firewall setup on my Belkin RT3200:

WAN zone (public IPv4 /32)
LAN zone (10.1.0.1/24)
VPN zone (10.1.99.1/24)

DNS is handled by a Raspberry Pi inside the LAN zone (10.1.0.2). However, when I check its logs, the queries appear to come from the LAN gateway (10.1.0.1) rather than from the WireGuard client (10.1.99.2) itself, even though 10.1.0.2 is configured as the DNS server in the WireGuard app.

I wonder if this is the intended behavior.

Thanks in advance :wink:

Be sure masquerading is not applied to the traffic the WireGuard peers send towards the LAN (zone-level `masq` on the LAN zone, or a `config nat` section that also matches the VPN traffic).

I see zone-level masquerading is enabled only on the WAN zone.

This is the firewall config:

root@homelab-router:~# cat /etc/config/firewall
# /etc/config/firewall (fw4 / UCI syntax; '#' lines are comments).
# Zones: lan = 10.1.0.0/24 (Pi DNS resolver at 10.1.0.2), vpn = wg0 10.1.99.0/24,
# wan = public IPv4. Policies below are the zone-wide defaults for zones that do
# not set their own.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'
# LAN zone: hosts may reach the router and each other (intra-zone forward ACCEPT).
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
# VPN zone (wg0): peers may reach the router itself (input ACCEPT); traffic between
# two WireGuard peers is not forwarded (intra-zone forward REJECT). No 'masq'
# here, so packets forwarded from vpn to lan keep their 10.1.99.x source.
config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wg0'
# WAN zone: the only zone with zone-level masquerading; unsolicited inbound is
# rejected except for the explicit rules/redirects below.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
config forwarding
        option src 'lan'
        option dest 'wan'
# The rules from Allow-DHCP-Renew through Allow-ISAKMP match the stock OpenWrt
# defaults. Allow-IPSec-ESP / Allow-ISAKMP permit forwarded IPsec toward the LAN
# and are not needed for WireGuard; they can be dropped if no IPsec endpoint
# lives behind this router.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
# WireGuard listener: inbound WAN traffic on 51820 is DNATed to the router's own
# LAN address, i.e. delivered to the local wg0 endpoint. No 'proto' is given, so
# the redirect applies to TCP as well as UDP; WireGuard is UDP-only, so adding
# "option proto 'udp'" keeps TCP/51820 closed on the WAN side. (A plain
# 'config rule' with src wan / dest_port 51820 / proto udp / target ACCEPT is the
# more common way to express the same thing.)
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Allow-Wireguard'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '10.1.0.1'
        option dest_port '51820'
# VPN peers may reach LAN hosts (including the Pi at 10.1.0.2) and, via the WAN
# zone's masquerade, the internet; LAN hosts may initiate towards VPN peers.
config forwarding
        option src 'vpn'
        option dest 'lan'
config forwarding
        option src 'vpn'
        option dest 'wan'
config forwarding
        option src 'lan'
        option dest 'vpn'
# DNS interception for LAN clients: any port-53 traffic from the LAN (except from
# the Pi itself, so it can recurse upstream) is DNATed to the Pi. Only plain DNS
# on port 53 is caught; DoT (853) and DoH (443) bypass this redirect. Not
# applied to the vpn zone -- peers reach 10.1.0.2 directly via vpn->lan forwarding.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Redirect-DNS'
        option src 'lan'
        option src_ip '!10.1.0.2'
        option src_dport '53'
        option dest_ip '10.1.0.2'
        option dest_port '53'
# Hairpin SNAT for the redirect above: LAN->Pi DNS that was DNATed must return
# through the router, so its source is rewritten to the router's LAN address.
# 'src' on a nat section selects the *egress* zone, so without a 'src_ip'
# restriction this also matches DNS forwarded from WireGuard peers (10.1.99.x)
# on its way out to 10.1.0.2:53 -- which is why the Pi logs 10.1.0.1 instead of
# 10.1.99.2. Fix: add "option src_ip '10.1.0.0/24'" so only genuine LAN
# sources are masqueraded (see the uci command below).
config nat
        option name 'Masquerade-DNS'
        list proto 'tcp'
        list proto 'udp'
        option src 'lan'
        option dest_ip '10.1.0.2'
        option dest_port '53'
        option target 'MASQUERADE'
# Restrict the Masquerade-DNS SNAT to packets that really originate in the LAN
# subnet. Without this, DNS from WireGuard peers (10.1.99.0/24) forwarded to the
# Pi also matches the rule (it leaves via the lan zone towards 10.1.0.2:53) and
# is rewritten to the router's LAN address, which is why the Pi logs 10.1.0.1.
# NOTE: '@nat[-1]' addresses the *last* 'config nat' section. In the listing
# above that is Masquerade-DNS; re-check with `uci show firewall | grep nat`
# before running this if more NAT sections have been added since.
uci set firewall.@nat[-1].src_ip='10.1.0.0/24'
uci commit firewall
/etc/init.d/firewall restart

It works, thanks @vgaetera :blush:

