I share LAN services over the web and have a dynamic DNS name. These use firewall port forwards. Then I can access http://example.com,
e.g. port 80 on the WAN forwards to 192.168.1.2 port 80, with From: WAN_zone.
Now that I use WireGuard just about all the time, I wondered why I could no longer access http://example.com while the tunnel was up.
I did some Wireshark troubleshooting and watched the firewall status, and it turns out I needed to add an almost identical port forward, with From: wireguard_zone to the same LAN destination, to access WAN services via the global DNS name.
Is this the right way to do it? It works, but I want to make sure it works for the right reason.
I'm used to having an IPsec phase 2 which goes between XlanIP <-> YwanIP to be sure VPN traffic to the remote WAN services remains encrypted, whereas for WireGuard it's like an IPsec phase 2 which goes between XlanIP <-> YlanIP.
Is this because traffic to the WAN service which forwards to the LAN is basically just a traffic rewrite anyway?
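The behaviour described in the post, modelled as an added example (not code from the original post or from any firewall project): a zone-based firewall where each port forward (DNAT rule) is attached to the zone the packet enters from, so a rule with From: wan only sees packets that arrive on a WAN interface. When the tunnel is up, the client's route to the public address goes through the tunnel, so the packet arrives in the wireguard zone and a second, equally narrow forward is needed there. The zone names, the placeholder WAN address and the LAN host are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Redirect:
    """One DNAT port forward, scoped to the zone the packet arrives from
    (the 'From:' column in the firewall UI)."""
    src_zone: str
    src_dport: int
    dest_ip: str
    dest_port: int

@dataclass(frozen=True)
class Packet:
    """A packet as the router sees it: which zone it entered on, and where it
    says it is going. Only the fields the DNAT decision needs are modelled."""
    ingress_zone: str
    dst_ip: str
    dst_port: int

# Constructed placeholder addresses: WAN side uses the RFC 5737 documentation range.
WAN_IP = "203.0.113.10"          # what the dynamic DNS name resolves to
LAN_HOST = "192.168.1.2"         # the LAN service being forwarded to
ROUTER_ADDRS = {WAN_IP, "192.168.1.1", "10.0.0.1"}  # WAN, LAN and wg addresses

# Rule set 1: the original single port forward, From: wan only.
WAN_ONLY = (Redirect("wan", 80, LAN_HOST, 80),)

# Rule set 2: the same forward duplicated for the wireguard zone, with the
# same single port and the same LAN destination (no wider than the WAN rule).
WAN_AND_WG = WAN_ONLY + (Redirect("wireguard", 80, LAN_HOST, 80),)

def apply_dnat(rules: Tuple[Redirect, ...], pkt: Packet) -> Optional[Tuple[str, int]]:
    """Return the rewritten (ip, port) if a zone-scoped forward matches, else None.

    A forward is considered only if the packet entered on that forward's
    source zone; destination zone/port alone is never enough.
    """
    if pkt.dst_ip not in ROUTER_ADDRS:
        return None  # not addressed to the router itself, so no DNAT applies
    for rule in rules:
        if rule.src_zone == pkt.ingress_zone and rule.src_dport == pkt.dst_port:
            return (rule.dest_ip, rule.dest_port)
    return None

def explain(rules: Tuple[Redirect, ...], pkt: Packet) -> str:
    """Human-readable trace of the decision, for walking through the cases."""
    result = apply_dnat(rules, pkt)
    where = f"{pkt.dst_ip}:{pkt.dst_port} via zone '{pkt.ingress_zone}'"
    if result is None:
        return f"{where}: no forward matches, packet is handled by the router itself"
    return f"{where}: rewritten to {result[0]}:{result[1]}"

if __name__ == "__main__":
    # Tunnel down: the client reaches the public address over the internet.
    from_internet = Packet("wan", WAN_IP, 80)
    # Tunnel up: the same destination, but the packet now enters on the wg zone.
    from_tunnel = Packet("wireguard", WAN_IP, 80)

    print("-- only the From: wan forward --")
    print(explain(WAN_ONLY, from_internet))
    print(explain(WAN_ONLY, from_tunnel))      # this is the 'no longer works' case
    print("-- with the matching From: wireguard forward --")
    print(explain(WAN_AND_WG, from_tunnel))
    print(explain(WAN_AND_WG, Packet("wireguard", WAN_IP, 443)))  # still not exposed
```

The last print is the check worth keeping in mind when adding the second forward: it should match exactly the same port and destination as the WAN rule, so that bringing the tunnel up exposes nothing through the router that was not already reachable from the internet.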