WireGuard and Firewall

22.03.2

I share LAN services over the web, and have a dynamic DNS name. These use Firewall port forwards. Then I can access http://example.com

e.g. port 80 on the WAN forwards to 192.168.1.2 port 80, with From:WAN_zone

Now that I use WireGuard just about all the time, I wondered why I could no longer access http://example.com while the tunnel was up.

Did some Wireshark troubleshooting and watched the firewall status, and it turns out I needed to add an almost identical port forward, with From:wireguard_zone to the same LAN destination, to access WAN services via the global DNS name.

Is this the right way to do it? It works, but I want to make sure it works for the right reason.

I'm used to having an IPsec phase 2 which goes between XlanIP<->YwanIP to be sure VPN traffic to the remote WAN services remains encrypted, whereas for WireGuard it's like an IPsec phase 2 which goes between XlanIP<->YlanIP.

Is this because traffic to the WAN service, which forwards to the LAN, is basically just a traffic rewrite anyway?

You need to use policy based routing to resolve this issue.

What is happening is that a request comes in on the WAN, but all of the reply/egress traffic goes by the tunnel, which means that it cannot go back to the original source of the request. Therefore, you need to tell the routing engine to send certain traffic back through the regular WAN rather than the tunnel.

1 Like
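The policy-based routing described in the answer above, sketched as an added example (not code from the thread or from OpenWrt): it builds the iproute2 commands that send replies from the forwarded service (192.168.1.2, TCP port 80, as in the question) out through the WAN. The interface `eth1`, gateway `203.0.113.1`, table `100` and the rule priorities are constructed placeholders, and it assumes the full `ip` utility (the `ip-full` package on OpenWrt) and a tunnel that installs a plain `0.0.0.0/0` default route in the main table.

```shell
#!/bin/sh
# Added example: policy routing for replies of a port-forwarded LAN service.
# Only 192.168.1.2 and port 80 come from the thread; every other value
# (eth1, 203.0.113.1, table 100, priorities) is a constructed placeholder.

# Print the iproute2 commands for one forwarded service.
# Nothing is changed on the system unless the printed plan is executed.
pbr_plan() {
    host=$1 proto=$2 port=$3 wan_if=$4 wan_gw=$5 table=$6

    # Accept only a plain decimal port in 1..65535 and tcp/udp.
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2; return 1
    fi
    case $proto in
        tcp|udp) ;;
        *) echo "bad proto: $proto" >&2; return 1 ;;
    esac

    # 1. A separate table whose only route is a default via the WAN gateway.
    echo "ip route replace default via $wan_gw dev $wan_if table $table"
    # 2. Consult 'main' first but ignore its default route, so replies to
    #    LAN hosts and tunnel peers still follow their specific routes.
    echo "ip rule add priority 1000 lookup main suppress_prefixlength 0"
    # 3. Replies from the forwarded service that matched no specific route
    #    use the WAN table instead of the tunnel's default route.
    echo "ip rule add priority 1001 from $host ipproto $proto sport $port lookup $table"
}

# Dry run by default: show the plan. Set APPLY=1 on the router to execute it.
plan=$(pbr_plan 192.168.1.2 tcp 80 eth1 203.0.113.1 100)
if [ "${APPLY:-0}" = 1 ]; then
    echo "$plan" | sh -e
else
    echo "$plan"
fi
```

Check the result with `ip rule show` and `ip route show table 100`; the rules are not persistent across reboots and re-running the plan adds duplicate rules.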