Menu
What's new
By:
Filters Better Search

Port forwarding on WireGuard seems unsupported in 388.1

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

abir1909 said:
I was able to open the port on the fireguard vpn using the following lines only in firewall-start

ifconfig br0:0 192.168.1.xxx up
iptables -t nat -A PREROUTING -i wgc2 -p udp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx
iptables -t nat -A PREROUTING -i wgc2 -p tcp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx

@Jeffrey Young do I still need to put the delete rules with the above lines?
Click to expand...
The NAT rules should go in the nat-start script. The ifconfig can stay in firewall-start script.

Yes, you should include the delete (-D) rules above your insert rules so as not to create a bunch of duplicates rules should the script get called multiple times.

By wireguard very nature, a kill switch is not possible.

EDIT: perhaps we can rewind and you explain exactly what you are trying to achieve. The reason for setting up an alias IP on the br0 bridge is confusing me.
 
Last edited:
abir1909 said:
I was able to open the port on the fireguard vpn using the following lines only in firewall-start

ifconfig br0:0 192.168.1.xxx up
iptables -t nat -A PREROUTING -i wgc2 -p udp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx
iptables -t nat -A PREROUTING -i wgc2 -p tcp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx

@Jeffrey Young do I still need to put the delete rules with the above lines?
Click to expand...
Its always a good idea to execute your modified commands at the prompt directly so you see the commands execute ok and there are no errors and give you correct effect, before putting them in nat/firewall start. And/or you can test and tweak the commands until its working.

you didnt use the FORWARD command, I guess you have "allow inbound firewall" turned on so firewall is wide open between wgc2 and your lan. My commands only opens for the forwarded packets, all others are closed. Do as you wish.
 
Jeffrey Young said:
The NAT rules should go in the nat-start script. The ifconfig can stay in firewall-start script.

Yes, you should include the delete (-D) rules above your insert rules so as not to create a bunch of duplicates rules should the script get called multiple times.

By wireguard very nature, a kill switch is not possible.

EDIT: perhaps we can rewind and you explain exactly what you are trying to achieve. The reason for setting up an alias IP on the br0 bridge is confusing me.
Click to expand...
I am running transmission on the router. in transmission settings.json I setup a bind ip for transmission "bind-address-ipv4": "192.168.1.xxx" that way I can have that specific ip go through the vpn. In order for this ip to get internet I had to add the br0 bridge command to firewall-start.

@ZebMcKayhan I didn’t open the inbound firewall as you can see. However, I have no knowledge of how to do this things, I am piecing up different information from the forum and running tests. If there is better way to achieve it I would love to know. Thx
(see attached settings)
 

Attachments

  • 57C88456-187F-4C2B-AB20-6E0A8CF331F1.jpeg
    57C88456-187F-4C2B-AB20-6E0A8CF331F1.jpeg
    34.7 KB · Views: 51
  • 39A506C1-1BFF-4940-B03B-3844EFAA74C7.jpeg
    39A506C1-1BFF-4940-B03B-3844EFAA74C7.jpeg
    22.4 KB · Views: 48
  • 113008C0-F3D8-4EC6-A97B-0D15BB7000E5.jpeg
    113008C0-F3D8-4EC6-A97B-0D15BB7000E5.jpeg
    37.2 KB · Views: 52
abir1909 said:
I am running transmission on the router. in transmission settings.json I setup a bind ip for transmission "bind-address-ipv4": "192.168.1.xxx" that way I can have that specific ip go through the vpn. In order for this ip to get internet I had to add the br0 bridge command to firewall-start.

@ZebMcKayhan I didn’t open the inbound firewall as you can see. However, I have no knowledge of how to do this things, I am piecing up different information from the forum and running tests. If there is better way to achieve it I would love to know. Thx
(see attached settings)
Click to expand...
Thanks. That adds context. Also explains why you did not need the forward rules. You were talking to the router itself. No need to forward.
 
Jeffrey Young said:
Thanks. That adds context. Also explains why you did not need the forward rules. You were talking to the router itself. No need to forward.
Click to expand...
With that said, would you change something in my settings?
You previously mentioned to move the nat rules to nat-start. Do I still need to do it? Should I create a nat start script?
Also, you mentioned the delete rules (-D). Do I still need it? If so how would you add it to my existing script (I have no idea)
Thanks
 
abir1909 said:
With that said, would you change something in my settings?
You previously mentioned to move the nat rules to nat-start. Do I still need to do it? Should I create a nat start script?
Also, you mentioned the delete rules (-D). Do I still need it? If so how would you add it to my existing script (I have no idea)
Thanks
Click to expand...
Yes, any iptables rules that deal with NAT should go in the nat-start script. How they are handled and why in Merlin, I don't know.

Your nat-start script would then look something like;

Code: 
#!/bin/sh

iptables -t nat -D PREROUTING -i wgc2 -p udp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx > /dev/null 2>&1
iptables -t nat -D PREROUTING -i wgc2 -p tcp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx > /dev/null 2>&1

iptables -t nat -I PREROUTING -i wgc2 -p udp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx
iptables -t nat -I PREROUTING -i wgc2 -p tcp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx

That that I am using -I (insert) as opposed to -A (append). If you append the rules to the end, you run the risk of inserting your rules after a DROP rule or a RETURN rule in the tables.
 
Jeffrey Young said:
Yes, any iptables rules that deal with NAT should go in the nat-start script. How they are handled and why in Merlin, I don't know.

Your nat-start script would then look something like;

Code: 
#!/bin/sh

iptables -t nat -D PREROUTING -i wgc2 -p udp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx > /dev/null 2>&1
iptables -t nat -D PREROUTING -i wgc2 -p tcp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx > /dev/null 2>&1

iptables -t nat -I PREROUTING -i wgc2 -p udp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx
iptables -t nat -I PREROUTING -i wgc2 -p tcp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx

That that I am using -I (insert) as opposed to -A (append). If you append the rules to the end, you run the risk of inserting your rules after a DROP rule or a RETURN rule in the tables.
Click to expand...
thanks Jeffrey, i made the changes and seems to work just fine. port is open on the wireguard vpn. will report if any issues.
 
abir1909 said:
thanks Jeffrey, i made the changes and seems to work just fine. port is open on the wireguard vpn. will report if any issues.
Click to expand...
Just fyi... if you need this port to reach some local service om the router, my 2 rules in FORWARD chain should be replaced by something like this in the INPUT chain:
Code: 
iptables -I INPUT -p tcp -i wgc1 --dport 8080 -j ACCEPT
iptables -I INPUT -p udp -i wgc1 --dport 8080 -j ACCEPT
But apperantly Transmission (or yourself, via some means) already took care of this. But thought I mention it for future reference.
 
You must log in or register to reply here.

Similar threads

OakleyFreak
Solved Guest network On VPN on 3004-388.8_2
Replies
2
Views
430
OakleyFreak
OakleyFreak
pippo_105
I cannot setup Wireguard on my AX6000
Replies
6
Views
520
pippo_105
pippo_105
H
Port Forwarding Over WireGuard Connection?
2
Replies
22
Views
3K
houmi
houmi
orudie
RT-AX86U Pro: after router reboot VPN Fusion Wireguard profile stock on connecting and Internet does not work
Replies
0
Views
272
orudie
orudie
Tyrfing
Asus RT-AX88U Stuck on Merlin Firmware 388.1
Replies
9
Views
1K
Tyrfing
Tyrfing
Similar threads
Thread starter Title Forum Replies Date
C Can port forwarding do failover to an alternative server? Asuswrt-Merlin 2
A DSL-AX82U HTTP/HTTPS Port Forwarding Asuswrt-Merlin 7
waldo43 Solved Port Forwarding Issue Asuswrt-Merlin 6
docta_v Is there any VPN provider with easy setup for port forwarding on Merlin? Asuswrt-Merlin 5
GShlomi Sharing my DualWan with port forwarding and DDNS experience Asuswrt-Merlin 0
GShlomi Two WANs but not dual-WAN, with port-forwarding Asuswrt-Merlin 7
Mr Solis Enabling NAT Acceleration (CTF) breaks Port Forwarding? (RT-AC68U w/ 386.12_4) Asuswrt-Merlin 17
A PS5 port forwarding and VPN rules Asuswrt-Merlin 4
SA_booley Port forwarding only works on LAN Asuswrt-Merlin 10
C Port Forwarding and Firewall - not working as I expect Asuswrt-Merlin 4

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 540 (members: 19, guests: 521)
Top