Menu
What's new
By:
Filters Better Search

Is my port forwarding with WireGuard working properly or?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

D

Deleted member 83610

Guest
I have set up a WireGuard connection with port forwarding on my Asus RT-AX86U (with the latest Asuswrt-Merlin firmware). Everything seems to be working great...

This is my iptables FORWARD table:

1694552992698.png


As you can see marked in green above the iptables firewall is letting through a ton of packets coming in on WireGuard Client 5/WGC5.

However, my PREROUTING table rules doesn't get hit at all unless I manually test that port forwarding is working (from you get signal):

1694553331248.png


Isn't that weird?

This is my POSTROUTING table by the way:

1694553655393.png


VPN Director has automatically created the rule marked in green above to handle the traffic the other way.
 
raritywrt said:
Isn't that weird?
Click to expand...
Sure is...

Ive read somwhere that not all packets are hitting the nat tables. Perhaps only some packets (like initial packets) hits here the rest are offloaded to some autonomous function deep inside netfilter to replicate for related packets, thus not counted?
Or this could be an effect of FlowCache (nat hw accelleration) perhaps?

Ill be interested to know as well.

Worth notice is the main deviation are for udp packets.
 
Flow Cache is on:

1694703872706.png


Not sure I want to try and turn it off.

I'm wondering if this has something to do with VPN Director?

Also just found my iptables PREROUTING rules in the GUI:

1694704194817.png


Is there perhaps some other iptables chain I should be using when using VPN Director and WireGuard?

Port Fowarding and Port Trigger is disabled by the way as I understood this is for WAN only (which is under the tab where they are found as well):


1694704592729.png


1694704575651.png
 
raritywrt said:
I'm wondering if this has something to do with VPN Director?
Click to expand...
No way, VPNDirector handles routing and some firewall rules only. Your rules are on top so higher priority than anything else.

raritywrt said:
Is there perhaps some other iptables chain I should be using when using VPN Director and WireGuard?
Click to expand...
No, you are using the only possible ones. Sure the firmware is creating own chains and call them from these, but its just a matter of flavor / tidyness.

raritywrt said:
Port Fowarding and Port Trigger is disabled by the way as I understood this is for WAN only (which is under the tab where they are found as well):
Click to expand...
Not sure what this does, probably creates the custom chain and calls it from prerouting. But it may be empty if you havnt added any. Turn it on and check for yourself.
 
I finally had some time to do some more testing:

  • Turning on Port Forwarding under WAN made no difference to the hits of my rules in the iptables PREROUTING chain.

  • Switching from WireGuard back to OpenVPN made no difference to the hits of my rules in the iptables PREROUTING chain.

  • I use ProtonVPN and turning On/Off Moderate NAT made no difference to the hits of my rules in the iptables PREROUTING chain:

    1695120988276.png


    1695121191388.png
I'm of course selecting P2P servers marked with this symbol:

1695121297425.png


NAT is by default enabled in the WireGuard client on the Asus router:

1695121462108.png


NAT-PMP is also working fine on the router:

1695121751058.png


As I saw the the NAT-PMP screenshot above... Is NAT-PMP the reason why my rules in the iptables PREROUTING chain are ignored?
 
raritywrt said:
As I saw the the NAT-PMP screenshot above... Is NAT-PMP the reason why my rules in the iptables PREROUTING chain are ignored?
Click to expand...
That would explain the udp difference atleast, but natpmp goes over port 5351 (?). But perhaps related packets?

If you have Entware installed you could install TcpDump which should be able to capture the packets to see what it is?
 
I do have Entware installed, but it's been a while since I last used tcpdump and WireShark.

With ProtonVPN the natpmp client gets a random remote port mapped to the same port locally (symmetrical NAT):

1695671163104.png


This got me thinking: How does clients out there on Internet know about which remote port the natpmp client has opened on my Asus router?

I figured I had to match this port in the client I'm using so it's announced to others out there. That was it!

Finally my rules in the iptables PREROUTING chain get hit as they should (and not just when I manually test from CanYouSeeMe.org):

1695671726441.png


:D
 
raritywrt said:
I do have Entware installed, but it's been a while since I last used tcpdump and WireShark.

With ProtonVPN the natpmp client gets a random remote port mapped to the same port locally (symmetrical NAT):

View attachment 53303

This got me thinking: How does clients out there on Internet know about which remote port the natpmp client has opened on my Asus router?

I figured I had to match this port in the client I'm using so it's announced to others out there. That was it!

Finally my rules in the iptables PREROUTING chain get hit as they should (and not just when I manually test from CanYouSeeMe.org):

View attachment 53305

:D
Click to expand...
So, any idea about why this manifested in the way that it did? Your rules are kindof picky so in PREROUTING any packet recieved on WGC5 dport 61373 is DNAT to 192.168.1.110:53560
Then in FORWARD matches only packets from WGC5 destination 192.168.1.110 dport 53560.
So what packets would hit the FORWARD chain without hitting the PREROUTING chain?? Are there packets from WGC5 with 192.168.1.110:53560 as destination already without DNAT??
 
My TCP rule in the iptables PREROUTING chain only got hit when I manually checked if the forwarded port actually was open with something like you get signal. Problem was no one else out there on the Internet knew about my forwarded port (which was the key to solving the issue).

I believe my rules in the FORWARD chain still got hit because that port was specified and accepted by my client software and connections were initiated the other way, that is from my client to others on the Internet (and then back through my iptables firewall openings).
 
raritywrt said:
that port was specified and accepted by my client software and connections were initiated the other way,
Click to expand...
Ofcource, if you local clients connects/announce port 53560 outbound to wgc5, adress translation would be done via MASQUARADE and conntrack so your DNAT rule would never be hit because of wrong port but as everything matches for the FORWARD rule it will match. It would normally hit by the RELATED, ESTABLISHED rule but your rule would be higher up and take priority. Brilliant!
 
I use ProtonVPN Wireguard from within the router also and have attempted to forward it via the UI (which I am beginning to understand is unsupported) yet I can't see the port they provide me via NAT-PMP open at all ever no matter what I do on that open port checker website ... what am I missing

EDIT: Some deeper hacking by adding firewall rules and nat rules allows forwarding to work with a OPVN/WireGuard connection on. It seems counterintuitive to even have a port forwarding UI element if it doesn't apply to these connections for some reason ... Perhaps someone could write a script that installs over the in built UI to improve it.
 
Last edited:
You must log in or register to reply here.

Similar threads

H
Port Forwarding Over WireGuard Connection?
2
Replies
22
Views
2K
houmi
houmi
GShlomi
Sharing my DualWan with port forwarding and DDNS experience
Replies
0
Views
147
GShlomi
GShlomi
A
PS5 port forwarding and VPN rules
Replies
4
Views
1K
ColinTaylor
C
dacid44
Routing packets through a wireguard client
Replies
15
Views
2K
ZebMcKayhan
Z
G
VPN Client with Public IP, split tunnel web server over VPN and other traffic not on the VPN
Replies
4
Views
414
Grefyne
G
Similar threads
Thread starter Title Forum Replies Date
H Port Forwarding Over WireGuard Connection? Asuswrt-Merlin 22
GShlomi Sharing my DualWan with port forwarding and DDNS experience Asuswrt-Merlin 0
GShlomi Two WANs but not dual-WAN, with port-forwarding Asuswrt-Merlin 7
Mr Solis Enabling NAT Acceleration (CTF) breaks Port Forwarding? (RT-AC68U w/ 386.12_4) Asuswrt-Merlin 17
A PS5 port forwarding and VPN rules Asuswrt-Merlin 4
SA_booley Port forwarding only works on LAN Asuswrt-Merlin 10
C Port Forwarding and Firewall - not working as I expect Asuswrt-Merlin 4
C IPv4 Firewall/Port-Forwarding - Appear to be the same thing on Asuswrt Asuswrt-Merlin 4
mixels Possible to configure RT-AX86U w/ Merlin with more than 64 port forwarding rules? Asuswrt-Merlin 9
V Port forwarding not working? Asuswrt-Merlin 6

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 1,170 (members: 27, guests: 1,143)
Top