Port forwarding on WireGuard seems unsupported in 388.1


I was able to open the port on the WireGuard VPN using the following lines only in firewall-start

ifconfig br0:0 192.168.1.xxx up
iptables -t nat -A PREROUTING -i wgc2 -p udp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx
iptables -t nat -A PREROUTING -i wgc2 -p tcp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx

@Jeffrey Young do I still need to put the delete rules with the above lines?
The NAT rules should go in the nat-start script. The ifconfig can stay in firewall-start script.

Yes, you should include the delete (-D) rules above your insert rules so as not to create a bunch of duplicate rules should the script get called multiple times.

By WireGuard's very nature, a kill switch is not possible.

EDIT: perhaps we can rewind and you explain exactly what you are trying to achieve. The reason for setting up an alias IP on the br0 bridge is confusing me.
 
It's always a good idea to execute your modified commands at the prompt directly so you see the commands execute OK, there are no errors and they give you the correct effect, before putting them in nat/firewall-start. And/or you can test and tweak the commands until it's working.

You didn't use the FORWARD command; I guess you have "allow inbound firewall" turned on, so the firewall is wide open between wgc2 and your LAN. My commands only open for the forwarded packets; all others are closed. Do as you wish.
 
I am running Transmission on the router. In Transmission's settings.json I set up a bind IP for Transmission, "bind-address-ipv4": "192.168.1.xxx", so that specific IP goes through the VPN. In order for this IP to get internet I had to add the br0 bridge command to firewall-start.

@ZebMcKayhan I didn't open the inbound firewall, as you can see. However, I have no knowledge of how to do these things; I am piecing together different information from the forum and running tests. If there is a better way to achieve it I would love to know. Thx
(see attached settings)
 

Thanks. That adds context. Also explains why you did not need the forward rules. You were talking to the router itself. No need to forward.
 
With that said, would you change something in my settings?
You previously mentioned moving the NAT rules to nat-start. Do I still need to do it? Should I create a nat-start script?
Also, you mentioned the delete rules (-D). Do I still need them? If so, how would you add them to my existing script (I have no idea)?
Thanks
 
Yes, any iptables rules that deal with NAT should go in the nat-start script. How they are handled and why in Merlin, I don't know.

Your nat-start script would then look something like:

Code:
#!/bin/sh

iptables -t nat -D PREROUTING -i wgc2 -p udp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx > /dev/null 2>&1
iptables -t nat -D PREROUTING -i wgc2 -p tcp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx > /dev/null 2>&1

iptables -t nat -I PREROUTING -i wgc2 -p udp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx
iptables -t nat -I PREROUTING -i wgc2 -p tcp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx

Note that I am using -I (insert) as opposed to -A (append). If you append the rules to the end, you run the risk of inserting your rules after a DROP rule or a RETURN rule in the tables.
 
Thanks Jeffrey, I made the changes and it seems to work just fine. The port is open on the WireGuard VPN. Will report if any issues.
 
Just FYI... if you need this port to reach some local service on the router, my 2 rules in the FORWARD chain should be replaced by something like this in the INPUT chain:
Code:
iptables -I INPUT -p tcp -i wgc1 --dport 8080 -j ACCEPT
iptables -I INPUT -p udp -i wgc1 --dport 8080 -j ACCEPT
But apparently Transmission (or you, via some means) already took care of this. I thought I'd mention it for future reference.
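As an added example that is not from the thread (and not Merlin's own scripts), here is one helper that covers both Jeffrey Young's nat-start pattern above and ZebMcKayhan's INPUT-versus-FORWARD note, replacing the -D/-I pair with an "iptables -C" existence check; the port, the destination IP and the IPT override variable are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: one idempotent helper shared by the
# nat-start (DNAT) and firewall-start (ACCEPT) halves of the setup. It uses an
# "iptables -C" existence check instead of the thread's -D/-I pair.
# PORT and DEST are placeholders for the thread's 55xxx and 192.168.1.xxx.
WG_IF="wgc2"
PORT="55000"
DEST="192.168.1.100"
IPT="${IPT:-iptables}"   # point IPT at a stub to exercise the logic off-router

# ensure_rule TABLE CHAIN RULE...: -C exits 0 when the rule already exists, so
# re-running the script never stacks duplicates; -I puts the rule at the top,
# ahead of any DROP or RETURN rule the firmware appended.
ensure_rule() {
    _t=$1; _c=$2; shift 2
    $IPT -t "$_t" -C "$_c" "$@" 2>/dev/null || $IPT -t "$_t" -I "$_c" "$@"
}

# nat_rules: the part that belongs in nat-start. Returns 0 on success.
nat_rules() {
    for proto in tcp udp; do
        ensure_rule nat PREROUTING -i "$WG_IF" -p "$proto" --dport "$PORT" \
            -j DNAT --to-destination "$DEST" || return 1
    done
}

# fw_rules CHAIN: the part that belongs in firewall-start. When DEST is an
# alias on the router itself (Transmission bound to br0:0) the DNATed packet is
# delivered locally, so CHAIN is INPUT; for a LAN host it is FORWARD. Matching
# on -d/--dport admits only the forwarded flow, so "allow inbound" can stay off.
fw_rules() {
    for proto in tcp udp; do
        ensure_rule filter "$1" -i "$WG_IF" -p "$proto" -d "$DEST" \
            --dport "$PORT" -j ACCEPT || return 1
    done
}

# Usage: sh this-script nat   |   sh this-script firewall INPUT
case "${1:-}" in
    nat)      nat_rules ;;
    firewall) fw_rules "${2:-INPUT}" ;;
esac
```

Run it once per chain from the matching script; calling it again is harmless because every rule is checked before it is inserted.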
 
