Netgate Discussion Forum
    How to port forward to a specific host (without WG as the default route)

    WireGuard
    13 Posts 2 Posters 1.1k Views
    Bob.Dig @Molski

      @molski You need a firewall rule for that too, at least there is none linked to that NAT Rule directly.

      Molski @Bob.Dig

        @bob-dig This rule is what implements the policy-based route to even make it work through the VPN in the first place. That works fine.

        pf-rules.png

        Bob.Dig @Molski

          @molski Delete everything there! You should treat it like WAN, there shouldn't be anything other than the port you opened.

          Bob.Dig @Molski

            @molski I also set the Interface Group Membership to none in VPN-WireGuard-Setting.

            Molski @Bob.Dig

              @bob-dig said in How to port forward to a specific host (without WG as the default route):

              I also set the Interface Group Membership to none in VPN-WireGuard-Setting.

              I tried that first, and had that working fairly quickly when I was routing my entire LAN through the VPN. It was only when I was experimenting with routing certain hosts that I could not get it to work at all that way.

              I was watching Christian McDonald's YouTube videos which gave me other ideas to try. (Who I believe is the main developer of the WG package, and then got hired by Netgate.) He creates an interface group for the VPN gateways (for failover purposes). But I thought I'd try that for a single VPN gateway, and surprisingly, it worked! But not until I assigned it to an interface.

              @bob-dig said in How to port forward to a specific host (without WG as the default route):

              Delete everything there! You should treat it like WAN, there shouldn't be anything other than the port you opened.

              Actually, thinking back, those rules don't change anything. That's just leftovers of me trying a hundred or so combinations of things.

              Bob.Dig @Molski

                @molski said in How to port forward to a specific host (without WG as the default route):

                Actually, thinking back, those rules don't change anything. That's just leftovers of me trying a hundred or so combinations of things.

                Yup, the only thing there should be is the one port you'd like to forward. So just activate it in the NAT rule and it will be there.

                Molski @Bob.Dig

                  That was the first thing I tried. Even redoing it so it makes that exact same rule, but with the gateway as "*". It still gets the same result:

                  $ curl https://ipv4.am.i.mullvad.net/port/57995
                  {"ip":"XX.XX.XX.XX","port":57995,"reachable":false}

                  Edit: This all works in the normal use case of routing the entire LAN. (And yes, the port is open and can connect through the VPN.)

                  Bob.Dig @Molski

                    @molski said in How to port forward to a specific host (without WG as the default route):

                    Edit: This all works in the normal use case of routing the entire LAN. (And yes, the port is open and can connect through the VPN.)

                    I don't think this is the normal use case to route everything through the VPN.
                    Show the VPN Interface again, this time with only one rule and no gateway set in there.
                    Also show the outbound NAT Rules.

                    Molski @Bob.Dig

                      @bob-dig said in How to port forward to a specific host (without WG as the default route):

                      I don't think this is the normal use case to route everything through the VPN.

                      That was a bad way to phrase it. I've done a lot with VPNs and even some pfSense through work, tying networks together and whatnot. But I've never singled out specific hosts on a subnet and treated them differently (routing-wise, anyway). I meant that this was not a common scenario (or a secure one), at least in my experience.

                      @bob-dig said in How to port forward to a specific host (without WG as the default route):

                      Show the VPN Interface again, this time with only one rule and no gateway set in there.
                      Also show the outbound NAT Rules.

                      I could not get this working at all until I set the gateway there; for my VPN interface I had to put this:

                      pf-tmp.png

                      Setting that gateway and this NAT rule made everything work for a specific host. Both were needed.

                      pf-tmp2.png

                      That host uses the VPN, and everything else doesn't. It's great! Just the port forwarding doesn't.

                      Bob.Dig @Molski

                        @molski You are doing things your own way, which is fine if you know what you are doing, but I have my doubts. It looks to be more trial and error on your side.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.