Netgate Discussion Forum
    Port forwarding not working properly

General pfSense Questions
yon 0 @stephenw10

@stephenw10 Before I upgraded pfSense, it had been working normally. The current version causes it to not work unless wg is set as the default gateway. Each wg tunnel is assigned a separate interface, so there must be something wrong now.

In the previous version of pfSense, I had nearly 6 tunnels in different regions connected to pfSense, and the public IPv4 of each tunnel could be forwarded to my intranet server normally through pfSense.

yon 0 @yon 0

I used to forward each tunnel's public IPv4 to my LAN mail server. Now it is necessary to set the tunnel interface as the system default gateway, so the problem is with pfSense, because my previous tunnel configuration has not changed.

Bob.Dig @yon 0

          @yon-0 Maybe show some screenshots of your rules, gateways etc. at least for one WG interface. What is running on those VPS, Linux?

stephenw10 Netgate Administrator

            What version did you upgrade from where it did work? Is this only failing in 23.09?

            Check the ruleset in /tmp/rules.debug. Do the pass rules you have on the WG interfaces have the reply-to tags?

yon 0 @Bob.Dig

              @Bob-Dig said in Port forwarding not working properly:

              @yon-0 Maybe show some screenshots of your rules, gateways etc. at least for one WG interface. What is running on those VPS, Linux?

[image: Screenshot of pf.- System_ Routing_ Gateways (1).jpg]

[image: Screenshot of pf.- System_ Routing_ Gateways (2).jpg]

Now I have set up the IPv4 default gateway with wg0, so only wg0 can work normally; if I do not set this up, then port forwarding on all WG tunnels cannot work normally.

yon 0 @stephenw10

                @stephenw10 said in Port forwarding not working properly:

                reply-to

                pass  in  quick  on $US72WG reply-to ( tun_wg1 10.10.2.1 ) inet proto tcp  from any to 10.50.2.5 port 25 ridentifier 1645607936 flags S/SA keep state label "USER_RULE: NAT smtp" label "id:1645607936"
                
                # array key "mwan" does not exist for "http" in array: {WAN LAN WAN2 WG0 US72WG WGZHU SEAVPN WGSEATTLE ZHUVP UKWG FRVPN DEVPN FMTVPN DEWG OpenVPN WireGuard } label "USER_RULE: http"
                # array key "mwan" does not exist for "http" in array: {WAN LAN WAN2 WG0 US72WG WGZHU SEAVPN WGSEATTLE ZHUVP UKWG FRVPN DEVPN FMTVPN DEWG OpenVPN WireGuard } label "USER_RULE: http"
                # array key "mwan" does not exist for "FTP" in array: {WAN LAN WAN2 WG0 US72WG WGZHU SEAVPN WGSEATTLE ZHUVP UKWG FRVPN DEVPN FMTVPN DEWG OpenVPN WireGuard } label "USER_RULE: FTP"
                # array key "mwan" does not exist for "FTP" in array: {WAN LAN WAN2 WG0 US72WG WGZHU SEAVPN WGSEATTLE ZHUVP UKWG FRVPN DEVPN FMTVPN DEWG OpenVPN WireGuard } label "USER_RULE: FTP"
                # array key "mwan" does not exist for "DNS" in array: {WAN LAN WAN2 WG0 US72WG WGZHU SEAVPN WGSEATTLE ZHUVP UKWG FRVPN DEVPN FMTVPN DEWG OpenVPN WireGuard } label "USER_RULE: DNS"
                # array key "mwan" does not exist for "DNS" in array: {WAN LAN WAN2 WG0 US72WG WGZHU SEAVPN WGSEATTLE ZHUVP UKWG FRVPN DEVPN FMTVPN DEWG OpenVPN WireGuard } label "USER_RULE: DNS"
                # array key "mwan" does not exist for "SMTP" in array: {WAN LAN WAN2 WG0 US72WG WGZHU SEAVPN WGSEATTLE ZHUVP UKWG FRVPN DEVPN FMTVPN DEWG OpenVPN WireGuard } label "USER_RULE: SMTP"
                # array key "mwan" does not exist for "SMTP" in array: {WAN LAN WAN2 WG0 US72WG WGZHU SEAVPN WGSEATTLE ZHUVP UKWG FRVPN DEVPN FMTVPN DEWG OpenVPN WireGuard } label "USER_RULE: SMTP"
                # array key "mwan" does not exist for "HTTPS" in array: {WAN LAN WAN2 WG0 US72WG WGZHU SEAVPN WGSEATTLE ZHUVP UKWG FRVPN DEVPN FMTVPN DEWG OpenVPN WireGuard } label "USER_RULE: HTTPS"
                # array key "mwan" does not exist for "HTTPS" in array: {WAN LAN WAN2 WG0 US72WG WGZHU SEAVPN WGSEATTLE ZHUVP UKWG FRVPN DEVPN FMTVPN DEWG OpenVPN WireGuard } label "USER_RULE: HTTPS"
                # array key "mwan" does not exist for "IMAP" in array: {WAN LAN WAN2 WG0 US72WG WGZHU SEAVPN WGSEATTLE ZHUVP UKWG FRVPN DEVPN FMTVPN DEWG OpenVPN WireGuard } label "USER_RULE: IMAP"
                # array key "mwan" does not exist for "IMAP" in array: {WAN LAN WAN2 WG0 US72WG WGZHU SEAVPN WGSEATTLE ZHUVP UKWG FRVPN DEVPN FMTVPN DEWG OpenVPN WireGuard } label "USER_RULE: IMAP"
                # array key "mwan" does not exist for "IMAPs" in array: {WAN LAN WAN2 WG0 US72WG WGZHU SEAVPN WGSEATTLE ZHUVP UKWG FRVPN DEVPN FMTVPN DEWG OpenVPN WireGuard } label "USER_RULE: IMAPs"
                # array key "mwan" does not exist for "IMAPs" in array: {WAN LAN WAN2 WG0 US72WG WGZHU SEAVPN WGSEATTLE ZHUVP UKWG FRVPN DEVPN FMTVPN DEWG OpenVPN WireGuard } label "USER_RULE: IMAPs"
                # array key "mwan" does not exist for "pop3" in array: {WAN LAN WAN2 WG0 US72WG WGZHU SEAVPN WGSEATTLE ZHUVP UKWG FRVPN DEVPN FMTVPN DEWG OpenVPN WireGuard } label "USER_RULE: pop3"
                # array key "mwan" does not exist for "pop3" in array: {WAN LAN WAN2 WG0 US72WG WGZHU SEAVPN WGSEATTLE ZHUVP UKWG FRVPN DEVPN FMTVPN DEWG OpenVPN WireGuard } label "USER_RULE: pop3"
                # array key "mwan" does not exist for "FTP pass  " in array: {WAN LAN WAN2 WG0 US72WG WGZHU SEAVPN WGSEATTLE ZHUVP UKWG FRVPN DEVPN FMTVPN DEWG OpenVPN WireGuard } label "USER_RULE: FTP pass  "
                # array key "mwan" does not exist for "FTP pass" in array: {WAN LAN WAN2 WG0 US72WG WGZHU SEAVPN WGSEATTLE ZHUVP UKWG FRVPN DEVPN FMTVPN DEWG OpenVPN WireGuard } label "USER_RULE: FTP pass"
                # array key "mwan" does not exist for "smtp" in array: {WAN LAN WAN2 WG0 US72WG WGZHU SEAVPN WGSEATTLE ZHUVP UKWG FRVPN DEVPN FMTVPN DEWG OpenVPN WireGuard } label "USER_RULE: smtp"
                # array key "mwan" does not exist for "smtp" in array: {WAN LAN WAN2 WG0 US72WG WGZHU SEAVPN WGSEATTLE ZHUVP UKWG FRVPN DEVPN FMTVPN DEWG OpenVPN WireGuard } label "USER_RULE: smtp"
                

                I'm not sure which version stopped working. I found it didn't work in version 23.09.01. I think it should work in version 23.05 because I tested it when I set up port forwarding.

stephenw10 Netgate Administrator

                  @yon-0 said in Port forwarding not working properly:

                  10.10.2.1

                  Do you see states/traffic on that pass rule?

                  Do you have pass rules on the WireGuard group interface? That would prevent the reply-to being applied.

yon 0 @stephenw10

                    @stephenw10 said in Port forwarding not working properly:

                    @yon-0 said in Port forwarding not working properly:

                    10.10.2.1

                    Do you see states/traffic on that pass rule?

                    Do you have pass rules on the WireGuard group interface? That would prevent the reply-to being applied.

[image: Screenshot of pf- Firewall_ Rules_ US72WG.jpg]

yon 0 @stephenw10

                      @stephenw10 said in Port forwarding not working properly:

                      Do you see states/traffic on that pass rule?

No, no traffic shows up on the WG forwarding port.

stephenw10 Netgate Administrator

                        Ok, so no traffic is hitting those rules. Most likely it's being passed on the WG group interface. If that is the case then reply-to would not be applied.

                        What rules do you have on the WG group?

yon 0 @stephenw10

                          @stephenw10 said in Port forwarding not working properly:

                          Ok, so no traffic is hitting those rules. Most likely it's being passed on the WG group interface. If that is the case then reply-to would not be applied.

                          What rules do you have on the WG group?

[image: Screenshot of pf - Firewall_ Rules_ WireGuard.jpg]

yon 0 @yon 0

Because wg0 has been set up as the pfSense default gateway, wg0 is normal; the other WireGuard tunnels can't work.

stephenw10 Netgate Administrator

You have to pass that traffic on the assigned interface tabs and not on the WireGuard group tab, otherwise reply-to cannot work.

                              So disable the rules on the group tab.

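As an added example (not from this thread and not pfSense's own code), the two checks stephenw10 asks for above, applied to a /tmp/rules.debug-style dump: inbound pass rules on the WireGuard interface group (which pfSense evaluates before the per-interface tab rules, so a port forward matched there never reaches a rule carrying reply-to) and per-interface pass rules that carry no reply-to tag at all. The sample rule lines, the interface macros and the group name "WireGuard" are constructed assumptions modelled on the single rule quoted earlier in the thread.

```python
import re

# Constructed sample in the style of the rules.debug line quoted in this thread
# (interface names, ridentifiers and labels are illustrative, not from a real firewall).
SAMPLE_RULES = """\
pass  in  quick  on WireGuard inet proto tcp  from any to 10.50.2.5 port 25 ridentifier 100 keep state label "USER_RULE: group smtp"
pass  in  quick  on $US72WG reply-to ( tun_wg1 10.10.2.1 ) inet proto tcp  from any to 10.50.2.5 port 25 ridentifier 101 flags S/SA keep state label "USER_RULE: NAT smtp"
pass  in  quick  on $UKWG inet proto tcp  from any to 10.50.2.5 port 25 ridentifier 102 flags S/SA keep state label "USER_RULE: NAT smtp uk"
block in log quick on $US72WG inet from 10.0.0.0/8 to any label "bogons"
# array key "mwan" does not exist for "http" in array: {WAN LAN} label "USER_RULE: http"
"""

# Matches 'pass in quick on <iface> <rest>'; the interface is either a per-interface
# macro such as $US72WG or a bare interface-group name such as WireGuard.
PASS_IN_RE = re.compile(r'^pass\s+in\s+quick\s+on\s+(\$?[\w-]+)\s+(.*)$')
LABEL_RE = re.compile(r'label\s+"([^"]*)"')

def audit_reply_to(rules_text, group_names=("WireGuard",)):
    """Classify inbound pass rules from a rules.debug-style dump.

    group_pass:       pass rules on an interface group; these are evaluated before
                      the per-interface tab rules, so a forwarded connection that
                      matches one is passed without any reply-to being applied.
    missing_reply_to: per-interface pass rules without a reply-to tag, so replies
                      follow the default route instead of going back out the tunnel.
    ok:               per-interface pass rules that do carry reply-to.
    """
    findings = {"group_pass": [], "missing_reply_to": [], "ok": []}
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and the generator's comment/warning lines
        m = PASS_IN_RE.match(line)
        if not m:
            continue  # not an inbound pass rule (block rules, outbound rules, ...)
        iface, rest = m.groups()
        lm = LABEL_RE.search(rest)
        label = lm.group(1) if lm else line
        if iface.lstrip("$") in group_names:
            findings["group_pass"].append((iface, label))
        elif "reply-to" not in rest:
            findings["missing_reply_to"].append((iface, label))
        else:
            findings["ok"].append((iface, label))
    return findings

if __name__ == "__main__":
    for kind, rules in audit_reply_to(SAMPLE_RULES).items():
        for iface, label in rules:
            print(f"{kind:16} {iface:12} {label}")
```

On a real box, feed it the contents of /tmp/rules.debug instead of SAMPLE_RULES; any entry under group_pass or missing_reply_to is a rule to move to the assigned interface tab.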
yon 0 @stephenw10

                                @stephenw10

I will try it...

yon 0 @stephenw10

                                  @stephenw10

I have deleted all WG group rules and added rules to each WG interface, but it still can't work.

[image: Screenshot of pf.- Firewall_ Rules_ WireGuard.jpg]

stephenw10 Netgate Administrator

                                    Do you see states/traffic on the assigned interface tabs now?

yon 0 @stephenw10

                                      @stephenw10

No, I can't.

yon 0 @yon 0

                                        The firewall rules have been delayed for too long. Now I can test a port 25. Let me test the others.

yon 0 @yon 0

I have a question: if I have IPv6 BGP, should IPv6 use group rules or per-interface rules? Of course IPv6 does not need port forwarding. Does it affect multiple routing exports?

stephenw10 Netgate Administrator

                                            With IPv6 there would usually only be one route, defined by BGP, since there is no NAT. I would not expect there to be any policy based routing.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.