Wireguard outbound is fine; inbound seemingly blocked?
I have a routed IPv4/29 subnet via Wireguard that I would like to use with a VLAN for publicly-addressable services. I spun up a test container and it is able to properly traverse the VPN, verified by
traceroute -I mirror.fcix.net
(the VPN endpoint is a peer of FCIX; my ordinary Internet connection bounces around a bit until it hits HE Fremont and then into FCIX).

This is probably a silly problem, but for the life of me I cannot figure out how to get the internal services subnet to respond to the outside world, even the router (which is configured to permit any ICMP packets, and responds appropriately on its own WAN IP). I am able to talk to it internally from a typical private-IP subnet. I don't see any obvious firewall "this is blocked" log messages, either.
Are there some obvious firewall rules that I am missing?
VLAN ID: 200
Subnet: a.b.c.160/29
Router: a.b.c.161
Test box: a.b.c.164

VLAN 200 Firewall:
Tunnel interface firewall:
Wireguard firewall:
NAT:
Traceroute from the outside world:
vpsuser@test:~$ sudo traceroute -I a.b.c.164
traceroute to a.b.c.164 (a.b.c.164), 30 hops max, 60 byte packets
 1  daniel.domesticagriculture.org.uk (103.144.176.193)  0.518 ms  0.470 ms  0.457 ms
 2  wist.lyle.org (103.144.176.143)  0.479 ms  *  *
 3  100.64.101.167 (100.64.101.167)  10.793 ms  10.781 ms  *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
...
100.64.101.167 is my router's WG client IP.
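One thing worth checking on both ends of a routed-subnet setup like this is WireGuard's cryptokey routing: a peer's AllowedIPs controls not only which destinations are sent to that peer but also which source addresses are accepted from it, so if the VPS side lists only the router's tunnel address (100.64.101.167/32) and not the routed /29, packets sourced from a.b.c.164 that arrive through the tunnel are silently dropped and never reach a firewall log. The checker below is an added example, not part of the original post and not a configuration taken from it; the two wg-quick style configs are constructed samples, the routed subnet is represented by the documentation range 192.0.2.160/29 in place of a.b.c.160/29, and the keys and endpoint hostname are placeholders. Whether this is the cause of the poster's problem is an assumption; the check only says whether the AllowedIPs on each side would carry the subnet at all.

```python
import ipaddress

# Constructed sample configs standing in for the two ends of the tunnel. The
# poster's a.b.c.160/29 is represented by 192.0.2.160/29; keys, the endpoint
# hostname and the VPS tunnel address are placeholders, not real values.
ROUTED_SUBNET = "192.0.2.160/29"
ROUTER_TUNNEL_IP = "100.64.101.167"

# VPS side as it might look when only the router's tunnel address is allowed.
VPS_CONF_MISSING = """\
[Interface]
Address = 100.64.101.1/24
ListenPort = 51820
PrivateKey = PLACEHOLDER_VPS_PRIVATE_KEY

[Peer]
# the home router
PublicKey = PLACEHOLDER_ROUTER_PUBLIC_KEY
AllowedIPs = 100.64.101.167/32
"""

# Same config with the routed /29 added to the router's peer entry.
VPS_CONF_FIXED = VPS_CONF_MISSING.replace(
    "AllowedIPs = 100.64.101.167/32",
    "AllowedIPs = 100.64.101.167/32, 192.0.2.160/29")

# Router side: everything may be sent into the tunnel (0.0.0.0/0).
ROUTER_CONF = """\
[Interface]
Address = 100.64.101.167/24
PrivateKey = PLACEHOLDER_ROUTER_PRIVATE_KEY

[Peer]
PublicKey = PLACEHOLDER_VPS_PUBLIC_KEY
Endpoint = vps.example.net:51820
AllowedIPs = 0.0.0.0/0
"""


def parse_wg(text):
    """Parse a wg-quick style config into (interface_dict, [peer_dict, ...]).

    configparser is unsuitable here because every peer uses the same [Peer]
    header; this minimal parser keeps each peer separate.
    """
    iface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            name = line[1:-1].strip().lower()
            if name == "interface":
                iface = current
            elif name == "peer":
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None:
            raise ValueError(f"key outside a section: {line}")
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "allowedips":  # may be comma separated and may repeat
            current.setdefault(key, []).extend(
                v.strip() for v in value.split(",") if v.strip())
        else:
            current[key] = value
    return iface, peers


def covered(prefix, allowed_ips):
    """True if prefix lies entirely inside one of the AllowedIPs entries."""
    net = ipaddress.ip_network(prefix, strict=False)
    for entry in allowed_ips:
        other = ipaddress.ip_network(entry, strict=False)
        if other.version == net.version and net.subnet_of(other):
            return True
    return False


def check_routed_subnet(vps_conf, router_conf, routed_subnet, router_tunnel_ip):
    """Return a list of findings; an empty list means both ends carry the subnet."""
    findings = []
    _, vps_peers = parse_wg(vps_conf)
    router_peer = next((p for p in vps_peers
                        if covered(router_tunnel_ip, p.get("allowedips", []))), None)
    if router_peer is None:
        findings.append(f"VPS: no peer has AllowedIPs covering {router_tunnel_ip}")
    elif not covered(routed_subnet, router_peer["allowedips"]):
        findings.append(
            f"VPS: the router's peer lacks {routed_subnet} in AllowedIPs, so the VPS "
            "neither routes that subnet into the tunnel nor accepts packets sourced "
            "from it that arrive through the tunnel")
    _, router_peers = parse_wg(router_conf)
    if not any(covered("0.0.0.0/0", p.get("allowedips", [])) for p in router_peers):
        findings.append(
            "Router: no peer allows 0.0.0.0/0, so replies to arbitrary Internet "
            "hosts cannot be sent into the tunnel")
    return findings


if __name__ == "__main__":
    for label, conf in (("missing", VPS_CONF_MISSING), ("fixed", VPS_CONF_FIXED)):
        result = check_routed_subnet(conf, ROUTER_CONF, ROUTED_SUBNET, ROUTER_TUNNEL_IP)
        print(label, result or ["ok"])
```

The AllowedIPs check is independent of the firewall and routing table on the router: even with both sides correct, replies from the /29 still have to leave via the tunnel interface rather than the router's ordinary WAN, which is a routing decision the firewall rule screenshots would show and this script does not inspect.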