@Bob-Dig yeah lol, but I'm pretty sure I've followed everything to the letter as the other services are working or it's something small I'm overlooking....

@kstlan02
First off, it's not wise to use public IP ranges in the local network, even for docker.

Then I'm wondering, why don't you run the OpenVPN server on pfSense.

Do I have to do the port forwarding from the WAN to the LAN or do I have to do it from the WAN to the Docker container that is running OpenVPN?

"LAN address" is the wrong destination here for sure. This is an IP assigned to pfSense itself. Hence forwarding to it, is not that, what you want.

The question is then, how can pfSense reach the container?
I'd expect, that the container gets its traffic forwarded inside the VM. But don't know, how you did configure it.

So you have to forward the OpenVPN traffic either to the VM address or to the container IP. In the latter case, you would need to add a static route for it on pfSense of course.

@FoolCoconut said in Wireguard + Port Forwarding = Return Traffic exiting through WAN???:

Holy f**k.

The problem was an any/any rule in the Wireguard unasigned tunnel firewall rule list. Even though the AirVPN WG interface was assigned, group rules are evaluated first...

Hope this helps someone else as well.

@FoolCoconut THANK you. ive been trying to figure this out for a very long time.

@viragomann
that did work, anything else I can try?

It might be an edge case we can't really detect well since it may be valid in some other way, even if it isn't an IP address (e.g. a hostname, other alias name, etc)

So if eventhing is 1 flat network then no pfsense has zero to do with any stun problem with AP talking to your controller.

As to vlan.. Simple enough to do yes.. Create another SSID, lets say its ssid-guest, put a vlan ID on it - lets call it 100.

Then on the switch port connected to your AP set vlan 100 as tagged. On switch port connected to pfsense also tagg vlan id 100.

On pfsense create a vlan, lets make the network 192.168.100.0/24 pfsense IP 192.168.100.1 and put this vlan on the physical port your lan is on. There you go other than creating the rules you want on this new vlan your done.

Resolvido...
Para quem mais estiver com o mesmo problema é bem simples na verdade, foi pura burrice mesmo, no campo Destination eu estava colocando o ip interno do pc com o site, na verdade tem que estar o ip da wan, no meu caso 177.8.37.254