Another basic question that google search and AI aren’t helping with.
I have an RB5009 at location-1.
I have a hEX at location-2.
The two devices/location are connected via Wireguard (works great!).
Both locations have a public IP and a Wireguard IP (10.10.100.1 and 10.10.100.40 respectively).
If I run an nmap from location-1 to 10.10.100.40 (where frames use the Wireguard interface and connection), I can see all the open ports at 10.10.100.40.
But, if I run an nmap from location-1 to the public IP of location-2, there are no open ports showing.
I understand (basically) why and how the wireguard connection shows all the open ports to location-1 (that is, using the 10.10.100.x IP routing via the Wireguard interface).
I am unclear why the routing to the public address of location-2 does not know that it is the same location as 10.10.100.40?
Is it because the default routing for all public addresses is out ether1 to the ISP’s gateway?
Follow up question: Would running an nmap scan of all locations by their public IP addresses from location-1 be a valid test to find any open ports, despite all locations having a wireguard connection to location-1?
That’s because the exit point of your WG port is already AFTER the firewall which (hopefully) is located right after that public IP.
When using WG, you already passed it. And probably you allowed all traffic coming in via that interface.
Your WG interface is your secret backdoor.
You do not do that when coming in via public IP, do you?
Be careful, can still be the same firewall but in that case the entry point will be different.
And good firewall rules block everything coming from outside unless what you specifically allow. Right?
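To make the reply above concrete, here is an added example (not from this thread, and not RouterOS itself) that models a typical RouterOS input chain in Python and runs the same TCP "scan" twice: once with the packets arriving on the WireGuard interface and once with them arriving on ether1 (WAN). The rule set, the interface names `wireguard1`/`ether1`, the `WAN` interface list, the listening services and the WireGuard listen port 13231 are all assumptions chosen to mirror the setup described in the thread. The point it shows is that routing only decides how the probe reaches location-2; what nmap reports is decided by which interface the probe enters on and which input-chain rule it hits first.

```python
"""Model of a RouterOS-style input chain (assumed rules, not the poster's config).

Equivalent RouterOS rules being modelled (assumption, for illustration):
  /ip firewall filter
    add chain=input action=accept connection-state=established,related
    add chain=input action=drop   connection-state=invalid
    add chain=input action=accept in-interface=wireguard1
    add chain=input action=accept in-interface-list=WAN protocol=udp dst-port=13231
    add chain=input action=drop   in-interface-list=WAN
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Packet:
    in_interface: str          # interface the packet arrived on at location-2
    dst_port: int
    protocol: str = "tcp"
    conn_state: str = "new"    # new / established / related / invalid


@dataclass
class Rule:
    action: str                               # "accept" or "drop"
    in_interface: Optional[str] = None
    in_interface_list: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    conn_state: Set[str] = field(default_factory=set)

    def matches(self, pkt: Packet, iface_lists: Dict[str, Set[str]]) -> bool:
        """Every matcher that is set must agree, exactly like a RouterOS rule."""
        if self.in_interface is not None and pkt.in_interface != self.in_interface:
            return False
        if self.in_interface_list is not None and \
                pkt.in_interface not in iface_lists.get(self.in_interface_list, set()):
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.conn_state and pkt.conn_state not in self.conn_state:
            return False
        return True


IFACE_LISTS: Dict[str, Set[str]] = {"WAN": {"ether1"}}   # assumed interface list
WG_LISTEN_PORT = 13231                                   # assumed WireGuard listen port

INPUT_CHAIN: List[Rule] = [
    Rule("accept", conn_state={"established", "related"}),
    Rule("drop", conn_state={"invalid"}),
    Rule("accept", in_interface="wireguard1"),           # the "backdoor" from the reply
    Rule("accept", in_interface_list="WAN", protocol="udp", dst_port=WG_LISTEN_PORT),
    Rule("drop", in_interface_list="WAN"),               # everything else from outside
]


def evaluate(pkt: Packet, chain: List[Rule] = INPUT_CHAIN,
             iface_lists: Dict[str, Set[str]] = IFACE_LISTS) -> str:
    """First matching rule wins; with no match RouterOS lets the packet through."""
    for rule in chain:
        if rule.matches(pkt, iface_lists):
            return rule.action
    return "accept"


LISTENING_TCP = {22, 80, 443, 8291}   # assumed services on the location-2 router


def scan(in_interface: str, ports: List[int]) -> Dict[int, str]:
    """What a TCP scan would report for probes entering on `in_interface`.

    A dropped probe gets no reply at all, which a scanner reports as
    'filtered'; an accepted probe is 'open' or 'closed' depending on whether
    a service is actually listening.
    """
    result: Dict[int, str] = {}
    for port in ports:
        verdict = evaluate(Packet(in_interface, port))
        if verdict == "drop":
            result[port] = "filtered"
        elif port in LISTENING_TCP:
            result[port] = "open"
        else:
            result[port] = "closed"
    return result


if __name__ == "__main__":
    ports = [22, 80, 443, 8291, 9999]
    print("via wireguard1 :", scan("wireguard1", ports))   # open/closed visible
    print("via ether1     :", scan("ether1", ports))       # everything filtered
```

The two printed lines reproduce the poster's observation: the same router, the same listening services, but only the scan that enters on `wireguard1` ever reaches the "is anything listening" question. If the `in-interface=wireguard1` accept rule were narrowed (for example to specific ports or source addresses), the tunnel-side scan would start showing "filtered" too, which is the knob the reply is hinting at.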
I understand that the firewall rules at location-2 specifically allow traffic arriving on the wireguard interface destined for the router.
And, the firewall rules at location-2 drop all other not otherwise allowed traffic arriving on the WAN interface.
If I send frames from location-1 to the public address of location-2, the route is out location-1’s ether1 (WAN) and into location-2’s ether1 (WAN).
So the routing is not the determining issue, right? The determining issue in this case is whether the frames are part of the wireguard VPN, regardless of the route still taking them from location-1’s WAN to location-2’s WAN?
And manually checked each site for the ports claimed to be open and found them to be closed.
The only site with a truly open port (443) is one where a Ubiquiti UDM is the edge router, and that port is open to allow log in/management access to the router.