I am new to networking, so I hope someone can identify some bad assumptions I'm making. My problem: I want to port-forward seed traffic to port 6881 while still being able to remote access my webservices.
My home network is NATted behind a Proton VPN WireGuard tunnel. I want to access the web services of my Docker apps via a public domain resolving to my ProtonVPN public IP on the customer-specific port 150.250.0.1:12345 and ultimately be served by my server at 192.168.77.10 on ports 80 or 443.
Traefik proxies this traffic to the correct container based on path prefixes so that /qbittorrent will return the web GUI for my qBittorrent instance. However, I need to expose port 6881 of qBittorrent's container in order for seeding to work correctly. Thus, Traefik composes as ports: - 80:80 - 443:443 and qBittorrent only composes as ports: - 6881:6881
150.250.0.1:12345 ----> 10.2.0.0/30:12345 --> dstnat --> 192.168.77.10:6881
[ProtonVpnIP:pubport] --> [LocalWG net:pubport] ---^^---> [my server:6881]
This of course breaks the web services, as Traefik is listening on ports 80 and 443. Because I have only one port from the ProtonVPN WireGuard interface, there is no way to distinguish which traffic should be routed to the web services. Is this a scenario in which a separate local container IP via Docker macvlan or ipvlan could allow me to preserve the web services AND selectively port forward to my qBittorrent container at 192.168.77.11?
Secondly, how can I create a dstnat that won't simply forward all traffic to my server? How does it know that the seed connection is only for 192.168.77.11? I realize this is a fundamental misunderstanding of how connections are tracked so I appreciate the insight.
I read the documentation for NAT PMP and UPnP but these are simply configuration docs and assume networking knowledge that I don't have (yet!).
arm64 / hAP ax^3 / 7.21.1 (stable)
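The following is an added example, not code from the original post and not a RouterOS feature: a small Python model of how a dstnat rule table and connection tracking decide where a packet goes. It uses the addresses from the post (VPN-side port 12345, the server at 192.168.77.10, the qBittorrent container at 192.168.77.11); the interface name `wg-proton`, the tunnel-side address `10.2.0.2`, the client addresses, and a second public port 12346 (which ProtonVPN does not actually provide) are constructed assumptions. The point it makes is the one the post asks about: a dstnat rule matches only on packet headers such as incoming interface, protocol and destination port, so every connection arriving on the single forwarded port hits the same rule regardless of which application the sender intended, and conntrack then remembers that per-flow translation so replies are rewritten back. Separation is only possible when something in the headers differs, here illustrated by a second port.

```python
"""Toy model of dstnat rule matching plus connection tracking (added example)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """The 5-tuple a router sees on the wire: nothing about the application."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class DstNatRule:
    """Roughly /ip firewall nat add chain=dstnat in-interface=... dst-port=... action=dst-nat."""
    in_iface: str
    proto: str
    dst_port: int
    to_address: str
    to_port: int

    def matches(self, iface: str, flow: Flow) -> bool:
        # Only header fields are compared; the router cannot see whether the
        # sender wanted the web GUI or a BitTorrent handshake.
        return iface == self.in_iface and flow.proto == self.proto and flow.dport == self.dst_port


@dataclass
class Router:
    rules: list
    # conntrack: original inbound tuple -> translated tuple after dstnat
    conntrack: dict = field(default_factory=dict)

    def forward(self, iface: str, flow: Flow) -> Flow:
        """First packet of a flow consults the rules; later packets reuse the conntrack entry."""
        if flow in self.conntrack:
            return self.conntrack[flow]
        translated = flow
        for rule in self.rules:
            if rule.matches(iface, flow):
                translated = Flow(flow.proto, flow.src, flow.sport, rule.to_address, rule.to_port)
                break  # first matching rule wins, as in a real firewall chain
        self.conntrack[flow] = translated
        return translated

    def reply(self, flow: Flow) -> Optional[Flow]:
        """Reverse path: a packet from the translated destination is rewritten back
        so the remote client sees the public address and port it originally contacted."""
        for original, translated in self.conntrack.items():
            if (flow.src, flow.sport, flow.dst, flow.dport) == (
                translated.dst, translated.dport, translated.src, translated.sport
            ):
                return Flow(flow.proto, original.dst, original.dport, original.src, original.sport)
        return None  # no tracked connection: a stateful firewall would drop this


def demo() -> dict:
    """Single forwarded port: browser and peer traffic land on the same container."""
    router = Router(rules=[DstNatRule("wg-proton", "tcp", 12345, "192.168.77.11", 6881)])
    browser = Flow("tcp", "203.0.113.5", 50001, "10.2.0.2", 12345)  # constructed: someone opening /qbittorrent
    peer = Flow("tcp", "198.51.100.9", 40123, "10.2.0.2", 12345)    # constructed: a BitTorrent peer
    return {
        "browser_goes_to": router.forward("wg-proton", browser),
        "peer_goes_to": router.forward("wg-proton", peer),
        "reply_to_peer": router.reply(Flow("tcp", "192.168.77.11", 6881, "198.51.100.9", 40123)),
    }


def demo_two_ports() -> dict:
    """Hypothetical: with a second public port the headers differ and two rules can split the traffic."""
    router = Router(rules=[
        DstNatRule("wg-proton", "tcp", 12345, "192.168.77.11", 6881),
        DstNatRule("wg-proton", "tcp", 12346, "192.168.77.10", 443),  # assumption: ProtonVPN gave a 2nd port
    ])
    return {
        "peer_goes_to": router.forward("wg-proton", Flow("tcp", "198.51.100.9", 40123, "10.2.0.2", 12345)),
        "browser_goes_to": router.forward("wg-proton", Flow("tcp", "203.0.113.5", 50001, "10.2.0.2", 12346)),
    }


if __name__ == "__main__":
    for name, result in {**demo(), **{"split_" + k: v for k, v in demo_two_ports().items()}}.items():
        print(f"{name}: {result}")
```

Run it and the first demo shows both the browser flow and the peer flow translated to 192.168.77.11:6881, which is exactly the breakage described in the post; the reply lookup shows why the return traffic still reaches the client (conntrack reverses the translation, it does not route by application either). The second demo only works because a second destination port exists in the headers; a macvlan or ipvlan address on the LAN side changes where a rule can send traffic, but not what the router can match on from the tunnel side.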