I have a problem with port forwarding through my provider’s link while my entire network is forwarded through wireguard to vpn.
In the route list it redirects all traffic using Dst. Address and gateway interface of the wireguard server, but when this is set up like this, traffic coming over the IP from my ISP is not routed correctly and the port forwarding just doesn’t work.
For example: my ip from my ISP is 1.2.3.4.
When the route is set like this: dst=0.0.0.0/0 and gateway 1.2.3.4 then when entering the browser (after forwarding port 80 to a device inside the network), from outside the network the server responds correctly but the network is not secured after vpn, but when I change the gateway to the wireguard server interface the network is behind vpn but port forwarding does not work. The way it redirects them can be seen here:
I don’t have too much knowledge in network configuration, but I noticed that with this configuration when the gateway is VPN, when the browser goes to the IP, the number of packets in Firewall/NAT increases, but the site still gets a timeout. I don’t know what the problem is, but it looks like my network is not responding to the requesting device.
What do I configure so that my network is behind the VPN but that port forwarding using my IP from the provider works?
In a nutshell,
a. you use a third party VPN provider for one or more subnets going out wireguard.
b. you also have servers on the LAN that
(i) internal users use. Q1. How do you prefer internal users access the server (by direct LAN IP)?
(ii) external users use. Q2. How do external users access the server (by DynDNS URL or by static WAN IP)?
In attempting to do both, the problem is you send traffic from the servers out the wireguard tunnel and not
a. back to internal users YES/NO ?
b. back to external users NO based on your input.
It is not clear how you are sending folks out the door to Wireguard, but Q. would you agree that the servers have no need to go out Wireguard? These servers are replying to users from the LAN and the WAN only.
Hence whatever method you are using, to send traffic into the wireguard tunnel, needs to be modified to ensure traffic to and from the servers is executed prior to traffic going out wireguard.
There are tools and methods to do so. Which reference are you using to set this up??
The pictures tell me almost nothing, a full export of the config and a network diagram would be more helpful.
/export file=anynameyouwish (minus router serial number, public WAN IP information, keys etc.)
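One way to do what this reply describes on RouterOS v7 (an added example, not the responder's or the poster's configuration): inbound connections on the ISP link are connection-marked so the NAS's replies are routed back out the ISP, while the main table keeps its default route in the WireGuard tunnel. The interface names ether1-wan and bridge, the NAS address 192.168.88.10 and the ISP next hop 1.2.3.1 are assumed placeholders; mull_de is the tunnel name from the thread.

```routeros
# Added example (not from the thread): answer WAN-originated connections over
# the ISP link while the LAN's default route stays on the WireGuard tunnel.
# Assumed placeholders: WAN interface ether1-wan, LAN bridge "bridge",
# NAS at 192.168.88.10, ISP next hop 1.2.3.1. mull_de is the tunnel from the post.

# 1. Separate routing table for traffic that must leave via the ISP
/routing table add name=via-wan fib

# 2. Main table: everything defaults to the WireGuard tunnel
/ip route add dst-address=0.0.0.0/0 gateway=mull_de distance=1

# 3. via-wan table: default to the ISP next hop
/ip route add dst-address=0.0.0.0/0 gateway=1.2.3.1 routing-table=via-wan

# 4. Port forward: TCP/80 arriving on the public IP goes to the NAS
/ip firewall nat add chain=dstnat in-interface=ether1-wan protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=80 comment="NAS web"

# 5. Source NAT for both egress paths
/ip firewall nat add chain=srcnat out-interface=ether1-wan action=masquerade
/ip firewall nat add chain=srcnat out-interface=mull_de action=masquerade

# 6. Mangle: remember which connections came in on the ISP link ...
/ip firewall mangle add chain=prerouting in-interface=ether1-wan connection-state=new \
    action=mark-connection new-connection-mark=from-wan passthrough=yes \
    comment="tag inbound WAN connections"
# ... and route the NAS's replies on those connections through via-wan.
# Keep this rule above any other mangle rule that steers LAN traffic.
/ip firewall mangle add chain=prerouting in-interface=bridge connection-mark=from-wan \
    action=mark-routing new-routing-mark=via-wan passthrough=no \
    comment="reply to WAN clients via ISP"

# 7. Optional: send all of the NAS's own traffic out the ISP instead,
# since (as the reply notes) the server never needs the tunnel:
# /routing rule add src-address=192.168.88.10/32 action=lookup-only-in-table table=via-wan
```

Check with /ip firewall connection print where connection-mark=from-wan and /ip route print where routing-table=via-wan; a forwarded request that still times out usually means the reply is leaving through the tunnel, i.e. the mark-routing rule is missing or sits below a rule with passthrough=no.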
So for full clarity on what I want to achieve in general.
I want my entire network to be routed through a VPN (e.g. Mullvad or ProtonVPN) so that I don’t have to run their programs on each computer and do it on each device. I simply want the connection to the VPN to be established by the router and for each device to be routed that way. In the screenshot you can see a couple of networks, including three (mull_de, mull_pl and proton_pl); these are the networks that are required when configuring the wireguard interface. These are simply three different servers so that I can manually select that today I want traffic to go through this tunnel, and tomorrow I will change the gateway for 0.0.0.0/0 and traffic will go through the second or third tunnel. So much for the VPN; now for port forwarding. I just have a small NAS server on which I have some sort of small web site, and using a public static IP from my provider I want to access it. There is my private domain attached to it, but the IP is static and public.
Hope this has clarified my goals but if anything is unclear let me know.
Does anyone have any ideas on how to do this?
It seems to me that it shouldn’t be complicated for someone experienced, but I’m just learning how to use MikroTik.
In a nutshell, all outgoing traffic is sent over the VPN, but then incoming traffic over the WAN doesn’t work (I guess because then the default gateway is set to the VPN IP).