Relation between Firewall and NAT

I have set up an openvpn server on my LAN and opened port 1194 in the firewall for selected source IP ranges, and redirected that port to the openvpn server with dst-nat. But I am seeing attempts in the dst-nat logs to connect to the server from IPs not allowed in the firewall Address List. The question is: why do these connections reach dst-nat (forward) if I am filtering them in the firewall (input)?

These are the rules I have:

ip firewall filter print

5    chain=input action=accept protocol=udp src-address-list=okvpn 
      in-interface-list=WAN dst-port=1194 log=yes log-prefix="ovpn"

src-address-list=okvpn contains the restricted public IPs that I want to be able to connect to the VPN.

ip firewall nat print

3    ;;; openvpn
      chain=dstnat action=dst-nat to-addresses=192.168.1.17 to-ports=1194 
      protocol=udp in-interface-list=WAN dst-port=1194 log=yes log-prefix="ovpn"

I think I solved it by adding src-address-list=okvpn also in dst-nat. My question is why this is necessary, and is the firewall rule even needed?

Thanks

The only rule required in the forward chain is to allow port forwarding in general.
add chain=forward action=accept comment="allow port forwarding" connection-nat-state=dstnat

Then in your dst-nat rules:
(dynamic wanip)
add chain=dstnat action=dst-nat protocol=??? dst-port=xxxxx in-interface-list=WAN
to-addresses=serverIP src-address=authorized_users

(static wanip)
add chain=dstnat action=dst-nat protocol=??? dst-port=xxxxxx dst-address=WANIP
to-addresses=serverIP src-address=authorized_users

Because of DST-NAT, connections targeting the OVPN port are not chain=input anymore; they're chain=forward.

In general, if one is connecting TO THE ROUTER, as in a VPN service offered by the router, say something like WireGuard, the remote user has to initiate a connection to the router and this is accomplished via the INPUT CHAIN!! (WAN to Router)

If you are connecting to a SERVER behind the router (nothing to do with a router service), that is WAN to LAN and is handled by:
a. the firewall forward chain, to allow dstnat traffic.
b. the dstnat chain, to stipulate what ports the traffic is coming in on and where on the LAN (usually) the incoming traffic should be directed.
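The packet path the replies describe (prerouting dstnat first, then the routing decision, then input or forward) is easy to see in a small model. The following is an added example, not from the thread or from MikroTik: it models RouterOS rules as dicts keyed by the parameter names used above, runs the questioner's original dst-nat rule and the version with src-address-list=okvpn added, and shows which filter chain each packet ends up in. The router WAN address, the okvpn list contents and the sample source addresses are constructed; 192.168.1.17 is the server address from the thread.

```python
"""Model of the RouterOS packet path for a packet arriving on WAN:
nat chain=dstnat -> routing decision -> filter chain=input (packet addressed
to the router itself) or chain=forward (packet addressed to a LAN host).
Constructed example; not the page's or MikroTik's code."""
import ipaddress
from dataclasses import dataclass

ROUTER_WAN_IP = "203.0.113.10"                  # constructed public address of the router
VPN_SERVER = "192.168.1.17"                     # LAN address of the OpenVPN server (from the thread)
ADDRESS_LISTS = {"okvpn": ["198.51.100.0/24"]}  # constructed contents of the okvpn address list


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: int


def in_address_list(ip, list_name):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ADDRESS_LISTS[list_name])


def rule_matches(rule, pkt, nat_state):
    """Every matcher present on the rule must match; absent matchers are wildcards."""
    if rule.get("protocol", pkt.protocol) != pkt.protocol:
        return False
    if rule.get("dst-port", pkt.dst_port) != pkt.dst_port:
        return False
    if rule.get("dst-address", pkt.dst) != pkt.dst:
        return False
    if "src-address-list" in rule and not in_address_list(pkt.src, rule["src-address-list"]):
        return False
    if rule.get("connection-nat-state", nat_state) != nat_state:
        return False
    return True


def first_match(rules, chain, pkt, nat_state=None):
    return next((r for r in rules if r["chain"] == chain and rule_matches(r, pkt, nat_state)), None)


def process(pkt, nat_rules, filter_rules):
    """Return (filter chain the packet reached, verdict, final destination address)."""
    nat_state = None
    hit = first_match(nat_rules, "dstnat", pkt)           # 1. prerouting: dst-nat before any filter
    if hit and hit["action"] == "dst-nat":
        pkt.dst = hit["to-addresses"]
        nat_state = "dstnat"
    chain = "input" if pkt.dst == ROUTER_WAN_IP else "forward"  # 2. routing decision
    hit = first_match(filter_rules, chain, pkt, nat_state)       # 3. filter chain
    verdict = hit["action"] if hit else "drop"  # assumes an explicit final drop rule in each chain
    return chain, verdict, pkt.dst


FILTER_RULES = [
    # the questioner's input rule: accept only sources on the okvpn list
    {"chain": "input", "action": "accept", "protocol": "udp", "dst-port": 1194, "src-address-list": "okvpn"},
    # the forward rule the reply recommends: allow traffic that was dst-nated
    {"chain": "forward", "action": "accept", "connection-nat-state": "dstnat"},
]


def original_nat_rules():
    """dst-nat rule as first posted: no source restriction at all."""
    return [{"chain": "dstnat", "action": "dst-nat", "protocol": "udp",
             "dst-port": 1194, "to-addresses": VPN_SERVER}]


def hardened_nat_rules():
    """Same rule with src-address-list=okvpn added, as the questioner ended up doing."""
    return [dict(original_nat_rules()[0], **{"src-address-list": "okvpn"})]


def vpn_attempt(src):
    """A UDP/1194 packet from src addressed to the router's WAN IP."""
    return Packet(src=src, dst=ROUTER_WAN_IP, protocol="udp", dst_port=1194)


if __name__ == "__main__":
    for label, nat in (("original", original_nat_rules()), ("hardened", hardened_nat_rules())):
        for src in ("198.51.100.7", "192.0.2.5"):  # one listed source, one unlisted
            print(label, src, process(vpn_attempt(src), nat, FILTER_RULES))
```

With the original rule set, the unlisted source is dst-nated, lands in the forward chain and is accepted by the "allow dstnat" rule, so the input rule with src-address-list=okvpn never sees it. With the source restriction on the dst-nat rule, the unlisted packet is not translated, reaches the input chain addressed to the router, matches nothing and is dropped, while the listed source still gets forwarded to the server.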