WireGuard Port Forwarding and Firewall Rule

Hi there,

I’m running an LXC container with WireGuard on a Proxmox server, connected to my RB3011 on VLAN10 (192.168.10.x).

To allow clients to connect to the WG server, I added a port forwarding rule:

- chain = dstnat
- protocol = udp
- port = 55820
- in interface list = wan
- action = dst-nat
- to addresses = 192.168.10.35

With only the NAT rule, the WG client cannot connect.

Searching the internet, I found a post on Reddit where a user had a problem similar to mine.

Basically, I must add a firewall rule to allow WG to access the internet:

add action=accept chain=forward comment="Allow Wireguard traffic to internet" dst-port=55820 in-interface-list=wan out-interface=vlan_iot protocol=udp

With this firewall rule, everything works like a charm.

Another user suggests creating, instead of the above rule, a “forward” drop rule that drops everything that’s “not dst-nat, established, related”:

add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT

If you do this, you don’t have to manage both firewall and NAT rules: as soon as you add a dst-nat, it will be allowed through the forward chain.

I tried disabling the first forward rule and enabling the second one, but the WG client cannot connect to the server anymore.

These are my firewall rules (please note that the “Drop incoming packets that are not NAT`ted” rule is disabled):

/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow vlan" in-interface-list=vlan
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=vlan_mgmt
add action=accept chain=forward comment="Allow VLAN Home to access VLAN IoT" \
    in-interface=vlan_home out-interface=vlan_iot
add action=accept chain=forward comment="Allow Wireguard traffic to internet" \
    dst-port=55820 in-interface-list=wan out-interface=vlan_iot protocol=udp
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=wan log=yes \
    log-prefix=!NAT
add action=drop chain=input comment="Drop everything else"
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=vlan out-interface-list=wan
add action=drop chain=forward comment="Drop Invalid Connection"
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=wan
add action=dst-nat chain=dstnat comment="Wireguard Server" dst-port=55820 \
    in-interface-list=wan log=yes log-prefix=wg protocol=udp to-addresses=\
    192.168.10.35

Is there something I’m missing?

Thank you for your help!
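As an added illustration (not code from the poster or from any reply), the following Python models the poster's forward chain as RouterOS first-match evaluation and feeds it a constructed WireGuard handshake packet: a new connection, already dst-nat'ed, arriving on the wan interface list and leaving via vlan_iot. It simplifies by giving the packet a single interface-list membership and by ignoring the input chain; it shows that the "not NAT'ted" rule only ever drops, so with the explicit accept disabled the handshake falls through to the matcher-less "Drop Invalid Connection" rule.

```python
# Added example, not part of the forum post: first-match simulator of the poster's forward chain.

# Constructed packet: first UDP datagram from a remote WG client, after dst-nat has been applied
WG_HANDSHAKE = {"protocol": "udp", "dst-port": "55820", "in-interface": "ether1",
                "in-interface-list": "wan", "out-interface": "vlan_iot",
                "connection-state": "new", "connection-nat-state": "dstnat"}

def matches(rule, pkt):
    """All matchers must agree; '!x' negates, 'a,b' is a set; a rule with no matchers matches everything."""
    for key, want in rule.items():
        if key in ("action", "comment", "disabled"):
            continue
        have = pkt.get(key)
        if want.startswith("!"):
            if have == want[1:]:
                return False
        elif have not in want.split(","):
            return False
    return True

def verdict(rules, pkt):
    """(action, comment) of the first enabled matching rule; RouterOS accepts if nothing matches."""
    for rule in rules:
        if not rule.get("disabled") and matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "(end of chain)"

def forward_chain(explicit_accept, drop_not_dstnat):
    """The poster's forward rules in their original order, with the two debated rules toggled."""
    return [
        {"action": "accept", "comment": "Allow VLAN Home to access VLAN IoT",
         "in-interface": "vlan_home", "out-interface": "vlan_iot"},
        {"action": "accept", "comment": "Allow Wireguard traffic to internet", "dst-port": "55820",
         "in-interface-list": "wan", "out-interface": "vlan_iot", "protocol": "udp",
         "disabled": not explicit_accept},
        {"action": "drop", "comment": "Drop incoming packets that are not NAT`ted",
         "connection-nat-state": "!dstnat", "connection-state": "new",
         "in-interface-list": "wan", "disabled": not drop_not_dstnat},
        {"action": "accept", "comment": "Allow Estab & Related",
         "connection-state": "established,related"},
        {"action": "accept", "comment": "VLAN Internet Access only", "connection-state": "new",
         "in-interface-list": "vlan", "out-interface-list": "wan"},
        # no matchers at all, so this drops every new connection that reaches it
        {"action": "drop", "comment": "Drop Invalid Connection"},
    ]

if __name__ == "__main__":
    print("explicit accept enabled :", verdict(forward_chain(True, False), WG_HANDSHAKE))
    print("only !dstnat drop enabled:", verdict(forward_chain(False, True), WG_HANDSHAKE))
```

Swapping the catch-all for a rule that matches only connection-state=invalid, or keeping an accept for connection-nat-state=dstnat traffic ahead of it, is what lets the second approach work.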

Why not host WireGuard on the RB3011 directly?