lte1 is the default gateway as it should be.
ether5 is used only for incoming external connections; the only traffic that should be routed through this gateway is the responses to those incoming connections.
This is double NAT (the ether5 address is 192.168.10.13), but there are no firewall rules on the other router, so all ports are allowed through.
I want WireGuard to listen and respond only on ether5, but I am having an issue in which the WireGuard packets from external clients are received fine via ether5, but the returning packets are being sent via lte1 instead.
I can resolve this issue by adding a static route for the WireGuard peer IP to the routing table, telling it to route via the ether5 gateway IP address, but this is not really a solution, since the VPN peer will be a roaming client and will use any number of unknown external IP addresses.
Result of /tool sniffer quick port=51820:
INTERF TIME NUM DIR SRC-MAC DST-MAC SRC-ADDRESS DST-ADDRESS PROTOC SIZ C
ether5 951.804 322 <- 00:1D:AA:F9:9B:88 2C:C8:1B:B9:92:45 ip.of.wireguard.peer:49822 192.168.10.13:51820 ip:udp 190 1
lte1 951.82 323 -> 02:50:F4:00:00:00 02:50:F4:00:00:00 lte.gateway.ip:51820 ip.of.wireguard.peer:49822 ip:udp 134 1
I have read that using mangle rules to mark packets could help resolve this issue, but I have tried many different suggestions and none of them has seemed to make any difference as far as I can tell; perhaps I am using them incorrectly, or the examples I have found do not apply in my case. If someone could suggest what to try here, I can give this another go.
I have several dst-nat rules on ether5 for port forwarding to other devices in the LAN, and this works without an issue, so I am not sure why the router is choosing to respond via this gateway.
Any help or advice is much appreciated.
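As an added example, not part of the original post and not the poster's configuration, here is the mangle-based approach the post mentions, written in RouterOS v7 syntax (WireGuard is a v7 feature). The address 192.168.10.13 and UDP port 51820 come from the post; the upstream gateway on ether5 (192.168.10.1 here) is an assumption, since the post does not state it, and the routing table name via-ether5 and the connection mark wg-via-ether5 are names chosen for this example.

```routeros
# Added example, not from the original post. Assumes RouterOS v7 and that the
# upstream router on ether5 is 192.168.10.1 (the post does not state it);
# 192.168.10.13 and udp/51820 are the values given in the post.

# 1. A second routing table whose only route sends everything to the ether5 gateway.
/routing table add name=via-ether5 fib
/ip route add dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-table=via-ether5 comment="reply path for connections that arrived on ether5"

# 2. Tag every new connection that arrives on ether5 and terminates on the router
#    itself (WireGuard handshake and data to 192.168.10.13:51820). The mark is
#    stored in the connection-tracking entry, so it also covers the reply packets.
/ip firewall mangle add chain=input in-interface=ether5 dst-address=192.168.10.13 protocol=udp dst-port=51820 connection-state=new action=mark-connection new-connection-mark=wg-via-ether5 passthrough=yes comment="new WireGuard sessions arriving on ether5"

# 3. Locally generated packets that belong to a tagged connection get a routing
#    mark, which selects the via-ether5 table instead of main (and therefore lte1).
/ip firewall mangle add chain=output connection-mark=wg-via-ether5 action=mark-routing new-routing-mark=via-ether5 passthrough=no comment="route WireGuard replies back out ether5"

# 4. Verification: the route should appear in the new table; after a peer connects,
#    the counters on both mangle rules should increase and the sniffer should now
#    show the reply leaving on ether5 rather than lte1.
/ip route print where routing-table=via-ether5
/ip firewall mangle print stats
/tool sniffer quick interface=ether5 port=51820
```

Because the mark is attached to the connection rather than to a peer address, this covers a roaming peer arriving from any address without a per-peer route; the static route described in the post remains the simpler option only for a peer with a fixed address. Traffic the router originates itself toward the WireGuard port, and forwarded traffic, is not affected by these two rules.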