We have a two firewalls connected through wireguard where locally everything is working normally.
With reference to the attached diagram, we would like to connect to a device (with port 4575) which is connected to Firewall 2 from a public computer.
Basically connection shall pass from:
1) Public computer to the FW 1
2) FW1 to FW2 (via wireguard)
3) FW2 to the connected device
When checking firewall rules on FW1 and FW2, traffic was accepted to the device but connection was still not available.
Could it be something with TCP going back to FW1?
Natting Public Ip Over Wireguard
You do not have the required permissions to view the files attached to this post.
-
-
jvanhambelgium
Forum Guru
- Posts: 1120
- Joined:
- Location: Belgium
Re: Natting Public Ip Over Wireguard
It could be 10 things, without any config impossible to say. (could be nat, routing, ...)
Did you "torch" on FW2 to see if the DNAT'ted packet arrives at that point ???
The "device" is exposed to Internet with a DNAT ? Or does this "public computer" also has Wireguard Client ?
On a side-note, if FW2 is *also* connected to ISP/Internet, why not perform the DNAT at the location ? You have this FW2 under your control/administration ?
Did you "torch" on FW2 to see if the DNAT'ted packet arrives at that point ???
The "device" is exposed to Internet with a DNAT ? Or does this "public computer" also has Wireguard Client ?
On a side-note, if FW2 is *also* connected to ISP/Internet, why not perform the DNAT at the location ? You have this FW2 under your control/administration ?
Re: Natting Public Ip Over Wireguard
Ok, the schema is clear, but are missing all IPs.....We have a two firewalls ....
If you don't provide the configurations, you can only go blind, trying, groping, you choice...
Re: Natting Public Ip Over Wireguard
Ok, the schema is clear, but are missing all IPs.....We have a two firewalls ....
If you don't provide the configurations, you can only go blind, trying, groping, you choice...
Code: Select all
FW1
/interface wireguard
add listen-port=22222 mtu=1420 name=wireguard-to-remote-site#1
add listen-port=33333 mtu=1420 name=wireguard-to-remote-site#2
/ip address
add address=10.20.200.1 interface=wireguard-remote-site#2 network=10.20.200.2
add address=10.21.200.1 interface=wireguard-remote-site#1 network=10.21.200.2
add address=172.50.201.1/30 interface=ether1 network=172.50.201.0
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=\
187.122.133.144 endpoint-port=22222 interface=wireguard-to-remote-site#1 \
persistent-keepalive=10s public-key=\
"xxxxxxxxxxxxxxxxxxxxxxxxxx="
add allowed-address=0.0.0.0/0 endpoint-address=\
187.122.133.145 endpoint-port=33333 interface=wireguard-to-remote-site#2 \
persistent-keepalive=10s public-key=\
"xxxxxxxxxxxxxxxxxxxxxxxxxx="
/ip firewall filter
add action=accept chain=input comment=\
"WireGuard Ports " dst-port=22222,33333 \
protocol=udp
add action=accept chain=input comment=\
"WireGuard Ports " src-port=22222,33333 \
protocol=udp
add action=accept chain=forward-from-wan \
dst-address=10.200.40.5 dst-port=4575
/ip firewall nat
add action=dst-nat chain=dstnat-services dst-port=\
4575 protocol=tcp to-addresses=10.200.40.5
FW 2
/interface ethernet
set [ find default-name=ether2 ] speed=100Mbps
/ip dhcp-client
add interface=ether2
/ip address
add address=10.20.200.2 interface=wireguard-to-main-site#1 network=10.20.200.1
add address=10.21.200.2 interface=wireguard-to-main-site#2 network=10.21.200.1
/interface wireguard
add listen-port=22222 mtu=1420 name=wireguard-to-main-site#1
add listen-port=33333 mtu=1420 name=wireguard-to-main-site#2
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=\
188.122.133.144 endpoint-port=22222 interface=wireguard-to-main-site#1 \
persistent-keepalive=10s public-key=\
"xxxxxxxxxxxxxxxxxxxxxxxxxx="
add allowed-address=0.0.0.0/0 endpoint-address=\
188.122.133.145 endpoint-port=33333 interface=wireguard-to-main-site#2 \
persistent-keepalive=10s public-key=\
"xxxxxxxxxxxxxxxxxxxxxxxxxx="
/ip firewall filter
add action=accept chain=forward comment=\
"natted from remote site" dst-address=10.200.40.5 \
dst-port=4575 log=yes log-prefix=inside protocol=tcp
add action=accept chain=input comment=\
"WireGuard Ports " dst-port=22222,33333 \
protocol=udp
add action=accept chain=input comment=\
"WireGuard Ports " src-port=22222,33333 \
protocol=udp Internally we are able to connect to 10.200.40.5:4575 but from external connection arrives to firewall 2 but connection fails.
Sorry but had to edit and subtract from 1000 lines of code.. so if you need anything else just ask
thanks for helping.Further find attachment of forwaded log from FW2.
You do not have the required permissions to view the files attached to this post.
Last edited by lukik007 on Wed Apr 26, 2023 1:47 pm, edited 1 time in total.
Re: Natting Public Ip Over Wireguard
The FW2 is under our control but the ISP modem is natted by the supplier through a 4G Dynamic Modem. This is not possible.It could be 10 things, without any config impossible to say. (could be nat, routing, ...)
Did you "torch" on FW2 to see if the DNAT'ted packet arrives at that point ???
The "device" is exposed to Internet with a DNAT ? Or does this "public computer" also has Wireguard Client ?
On a side-note, if FW2 is *also* connected to ISP/Internet, why not perform the DNAT at the location ? You have this FW2 under your control/administration ?
Re: Natting Public Ip Over Wireguard
ok, heavy edited.... for example missing all "dstnat-services", like have nothing.
But, if is the only NAT you do, and the line is not altered, miss the destination address or at least the incoming WAN interface.
/ip firewall nat
add action=dst-nat chain=dstnat-services dst-port=4575 protocol=tcp to-addresses=10.200.40.5
and missing also the source NAT, the device try to use ISP2 for reply, but is natted with another WANIP2 and remote connection can not be possible...
pseudo rule:
add action=src-nat chain=srcnat-services dst-address=10.200.40.5 to-addresses=<internal F1 address>
But, if is the only NAT you do, and the line is not altered, miss the destination address or at least the incoming WAN interface.
/ip firewall nat
add action=dst-nat chain=dstnat-services dst-port=4575 protocol=tcp to-addresses=10.200.40.5
and missing also the source NAT, the device try to use ISP2 for reply, but is natted with another WANIP2 and remote connection can not be possible...
pseudo rule:
add action=src-nat chain=srcnat-services dst-address=10.200.40.5 to-addresses=<internal F1 address>
Re: Natting Public Ip Over Wireguard
The FW2 is under our control but the ISP modem is natted by the supplier through a 4G Dynamic Modem. This is not possible.
Just a suggestion but you can try to enable DMZ (if supported by the 4G modem) which might sometime remove potential double-nat issues. Btw, what kind of 4G modems are they?
Re: Natting Public Ip Over Wireguard
not possible since managed by ISP.The FW2 is under our control but the ISP modem is natted by the supplier through a 4G Dynamic Modem. This is not possible.
Just a suggestion but you can try to enable DMZ (if supported by the 4G modem) which might sometime remove potential double-nat issues. Btw, what kind of 4G modems are they?
Re: Natting Public Ip Over Wireguard
n/a
You do not have the required permissions to view the files attached to this post.
Last edited by lukik007 on Wed Apr 26, 2023 3:41 pm, edited 1 time in total.
Re: Natting Public Ip Over Wireguard
tried didnt work.You read this?
viewtopic.php?t=195691#p998464
the first nat was already set. .the source nat was added but still didnt work.
Re: Natting Public Ip Over Wireguard
Pass... also hide the information that there is another firewall in the middle... it's too much for me, before I become vulgar, and I already am of my own...
Re: Natting Public Ip Over Wireguard
not possible since managed by ISP.
Okay. Is this some kind of NMO/SLA business subscription with a preconfigured router/modem that is managed and monitored by the ISP? What NMO/ISP and modem is it?
Btw, regarding the last network diagram, where are the 4G modems located?
EDIT:
Just a suggestion but if you add subnets and ip addresses to the picture it makes it much easier to understand your configuration.
Last edited by Larsa on Wed Apr 26, 2023 3:41 pm, edited 1 time in total.
Re: Natting Public Ip Over Wireguard [SOLVED]
sorryPass... also hide the information that there is another firewall in the middle... it's too much for me, before I become vulgar, and I already am of my own...
solved by adding the Source NAT on FW1 instead.
Thanks for your help.
Re: Natting Public Ip Over Wireguard
Glad you managed to get it working!
Just curious but do you use some sort of NMO/SLA business plan with a pre-configured router/modem managed and monitored by the ISP and secondly, what is the NMO/ISP and what kind of modem is it?
Just curious but do you use some sort of NMO/SLA business plan with a pre-configured router/modem managed and monitored by the ISP and secondly, what is the NMO/ISP and what kind of modem is it?
Re: Natting Public Ip Over Wireguard
so, even if I didn't know it, I had already written the right name....solved by adding the Source NAT on FW1 instead.
