No Port forwarding from WAN when VPN is on

It seems that once the VPN (WireGuard) is on, I can’t do port forwarding from WAN to LAN; I can only port forward from WireGuard to LAN.
Is there any workaround for forwarding WAN to LAN while the VPN is on?

Can you check the VPN policy and make sure “use vpn for the process on the router” is disabled?

Yes, they are disabled @alzhao

Which firmware version are you using?

@Riho-shuu can you help check this issue?

Pls note we will have holiday until Tuesday

I’m using 3.105 firmware on MV1000

If you’re using a normal VPN service, they do not permit you to open ports; it’s a shared IP address. I guess you might need a VPN company that can give you a dedicated IP.

If you’re running your own WireGuard server / client, then yeah, I expect it to work.

Hi @xuan, port forwarding from my VPN server into my LAN works just fine. I am trying to figure out if I can port forward from my WAN to LAN while the VPN is running, so that I can do port forwarding from my WAN port to LAN while the VPN is on.

I changed the “enabled” option from ‘0’ to ‘1’ and ran service firewall restart.
It doesn’t seem to do anything.

From my test just now the forwarding rule works fine when wg client is running.

Could you show me the forwarding rule you have set?

Below is my entire /etc/config/firewall

# Global policy for traffic that is not claimed by any zone or rule below.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        # Forwarding between zones is rejected unless a 'config forwarding'
        # section, rule or redirect allows it.
        option forward 'REJECT'

# LAN zone: input, output and forward are all accepted.
# NOTE(review): 'Guest_LAN' is in the same zone as 'lan', so as far as this
# file shows the guest network is not separated from the main LAN - confirm
# that is intended (isolation may be done elsewhere, e.g. in an include script).
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan Guest_LAN'

# WAN zone: unsolicited input to the router is rejected, outbound traffic is
# masqueraded (NAT).
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        # NOTE(review): stock OpenWrt uses 'REJECT' for the wan zone's forward
        # policy; 'ACCEPT' here is more permissive than the default - confirm
        # it is needed.
        option forward 'ACCEPT'
        option network 'wan wan6'

# LAN hosts may reach the WAN.
config forwarding
        option src 'lan'
        option dest 'wan'
        option enabled '1'

# The rules from here to 'Allow-ISAKMP' appear to be the stock OpenWrt WAN
# rule set (names and matches follow the upstream defaults). Rules with only
# 'src' apply to traffic addressed to the router itself; rules that also set
# 'dest' apply to forwarded traffic.

# Accept DHCP replies (UDP 68) arriving on the WAN so the lease can be renewed.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# The router answers IPv4 ping from the WAN side.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept IGMP from the WAN.
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept DHCPv6 replies (UDP 546) within fc00::/6.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept the listed ICMPv6 type/code pairs from link-local sources (fe80::/10).
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 addressed to the router, rate-limited to 1000 packets per second.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 forwarded from the WAN to any zone (dest '*'), same rate limit.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forward IPsec ESP from the WAN to LAN hosts. No 'family' is set, so the rule
# is not limited to one address family.
# NOTE(review): if no LAN host terminates IPsec, this rule and 'Allow-ISAKMP'
# below can be disabled to reduce what the WAN may reach.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

# Forward IKE (UDP 500) from the WAN to LAN hosts.
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# External files pulled in when the firewall is (re)loaded. Their contents are
# not shown here, so the effective ruleset can differ from what this file
# alone suggests; when troubleshooting, inspect the loaded rules (for example
# with iptables-save) rather than only this file.
config include
        option path '/etc/firewall.user'
        option reload '1'

# NOTE(review): 'gls2s', 'glfw' and 'glqos' look like GL.iNet vendor scripts -
# what they add (extra chains, marks, NAT) cannot be told from here.
config include 'gls2s'
        option type 'script'
        option path '/var/etc/gls2s.include'
        option reload '1'

config include 'glfw'
        option type 'script'
        option path '/usr/bin/glfw.sh'
        option reload '1'

config include 'glqos'
        option type 'script'
        option path '/usr/sbin/glqos.sh'
        option reload '1'

# NOTE(review): mwan3 is a multi-WAN / policy-routing package; its include may
# install packet marks that influence which uplink traffic uses - relevant
# when WAN and VPN paths are mixed. Confirm against the generated file.
config include 'mwan3'
        option type 'script'
        option path '/var/etc/mwan3.include'
        option reload '1'

# Drop SMB/NetBIOS (137, 138, 139, 445) arriving from the WAN.
# NOTE(review): every other rule in this file selects the protocol with
# 'proto'; 'dest_proto' may not be an option the firewall recognises - verify
# that this rule matches the protocols you expect.
config rule 'sambasharewan'
        option src 'wan'
        option dest_port '137 138 139 445'
        option dest_proto 'tcpudp'
        option target 'DROP'

# Accept the same ports from the LAN.
config rule 'sambasharelan'
        option src 'lan'
        option dest_port '137 138 139 445'
        option dest_proto 'tcpudp'
        option target 'ACCEPT'

# Disabled (enabled '0'). If enabled, it would accept TCP/UDP port 83 from the
# WAN on the router itself, i.e. expose that service to the Internet side.
config rule 'glservice_rule'
        option name 'glservice'
        option dest_port '83'
        option proto 'tcp udp'
        option src 'wan'
        option target 'ACCEPT'
        option enabled '0'

# Port forwards (DNAT) to the mail host 192.168.1.160. Every redirect in this
# group has src 'wireguard': it matches connections that arrive through the
# VPN tunnel (zone 'wireguard', defined further down), not connections that
# arrive on the WAN interface.
# NOTE(review): 'option gl' is not a standard firewall option; presumably it
# marks entries created through the GL.iNet web UI - TODO confirm.

# SMTP, TCP 25.
config redirect
        option target 'DNAT'
        option name 'SMTP'
        option dest 'lan'
        option src_dport '25'
        option dest_port '25'
        option gl '1'
        option proto 'tcp'
        option dest_ip '192.168.1.160'
        option enabled '1'
        option src 'wireguard'

# Mail submission, TCP 587.
config redirect
        option target 'DNAT'
        option name 'SMTP_Submission'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '587'
        option dest_port '587'
        option enabled '1'
        option gl '1'
        option dest_ip '192.168.1.160'
        option src 'wireguard'

# SMTP over TLS, TCP 465.
config redirect
        option target 'DNAT'
        option name 'SMTPs'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '465'
        option dest_port '465'
        option enabled '1'
        option gl '1'
        option dest_ip '192.168.1.160'
        option src 'wireguard'

# IMAP, TCP 143.
# NOTE(review): 143 and 110 (POP3, below) are conventionally the ports without
# implicit TLS; if clients can use 993/995, consider not publishing these two.
config redirect
        option target 'DNAT'
        option name 'IMAP'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '143'
        option dest_port '143'
        option enabled '1'
        option gl '1'
        option dest_ip '192.168.1.160'
        option src 'wireguard'

# IMAP over TLS, TCP 993.
config redirect
        option target 'DNAT'
        option name 'IMAPS'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '993'
        option dest_port '993'
        option enabled '1'
        option gl '1'
        option dest_ip '192.168.1.160'
        option src 'wireguard'

# POP3, TCP 110.
config redirect
        option target 'DNAT'
        option name 'POP3'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '110'
        option dest_port '110'
        option enabled '1'
        option gl '1'
        option dest_ip '192.168.1.160'
        option src 'wireguard'

# POP3 over TLS, TCP 995.
config redirect
        option target 'DNAT'
        option name 'POP3s'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '995'
        option dest_port '995'
        option enabled '1'
        option gl '1'
        option dest_ip '192.168.1.160'
        option src 'wireguard'

# The only two redirects in this file with src 'wan': TCP 8443 and 8080 on the
# WAN address are forwarded to the NAS at 192.168.1.175. Both are enabled, so
# the firewall part of a WAN-to-LAN forward is present.
# NOTE(review): if these stop working while the WireGuard client is up, the
# cause may be routing rather than these rules (for example replies from the
# NAS leaving through the tunnel instead of the WAN) - check the routing
# tables and policy rules, which this file does not show.
# NOTE(review): neither redirect restricts the source ('src_ip' is not set),
# so the NAS web interface is reachable from any address that can reach the
# WAN side. Consider limiting the source or reaching the NAS over the VPN only.
config redirect
        option target 'DNAT'
        option name 'NAS_Web'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '8443'
        option dest_ip '192.168.1.175'
        option dest_port '8443'
        option enabled '1'
        option gl '1'

# NOTE(review): 8080 is commonly a plain-HTTP port; if that is the case on
# this NAS, logins through this forward are sent unencrypted - confirm.
config redirect
        option target 'DNAT'
        option name 'NAS_WEB1'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '8080'
        option dest_ip '192.168.1.175'
        option dest_port '8080'
        option enabled '1'
        option gl '1'

# Web access to the mail host 192.168.1.160, again matched on connections
# arriving through the tunnel (src 'wireguard'), not on the WAN interface.

# HTTP, TCP 80.
config redirect
        option target 'DNAT'
        option name 'Mail_Web'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip '192.168.1.160'
        option dest_port '80'
        option enabled '1'
        option gl '1'
        option src 'wireguard'

# HTTPS, TCP 443.
config redirect
        option target 'DNAT'
        option name 'Mail_HTTPS'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '443'
        option dest_ip '192.168.1.160'
        option dest_port '443'
        option enabled '1'
        option gl '1'
        option src 'wireguard'

# Accept port 48137 from the WAN on the router itself.
# NOTE(review): WireGuard runs over UDP only, so the 'tcp' half of this rule
# opens a port nothing should need - 'udp' alone is sufficient.
config rule 'AllowWireguard'
        option name 'Allow-Wireguard'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp tcp'
        option family 'ipv4'
        option dest_port '48137'

# Zone for the tunnel interface wg0. Traffic from the tunnel addressed to the
# router itself is dropped (input 'DROP'); traffic leaving through the tunnel
# is masqueraded for IPv4 and IPv6.
config zone 'wireguard'
        option name 'wireguard'
        option input 'DROP'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option device 'wg0'
        option masq6 '1'

# Traffic arriving through the tunnel may be forwarded out of the WAN.
config forwarding 'wireguard_wan'
        option src 'wireguard'
        option dest 'wan'

# Traffic arriving through the tunnel may reach the whole LAN zone.
# NOTE(review): this is broader than the per-port redirects in this file - any
# LAN host and port is reachable from the far end of the tunnel, subject to
# routing. Acceptable for a self-hosted server you control; confirm it is
# intended.
config forwarding 'wireguard_lan'
        option src 'wireguard'
        option dest 'lan'

# LAN hosts may send traffic into the tunnel.
config forwarding 'lan_wireguard'
        option src 'lan'
        option dest 'wireguard'