No Port forwarding from WAN when VPN is on

It seems that once the VPN (WireGuard) is on, I can’t port forward from WAN to LAN; I can only port forward from WireGuard to LAN.
Is there any workaround for forwarding from WAN to LAN while the VPN is on?

Can you check the VPN policy and make sure “use vpn for the process on the router” is disabled?

Yes, they are disabled @alzhao

Which firmware version are you using?

@Riho-shuu can you help check this issue?

Please note that we will be on holiday until Tuesday.

I’m using firmware 3.105 on the MV1000.

If you’re using a normal VPN service, it will not let you open ports, because the IP address is shared; you would probably need a VPN provider that can give you a dedicated IP.

If you’re running your own WireGuard server/client, then I would expect it to work.

Hi @xuan, port forwarding from my VPN server into my LAN works just fine. I am trying to figure out whether I can port forward from my WAN to my LAN while the VPN is running, so that forwards from the WAN port into the LAN keep working with the VPN on.

I changed the enabled ‘0’ to ‘1’ and ran `service firewall restart`.
It doesn’t seem to do anything.

From my test just now, the forwarding rule works fine while the wg client is running.

Could you show me the forwarding rule you have set?

Below is my entire /etc/config/firewall:

# Global firewall policy. Traffic between zones is REJECTed unless a
# 'forwarding' section or an explicit rule allows it; input/output on the
# router itself default to ACCEPT and are tightened per zone below.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# LAN zone. 'lan' and 'Guest_LAN' share this zone, and the zone's own
# forward policy is ACCEPT, so traffic can be forwarded between the two
# networks (a guest host can reach regular LAN hosts).
# NOTE(review): if guest isolation is intended, Guest_LAN needs its own zone
# with forward 'REJECT' — confirm that cross-network access is wanted.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan Guest_LAN'

# WAN zone. Connections to the router from the Internet are REJECTed except
# for the explicit 'src wan' rules further down; outbound traffic is
# masqueraded and has its TCP MSS clamped to the interface MTU.
# NOTE(review): 'forward' on a zone is the intra-zone policy (here between
# 'wan' and 'wan6'); the stock OpenWrt value for the wan zone is REJECT —
# confirm that ACCEPT is needed here.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'ACCEPT'
        option network 'wan wan6'

# LAN hosts may initiate connections towards the Internet; the reverse
# direction is only opened by the 'redirect' (DNAT) sections below.
config forwarding
        option src 'lan'
        option dest 'wan'
        option enabled '1'

# Default OpenWrt input rules for the WAN side: DHCP lease renewal,
# ping, IGMP, and the IPv6 housekeeping protocols (DHCPv6, MLD, ICMPv6).
# These accept traffic to the router itself (no 'dest'), except where noted.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Echo requests from the Internet are answered (the router is discoverable by ping).
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# DHCPv6 only from/to unique-local or link-scoped sources (fc00::/6).
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Multicast Listener Discovery, restricted to link-local sources.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 needed for IPv6 to function (neighbour/router discovery, PMTU),
# rate-limited to 1000 packets per second.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Same ICMPv6 types forwarded through the router to any zone ('dest *'),
# so PMTU discovery works for hosts behind it.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# IPsec pass-through: ESP and IKE (UDP/500) from the Internet may be
# forwarded into the LAN zone (any LAN host, no dest_ip restriction).
# NOTE(review): these ship with OpenWrt but are only needed if an IPsec
# endpoint lives on the LAN; otherwise they can be disabled.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Hand-written iptables rules; re-run on every firewall reload ('reload 1').
config include
        option path '/etc/firewall.user'
        option reload '1'

# Vendor (GL.iNet) scripts that add rules outside this file at each reload:
# site-to-site, the GL firewall helper, QoS and mwan3 (multi-WAN).
# NOTE(review): anything these scripts insert is not visible in this
# config — when debugging a forward, check the live ruleset (iptables-save)
# rather than only this file.
config include 'gls2s'
        option type 'script'
        option path '/var/etc/gls2s.include'
        option reload '1'

config include 'glfw'
        option type 'script'
        option path '/usr/bin/glfw.sh'
        option reload '1'

config include 'glqos'
        option type 'script'
        option path '/usr/sbin/glqos.sh'
        option reload '1'

config include 'mwan3'
        option type 'script'
        option path '/var/etc/mwan3.include'
        option reload '1'

# SMB/NetBIOS (137-139, 445) is dropped when it arrives from the Internet
# and accepted from the LAN — keeps the router's own file share off the WAN.
config rule 'sambasharewan'
        option src 'wan'
        option dest_port '137 138 139 445'
        option dest_proto 'tcpudp'
        option target 'DROP'

config rule 'sambasharelan'
        option src 'lan'
        option dest_port '137 138 139 445'
        option dest_proto 'tcpudp'
        option target 'ACCEPT'

# Vendor service on port 83 reachable from the WAN — currently disabled
# ('enabled 0'). NOTE(review): leave this disabled unless the router's
# management service must be reachable from the Internet.
config rule 'glservice_rule'
        option name 'glservice'
        option dest_port '83'
        option proto 'tcp udp'
        option src 'wan'
        option target 'ACCEPT'
        option enabled '0'

# DNAT (port-forward) sections. Every mail-server redirect below uses
# src 'wireguard': it only matches traffic arriving on wg0, so the mail
# host 192.168.1.160 is reachable to whoever can reach the tunnel, not to
# the Internet at large. The two NAS_* redirects use src 'wan' and are the
# ones this thread reports as not working while the WireGuard client is up.
# NOTE(review): presumably the default route moves into the tunnel once the
# wg client connects, so replies to WAN-originated connections leave via wg0
# (and are masqueraded by the wireguard zone) instead of the WAN interface;
# the usual fix is a source-based policy route sending traffic from the WAN
# address back out the WAN — verify with `ip route` / `ip rule` while the
# client is connected.
# 'gl 1' is a vendor flag marking rules created from the GL.iNet UI.
config redirect
        option target 'DNAT'
        option name 'SMTP'
        option dest 'lan'
        option src_dport '25'
        option dest_port '25'
        option gl '1'
        option proto 'tcp'
        option dest_ip '192.168.1.160'
        option enabled '1'
        option src 'wireguard'

config redirect
        option target 'DNAT'
        option name 'SMTP_Submission'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '587'
        option dest_port '587'
        option enabled '1'
        option gl '1'
        option dest_ip '192.168.1.160'
        option src 'wireguard'

config redirect
        option target 'DNAT'
        option name 'SMTPs'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '465'
        option dest_port '465'
        option enabled '1'
        option gl '1'
        option dest_ip '192.168.1.160'
        option src 'wireguard'

# IMAP 143 and POP3 110 are plaintext-capable; exposure here is limited to
# VPN peers, but the server should still require STARTTLS before login.
config redirect
        option target 'DNAT'
        option name 'IMAP'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '143'
        option dest_port '143'
        option enabled '1'
        option gl '1'
        option dest_ip '192.168.1.160'
        option src 'wireguard'

config redirect
        option target 'DNAT'
        option name 'IMAPS'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '993'
        option dest_port '993'
        option enabled '1'
        option gl '1'
        option dest_ip '192.168.1.160'
        option src 'wireguard'

config redirect
        option target 'DNAT'
        option name 'POP3'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '110'
        option dest_port '110'
        option enabled '1'
        option gl '1'
        option dest_ip '192.168.1.160'
        option src 'wireguard'

config redirect
        option target 'DNAT'
        option name 'POP3s'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '995'
        option dest_port '995'
        option enabled '1'
        option gl '1'
        option dest_ip '192.168.1.160'
        option src 'wireguard'

# NAS web UI exposed directly to the Internet (src 'wan') on 8443 and 8080.
# NOTE(review): 8080 is conventionally plaintext HTTP — if the NAS serves
# its login page without TLS on that port, credentials cross the Internet
# in clear; confirm, and prefer the 8443 forward alone if it is HTTPS.
config redirect
        option target 'DNAT'
        option name 'NAS_Web'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '8443'
        option dest_ip '192.168.1.175'
        option dest_port '8443'
        option enabled '1'
        option gl '1'

config redirect
        option target 'DNAT'
        option name 'NAS_WEB1'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '8080'
        option dest_ip '192.168.1.175'
        option dest_port '8080'
        option enabled '1'
        option gl '1'

# Mail host web UI, again only from the tunnel side.
config redirect
        option target 'DNAT'
        option name 'Mail_Web'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip '192.168.1.160'
        option dest_port '80'
        option enabled '1'
        option gl '1'
        option src 'wireguard'

config redirect
        option target 'DNAT'
        option name 'Mail_HTTPS'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '443'
        option dest_ip '192.168.1.160'
        option dest_port '443'
        option enabled '1'
        option gl '1'
        option src 'wireguard'

# Opens the WireGuard listen port on the router to the Internet.
# NOTE(review): WireGuard speaks UDP only; the 'tcp' half of this rule
# exposes TCP/48137 on the router for no benefit and should be dropped
# (`option proto 'udp'`).
config rule 'AllowWireguard'
        option name 'Allow-Wireguard'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp tcp'
        option family 'ipv4'
        option dest_port '48137'

# Tunnel zone bound to wg0. Peers cannot talk to the router itself
# ('input DROP') but traffic from the tunnel is forwarded and, on the way
# out of wg0, masqueraded for both IPv4 and IPv6. That masquerade is what
# rewrites any reply that gets routed into the tunnel, which matters for
# the WAN-side port forwards above.
config zone 'wireguard'
        option name 'wireguard'
        option input 'DROP'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option device 'wg0'
        option masq6 '1'

# Tunnel <-> WAN and tunnel <-> LAN forwarding in both directions.
# NOTE(review): 'wireguard_lan' lets anything arriving on wg0 reach every
# LAN host; that is what makes the src 'wireguard' redirects work, but if
# wg0 is a client to a third-party provider it also means the far side of
# the tunnel is trusted with LAN access — confirm that is intended.
config forwarding 'wireguard_wan'
        option src 'wireguard'
        option dest 'wan'

config forwarding 'wireguard_lan'
        option src 'wireguard'
        option dest 'lan'

config forwarding 'lan_wireguard'
        option src 'lan'
        option dest 'wireguard'

Hi guys,

We have the same problem here. Is there a solution in the meantime?

Are you using firmware 3.201? In the WireGuard client there is an option “allow access local network”; you have to enable it.

Hi Alzhao,

thank you for your fast response.

We already did that and unfortunately it is not working.

We use the latest firmware, 3.201. The device sits behind an AVM DSL router as a single device, with a complete DMZ forward to that one AR-750.
If we disconnect from Azire VPN it works fine; with the VPN active it does not.

We also tried the VPN policies to exclude the MACs from using the VPN — same result, no change.

Any other idea?

With best Regards - Matt

I just tested: whether WireGuard is set up or not, the port forward works.

I tested on firmware 3.203.

Hi Alzhao,

Good to hear, but 3.203 is not available to me — how do I get it?

You can download from GL.iNet download center

I have opened a separate thread for this instead.

Yes, I built one today. See this post.

HTH!