[Solved] Access to LAN hosts through different interfaces partially target router

Hi everyone,
after researching and numerous unsuccessful attempts I seeking for assistance here. Thank you in advance.

Summary of problem: Depending in the interface I am connected to, access to specific hosts by the domain name (Dynamic DNS) either works or redirects to the router.

Network/Interface setup:

  • Router is a Turris Omnia with Turris OS version 3.11.17 5.0.1
  • let’s assume an IPv4-only network
  • router is assigned a dynamic external IP address (a.b.c.d) by my ISP on the WAN interface
  • Dynamic DNS is fully functional: domain.xy -> a.b.c.d
  • Wireguard is used for VPN and also fully functional (e.g. connections to hosts in LAN)
  • Interfaces
    • WAN
      • IP address is assigned by ISP, e.g. a.b.c.d
    • LAN
      • IP address of Turris Omnia/interface ‘LAN’ is 192.168.0.1
      • This network contains
        • Server 1 with IP address 192.168.0.111
        • Server 2 with IP address 192.168.0.222
    • wg0 (for Wireguard VPN)
      • IP address of Turris Omnia/interface ‘wg0’ is 192.168.99.1
      • connected clients use IP addresses 192.168.99.*
  • Firewall
    • Port forwards:
      • from any host in WAN via any router IP at port 80 to Server 1 port 80
      • from any host in WAN via any router IP at port 8443 to Server 2 port 8443

Expected and actual behavior:

Scenario Expected Actual Result
Client “somewhere on the internet” accessing domain.xy:8443 Service from 192.168.0.222:8443 is offered to client as expected OK
Client in LAN (192.168.0.n) accessing domain.xy:8443 Service from 192.168.0.222:8443 is offered to client as expected OK
Client within wg0 (192.168.99.n) accessing domain.xy:8443 Service from 192.168.0.222:8443 is offered to client Access to Turris Omnia on port 8443 is attempted Problem

The same applies to server 1 and port 80.

In other words: clients connected by Wireguard VPN cannot access hosts using hostname:port because they are always directed to Turris Omnia.
It appears as if the external IP a.b.c.d is “translated” to the internal IP and consequently the port forwarding configuration is without effect.

Further notes:

  • nslookup domain.xy always returns a.b.c.d, independent from the interface
  • access to 192.168.0.111:80 or 192.168.0.222:8443 works, independent from the interface
  • I do not want to route all accesses to ports 80 or 8443 initially targeting the router to one of the servers, because I still require access to the Turris Omnia UI while connected to VPN.

Any ideas on how to achieve the same behavior on wg0 as for LAN?

Thanks so much in advance!

Additional research results:

I made a few attempts using different firewall settings.
My zone setup looks as follows (please ignore DMZ, not used at the moment):

image

All LAN interfaces (lan0-4) are associated with the lan zone.
wg0 for Wireguard is associated with zone vpn.

If a move interface wg0 to the lan zone I receive the expected results as mentioned in my previous/initial post. Therefore I assume that I am missing a certain traffic rule or port forward.

Comparing zones lan vs. vpn, the firewall setup is identical with the following exceptions:

  • Forwarding lan -> vpn in lan and vpn -> lan for vpn
  • Associated interfaces/Covered networks (see above)
  • Zone lan is the destination for various port forwards (previous/initial post)
  • One traffic rule allowing DNS requests to the router, but deactivating this rules makes no difference
    image

The following commands added to Network…Firewall…Custom Rules solved the issue:

iptables -t nat -A prerouting_vpn_rule -s 192.168.99.0/24 -d <WAN-IP>/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.111
iptables -t nat -A postrouting_vpn_rule -s 192.168.99.0/24 -d 192.168.0.111/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.0.1

(IP addresses correlate to post above, <WAN-IP> needs to be replaced)

2 Likes