Question

Hello,

I am looking for a way to allow lan->wireguard and wireguard->lan forwarding without masquerading, and still having lan->wan forwarding with masquerading enabled. This is not obvious withe GUI, is it possible to do that by editing /etc/config/firewall ?

Note: a similar configuration with dd-wrt is possible and works as expected.

Regards,

Answer 1

Hello,

For that you should, login to the router via WebUI and navigate to Network>Firewall>General settings (default window) and edit the "wireguard" interface. Here you can disable "Masquerading". Make sure to save & apply the settings. 

Regards.

Comments

The wireguard->lan direction is the easy part the issue is with lan->wan/wireguard, lan->wan requires masquerading and you can't have it disabled for lan->wireguard.

---

Let me supplement my answer. I think, you should try disable "Masquerading" and "Accept" forward on both sides, then A will see the source IP address of B:

---

No that doesn't work because for a mobile wan you still need to have masquerading set for lan->wan so you end up with the same value for lan->wireguard, so back to the initial issue disabling wireguard->lan masquerading is not enough. And disabling wireguard->lan forwarding means that you will be able to reach the router itself but not the devices behind it.

Answer 2

I'm not sure if this is exactly what you're looking but I'll give an attempt at providing a potential solution below. Let me know if this isn't what you're looking.

Disabling masquerading is part of the process but, depending on how the traffic will be traveling, the other end (WG peer of Teltonika device) will need to accept the LAN IP subnet of Teltonika (192.168.1.0/24 for example). I've tested this on my end, using a private WG server on my VPS. This is the required configuration on VPS end (other peer):

Teltonika will be accepting any input from wireguard zone by default so no additional firewall rule should be needed. However, much like the other peer, Teltonika router must also "know" about the other peer and the subnets which will be "incoming" as src address, in case it isn't a single IP address trying to reach devices behind Teltonika router. Configure allowed IPs in the WG tunnel on Teltonika end accordingly, either by specifying only hosts (/32) or a whole subnet.

This configuration is applicable specifically for split-tunnel configurations when you need only certain IPs to be routed via WG tunnel.

Comments

Allowing/disallowing IP addresses/networks in the Allowed IP lists is not the point here.The underlying issue is the fact that you can't set the lan->wan and lan->wireguard (or ipsec) masquerading flag separately, at least from the GUI.

What I want to do is propagate the original IP address through the wg tunnel. For example:

A <-> dd-wrt (<--- wg tunnel -->) RUTX11 <->B ==> B should receive the IP address of A, not the br-lan address of the RUTX.

It works the other way A sees the source IP address of B. Idem for two dd-wrt and associated networks.

---

@flebourse,

can you share the dd-wrt settings or a source link that allowed you to achieve the desired result for wq masquerading?

---

Easy two parameters only. In the Setup->Tunnels tab disable "NAT via tunnel" and in the Setup->Networking tab disable "Masquerade / NAT" for the interface you want to be transparent. Save and reboot and you are done.

---

Turns out that lan=>wan masquerading is not required after all so the flag can simply be unset in the GUI for lan=>wan wireguard ipsec.
Masquerading is still required in the wan=>lan zone forwardings. Not very obvious, masquerading applies to data flow lan->wan requires it but the button is in the wan=>lan configuration line.

Sorry for the noise.