v25.1: port forwarding over VPN network broken #8271

Open
maxkratz opened this issue Jan 31, 2025 · 3 comments
Labels
support Community support

Comments

@maxkratz

Important notices

Our forum is located at https://forum.opnsense.org , please consider joining discussions there in stead of using GitHub for these matters.

I've tried to open an account on the forum but have received no email, yet. The mail server's log shows no attempt to deliver an email from the forum. Hence, I will open this issue.

Before you ask a new question, we ask you kindly to acknowledge the following:


Setup

I use an OPNsense router at home for basically everything. My ISP is a German fiber provider which gives me an ONT box that is directly connected to my OPNsense router. Hence, I do not have a separate router with NAT, etc.
Since I am behind a CGNAT, I use a VPS and a WireGuard tunnel to route traffic from the public internet to my home server.

  • (All public IPs below are changed.)

  • VPS public IP: 1.2.3.4

  • VPS wg internal network IP: 10.10.92.1

  • OPNsense wg internal network IP: 10.10.92.3

  • Within OPNsense, I have port forwarding specified for the wg0 interface to my local DMZ network.

    • The ports are: 80 (HTTP), 443 (HTTPS), 2222 (SSH), 9100 (HTTP), ...

Both boxes are able to ping each other. nmap on the VPS shows that all forwarded ports on the wg address of my OPNsense box (10.10.92.3) are open.

Problem

On OPNsense 24.7, everything worked as expected and I used this setup reliably for quite a long time. However, today, I have upgraded to 25.1 and suddenly, only the HTTP-based ports are forwarded correctly.

  • Running curl, e.g., with curl http://10.10.92.3 on the VPS returns the correct page.
    • Same for port 9100.
  • Running curl with curl https://10.10.92.3 does not return anything (despite nmap showing that the port is open!)
  • SSH to port 2222 also does not work.

What did change from OPNsense 24.7 to 25.1 that might break my setup here? Is there any option I can try to fix my port forwarding over the WireGuard network?

If you need any config snippets, etc., please let me know. Thanks in advance.
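A small diagnostic that separates the two observations in the report (nmap says the port is open, curl and SSH get nothing back), added here as an example and not code from the issue or from OPNsense: it completes the TCP handshake and then waits for any application-layer reaction from the far side. The probe payloads, the status names and the local stand-in servers used by demo() are constructed for this example; against the real setup you would call probe_port("10.10.92.3", port, PROBES[port]) from the VPS side.

```python
import socket
import threading
# Probe payloads for the forwarded ports named in the issue (constructed here). A TLS listener
# hit with plaintext answers with an alert or a close; an SSH server sends its banner whatever
# the client says. Either counts as "the far side reacted".
HTTP_PROBE = b"GET / HTTP/1.0\r\nHost: probe\r\n\r\n"
PROBES = {80: HTTP_PROBE, 443: HTTP_PROBE, 9100: HTTP_PROBE, 2222: b"SSH-2.0-probe\r\n"}

def probe_port(host, port, payload=b"", timeout=3.0):
    """Return 'closed', 'filtered', 'open-silent' or 'open-replied'. 'open-silent' is the
    pattern in the issue: the handshake completes (nmap says open) but no bytes come back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            if payload:
                s.sendall(payload)
            try:
                s.recv(1)                      # data or EOF: the peer reacted
            except socket.timeout:
                return "open-silent"
            return "open-replied"
    except ConnectionRefusedError:
        return "closed"
    except (ConnectionResetError, BrokenPipeError):
        return "open-replied"                  # reset after the handshake still counts
    except OSError:                            # connect timeout, no route, ...
        return "filtered"

def start_stand_in(reply):
    """Local stand-in for a forwarded service on an ephemeral port (demo only).
    reply=None models the failure: the handshake completes, nothing is ever sent back."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            if reply is None:
                threading.Event().wait(3)      # hold the connection open, never answer
            else:
                conn.recv(1024)
                conn.sendall(reply)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    healthy = start_stand_in(b"SSH-2.0-stand-in\r\n")   # behaves like a working forward
    silent = start_stand_in(None)                        # behaves like the 25.1 symptom
    return (probe_port("127.0.0.1", healthy, PROBES[2222], timeout=1.0),
            probe_port("127.0.0.1", silent, PROBES[443], timeout=1.0))
```

Running the probes for all forwarded ports from the VPS and comparing a 24.7 run with a 25.1 run gives a per-port record of which forwards complete the handshake only and which actually pass application data.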

@maxkratz maxkratz added the support Community support label Jan 31, 2025
@maxkratz
Author

I rolled back to v24.7 and everything was working without any problem. This leads me to conclude that there is something broken in v25.1 or my configuration is not compatible with v25.1.

@fichtner
Member

This leads me to conclude that there is something broken in v25.1 or my configuration is not compatible with v25.1.

This sounds like square one? :)

@fichtner
Member

fichtner commented Jan 31, 2025

You can take a look at opnsense/src#235 (comment) which is something we're investigating in relation to packet filter behaviour before and after a certain commit.
