Jail NAT forwarded ports not accessible from wireguard vpn subnet

LMCDZ

Cadet
Joined
Jan 2, 2021
Messages
8
Hi,
I have truenas server on my local network at 192.168.0.8, and also connected to my wireguard vpn network as a client with address 10.0.0.8 (on the host freebsd, not in a jail).

I have several jails all with NAT setup with port forwarding. I can reach the truenas GUI as well as any jail services at 192.168.0.8:xyz (by specifying the port) from any machine on the 192.168.x.x subnet.

The issue is when accessing the truenas server over my vpn, I can only access the GUI (10.0.0.8:80) and shares, but other ports pointing to jails, such as 10.0.0.8:xyz that work from the local network, are not reachable from 10.0.0.0/24 machines. I have several linux servers that I access over the vpn by specifying particular ports, so the issue seems unique to truenas.

From any jail shell, I can ping all of 192.168.0.0/24, but I can only ping 10.0.0.8 on the 10.0.0.0/24 subnet. From truenas shell I can ping 192.168.0.0/24 and also all my other machines on 10.0.0.0/24.

Is there a firewall that only forwards packets to the jails from particular subnets? How do I set up the NAT to allow jail ports access to both the local network and my wireguard interface?

I could setup each jail with a connection to my vpn but would rather not do this due to extra work, certificates to manage, and extra security risk as jails are not meant to be trusted.

Thanks
 

LMCDZ

Cadet
Joined
Jan 2, 2021
Messages
8
Scanning the plex port over local network gives:
Code:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-04 16:36 AEDT
Nmap scan report for 192.168.0.8
Host is up (0.00044s latency).

PORT      STATE SERVICE
32400/tcp open  plex

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

Scanning over the wireguard vpn shows the port state as closed?
Code:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-04 16:37 AEDT
Nmap scan report for 10.0.0.8
Host is up (0.071s latency).

PORT      STATE  SERVICE
32400/tcp closed plex

Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
 

usern

Dabbler
Joined
May 31, 2020
Messages
11
I have essentially the same problem. Trying to reach other networks connected to TrueNAS with wireguard from a jail.
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Hey guys,

I have not worked much with wireguard and my opinion is that such routing and VPN infrastructure should not be done from TrueNAS itself. TrueNAS is a storage appliance and should be used as such. For this, I do my VPN and routing in pfSense firewalls deployed in front of each of my TrueNAS.

Still, your problem seems to be related to routing. Mostly, probably routing of return packets. As such, post all your routing tables from all devices involved in that communication. We should see what is wrong from that.
 

usern

Dabbler
Joined
May 31, 2020
Messages
11
In my case it is NAT. I can see in tcpdump that when I ping a network address through wireguard from a jail, the source address is not NATed. The jail creation process will not create an ipfw NAT rule for the wireguard interface.

When the Jail is running, ipfw list in TrueNAS shell shows:
Code:
root@truenas[~]# ipfw list
00100 nat 462 ip4 from 172.16.0.0/24 to any out via igb0
00101 nat 462 ip4 from any to any in via igb0
65535 allow ip from any to any


There should be wg0 rules too, I guess I can add them as system init tasks. Just have to figure out proper ipfw rule for it.
 
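An added example, not code from this thread or from iocage, of the init-task script usern describes: it builds a second ipfw nat instance bound to the wireguard interface, mirroring the igb0 pair (rules 100/101) shown above, and carries the jail port forwards on that instance so ports such as 32400 also answer on the wg0 address (the first poster's symptom). The jail subnet 172.16.0.0/24 and nat id 462 come from the ipfw listing in the thread; the interface name wg0, nat id 463, rule numbers 102/103 and the jail address 172.16.0.2 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or iocage): create the ipfw nat
# instance and rules that jail creation does not add for the wg0 interface.
# Assumed values (override via environment): wg0, nat id 463, rules 102/103.
WG_IF="${WG_IF:-wg0}"
WG_NAT_ID="${WG_NAT_ID:-463}"
JAIL_NET="${JAIL_NET:-172.16.0.0/24}"   # jail subnet from usern's ipfw list

# Build the "nat <id> config" line. Each argument is one forward written
# as proto:jailip:jailport:hostport, e.g. tcp:172.16.0.2:32400:32400
# (172.16.0.2 is a hypothetical jail address). Only list the ports you
# intend to expose to the VPN subnet; everything else stays unreachable.
wg_nat_config() {
  cmd="nat $WG_NAT_ID config if $WG_IF same_ports"
  for fwd in "$@"; do
    proto=${fwd%%:*};    rest=${fwd#*:}
    jail_ip=${rest%%:*}; rest=${rest#*:}
    jail_port=${rest%%:*}; host_port=${rest#*:}
    cmd="$cmd redirect_port $proto $jail_ip:$jail_port $host_port"
  done
  printf '%s\n' "$cmd"
}

# Same shape as rules 100/101 on igb0: translate jail traffic leaving via
# wg0 (fixes the un-NATed source usern saw in tcpdump) and run inbound
# wg0 packets through the instance so redirect_port reaches the jail.
wg_nat_rules() {
  printf 'add 102 nat %s ip4 from %s to any out via %s\n' \
    "$WG_NAT_ID" "$JAIL_NET" "$WG_IF"
  printf 'add 103 nat %s ip4 from any to any in via %s\n' \
    "$WG_NAT_ID" "$WG_IF"
}

# Apply with ipfw. Run this from a TrueNAS post-init task after wg0 is up;
# the functions above only print, so the script can be checked before use.
apply_wg_nat() {
  { wg_nat_config "$@"; wg_nat_rules; } | while IFS= read -r line; do
    # shellcheck disable=SC2086  # word splitting is the point here
    ipfw -q $line || return 1
  done
}
```

Verify with `ipfw list` afterwards: the new 102/103 pair should appear next to the 100/101 igb0 rules, and the inbound rule must come before the final `allow ip from any to any`.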

idArns

Cadet
Joined
May 3, 2022
Messages
4
Is there any progress on this? I have the same exact problem, starting to drive me crazy o_O
 