Routing & Gateway
Manage VPN gateway, NAT, port forwarding, and firewall rules
{/* Summary strip */}
{!statusLoading && (
{[
{ label: 'NAT Rules', value: rs.nat_rules_count ?? natRules.length },
{ label: 'Port Forwards', value: pfRules.length },
{ label: 'Peer Routes', value: rs.peer_routes_count ?? peerRoutes.length },
{ label: 'Firewall Rules', value: rs.firewall_rules_count ?? firewallRules.length },
].map(({ label, value }) => (
))}
)}
{/* Tabs */}
{tabs.map(tab => (
{
setActiveTab(tab.id);
if (tab.id === 'live' && !liveIptables) fetchLiveIptables();
}}
className={`flex items-center whitespace-nowrap px-1 py-3 border-b-2 font-medium text-sm ${
activeTab === tab.id
? 'border-primary-500 text-primary-600'
: 'border-transparent text-gray-500 hover:text-gray-700 hover:border-gray-300'
}`}
>
))}
{/* ── Overview ── */}
{activeTab === 'overview' && (
Destination
Gateway
Interface
Flags
{routingTable.map((r, i) => {
const p = r.parsed || {};
return (
{p.destination || r.route}
{p.via || '—'}
{p.dev || '—'}
{p.metric ? `metric ${p.metric}` : ''}
);
})}
) : (
No routing table entries available.
)}
)}
{/* ── Port Forwarding ── */}
{activeTab === 'portfwd' && (
setShowPfForm(v => !v)}>
Forward inbound traffic on a public port to an internal host. Rules here are stored and re-applied on restart.
{showPfForm && (
)}
Protocol
External Port
→ Internal IP
Internal Port
{pfRules.length === 0 ? (
{r.protocol || 'ALL'}
{r.external_port || '—'}
{r.internal_ip || '—'}
{r.internal_port || '—'}
handleDeletePf(r.id || i)}>
))}
)}
{/* ── NAT Rules ── */}
{activeTab === 'nat' && (
setShowNatForm(v => !v)}>
Loading…
: (
Source Network
Interface
Type
{natRules.length === 0 ? (
{r.source_network}
{r.target_interface}
{r.nat_type || 'MASQUERADE'}
handleDeleteNat(r.id || i)}>
))}
)}
)}
{/* ── Peer Routes ── */}
{activeTab === 'peers' && (
setShowPeerForm(v => !v)}>
OS-level ip route entries stored here. WireGuard per-peer access control (which traffic each peer is allowed) is on the Peers page , not here.
{showPeerForm && (
)}
{peersLoading ? Loading…
: (
Peer
VPN IP
Networks
Type
{peerRoutes.length === 0 ? (
{r.peer_name}
{r.peer_ip}
{Array.isArray(r.allowed_networks) ? r.allowed_networks.join(', ') : r.allowed_networks}
{r.route_type}
handleDeletePeer(r.peer_name)}>
))}
)}
)}
{/* ── Firewall ── */}
{activeTab === 'firewall' && (
setShowFwForm(v => !v)}>
This tab only shows rules added here. The Live iptables tab shows all running rules — including per-peer VPN rules (managed on the Peers page ) and WireGuard PostUp rules. They are intentionally separate.
{showFwForm && (
)}
{fwLoading ? Loading…
: (
Chain
Source
Destination
Proto
Port
Action
{firewallRules.length === 0 ? (
{r.rule_type}
{r.source}
{r.destination}
{r.protocol || 'ALL'}
{r.port_range || r.port || '—'}
{r.action}
handleDeleteFw(r.id)}>
))}
)}
)}
{/* ── Live iptables ── */}
{activeTab === 'live' && (
Read-only view of ALL rules running in cell-wireguard. Includes: pic-peer-* rules from the Peers page, MASQUERADE from wg0.conf PostUp, and any rules added via the forms above. Rules here cannot be edited directly.
{iptLoading ? (
) : liveIptables ? (
{Object.entries(liveIptables).map(([table, text]) => (
{table} table
{text || '(empty)'}
))}
Click Refresh to load live iptables rules.
)}
)}
{/* ── Diagnostics ── */}
{activeTab === 'diagnostics' && (
Ping and traceroute a target from the server to verify routing.
{diagResult && (
{diagResult.error && (
{diagResult.error}
)}
{diagResult.ping && (
Ping
{diagResult.ping.success ? 'reachable' : 'unreachable'}
{diagResult.ping.output || diagResult.ping.error || '(no output)'}
)}
{diagResult.traceroute && (
Traceroute
{diagResult.traceroute.output || diagResult.traceroute.error || '(no output)'}
)}
)}
)}
);
}
export default Routing;