
How to run iperf3 as a server accessible from the WAN on your VyOS router

To run iperf3 as a server accessible from the WAN on your VyOS router, you’ll need to:

1. Install iperf3 (if not already installed)

sudo apt update
sudo apt install iperf3

2. Add a firewall rule to allow iperf3 traffic from WAN

iperf3 uses TCP port 5201 by default. Add a firewall input rule:

configure
set firewall ipv4 input filter rule 24 action 'accept'
set firewall ipv4 input filter rule 24 description 'Allow iperf3 from WAN'
set firewall ipv4 input filter rule 24 destination port '5201'
set firewall ipv4 input filter rule 24 inbound-interface name 'eth7'
set firewall ipv4 input filter rule 24 protocol 'tcp'
commit
save
exit

3. Run iperf3 server

iperf3 -s

Or to run it in the background:

iperf3 -s -D

4. Test from a WAN client

From an external machine:

iperf3 -c <your_wan_ip>

Optional: If you want to forward to an internal host instead

If you want to run iperf3 on a device in your LAN/DMZ instead of the router itself, you’d also need to add a NAT destination rule:

configure
set nat destination rule 110 description 'Forward iperf3 to internal host'
set nat destination rule 110 destination port '5201'
set nat destination rule 110 inbound-interface name 'eth7'
set nat destination rule 110 protocol 'tcp'
set nat destination rule 110 translation address '192.168.99.X'  # Internal host IP
set nat destination rule 110 translation port '5201'
commit
save

And add a forward filter rule to allow the traffic through.

To allow iperf3 access from the DMZ network (192.168.100.0/24 on br1), you need to add a firewall input rule:

Add firewall rule for DMZ access to iperf3

configure
set firewall ipv4 input filter rule 26 action 'accept'
set firewall ipv4 input filter rule 26 description 'Allow iperf3 from DMZ'
set firewall ipv4 input filter rule 26 destination port '5201'
set firewall ipv4 input filter rule 26 inbound-interface name 'br1'
set firewall ipv4 input filter rule 26 protocol 'tcp'
commit
save
exit

Then run iperf3 server on the router

iperf3 -s

Or to bind to the DMZ interface specifically:

iperf3 -s -B 192.168.100.1

Test from a DMZ host

From a device in the DMZ network:

iperf3 -c 192.168.100.1

Note: Looking at your current config, the DMZ has restricted access to the router (unlike the LAN which has broader access via rule 20). The DMZ can currently only access:

  • HTTP/nginx (port 80) – rule 22
  • ICMP – rule 25

Adding rule 26 as shown above will allow DMZ devices to connect to iperf3 running on the router.

To delete the firewall rule for DMZ access to iperf3 (rule 26):

configure
delete firewall ipv4 input filter rule 26
commit
save
exit

This will remove the rule that allows iperf3 traffic from the DMZ to the router.


General syntax for deleting firewall rules:

configure
delete firewall ipv4 input filter rule <rule_number>
commit
save

Or, if you want to delete the entire input filter chain (every rule in it, not only the iperf3 ones):

delete firewall ipv4 input filter

Remember to always run commit to apply changes and save to persist them across reboots.
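
Added example (not part of the original post): rule 24 above accepts TCP 5201 on eth7 from any source address, so after testing it is worth checking which such rules are still in the config. This Python script parses "show configuration commands" output and lists accept rules for port 5201 that have no source match; the sample config is constructed, and rule 30 with source 203.0.113.10 is a hypothetical source-restricted rule.

```python
import re
import shlex

# Constructed sample of `show configuration commands` output: rules 24 and 26
# are the ones from this page; rule 30 is a hypothetical source-restricted rule.
SAMPLE_CONFIG = """\
set firewall ipv4 input filter rule 24 action 'accept'
set firewall ipv4 input filter rule 24 description 'Allow iperf3 from WAN'
set firewall ipv4 input filter rule 24 destination port '5201'
set firewall ipv4 input filter rule 24 inbound-interface name 'eth7'
set firewall ipv4 input filter rule 24 protocol 'tcp'
set firewall ipv4 input filter rule 26 action 'accept'
set firewall ipv4 input filter rule 26 destination port '5201'
set firewall ipv4 input filter rule 26 inbound-interface name 'br1'
set firewall ipv4 input filter rule 30 action 'accept'
set firewall ipv4 input filter rule 30 destination port '5201'
set firewall ipv4 input filter rule 30 inbound-interface name 'eth7'
set firewall ipv4 input filter rule 30 source address '203.0.113.10'
"""

RULE_RE = re.compile(r"^set firewall ipv4 (input|forward) filter rule (\d+) (.+)$")

def parse_rules(config_text):
    """Return {(hook, rule_number): {"action": ..., "destination port": ...}}."""
    rules = {}
    for line in config_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        hook, number, rest = m.group(1), int(m.group(2)), shlex.split(m.group(3))
        # The last token is the value; the tokens before it form the key path.
        rules.setdefault((hook, number), {})[" ".join(rest[:-1])] = rest[-1]
    return rules

def open_to_any_source(rules, interface, port="5201"):
    """Accept rules for `port` on `interface` that have no source match at all."""
    hits = []
    for (hook, number), attrs in sorted(rules.items()):
        if (attrs.get("action") == "accept"
                and attrs.get("inbound-interface name") == interface
                and attrs.get("destination port") == port
                and not any(key.startswith("source ") for key in attrs)):
            hits.append((hook, number))
    return hits

if __name__ == "__main__":
    for hook, number in open_to_any_source(parse_rules(SAMPLE_CONFIG), "eth7"):
        print(f"{hook} rule {number}: tcp/5201 accepted from any source on eth7")
```

To check a live router, pass the saved output of "show configuration commands" to parse_rules in place of SAMPLE_CONFIG.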
