About your comment below
Put the VPN in a separate zone and then allow lan > vpn and vpn > lan forwarding.
just to be super clear as i am going to get one chance to apply this setting (as risk if i do anything stupid, will have to travel all the way back to client 
)
should it look like this;
@psherman already covered the incorrect route and incorrect use of masquerading.
I would suggest, if there is memory space, install Zerotier as a backup VPN so you can (almost) always log into the other router remotely. You can still do that and route lan-lan traffic via Wireguard.
@mk24 Have added Zeroteir and its working like you mentioned, thank a ton,
@psherman have added the changes you have suggested, but the situation is yet to improve, sharing current status and configs for reference;
what works -
doesn't work
Client (farmhouse) cat /etc/config/network
root@farmhouse:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fda8:8838:553c::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option proto 'qmi'
option device '/dev/cdc-wdm0'
option apn 'www'
option auth 'chap'
option pdptype 'ipv4v6'
option default_profile '1'
option dualstack_profile '2'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '3 6t'
config interface 'vpn'
option proto 'wireguard'
option private_key 'key'
list addresses '192.168.9.3/24'
list addresses 'fdf1:e8a1:8d3f:9::3/64'
config wireguard_vpn 'wgserver'
option public_key 'pub'
option preshared_key 'psk'
option endpoint_host 'server_ip'
option endpoint_port '51820'
option route_allowed_ips '1'
option persistent_keepalive '25'
list allowed_ips '192.168.9.1/32'
list allowed_ips 'fdf1:e8a1:8d3f:9::1/128'
list allowed_ips '192.168.0.0/24'
list allowed_ips '192.169.9.2/32'
list allowed_ips 'fdf1:e8a1:8d3f:9::2/128'
Client (farmhouse) cat /etc/config/firewall
root@farmhouse:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config zone 'vpn'
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'vpn'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'vpn'
config forwarding
option src 'vpn'
option dest 'lan'
config zone 'vpn_zone'
option name 'zerotier'
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
option device 'zt+'
option masq '1'
option mtu_fix '1'
config forwarding
option dest 'zerotier'
option src 'lan'
config forwarding
option dest 'lan'
option src 'zerotier'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
home (server) cat /etc/config/network
root@home:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fda8:d312:a0d8::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.0.1'
config device
option name 'eth0.2'
option macaddr '60:32:b1:b7:43:fc'
config interface 'wan'
option device 'eth0.2'
option proto 'pppoe'
option username 'userid'
option password 'userid'
option ipv6 'auto'
option peerdns '0'
list dns '8.8.8.8'
list dns '8.8.4.4'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
option reqprefix 'auto'
option reqaddress 'try'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'
config interface 'vpn'
option proto 'wireguard'
option listen_port '51820'
option private_key 'key'
list addresses '192.168.9.1/24'
list addresses 'fdf1:e8a1:8d3f:9::1/64'
config wireguard_vpn 'wgclient'
option description 'FarmHouseRouter'
option route_allowed_ips '1'
option public_key 'pbk'
option private_key 'key'
option preshared_key 'psk'
list allowed_ips '192.168.9.3/32'
list allowed_ips 'fdf1:e8a1:8d3f:9::3/128'
list allowed_ips '192.168.1.0/24'
config wireguard_vpn
option description 'Mohit’s Iphone'
option public_key 'pbk'
list allowed_ips '192.168.9.2/32'
list allowed_ips 'fdf1:e8a1:8d3f:9::2/128'
list allowed_ips '192.168.1.0/24'
option route_allowed_ips '1'
config route
option target '192.168.1.0/24'
option gateway '192.168.9.3'
home (server) cat /etc/config/firewall
root@home:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'vpn'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule 'wg'
option name 'Allow-WireGuard'
option src 'wan'
option dest_port '51820'
option proto 'udp'
option target 'ACCEPT'
shouldn't affect your general connectivity, but remove 192.168.9.1/32 and 192.168.9.2/32 and add 192.168.9.0/24 instead.
I think that you need to turn off masquerading on the vpn zone at the farmhosue.
Remove the allowed IPs of 192.168.1.0/24 from the peer configs in your home router. These allowed IPs addresses should only be the tunnel address for the peer (i.e. 192.168.9.2/32 and 192.168.9.3/32).
Definitely. You want symmetric routing from either LAN to the other one, so masquerading must not be used. Masquerading the tunnel blocks incoming connections through the tunnel.
@psherman @mk24 have implemented changes you both have suggested, sharing new status;
what works -
doesn't work
this time sharing some result of tcpdup monitoring while attemting to access farmhouse subnet 192.168.1.127 from Home subnet 192.168.0.189, it might support diagnosis
root@farmhouse:~# tcpdump -i br-lan host 192.168.1.127 -vv
21:43:31.448952 IP (tos 0x0, ttl 235, id 21113, offset 0, flags [DF], proto TCP (6), length 52)
ec2-43-204-103-22.ap-south-1.compute.amazonaws.com.31006 > 192.168.1.127.40796: Flags [.], cksum 0xc09d (correct), seq 3, ack 546, win 849, options [nop,nop,TS val 3178480494 ecr 10247046], length 0
21:43:32.549642 IP (tos 0x0, ttl 126, id 2419, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.189.54033 > 192.168.1.127.80: Flags [S], cksum 0xe0b0 (correct), seq 3706937228, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:43:32.587132 IP (tos 0x0, ttl 126, id 2420, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.189.54034 > 192.168.1.127.80: Flags [S], cksum 0x1e40 (correct), seq 2391109738, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:43:32.806121 IP (tos 0x0, ttl 126, id 2421, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.189.54038 > 192.168.1.127.80: Flags [S], cksum 0x418b (correct), seq 3204324514, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:43:33.560130 IP (tos 0x0, ttl 126, id 2422, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.189.54033 > 192.168.1.127.80: Flags [S], cksum 0xe0b0 (correct), seq 3706937228, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:43:33.591112 IP (tos 0x0, ttl 126, id 2423, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.189.54034 > 192.168.1.127.80: Flags [S], cksum 0x1e40 (correct), seq 2391109738, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:43:33.821096 IP (tos 0x0, ttl 126, id 2424, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.189.54038 > 192.168.1.127.80: Flags [S], cksum 0x418b (correct), seq 3204324514, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:43:35.562136 IP (tos 0x0, ttl 126, id 2425, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.189.54033 > 192.168.1.127.80: Flags [S], cksum 0xe0b0 (correct), seq 3706937228, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:43:35.597113 IP (tos 0x0, ttl 126, id 2426, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.189.54034 > 192.168.1.127.80: Flags [S], cksum 0x1e40 (correct), seq 2391109738, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:43:35.829105 IP (tos 0x0, ttl 126, id 2427, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.189.54038 > 192.168.1.127.80: Flags [S], cksum 0x418b (correct), seq 3204324514, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:43:36.285822 IP (tos 0x0, ttl 64, id 40752, offset 0, flags [DF], proto UDP (17), length 88)
192.168.1.127.48141 > ec2-35-154-85-188.ap-south-1.compute.amazonaws.com.6000: [udp sum ok] UDP, length 60
21:43:36.288137 IP (tos 0x0, ttl 64, id 12665, offset 0, flags [DF], proto UDP (17), length 88)
192.168.1.127.48141 > ec2-3-108-32-185.ap-south-1.compute.amazonaws.com.6000: [udp sum ok] UDP, length 60
21:43:36.383834 IP (tos 0x0, ttl 236, id 13333, offset 0, flags [DF], proto UDP (17), length 72)
ec2-35-154-85-188.ap-south-1.compute.amazonaws.com.6000 > 192.168.1.127.48141: [udp sum ok] UDP, length 44
21:43:36.415475 IP (tos 0x0, ttl 236, id 37178, offset 0, flags [DF], proto UDP (17), length 72)
ec2-3-108-32-185.ap-south-1.compute.amazonaws.com.6000 > 192.168.1.127.48141: [udp sum ok] UDP, length 44
21:43:36.702450 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.127 tell farmhouse.lan, length 28
21:43:36.705227 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.127 is-at 50:2b:73:a0:11:92 (oui Unknown), length 28
^C
23 packets captured
23 packets received by filter
0 packets dropped by kernel
What OS is on this host? If it is windows, you probably have a firewall issue on the windows machine itself. Typically, the Windows Firewall doesn't permit connections from other subnets, so you'll have to make changes to the settings there.
192.168.1.127 is a CCTV system installed at Farmhouse (wireguard client 192.168.9.3), which i am trying to connect from my laptop connected with Home router ( wireguard server 192.168.9.1)- on laptop i am using windows, but i guess you are referring to device that i am trying to connect to (192.168.1.127) ..
i can check if there is any firewall issue with cctv system, will be back asap
Can you ping 192.168.1.127 from the house router (not a PC in the house, but the router itself)? psherman has a good point that some settings of Windows block private IP other than the LAN that the PC is part of.
If you can't ping from the router either, review router settings:
Let's take a look at the latest configs:
/etc/config/network and /etc/config/firewall
/etc/config/network and /etc/config/firewall
Do you have any other devices on 192.168.1.0/24 that are not the CCTV or windows hosts? If you have a linux system, that would be great.
@psherman @mk24 i guess you both might be right, i can ping rest of the subnets at farmhouse now... but only this one 192.168.1.127 doesn't respond .. checking
sometimes you can adjust the local firewall on that device (especially if it runs a standard OS with CCTV/NVR software on top of it), but some vendors don't expose that functionality (in which case I'm not sure what to suggest).
strangely, i am able to ping e.g., 192.168.1.115 at farmhouse using another subnet from home server 192.168.0.189 (home subnet to farmhouse subnet works) , but this ping doesn't work if i ssh home server and ping 192.168.1.115 (home router to farmhouse subnet)
Anyways, it seems atleast subnet to subnet pings are working, so i just have to figure out what's wrong with my CCTV firewall
sharing configuration for reference;
Client (farmhouse) cat /etc/config/network
root@farmhouse:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fda8:8838:553c::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option proto 'qmi'
option device '/dev/cdc-wdm0'
option apn 'www'
option auth 'chap'
option pdptype 'ipv4v6'
option default_profile '1'
option dualstack_profile '2'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '3 6t'
config interface 'vpn'
option proto 'wireguard'
option private_key 'key'
list addresses '192.168.9.3/24'
list addresses 'fdf1:e8a1:8d3f:9::3/64'
config wireguard_vpn 'wgserver'
option public_key 'key'
option preshared_key 'key'
option endpoint_host 'endpoint'
option endpoint_port '51820'
option route_allowed_ips '1'
option persistent_keepalive '25'
option description 'homerouter'
list allowed_ips '192.168.9.1/32'
list allowed_ips 'fdf1:e8a1:8d3f:9::1/128'
list allowed_ips '192.168.0.0/24'
list allowed_ips '192.168.9.2/32'
list allowed_ips 'fdf1:e8a1:8d3f:9::2/128'
config device
option name 'vpn'
option macaddr 'C0:06:C3:31:22:DD'
Client (farmhouse) cat /etc/config/firewall
root@farmhouse:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config zone 'vpn_zone'
option name 'zerotier'
option input 'ACCEPT'
option output 'ACCEPT'
list device 'zt+'
option forward 'REJECT'
config forwarding
option dest 'zerotier'
option src 'lan'
config forwarding
option dest 'lan'
option src 'zerotier'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
list network 'vpn'
option forward 'ACCEPT'
config forwarding
option src 'vpn'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'vpn'
home (server) cat /etc/config/network
root@home:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fda8:d312:a0d8::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.0.1'
config device
option name 'eth0.2'
option macaddr '60:32:b1:b7:43:fc'
config interface 'wan'
option device 'eth0.2'
option proto 'pppoe'
option username 'id'
option password 'id'
option ipv6 'auto'
option peerdns '0'
list dns '8.8.8.8'
list dns '8.8.4.4'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
option reqprefix 'auto'
option reqaddress 'try'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'
config interface 'vpn'
option proto 'wireguard'
option listen_port '51820'
option private_key 'key'
list addresses '192.168.9.1/24'
list addresses 'fdf1:e8a1:8d3f:9::1/64'
config wireguard_vpn 'wgclient'
option description 'FarmHouseRouter'
option route_allowed_ips '1'
option public_key 'key'
option private_key 'key'
option preshared_key 'key'
list allowed_ips '192.168.9.3/32'
list allowed_ips 'fdf1:e8a1:8d3f:9::3/128'
list allowed_ips '192.168.1.0/24'
config wireguard_vpn
option description 'Mohit’s Iphone'
option public_key 'key'
list allowed_ips '192.168.9.2/32'
list allowed_ips 'fdf1:e8a1:8d3f:9::2/128'
config route
option target '192.168.1.0/24'
option gateway '192.168.9.3'
home (server) cat /etc/config/firewall
root@home:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'vpn'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule 'wg'
option name 'Allow-WireGuard'
option src 'wan'
option dest_port '51820'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
list network 'vpn'
option forward 'ACCEPT'
config forwarding
option src 'vpn'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'vpn'
I don't think it will affect anything in this situation, but in your home firewall, you have the vpn network attached to 2 zones (lan and vpn)... it should only be on one.
Seems its lot more complex to access CCTV through VPN tunnel due to restriction CCTV OS is enforcing, is it possible to assign local IP while attempting to access client subnet?
in Current scenario example, let's say 192.168.0.189 (from Home server subnet) trying to connect with farmhouse subnet 192.168.1.127.....
is it possible to assign 192.168.0.189 a new subnet like 192.168.1.xxx while connecting through wireguard VPN?
There are some plausible ways to do this, although I am not an expert on these options and cannot say if they would actually work...
For either of those, you'd probably need guidance from other users. It's probably best to start a new thread on this new topic.... be sure to reference this thread as context for why you need to do this somewhat unusual translation/proxy situation.
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.