Access another router from Openwrt LAN

I have an OpenWrt router with IP address 192.168.1.1/24.
I've connected another Mikrotik router with IP address 192.168.2.1/24 to OpenWrt.
The MT router gets its IP from OpenWrt (MT is a DHCP client of OpenWrt) and its IP is 192.168.1.193.
All of the clients connected to the MT router can ping OpenWrt and the devices connected to OpenWrt.
However, I cannot do the opposite (I cannot connect from OpenWrt clients to MT router clients).
I've added a static route to send every destination in 192.168.2.1/24 through the MT gateway (192.168.1.193), but it didn't work.

Here is my config.
/etc/config/network

# /etc/config/network as first posted: LAN 192.168.1.1/24 on br-lan, PPPoE WAN on eth0.2,
# WireGuard server on wg0. There is no 'config route' section in this file, so the static
# route to the Mikrotik's 192.168.2.x network described in the post is not actually present here.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7f:7520:0a69::/48'

# LAN bridge: only the VLAN 1 sub-interface eth0.1 is a member; IPv6 on the bridge device is off.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'
        option ipv6 '0'

# 192.168.1.1/24 is the network the Mikrotik's upstream side (192.168.1.193) sits on.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# WAN sub-interface on VLAN 2; the MAC override value is redacted in this paste.
config device
        option name 'eth0.2'
        option macaddr 'BLAHBLAHBLAH'
        option ipv6 '0'

# PPPoE uplink (credentials redacted). peerdns '0' ignores the ISP resolvers in favour of the listed ones.
config interface 'wan'
        option device 'eth0.2'
        option proto 'pppoe'
        option username 'BLAHBLAHBLAH'
        option password 'BLAHBLAHBLAH'
        option ipv6 'auto'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '8.8.8.8'

# IPv6 side of the uplink via DHCPv6 (address and prefix requested); DNS value redacted.
config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        list dns 'BLAHBLAHBLAH'

# Switch VLANs: VLAN 1 (LAN) = ports 4 and 2, VLAN 2 (WAN) = port 1, port 6 tagged on both
# (presumably the CPU port). Port 3 is in neither VLAN — confirm that is intended for this board.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '4 2 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

# WireGuard server: listen port 6325 (the same port the 'Allow WG' firewall rule opens),
# tunnel address 192.168.9.1/24, MTU 1450. delegate '0' keeps IPv6 prefix delegation off wg0.
config interface 'wg0'
        option proto 'wireguard'
        option listen_port '6325'
        option delegate '0'
        list addresses '192.168.9.1/24'
        option mtu '1450'
        option private_key 'BLAHBLAHBLAH'

# Single peer 'P1'. allowed_ips is a /32, so only 192.168.9.2 is routed to / accepted from this peer.
# NOTE(review): 'private_key' is not a peer option and should simply be ignored here; if a
# pre-shared key was intended, the peer option is 'preshared_key'.
config wireguard_wg0
        option description 'P1'
        option public_key 'BLAHBLAHBLAH'
        option private_key 'BLAHBLAHBLAH'
        list allowed_ips '192.168.9.2/32'

/etc/config/firewall

# /etc/config/firewall. Router input is ACCEPT by default (the wan zone below overrides it to
# REJECT); forwarding between zones is REJECT unless a 'forwarding' section or a rule allows it.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# The lan zone also contains wg0 and the device tun0 (presumably the OpenVPN tunnel, given the
# 'Allow-OpenVPN' rule — confirm). VPN peers are therefore trusted exactly like wired LAN hosts,
# and 'forward ACCEPT' allows traffic between lan, wg0 and tun0 — this is what lets packets from
# wg0 be forwarded on to 192.168.2.0/24 through the Mikrotik.
# 'tun0' is listed twice; the duplicate is harmless but can be removed.
config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'tun0'
        list device 'tun0'
        list network 'lan'
        list network 'wg0'

# WAN is masqueraded; mtu_fix clamps TCP MSS, which matters on the PPPoE uplink.
config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

# Only lan -> wan is forwarded; nothing is forwarded from wan into lan except via the rules below.
config forwarding
        option src 'lan'
        option dest 'wan'

# The rules from Allow-DHCP-Renew through Allow-ISAKMP look like the stock OpenWrt defaults.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Services the router itself exposes to the Internet (src wan, no 'dest', so router input only):
# SSH on TCP 3560, OpenVPN on TCP 443, WireGuard on 6325. None of these forwards into the LAN.
# Allow-SSH has no 'family', so it applies to both IPv4 and IPv6; presumably dropbear listens on
# 3560 — confirm. If the admin source address is stable, a 'src_ip' restriction would narrow this.
config rule
        option name 'Allow-SSH'
        list proto 'tcp'
        option src 'wan'
        option dest_port '3560'
        option target 'ACCEPT'

config rule 'ovpn'
        option name 'Allow-OpenVPN'
        option src 'wan'
        option dest_port '443'
        option proto 'tcp'
        option target 'ACCEPT'

# Port matches wg0's listen_port 6325. WireGuard is UDP only, so the 'tcp' entry opens a port
# nothing should be listening on and can be dropped.
config rule
        option name 'Allow WG'
        option src 'wan'
        option dest_port '6325'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

Can you help me in this?

You have to open up the firewall of the MT router for traffic coming from 192.168.1.1

Hi egc,
I updated the first post and added my openwrt config.

MT router firewall is turned off: (there is no rule)

You need to add a static route


It won't.

Try 192.168.2.0/24 instead.

You might want to double-check your configuration anyway, regardless of .1 / .0 semantics. Any static route ought to appear in /etc/config/network... and your extract doesn't contain any static route directives.


The Mikrotik must not have NAT set up; this is plain symmetric routing.
I didn't see a 'config route' section in your network config. You need this:

# Static route on OpenWrt: 192.168.2.0/24 is reached via the Mikrotik's address on the lan
# network (192.168.1.193). Note the target is the network address .0/24, not the .1/24 form.
config route
	option target '192.168.2.0/24'
	option interface 'lan'
	option gateway '192.168.1.193'

A route to 192.168.1.0 already exists on the Mikrotik; it was created implicitly when its WAN connection was set up.


Thanks.
Here is the updated config.
It works like a charm for LAN devices on OpenWrt. However, I still cannot ping devices connected to the MT when I am using the wg0 interface.

# /etc/config/network after adding the static routes (the rest is unchanged from the first post).
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7f:7520:0a69::/48'

# LAN bridge: only the VLAN 1 sub-interface eth0.1 is a member; IPv6 on the bridge device is off.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'
        option ipv6 '0'

# 192.168.1.1/24 is the network the Mikrotik's upstream side (192.168.1.193) sits on.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# WAN sub-interface on VLAN 2; the MAC override value is redacted in this paste.
config device
        option name 'eth0.2'
        option macaddr 'BLAHBLAHBLAH'
        option ipv6 '0'

# PPPoE uplink (credentials redacted). peerdns '0' ignores the ISP resolvers in favour of the listed ones.
config interface 'wan'
        option device 'eth0.2'
        option proto 'pppoe'
        option username 'BLAHBLAHBLAH'
        option password 'BLAHBLAHBLAH'
        option ipv6 'auto'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '8.8.8.8'

# IPv6 side of the uplink via DHCPv6 (address and prefix requested); DNS value redacted.
config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        list dns 'BLAHBLAHBLAH'

# Switch VLANs: VLAN 1 (LAN) = ports 4 and 2, VLAN 2 (WAN) = port 1, port 6 tagged on both
# (presumably the CPU port). Port 3 is in neither VLAN — confirm that is intended for this board.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '4 2 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

# WireGuard server: listen port 6325, tunnel address 192.168.9.1/24, MTU 1450.
config interface 'wg0'
        option proto 'wireguard'
        option listen_port '6325'
        option delegate '0'
        list addresses '192.168.9.1/24'
        option mtu '1450'
        option private_key 'BLAHBLAHBLAH'

# Single peer 'P1'. allowed_ips is a /32, so only 192.168.9.2 is routed to / accepted from this peer.
# NOTE(review): 'private_key' is not a peer option; if a pre-shared key was intended, the
# peer option is 'preshared_key'.
config wireguard_wg0
        option description 'P1'
        option public_key 'BLAHBLAHBLAH'
        option private_key 'BLAHBLAHBLAH'
        list allowed_ips '192.168.9.2/32'

# Route for 192.168.2.0/24 via the Mikrotik (192.168.1.193) on the lan network.
# This is the route that makes LAN -> Mikrotik traffic work.
config route
        option target '192.168.2.0/24'
        option gateway '192.168.1.193'
        option interface 'lan'

# NOTE(review): this second route is redundant and is expected to fail to install: 192.168.1.193
# is not on the wg0 link (wg0 is 192.168.9.0/24), so the kernel should refuse a next hop it
# cannot reach through that device. Routing is by destination only, so packets arriving from wg0
# already use the lan route above. The missing piece for VPN clients is a return route on the
# Mikrotik for 192.168.9.0/24 via 192.168.1.1, as suggested later in the thread.
config route
        option interface 'wg0'
        option target '192.168.2.0/24'
        option gateway '192.168.1.193'

Thanks. The MT does have NAT indeed (ether is connected to OpenWrt and ether1 is connected to the DSL modem).

Your config works for OpenWrt-connected devices, but I still have the problem when I use WireGuard. I added another route on the wg0 interface, but the issue still persists.

Does your firewall permit traffic from the WireGuard VPN zone to the LAN? I'm not sure it does; I don't see any rules or zones defined around the wg0 interface.

Actually I assigned LAN zone to wg interface:

Indeed you did, and I should pay more attention. Apologies.

This is where some packet sniffing could be handy, e.g. tcpdump or Wireshark.

It's possible that the outbound ICMP ECHO packets are leaving OpenWRT, but might not be arriving at their destinations.

It's also possible that the ICMP ECHO packets are arriving at their destinations, but are being ignored by the targets.

It's also possible that the targets are replying, but the ICMP ECHO REPLY packets are going astray.

Ping is a great diagnostic tool, but it's important to be aware of its requirements and its limitations, as well as how individual devices may choose to handle such traffic.

No problem dude.
I did a traceroute to 192.168.2.1 while on WireGuard, and it seems to be routed through the 0.0.0.0 gateway (not the MT gateway):

Tracing route to 192.168.2.1 over a maximum of 30 hops

  1   103 ms    88 ms   130 ms  192.168.9.1 (WG interface IP)
  2   129 ms   130 ms   113 ms  (Here is internet provider IP)

Traceroute != ping. Different protocols, different behaviour.

However, routing is routing regardless so, as long as the protocol is permitted, traffic aimed at 192.168.2.0/24 should leave OpenWRT towards the MT device.

Again, packet sniffing would be great. If you can install tcpdump on OpenWRT and kick off three instances of it (three separate SSH sessions), listening on WAN, LAN, and WG0 for ICMP traffic (if using ping; a different protocol/address/port if using other diagnostic tools), the results may help you identify where to direct your troubleshooting efforts.

Just to be clear the overall network is:

Internet via DSL Modem
^
|
OpenWrt router with Wireguard server
^
| 192.168.1.0/24
| -- LAN devices
|
Mikrotik router
^
| 192.168.2.0/24
|
Other LAN Devices

Internet via DSL Modem
^
|
OpenWrt router with Wireguard server
^
| 192.168.1.0/24
| -- LAN devices
|
|
Mikrotik router --> LTE Modem
^
| 192.168.2.0/24
|
Other LAN Devices

So some Internet traffic goes via DSL and some via LTE?

If the default route of the Mikrotik router is via LTE (LAN 2 uses LTE while LAN 1 is on DSL), you would need to install on the Mikrotik a route to 192.168.9.0/24 via 192.168.1.1, so that replies to VPN access to the 2.0 LAN return to the VPN road warrior via the OpenWrt router.

Road warrior (192.168.9.2->192.168.2.5) --> encrypted internet --> DSL modem --> OpenWrt decrypt --> Mikrotik --> LAN 2
The above already happens. The problem is the return packet:
LAN 2 (192.168.2.5->192.168.9.2) --> Mikrotik default route --> LTE modem --> dropped
Adding the 192.168.9.0 return route will make it work properly:
LAN2 --> Mikrotik --> OpenWrt encrypt --> DSL modem --> road warrior


Yes.
Thanks, but still no change.

By the way, here is tcpdump:

01:09:26.734954 IP 192.168.9.2.55985 > 192.168.2.1.80: Flags [S], seq 4012579974, win 65535, options [mss 1380,nop,wscale 6,nop,nop,TS val 133887185 ecr 0,sackOK,eol], length 0
01:09:26.765660 IP 192.168.2.1.80 > 192.168.9.2.55985: Flags [R.], seq 0, ack 4012579975, win 0, length 0
01:09:26.838094 IP 192.168.9.2.55986 > 192.168.2.1.80: Flags [S], seq 4050401349, win 65535, options [mss 1380,nop,wscale 6,nop,nop,TS val 3204443125 ecr 0,sackOK,eol], length 0
01:09:28.005444 IP 192.168.2.1.80 > 192.168.9.2.55986: Flags [R.], seq 0, ack 4050401350, win 0, length 0
01:09:28.805981 IP 192.168.9.2.55986 > 192.168.2.1.80: Flags [S], seq 4050401349, win 65535, options [mss 1380,nop,wscale 6,nop,nop,TS val 3204445128 ecr 0,sackOK,eol], length 0
01:09:28.975474 IP 192.168.2.1.80 > 192.168.9.2.55986: Flags [R.], seq 0, ack 1, win 0, length 0

I'm not a Mikrotik expert - yet - but that screenshot looks like you've set up a Source NAT rule, not a static route.

(I do have a RouterOS license which I probably ought to stick on a VM at some point so that I can become a Mikrotik expert, but it hasn't happened yet.)