Accessing LAN behind Wireguard VPN

Hello, I'm sorry to bother you, but I have a problem similar to the one many other users with an OpenWrt router have had.

I installed WireGuard following Chris Buchan's guide (https://chrisbuchan.co.uk/computing/wireguard-setup-openwrt/).

I can make a connection to the router from my phone but I can’t access the servers on the lan.

I already tried some solutions which are mentioned on this forum but with no luck.

Can someone help me to figure out what I am doing wrong?

Thank you very much.

/etc/config/network

# Loopback interface (127.0.0.1/8).
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# Site-wide IPv6 unique-local (ULA) prefix.
config globals 'globals'
	option ula_prefix 'fdac:59cf:6adc::/48'

# LAN bridge on eth1.1; the router is 192.168.8.1/24. The NAS discussed in the
# thread (192.168.8.251) is in this subnet.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.8.1'
	list dns '1.1.1.1'

# Upstream link on eth0.2 with a static private address (192.168.1.2/24,
# gateway 192.168.1.1).
# NOTE(review): a private WAN address suggests this router sits behind another
# gateway - confirm.
config interface 'wan'
	option ifname 'eth0.2'
	option proto 'static'
	option gateway '192.168.1.1'
	option ipaddr '192.168.1.2'
	list dns '1.1.1.1'
	option netmask '255.255.255.0'

# IPv6 on the same upstream device, configured by DHCPv6.
config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

# Switch with VLAN support enabled.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1: ports 1-4 plus port 6 tagged ('t'); presumably the LAN ports and the
# CPU port behind eth1.1.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

# VLAN 2: port 5 plus port 0 tagged; presumably the WAN port and the CPU port
# behind eth0.2.
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

# Guest network, 192.168.3.1/24. No device is named in this section; it is
# presumably attached from the wireless configuration.
config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

# DHCP client interface. Per the poster this is a phone hotspot used as an
# emergency uplink and is normally de-activated.
config interface 'wwan'
	option proto 'dhcp'

# WireGuard interface on the router: listens on UDP 51820 and holds
# 10.200.200.1 in the 10.200.200.0/24 tunnel subnet.
config interface 'wg0'
	option proto 'wireguard'
	# Value redacted by the poster; this is the router's own WireGuard private key.
	option private_key 'private key'
	option listen_port '51820'
	list addresses '10.200.200.1/24'

# Peer entry for the phone.
config wireguard_wg0
	option description 'AndroidPhone'
	# Only packets sourced from 10.200.200.2 are accepted from this peer. The
	# capture in the thread shows that address reaching the LAN unchanged, so
	# LAN hosts see 10.200.200.2, not a 192.168.8.x address, as the source.
	list allowed_ips '10.200.200.2/32'
	# Installs a route for the allowed_ips above through wg0.
	option route_allowed_ips '1'
	# Keepalive interval in seconds.
	option persistent_keepalive '25'
	# Value redacted by the poster; this is the phone's public key.
	option public_key 'public key'

/etc/config/firewall

# Global defaults: SYN-flood protection on; input and output accepted,
# forwarding rejected.
# NOTE(review): as far as I can tell these policies apply only where no zone
# policy does; the wan zone below sets its own input REJECT.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# The lan zone covers both the LAN bridge and wg0, so VPN peers are treated
# like wired LAN hosts: full access to the router (input ACCEPT) and free
# forwarding between wg0 and lan (forward ACCEPT). No masquerading is set here,
# so LAN hosts see the peer's tunnel address as the source.
# NOTE(review): a separate zone for wg0 with explicit forwardings would allow
# VPN access to be narrowed to the hosts and ports that are actually needed.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wg0'

# The wan zone (wan, wan6, wwan): inbound and forwarded traffic is rejected
# unless a rule or redirect allows it; outbound traffic is masqueraded and the
# TCP MSS is clamped (mtu_fix).
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 wwan'

# Lets the lan zone, which includes wg0, forward to wan. With the phone's
# Allowed IPs set to 0.0.0.0/0, its internet traffic takes this path.
config forwarding
	option src 'lan'
	option dest 'wan'

# Accept IPv4 UDP to port 68 from wan (DHCP replies to the router).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Accept IPv4 ICMP echo-request from wan, so the router answers ping on its
# upstream side.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# Accept IPv4 IGMP from wan.
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# Accept DHCPv6 (UDP port 546) from wan between addresses in fc00::/6.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept the listed ICMPv6 types (130, 131, 132, 143: multicast listener
# discovery) from link-local sources on wan.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept the listed ICMPv6 types addressed to the router from wan, limited to
# 1000 packets per second.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forward the listed ICMPv6 types from wan to any zone (dest '*'), limited to
# 1000 packets per second.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forward ESP from wan into the lan zone. No dest_ip is given, so the rule is
# not limited to a single host; the lan zone of this file also contains wg0.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# Forward UDP port 500 (ISAKMP) from wan into the lan zone, again without a
# dest_ip restriction.
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Loads additional custom rules from /etc/firewall.user (contents not shown).
config include
	option path '/etc/firewall.user'

# Every redirect below is a DNAT port forward from the wan zone to one LAN
# host, 192.168.8.252.
# NOTE(review): each forward exposes a service on that host to whatever reaches
# the wan side. With the WireGuard tunnel working, forwards that exist only for
# remote access could be dropped and the services reached through the tunnel.

# L2TP, UDP 1701.
config redirect
	option src 'wan'
	option name 'L2TP (VPN)'
	option target 'DNAT'
	option dest_ip '192.168.8.252'
	option dest 'lan'
	list proto 'udp'
	option dest_port '1701'
	option src_dport '1701'

# PPTP control channel, TCP 1723.
# NOTE(review): PPTP's MS-CHAPv2 authentication is considered broken; confirm
# this forward is still needed.
config redirect
	option src 'wan'
	option name 'PPTP (VPN) '
	option src_dport '1723'
	option target 'DNAT'
	option dest_ip '192.168.8.252'
	option dest 'lan'
	list proto 'tcp'
	option dest_port '1723'

# Exact duplicate of the L2TP redirect above.
config redirect
	option src 'wan'
	option name 'L2TP (VPN)'
	option target 'DNAT'
	option dest_ip '192.168.8.252'
	option dest 'lan'
	list proto 'udp'
	option dest_port '1701'
	option src_dport '1701'

# Exact duplicate of the PPTP redirect above.
config redirect
	option src 'wan'
	option name 'PPTP (VPN) '
	option src_dport '1723'
	option target 'DNAT'
	option dest_ip '192.168.8.252'
	option dest 'lan'
	list proto 'tcp'
	option dest_port '1723'

# OpenVPN, TCP and UDP 1194.
config redirect
	option src 'wan'
	option name 'OPENVPN (VPN)'
	option dest 'lan'
	option dest_ip '192.168.8.252'
	option target 'DNAT'
	option dest_port '1194'
	list proto 'tcp'
	list proto 'udp'
	option src_dport '1194'

# TCP 13131, named 'telnet'.
# NOTE(review): if the service behind this port really is telnet, logins cross
# the upstream network in cleartext; moving the port does not change that.
config redirect
	option dest_port '13131'
	option src 'wan'
	option name 'telnet'
	option src_dport '13131'
	option target 'DNAT'
	option dest_ip '192.168.8.252'
	option dest 'lan'
	list proto 'tcp'

# Web server, TCP 8081.
config redirect
	option dest_port '8081'
	option src 'wan'
	option name 'webserver'
	option src_dport '8081'
	option target 'DNAT'
	option dest_ip '192.168.8.252'
	option dest 'lan'
	list proto 'tcp'

# ISAKMP, UDP 500. The same port is also opened wan -> lan by the
# 'Allow-ISAKMP' rule of this file.
config redirect
	option dest_port '500'
	option src 'wan'
	option src_dport '500'
	option target 'DNAT'
	option dest_ip '192.168.8.252'
	option dest 'lan'
	list proto 'udp'
	option name 'ISAKMP (VPN)'

# IPsec NAT traversal, UDP 4500.
config redirect
	option dest_port '4500'
	option src 'wan'
	option name 'IPSec NAT (VPN)'
	option src_dport '4500'
	option target 'DNAT'
	option dest_ip '192.168.8.252'
	option dest 'lan'
	list proto 'udp'

# FTP data, TCP 20.
# NOTE(review): plain FTP carries credentials and data unencrypted; this
# applies to the control-channel forward below as well.
config redirect
	option dest_port '20'
	option src 'wan'
	option name 'FTP (DATA)'
	option src_dport '20'
	option target 'DNAT'
	option dest_ip '192.168.8.252'
	option dest 'lan'
	list proto 'tcp'

# FTP control, TCP 21.
config redirect
	option dest_port '21'
	option src 'wan'
	option name 'FTP (CONTROL)'
	option src_dport '21'
	option target 'DNAT'
	option dest_ip '192.168.8.252'
	option dest 'lan'
	list proto 'tcp'

# Guest zone: traffic to the router and forwarded traffic are rejected unless
# a rule or forwarding below allows it.
config zone 'guest'
	option name 'guest'
	option network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# The only forwarding defined for guest is towards wan; none is defined towards
# the lan zone (lan and wg0).
config forwarding 'guest_wan'
	option src 'guest'
	option dest 'wan'

# Lets guests reach port 53 (DNS) on the router over TCP and UDP.
config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcpudp'
	option target 'ACCEPT'

# Lets guests reach UDP port 67 (DHCP) on the router over IPv4.
config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option family 'ipv4'
	option proto 'udp'
	option target 'ACCEPT'

# Accepts UDP 51820, the listen port of wg0, on the router itself from every
# zone (src '*').
# NOTE(review): if the tunnel is only ever dialled from outside, src 'wan'
# would be enough; the lan zone already accepts input, and the port would then
# stay closed to guest.
config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '51820'
	option name 'Allow-Wireguard-Inbound'

Android client

Public key public_key
Addresses 10.200.200.2/32
DNS server 192.168.8.1

Peer

public key public_key
Endpoint ddns:51820
Allowed IP's 0.0.0.0/0


On the Android client, the interface entry should be the private key, and the address should be /24.
Other than that I don't see anything wrong.
Do you have 2 gateways? wan and wwan? Are you sure the replies go out of the same interface as the solicitations come in?
Also there is an official and tested guide.


The android app shows 'Public key' for both the interface and peer so it's probably a direct copy of what is shown in the app. The address on the client is also correct as a /32.

@tommiedepommie Is the wireguard connection coming up correctly? Showing as connected on your phone? What's the output of the wg command on the router?

Let's stick to the guides since the server also has the /24 address.

I stand corrected.


The guide is for setting up a client on an OpenWRT device. That's not what's being done here. The 'server' should have a /24 (if you want to use that method of routing), but the client config (on the android device) is set up correctly with a /32 address.

I have /24 on my Android client.


The wiki how-to works fine for multi-client configuration:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#automated

It is tested with OpenWrt, general-purpose Linux and Android WireGuard clients.


So? I never said it wouldn't work with a /24, but my point was that as a single end device the address is properly configured as a /32. You're only ever going to be sending data to or receiving data from that one single IP anyway (due to the allowed IP field).

Thank you for the quick replies,

trendy wrote:
> Do you have 2 gateways? wan and wwan?

In case of emergency I can use my phone's hotspot as the internet gateway.

My Android phone connects correctly to my router. I can see it connecting under Status -> WireGuard Status:
Persistent Keepalive: 25s
Latest Handshake: Thu, 04 Mar 2021 16:34:31 GMT (34s ago)
Data Received: 558 KiB
Data Transmitted: 2 MiB

Can you access Luci from your phone? Or SSH to your router? (Obviously while connected remotely through the WG connection)


Change the DNS server on the Android client to this:

10.200.200.1

You implied it though, because the guide is for OpenWrt and not Android.
I'll agree that it shouldn't make much difference anyway and the problem is elsewhere, so let's leave it aside.

But are they both active?
ip -a addr; ip -4 ro li table all; ip -4 ru


No, only wan is active. The other one is de-activated.

DNS changing to 10.200.200.1 doesn't change anything.

Here's part of the capture


    10.200.200.2.43000 > 192.168.8.251.445: Flags [S], cksum 0x7e03 (correct), seq 1148139999, win 65535, options [mss 1240,sackOK,TS val 32572533 ecr 0,nop,wscale 8], length 0
17:45:45.241120  In ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 5740, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43002 > 192.168.8.251.445: Flags [S], cksum 0x0ac3 (correct), seq 3814788651, win 65535, options [mss 1240,sackOK,TS val 32572533 ecr 0,nop,wscale 8], length 0
17:45:45.241169 Out dc:ef:09:f2:6e:bc ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 5740, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43002 > 192.168.8.251.445: Flags [S], cksum 0x0ac3 (correct), seq 3814788651, win 65535, options [mss 1240,sackOK,TS val 32572533 ecr 0,nop,wscale 8], length 0
17:45:45.241202 Out dc:ef:09:f2:6e:bc ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 5740, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43002 > 192.168.8.251.445: Flags [S], cksum 0x0ac3 (correct), seq 3814788651, win 65535, options [mss 1240,sackOK,TS val 32572533 ecr 0,nop,wscale 8], length 0
17:45:46.282205  In ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 5741, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43002 > 192.168.8.251.445: Flags [S], cksum 0x06c3 (correct), seq 3814788651, win 65535, options [mss 1240,sackOK,TS val 32573557 ecr 0,nop,wscale 8], length 0
17:45:46.282291 Out dc:ef:09:f2:6e:bc ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 5741, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43002 > 192.168.8.251.445: Flags [S], cksum 0x06c3 (correct), seq 3814788651, win 65535, options [mss 1240,sackOK,TS val 32573557 ecr 0,nop,wscale 8], length 0
17:45:46.282316 Out dc:ef:09:f2:6e:bc ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 5741, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43002 > 192.168.8.251.445: Flags [S], cksum 0x06c3 (correct), seq 3814788651, win 65535, options [mss 1240,sackOK,TS val 32573557 ecr 0,nop,wscale 8], length 0
17:45:46.282383  In ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 8610, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43000 > 192.168.8.251.445: Flags [S], cksum 0x7a03 (correct), seq 1148139999, win 65535, options [mss 1240,sackOK,TS val 32573557 ecr 0,nop,wscale 8], length 0
17:45:46.282429 Out dc:ef:09:f2:6e:bc ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 8610, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43000 > 192.168.8.251.445: Flags [S], cksum 0x7a03 (correct), seq 1148139999, win 65535, options [mss 1240,sackOK,TS val 32573557 ecr 0,nop,wscale 8], length 0
17:45:46.282448 Out dc:ef:09:f2:6e:bc ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 8610, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43000 > 192.168.8.251.445: Flags [S], cksum 0x7a03 (correct), seq 1148139999, win 65535, options [mss 1240,sackOK,TS val 32573557 ecr 0,nop,wscale 8], length 0
17:45:48.279324  In ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 8611, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43000 > 192.168.8.251.445: Flags [S], cksum 0x7223 (correct), seq 1148139999, win 65535, options [mss 1240,sackOK,TS val 32575573 ecr 0,nop,wscale 8], length 0
17:45:48.279401 Out dc:ef:09:f2:6e:bc ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 8611, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43000 > 192.168.8.251.445: Flags [S], cksum 0x7223 (correct), seq 1148139999, win 65535, options [mss 1240,sackOK,TS val 32575573 ecr 0,nop,wscale 8], length 0
17:45:48.279425 Out dc:ef:09:f2:6e:bc ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 8611, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43000 > 192.168.8.251.445: Flags [S], cksum 0x7223 (correct), seq 1148139999, win 65535, options [mss 1240,sackOK,TS val 32575573 ecr 0,nop,wscale 8], length 0
17:45:48.279467  In ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 5742, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43002 > 192.168.8.251.445: Flags [S], cksum 0xfee2 (correct), seq 3814788651, win 65535, options [mss 1240,sackOK,TS val 32575573 ecr 0,nop,wscale 8], length 0
17:45:48.279515 Out dc:ef:09:f2:6e:bc ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 5742, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43002 > 192.168.8.251.445: Flags [S], cksum 0xfee2 (correct), seq 3814788651, win 65535, options [mss 1240,sackOK,TS val 32575573 ecr 0,nop,wscale 8], length 0
17:45:48.279535 Out dc:ef:09:f2:6e:bc ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 5742, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43002 > 192.168.8.251.445: Flags [S], cksum 0xfee2 (correct), seq 3814788651, win 65535, options [mss 1240,sackOK,TS val 32575573 ecr 0,nop,wscale 8], length 0
17:45:52.476675  In ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 37613, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43004 > 192.168.8.251.445: Flags [S], cksum 0x1f00 (correct), seq 261992876, win 65535, options [mss 1240,sackOK,TS val 32579705 ecr 0,nop,wscale 8], length 0
17:45:52.476842 Out dc:ef:09:f2:6e:bc ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 37613, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43004 > 192.168.8.251.445: Flags [S], cksum 0x1f00 (correct), seq 261992876, win 65535, options [mss 1240,sackOK,TS val 32579705 ecr 0,nop,wscale 8], length 0
17:45:52.476870 Out dc:ef:09:f2:6e:bc ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 37613, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43004 > 192.168.8.251.445: Flags [S], cksum 0x1f00 (correct), seq 261992876, win 65535, options [mss 1240,sackOK,TS val 32579705 ecr 0,nop,wscale 8], length 0
17:45:53.419542  In ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 37614, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43004 > 192.168.8.251.445: Flags [S], cksum 0x1b05 (correct), seq 261992876, win 65535, options [mss 1240,sackOK,TS val 32580724 ecr 0,nop,wscale 8], length 0
17:45:53.419652 Out dc:ef:09:f2:6e:bc ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 37614, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43004 > 192.168.8.251.445: Flags [S], cksum 0x1b05 (correct), seq 261992876, win 65535, options [mss 1240,sackOK,TS val 32580724 ecr 0,nop,wscale 8], length 0
17:45:53.419678 Out dc:ef:09:f2:6e:bc ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 37614, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43004 > 192.168.8.251.445: Flags [S], cksum 0x1b05 (correct), seq 261992876, win 65535, options [mss 1240,sackOK,TS val 32580724 ecr 0,nop,wscale 8], length 0
17:45:54.470625  In ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 37615, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43004 > 192.168.8.251.445: Flags [S], cksum 0x1704 (correct), seq 261992876, win 65535, options [mss 1240,sackOK,TS val 32581749 ecr 0,nop,wscale 8], length 0
17:45:54.470685 Out dc:ef:09:f2:6e:bc ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 37615, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43004 > 192.168.8.251.445: Flags [S], cksum 0x1704 (correct), seq 261992876, win 65535, options [mss 1240,sackOK,TS val 32581749 ecr 0,nop,wscale 8], length 0
17:45:54.470709 Out dc:ef:09:f2:6e:bc ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 37615, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43004 > 192.168.8.251.445: Flags [S], cksum 0x1704 (correct), seq 261992876, win 65535, options [mss 1240,sackOK,TS val 32581749 ecr 0,nop,wscale 8], length 0
17:45:55.478427  In ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 37616, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43004 > 192.168.8.251.445: Flags [S], cksum 0x1304 (correct), seq 261992876, win 65535, options [mss 1240,sackOK,TS val 32582773 ecr 0,nop,wscale 8], length 0
17:45:55.478512 Out dc:ef:09:f2:6e:bc ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 37616, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43004 > 192.168.8.251.445: Flags [S], cksum 0x1304 (correct), seq 261992876, win 65535, options [mss 1240,sackOK,TS val 32582773 ecr 0,nop,wscale 8], length 0
17:45:55.478537 Out dc:ef:09:f2:6e:bc ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 37616, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43004 > 192.168.8.251.445: Flags [S], cksum 0x1304 (correct), seq 261992876, win 65535, options [mss 1240,sackOK,TS val 32582773 ecr 0,nop,wscale 8], length 0
17:45:56.501872  In ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 37617, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43004 > 192.168.8.251.445: Flags [S], cksum 0x0f04 (correct), seq 261992876, win 65535, options [mss 1240,sackOK,TS val 32583797 ecr 0,nop,wscale 8], length 0
17:45:56.501937 Out dc:ef:09:f2:6e:bc ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 37617, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43004 > 192.168.8.251.445: Flags [S], cksum 0x0f04 (correct), seq 261992876, win 65535, options [mss 1240,sackOK,TS val 32583797 ecr 0,nop,wscale 8], length 0
17:45:56.501957 Out dc:ef:09:f2:6e:bc ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 37617, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43004 > 192.168.8.251.445: Flags [S], cksum 0x0f04 (correct), seq 261992876, win 65535, options [mss 1240,sackOK,TS val 32583797 ecr 0,nop,wscale 8], length 0
17:45:57.561768  In ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 37618, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43004 > 192.168.8.251.445: Flags [S], cksum 0x0b04 (correct), seq 261992876, win 65535, options [mss 1240,sackOK,TS val 32584821 ecr 0,nop,wscale 8], length 0
17:45:57.561849 Out dc:ef:09:f2:6e:bc ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 37618, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43004 > 192.168.8.251.445: Flags [S], cksum 0x0b04 (correct), seq 261992876, win 65535, options [mss 1240,sackOK,TS val 32584821 ecr 0,nop,wscale 8], length 0
17:45:57.561875 Out dc:ef:09:f2:6e:bc ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 37618, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43004 > 192.168.8.251.445: Flags [S], cksum 0x0b04 (correct), seq 261992876, win 65535, options [mss 1240,sackOK,TS val 32584821 ecr 0,nop,wscale 8], length 0
17:45:59.546808  In ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 37619, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43004 > 192.168.8.251.445: Flags [S], cksum 0x0324 (correct), seq 261992876, win 65535, options [mss 1240,sackOK,TS val 32586837 ecr 0,nop,wscale 8], length 0
17:45:59.546901 Out dc:ef:09:f2:6e:bc ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 37619, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43004 > 192.168.8.251.445: Flags [S], cksum 0x0324 (correct), seq 261992876, win 65535, options [mss 1240,sackOK,TS val 32586837 ecr 0,nop,wscale 8], length 0
17:45:59.546929 Out dc:ef:09:f2:6e:bc ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 37619, offset 0, flags [DF], proto TCP (6), length 60)
    10.200.200.2.43004 > 192.168.8.251.445: Flags [S], cksum 0x0324 (correct), seq 261992876, win 65535, options [mss 1240,sackOK,TS val 32586837 ecr 0,nop,wscale 8], length 0
^C
144 packets captured
154 packets received by filter
2 packets dropped by kernel


Set up a capture on the OpenWrt router:
opkg update; opkg install tcpdump; tcpdump -i any -env host 10.200.200.2
Then start some traffic from the client. Stop with Ctrl-c and post here the output.


Are the devices you're trying to reach on the 192.168.8.0/24 subnet?


Yes, 192.168.8.251. It is a NAS server that I'm trying to connect to with X-plore manager on Android.

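Check the firewall settings on the destination host.
Make sure it doesn't restrict incoming connections from the VPN subnet (10.200.200.0/24): the posted part of the capture shows the SYNs to 192.168.8.251 leaving the router with source 10.200.200.2 and no reply coming back.
If it does restrict them, allow the VPN subnet there rather than lifting the restriction altogether.
Windows firewall allows only local subnet by default.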


LOL. Got it.

I had secured my QNAP server with "only allow network access from 192.168.8.0".
I removed that entry and it connects immediately.

Thank you Vgaetera for your hint on the security.
Thanks all for the quick and perfect assistance for this dumbo.

Grtzz tom


I'll secure my server with other methods, no problem.

thanks again
