After adding WireGuard to LAN firewall zone, all traffic is being blocked

I have followed the basic setup steps for WireGuard described at https://openwrt.org/docs/guide-user/services/vpn/wireguard/basic On two of my routers it works fine. On the third one it did until a few days ago, when I made some changes (created a second wg device). After that, communication was totally blocked. The router wouldn't even accept packets from any local device. I couldn't SSH to it anymore, not even ping it. Strangely, and fortunately, the web interface could still be reached. So I restored a backup of the config from before I had made the changes, but as soon as I had reinstalled the WireGuard packages, the same would happen. I have no idea what's going on. I turned on logging for the LAN firewall zone, but I don't see any notices of rejected packets either (does it report only rejected or also dropped packets when you turn on logging through LuCI?)

The repeatable way of blocking all traffic between the LAN and the rest of the world is to add the wg0 device to the lan firewall zone, then restart the firewall and the network services. After that, everything is reliably blocked, and I don't see the slightest hint in the log as to why this might be the case. Does anyone have any suggestion?

Probably easiest if you post your config files:

/etc/config/network
/etc/config/firewall

And your remote peer's WireGuard config.

Please redact your keys and any public IP addresses, but do not change your private IPs, and make sure anything you change or redact is clearly indicated so we know it is not a mistake.


I was just about to do as you advised, but now it is suddenly working. Nice, but not so nice that I have no understanding why it does and what the problem was. I will return if the problem comes back.

Glad it is working, but it still makes sense to post your config files for review -- we can theoretically help proactively (assuming we can indeed spot a problem with the config).
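One way to sanity-check /etc/config/firewall before posting it, as an added example that is not from this thread or from OpenWrt: a small Python script that parses UCI syntax (config/option/list lines) and reports which zone a given interface belongs to, which input/forward policy then applies, and whether wan accepts the WireGuard listen port. An interface that appears in no zone at all falls under the defaults section, which is REJECT in a stock config, so the script shows that case as well. The embedded firewall text is a constructed sample mirroring the guide's layout (wg0 listed in the lan zone, placeholder port 51820); parse_uci, audit_network and wan_accepts_udp_port are names chosen here.

```python
import shlex

# Constructed sample of /etc/config/firewall (not from the thread): wg0 is
# listed in the lan zone and a wan rule accepts UDP to the listen port.
SAMPLE_FIREWALL = """
config defaults
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option synflood_protect '1'

config zone
    option name 'lan'
    list network 'lan'
    list network 'wg0'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-WireGuard'
    option src 'wan'
    option dest_port '51820'
    option proto 'udp'
    option target 'ACCEPT'
"""


def _as_list(value):
    """UCI accepts both 'option k "a b"' and repeated 'list k'; normalise to a list."""
    if value is None:
        return []
    if isinstance(value, list):
        return value
    return value.split()


def parse_uci(text):
    """Parse UCI text into ordered sections: {'type', 'name', 'options'}."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)  # handles quotes and '#' comments
        if not parts:
            continue
        keyword = parts[0]
        if keyword == 'config':
            sections.append({'type': parts[1],
                             'name': parts[2] if len(parts) > 2 else None,
                             'options': {}})
        elif keyword in ('option', 'list') and sections:
            value = parts[2] if len(parts) > 2 else ''
            opts = sections[-1]['options']
            if keyword == 'option':
                opts[parts[1]] = value
            else:
                opts.setdefault(parts[1], []).append(value)
    return sections


def zones_for_network(sections, net):
    """Names of every zone whose 'network' option/list includes the interface."""
    return [s['options'].get('name') for s in sections
            if s['type'] == 'zone' and net in _as_list(s['options'].get('network'))]


def audit_network(text, net):
    """Zone membership, effective input/forward policy and forwardings for one interface."""
    sections = parse_uci(text)
    defaults = next((s['options'] for s in sections if s['type'] == 'defaults'), {})
    zones = zones_for_network(sections, net)
    report = {'network': net, 'zones': zones, 'forward_to': []}
    zone = {}
    if zones:
        zone = next(s['options'] for s in sections
                    if s['type'] == 'zone' and s['options'].get('name') == zones[0])
        report['forward_to'] = [s['options'].get('dest') for s in sections
                                if s['type'] == 'forwarding' and s['options'].get('src') == zones[0]]
    # An interface covered by no zone is governed by the 'defaults' policy
    # (REJECT for input and forward in a stock config); fall back to that.
    report['input'] = zone.get('input', defaults.get('input', 'REJECT'))
    report['forward'] = zone.get('forward', defaults.get('forward', 'REJECT'))
    return report


def wan_accepts_udp_port(sections, port):
    """True if some rule from wan accepts UDP to the given port (the WireGuard listener)."""
    for s in sections:
        o = s['options']
        if s['type'] != 'rule' or o.get('src') != 'wan' or o.get('target') != 'ACCEPT':
            continue
        protos = _as_list(o.get('proto', 'tcp udp'))  # UCI default proto is 'tcp udp'
        if 'udp' not in protos and 'all' not in protos:
            continue
        if str(port) in _as_list(o.get('dest_port')):
            return True
    return False


if __name__ == '__main__':
    secs = parse_uci(SAMPLE_FIREWALL)
    for iface in ('lan', 'wg0', 'wg1'):
        print(audit_network(SAMPLE_FIREWALL, iface))
    print('wan accepts udp/51820:', wan_accepts_udp_port(secs, 51820))
```

On a real router the same functions can be fed the contents of /etc/config/firewall; comparing the report for each wg interface (zones, input policy, forwardings) before and after a change is a quicker first check than reading the whole file by eye.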