Can you post the output of
uci export network; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; wg
from both routers again.
OK Here it goes...
Router 192.168.98.254
uci export network; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; wg
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd99:0306:2fe1::/48'
config interface 'lan'
option ifname 'eth0'
option proto 'static'
option ipaddr '192.168.98.254'
option netmask '255.255.255.0'
option ip6assign '60'
option gateway '192.168.99.254'
list dns '8.8.8.8'
list dns '9.9.9.9'
list dns '1.1.1.1'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
config interface 'wg0'
option proto 'wireguard'
option private_key 'PRIVATE_KEY'
option listen_port '51888'
config wireguard_wg0
option description 'ow3'
option public_key 'PEER_PUBLIC_KEY'
option route_allowed_ips '1'
list allowed_ips '192.168.96.0/24'
config route
option interface 'wg0'
option target '192.168.96.0'
option netmask '255.255.255.0'
option gateway '192.168.99.96'
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option ra_management '1'
option start '10'
option limit '40'
list dhcp_option '42,192.168.98.254'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config host
option dns '1'
option mac '2C:9E:FC:09:D9:42'
option ip '192.168.98.100'
option name 'mg5250'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option family 'ipv4'
list proto 'udp'
option src 'wan'
option target 'ACCEPT'
option name 'Allow WireGuard'
option dest_port '51888'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config zone
option name 'Intercom'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option network 'wg0'
config forwarding
option src 'Intercom'
option dest 'lan'
config forwarding
option dest 'Intercom'
config forwarding
option dest 'Intercom'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.7 on Fri Feb 26 17:53:24 2021
*nat
:PREROUTING ACCEPT [392:68393]
:INPUT ACCEPT [149:11466]
:OUTPUT ACCEPT [242:20263]
:POSTROUTING ACCEPT [68:8820]
:postrouting_Intercom_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_Intercom_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_Intercom_postrouting - [0:0]
:zone_Intercom_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[392:68393] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[384:66304] -A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_lan_prerouting
[8:2089] -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_Intercom_prerouting
[428:67657] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[4:1314] -A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_lan_postrouting
[360:58837] -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_Intercom_postrouting
[0:0] -A zone_Intercom_postrouting -m comment --comment "!fw3: Custom Intercom postrouting rule chain" -j postrouting_Intercom_rule
[0:0] -A zone_Intercom_prerouting -m comment --comment "!fw3: Custom Intercom prerouting rule chain" -j prerouting_Intercom_rule
[4:1314] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[384:66304] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[360:58837] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[360:58837] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[8:2089] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Fri Feb 26 17:53:24 2021
# Generated by iptables-save v1.8.7 on Fri Feb 26 17:53:24 2021
*mangle
:PREROUTING ACCEPT [7533:2790524]
:INPUT ACCEPT [3028:481971]
:FORWARD ACCEPT [4455:2301069]
:OUTPUT ACCEPT [3225:1181404]
:POSTROUTING ACCEPT [7667:3483105]
[143:7448] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[135:6968] -A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Feb 26 17:53:24 2021
# Generated by iptables-save v1.8.7 on Fri Feb 26 17:53:24 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_Intercom_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_Intercom_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_Intercom_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_Intercom_dest_ACCEPT - [0:0]
:zone_Intercom_dest_REJECT - [0:0]
:zone_Intercom_forward - [0:0]
:zone_Intercom_input - [0:0]
:zone_Intercom_output - [0:0]
:zone_Intercom_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[1136:105949] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[1893:376062] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[1527:327798] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[4:208] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[340:43635] -A INPUT -i eth0 -m comment --comment "!fw3" -j zone_lan_input
[26:4629] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_Intercom_input
[4455:2301069] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[4258:2253103] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[197:47966] -A FORWARD -m comment --comment "!fw3: Zone * to Intercom forwarding policy" -j zone_Intercom_dest_ACCEPT
[197:47966] -A FORWARD -m comment --comment "!fw3: Zone * to Intercom forwarding policy" -j zone_Intercom_dest_ACCEPT
[197:47966] -A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_Intercom_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[1145:106657] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[2085:1075811] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[1888:1060548] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[10:3300] -A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_lan_output
[187:11963] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_Intercom_output
[14:953] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[12:3676] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[4:208] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_Intercom_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_Intercom_dest_REJECT -o wg0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_Intercom_forward -m comment --comment "!fw3: Custom Intercom forwarding rule chain" -j forwarding_Intercom_rule
[0:0] -A zone_Intercom_forward -m comment --comment "!fw3: Zone Intercom to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_Intercom_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_Intercom_forward -m comment --comment "!fw3" -j zone_Intercom_dest_REJECT
[0:0] -A zone_Intercom_input -m comment --comment "!fw3: Custom Intercom input rule chain" -j input_Intercom_rule
[0:0] -A zone_Intercom_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_Intercom_input -m comment --comment "!fw3" -j zone_Intercom_src_ACCEPT
[0:0] -A zone_Intercom_output -m comment --comment "!fw3: Custom Intercom output rule chain" -j output_Intercom_rule
[0:0] -A zone_Intercom_output -m comment --comment "!fw3" -j zone_Intercom_dest_ACCEPT
[0:0] -A zone_Intercom_src_ACCEPT -i wg0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[10:3300] -A zone_lan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
[197:47966] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[197:47966] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[340:43635] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[340:43635] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[10:3300] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[10:3300] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[340:43635] -A zone_lan_src_ACCEPT -i eth0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[17:680] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[367:59249] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[26:4629] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 51888 -m comment --comment "!fw3: Allow WireGuard" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[26:4629] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[187:11963] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[187:11963] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[26:4629] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Feb 26 17:53:24 2021
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
inet 192.168.98.254/24 brd 192.168.98.255 scope global eth0
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
inet 192.168.99.98/24 brd 192.168.99.255 scope global eth1
valid_lft forever preferred_lft forever
default via 192.168.99.254 dev eth1 src 192.168.99.98
192.168.96.0/24 dev wg0 scope link
192.168.98.0/24 dev eth0 scope link src 192.168.98.254
192.168.99.0/24 dev eth1 scope link src 192.168.99.98
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.98.0 dev eth0 table local scope link src 192.168.98.254
local 192.168.98.254 dev eth0 table local scope host src 192.168.98.254
broadcast 192.168.98.255 dev eth0 table local scope link src 192.168.98.254
broadcast 192.168.99.0 dev eth1 table local scope link src 192.168.99.98
local 192.168.99.98 dev eth1 table local scope host src 192.168.99.98
broadcast 192.168.99.255 dev eth1 table local scope link src 192.168.99.98
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
interface: wg0
public key: PUBLIC_KEY
private key: (hidden)
listening port: 51888
peer: PEER_PUBLIC_KEY
allowed ips: 192.168.96.0/24
The other on next post as too big!
Router 192.168.96.254
uci export network; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; wg
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fded:7984:1d2e::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '192.168.99.254'
option gateway '192.168.96.254’
option ipaddr '192.168.96.254’
config interface 'WAN'
option ifname 'eth1'
option proto 'dhcp'
config interface 'wg0'
option proto 'wireguard'
option private_key ‘PRI’VATE_KEY
option listen_port '51888'
config wireguard_wg0
option public_key ‘PEER_PUBLIC_KEY
option description 'ow4'
option route_allowed_ips '1'
list allowed_ips '192.168.98.0/24'
config route
option target '192.168.98.0'
option gateway '192.168.99.98'
option netmask '255.255.255.0'
option interface 'wg0'
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config host
option mac 'B8:27:EB:1A:8A:7A'
option name 'pi2'
option dns '1'
option ip '192.168.96.98'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6 WAN'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option src 'wan'
option family 'ipv4'
option target 'ACCEPT'
list proto 'udp'
option name 'Allow WireGuard'
option dest_port '51888'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option input 'ACCEPT'
option name 'Intercom'
option output 'ACCEPT'
option network 'wg0'
option forward 'REJECT'
config forwarding
option dest 'lan'
option src 'Intercom'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.3 on Fri Feb 26 11:10:59 2021
*nat
:PREROUTING ACCEPT [150:24301]
:INPUT ACCEPT [62:4586]
:OUTPUT ACCEPT [58:4302]
:POSTROUTING ACCEPT [1:74]
:postrouting_Intercom_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_Intercom_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_Intercom_postrouting - [0:0]
:zone_Intercom_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[150:24301] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[142:21630] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[8:2671] -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_Intercom_prerouting
[105:12664] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[104:12590] -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_Intercom_postrouting
[0:0] -A zone_Intercom_postrouting -m comment --comment "!fw3: Custom Intercom postrouting rule chain" -j postrouting_Intercom_rule
[0:0] -A zone_Intercom_prerouting -m comment --comment "!fw3: Custom Intercom prerouting rule chain" -j prerouting_Intercom_rule
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[142:21630] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[104:12590] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[104:12590] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[8:2671] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Fri Feb 26 11:10:59 2021
# Generated by iptables-save v1.8.3 on Fri Feb 26 11:10:59 2021
*mangle
:PREROUTING ACCEPT [5498:4593002]
:INPUT ACCEPT [396:44496]
:FORWARD ACCEPT [5068:4539784]
:OUTPUT ACCEPT [357:65725]
:POSTROUTING ACCEPT [5396:4604217]
[35:2236] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[35:2044] -A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Feb 26 11:10:59 2021
# Generated by iptables-save v1.8.3 on Fri Feb 26 11:10:59 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_Intercom_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_Intercom_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_Intercom_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_Intercom_dest_ACCEPT - [0:0]
:zone_Intercom_dest_REJECT - [0:0]
:zone_Intercom_forward - [0:0]
:zone_Intercom_input - [0:0]
:zone_Intercom_output - [0:0]
:zone_Intercom_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[10:780] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[390:43924] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[285:29629] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1:64] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[97:11624] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[8:2671] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_Intercom_input
[5068:4539784] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[4992:4530114] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[76:9670] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_Intercom_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[10:780] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[352:66101] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[285:61168] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[67:4933] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_Intercom_output
[1:439] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[7:2232] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[1:64] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_Intercom_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_Intercom_dest_REJECT -o wg0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_Intercom_forward -m comment --comment "!fw3: Custom Intercom forwarding rule chain" -j forwarding_Intercom_rule
[0:0] -A zone_Intercom_forward -m comment --comment "!fw3: Zone Intercom to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_Intercom_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_Intercom_forward -m comment --comment "!fw3" -j zone_Intercom_dest_REJECT
[0:0] -A zone_Intercom_input -m comment --comment "!fw3: Custom Intercom input rule chain" -j input_Intercom_rule
[0:0] -A zone_Intercom_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_Intercom_input -m comment --comment "!fw3" -j zone_Intercom_src_ACCEPT
[0:0] -A zone_Intercom_output -m comment --comment "!fw3: Custom Intercom output rule chain" -j output_Intercom_rule
[0:0] -A zone_Intercom_output -m comment --comment "!fw3" -j zone_Intercom_dest_ACCEPT
[0:0] -A zone_Intercom_src_ACCEPT -i wg0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[76:9670] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[76:9670] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[97:11624] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[97:11624] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[97:11624] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[29:1292] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[114:13311] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[8:2671] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 51888 -m comment --comment "!fw3: Allow WireGuard" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[8:2671] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[67:4933] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[67:4933] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[8:2671] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Feb 26 11:10:59 2021
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
inet 192.168.99.96/24 brd 192.168.99.255 scope global eth1
valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.96.254/24 brd 192.168.96.255 scope global br-lan
valid_lft forever preferred_lft forever
default via 192.168.99.254 dev eth1 proto static src 192.168.99.96
192.168.96.0/24 dev br-lan proto kernel scope link src 192.168.96.254
192.168.98.0/24 dev wg0 proto static scope link
192.168.99.0/24 dev eth1 proto kernel scope link src 192.168.99.96
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.96.0 dev br-lan table local proto kernel scope link src 192.168.96.254
local 192.168.96.254 dev br-lan table local proto kernel scope host src 192.168.96.254
broadcast 192.168.96.255 dev br-lan table local proto kernel scope link src 192.168.96.254
broadcast 192.168.99.0 dev eth1 table local proto kernel scope link src 192.168.99.96
local 192.168.99.96 dev eth1 table local proto kernel scope host src 192.168.99.96
broadcast 192.168.99.255 dev eth1 table local proto kernel scope link src 192.168.99.96
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
interface: wg0
public key: PUBLIC_KEY
private key: (hidden)
listening port: 51888
peer: PEER_PUBLIC_KEY
allowed ips: 192.168.98.0/24
Done!!! Thx for the help
Delete these routes. Get rid of the Intercom zone on both routers and add the wg0 network into the lan firewall zone.
1 Like
Done... but same behaviour... 
One detail (I don't know if this has an impact:) pi3 is with kernel 4.14.215 and pi4 uses 5.4.99 as in the last snapshot
Collect the updated diagnostics from both peers and post it to pastebin.com redacting the private parts:
ip address show; ip route show table all; ip rule show; iptables-save; wg show
Did you try restarting the network interfaces and/or the routers after making changes?
Should've spotted this earlier, but you need an endpoint in at least one of the peers. Add this and restart the interface.
2 Likes
Hello,
Sorry to be late answering, but I had several meetings yesterday.
I did add the endpoint, but it does not make the wg0 to get live. On the WG Luci screen I see the endpoint modifications bur the last handshake is still at never.
To be sure all modifications were saved I restarted network & even rebooted both sides.
@vgaetera here is the list
ip address show; ip route show table all; ip rule show; iptables-save; wg show
...
Actually it did work... Thx @krazeh you had the right point.
I had to create the the end point, it had to be the the public IP of the remote site. I did this on both PIs and it ended up working.
Unfortunately I dont understand why suddenly it doesn't any more... I don't think I've changed anything... & stuck again.
I'll try to find out...
So... here is the update... Something is quite weird in this config.
As I was quite lost, I deleted all the WG config & created it newly from scratch. It worked immediately. 
Saved everything & reboot... doesn't work anymore... 
This not going to be very helpful...
Any ideas?
Not without configs.
OK I'll upload both again...
Router 98.254
uci export network;
uci export dhcp; uci export firewall;
head -n -0 /etc/firewall.user;
iptables-save -c;
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; wg
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd99:0306:2fe1::/48'
config interface 'lan'
option ifname 'eth0'
option proto 'static'
option ipaddr '192.168.98.254'
option netmask '255.255.255.0'
option ip6assign '60'
option gateway '192.168.99.254'
list dns '8.8.8.8'
list dns '9.9.9.9'
list dns '1.1.1.1'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
config interface 'wg0'
option proto 'wireguard'
option private_key 'PRIVATE_KEY'
option listen_port '55555'
config wireguard_wg0
option description 'ow3'
option public_key 'PEER_PUBLIC_KEY'
list allowed_ips '192.168.96.0/24'
option route_allowed_ips '1'
option endpoint_host '192.168.99.96'
option endpoint_port '55555'
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option ra_management '1'
option start '10'
option limit '40'
list dhcp_option '42,192.168.98.254'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config host
option dns '1'
option mac '2C:9E:FC:09:D9:42'
option ip '192.168.98.100'
option name 'mg5250'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan wg0'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option family 'ipv4'
list proto 'udp'
option src 'wan'
option target 'ACCEPT'
option name 'Allow WireGuard'
option dest_port '55555'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.7 on Wed Mar 3 10:51:53 2021
*nat
:PREROUTING ACCEPT [70:19349]
:INPUT ACCEPT [22:1676]
:OUTPUT ACCEPT [64:4427]
:POSTROUTING ACCEPT [24:1776]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[70:19349] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[60:16822] -A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_lan_prerouting
[10:2527] -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
[102:18418] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_lan_postrouting
[78:16642] -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[60:16822] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[78:16642] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[78:16642] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[10:2527] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Wed Mar 3 10:51:53 2021
# Generated by iptables-save v1.8.7 on Wed Mar 3 10:51:53 2021
*mangle
:PREROUTING ACCEPT [1579:318082]
:INPUT ACCEPT [871:109893]
:FORWARD ACCEPT [701:206754]
:OUTPUT ACCEPT [1030:393866]
:POSTROUTING ACCEPT [1710:599780]
[12:644] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[12:628] -A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Mar 3 10:51:53 2021
# Generated by iptables-save v1.8.7 on Wed Mar 3 10:51:53 2021
*filter
:INPUT ACCEPT [2:80]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[308:24472] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[565:85537] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[499:75501] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[3:148] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[51:7154] -A INPUT -i eth0 -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_lan_input
[15:2882] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[701:206754] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[649:187356] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[52:19398] -A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[308:24472] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[727:370442] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[680:367511] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2:80] -A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_lan_output
[45:2851] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[12:1898] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[3:984] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[3:148] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[2:80] -A zone_lan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
[52:19398] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[52:19398] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[51:7154] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[51:7154] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[2:80] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[2:80] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[49:7074] -A zone_lan_src_ACCEPT -i eth0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i wg0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[21:840] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[76:21409] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[15:2882] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 55555 -m comment --comment "!fw3: Allow WireGuard" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[15:2882] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[45:2851] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[45:2851] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[15:2882] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Mar 3 10:51:53 2021
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
inet 192.168.98.254/24 brd 192.168.98.255 scope global eth0
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
inet 192.168.99.98/24 brd 192.168.99.255 scope global eth1
valid_lft forever preferred_lft forever
default via 192.168.99.254 dev eth1 src 192.168.99.98
192.168.96.0/24 dev wg0 scope link
192.168.98.0/24 dev eth0 scope link src 192.168.98.254
192.168.99.0/24 dev eth1 scope link src 192.168.99.98
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.98.0 dev eth0 table local scope link src 192.168.98.254
local 192.168.98.254 dev eth0 table local scope host src 192.168.98.254
broadcast 192.168.98.255 dev eth0 table local scope link src 192.168.98.254
broadcast 192.168.99.0 dev eth1 table local scope link src 192.168.99.98
local 192.168.99.98 dev eth1 table local scope host src 192.168.99.98
broadcast 192.168.99.255 dev eth1 table local scope link src 192.168.99.98
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
interface: wg0
public key: PUBLIC_KEY
private key: (hidden)
listening port: 55555
peer: PEER_PUBLIC_KEY
endpoint: 192.168.99.96:55555
allowed ips: 192.168.96.0/24
Router 96.254
uci export network;
uci export dhcp; uci export firewall;
head -n -0 /etc/firewall.user;
iptables-save -c;
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; wg
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fded:7984:1d2e::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '192.168.99.254'
option gateway '192.168.96.254'
option ipaddr '192.168.96.254'
config interface 'WAN'
option ifname 'eth1'
option proto 'dhcp'
config interface 'wg0'
option proto 'wireguard'
option listen_port '55555'
option private_key ‘PRIVATE_KEY
config wireguard_wg0
option public_key ‘PEER_PUBLIC_KEY
option endpoint_port '55555'
list allowed_ips '192.168.98.0/24'
option route_allowed_ips '1'
option endpoint_host '192.168.99.98'
option description 'ow4'
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config host
option mac 'B8:27:EB:1A:8A:7A'
option name 'pi2.lan'
option dns '1'
option ip '192.168.96.98'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan wg0'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6 WAN'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option src 'wan'
option family 'ipv4'
option target 'ACCEPT'
list proto 'udp'
option name 'Allow WireGuard'
option dest_port '55555'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.3 on Wed Mar 3 03:58:19 2021
*nat
:PREROUTING ACCEPT [248:26984]
:INPUT ACCEPT [132:9726]
:OUTPUT ACCEPT [215:15835]
:POSTROUTING ACCEPT [116:8530]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[248:26984] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[239:24634] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_lan_prerouting
[9:2350] -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
[300:25543] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_lan_postrouting
[184:17013] -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[239:24634] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[184:17013] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[184:17013] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[9:2350] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Wed Mar 3 03:58:19 2021
# Generated by iptables-save v1.8.3 on Wed Mar 3 03:58:19 2021
*mangle
:PREROUTING ACCEPT [202071:297701119]
:INPUT ACCEPT [4538:636767]
:FORWARD ACCEPT [197507:297058992]
:OUTPUT ACCEPT [4448:1734245]
:POSTROUTING ACCEPT [201893:298790289]
[68:4348] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[68:3936] -A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Mar 3 03:58:19 2021
# Generated by iptables-save v1.8.3 on Wed Mar 3 03:58:19 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[1136:88920] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[3405:548003] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[3220:527994] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[26:1568] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[170:17247] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_lan_input
[15:2762] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[197507:297058992] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[197346:297044906] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[161:14086] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[1136:88920] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[3317:1646625] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[3199:1638092] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_lan_output
[118:8533] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[10:1042] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[5:1720] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[26:1568] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
[161:14086] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[161:14086] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[170:17247] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[170:17247] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[170:17247] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i wg0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[62:2948] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[217:19671] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[15:2762] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 55555 -m comment --comment "!fw3: Allow WireGuard" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[15:2762] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[118:8533] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[118:8533] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[15:2762] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Mar 3 03:58:19 2021
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
inet 192.168.99.96/24 brd 192.168.99.255 scope global eth1
valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.96.254/24 brd 192.168.96.255 scope global br-lan
valid_lft forever preferred_lft forever
default via 192.168.99.254 dev eth1 proto static src 192.168.99.96
192.168.96.0/24 dev br-lan proto kernel scope link src 192.168.96.254
192.168.98.0/24 dev wg0 proto static scope link
192.168.99.0/24 dev eth1 proto kernel scope link src 192.168.99.96
192.168.99.98 via 192.168.96.254 dev br-lan proto static
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.96.0 dev br-lan table local proto kernel scope link src 192.168.96.254
local 192.168.96.254 dev br-lan table local proto kernel scope host src 192.168.96.254
broadcast 192.168.96.255 dev br-lan table local proto kernel scope link src 192.168.96.254
broadcast 192.168.99.0 dev eth1 table local proto kernel scope link src 192.168.99.96
local 192.168.99.96 dev eth1 table local proto kernel scope host src 192.168.99.96
broadcast 192.168.99.255 dev eth1 table local proto kernel scope link src 192.168.99.96
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
interface: wg0
public key: PUBLIC_KEY
private key: (hidden)
listening port: 55555
peer: PEER_PUBLIC_KEY
endpoint: 192.168.99.98:55555
allowed ips: 192.168.98.0/24
As I deleted all I tried to change some values as Listening Ports etc... but the main is the same.
I've just created everything as above & still doesn't work
My global procedure is:
- Install luci-proto-wireguard and luci-app-wireguard
- On both Raspberry, generate a key pair of private and public keys.
- wg genkey | tee wg.key | wg pubkey > wg.pub
- Add a new interface named wg0 protocol WinGuard
- Configure General Settings similar on both FW
-
Bring up on boot - Insert Local Private Key
- Insert a listen port
- Select Firewall Settings to lan
- Configure Peers
- Name of peer
- Public Key of peer
- Allowed IPs = Remote subnet
-
Route Allowed IPs
- Endpoint Host public IP of the remote site & same port
Thx
Hi Vladislav,
As illustrated on post #10 I've setup this in a lab prior setup in real life between 2 different countries, its easier to test. Network 192.168.99.0 simulates the internet so the "public" IP of my 2 FW given by the DHCP of my ISP box are 192.168.99.98 & 192.168.99.96
1 Like
Your configs look ok, but there's no hits on the firewall rule on either side. Which suggests that either the Wireguard interfaces aren't coming up, or there's something interfering with the traffic flow. What is the physical setup of the network? What's connected to what? What other devices are between the Raspberrys?
Do you have remote access to both devices that will eventually be used for this setup? Is there a reason you can't just add the relevant WG configs to them and test it?
1 Like
I agree that this looks quite straight forward... it should work!
The wan port of each Raspberry is connected to the same switch behind the 192.168.99.0 network that is the inside port of my ISP box... on that network I also have different devices (TV, NAS, Printer, Windows laptop...) that do work fine between them.
This situation is crazy... I fear that I will need to restart everything from the right beginning and reconfigure all by hand!
If it works I will never know why
If it doesn't work better I will still be stuck.
The problem is that I in any case I will not feel confident for a real deployment!
Apply to both peers:
uci -q delete network.lan.gateway
uci commit network
/etc/init.d/network restart