I made 4 VLANs for the 4 ports and it worked nicely. Then I tried adding WireGuard to port 4 only (with an AP on br-lan4). Now none of the ports get internet access, but the AP behind the WireGuard tunnel works. What did I do wrong?
cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'xxxxxxxxxx::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1.1'
option ipv6 '0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '1.1.1.1'
list dns '1.0.0.1'
option delegate '0'
option ipaddr '82.168.101.1'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
option delegate '0'
option peerdns '0'
list dns 'xxxxxxxxxx'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0t 2'
option vid '1'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 6t'
option vid '2'
config switch_vlan
option device 'switch0'
option vlan '3'
option ports '0t 3'
option vid '3'
config switch_vlan
option device 'switch0'
option vlan '4'
option ports '0t 4'
option vid '4'
config switch_vlan
option device 'switch0'
option vlan '5'
option ports '0t 5'
option vid '5'
config interface 'lan2'
option device 'eth1.3'
option proto 'static'
option netmask '255.255.255.0'
list dns '1.1.1.1'
list dns '1.0.0.1'
option ipaddr '82.168.102.1'
config interface 'lan3'
option proto 'static'
option device 'eth1.4'
option netmask '255.255.255.0'
list dns '1.1.1.1'
list dns '1.0.0.1'
option ipaddr '82.168.103.1'
config interface 'lan4'
option proto 'static'
option netmask '255.255.255.0'
list dns '1.1.1.1'
list dns '1.0.0.1'
option type 'bridge'
option device 'br-lan4'
option ipaddr '82.168.104.1'
config device
option name 'eth0'
option ipv6 '0'
config device
option name 'eth0.2'
option type '8021q'
option ifname 'eth0'
option vid '2'
option ipv6 '0'
config device
option name 'eth1'
option ipv6 '0'
config device
option name 'eth1.1'
option type '8021q'
option ifname 'eth1'
option vid '1'
option ipv6 '0'
config device
option name 'eth1.3'
option type '8021q'
option ifname 'eth1'
option vid '3'
option ipv6 '0'
config device
option name 'eth1.4'
option type '8021q'
option ifname 'eth1'
option vid '4'
option ipv6 '0'
config device
option name 'eth1.5'
option type '8021q'
option ifname 'eth1'
option vid '5'
option ipv6 '0'
config device
option type 'bridge'
option name 'br-lan4'
list ports 'eth1.5'
option ipv6 '0'
config interface 'WG'
option proto 'wireguard'
option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx='
list addresses 'xxxxxxxxxxx/32'
config wireguard_WG
option description 'xxxxxxxxxxx'
option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
list allowed_ips '0.0.0.0/0'
option route_allowed_ips '1'
option endpoint_host 'xxxxxxxxxx'
option endpoint_port '51820'
config device
option name 'WG'
option ipv6 '0'
config device
option name 'wlan0'
option ipv6 '0'
cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
config zone
option name 'lan2'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan2'
config zone
option name 'lan3'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan3'
config zone
option name 'lan4'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan4'
config zone
option name 'wgzone'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'WG'
config forwarding
option src 'lan4'
option dest 'wgzone'
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option src 'lan2'
option dest 'wan'
config forwarding
option src 'lan3'
option dest 'wan'
It all looks a lot better. The problem you are experiencing is expected... more on that later.
good.
Yes, agreed. Do it all on one router. I just wanted to make sure you actually wanted 4 isolated Ethernet networks, rather than maybe 2 networks (one with WG tunneling, one without) in a 3+1 port configuration.
This is the fundamental thing you'll need to do. The reason your other networks appear dead is that the routing engine wants to send everything through the WG tunnel (the peer's `allowed_ips '0.0.0.0/0'` together with `route_allowed_ips '1'` installs a default route via the tunnel), but the firewall only allows lan4 to forward into it. PBR will let you tell the routing engine which networks should route through your regular WAN and which one(s) should go through the WG tunnel.
Until you enable PBR, you have 3 options:
send everything through the WG tunnel (by allowing this in the firewall)
send nothing through the WG tunnel (by disabling WG)
send just lan4 through the tunnel while the other 3 networks cannot get out to the internet at all (your status quo).
This does look a lot better. However, can you clarify -- does the ethernet port associated with lan4 not work either?
The only major thing I'd change is to remove the DNS lines from all of the network definitions except wan. They don't actually do anything in those locations... if you want to tell your DHCP clients to use those DNS servers, you do that by advertising the servers with DHCP option 6. They serve no purpose here, so delete them just to finish the clean-up.
I decided to start from a clean slate with 22.03.2 and PBR. I had to use custom-built packages because luci-app-pbr and pbr did not show up in the package list in LuCI.
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'xxxxxxxxxxxxxx::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.101.1'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
option peerdns '0'
list dns '1.1.1.1'
list dns '1.0.0.1'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '0t 2'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 6t'
option vid '2'
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '3'
option ports '0t 3'
config switch_vlan
option device 'switch0'
option vlan '4'
option vid '4'
option ports '0t 4'
config switch_vlan
option device 'switch0'
option vlan '5'
option ports '0t 5'
option vid '5'
config device
option type 'bridge'
option name 'br-lan2'
list ports 'eth1.3'
config device
option type 'bridge'
option name 'br-lan3'
list ports 'eth1.4'
config device
option type 'bridge'
option name 'br-lan4'
list ports 'eth1.5'
config interface 'lan2'
option proto 'static'
option device 'br-lan2'
option ipaddr '192.168.102.1'
option netmask '255.255.255.0'
config interface 'lan3'
option proto 'static'
option device 'br-lan3'
option ipaddr '192.168.103.1'
option netmask '255.255.255.0'
config interface 'lan4'
option proto 'static'
option device 'br-lan4'
option ipaddr '192.168.104.1'
option netmask '255.255.255.0'
list dns 'xxxxxxxxxxxx'
config interface 'wg'
option proto 'wireguard'
option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
list addresses 'xxxxxxxx/32'
config wireguard_wg
option description 'test123'
option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
list allowed_ips '0.0.0.0/0'
option route_allowed_ips '1'
option endpoint_host 'xxxxxxxxxxxx'
option endpoint_port '51820'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'
config zone
option name 'lan2'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan2'
config forwarding
option src 'lan2'
option dest 'wan'
config zone
option name 'lan3'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan3'
config forwarding
option src 'lan3'
option dest 'wan'
config zone
option name 'lan4'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan4'
config zone
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wg'
option name 'wgzone'
config forwarding
option src 'lan4'
option dest 'wgzone'
Everything in the main config files looks good now (except that the DNS entry in the lan4 network definition will not do anything -- if you want to advertise that DNS server to the client devices, you do that with DHCP option 6 in the DHCP server settings for that network).
As far as PBR is concerned, I'm going to defer to others who have more experience with this....
Although obviously there is still the PBR part of the equation to resolve, I think we've gotten most of the way there.
If/when your problem is solved, please consider marking this topic as [Solved]. See "How to mark a topic as [Solved]" for a short how-to.
(you could mark this topic as solved and open a new one specifically for PBR questions -- that might get the right eyes on the problem and thus a faster solution).