C7v2 VLAN + wireguard problem

Hello,

C7v2
v21.02.5

I made 4 VLANs for the 4 ports and it worked nicely. Then I tried adding WireGuard to port 4 only (with an AP on br-lan4). Now none of the ports serve internet, but the AP behind WireGuard works. What did I do wrong?

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxxxxxxxx::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option delegate '0'
	option ipaddr '82.168.101.1'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option delegate '0'
	option peerdns '0'
	list dns 'xxxxxxxxxx'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 3'
	option vid '3'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t 4'
	option vid '4'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option ports '0t 5'
	option vid '5'

config interface 'lan2'
	option device 'eth1.3'
	option proto 'static'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option ipaddr '82.168.102.1'

config interface 'lan3'
	option proto 'static'
	option device 'eth1.4'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option ipaddr '82.168.103.1'

config interface 'lan4'
	option proto 'static'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option type 'bridge'
	option device 'br-lan4'
	option ipaddr '82.168.104.1'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'eth0.2'
	option type '8021q'
	option ifname 'eth0'
	option vid '2'
	option ipv6 '0'

config device
	option name 'eth1'
	option ipv6 '0'

config device
	option name 'eth1.1'
	option type '8021q'
	option ifname 'eth1'
	option vid '1'
	option ipv6 '0'

config device
	option name 'eth1.3'
	option type '8021q'
	option ifname 'eth1'
	option vid '3'
	option ipv6 '0'

config device
	option name 'eth1.4'
	option type '8021q'
	option ifname 'eth1'
	option vid '4'
	option ipv6 '0'

config device
	option name 'eth1.5'
	option type '8021q'
	option ifname 'eth1'
	option vid '5'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-lan4'
	list ports 'eth1.5'
	option ipv6 '0'

config interface 'WG'
	option proto 'wireguard'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx='
	list addresses 'xxxxxxxxxxx/32'

config wireguard_WG
	option description 'xxxxxxxxxxx'
	option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host 'xxxxxxxxxx'
	option endpoint_port '51820'

config device
	option name 'WG'
	option ipv6 '0'

config device
	option name 'wlan0'
	option ipv6 '0'
cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config zone
	option name 'lan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan2'

config zone
	option name 'lan3'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan3'

config zone
	option name 'lan4'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan4'

config zone
	option name 'wgzone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'WG'

config forwarding
	option src 'lan4'
	option dest 'wgzone'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan2'
	option dest 'wan'

config forwarding
	option src 'lan3'
	option dest 'wan'
cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option dnssec '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'lan2'
	option interface 'lan2'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config dhcp 'lan3'
	option interface 'lan3'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config dhcp 'lan4'
	option interface 'lan4'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'
System log:

Tue Dec 27 00:35:48 2022 daemon.err odhcpd[1574]: Failed to send to ff02::1%lan@br-lan (Permission denied)

opkg list-installed
ath10k-board-qca988x - 20211216-1
ath10k-firmware-qca988x - 20211216-1
base-files - 1447-r16688-fa9a932fdb
busybox - 1.33.2-2
ca-bundle - 20210119-1
cgi-io - 2022-08-10-901b0f04-21
dnsmasq-full - 2.85-8
dropbear - 2020.81-2
firewall - 2021-03-23-61db17ed-1.1
fstools - 2021-01-04-c53b1882-1
fwtool - 2019-11-12-8f7fe925-1
getrandom - 2020-10-25-9ef88681-2
hostapd-common - 2020-06-08-5a8b3662-41
htop - 3.2.1-1
ip6tables - 1.8.7-1
iperf3 - 3.10.1-1
iptables - 1.8.7-1
iw - 5.9-8fab0c9e-3
jshn - 2021-05-16-b14c4688-2
jsonfilter - 2018-02-04-c7e938d6-1
kernel - 5.4.215-1-8bf2c37fddb5d4bb9e3ca54818bf5e18
kmod-ath - 5.4.215+5.10.110-1-1
kmod-ath10k - 5.4.215+5.10.110-1-1
kmod-ath9k - 5.4.215+5.10.110-1-1
kmod-ath9k-common - 5.4.215+5.10.110-1-1
kmod-cfg80211 - 5.4.215+5.10.110-1-1
kmod-crypto-hash - 5.4.215-1
kmod-crypto-kpp - 5.4.215-1
kmod-crypto-lib-chacha20 - 5.4.215-1
kmod-crypto-lib-chacha20poly1305 - 5.4.215-1
kmod-crypto-lib-curve25519 - 5.4.215-1
kmod-crypto-lib-poly1305 - 5.4.215-1
kmod-gpio-button-hotplug - 5.4.215-3
kmod-ip6tables - 5.4.215-1
kmod-ipt-conntrack - 5.4.215-1
kmod-ipt-core - 5.4.215-1
kmod-ipt-ipset - 5.4.215-1
kmod-ipt-nat - 5.4.215-1
kmod-ipt-offload - 5.4.215-1
kmod-lib-crc-ccitt - 5.4.215-1
kmod-mac80211 - 5.4.215+5.10.110-1-1
kmod-nf-conntrack - 5.4.215-1
kmod-nf-conntrack-netlink - 5.4.215-1
kmod-nf-conntrack6 - 5.4.215-1
kmod-nf-flow - 5.4.215-1
kmod-nf-ipt - 5.4.215-1
kmod-nf-ipt6 - 5.4.215-1
kmod-nf-nat - 5.4.215-1
kmod-nf-reject - 5.4.215-1
kmod-nf-reject6 - 5.4.215-1
kmod-nfnetlink - 5.4.215-1
kmod-nls-base - 5.4.215-1
kmod-phy-ath79-usb - 5.4.215-1
kmod-ppp - 5.4.215-1
kmod-pppoe - 5.4.215-1
kmod-pppox - 5.4.215-1
kmod-slhc - 5.4.215-1
kmod-udptunnel4 - 5.4.215-1
kmod-udptunnel6 - 5.4.215-1
kmod-usb-core - 5.4.215-1
kmod-usb-ehci - 5.4.215-1
kmod-usb-ledtrig-usbport - 5.4.215-1
kmod-usb2 - 5.4.215-1
kmod-wireguard - 5.4.215-1
libblobmsg-json20210516 - 2021-05-16-b14c4688-2
libc - 1.1.24-3
libgcc1 - 8.4.0-3
libgmp10 - 6.2.1-1
libip4tc2 - 1.8.7-1
libip6tc2 - 1.8.7-1
libiwinfo-data - 2022-04-26-dc6847eb-1
libiwinfo-lua - 2022-04-26-dc6847eb-1
libiwinfo20210430 - 2022-04-26-dc6847eb-1
libjson-c5 - 0.15-2
libjson-script20210516 - 2021-05-16-b14c4688-2
liblua5.1.5 - 5.1.5-9
liblucihttp-lua - 2021-06-11-3dc89af4-1
liblucihttp0 - 2021-06-11-3dc89af4-1
libmnl0 - 1.0.4-2
libncurses6 - 6.2-3
libnetfilter-conntrack3 - 1.0.8-1
libnettle8 - 3.6-1
libnfnetlink0 - 1.0.1-4
libnl-tiny1 - 2020-08-05-c291088f-2
libopenssl1.1 - 1.1.1q-1
libpthread - 1.1.24-3
libubox20210516 - 2021-05-16-b14c4688-2
libubus-lua - 2021-06-30-4fc532c8-2
libubus20210630 - 2021-06-30-4fc532c8-2
libuci20130104 - 2021-04-14-4b3db117-5
libuclient20201210 - 2021-05-14-6a6011df-1
libustream-wolfssl20201210 - 2022-01-16-868fd881-2
libwolfssl5.5.1.99a5b54a - 5.5.1-stable-2
libxtables12 - 1.8.7-1
logd - 2020-10-25-9ef88681-2
lua - 5.1.5-9
luci - git-20.074.84698-ead5e81
luci-app-firewall - git-22.089.67741-3856d50
luci-app-opkg - git-22.273.29015-e01e38c
luci-app-wireguard - git-20.244.42172-21563a2
luci-base - git-22.304.65299-04257f6
luci-lib-base - git-20.232.39649-1f6dc29
luci-lib-ip - git-20.250.76529-62505bd
luci-lib-jsonc - git-22.097.61937-bc85ba5
luci-lib-nixio - git-20.234.06894-c4a4e43
luci-mod-admin-full - git-19.253.48496-3f93650
luci-mod-network - git-22.244.54918-77c916e
luci-mod-status - git-22.089.70019-d4f0b06
luci-mod-system - git-22.264.46189-30ba277
luci-proto-ipv6 - git-21.148.49484-14511e5
luci-proto-ppp - git-21.163.64918-6c6559a
luci-proto-wireguard - git-21.243.21928-71fe35c
luci-theme-bootstrap - git-22.288.45155-afd0012
mtd - 26
netifd - 2021-10-30-8f82742c-1
odhcp6c - 2021-01-09-53f07e90-16
odhcpd-ipv6only - 2021-07-18-bc9d317f-3
openwrt-keyring - 2021-02-20-49283916-2
opkg - 2021-06-13-1bf042dd-1
ppp - 2.4.8.git-2020-10-03-3
ppp-mod-pppoe - 2.4.8.git-2020-10-03-3
procd - 2021-03-08-2cfc26f8-1
rpcd - 2022-02-19-8d26a1ba-1
rpcd-mod-file - 2022-02-19-8d26a1ba-1
rpcd-mod-iwinfo - 2022-02-19-8d26a1ba-1
rpcd-mod-luci - 20210614
rpcd-mod-rrdns - 20170710
swconfig - 12
terminfo - 6.2-3
uboot-envtools - 2021.01-15
ubox - 2020-10-25-9ef88681-2
ubus - 2021-06-30-4fc532c8-2
ubusd - 2021-06-30-4fc532c8-2
uci - 2021-04-14-4b3db117-5
uclient-fetch - 2021-05-14-6a6011df-1
uhttpd - 2021-03-21-15346de8-2
uhttpd-mod-ubus - 2021-03-21-15346de8-2
urandom-seed - 3
urngd - 2020-01-21-c7f7b6b6-1
usign - 2020-05-23-f1f65026-1
wireguard-tools - 1.0.20210223-2
wireless-regdb - 2022.08.12-1
wpad-mesh-openssl - 2020-06-08-5a8b3662-41


There's a lot wrong here...

For starters, the IP address you have listed on your lan (82.168.101.1) is a public address, not an RFC1918 private address. This will likely cause all sorts of problems.

The same goes for the other networks (lan2 and lan3): the addresses you've selected are public ranges and should not be used.

Same here with lan4. Beyond that, you've declared the interface itself as a bridge (`option type 'bridge'`) while also pointing it at the bridge device br-lan4.

Neither of these belongs here; both should be deleted.

You will need policy-based routing (PBR) to achieve the goal of having only lan4 use the wg interface while the rest goes out through your regular wan.

Also, do you actually want LAN1-3 on entirely separate networks?

Honestly, this is enough of a mess that I would recommend that you reset to defaults and then build these out one network at a time.


Thank-you

I tried cleaning it up but still same problem as before - everything worked until I added the wireguard on port 4 (br-lan4/lan4/AP).

Fixed

It would be nice to isolate stuff and get one router to do everything.

I am currently using 2 routers daisy chained: one for the gateway and VLANS and one for the wireguard AP plugged into port 4 of the first one.

I will try researching PBR.

Here's the new network after cleaning up ifaces and br-lans (but same as before: only wireguard AP works and no internet on any ports):

OpenWrt 21.02.5, r16688-fa9a932fdb
 -----------------------------------------------------
root@openwrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxxxxxxxxx::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option delegate '0'
	option ipaddr '192.168.101.1'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option delegate '0'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 3'
	option vid '3'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t 4'
	option vid '4'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option ports '0t 5'
	option vid '5'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'eth0.2'
	option type '8021q'
	option ifname 'eth0'
	option vid '2'
	option ipv6 '0'

config device
	option name 'eth1'
	option ipv6 '0'

config device
	option name 'eth1.1'
	option type '8021q'
	option ifname 'eth1'
	option vid '1'
	option ipv6 '0'

config device
	option name 'eth1.3'
	option type '8021q'
	option ifname 'eth1'
	option vid '3'
	option ipv6 '0'

config device
	option name 'eth1.4'
	option type '8021q'
	option ifname 'eth1'
	option vid '4'
	option ipv6 '0'

config device
	option name 'eth1.5'
	option type '8021q'
	option ifname 'eth1'
	option vid '5'
	option ipv6 '0'

config interface 'WG'
	option proto 'wireguard'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxx='
	list addresses 'xxxxxxxxxxx/32'

config wireguard_WG
	option description 'xxxxxxxxxxx'
	option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxx='
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host 'xxxxxxxxx'
	option endpoint_port '51820'

config device
	option type 'bridge'
	option name 'br-lan4'
	list ports 'eth1.5'
	option ipv6 '0'

config interface 'lan4'
	option proto 'static'
	option device 'br-lan4'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option delegate '0'
	option ipaddr '192.168.104.1'

config device
	option type 'bridge'
	option name 'br-lan2'
	list ports 'eth1.3'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-lan3'
	list ports 'eth1.4'
	option ipv6 '0'

config interface 'lan2'
	option proto 'static'
	option device 'br-lan2'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipaddr '192.168.102.1'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'lan3'
	option proto 'static'
	option device 'br-lan3'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipaddr '192.168.103.1'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

The joy of OpenWrt. Again previous iterations worked without the wireguard. It would be nice to consolidate 2 routers into 1.

It all looks a lot better. The problem you are experiencing is expected... more on that later.

good.

Yes, agreed. Do it all on one router. I just wanted to make sure you actually wanted 4 isolated ethernet networks, rather than maybe 2 networks (one with WG tunneling, one without) in a 3+1 port configuration.

This is the fundamental thing you'll need to do. The reason your other networks appear dead is that, with `allowed_ips '0.0.0.0/0'` and `route_allowed_ips '1'` on the peer, the routing engine installs a default route through the WG tunnel for everything, but the firewall only allows lan4 to forward into it. PBR lets you tell the routing engine which networks should route through your regular WAN and which one(s) should go through the WG tunnel.

Until you enable PBR, you have 3 options:

  1. send everything through the WG tunnel (by allowing this in the firewall)
  2. send nothing through the WG tunnel (by disabling WG)
  3. send just lan4 through the tunnel while the other 3 networks cannot get out to the internet at all (your status quo).

This does look a lot better. However, can you clarify -- does the ethernet port associated with lan4 not work either?

The only major thing I'd change is to remove the DNS lines from all network definitions except wan. They don't do anything there: if you want your DHCP clients to use those DNS servers, you advertise them with DHCP option 6 in the DHCP server settings for that network. They serve no purpose here, so delete them to finish the cleanup.

Port 4 works now.

I decided to start from a clean slate with 22.03.2 and PBR. I had to use customized packages because luci-app-pbr and pbr did not appear in the package list in LuCI.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxxxxxxxxxxxx::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.101.1'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '0t 3'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '4'
	option ports '0t 4'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option ports '0t 5'
	option vid '5'

config device
	option type 'bridge'
	option name 'br-lan2'
	list ports 'eth1.3'

config device
	option type 'bridge'
	option name 'br-lan3'
	list ports 'eth1.4'

config device
	option type 'bridge'
	option name 'br-lan4'
	list ports 'eth1.5'

config interface 'lan2'
	option proto 'static'
	option device 'br-lan2'
	option ipaddr '192.168.102.1'
	option netmask '255.255.255.0'

config interface 'lan3'
	option proto 'static'
	option device 'br-lan3'
	option ipaddr '192.168.103.1'
	option netmask '255.255.255.0'

config interface 'lan4'
	option proto 'static'
	option device 'br-lan4'
	option ipaddr '192.168.104.1'
	option netmask '255.255.255.0'
	list dns 'xxxxxxxxxxxx'

config interface 'wg'
	option proto 'wireguard'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
	list addresses 'xxxxxxxx/32'

config wireguard_wg
	option description 'test123'
	option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host 'xxxxxxxxxxxx'
	option endpoint_port '51820'
root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config zone
	option name 'lan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan2'

config forwarding
	option src 'lan2'
	option dest 'wan'

config zone
	option name 'lan3'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan3'

config forwarding
	option src 'lan3'
	option dest 'wan'

config zone
	option name 'lan4'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan4'

config zone
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wg'
	option name 'wgzone'

config forwarding
	option src 'lan4'
	option dest 'wgzone'
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'lan2'
	option interface 'lan2'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'lan4'
	option interface 'lan4'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'lan3'
	option interface 'lan3'
	option start '100'
	option limit '150'
	option leasetime '12h'

root@OpenWrt:~# cat /etc/config/pbr
config pbr 'config'
	option enabled '0'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled 0

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled 0

config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'
	option enabled '0'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
	option enabled '0'

config policy
	option name 'WireGuard Server'
	option interface 'wan'
	option src_port '51820'
	option chain 'output'
	option proto 'udp'
	option enabled '0'

That's as far as I have got so far. Ports 1-3 don't have internet. Port 4 does and wg works.

I need help configuring PBR.

Everything in the main config files looks good now, except that the DNS entry in the lan4 network definition will not do anything. If you want to advertise that DNS server to the client devices, do it with DHCP option 6 in the DHCP server settings for that network.

As far as PBR is concerned, I'm going to defer to others who have more experience with this....


Ok thank-you. It looks like I have some reading to do.

Although obviously there is still the PBR part of the equation to resolve, I think we've gotten most of the way there.

If/when your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

(you could mark this topic as solved and open a new one specifically for PBR questions -- that might get the right eyes on the problem and thus a faster solution).

