Can't open and/or forward ports

Hi everyone.

I've got two OpenWrt routers and I'm trying to connect two local networks over the internet via WireGuard.
Now, this works as long as both OpenWrt routers are behind another router, but when I move up one of the OpenWrt routers to be the only router in the chain, open and/or forwarded ports stop working.

This works:
Network1: VDSL Router -> OpenWrt1 -> LocalNetwork
Network2: CPE -> Router -> OpenWrt2 -> LocalNetwork

The OpenWrt routers are connected to the non-Wrt routers through the WAN port.
The non-Wrt routers forward port 51280 to the OpenWrt routers.

This doesn't:
Network1: VDSL Router -> OpenWrt1 -> LocalNetwork
Network2: CPE -> OpenWrt2 -> LocalNetwork

Same as above, except there is no router behind the CPE to forward port 51820.

The configuration is the exact same in both setups.

OpenWrt1:
/etc/config/network:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        option dns '1.1.1.1 208.67.220.220'
        option delegate '0'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '5D:B8:BA:C3:29:26'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option delegate '0'
        option dns '1.1.1.1 208.67.220.220'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr '5D:B8:BA:C3:29:30'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'aIZ6MMJxVvnrdYvaDYNsJd9c1/Bw2WfsvO6fJmPeO14='
        option listen_port '51820'
        option delegate '0'
        list addresses '10.0.0.1/24'

config wireguard_vpn
        option public_key 'sCHBwc8OZHcC4DQM3EdJDVLFTkQ1OI2pXrZsBnaZU2s='
        option route_allowed_ips '1'
        option endpoint_host '<external-ip-network1>'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '10.0.0.0/24'
        list allowed_ips '192.168.2.0/24'

/etc/config/firewall:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option disable_ipv6 '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'vpn'
        list network 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'vpn'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

OpenWrt2:
/etc/config/network:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option gateway '192.168.2.1'
        option dns '1.1.1.1 208.67.220.220'
        option delegate '0'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr 'D5:61:27:CF:15:33'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option delegate '0'
        option dns '1.1.1.1 208.67.220.220'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr 'D5:61:27:CF:15:37'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'WHMzAaughG6WY1gQtLl78I9g72q97EUhkL0/LG2F2V0='
        option listen_port '51820'
        option delegate '0'
        list addresses '10.0.0.1/24'

config wireguard_vpn
        option public_key 'mxne3qvZkiaa3VbhVk9Ggbggs1V2qWn+HTuASf/sGnc='
        option route_allowed_ips '1'
        option endpoint_host '<external-ip-network1>'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '10.0.0.0/24'
        list allowed_ips '192.168.1.0/24'

/etc/config/firewall:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option disable_ipv6 '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'vpn'
        list network 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'vpn'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '30102'
        option dest_ip '192.168.2.2'
        option dest_port '80'
        option name 'Test'

This is where I'm at right now.

So it appears that once OpenWrt2 gets the external IP directly on the WAN interface it blocks all ports.
Then, I thought, the obvious thing to do would be to open port 51820 manually:

config rule
        option name 'WireGuard'
        option src 'wan'
        option proto 'udp'
        option dest_port '51820'
        option target 'ACCEPT'

But that doesn't do anything, WireGuard is still unable to connect.
There is also a port forward in the config above and that doesn't work either.

Any help would be greatly appreciated.

Did you reboot after configuring the WG interface?

I honestly cannot see anything obviously wrong in your configs...except...

The internal tunnel addresses shouldn't be identical on both sides.

Yes, I've tried rebooting, multiple times.
I should have mentioned that this happens with a cold start with the settings saved.
As in I configure everything when it's behind the non-Wrt router, recheck it's working then power off and switch devices.

In the OpenWrt1 /etc/config/network it's:

list addresses '10.0.0.1/24'

And in OpenWrt2 it's:

list addresses '10.0.0.2/24'

It seems I made the mistake while pasting data, sorry about that.

Again, WireGuard is working great when the OpenWrt router is behind the other non-Wrt router.
Also, the port forwarding rule in the OpenWrt2 config works.
The issue only appears once the non-Wrt router is removed and OpenWrt receives the external IP right on the WAN interface.

I'm guessing it's something to do with the firewall.
So, is there anything I'm missing in the firewall config?

Thanks.

I'm still trying to get this to work.

In the week since I've tried the OpenWrt routers on different internet connections.
Both forwarding and WireGuard worked just fine.
However, those setups were like the first one, with the OpenWrt routers behind another router or a modem with DHCP capabilities.
So nothing new here.

One thing I've noticed is that the CPE assigns the external IP with a /23 netmask, whereas all the routers and modems assign /24.
Could that be the problem?
How do I configure a port forward or a traffic rule in that case?
I don't see anything regarding netmasks under Port Forwards and Traffic Rules in LuCI.

If your gateway is in the /24 before your subnet, it would definitely be a problem.

Also, only the interface connected to WAN would get the /23 from the ISP; if you're referring to downstream LANs you set up (e.g. 192.168.1.0/24), they can be whatever CIDR you configure.

In the configuration above the LAN gateway is the OpenWrt router itself, so 192.168.2.1/24, which is the default setting as far as I'm aware.

Do you mean the WAN gateway?
WAN needs to be configured as a DHCP client, so I'd assume the gateway it gets would be on the /23 netmask, as is the IP.
I'll check.

That is what I'm seeing, WAN gets the /23 and LAN gets /24 as is configured.
Internet is working fine, but neither port forwarding nor the WireGuard traffic rule do anything.

That's OK, then.
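The exchange above boils down to two checks a practitioner would run on the box before touching the firewall: does the default gateway actually fall inside the prefix the CPE handed out (with a /23, the gateway may legitimately sit in the "other" /24 of the block, which is only a problem if the mask were really /24), and what kind of address did WAN receive. The script below is an added example, not code from the thread or from OpenWrt; it parses the text of `ip -4 addr show <wan-dev>` and `ip -4 route` (the command output embedded here is constructed, and the 203.0.113.0/24 documentation range stands in for a real public address):

```python
"""Added example (not from the thread or from OpenWrt): extract the WAN lease
from 'ip -4 addr' / 'ip -4 route' output and check that the default gateway is
on-link for the WAN prefix, then classify the address WAN received.
All command output below is constructed for the example."""
import re
from ipaddress import ip_address, ip_interface, ip_network
from typing import Tuple

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SHARED = ip_network("100.64.0.0/10")   # RFC 6598 shared address space (carrier NAT)

# "    inet 203.0.113.77/23 brd 203.0.113.255 scope global eth0.2"
_INET = re.compile(r"^\s*inet (\d+(?:\.\d+){3}/\d+)\b.*\bscope global")
# "default via 203.0.112.1 dev eth0.2 src 203.0.113.77"
_DEFAULT = re.compile(r"^default via (\d+(?:\.\d+){3}) dev (\S+)")


def parse_wan_lease(addr_output: str, route_output: str) -> Tuple[str, str, str]:
    """Return (cidr, gateway, dev) found in the two command outputs."""
    cidr = gw = dev = None
    for line in addr_output.splitlines():
        m = _INET.match(line)
        if m:
            cidr = m.group(1)
    for line in route_output.splitlines():
        m = _DEFAULT.match(line)
        if m:
            gw, dev = m.groups()
    if not (cidr and gw):
        raise ValueError("no global IPv4 address or default route found")
    return cidr, gw, dev


def gateway_on_link(cidr: str, gateway: str) -> bool:
    """True if the gateway lies inside the network derived from addr/prefix."""
    return ip_address(gateway) in ip_interface(cidr).network


def address_kind(addr: str) -> str:
    """Coarse classification of what WAN received (assumption: anything that is
    neither RFC 1918 nor shared space is treated as a public-range address)."""
    ip = ip_address(addr)
    if any(ip in n for n in RFC1918):
        return "rfc1918"
    if ip in SHARED:
        return "shared"
    return "public-range"


def check_lease(addr_output: str, route_output: str) -> dict:
    """Combine the parse and both checks into one report dict."""
    cidr, gw, dev = parse_wan_lease(addr_output, route_output)
    return {
        "dev": dev,
        "cidr": cidr,
        "gateway": gw,
        "on_link": gateway_on_link(cidr, gw),
        "kind": address_kind(cidr.split("/")[0]),
    }


# Constructed sample 1: CPE hands the public lease straight to OpenWrt2 with a /23.
ADDR_DIRECT = """\
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 203.0.113.77/23 brd 203.0.113.255 scope global eth0.2
       valid_lft 3213sec preferred_lft 3213sec
"""
ROUTE_DIRECT = """\
default via 203.0.112.1 dev eth0.2 src 203.0.113.77
192.168.2.0/24 dev br-lan scope link src 192.168.2.1
203.0.112.0/23 dev eth0.2 scope link src 203.0.113.77
"""

# Constructed sample 2: OpenWrt2 behind a home router on a private /24.
ADDR_BEHIND = """\
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.178.20/24 brd 192.168.178.255 scope global eth0.2
"""
ROUTE_BEHIND = """\
default via 192.168.178.1 dev eth0.2 src 192.168.178.20
192.168.178.0/24 dev eth0.2 scope link src 192.168.178.20
"""

if __name__ == "__main__":
    for name, (a, r) in {"direct": (ADDR_DIRECT, ROUTE_DIRECT),
                         "behind": (ADDR_BEHIND, ROUTE_BEHIND)}.items():
        print(name, check_lease(a, r))
```

On a real box, feed it `ip -4 addr show eth0.2` and `ip -4 route`; `on_link` being False means the lease and the gateway do not agree and no firewall rule will fix that, while a `kind` of `shared` means the address on WAN is not reachable from the internet at all, regardless of what the router forwards.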

Looking at your /etc/config/firewall, you do not have an input rule for the UDP port that you configured Wireguard to use.

You need:

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option name 'Wireguard_VPN'
        option family 'ipv4'
        option dest_port '51820'

I do actually, it's at the bottom of the first post:

EDIT:
Right now I'm not too concerned with the WireGuard config.

At this point all I want to get working is basic port forwarding so I can replace the non-Wrt router.
I've been at it way too long and I still can't figure out where the problem may be.
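One reply says the firewall lacks an input rule for the WireGuard port, the other says it is there; reading a long /etc/config/firewall by eye is exactly how that disagreement arises. The following is an added example, not code from the thread or from OpenWrt: a small parser for the UCI format that answers, from the file itself, whether an enabled rule accepts a given protocol/port from the wan zone to the router, and which DNAT port forwards exist from wan. It relies on fw3's convention that a `rule` with no `dest` is an input rule while one with a `dest` is a forward rule, so the ISAKMP-style rules with `dest 'lan'` do not open anything on the router itself. The sample config embedded below is constructed to mirror the rules posted in the thread:

```python
"""Added example (not from the thread): parse an OpenWrt UCI firewall file and
report what it accepts from the wan zone. The sample config is constructed."""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Section:
    kind: str                      # 'zone', 'rule', 'redirect', ...
    name: Optional[str]            # named sections like "config zone 'wan'", else None
    options: Dict[str, str] = field(default_factory=dict)
    lists: Dict[str, List[str]] = field(default_factory=dict)


def parse_uci(text: str) -> List[Section]:
    """Minimal UCI parser: 'config', 'option' and 'list' lines, quotes honoured."""
    sections: List[Section] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        if tok[0] == "config" and len(tok) >= 2:
            sections.append(Section(tok[1], tok[2] if len(tok) > 2 else None))
        elif tok[0] == "option" and sections and len(tok) >= 2:
            sections[-1].options[tok[1]] = tok[2] if len(tok) > 2 else ""
        elif tok[0] == "list" and sections and len(tok) >= 2:
            sections[-1].lists.setdefault(tok[1], []).append(tok[2] if len(tok) > 2 else "")
    return sections


def _proto_matches(spec: Optional[str], proto: str) -> bool:
    if spec is None or spec in ("all", "any"):
        return True
    return proto in spec.replace("tcpudp", "tcp udp").split()


def _port_matches(spec: Optional[str], port: int) -> bool:
    """dest_port may be one port, a space-separated list, or ranges like '6000-6010'."""
    if spec is None:
        return True
    for part in spec.split():
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def wan_input_accepts(sections: List[Section], proto: str, port: int) -> bool:
    """True if an enabled 'rule' ACCEPTs proto/port from zone wan to the router
    itself. Rules carrying a 'dest' option are forward rules and are skipped."""
    for s in sections:
        o = s.options
        if s.kind != "rule" or o.get("enabled", "1") == "0":
            continue
        if o.get("src") != "wan" or "dest" in o or o.get("target") != "ACCEPT":
            continue
        if _proto_matches(o.get("proto"), proto) and _port_matches(o.get("dest_port"), port):
            return True
    return False


def wan_redirects(sections: List[Section]) -> List[Tuple[str, int, str, int]]:
    """Enabled DNAT forwards from wan as (proto, src_dport, dest_ip, dest_port)."""
    out = []
    for s in sections:
        o = s.options
        if s.kind != "redirect" or o.get("src") != "wan" or o.get("enabled", "1") == "0":
            continue
        if o.get("target", "DNAT") != "DNAT":
            continue
        out.append((o.get("proto", "tcp udp"), int(o["src_dport"]),
                    o["dest_ip"], int(o.get("dest_port", o["src_dport"]))))
    return out


# Constructed sample mirroring the thread's rules: one forward-style rule with a
# dest, one real input rule for WireGuard, and the TEST port forward.
SAMPLE_FIREWALL = """
config zone
        option name 'wan'
        list network 'wan'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'WireGuard'
        option src 'wan'
        option proto 'udp'
        option dest_port '51820'
        option target 'ACCEPT'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '30102'
        option dest_ip '192.168.2.2'
        option dest_port '80'
        option name 'Test'
"""

if __name__ == "__main__":
    secs = parse_uci(SAMPLE_FIREWALL)
    print("udp/51820 accepted on router:", wan_input_accepts(secs, "udp", 51820))
    print("udp/500 accepted on router:", wan_input_accepts(secs, "udp", 500))
    print("forwards from wan:", wan_redirects(secs))
```

Run it against the real file with `parse_uci(open("/etc/config/firewall").read())`. If it reports the rule and forward as present while traffic still never arrives, the configuration is not the problem and the next thing to check is whether the traffic reaches the WAN interface at all (for example with `tcpdump -ni eth0.2 udp port 51820`), which moves the question upstream to the CPE or ISP.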

Have you asked your ISP if they prohibit traffic by MAC, authenticating their OEM device, etc?

You should simply have to remove the upstream router.

I don't have the destination zone in my forwards...are you using LuCI to configure your firewall?

No I haven't asked, I just assumed it's not the case since I replaced the non-Wrt router two times already.
For the record: Last time it was a FRITZ!Box 3370 and I've replaced it with a FRITZ!Box 7490.

That is what I was thinking.
I thought I'd be done configuring in a few hours then just replace the routers.
I was very wrong.

Yes I was in the beginning, maybe I edited it afterwards.
I will try regenerating those rules using LuCI.

But the thing is: It works when it's behind the other router, why would it stop?
The LAN zone does not change, the WAN zone does.

EDIT:
Here is what LuCI generates:

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '30102'
        option dest_ip '192.168.2.2'
        option dest_port '80'
        option name 'TEST'

I guess that too isn't it.