I don't know if this will be possible. I have two openwrt routers.
Router 1 has client devices who want the files in the tftp server. Subnet is 192.168.1.1/24
Router 2 has a tftp server in a desktop machine. Router 2 is connected to router 1 via a wifi radio. Subnet is 192.168.2.1/24
However, it's important to mention that if a server is located in router 1, clients in router 2 can connect to that server. It makes me think this is possible.
I am not sure how to go about achieving this, and I tried to figure out how to do this but I am starting to think it's not possible. It would suck to spend 2 hours trying to figure out how to do something that's not possible. But if it is possible, I think I am supposed to do static routing to achieve this, here's what I have
Are both devices running OpenWrt? If so, you should be able to set up a static route and disable masquerading. Or, alternatively, you can set up port forwarding.
Could you draw a diagram of your topology to ensure that we understand how everything is connected and related?
I think port forwarding might be best, only problem is that I notice that filezilla tends to use a wide range of ports instead of keeping it consistent (30000-65535). Both in source and destination ports.
Only problem is that now I notice that I no longer get logs telling me a connection is rejected (Assuming the firewall works). But I still can't connect. I don't know if this was done expecting the ftp server was on the router, or if this is happening because the ftp server is on a desktop home computer. I don't know what is blocking it (if anything is)
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
Edit: This is very disorganized... here I notice the old things I used to do that I no longer need. Like things to make my dns work with my vpn, tinyproxy, I guess that routing and link. Maybe the nat traversal and allow R1 Apps too.
There's a ton going on in this config... is all of it necessary?
You have two networks that appear to be upstream -- link and wwan. Are both active?
And what about the wireguard setup -- that appears to be operating in a client type config... is that active?
The firewall is quite confusing, too.
If that's the case, maybe it would make sense to reset to defaults and configure only what you need. It'll be hard to unravel the complex configuration as well as debug if things don't work as expected.
I don't want to reset and then go through the trouble, I prefer to remove it one by one instead of resetting. Wireguard is active, I deleted the config from what I posted because it has the web server address and private key. The link probably isn't active.
I can remove everything that's unnecessary for you though. I just didn't want to do that in case you didn't want edited logs. There is one line about wireguard I shouldn't have deleted though (option route_allowed_ips '1').
Well, given the complexity of what is happening on this device, the complete configs are important. But my concern is that it's a lot of work to understand exactly what is happening -- a lot of stuff to keep track of as I read through it. So it's not a matter of simplifying what is presented... IMO, it's better to simplify the true configuration by either resetting your configs and starting fresh again, or by actually scrubbing through line by line and removing all the items that are no longer needed.
Alright, now pretty much everything that I edited out from the new logs I posted I had also removed from my configuration. Only a few things aren't removed, but they were disabled instead (allow-R1-Apps and Allow-DNS-to-WAN).
Edit: updated config
root@OpenWRT:~# ubus call system board
{
"kernel": "5.10.176",
"hostname": "OpenWRT",
"system": "Atheros AR7161 rev 2",
"model": "Netgear WNDR3800CH",
"board_name": "netgear,wndr3800ch",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "22.03.5",
"revision": "r20134-5f15225c1e",
"target": "ath79/generic",
"description": "OpenWrt 22.03.5 r20134-5f15225c1e"
}
}
root@OpenWRT:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd3e:8f07:980e::/48'
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'
option auto '0'
option reqaddress 'try'
option reqprefix 'auto'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.2.1'
list dns '192.168.2.15'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
option blinkrate '2'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5'
config switch_port
option device 'switch0'
option port '1'
option led '6'
config switch_port
option device 'switch0'
option port '2'
option led '9'
config switch_port
option device 'switch0'
option port '5'
option led '2'
config interface 'wwan'
option proto 'dhcp'
option peerdns '0'
list dns '192.168.2.15'
config interface 'wgclient'
option proto 'wireguard'
option private_key 'rfrtfghyju'
list addresses 'numbers'
config wireguard_wgclient
option endpoint_port '1194'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::/0'
option persistent_keepalive '15'
option preshared_key 'fshbfxjdjksrsyh'
option description 'Vacas'
option route_allowed_ips '1'
option public_key 'hgsgegzezgzzeg'
option endpoint_host 'www.youtube.moe'
root@OpenWRT:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option log '1'
list network 'lan'
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'
option log '1'
list network 'wan'
list network 'wan6'
list network 'wwan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option proto 'icmp'
option family 'ipv4'
option target 'ACCEPT'
list icmp_type 'echo-request'
option src 'wan'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'wgclient'
option masq '1'
option mtu_fix '1'
option output 'ACCEPT'
option input 'ACCEPT'
option forward 'ACCEPT'
option log '1'
list network 'wgclient'
config redirect 'dns_int'
option src 'lan'
option src_dport '53'
option proto 'tcp udp'
option target 'DNAT'
option src_mac '!00:E0:9C:37:50:84'
option name 'Redirect-DNS'
option src_ip '!192.168.2.15'
option dest_ip '192.168.2.15'
config ipset 'doh'
option name 'doh'
option family 'ipv4'
option match 'net'
option loadfile '/var/ipset-doh'
config rule 'doh_fwd'
option name 'Deny-DoH'
option src 'lan'
option dest 'wan'
option dest_port '443'
option proto 'tcp udp'
option family 'ipv4'
option ipset 'doh dest'
option target 'REJECT'
config ipset 'doh6'
option name 'doh6'
option family 'ipv6'
option match 'net'
option loadfile '/var/ipset-doh6'
config rule 'doh6_fwd'
option name 'Deny-DoH'
option src 'lan'
option dest 'wan'
option dest_port '443'
option proto 'tcp udp'
option family 'ipv6'
option ipset 'doh6 dest'
option target 'REJECT'
config rule 'dot_fwd'
option name 'Deny-DoT'
option src 'lan'
option dest 'wan'
option dest_port '853'
option proto 'tcp udp'
option target 'REJECT'
config nat 'dns_masq'
option name 'Masquerade-DNS'
option src 'lan'
option dest_ip '192.168.2.15'
option dest_port '53'
option proto 'tcp udp'
option target 'MASQUERADE'
config forwarding
option src 'lan'
option dest 'wgclient'
config rule
option name 'Allow-R1-Admin'
option target 'ACCEPT'
option family 'ipv4'
option src 'lan'
option dest 'wan'
list dest_ip '192.168.1.1'
option dest_port '80 22'
list proto 'tcp'
list proto 'icmp'
config rule
option name 'Allow-R1-FTP'
option target 'ACCEPT'
option family 'ipv4'
option src '*'
option dest '*'
list src_ip '192.168.1.1/24'
list src_ip '192.168.2.1/24'
list dest_ip '192.168.1.1/24'
list dest_ip '192.168.2.1/24'
list proto 'tcp'
list proto 'udp'
option src_port '30000-65535 2121 2022 22000 21027'
option dest_port '30000-65535 2121 2022 22000 21027'
config rule
option name 'Allow-R1-FTPServer'
option target 'ACCEPT'
option family 'ipv4'
option src_port '30000-65535 2121 2022 22000 21027'
option dest_port '30000-65535 2121 2022 22000 21027'
option src 'wan'
list src_ip '192.168.1.1/24'
list src_ip '192.168.2.1/24'
list dest_ip '192.168.1.1/24'
list dest_ip '192.168.2.1/24'
list dest_ip '192.168.1.84'
config redirect
option target 'DNAT'
option src_dport '2121'
option name 'FTPserver4R1'
option dest_ip '192.168.2.14'
option src 'lan'
option dest 'wan'
root@OpenWRT:~#
I haven't really reviewed the newest config, but one of the key things you will likely need is PBR. This is because the WG client is sending all egress traffic through the tunnel. But, in the case of an inbound port-forward, you need to make sure it returns the reply traffic via the original route (i.e. via the wan).
I really don't want to use PBR because that would mean I wouldn't have a kill switch (the ability to not have any internet until wireguard connects to the vpn)
But, in the case of an inbound port-forward, you need to make sure it returns the reply traffic via the original route (i.e. via the wan).
I am assuming I have to do a port forward with the wwan as the destination
I have a semi-similar setup.
I find that if I use a client VPN, I cannot connect to the downstream devices.
If I don't use the client VPN, I can connect.
The firewall determines what is allowed or prohibited, but it is the routing engine that ultimately is responsible to the path taken (assuming it is allowed).
You need to alter the routing tables such that the traffic returns properly. PBR is the easiest method to do this. As stated above, kill switch and other elements of PBR are configurable.
I guess that's something I'll have to try in another router, I remember in my experience that PBR leaks especially when you restart the router.
The service does NOT support the “killswitch” router mode (where there is no firewall forwarding from lan interface to wan interface, so if you stop the VPN tunnel, you have no internet connection). For proper operation, leave all the default OpenWrt network and firewall settings for lan and wan intact.
but also
Supports strict policy enforcement, even if the policy interface is down – resulting in network being unreachable for specific policy (enabled by default).
secure_reload - hidden/experimental - When enabled, kills router traffic (activates killswitch) during service start/restart/reload operations to prevent traffic leaks on unwanted interface.
are we talking about the same thing? I think my other router already has it installed
It really depends on your specific goals. You can set a kill switch or not -- depending on your goals -- with PBR and/or the firewall. But in order to ensure that the port forwarded traffic returns through the non-tunneled path of the wan, you need to create policies to achieve this. PBR is the easiest and most straightforward method to do this, but it can also be done if you construct manual routing tables (PBR is basically just a smarter way of managing routing tables).
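The manual routing-table approach that the reply above contrasts with PBR, as an added example that is not from the thread or from the pbr package: it tags flows that entered via wan in conntrack and routes their replies through a dedicated table holding only wan's default route, leaving the WireGuard default route and the missing lan-to-wan forwarding (the kill switch) untouched. Assumed values, adjust to your router: wan device eth1 as in the posted config, router 1 at 192.168.1.1 as the wan gateway, and table 100 / mark 0x100 chosen arbitrarily.

```shell
#!/bin/sh
# Added example, not from the thread. Keeps the WireGuard default route (and
# the "no forwarding lan->wan" kill switch) while sending replies to
# connections that ENTERED via wan back out through wan, as the thread
# describes. Assumptions (constructed, adjust to your router): wan device
# eth1 as in the posted config; router 1 at 192.168.1.1 is the wan gateway.
WAN_DEV="${WAN_DEV:-eth1}"
WAN_GW="${WAN_GW:-192.168.1.1}"
TABLE=100       # routing table holding only wan's default route
MARK=0x100      # conntrack mark meaning "this flow came in via wan"

# nftables rules in their own table, so fw4 reloads do not flush them:
# tag new flows arriving on wan, then copy the tag onto every packet of
# those flows (the LAN host's replies included) so routing can act on it.
gen_nft() {
  cat <<EOF
table inet wanreply {
  chain prerouting {
    type filter hook prerouting priority mangle; policy accept;
    iifname "$WAN_DEV" ct state new ct mark set $MARK
    ct mark $MARK meta mark set ct mark
  }
}
EOF
}

# ip(8) commands: marked packets consult table $TABLE before the main table,
# where the 0.0.0.0/0 route of wgclient lives. "replace" keeps it idempotent.
gen_ip() {
  cat <<EOF
ip route replace default via $WAN_GW dev $WAN_DEV table $TABLE
ip rule del fwmark $MARK lookup $TABLE 2>/dev/null || true
ip rule add fwmark $MARK lookup $TABLE priority 100
EOF
}

# Sanity check used before applying: both halves of the mark logic present.
check_policy() {
  gen_nft | grep -q 'ct state new ct mark set' &&
  gen_nft | grep -q 'meta mark set ct mark' &&
  gen_ip | grep -q "fwmark $MARK lookup $TABLE"
}

apply_policy() {
  check_policy || return 1
  gen_nft | nft -f -
  gen_ip | sh -e
}
if [ "${1:-}" = "apply" ]; then apply_policy; fi
```

Run it with `apply` as root on router 2 once wan is up (for example from /etc/rc.local); it only adds its own nft table and one ip rule, so fw4 reloads do not remove it, but it does not persist across reboots by itself.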