Sorry, I am still new with this. Here it comes:
Router A (server)
root@OpenWrt1:~# ubus call system board
{
"kernel": "5.10.176",
"hostname": "OpenWrt1",
"system": "x86/64",
"model": "[redacted]",
"board_name": "[redacted]",
"rootfs_type": "ext4",
"release": {
"distribution": "OpenWrt",
"version": "22.03.5",
"revision": "r20134-5f15225c1e",
"target": "x86/64",
"description": "OpenWrt 22.03.5 r20134-5f15225c1e"
}
}
root@OpenWrt1:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd06:a50f:2d21::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.0.1'
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
config interface 'wg_lan'
option proto 'wireguard'
option private_key '[redacted]'
list addresses '10.0.5.1/24'
option mtu '1420'
option listen_port '443'
config wireguard_wg_lan
option public_key '[redacted]'
option preshared_key '[redacted]'
option description '1_lan_Alpha'
list allowed_ips '10.0.5.2/32'
option route_allowed_ips '1'
option persistent_keepalive '25'
config wireguard_wg_lan
option public_key '[redacted]'
option preshared_key '[redacted]'
option description '2_lan_Bravo'
list allowed_ips '10.0.5.3/32'
option route_allowed_ips '1'
option persistent_keepalive '25'
config wireguard_wg_lan
option public_key '[redacted]'
option preshared_key '[redacted]'
option description '3_lan_Charlie'
list allowed_ips '10.0.5.4/32'
option route_allowed_ips '1'
option persistent_keepalive '25'
config wireguard_wg_lan
option public_key '[redacted]'
option preshared_key '[redacted]'
option description '4_lan_Delta'
list allowed_ips '10.0.5.5/32'
option route_allowed_ips '1'
option persistent_keepalive '25'
config device
option name 'eth1'
option macaddr '[redacted]'
config interface 'guest_wifi'
option proto 'static'
option device 'eth0.5'
option ipaddr '192.168.5.200'
option netmask '255.255.255.0'
config interface 'iot'
option proto 'static'
option ipaddr '192.168.4.200'
option netmask '255.255.255.0'
option device 'eth0.4'
root@OpenWrt1:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'WireGuard'
...and much more.....................................................................
root@OpenWrt1:~# ip route show
default via [redacted] dev eth1 proto static src [redacted]
10.0.5.0/24 dev wg_lan proto kernel scope link src 10.0.5.1
10.0.5.2 dev wg_lan proto static scope link
10.0.5.3 dev wg_lan proto static scope link
10.0.5.4 dev wg_lan proto static scope link
10.0.5.5 dev wg_lan proto static scope link
[redacted]/22 dev eth1 proto kernel scope link src [redacted]
192.168.0.0/24 dev br-lan proto kernel scope link src 192.168.0.1
192.168.4.0/24 dev eth0.4 proto kernel scope link src 192.168.4.200
192.168.5.0/24 dev eth0.5 proto kernel scope link src 192.168.5.200
root@OpenWrt1:~# wg show
interface: wg_lan
public key: [redacted]
private key: (hidden)
listening port: 443
peer: [redacted]
preshared key: (hidden)
endpoint: [redacted]
allowed ips: 10.0.5.5/32
latest handshake: 1 minute, 54 seconds ago
transfer: 1.82 KiB received, 2.35 KiB sent
persistent keepalive: every 25 seconds
peer: [redacted]
preshared key: (hidden)
endpoint: [redacted]
allowed ips: 10.0.5.2/32
latest handshake: 15 minutes, 10 seconds ago
transfer: 143.44 KiB received, 3.78 MiB sent
persistent keepalive: every 25 seconds
peer: [redacted]
preshared key: (hidden)
allowed ips: 10.0.5.3/32
persistent keepalive: every 25 seconds
peer: [redacted]
preshared key: (hidden)
allowed ips: 10.0.5.4/32
persistent keepalive: every 25 seconds
Router B (client):
ubus call system board
{
"kernel": "5.15.167",
"hostname": "HostName",
"system": "x86/64",
"model": "[redacted]",
"board_name": "[redacted]",
"rootfs_type": "ext4",
"release": {
"distribution": "OpenWrt",
"version": "23.05.5",
"revision": "r24106-10cc5fcd00",
"target": "x86/64",
"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
}
}
root@HostName:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '[redacted]'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
config device 'guest_dev'
option type 'bridge'
option name 'br-guest'
config interface 'guest'
option proto 'static'
option device 'br-guest'
option ipaddr '192.168.100.1'
option netmask '255.255.255.0'
config interface 'WireGuard'
option proto 'wireguard'
option private_key '[redacted]'
list addresses '10.0.5.5/32'
list dns '10.0.5.1'
config wireguard_WireGuard
option description '4_lan_Delta.conf'
option public_key '[redacted]'
option preshared_key '[redacted]'
list allowed_ips '192.168.0.0/24'
list allowed_ips '::/0'
option persistent_keepalive '25'
option endpoint_host '[redacted]'
option endpoint_port '443'
root@HostName:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'WireGuard'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone 'guest'
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
config forwarding 'guest_wan'
option src 'guest'
option dest 'wan'
config rule 'guest_dns'
option name 'Allow-DNS-Guest'
option src 'guest'
option dest_port '53'
option proto 'tcp udp'
option target 'ACCEPT'
config rule 'guest_dhcp'
option name 'Allow-DHCP-Guest'
option src 'guest'
option dest_port '67'
option proto 'udp'
option family 'ipv4'
option target 'ACCEPT'
root@HostName:~# ip route show
default via 192.168.0.1 dev eth1 src 192.168.0.159
[Router A external IP] via 192.168.0.1 dev eth1
192.168.0.0/24 dev eth1 scope link src 192.168.0.159
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
root@HostName:~# wg show
interface: WireGuard
public key: [redacted]
private key: (hidden)
listening port: 47559
peer: [redacted]
preshared key: (hidden)
endpoint: [Router A pulic IP]:443
allowed ips: 192.168.0.0/24, ::/0
latest handshake: 3 seconds ago
transfer: 468 B received, 764 B sent
persistent keepalive: every 25 seconds
root@HostName:~#