Connection Wireguard => LAN => VPN => WAN not working

No, it does not work. I have applied the settings and then tested. I tested, rebooted the router. Tested again. Still same situation.

Policy Routing now shows the following when I click on Services > Policy Routing

The novpn interface is set to Protocol: "Unmanaged"

Can you try to uninstall PBR, reboot, then issue these 2 commands and give it a try?

1 Like

I uninstalled PBR, rebooted, issued the commands, and it still does not work. Maybe it's not meant to be. :)

These commands are tested to work properly, so we are missing something.
Install tcpdump to inspect the packets: opkg update; opkg install tcpdump
Turn on vpn and connect from the internet to the wireguard.
Then capture the interesting packets: tcpdump -i eth1 -n udp port 51820

2 Likes

Ok, I installed tcpdump and then I captured the packets with tcpdump -i eth1 -n udp port 51820

Here, 84.192.225.152 is the public IP of my internet connection.

tcpdump -i eth1 -n udp port 51820
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
15:18:13.247838 IP 185.196.22.202.46179 > 192.168.100.35.51820: UDP, length 148
15:18:13.267054 IP 192.168.100.35.51820 > 185.196.22.202.46179: UDP, length 92
15:18:13.274911 IP 84.192.225.152.51820 > 192.168.201.140.46179: UDP, length 92
15:18:18.290239 IP 185.196.22.202.46179 > 192.168.100.35.51820: UDP, length 148
15:18:18.314400 IP 192.168.100.35.51820 > 185.196.22.202.46179: UDP, length 92
15:18:18.322294 IP 89.142.215.123.51820 > 192.168.201.140.46179: UDP, length 92
15:18:23.514641 IP 185.196.22.202.46179 > 192.168.100.35.51820: UDP, length 148
15:18:23.536218 IP 192.168.100.35.51820 > 185.196.22.202.46179: UDP, length 92
15:18:23.543958 IP 89.142.215.123.51820 > 192.168.201.140.46179: UDP, length 92
15:18:28.523781 IP 185.196.22.202.46179 > 192.168.100.35.51820: UDP, length 148
15:18:28.545488 IP 192.168.100.35.51820 > 185.196.22.202.46179: UDP, length 92
15:18:28.553350 IP 89.142.215.123.51820 > 192.168.201.140.46179: UDP, length 92
15:18:33.528565 IP 185.196.22.202.46179 > 192.168.100.35.51820: UDP, length 148
15:18:33.545218 IP 192.168.100.35.51820 > 185.196.22.202.46179: UDP, length 92
15:18:33.553674 IP 89.142.215.123.51820 > 192.168.201.140.46179: UDP, length 92
15:18:38.846865 IP 185.196.22.202.46179 > 192.168.100.35.51820: UDP, length 148
15:18:38.873600 IP 192.168.100.35.51820 > 185.196.22.202.46179: UDP, length 92
15:18:38.881266 IP 89.142.215.123.51820 > 192.168.201.140.46179: UDP, length 92
15:18:43.966848 IP 185.196.22.202.46179 > 192.168.100.35.51820: UDP, length 148
15:18:43.990360 IP 192.168.100.35.51820 > 185.196.22.202.46179: UDP, length 92
15:18:43.998215 IP 89.142.215.123.51820 > 192.168.201.140.46179: UDP, length 92
15:18:49.341702 IP 185.196.22.202.46179 > 192.168.100.35.51820: UDP, length 148
15:18:49.362384 IP 192.168.100.35.51820 > 185.196.22.202.46179: UDP, length 92
15:18:49.370731 IP 89.142.215.123.51820 > 192.168.201.140.46179: UDP, length 92
15:18:54.467336 IP 185.196.22.202.46179 > 192.168.100.35.51820: UDP, length 148
15:18:54.487837 IP 192.168.100.35.51820 > 185.196.22.202.46179: UDP, length 92
15:18:54.495479 IP 89.142.215.123.51820 > 192.168.201.140.46179: UDP, length 92
15:18:59.581353 IP 185.196.22.202.46179 > 192.168.100.35.51820: UDP, length 148
15:18:59.672225 IP 192.168.100.35.51820 > 185.196.22.202.46179: UDP, length 92
15:18:59.680159 IP 89.142.215.123.51820 > 192.168.201.140.46179: UDP, length 92
15:19:04.702663 IP 185.196.22.202.46179 > 192.168.100.35.51820: UDP, length 148
15:19:04.719434 IP 192.168.100.35.51820 > 185.196.22.202.46179: UDP, length 92
15:19:04.727398 IP 89.142.215.123.51820 > 192.168.201.140.46179: UDP, length 92
15:19:10.077745 IP 185.196.22.202.46179 > 192.168.100.35.51820: UDP, length 148
15:19:10.175018 IP 192.168.100.35.51820 > 185.196.22.202.46179: UDP, length 92
15:19:10.182863 IP 89.142.215.123.51820 > 192.168.201.140.46179: UDP, length 92
15:19:15.199882 IP 185.196.22.202.46179 > 192.168.100.35.51820: UDP, length 148
15:19:15.293765 IP 192.168.100.35.51820 > 185.196.22.202.46179: UDP, length 92
15:19:15.301705 IP 89.142.215.123.51820 > 192.168.201.140.46179: UDP, length 92
15:19:20.319664 IP 185.196.22.202.46179 > 192.168.100.35.51820: UDP, length 148
15:19:20.420786 IP 192.168.100.35.51820 > 185.196.22.202.46179: UDP, length 92
15:19:20.428708 IP 89.142.215.123.51820 > 192.168.201.140.46179: UDP, length 92
15:19:25.440044 IP 185.196.22.202.46179 > 192.168.100.35.51820: UDP, length 148
15:19:25.463490 IP 192.168.100.35.51820 > 185.196.22.202.46179: UDP, length 92
15:19:25.471270 IP 89.142.215.123.51820 > 192.168.201.140.46179: UDP, length 92
15:19:30.817773 IP 185.196.22.202.46179 > 192.168.100.35.51820: UDP, length 148
15:19:30.838561 IP 192.168.100.35.51820 > 185.196.22.202.46179: UDP, length 92
15:19:30.846863 IP 89.142.215.123.51820 > 192.168.201.140.46179: UDP, length 92
15:19:35.935632 IP 185.196.22.202.46179 > 192.168.100.35.51820: UDP, length 148
15:19:35.957522 IP 192.168.100.35.51820 > 185.196.22.202.46179: UDP, length 92
15:19:35.965390 IP 89.142.215.123.51820 > 192.168.201.140.46179: UDP, length 92
15:19:41.022584 IP 185.196.22.202.46179 > 192.168.100.35.51820: UDP, length 148
15:19:41.043312 IP 192.168.100.35.51820 > 185.196.22.202.46179: UDP, length 92
15:19:41.051174 IP 89.142.215.123.51820 > 192.168.201.140.46179: UDP, length 92
15:19:46.177330 IP 185.196.22.202.46179 > 192.168.100.35.51820: UDP, length 148
15:19:46.277139 IP 192.168.100.35.51820 > 185.196.22.202.46179: UDP, length 92
15:19:46.285312 IP 89.142.215.123.51820 > 192.168.201.140.46179: UDP, length 92
15:19:51.549870 IP 185.196.22.202.46179 > 192.168.100.35.51820: UDP, length 148
15:19:51.570335 IP 192.168.100.35.51820 > 185.196.22.202.46179: UDP, length 92
15:19:51.578059 IP 89.142.215.123.51820 > 192.168.201.140.46179: UDP, length 92
^C
60 packets captured
60 packets received by filter
0 packets dropped by kernel

This one looks right.

This one doesn't look right.
If I understand correctly, you are doing double NAT, as your OpenWrt router is connected upstream to your ISP router and you are forwarding port 51820 from the ISP router to OpenWrt, right?
Are you certain that you are testing from the internet? That means switching off wifi and connecting by mobile data, because what I see is the WireGuard server trying to communicate with a client using the LAN IP over the WAN interface.

1 Like

Ok, being connected from the internet everything works. Amazing! Thanks for your support.
For reference I provide some more output from tcpdump


Very good. Try now to install PBR and add the rule you had before. These commands will not survive a reboot, so reboot first and then test.

1 Like

I have installed pbr, added the rule, and rebooted the router. Again no connection to WWW when connecting with Wireguard from outside.

Tcpdump:

tcpdump -i eth1 -n udp port 51820
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
17:36:25.886193 IP 109.43.113.169.25487 > 192.168.100.35.51820: UDP, length 148
17:36:31.076820 IP 109.43.113.169.25487 > 192.168.100.35.51820: UDP, length 148
17:36:36.216857 IP 109.43.113.169.25487 > 192.168.100.35.51820: UDP, length 148
17:36:41.216651 IP 109.43.113.169.25487 > 192.168.100.35.51820: UDP, length 148
17:36:46.367735 IP 109.43.113.169.25487 > 192.168.100.35.51820: UDP, length 148
17:36:51.336801 IP 109.43.113.169.25487 > 192.168.100.35.51820: UDP, length 148
17:36:56.446544 IP 109.43.113.169.25487 > 192.168.100.35.51820: UDP, length 148
17:36:59.176247 IP 109.43.113.169.32137 > 192.168.100.35.51820: UDP, length 148
17:37:04.226452 IP 109.43.113.169.32137 > 192.168.100.35.51820: UDP, length 148
17:37:09.284645 IP 109.43.113.169.32137 > 192.168.100.35.51820: UDP, length 148
17:37:14.416752 IP 109.43.113.169.32137 > 192.168.100.35.51820: UDP, length 148
17:37:19.356424 IP 109.43.113.169.32137 > 192.168.100.35.51820: UDP, length 148
17:37:24.544148 IP 109.43.113.169.32137 > 192.168.100.35.51820: UDP, length 148
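
The two symptoms trendy points out above (handshake responses leaving eth1 toward a LAN address in the first capture, and initiations with no response at all once PBR is active in the capture just above) can be checked mechanically. The following script is an added example, not code from this thread or from the pbr package; it parses tcpdump's one-line output, takes the server's WAN address as 192.168.100.35 as in these captures, and relies on the 148-byte initiation and 92-byte response sizes that the WireGuard protocol fixes.

```python
import ipaddress
import re
from collections import defaultdict

# tcpdump line format from the thread: "<ts> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)
HANDSHAKE_INIT_LEN = 148  # WireGuard handshake initiation size, fixed by the protocol
HANDSHAKE_RESP_LEN = 92   # WireGuard handshake response size, fixed by the protocol

# Sample input: lines copied from the two captures in this thread.
# First capture (client on the LAN side of the ISP router, double NAT):
CAPTURE_LAN_CLIENT = """\
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
15:18:13.247838 IP 185.196.22.202.46179 > 192.168.100.35.51820: UDP, length 148
15:18:13.267054 IP 192.168.100.35.51820 > 185.196.22.202.46179: UDP, length 92
15:18:13.274911 IP 84.192.225.152.51820 > 192.168.201.140.46179: UDP, length 92
15:18:18.290239 IP 185.196.22.202.46179 > 192.168.100.35.51820: UDP, length 148
15:18:18.314400 IP 192.168.100.35.51820 > 185.196.22.202.46179: UDP, length 92
15:18:18.322294 IP 89.142.215.123.51820 > 192.168.201.140.46179: UDP, length 92
"""
# Last capture (PBR reinstalled, client on mobile data): initiations only.
CAPTURE_PBR_ACTIVE = """\
17:36:25.886193 IP 109.43.113.169.25487 > 192.168.100.35.51820: UDP, length 148
17:36:31.076820 IP 109.43.113.169.25487 > 192.168.100.35.51820: UDP, length 148
17:36:59.176247 IP 109.43.113.169.32137 > 192.168.100.35.51820: UDP, length 148
"""


def parse_tcpdump(text):
    """Return (ts, src, sport, dst, dport, length) tuples; other lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append((m["ts"], m["src"], int(m["sport"]),
                            m["dst"], int(m["dport"]), int(m["len"])))
    return packets


def triage(packets, server_wan_ip, wg_port=51820):
    """Classify WireGuard handshakes seen on the server's WAN interface.

    unanswered: endpoints whose initiations never got a 92-byte response here
                (the reply is leaving via the VPN tunnel or another interface).
    misrouted:  responses not sourced from the WAN address, or sent to a private
                address, i.e. the server answering a LAN-side client over the WAN.
    ok:         endpoints with a clean initiation/response pair on this interface.
    """
    inits, resps, misrouted = defaultdict(int), defaultdict(int), []
    for ts, src, sport, dst, dport, length in packets:
        if dport == wg_port and length == HANDSHAKE_INIT_LEN:
            inits[(src, sport)] += 1
        elif sport == wg_port and length == HANDSHAKE_RESP_LEN:
            if src != server_wan_ip or ipaddress.ip_address(dst).is_private:
                misrouted.append((ts, src, dst, dport))
            else:
                resps[(dst, dport)] += 1
    return {
        "unanswered": sorted(k for k in inits if k not in resps),
        "misrouted": misrouted,
        "ok": sorted(k for k in inits if k in resps),
    }
```

Run it over the full output of tcpdump -i eth1 -n udp port 51820: a non-empty "unanswered" list while the client keeps retrying is the routing-through-the-VPN symptom, and "misrouted" entries mean the test client is not actually coming from the internet.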

@stangri why not use the ip rule, which works, instead of the firewall matching, then rule matching, where something is broken or evaluated wrongly?

1 Like

Sure, sounds good. So I suppose I have to add the ip rule to /etc/config/network, but how exactly? I tried the following.

config route
        option gateway '192.168.100.1'
        option table '100'
        option sport '51820'
        option lookup '100'
        option prio '100'
        option default '1'

There is a different config for rule, but according to the documentation it doesn't accept ports.

2 Likes

I'm afraid that sport/dport are not yet supported by netifd:
https://git.openwrt.org/?p=project/netifd.git;a=blob;f=iprule.c;hb=HEAD#l52

2 Likes

@trendy can you please elaborate on what sections of the code/logic you suggest I replace and with what?

I ran into the same problem, see: Policy-Based-Routing (pbr) package discussion - #478 by egc

The PBR interface lets you add your own file with rules to execute, and I just made a file and added:
ip rule add sport 52180 table pbr_wan
which is then executed when PBR is active.

Not a true expert, but starting with kernel 4.19 ip rule is very versatile and can be used for a lot of routing decisions without the need for iptables (ipset being an exception, I think), so maybe it can be used instead of iptables?

2 Likes

I am referring to the Local Wireguard Server + Wireguard Client (Scenario 1), which works fine if you just add a rule for the source port and look up the wan routing table, while your method of marking the traffic on the firewall and then making a rule for the marked traffic is broken somewhere.

I see. One of the goals for pbr for the foreseeable future is to implement atomic nft support, so it would just create the custom firewall file for policies which will then be automatically reloaded by fw4 when needed. Implementing ip rule would break that.

Until there's a solution for the scenario 1 with WG server/client and fwmarking, I believe what @egc suggested is the best option.

1 Like

Thanks @stangri, I understand your point.

But it is frustrating that this wonderful PBR package is not doing what we would like it to do.

Do you (or anyone else) have an idea what the problem is?

The nftables rule is there and is hit; maybe it has something to do with connection tracking/marking?
When I tried this for iptables I also struggled with CONNMARK --save-mark.

I believe it's due to WG being UDP-based. No issues if you use the OpenVPN and switch it to TCP.