Network came back up as normal. Router can receive a WAN IP from the fiber modem and seems alright. From the main router I go to an 8-port gigabit PoE switch (HP), then from there to the UniFi WAP and other assorted machines.
However, after this all clients cannot connect to the internet. Weirdly, they receive DHCP addresses fine but cannot connect to or communicate with the router (192.168.1.1). I suspect something wonky with the br-lan interface, but everything SEEMS normal and nothing looks out of place.
Strangely, if I connect externally via the WireGuard VPN I CAN access the LuCI web interface normally, so I'm not sure what is broken here, tbh.
Any obvious things I'm missing to check would be greatly appreciated.
The main router is a Fitlet1 x86 fanless SFF machine with OpenWrt 21.02.01.
Switch is an HP OfficeConnect 1920S with PoE.
WAP is a UniFi 6 Lite reflashed with OpenWrt.
Not much to go on here. How about some configs? A topology diagram? Test methods? Does the problem exist on WiFi and Ethernet? What about if you plug a device directly into the router (bypassing the switch)?
Please copy the output of the following commands and post it here using the "Preformatted text </>" button.
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
/etc/config/network
followed by dhcp and firewall. I'll leave out wireless for now, as I'm not as concerned about getting that back online yet (and I suspect it's working fine; it's an external WAP).
```
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth1'
	list ports 'eth2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth3'
	option peerdns '0'

config interface 'wg0'
	option proto 'wireguard'
	option listen_port '51820'
	list addresses '192.168.2.1/24'
	option private_key 'BLANKED'

config wireguard_wg0
	option public_key 'BLANKED'
	option persistent_keepalive '25'
	list allowed_ips '192.168.2.2/32'
	option description 'a20e'
	option route_allowed_ips '1'

config wireguard_wg0
	option description 'X1'
	option public_key 'BLANKED'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	list allowed_ips '192.168.1.0/24'
	list allowed_ips '192.168.2.3/32'
```
First check would be trying to connect to the router via ssh (maybe over WireGuard) to get a look at dmesg/logread, as well as checking the overlay for config corruption (/overlay/upper/).
Then debug your issue methodically: can the router (over ssh) ping, e.g., google by name and by IP, and can you get website contents (wget -O- http://google.com)?
Next step: disconnect the switch/AP and put a computer directly on your router's LAN port. Do you get a DHCP lease, are IP, gateway and DNS correct, can you ping the router and google, and can you fetch site contents?
Check the AP (directly on your router's LAN port) and the switch individually (directly on your router's LAN port) and check again how your computer connected to either of those behaves.
Rinse and repeat until you know exactly what is misbehaving, and debug that further.
Allowed IPs has to do with the traffic that should go through the tunnel, basically the destination addresses. By setting that on this side, you created a routing conflict where the traffic that should have gone to the actual LAN devices couldn't be properly routed because of a conflict about where the traffic should go (local or through the tunnel).
You should delete the line so that it can’t be accidentally uncommented and cause problems in the future.
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
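The conflict described above can be checked mechanically before it takes a LAN down. The following script is an added example written for this thread, not code from the original posts or from OpenWrt: it parses a UCI-style `/etc/config/network` with a deliberately minimal parser (an assumption; the real UCI grammar has more forms), collects the subnets the router owns locally (static interfaces plus WireGuard interface addresses), and flags any `wireguard_<iface>` peer with `route_allowed_ips '1'` whose `allowed_ips` overlaps a subnet that belongs to a different interface. The sample config embedded in it is constructed to mirror the posted one. It also produces a cleaned copy with just the offending `list allowed_ips` lines removed, which is the fix applied in the thread.

```python
import ipaddress
import shlex

# Constructed sample mirroring the posted config: the 'X1' peer lists the
# router's own LAN /24 in allowed_ips while route_allowed_ips is enabled.
SAMPLE_NETWORK_CONFIG = """
config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'

config interface 'wan'
    option proto 'dhcp'
    option device 'eth3'

config interface 'wg0'
    option proto 'wireguard'
    option listen_port '51820'
    list addresses '192.168.2.1/24'

config wireguard_wg0
    option description 'a20e'
    option route_allowed_ips '1'
    list allowed_ips '192.168.2.2/32'

config wireguard_wg0
    option description 'X1'
    option route_allowed_ips '1'
    list allowed_ips '192.168.1.0/24'
    list allowed_ips '192.168.2.3/32'
"""


def parse_uci(text):
    """Minimal UCI parser (assumption: only config/option/list lines)."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = shlex.split(line)
        if parts[0] == 'config':
            name = parts[2] if len(parts) > 2 else None
            sections.append({'type': parts[1], 'name': name,
                             'options': {}, 'lists': {}})
        elif parts[0] == 'option' and sections:
            sections[-1]['options'][parts[1]] = parts[2] if len(parts) > 2 else ''
        elif parts[0] == 'list' and sections:
            sections[-1]['lists'].setdefault(parts[1], []).append(parts[2])
    return sections


def local_subnets(sections):
    """Return [(interface_name, ip_network)] for subnets the router owns."""
    subnets = []
    for s in sections:
        if s['type'] != 'interface':
            continue
        o = s['options']
        if o.get('proto') == 'static' and 'ipaddr' in o and 'netmask' in o:
            net = ipaddress.ip_network(f"{o['ipaddr']}/{o['netmask']}", strict=False)
            subnets.append((s['name'], net))
        elif o.get('proto') == 'wireguard':
            for addr in s['lists'].get('addresses', []):
                subnets.append((s['name'], ipaddress.ip_network(addr, strict=False)))
    return subnets


def find_route_conflicts(sections):
    """Flag routed allowed_ips that overlap a subnet of another interface."""
    subnets = local_subnets(sections)
    conflicts = []
    for idx, s in enumerate(sections):
        if not s['type'].startswith('wireguard_'):
            continue
        iface = s['type'][len('wireguard_'):]
        if s['options'].get('route_allowed_ips') != '1':
            continue  # no route installed, so no conflict with local routes
        for allowed in s['lists'].get('allowed_ips', []):
            allowed_net = ipaddress.ip_network(allowed, strict=False)
            for ifname, net in subnets:
                if ifname != iface and allowed_net.overlaps(net):
                    conflicts.append({'section': idx, 'peer': s['options'].get('description', iface),
                                      'allowed_ip': allowed, 'interface': ifname, 'subnet': str(net)})
    return conflicts


def remove_conflicting_allowed_ips(text):
    """Return the config with only the conflicting 'list allowed_ips' lines dropped."""
    bad = {(c['section'], c['allowed_ip']) for c in find_route_conflicts(parse_uci(text))}
    out, idx = [], -1
    for raw in text.splitlines():
        parts = shlex.split(raw.strip()) if raw.strip() else []
        if parts and parts[0] == 'config':
            idx += 1
        if len(parts) == 3 and parts[:2] == ['list', 'allowed_ips'] and (idx, parts[2]) in bad:
            continue
        out.append(raw)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    for c in find_route_conflicts(parse_uci(SAMPLE_NETWORK_CONFIG)):
        print(f"peer {c['peer']}: allowed_ips {c['allowed_ip']} would steal "
              f"{c['interface']} ({c['subnet']}) into the tunnel")
```

On the posted config this reports the `X1` peer's `192.168.1.0/24` entry against `lan`; the `192.168.2.x/32` entries are inside `wg0`'s own `/24` and are left alone, since that is exactly where they belong. Note that the same check would also catch a narrower entry such as a single LAN host `/32`, which is worth keeping in mind when a peer really does need to reach a LAN address: the route for that host must then be reachable through the tunnel, not the bridge.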
That makes perfect sense upon further explanation.
I sincerely thank you for the help. I was feeling really frustrated by this time and wasn't making any progress fixing it all last night; I definitely should have asked for help sooner. I'll delete the line now that I understand better what it does.