Firewall mysteriously blocking responses to outgoing connections

Huh...you're running a Java SDK on your router!?!?

Since you never provide information on this, it's unclear why you even mentioned the IPs...but if your routes are incorrect, that could cause an issue. Additionally, there's a setting that if the inbound packet enters an interface that the router cannot reply with due to an invalid or absent route using that interface - the packet is dropped. :wink:

  • What routes did you add (routes are rarely needed for such connections)?
  • Where is this 192.168.15.0/24 network...is this WAN, LAN or the WG interface???
  • Also, I'm completely unclear on what you mean by a /48 and /60
    • Please specify the location of these networks - they cannot be gleaned from the information already provided
  • You don't mention settings on the affected machines (i.e. Windows)
    • Did you alter any setting that affects ports 61000 or greater???
  • Have you returned the settings back to normal???

Your wording seems to imply you're quite aware of those settings...

I think you should begin with a default config, then re-install WireGuard, then reconfigure the routes.

Jool is an in-kernel NAT64 implementation.

On a different computer on the LAN that is running the WireGuard "server", which is why there are static routes.

I have not touched any settings on those computers; they are left at defaults.

WireGuard is not on the router. Last time this happened I did try removing the routes. Also, if the routes were incorrect, all traffic would be affected.

NAT64...wow...OK, wow, then multiple pieces of software have the same name. This is the first time you mentioned this.

  • I'm still unclear on why a route is needed; perhaps you should show us these routes
  • To be clear, WG isn't running on the OpenWrt?
  • Are you sending IPv6 on WG too?

:confused:

  • Did this ever work...and it stopped working ??
  • Then I definitely advise resetting the OpenWrt.


The route is needed as I'm avoiding using NAT on the VPN at all, but more specifically for the v6.

It did work, the only commonality was upgrading to the latest version.

I have just realised that I didn't mention the version I'm on: 21.02.0.

You tell the OpenWrt that 192.168.15.0/24 is located through 192.168.1.11.

  • So again where is 192.168.15.0/24?
  • Is this the WG?

...are these Windows machines connected to WG?

After reading all this thread, my humble first impression is that this could be a NAT issue.

When a client tries to open a connection with an external server, the router must open a connection from its WAN interface, and route/NAT the traffic between the client and the server. For some reason, it looks like the router is assigning a high port to that outgoing connection, and then rejecting the response packets from the server.

That NAT64 feature, and the local port range parameter, could both be related. Perhaps the NAT helper is choosing a port that should be reserved for other purposes, and hence the blocking on the response packets.
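As an added illustration of the port-collision hypothesis in this reply (not code from the thread or from the Jool project): a small Python check that compares the kernel's ephemeral port range with the port range a NAT64 translator borrows from the interface address. The 61001-65535 default below is an assumption taken from Jool's documented behaviour for an empty pool4 and should be verified against the installed version; the sample sysctl values are constructed.

```python
"""Detect overlap between the kernel's ephemeral port range and the ports a
NAT64 translator (Jool, as discussed in the thread) reserves on the interface
address. Overlap means a locally initiated connection can pick a source port
the translator also owns, so reply packets are dropped or handed to NAT64."""
from typing import Optional, Tuple

PortRange = Tuple[int, int]

# Assumption: Jool's documented fallback port range when pool4 is empty.
JOOL_DEFAULT_POOL4: PortRange = (61001, 65535)


def parse_local_port_range(text: str) -> PortRange:
    """Parse the 'low<TAB>high' line from /proc/sys/net/ipv4/ip_local_port_range."""
    parts = text.split()
    if len(parts) != 2:
        raise ValueError(f"unexpected ip_local_port_range content: {text!r}")
    low, high = int(parts[0]), int(parts[1])
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"port range out of bounds: {low}-{high}")
    return low, high


def port_overlap(a: PortRange, b: PortRange) -> Optional[PortRange]:
    """Return the span shared by two inclusive port ranges, or None if disjoint."""
    low, high = max(a[0], b[0]), min(a[1], b[1])
    return (low, high) if low <= high else None


def check_nat64_conflict(local_range_text: str,
                         pool4: PortRange = JOOL_DEFAULT_POOL4) -> str:
    """Human-readable verdict for the given sysctl text and translator port pool."""
    ephemeral = parse_local_port_range(local_range_text)
    shared = port_overlap(ephemeral, pool4)
    if shared is None:
        return f"ok: ephemeral {ephemeral} and NAT64 pool {pool4} are disjoint"
    return (f"conflict: ports {shared[0]}-{shared[1]} are both ephemeral and "
            f"reserved by the NAT64 pool; narrow one of the ranges")


if __name__ == "__main__":
    # Constructed samples: the Linux default range, then a widened range
    # that reaches into the ports the translator reserves.
    print(check_nat64_conflict("32768\t60999"))
    print(check_nat64_conflict("32768\t65535"))
```

On the router, feed it the contents of /proc/sys/net/ipv4/ip_local_port_range and the port range your Jool client reports for pool4 instead of the constructed values.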

I will try disabling Jool for a moment to see if that changes anything.

Jool appears to have been causing it, although I'm not sure why. Having read the docs, I now know why.

I should have also mentioned Jool earlier.

Thank you for the help.
