Firewall rule to forward traffic from specific SSID to WireGuard Iface

I just finished setting up my first OpenWrt router, and it was working fine. Except for one thing:
My network is full of Apple devices, and I'm used to using Airplay/Airprint from any wireless SSID. But this did not work anymore from the Guest interface which I've used to create a wireless SSID with Wireguard VPN.

Now I'm trying to put everything into a single VLAN, so that all the Bonjour/Airplay services will work normally, but also have a dedicated wireless SSID that sends all connected devices through a WireGuard VPN connection.

What I want to achieve:

  • Wireless SSID wifi_1_5GHz, wifi_2_2.4GHz = unencrypted, direct WAN connection.
  • Wireless SSID wifi_3_5GHz = all devices connected are routed through WAN_VPN WireGuard interface.

I'm playing around with the Firewall rules, but haven't really achieved anything so far.

Is what I describe here even possible?

I'm not aware of a way to achieve this using a single VLAN.

Perhaps it's worth trying multiple VLANs with Policy-Based Routing, and then seeing if Avahi can be used to meet your Bonjour/Airplay requirement?

@tectonic thanks! :slight_smile:

I actually set up avahi already before, I didn't mention it because I didn't want to overcomplicate the thread.

The problem with avahi is that not everything works. I cannot Airplay video/music from apps & websites between SSIDs in different VLANs, only screen mirroring works, as well as Airplay from my camera roll.

I've read that for full Airplay support one VLAN is required, hence my question whether this can be done with a Firewall rule.

I went another way, and created only one wan & one lan interface for internet.
For VPN I created one wireguard interface.
Then a static route and rule, to route one of my hosts static leases through the wireguard interface.

It almost works, but it seems IPv6 or something is leaking.
IPv4 is routed through the wireguard interface, and I can also see the custom IPv4 DNS server when the host device connects to my wifi network.

How can I make sure that all traffic from my device, really goes through the wireguard interface?

PS: My VPN provider does not include ipv6 connectivity. (Windscribe)

Here is the related config I have so far:

/etc/config/dhcp

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config host
        option mac 'C8:69:CD:5F:AF:18'
        option leasetime '900'
        option dns '1'
        option name 'apple-tv'
        option ip '192.168.1.192'
        option networkid 'wan_vpn'
        list dhcp_option '6,10.255.255.3'
        option dhcpv6 'disabled'

/etc/config/network

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'pppoe'
	option username 'blahblah'
	option ipv6 'auto'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'
	option peerdns '0'
	option password 'blahblah'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'

config rule
	option in 'lan'
	option src '192.168.1.192/32'
	option lookup 'vpn'

config route
	option interface 'wan_vpn'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option metric '10'
	option table 'vpn'
	option mtu '1420'
	list dns '10.255.255.3'

root@OpenWrt:~# ip rule show
0:	from all lookup local
1:	from 192.168.1.192 iif br-lan lookup vpn
2:	from 192.168.1.222 iif br-lan lookup vpn
32766:	from all lookup main
32767:	from all lookup default
root@OpenWrt:~# ip rule show table vpn
1:	from 192.168.1.192 iif br-lan lookup vpn
2:	from 192.168.1.222 iif br-lan lookup vpn
root@OpenWrt:~# ip route show table vpn
default dev wan_vpn proto static scope link metric 10 mtu 1420

EDIT:

If I go to https://ipleak.net with one of the devices that are redirected through wireguard, I see the IPv4 of my VPN.

But the IPv6 of my ISP... So this is def. causing the issues.

Wireguard is Layer 3, aren't these Apple technologies Layer 2?

I don't know what you mean by that @lleachii sorry :slight_smile:
I can give you a more noobie explanation though haha.

When I connect through Wireguard app on my phone/iPad it works, and I can for example watch itunes etc.

With the static route, it doesn't work 100% because something is leaking, I believe IPv6/DNS.

So I'm asking, what can I do to make all traffic go through the WG interface? Because I'm not even sure what I'm doing haha. Not enough knowledge.

By not using IPv6 on the device.


@krazeh haha thanks, I should have maybe worded that differently :slight_smile:
That is pretty much my question, how can I do that for the static route only?

Ideally you'd disable IPv6 on the device itself. If that's not possible then I would try a firewall rule such as:

config rule
        option name 'prevent ipv6'
        option family 'ipv6'
        list proto 'all'
        option src 'lan'
        option dest 'wan'
        option target 'DROP'
        list src_mac '<fill in MAC address for device>'
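As an added example (not from the thread or from OpenWrt itself), a small audit script that ties the three pieces of this thread together: it parses the `config host` entries from `/etc/config/dhcp`, the `ip rule show` output, and the `config rule` sections of `/etc/config/firewall`, and reports every host that is policy-routed into the `vpn` table but has no IPv6 DROP rule keyed on its MAC, i.e. a device whose IPv6 would still leave via the ISP. The inputs are constructed samples modelled on the configs above; the second host's name and MAC are made up.

```python
import re
# Constructed inputs modelled on the thread's configs; the second host's
# name and MAC are made up, its IP 192.168.1.222 comes from the ip rule output.
DHCP_CONF = """config host
        option mac 'C8:69:CD:5F:AF:18'
        option name 'apple-tv'
        option ip '192.168.1.192'
config host
        option mac '00:11:22:33:44:55'
        option name 'ipad'
        option ip '192.168.1.222'"""
FIREWALL_CONF = """config rule
        option family 'ipv6'
        option src 'lan'
        option dest 'wan'
        option target 'DROP'
        list src_mac 'C8:69:CD:5F:AF:18'"""
IP_RULE_OUTPUT = """0:      from all lookup local
1:      from 192.168.1.192 iif br-lan lookup vpn
2:      from 192.168.1.222 iif br-lan lookup vpn
32766:  from all lookup main"""
def parse_uci(text, section_type):
    """One dict per 'config <section_type>' block; list keys accumulate."""
    sections, current = [], None
    for line in text.splitlines():
        head = re.match(r"\s*config\s+(\S+)", line)
        kv = re.match(r"\s*(option|list)\s+(\S+)\s+'([^']*)'", line)
        if head:
            current = {} if head.group(1) == section_type else None
            if current is not None:
                sections.append(current)
        elif kv and current is not None:
            kind, key, val = kv.groups()
            if kind == "option":
                current[key] = val
            else:
                current.setdefault(key, []).append(val)
    return sections
def vpn_routed_ips(ip_rule_output, table="vpn"):
    """IPv4 sources that 'ip rule show' sends to the given routing table."""
    pat = r"from (\d+(?:\.\d+){3}) .*lookup " + re.escape(table) + r"\s*$"
    return set(re.findall(pat, ip_rule_output, re.MULTILINE))
def ipv6_leak_candidates(dhcp_conf, firewall_conf, ip_rule_output):
    """Hosts policy-routed to the VPN whose MAC has no IPv6 DROP rule to wan."""
    blocked = {m.upper() for r in parse_uci(firewall_conf, "rule")
               if (r.get("family"), r.get("dest"), r.get("target")) == ("ipv6", "wan", "DROP")
               for m in r.get("src_mac", [])}
    routed = vpn_routed_ips(ip_rule_output)
    return sorted(h["name"] for h in parse_uci(dhcp_conf, "host")
                  if h.get("ip") in routed and h.get("mac", "").upper() not in blocked)
```

With the sample data only `ipad` is flagged, because the DROP rule covers the Apple TV's MAC but not the second routed host; on a real router feed it the actual files and `ip rule show` output.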

This was it! Thanks so much @krazeh
It's kinda hard even realizing all of the options you can set with OpenWrt :slight_smile:
Learned a big one about firewall rules here, thanks!
