GL.iNet router connects to the VPN server, but a computer connected via WLAN/LAN has no access to the VPN network

I use a GL.iNet router as an OpenVPN client to connect to our company server. The VPN connection itself seems to work: I can ping other VPN clients directly from the router via the SSH console.

However, when I connect a computer via LAN or WiFi, that computer cannot reach the VPN clients.

I suspect that I only need to add one more route so that the network behind the router is connected to the VPN tunnel.

My routing table looks like this:

root@GL-AR750:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.2.1     0.0.0.0         UG    10     0        0 eth0
10.8.4.0        10.8.4.133      255.255.255.0   UG    0      0        0 tun0
10.8.4.133      *               255.255.255.255 UH    0      0        0 tun0
192.168.2.0     *               255.255.255.0   U     10     0        0 eth0
192.168.157.0   10.8.4.133      255.255.255.0   UG    0      0        0 tun0
192.168.158.0   10.8.4.133      255.255.255.0   UG    0      0        0 tun0
192.168.164.0   10.8.4.133      255.255.255.0   UG    0      0        0 tun0
192.168.165.0   10.8.4.133      255.255.255.0   UG    0      0        0 tun0
192.168.166.0   10.8.4.133      255.255.255.0   UG    0      0        0 tun0
192.168.167.0   10.8.4.133      255.255.255.0   UG    0      0        0 tun0
192.168.170.0   10.8.4.133      255.255.255.0   UG    0      0        0 tun0
192.168.171.0   10.8.4.133      255.255.255.0   UG    0      0        0 tun0
192.168.173.0   10.8.4.133      255.255.255.0   UG    0      0        0 tun0
192.168.174.0   *               255.255.255.0   U     0      0        0 br-lan

The VPN server in our company has the address 10.8.4.1.

Local network: 192.168.174.x
Router: 192.168.174.1

Can someone tell me what I have to do so that a computer connected to the router can reach the VPN network?

I can reach the router itself, but not the devices in the VPN network behind it.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords (the `option key` lines in the wireless export are your WPA2 keys), MAC addresses and any public IP addresses you may have.

# Diagnostic dump for the forum: board/firmware info, the UCI network,
# wireless, dhcp and firewall config, the firewall.user include, IPv4
# addresses, every routing table and the policy rules, and the resolver files.
# Redact before posting: 'uci export wireless' prints WPA keys ('option key')
# in clear text, and the other exports may carry further credentials or
# public addresses.
ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
root@GL-AR750:~# ubus call system board;
{
	"kernel": "4.9.120",
	"hostname": "GL-AR750",
	"system": "Qualcomm Atheros QCA9533 ver 2 rev 0",
	"model": "GL.iNet GL-AR750",
	"board_name": "gl-ar750",
	"release": {
		"distribution": "OpenWrt",
		"version": "18.06.1",
		"revision": "r7258-5eb055306f",
		"target": "ar71xx\/generic",
		"description": "OpenWrt 18.06.1 r7258-5eb055306f"
	}
}
root@GL-AR750:~# uci export network; uci export wireless;
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdfc:784f:8f39::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option hostname 'GL-AR750-cd6'
	option ipaddr '192.168.174.1'

config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'
	option hostname 'GL-AR750-cd6'
	option metric '10'

config interface 'wan6'
	option ifname 'eth0'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 0t'

config interface 'guest'
	option ifname 'guest'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.9.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config route
	option interface 'lan'
	option gateway '10.8.4.0'
	option target '192.168.0.0'
	option netmask '255.255.255.0'
	option type 'anycast'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option htmode 'VHT80'
	option txpower '20'
	option txpower_max '20'
	option band '5G'
	option disabled '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option ifname 'wlan0'
	option wds '1'
	option ssid 'Rhy_VPN_5G'
	option key 'Bill1895'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/qca953x_wmac'
	option channel '6'
	option htmode 'HT40'
	option noscan '1'
	option txpower '20'
	option txpower_max '20'
	option band '2G'
	option disabled '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option wds '1'
	option ifname 'wlan1'
	option ssid 'Rhy_VPN_2.4G'
	option key 'Bill1895'

config wifi-iface 'guest5g'
	option device 'radio0'
	option network 'guest'
	option mode 'ap'
	option wds '1'
	option ssid 'GL-AR750-cd6-Guest-5G'
	option encryption 'psk2'
	option key 'goodlife'
	option ifname 'wlan2'
	option disabled '1'
	option guest '1'

config wifi-iface 'guest2g'
	option device 'radio1'
	option network 'guest'
	option mode 'ap'
	option wds '1'
	option ssid 'GL-AR750-cd6-Guest'
	option encryption 'psk2'
	option key 'goodlife'
	option ifname 'wlan3'
	option disabled '1'
	option guest '1'
root@GL-AR750:~# uci export dhcp; uci export firewall;
package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option force '1'
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option dhcpv6 'server'
	option ra 'server'

config domain 'localhost'
	option name 'console.gl-inet.com'
	option ip '192.168.174.1'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'
	option reload '1'

config include 'gls2s'
	option type 'script'
	option path '/var/etc/gls2s.include'
	option reload '1'

config include 'glfw'
	option type 'script'
	option path '/usr/bin/glfw.sh'
	option reload '1'

config include 'glqos'
	option type 'script'
	option path '/usr/sbin/glqos.sh'
	option reload '1'

config include 'mwan3'
	option type 'script'
	option path '/var/etc/mwan3.include'
	option reload '1'

config zone 'guestzone'
	option name 'guestzone'
	option network 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding 'guestzone_fwd'
	option src 'guestzone'
	option dest 'wan'

config rule 'guestzone_dhcp'
	option name 'guestzone_DHCP'
	option src 'guestzone'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule 'guestzone_dns'
	option name 'guestzone_DNS'
	option src 'guestzone'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

config rule 'glservice_rule'
	option name 'glservice'
	option dest_port '83'
	option proto 'tcp udp'
	option src 'wan'
	option target 'ACCEPT'
	option enabled '0'

root@GL-AR750:~# head -n -0 /etc/firewall.user;

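force_dns() {
	# Force clients on the LAN bridge to use the router's own resolver by
	# DNAT-ing every port-53 packet to the LAN address (glconfig "force DNS").
	#
	# Arguments: $1 - "add" to install the rules, "remove" to delete them
	# Globals:   reads network.lan.ipaddr and glconfig.general.ipaddr via uci;
	#            "add" stores the address it used in glconfig.general.ipaddr so
	#            a later "remove" still finds the rules after the LAN address
	#            was changed.
	# Returns:   exit status of the last iptables call
	#
	# The rules are bound to the LAN bridge with -i.  Without it they match on
	# every interface the PREROUTING chain sees -- WAN and VPN tunnels included
	# -- and only the INPUT filter stands between the internet and the resolver.
	local action="$1"
	local lan_dev="br-lan"   # l3 device of the bridged 'lan' interface (see ip -4 addr)
	local lanip ip proto
	lanip=$(uci get network.lan.ipaddr)

	case "$action" in
	add)
		# Address the rules were installed for last time; may differ from the
		# current LAN address if the LAN was renumbered in between.
		ip=$(uci get glconfig.general.ipaddr)
		[ -z "$ip" ] && ip="$lanip"
		for proto in udp tcp; do
			# Drop stale rules first: the unscoped form older firmware installed
			# as well as the interface-bound form.  Not finding one is normal on
			# the first run, so the error output is hidden.
			iptables -t nat -D PREROUTING -s 0/0 -p "$proto" --dport 53 -j DNAT --to "$ip" 2>/dev/null
			iptables -t nat -D PREROUTING -i "$lan_dev" -p "$proto" --dport 53 -j DNAT --to "$ip" 2>/dev/null
		done
		uci set glconfig.general.ipaddr="$lanip"
		uci commit glconfig
		for proto in udp tcp; do
			# -C checks for the rule; insert only when it is missing so repeated
			# firewall reloads do not stack duplicates.
			iptables -t nat -C PREROUTING -i "$lan_dev" -p "$proto" --dport 53 -j DNAT --to "$lanip" 2>/dev/null \
				|| iptables -t nat -I PREROUTING -i "$lan_dev" -p "$proto" --dport 53 -j DNAT --to "$lanip"
		done
		;;
	remove)
		ip=$(uci get glconfig.general.ipaddr)
		[ -z "$ip" ] && ip="$lanip"
		for proto in udp tcp; do
			iptables -t nat -C PREROUTING -i "$lan_dev" -p "$proto" --dport 53 -j DNAT --to "$ip" 2>/dev/null \
				&& iptables -t nat -D PREROUTING -i "$lan_dev" -p "$proto" --dport 53 -j DNAT --to "$ip"
			# Also clear the unscoped rule left behind by older firmware.
			iptables -t nat -C PREROUTING -s 0/0 -p "$proto" --dport 53 -j DNAT --to "$ip" 2>/dev/null \
				&& iptables -t nat -D PREROUTING -s 0/0 -p "$proto" --dport 53 -j DNAT --to "$ip"
		done
		;;
	esac
}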

# GL.iNet "force DNS" switch: this script treats glconfig.general.force_dns as a
# presence flag -- set means on, unset means off -- so only emptiness is tested.
# NOTE(review): any non-empty value, '0' included, counts as enabled here;
# confirm the UI deletes the option instead of writing 0 when turning it off.
force=$(uci get glconfig.general.force_dns)
case "$force" in
	"") force_dns remove ;;
	*)  force_dns add ;;
esac
gl-firewall

# PPTP passthrough: attach the pptp conntrack helper to outgoing PPTP control
# connections (TCP 1723).  The rule is deleted before it is appended so that
# repeated firewall reloads do not stack duplicates; on the first run the -D
# fails harmlessly because nothing exists yet.
iptables -t raw -D OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
iptables -t raw -A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
root@GL-AR750:~# ip -4 addr ; ip -4 ro li tab all ; ip -4 ru;
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.2.211/24 brd 192.168.2.255 scope global eth0
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.174.1/24 brd 192.168.174.255 scope global br-lan
       valid_lft forever preferred_lft forever
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.8.4.134 peer 10.8.4.133/32 scope global tun0
       valid_lft forever preferred_lft forever
default via 192.168.2.1 dev eth0 table 1 
default via 192.168.2.1 dev eth0 proto static src 192.168.2.211 metric 10 
10.8.4.0/24 via 10.8.4.133 dev tun0 
10.8.4.133 dev tun0 proto kernel scope link src 10.8.4.134 
192.168.2.0/24 dev eth0 proto static scope link metric 10 
192.168.163.0/24 via 10.8.4.133 dev tun0 
192.168.174.0/24 dev br-lan proto kernel scope link src 192.168.174.1 
local 10.8.4.134 dev tun0 table local proto kernel scope host src 10.8.4.134 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.2.0 dev eth0 table local proto kernel scope link src 192.168.2.211 
local 192.168.2.211 dev eth0 table local proto kernel scope host src 192.168.2.211 
broadcast 192.168.2.255 dev eth0 table local proto kernel scope link src 192.168.2.211 
broadcast 192.168.174.0 dev br-lan table local proto kernel scope link src 192.168.174.1 
local 192.168.174.1 dev br-lan table local proto kernel scope host src 192.168.174.1 
broadcast 192.168.174.255 dev br-lan table local proto kernel scope link src 192.168.174.1 
0:	from all lookup local 
1001:	from all iif eth0 lookup main 
2001:	from all fwmark 0x100/0x3f00 lookup 1 
2061:	from all fwmark 0x3d00/0x3f00 blackhole
2062:	from all fwmark 0x3e00/0x3f00 unreachable
32766:	from all lookup main 
32767:	from all lookup default 
root@GL-AR750:~# ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
lrwxrwxrwx    1 root     root            16 Oct  9  2019 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Oct 25 10:14 /tmp/resolv.conf
-rw-r--r--    1 root     root            56 Oct 25 11:18 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 192.168.2.1
search fritz.box

The `config route` section in your network config is wrong on every count: the gateway 10.8.4.0 is the network address of the tunnel subnet, not a host; `option type 'anycast'` is wrong (a plain unicast route is needed); and it is attached to `lan` instead of the tunnel interface.

There is no need to set `ifname` in a `wifi-iface`; attaching it with `network` is the better choice.

Other than that, tun0 is not assigned to any network interface or firewall zone. Also, the wireless export above contains your WPA2 keys (`option key`) in clear text; change them now that they have been posted.
Finally, your OpenWrt version is old and unsupported. Consider upgrading to the latest 18.06.8 or 19.07.4.


hey trendy

Can you explain that to me a little?

I thought that if I set a route for 192.168.0.0 pointing at the VPN network 10.8.4.0, then all requests for those addresses would be routed into that network.

I would like all inquiries from the LAN or WLAN if they concern the addresses 192.168.x.x to be routed into the VPN tunnel.

Where is my mistake here?

I have not yet understood your suggestion. What is currently preventing traffic between LAN/WLAN and the VPN?

Where and how do I take the settings for which you suggested?

OpenVPN-related routes should be configured in the VPN config, not as a static UCI route.
Otherwise you risk running into race conditions.
Moreover, the gateway is supposed to be inside the VPN network, not the LAN.
In short, add to the VPN server config as is:

push "route 192.168.0.0 255.255.255.0 vpn_gateway 1000"

The `force_dns` DNAT rules in /etc/firewall.user match `-s 0/0` without any `-i`, i.e. on every interface, WAN included; that opens your DNS to the internet.
There is a much safer and simpler way to intercept DNS:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns

Better replace the PPTP passthrough lines at the end of /etc/firewall.user with this:
https://openwrt.org/docs/guide-user/services/vpn/pptp/extras#nat_traversal

Before I optimize my settings, this has to work first. I have added the push command
push "route 192.168.0.0 255.255.255.0 10.8.4.1 1000"
but without success. I think I have to explain my setup a little more.

Laptop 192.168.174.x is connected to GL-Inet router 192.168.174.1
The router is used to establish a VPN connection to an OpenVPN server configured with client-to-client.
We have clients that only expose their own network (e.g. at machine controls) so it can be reached for remote maintenance, and other clients that connect to several of those networks to perform the remote maintenance.

These remote maintenance clients are then configured as follows:
Routes are created for each client network to be reached
push "route 192.168.163.0 255.255.255.0"   # client 1
Normally the remote-control client runs OpenVPN software installed in its operating system. So far so good; that all works.
Now I want the GL.iNet router to establish the VPN connection, so that a computer behind it can do remote maintenance without having OpenVPN installed.
That makes me independent of incompatibilities between installed software versions.

As I said, I had a connection to a client from the router itself when I used the route
push "route 192.168.0.0 255.255.255.0"

But from the computer connected behind the router I could not ping that IP.

I guess I have problems understanding this.


Use `vpn_gateway` literally, do not replace it with an IP address, and do not remove the metric.
Then restart the server, reconnect the client and check the client's routing:

ip route get 192.168.0.1

Sorry for the late reply. I was out of the house for a few days and couldn't continue.
Below is the result of the route check. That looks plausible to me at first glance, doesn't it? The router tries to route through the VPN tunnel.

root@GL-AR750:~# ip route get 192.168.0.1
192.168.0.1 via 10.8.4.25 dev tun0 src 10.8.4.26 
    cache

Configure the firewall on the VPN client router so that the tunnel device belongs to a zone:

# Attach the OpenVPN tunnel device(s) to the first firewall zone so tunnel
# traffic is handled by that zone's rules.  @zone[0] is the first 'config zone'
# in /etc/config/firewall -- 'lan' in the config posted above; verify with
#   uci show firewall.@zone[0].name
# before committing.
uci add_list firewall.@zone[0].device="tun+"
uci commit firewall
/etc/init.d/firewall restart

Be aware that this puts the tunnel into the `lan` zone, whose input and forward policies are ACCEPT, so every peer reachable through the VPN (all other clients, in a client-to-client setup) gets the same access to the router and your LAN as a locally connected machine. If that is more trust than you want, give `tun+` a zone of its own and only add a forwarding from lan to that zone. Then announce the client subnet on the VPN server using CCD:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#site-to-site

I did, but it hasn't changed.

The CCD config is as follows:
push "route 192.168.163.0 255.255.255.0"

This client is actual available and i can ping the IP address with a different client account.

ip route get 192.168.163.1
192.168.163.1 via 10.8.4.25 dev tun0 src 10.8.4.26
cache

That `push` belongs in the server config, not in the CCD file.
You should also specify gateway and metric for the pushed route;
a custom metric is important to avoid routing collisions.
And you are missing the `iroute` directive in the CCD config, which tells the server that this client's subnet lives behind this client.

I've tried a lot now.
Currently I can ping the computer behind client 2 from the router of client 1.

Unfortunately, this only works if I restart the firewall after the client 1 router has booted. I do that with a delayed script at boot, but that doesn't seem like the correct solution to me.

When I try to connect from client 1 to client 2 with VNC software on port 5900, it only works if I disable the firewall on the client 1 router.

The root of all my problems seems to be the firewall on the client 1 router.

Client 1:
router 192.168.174.1
Computer: 192.168.174.162

Client: 2
router 192.168.173.1
Computer: 192.168.173.187

Firewall Client 1

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun+'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'
	option reload '1'

config include 'glfw'
	option type 'script'
	option path '/usr/bin/glfw.sh'
	option reload '1'

config zone 'guestzone'
	option name 'guestzone'
	option network 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding 'guestzone_fwd'
	option src 'guestzone'
	option dest 'wan'

config rule 'guestzone_dhcp'
	option name 'guestzone_DHCP'
	option src 'guestzone'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule 'guestzone_dns'
	option name 'guestzone_DNS'
	option src 'guestzone'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

config rule 'glservice_rule'
	option name 'glservice'
	option dest_port '83'
	option proto 'tcp udp'
	option src 'wan'
	option target 'ACCEPT'
	option enabled '0'

config include 'gls2s'
	option type 'script'
	option path '/var/etc/gls2s.include'
	option reload '1'

config include 'glqos'
	option type 'script'
	option path '/usr/sbin/glqos.sh'
	option reload '1'

config include 'mwan3'
	option type 'script'
	option path '/var/etc/mwan3.include'
	option reload '1'

It's problematic to troubleshoot as your firewall config significantly differs from the OpenWrt defaults.


I haven't changed much.
However, I have now posted the contents of /etc/config/firewall.
I don't find any rule in the firewall that prohibits traffic from the LAN into the VPN tunnel.
Or do I have to create a rule that allows the traffic from the LAN into the VPN tunnel? The ping is a separate thing.

How can I find out which rule I am missing or which rule is hindering me?

You are using GL.iNet firmware, so it is best to ask in their forum: we do not know what all the GL.iNet scripts included by your firewall config (glfw.sh, gls2s, glqos, mwan3) do.
