How to change default gateway only for LAN interface?

I have several interfaces, but I need to make all requests from the LAN network go through a different gateway, not the one that goes through the WAN.
I tried via LuCI but nothing changed.


Do I have to write a rule like "everything from LAN → default gw 192.168.0.1", or is there another way to do this? (192.168.0.1 is reachable; I can even do nslookup against it.)
Maybe like this?

You probably need to use policy-based routing. But can you provide more detail?


network

root@my:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.222.1'
        option delegate '0'
        option ipv6 '0'
        option defaultroute '0'
        option gateway '192.168.0.1'

config device
        option name 'eth0.2'
        option macaddr 'f8:00:0c:0c:09:00'

config interface 'wan'
        option device 'eth0.2'
        option proto 'pppoe'
        option username '000'
        option password '000'
        option ipv6 '0'

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'eOneBBvXA='
        list addresses '192.168.9.1/24'
        option listen_port '700000'

config device
        option name 'vpn'
        option ipv6 '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '6t 1 2 3'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t 4'
        option vid '2'

config wireguard_vpn
        option description 'chachina24wifibridge'
        option public_key 'O7Zgyqz3t41R4='
        option route_allowed_ips '1'
        list allowed_ips '192.168.9.88/32'

config wireguard_vpn
        option description 'Ovc0ikrotik'
        option public_key 'C1TdwWcle7rh4='
        option route_allowed_ips '1'
        list allowed_ips '192.168.9.199/32'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '6t 0'
        option vid '249'

config interface '249'
        option proto 'static'
        option device 'eth0.249'
        option ipaddr '192.168.249.1'
        option netmask '255.255.255.0'

config wireguard_vpn
        option description 'Se0e'
        option public_key 'olzBZ4Px7x4='
        option route_allowed_ips '1'
        list allowed_ips '192.168.9.121/32'
        list allowed_ips '192.168.121.0/24'

config wireguard_vpn
        option description 'SonyWorkNout'
        option public_key 'hsUyGmY='
        list allowed_ips '192.168.9.7/32'
        option route_allowed_ips '1'

config interface 'wgcli'
        option proto 'wireguard'
        option private_key 'ABt8BmYqPj2M='
        list addresses '10.197.197.2/32'

config wireguard_wgcli
        option description 'clienttoserv'
        option public_key '/pp71wFX6l2k='
        option route_allowed_ips '1'
        option endpoint_host '000.000.253.000'
        option endpoint_port '800000'
        option persistent_keepalive '24'
        list allowed_ips '10.197.197.1/32'
        list allowed_ips '10.197.197.10/32'
        list allowed_ips '10.197.197.100/32'
        list allowed_ips '10.197.197.101/32'
        list allowed_ips '192.168.0.0/24'

config interface 'wwan'
        option proto 'dhcp'

config route
        option interface 'lan'
        option target '0.0.0.0'
        option gateway '192.168.0.1'

I modified some addresses and ports.

Current routing table

root@my:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         00-00-0-1.m     0.0.0.0         UG    0      0        0 pppoe-wan
10.197.197.1    *               255.255.255.255 UH    0      0        0 wgcli
10.197.197.10   *               255.255.255.255 UH    0      0        0 wgcli
10.197.197.100  *               255.255.255.255 UH    0      0        0 wgcli
10.197.197.101  *               255.255.255.255 UH    0      0        0 wgcli
95.37.0.1       *               255.255.255.255 UH    0      0        0 pppoe-wan
192.168.0.0     *               255.255.255.0   U     0      0        0 wgcli
192.168.9.0     *               255.255.255.0   U     0      0        0 vpn
192.168.9.7     *               255.255.255.255 UH    0      0        0 vpn
192.168.9.88    *               255.255.255.255 UH    0      0        0 vpn
192.168.9.121   *               255.255.255.255 UH    0      0        0 vpn
192.168.9.199   *               255.255.255.255 UH    0      0        0 vpn
192.168.121.0   *               255.255.255.0   U     0      0        0 vpn
192.168.222.0   *               255.255.255.0   U     0      0        0 br-lan
192.168.249.0   *               255.255.255.0   U     0      0        0 eth0.249
000.000.000.000 00-00-0-1.m 255.255.255.255 UGH   0      0        0 pppoe-wan

LAN network is 192.168.222.0/24

firewall

root@my:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wwan'

config rule
        option name 'WG'
        list proto 'udp'
        option src 'wan'
        option dest_port '0000'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config zone
        option name 'VPN'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'vpn'

config rule
        option name 'Iperf3'
        option src 'wan'
        option dest_port '0000'
        option target 'ACCEPT'
        option enabled '0'

config zone
        option name 'videonet'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network '249'

config forwarding
        option src 'videonet'
        option dest 'wan'

config zone
        option name 'wgcli'
        option output 'ACCEPT'
        list network 'wgcli'
        option forward 'ACCEPT'
        option input 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wgcli'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'VPN'

config forwarding
        option src 'lan'
        option dest 'videonet'


I just need all requests from 192.168.222.0/24 to go to 192.168.0.1, which is reached through the WG tunnel.
BTW, nothing changed in the routing table after I added the route via LuCI.

You have two WireGuard tunnels. It appears that 192.168.0.1 is accessible via the WireGuard interface called wgcli — is that correct?

If so, the route should have the address on the local wgcli interface:

config route
        option interface 'lan'
        option target '0.0.0.0'
        option gateway '10.197.197.2/32'

But why should I point to the WG interface if the routing table already knows exactly where 192.168.0.0/24 is? And this wgcli does not have any gateway except the default, which is local.

Because 192.168.0.0/24 isn't directly attached to the router.

But I realized I made 2 mistakes... 1) the route should not include the /32. That was just because I copied the address from the WG stanza and forgot to strip off the subnet mask. and 2) the destination should actually be the router at the other end of the tunnel... I'm going to guess that it is 10.197.197.1. This should accomplish the goal because the router has an address on that network and knows how to send traffic to another host on that network directly.

However, there are a few things you should change...

Make the interface address a /24:

config interface 'wgcli'
        option proto 'wireguard'
        option private_key 'ABt8BmYqPj2M='
        list addresses '10.197.197.2/24'

And then, we're going to make the allowed_ips 0.0.0.0/0 so that any destination is accepted through the tunnel (allowed_ips is WireGuard's per-peer filter for what may enter and leave the tunnel). But, to make sure this doesn't clobber your routing table, we'll also take out the route_allowed_ips option, so the allowed IPs are no longer installed automatically as kernel routes. You can remove all the 10.197.197.x and 192.168.0.0/24 allowed IPs:

config wireguard_wgcli
        option description 'clienttoserv'
        option public_key '/pp71wFX6l2k='
        option endpoint_host '000.000.253.000'
        option endpoint_port '800000'
        option persistent_keepalive '24'
        list allowed_ips '0.0.0.0/0'

Now, change the route:

config route
        option interface 'lan'
        option target '0.0.0.0/0'
        option gateway '10.197.197.1'

(I'm assuming that the far end router is the above address).

And on the far side, make sure that the firewall and routing table allows routing from 10.197.197.2 to the wan.


Well, I did what you said, but if I

then everything goes via the default interface (my WAN), even with

config route
	option interface 'lan'
	option target '0.0.0.0/0'
	option gateway '10.197.197.1'

But if I set route_allowed_ips, everything goes via 10.197.197.1 except the WG connection itself (which is good), so there is no way I can make only the LAN go out via the remote host (10.197.197.1).

The strange thing is that if I add

config route
	option interface 'lan'
	option target '0.0.0.0/0'
	option gateway '10.197.197.1'

it appears in the network config but not in the routing table, even after a reboot.

Ok... so... it seems you have 2 local networks, a single 'regular' WAN, and then 2 VPNs. Can you describe your goals for each of the networks and VPNs?


You might need PBR if you only want to route your LAN interface via the VPN:
https://openwrt.org/docs/guide-user/network/routing/pbr


First, let's forget about the VPN interface; it is not important right now. I am talking only about the wgcli interface.
I thought it was possible to route all requests from the LAN (192.168.222.0/24) to the remote WG peer (10.197.197.1) while every other interface keeps its default route via my local WAN connection.
Theoretically it is possible: I remove route_allowed_ips so the default gateway stays as usual (my local WAN), but everything from the LAN goes via wgcli to the remote router (10.197.197.1). But for some reason there is nothing about the LAN going via 10.197.197.1 in the routing table, even though I added the route in the network config.
I am feeling like maybe some masquerading can help.
Also, I am starting to think there cannot be two 0.0.0.0/0 entries in the same routing table anyway, so this is not something a plain route can do, but rather iptables or something like that — i.e. a separate routing table selected per source network, which is what policy-based routing is.