Help, I have a working wireguard client configuration but am struggling with reliability in the face of network restarts and loss of wan connectivity.
Goal:
- By default, route traffic through warp tunnel
- Use DoT (Stubby) for secure DNS to 1.1.1.1
- Use vpn-policy-routing to send guest subnet and selected internal clients (set-top boxes) out wan
- Handle wan coming up and down (flaky ISP here)
I have a working config that does not meet the last goal, and which has the following major problem:
Inconsistency of response to ‘service network restart’ and reboots. It’s a 50/50 proposition (or worse) that the config delivers connectivity.
Sometimes, an ifup wan will get it back, at others it won’t.
To simplify debugging, I have disabled VPN-Policy-routing and only have stubby, sqm and wireguard (connecting to Cloudflare warp) enabled.
The logs look clean, with slight variations in order, but pretty much the same log entries for the interfaces and services as they come up.
The outputs of ‘ip address show; ip route show table all’ are identical (except for sequence numbers) in either case.
Firewall outputs show the same rule sets.
The ‘wg’ command consistently shows the tunnel is up, but we just are not passing data.
I’ve been reading every thread on wireguard clients + openwrt, and even deployed a hotplug to /iface to ensure the wireguard interface is restarted/stopped in sync with the wan.
Here’s the hotplug code for /iface/50-warp:
#!/bin/sh
# Keep the warp WireGuard interface in step with wan: take it down when wan goes
# down, bring it back up when wan comes (back) up.
# Skip if the interface is disabled in /etc/config/network. Compare as a string:
# if the option is unset, "uci -q get" prints nothing and a numeric -eq test fails.
if [ "$(uci -q get network.warp.disabled)" = "1" ]; then exit 0; fi
if [ "$INTERFACE" = "wan" ]; then
    [ "$ACTION" = "ifdown" ] && ubus call network.interface.warp down
    if [ "$ACTION" = "ifup" ] || [ "$ACTION" = "ifupdate" ]; then
        logger -t warp "performing an ifup on warp due to $ACTION of wan"
        ifup warp
    fi
    exit 0
fi
But even without that hotplug the results are about the same; it seems to help, but clearly is not a fix.
It would seem there is a race condition somewhere, but I can’t spot it.
Anything in these configs and diagnostic outputs that would give us a clue as to what to try next?
Platform is an x86 (i5) with 4 Intel NICs: eth0 is wan, eth1 & eth2 are br-lan, eth2.3 & eth3 are br-guest.
OpenWRT is 19.07.8
Here is the output requested for troubleshooting wireguard, these are while in the non-working state:
pgrep -f -a wg; wg show; wg showconf warp
19545 wg-crypt-warp
interface: warp
public key: 9Cfa37HmktBBSyDjjsrFIkcTW/yyzAodPHBnwNx34mc=
private key: (hidden)
listening port: 57218
peer: bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
endpoint: 162.159.192.1:2408
allowed ips: 0.0.0.0/0, ::/0
latest handshake: 15 seconds ago
transfer: 276 B received, 96.23 KiB sent
persistent keepalive: every 24 seconds
[Interface]
ListenPort = 57218
PrivateKey = [redacted PrivateKey]
[Peer]
PublicKey = bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 162.159.192.1:2408
PersistentKeepalive = 24
ip address show; ip route show table all
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
link/ether de:37:f5:24:bb:a1 brd ff:ff:ff:ff:ff:ff
3: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
link/ether 2a:af:39:06:a1:8e brd ff:ff:ff:ff:ff:ff
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc cake state UP group default qlen 1000
link/ether 40:62:31:15:01:c4 brd ff:ff:ff:ff:ff:ff
inet 75.117.160.x/22 brd 75.117.163.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::4262:31ff:fe15:1c4/64 scope link
valid_lft forever preferred_lft forever
5: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
link/ether 40:62:31:15:01:c5 brd ff:ff:ff:ff:ff:ff
6: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq master br-lan state DOWN group default qlen 1000
link/ether 40:62:31:15:01:c6 brd ff:ff:ff:ff:ff:ff
7: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-guest state UP group default qlen 1000
link/ether 40:62:31:15:01:c7 brd ff:ff:ff:ff:ff:ff
8: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
link/gre 0.0.0.0 brd 0.0.0.0
9: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
10: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
83: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 40:62:31:15:01:c7 brd ff:ff:ff:ff:ff:ff
inet 192.168.3.1/24 brd 192.168.3.255 scope global br-guest
valid_lft forever preferred_lft forever
inet6 fe80::4262:31ff:fe15:1c7/64 scope link
valid_lft forever preferred_lft forever
84: eth2.3@eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-guest state LOWERLAYERDOWN group default qlen 1000
link/ether 40:62:31:15:01:c6 brd ff:ff:ff:ff:ff:ff
85: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 40:62:31:15:01:c5 brd ff:ff:ff:ff:ff:ff
inet 192.168.7.1/24 brd 192.168.7.255 scope global br-lan
valid_lft forever preferred_lft forever
inet6 fda0:a0eb:3c56::1/60 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::4262:31ff:fe15:1c5/64 scope link
valid_lft forever preferred_lft forever
86: warp: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc cake state UNKNOWN group default qlen 1000
link/none
inet 172.16.0.2/32 brd 255.255.255.255 scope global warp
valid_lft forever preferred_lft forever
inet6 fd01:5ca1:ab1e:8353:2283:e81c:x:x/128 scope global
valid_lft forever preferred_lft forever
89: ifb4eth0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc cake state UNKNOWN group default qlen 32
link/ether 3e:9f:0d:ae:56:63 brd ff:ff:ff:ff:ff:ff
inet6 fe80::3c9f:dff:feae:5663/64 scope link
valid_lft forever preferred_lft forever
93: ifb4warp: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
link/ether e6:d1:ec:84:8b:e9 brd ff:ff:ff:ff:ff:ff
default dev warp proto static scope link
75.117.160.0/22 dev eth0 proto kernel scope link src 75.117.160.x
162.159.192.1 via 75.117.160.1 dev eth0 proto static
192.168.3.0/24 dev br-guest proto kernel scope link src 192.168.3.1
192.168.7.0/24 dev br-lan proto kernel scope link src 192.168.7.1
broadcast 75.117.160.0 dev eth0 table local proto kernel scope link src 75.117.160.x
local 75.117.160.x dev eth0 table local proto kernel scope host src 75.117.160.x
broadcast 75.117.163.255 dev eth0 table local proto kernel scope link src 75.117.160.x
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 172.16.0.2 dev warp table local proto kernel scope host src 172.16.0.2
broadcast 192.168.3.0 dev br-guest table local proto kernel scope link src 192.168.3.1
local 192.168.3.1 dev br-guest table local proto kernel scope host src 192.168.3.1
broadcast 192.168.3.255 dev br-guest table local proto kernel scope link src 192.168.3.1
broadcast 192.168.7.0 dev br-lan table local proto kernel scope link src 192.168.7.1
local 192.168.7.1 dev br-lan table local proto kernel scope host src 192.168.7.1
broadcast 192.168.7.255 dev br-lan table local proto kernel scope link src 192.168.7.1
fd01:5ca1:ab1e:8353:2283:e81c:1490:2238 dev warp proto kernel metric 256 pref medium
fda0:a0eb:3c56::/64 dev br-lan proto static metric 1024 pref medium
unreachable fda0:a0eb:3c56::/48 dev lo proto static metric 2147483647 error 4294967183 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-guest proto kernel metric 256 pref medium
fe80::/64 dev ifb4eth0 proto kernel metric 256 pref medium
default dev warp proto static metric 1024 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fd01:5ca1:ab1e:8353:2283:e81c:1490:2238 dev warp table local proto kernel metric 0 pref medium
anycast fda0:a0eb:3c56:: dev br-lan table local proto kernel metric 0 pref medium
local fda0:a0eb:3c56::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev ifb4eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-guest table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
local fe80::3c9f:dff:feae:5663 dev ifb4eth0 table local proto kernel metric 0 pref medium
local fe80::4262:31ff:fe15:1c4 dev eth0 table local proto kernel metric 0 pref medium
local fe80::4262:31ff:fe15:1c5 dev br-lan table local proto kernel metric 0 pref medium
local fe80::4262:31ff:fe15:1c7 dev br-guest table local proto kernel metric 0 pref medium
ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
ff00::/8 dev br-guest table local proto kernel metric 256 pref medium
ff00::/8 dev ifb4eth0 table local proto kernel metric 256 pref medium
ff00::/8 dev warp table local proto kernel metric 256 pref medium
ip rule show; iptables-save -c
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
# Generated by iptables-save v1.8.3 on Mon Dec 13 12:14:12 2021
*nat
:PREROUTING ACCEPT [334:131744]
:INPUT ACCEPT [23:1652]
:OUTPUT ACCEPT [43:2944]
:POSTROUTING ACCEPT [5:321]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:postrouting_warpvpn_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:prerouting_warpvpn_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_warpvpn_postrouting - [0:0]
:zone_warpvpn_prerouting - [0:0]
[335:131806] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[78:16359] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[257:115447] -A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_guest_prerouting
[0:0] -A PREROUTING -i warp -m comment --comment "!fw3" -j zone_warpvpn_prerouting
[198:11395] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_guest_postrouting
[193:11074] -A POSTROUTING -o warp -m comment --comment "!fw3" -j zone_warpvpn_postrouting
[0:0] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
[0:0] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[78:16359] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[257:115447] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[257:115447] -A zone_wan_prerouting -j MINIUPNPD
[193:11074] -A zone_warpvpn_postrouting -m comment --comment "!fw3: Custom warpvpn postrouting rule chain" -j postrouting_warpvpn_rule
[193:11074] -A zone_warpvpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_warpvpn_prerouting -m comment --comment "!fw3: Custom warpvpn prerouting rule chain" -j prerouting_warpvpn_rule
COMMIT
# Completed on Mon Dec 13 12:14:12 2021
# Generated by iptables-save v1.8.3 on Mon Dec 13 12:14:12 2021
*raw
:PREROUTING ACCEPT [1403:283799]
:OUTPUT ACCEPT [2245:342238]
:zone_guest_helper - [0:0]
:zone_lan_helper - [0:0]
[1061:159251] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[0:0] -A PREROUTING -i br-guest -m comment --comment "!fw3: guest CT helper assignment" -j zone_guest_helper
[0:0] -A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_guest_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_guest_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_guest_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_guest_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
[0:0] -A zone_guest_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_guest_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_guest_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_guest_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
[0:0] -A zone_guest_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_lan_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_lan_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
[0:0] -A zone_lan_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_lan_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
COMMIT
# Completed on Mon Dec 13 12:14:12 2021
# Generated by iptables-save v1.8.3 on Mon Dec 13 12:14:12 2021
*mangle
:PREROUTING ACCEPT [1413:284383]
:INPUT ACCEPT [767:163068]
:FORWARD ACCEPT [641:109429]
:OUTPUT ACCEPT [2253:345566]
:POSTROUTING ACCEPT [2771:448707]
[0:0] -A FORWARD -o br-guest -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone guest MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i br-guest -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone guest MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Dec 13 12:14:12 2021
# Generated by iptables-save v1.8.3 on Mon Dec 13 12:14:12 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_warpvpn_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_warpvpn_rule - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_warpvpn_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_warpvpn_dest_ACCEPT - [0:0]
:zone_warpvpn_dest_REJECT - [0:0]
:zone_warpvpn_forward - [0:0]
:zone_warpvpn_input - [0:0]
:zone_warpvpn_output - [0:0]
:zone_warpvpn_src_REJECT - [0:0]
[20:1284] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[750:161940] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[301:23736] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[10:404] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[148:18491] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[301:119713] -A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guest_input
[0:0] -A INPUT -i warp -m comment --comment "!fw3" -j zone_warpvpn_input
[641:109429] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[37:4418] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[604:105011] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_guest_forward
[0:0] -A FORWARD -i warp -m comment --comment "!fw3" -j zone_warpvpn_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[20:1284] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[2238:345822] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[1663:307292] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[3:96] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[1:40] -A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
[1:40] -A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_guest_output
[570:38354] -A OUTPUT -o warp -m comment --comment "!fw3" -j zone_warpvpn_output
[146:68431] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[153:51114] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[10:404] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 200/sec --limit-burst 500 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1:40] -A zone_guest_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guest_dest_REJECT -o br-guest -m comment --comment "!fw3" -j reject
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
[0:0] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
[0:0] -A zone_guest_input -m comment --comment "!fw3: GuestDNS" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: GuestDHCP" -j ACCEPT
[0:0] -A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
[1:40] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
[1:40] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[0:0] -A zone_guest_src_REJECT -i br-guest -m comment --comment "!fw3" -j reject
[3:96] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[604:105011] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[604:105011] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[604:105011] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to warpvpn forwarding policy" -j zone_warpvpn_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[148:18491] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -s 169.254.0.0/16 -p tcp -m comment --comment "!fw3: BlockLinkLocal" -j DROP
[0:0] -A zone_lan_input -s 169.254.0.0/16 -p udp -m comment --comment "!fw3: BlockLinkLocal" -j DROP
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[148:18491] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[3:96] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[3:96] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[148:18491] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1:40] -A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -j MINIUPNPD
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[301:119713] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[2:168] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[299:119545] -A zone_wan_input -j MINIUPNPD
[299:119545] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[1:40] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[1:40] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[299:119545] -A zone_wan_src_REJECT -i eth0 -m comment --comment "!fw3" -j reject
[126:6384] -A zone_warpvpn_dest_ACCEPT -o warp -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1048:136981] -A zone_warpvpn_dest_ACCEPT -o warp -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_warpvpn_dest_REJECT -o warp -m comment --comment "!fw3" -j reject
[0:0] -A zone_warpvpn_forward -m comment --comment "!fw3: Custom warpvpn forwarding rule chain" -j forwarding_warpvpn_rule
[0:0] -A zone_warpvpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_warpvpn_forward -m comment --comment "!fw3" -j zone_warpvpn_dest_REJECT
[0:0] -A zone_warpvpn_input -m comment --comment "!fw3: Custom warpvpn input rule chain" -j input_warpvpn_rule
[0:0] -A zone_warpvpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_warpvpn_input -m comment --comment "!fw3" -j zone_warpvpn_src_REJECT
[570:38354] -A zone_warpvpn_output -m comment --comment "!fw3: Custom warpvpn output rule chain" -j output_warpvpn_rule
[570:38354] -A zone_warpvpn_output -m comment --comment "!fw3" -j zone_warpvpn_dest_ACCEPT
[0:0] -A zone_warpvpn_src_REJECT -i warp -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Mon Dec 13 12:14:12 2021
uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fda0:a0eb:3c56::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.mtu='1500'
network.lan.ipaddr='192.168.7.1'
network.lan.igmp_snooping='1'
network.lan.ifname='eth1 eth2'
network.lan.dns='1.1.1.1'
network.wan=interface
network.wan.proto='dhcp'
network.wan.broadcast='1'
network.wan.ifname='eth0'
network.wan.hostname='OpenWrt'
network.wan.release='1'
network.wan.clientid='014062311501C4'
network.wan.peerdns='0'
network.wan.dns='1.1.1.1'
network.wan6=interface
network.wan6.ifname='eth0'
network.wan6.proto='dhcpv6'
network.guest=interface
network.guest.proto='static'
network.guest.ipaddr='192.168.3.1'
network.guest.netmask='255.255.255.0'
network.guest.type='bridge'
network.guest.ifname='eth3 eth2.3'
network.guest.dns='1.1.1.1'
network.warp=interface
network.warp.proto='wireguard'
network.warp.mtu='1280'
network.warp.force='1'
network.warp.dns='1.1.1.1'
network.warp.private_key='[redacted]'
network.warp.disabled='0'
network.warp.addresses='172.16.0.2/32' 'fd01:5ca1:ab1e:8353:2283:e81c:x:x/128'
network.@wireguard_warp[0]=wireguard_warp
network.@wireguard_warp[0].public_key='bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo='
network.@wireguard_warp[0].description='cfwarp'
network.@wireguard_warp[0].route_allowed_ips='1'
network.@wireguard_warp[0].endpoint_host='engage.cloudflareclient.com'
network.@wireguard_warp[0].endpoint_port='2408'
network.@wireguard_warp[0].persistent_keepalive='24'
network.@wireguard_warp[0].allowed_ips='0.0.0.0/0' '::/0'
uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_rate='200/s'
firewall.@defaults[0].synflood_burst='500'
firewall.@defaults[0].tcp_ecn='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='guest'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].network='guest'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].mtu_fix='1'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[1].src='guest'
firewall.@rule[9]=rule
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].src='guest'
firewall.@rule[9].name='GuestDNS'
firewall.@rule[9].proto='all'
firewall.@rule[9].dest_port='53'
firewall.@rule[10]=rule
firewall.@rule[10].enabled='1'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].src='guest'
firewall.@rule[10].name='GuestDHCP'
firewall.@rule[10].proto='udp'
firewall.@rule[10].dest_port='67-68'
firewall.@rule[11]=rule
firewall.@rule[11].name='BlockLinkLocal'
firewall.@rule[11].proto='tcp udp'
firewall.@rule[11].src_ip='169.254.0.0/16'
firewall.@rule[11].target='DROP'
firewall.@rule[11].src='lan'
firewall.@zone[3]=zone
firewall.@zone[3].network='warp'
firewall.@zone[3].forward='REJECT'
firewall.@zone[3].name='warpvpn'
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].input='REJECT'
firewall.@zone[3].masq='1'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].dest='warpvpn'
firewall.@forwarding[2].src='lan'
firewall.miniupnpd=include
firewall.miniupnpd.type='script'
firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
firewall.miniupnpd.family='any'
firewall.miniupnpd.reload='1'
Note: while there is config for miniupnpd, the package is NOT enabled.