Ip error: can't access internet

oh... the WG interface is a different issue entirely. WG should not cause a DHCP failure. So we're dealing with two different issues.

  • Reset to defaults.
  • Test connectivity
  • add WG interface
  • test connectivity.
  • stop here.... post your configs. We'll help you add a guest network.

I did it.
Another person checked my configuration and it was perfect.
I followed the guide in this website.
He told me that the problem was WireGuard and the solution is PBR.
I tried PBR but I didn't find a solution.
I would like only two networks:
one with VPN and one without.
How can I do?
I want the VPN to work only on one device, but with PBR, a static IP and the MAC address I didn't find a solution.

if you want the lan to go through the WG interface and the guest network to go through the standard wan, you will need PBR (or manually configured routes)... PBR is the easiest way.

But your original issue was not related to the VPN/routing at all... instead, it seemed that your guest network was not working with DHCP.

So, the DHCP issue must be fixed first...
Therefore, my recommendation is simple:

If all goes well, this will result in your lan having normal connectivity via the VPN.

Then, we'll add the guest network. It will also go through the VPN at first.
Once all of that is done, you can set up PBR to steer the guest network through the normal wan.

Ok.
I’ll do it tomorrow.
Should I continue here or open another topic?

Let’s get through the creation of the guest network in this thread. Then you can open a new thread for the pbr issue.

I made a fresh install of the firmware and I configured wireguard again.
And I created a Wi-Fi network for testing.
All works correctly.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd4e:84b5:945d::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxxxxxxxxxxxx'
	list addresses '10.14.0.2/16'
	list dns '162.252.172.57'
	list dns '149.154.159.92'

config wireguard_wg0
	option description 'ixxxxxxf'
	option public_key 'xxxxxxxxxxx'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'xxxxxxxxxx'
	option endpoint_port '51820'
	option route_allowed_ips '1'
root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel 'auto'
	option band '5g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'test'
	option encryption 'sae'
	option key 'xxxxxxxxxxxxx'
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'vpn'
ok... good.

Now, to make a guest network (wifi only)... add this to your network config:

config device
    option name 'br-guest'
    option type 'bridge'

config interface 'guest'
    option device 'br-guest'
    option proto 'static'
    option ipaddr '192.168.5.1'
    option netmask '255.255.255.0'

And this to your dhcp file:

config dhcp 'guest'
    option interface 'guest'
    option dhcpv4 'server'
    option start '100'
    option limit '150'
    option leasetime '12h'

Then add the following to your firewall file (the guest zone rejects input by default, so the two rules at the end are what let guest clients reach the router's DHCP and DNS; the forwardings are what give them a path out via wan or the VPN):

config zone
    option name 'guest'
    list network 'guest'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'guest'
    option dest 'wan'

config forwarding
    option src 'guest'
    option dest 'vpn'

config rule
	option name 'Allow-Guest-DHCP'
	list proto 'udp'
	option target 'ACCEPT'
	option src 'guest'
	option dest_port '67-68'

config rule
	option name 'Allow-Guest-DNS'
	option target 'ACCEPT'
	option src 'guest'
	option dest_port '53'

Now, create a new SSID and connect it with the guest network. That should produce a working guest network (which will use the VPN). Test that and let me know what happens.


Thank you.
You are my hero.
Now I have one last problem to solve.
The whole network works only through the VPN.
I don't know how to exclude part of it.
I made many tests, but without success.

Glad the network is working in general.

Create a new thread for PBR - this way, it will reach the right audience.


Typo here:

PBR doesn't work for LAN network - #3 by vgaetera


Thanks for catching that!


I don't find the error in my file.
It seems correct.
I have the exact text you showed.

The typo was in what I provided. You might have implemented it correctly, despite my mistake. :grinning:

You might edit the config above to reflect the intended correct values.


Done. Thanks for the reminder.

This is my file.
But I copied and pasted what he wrote:

root@OpenWrt:~#  cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd4e:84b5:945d::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option metric '0'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '******************************'
	list addresses '10.14.0.2/16'
	list dns '162.252.172.57'
	list dns '149.154.159.92'
	option metric '10'

config wireguard_wg0
	option description 'it-mil-2.conf'
	option public_key '***************************'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '**********************'
	option endpoint_port '51820'
	option route_allowed_ips '1'

config device
	option name 'br-guest'
	option type 'bridge'

config interface 'guest'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.5.1'
	option netmask '255.255.255.0'

This is wrong (and was my typo originally, now fixed above). Make the device br-guest


Thank you very much.
Now I understand the error.

My configuration now works perfectly.
