Issues accessing mesh network via WireGuard (BATMAN V, unbound, odhcpd)

Hi everyone,
I have a mesh network with 4 Linksys MX5300 nodes, all running the OpenWrt snapshot main build from November 18, 2024. I’m using BATMAN V to manage the mesh, following the configuration suggested in the OpenWrt wiki: BATMAN mesh setup.

The network is divided into two VLANs: one for clients and one for guests. For DNS and DHCP, I use unbound and odhcpd instead of dnsmasq and odhcpd-ipv6only, as described in the unbound README.

The three secondary nodes act as dumb access points in the mesh. To keep them minimal, I’ve disabled odhcpd, unbound, and the firewall on these nodes.

I use WireGuard to access my home network remotely from my laptop. The configuration works partially: I can access the main node/router and a Raspberry Pi connected via Ethernet to the router, but I can’t reach other nodes or devices on the network.

Here’s what I’ve tried so far:

  1. I’ve enabled bidirectional forwarding between the LAN and WireGuard zones in the firewall.
  2. I’ve ensured that the secondary nodes only route within the LAN, as WireGuard is configured exclusively in /etc/config/network on the main node. Adding the route on secondary nodes doesn’t solve the issue.

The only workaround I’ve found is to enable masquerading for the LAN zone. This resolves the issue, but I’m unsure if this is the best solution or just a temporary fix.

Does anyone know what might be causing this behavior or how to properly resolve it?

Thanks in advance!

If enabling masquerading on the LAN zone solves your problem, then the cause can be that the LAN clients you are trying to connect to have their own firewall and only allow traffic from their own subnet and not from the WG subnet.

So the solution can be that you tweak the local firewall of your LAN clients to also allow the WG subnet.

If that is not possible or not feasible, you can masquerade the WG subnet instead of everything you are masquerading now, e.g. where instead of 172.31.31.0/24 you set your own WG subnet:
/etc/config/firewall:

config nat
	option name 'SNAT-WGserver'
	option src 'lan'
	option src_ip '172.31.31.0/24'
	option target 'MASQUERADE'
	list proto 'all'
	option enabled '1'

I am not a big fan of masquerading; you lose access control and logging, but in a typical SOHO environment, and if you are the only WG user, that is usually not a problem.

Your explanation about the local firewalls on LAN clients makes sense, and it’s definitely something I’ll double-check. However, I should clarify that the secondary mesh nodes I’m unable to reach have the firewall service completely disabled, as they are configured as dumb access points. This might actually be part of the problem—perhaps I need to rethink whether disabling the firewall on those nodes is the right approach in this scenario.

Regarding masquerading: I’ve already tried enabling masquerading specifically for the WireGuard subnet, but unfortunately, it didn’t resolve the issue. For now, the only firewall configuration I have on the main node is the following:
config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-Ping'
	option src '*'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '500/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '500/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6-Guest'
	option src 'guest'
	option dest_port '547'
	option proto 'udp'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Forward-IPv6-for-unicorn'
	option src 'wan'
	option dest 'lan'
	option dest_ip '::b46/-64'
	option family 'ipv6'
	option proto 'tcp udp'
	option target 'ACCEPT'

config redirect
	option name 'Forward-IPv4-for-unicorn'
	option src 'wan'
	option src_dport '51413'
	option dest 'lan'
	option dest_ip '192.168.1.239'
	option dest_port '51413'
	option proto 'tcp udp'

config zone
	option name 'wg'
	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'wg'
	option dest 'wan'

config forwarding
	option src 'wan'
	option dest 'wg'

config forwarding
	option src 'lan'
	option dest 'wg'

config forwarding
	option src 'wg'
	option dest 'lan'

config rule
	option name 'Allow-Wireguard-Inbound'
	option target 'ACCEPT'
	option src '*'
	option proto 'udp'
	option dest_port '51820'

config redirect
	option name 'The Lounge HTTP'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_ip '192.168.1.240'
	option dest_port '80'
	option proto 'tcp'

config redirect
	option name 'The Lounge HTTPS'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_ip '192.168.1.240'
	option dest_port '443'
	option proto 'tcp'

config rule
	option name 'Forward-IPv6-TheLounge-HTTP-HTTPS'
	option src 'wan'
	option dest 'lan'
	option dest_ip '::b47/-64'
	option family 'ipv6'
	option proto 'tcp'
	option dest_port '80 443'
	option target 'ACCEPT'

If you have any suggestions based on this current setup, I’d love to hear them. Thanks again for your help—I appreciate the insight!

Solution found. Actually the problem was only with the secondary nodes in my mesh network. I configured a static route via LuCI, disabled masquerading on all zones except WAN, and was immediately able to communicate with the nodes, which act as dumb APs.

config route
	option interface 'lan'
	option target '10.0.10.0/24'
	option gateway '192.168.1.254'
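The two fixes discussed in this thread (masquerading the WG traffic on the LAN zone, and the static route the original poster ended up with) both address the same thing: a reply path. A dumb AP with no route towards the WireGuard subnet can receive the packet but cannot answer it. The following is an added example, not code from the thread or from OpenWrt, that models that return-path failure with a small longest-prefix-match routing simulation. The topology (laptop 10.0.10.2 on wg0, router with 10.0.10.1 and 192.168.1.1, dumb AP 192.168.1.254) and the choice to put the static route on the AP are assumptions for illustration, not the poster's real addressing or final config. It shows why masquerade "works" (the reply only has to reach the router), and gives a check for which LAN hosts lack a return route before anyone reaches for NAT.

```python
import ipaddress
from typing import Optional

# Added example, not code from the thread. Constructed topology loosely modelled
# on the post; every address here is an assumption, not the poster's addressing.
#   laptop 10.0.10.2 --wg0-- router (wg0 10.0.10.1, lan 192.168.1.1) --lan-- dumbap 192.168.1.254
WG_SUBNET = ipaddress.ip_network("10.0.10.0/24")
ROUTER_LAN_IP = "192.168.1.1"


class Host:
    """A host with its interface addresses and a static route table."""

    def __init__(self, name, addrs, routes):
        self.name = name
        self.addrs = {ipaddress.ip_address(a) for a in addrs}
        # (prefix, next_hop); next_hop None means the prefix is directly connected
        self.routes = [(ipaddress.ip_network(p), gw) for p, gw in routes]

    def lookup(self, dst) -> Optional[tuple]:
        """Longest-prefix match like the kernel FIB; None when there is no route."""
        dst = ipaddress.ip_address(dst)
        matches = [(n, gw) for n, gw in self.routes if dst in n]
        return max(matches, key=lambda r: r[0].prefixlen, default=None)


def owner(hosts, ip):
    """The host holding ip on one of its interfaces, or None."""
    ip = ipaddress.ip_address(ip)
    return next((h for h in hosts.values() if ip in h.addrs), None)


def deliver(hosts, src, dst, max_hops=8):
    """Follow each hop's routing decision from src towards dst.
    Returns the list of host names traversed, or None if a hop has no route."""
    path, cur = [src.name], src
    for _ in range(max_hops):
        if ipaddress.ip_address(dst) in cur.addrs:
            return path
        route = cur.lookup(dst)
        if route is None:
            return None                      # no route: dropped at this hop
        nxt = owner(hosts, dst if route[1] is None else route[1])
        if nxt is None:
            return None                      # next hop not present on this LAN
        cur = nxt
        path.append(cur.name)
    return None


def round_trip(hosts, client, client_ip, server_ip, masquerade_lan=False):
    """Simulate client -> server and the server's reply.
    With masquerade on the LAN zone the router rewrites the source to its own
    LAN address, so the reply only has to reach the router, which un-NATs it."""
    router = hosts["router"]
    server = owner(hosts, server_ip)
    fwd = deliver(hosts, client, server_ip)
    if fwd is None or server is None:
        return fwd, None
    if not masquerade_lan:
        return fwd, deliver(hosts, server, client_ip)
    to_router = deliver(hosts, server, ROUTER_LAN_IP)
    from_router = deliver(hosts, router, client_ip)
    if to_router is None or from_router is None:
        return fwd, None
    return fwd, to_router + from_router[1:]


def hosts_without_return_route(hosts, subnet=WG_SUBNET):
    """The check to run before reaching for masquerade: which hosts cannot
    route a reply into the WireGuard subnet at all."""
    probe = subnet.network_address + 1
    return sorted(h.name for h in hosts.values() if h.lookup(probe) is None)


def build_topology(ap_static_route=False):
    laptop = Host("laptop", ["10.0.10.2"],
                  [("10.0.10.0/24", None), ("192.168.1.0/24", "10.0.10.1")])
    router = Host("router", ["10.0.10.1", "192.168.1.1"],
                  [("10.0.10.0/24", None), ("192.168.1.0/24", None)])
    # A dumb AP is often left without a default gateway, so it can only talk
    # to its own subnet. The optional static route is the non-NAT fix.
    ap_routes = [("192.168.1.0/24", None)]
    if ap_static_route:
        ap_routes.append(("10.0.10.0/24", ROUTER_LAN_IP))
    dumbap = Host("dumbap", ["192.168.1.254"], ap_routes)
    return {h.name: h for h in (laptop, router, dumbap)}


if __name__ == "__main__":
    for masq, route in ((False, False), (True, False), (False, True)):
        hosts = build_topology(ap_static_route=route)
        fwd, back = round_trip(hosts, hosts["laptop"], "10.0.10.2",
                               "192.168.1.254", masquerade_lan=masq)
        print(f"masquerade={masq} static_route={route}: forward={fwd} reply={back}")
```

Without masquerade and without the route, the forward path laptop -> router -> dumbap succeeds and the reply is dropped at the AP, which is exactly the "I can reach the router but not the nodes behind it" symptom. Masquerade makes the reply target the router instead, at the cost the reply above mentions (the AP no longer sees the real WG source, so per-client filtering and logs on the LAN side are lost). The static route gives the same reachability while keeping the WG addresses visible end to end.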
