Good morning,
I have two Wireguard interfaces running:
- One connects to a Mullvad Wireguard server and is for VPN traffic from my home network. I use Policy Based routing to allow, for example, traffic from certain devices to be redirected back over the WAN
- One is to allow me to pick up the static IP assigned to me via my ISP and is useful when I'm overseas and want to watch, say Netflix; I appear from my standard, domestic IP address
For the second interface - the one I use to appear from my domestic IP address - I'd also like to be able to access other devices on my LAN. I can't get this bit working.
- My LAN is on 192.168.1.1/24
- My wg interface is on 10.0.0.1/24. (Possibly) crucially, under the interface config, Firewall Mark is set to 0x10000. I found I had to set this to allow both wg interfaces (as a Mullvad client, and as a server) to work correctly
- I have a policy-based rule to ensure that traffic from 10.0.0.1/24 responds over the WAN
So, I'd like clients connect to the 10.0.0.1/24 to be able to communicate to clients in 192.168.1.1/24. This is the bit I'm stuck with.
Here's my firewall config
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option output 'ACCEPT'
option forward 'REJECT'
option network 'wan wan6'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone 'guest'
option name 'guest'
option output 'ACCEPT'
option network 'guest'
option input 'REJECT'
option forward 'REJECT'
config rule 'guest_dhcp'
option name 'guest_DHCP'
option src 'guest'
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
config rule 'guest_dns'
option name 'guest_DNS'
option src 'guest'
option target 'ACCEPT'
option proto 'tcpudp'
option dest_port '53'
config zone 'streaming'
option output 'ACCEPT'
option name 'streaming'
option network 'streaming'
option input 'ACCEPT'
option forward 'ACCEPT'
config rule 'streaming_dhcp'
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
option src 'streaming'
option name 'streaming_DHCP'
config rule 'streaming_dns'
option target 'ACCEPT'
option proto 'tcpudp'
option dest_port '53'
option src 'streaming'
option name 'streaming_DNS'
config zone
option forward 'REJECT'
option output 'ACCEPT'
option name 'wgzone'
option masq '1'
option mtu_fix '1'
option network 'wg'
option input 'REJECT'
config forwarding
option dest 'wgzone'
option src 'guest'
config forwarding
option dest 'wan'
option src 'streaming'
config forwarding
option dest 'wgzone'
option src 'streaming'
config rule
option src '*'
option target 'ACCEPT'
option proto 'udp'
option dest_port '1234'
option name 'Allow-Wireguard-Inbound'
config forwarding
option dest 'wan'
option src 'lan'
config forwarding
option dest 'wgzone'
option src 'lan'
config zone
option input 'ACCEPT'
option output 'ACCEPT'
option name 'wgserver'
option forward 'ACCEPT'
option masq '1'
option network 'wgserver'
config forwarding
option dest 'wgserver'
option src 'lan'
config forwarding
option dest 'wgserver'
option src 'wan'
config forwarding
option dest 'lan'
option src 'wgserver'
config forwarding
option dest 'wan'
option src 'wgserver'
Here's my network config. Sensitive details redacted, of course
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd8c:4d35:43aa::/48'
config interface 'lan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option ifname 'eth1.1'
config interface 'wan'
option ifname 'eth0.2'
option proto 'pppoe'
option username ''
option password ''
option peerdns '0'
option dns '84.200.69.80 84.200.70.40'
option ipv6 'auto'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 0t'
config interface 'guest'
option proto 'static'
option ipaddr '192.168.4.1'
option netmask '255.255.255.0'
option type 'bridge'
config interface 'wg'
option proto 'wireguard'
option private_key ''
option listen_port '51820'
list addresses '10.99.57.166/32'
option force_link '1'
config wireguard_wg
option public_key ''
list allowed_ips '0.0.0.0/0'
option route_allowed_ips '1'
option endpoint_host '185.16.85.130'
option endpoint_port '51820'
option persistent_keepalive '25'
config route
config interface 'streaming'
option proto 'static'
option type 'bridge'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
config interface 'wgserver'
option proto 'wireguard'
option private_key ''
option listen_port '1234'
option fwmark '0x10000'
list addresses '10.0.0.1/24'
config wireguard_wgserver
option public_key ''
option route_allowed_ips '1'
option persistent_keepalive '25'
option description 'tec'
list allowed_ips '10.0.0.2/32'
I suspect this is a simple firewall issue, but I can't put my finger on it. It's also possible that I've missed something when creating the interface (do I need to add 192.168.1.1/24 to the list addresses?)
Is anybody able to assist?
Kind regards