Lan interface to > Wireguard & Wifi Interface to > WAN

I'm trying to only enable Wireguard for the wired lan interface. I created a Wifi Interface and Wifi firewall zone separately.

I do not need VPNBypass, do I?

I had to disable masquerading for WAN, else the router itself did not have a working connection (wired LAN worked). After disabling WAN masquerading the router connected, but surprisingly through the VPN.

I'm trying to have WiFi out of VPN. Does this look good?

Also, (using 21.02.3 with previous firewall thingie) I don't want to enable "all input" from the Wifi Zone, do I need to create "allow DHCP in" rule and disable input field of Wifi Zone? Is this how it's done?

  • From Wifi Zone to This Device (input)
  • Dest. Port 68
  • TCP, ipv4
  • Accept

I'm really confused about what you're trying to do.

But if you want WireGuard that can access your lan and wan network.

I think that you probably want to have lan to wan access?
Or is it an offline network?

Could you please upload your /etc/config/network config or UCI show network?

It's a bad idea if this is your router to run wan and lan inside the same interface because there is no firewall then.

Also masquerade needs to be on for the wan firewall, only IPv6 is big enough that every device in your home network could get an IP address, probably IPv6 will still be using masquerade (I'm not sure though).

You need something like:
Lan -> wan
Wlan -> wan
WireGuard -> wan and lan, masquerade on
Wan -> nothing masquerade on

But don't bridge your wan through your lan or wlan, can't think of a single reason except maybe mesh or clients.

Yeah, you get your lan working through the VPN because your lan makes a connection through the VPN that masquerades that IP, that part makes sense, but how did it reach the wan?

If I understand it correctly (still learning), let's call it the firewall pointers.

You make a zone; that zone can go to a different zone and can receive from a zone.

The receive zone you don't need to adjust because it will be made automatically by the forward zone (go to zone).

(A packet is the message that a device sends through the internet)

Every packet will be checked for a connection state.

An interface lan has DHCP running in range 192.168.2.x
It has firewall zone lan attached to it; that zone can only reach the wan zone.

An interface wlan has DHCP running in range 192.168.3.x
It has firewall zone wlan attached to it; that zone also can only reach the wan zone.

Wan are all the devices outside your home (websites, Minecraft servers etc)
Lan and wlan are all the devices inside your home.

The wan can't reach your lan/wlan.
Unless the devices on your WLAN/lan network first have made a connection to a device on the wan.

Because if the device inside your home network makes the connection first, the message back from the wan will be checked if there is a connection between the two. And if that connection state is not invalid then the message from the wan to WLAN/lan will be accepted.

Also this can be bypassed by port forwarding, but that's only needed if a device outside your home (wan) needs to establish the connection first to the inside of your home.

That's why you needed to forward WireGuard.


Can you elaborate? Before you can elaborate I might as well simply state what it was I was trying to do.

  • I will have my wired PC connecting to the Wireguard VPN server (I don't use LAN to -> WAN forwarding because I don't want the PC to ever go outside of the WG-Wireguard tunnel)

  • I would like to have my router to also connect to the VPN server (for its own connections such as NTP time sync etc.) but it's not very important.

  • I need my laptop out of the VPN and just work normally (hence forwarding Wifi_Zone to -> WAN)

Edit: Problem is that in my scenario masquerading should be on for both the LAN and WLAN zones?

You need to use a package such as PBR (policy based routing) to create rules for your networks (i.e. the subnet that is setup for wired vs the one setup for wifi).

Masquerading should be enabled on the WAN and VPN firewall zones, and disabled on your LAN zone(s) (both LAN and WLAN).

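As an added example (not code from this thread, from OpenWrt, or from the PBR package), the Python check below parses a constructed /etc/config/firewall fragment and verifies the zone layout recommended in the two replies above: masquerade on wan and the WireGuard zone only, the wired lan zone forwarding only into the tunnel, the wlan zone forwarding to wan, and nothing forwarded from wan. The zone names wg, lan, wlan and wan are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample /etc/config/firewall (not from the thread); tabs are UCI's usual indent.
SAMPLE_FIREWALL = """
config zone
	option name 'lan'
config zone
	option name 'wlan'
config zone
	option name 'wan'
	option masq '1'
config zone
	option name 'wg'
	option masq '1'
config forwarding
	option src 'lan'
	option dest 'wg'
config forwarding
	option src 'wlan'
	option dest 'wan'
"""

def parse_uci(text):
    """Parse UCI text into [(section_type, {option: value})]; a repeated 'list' keeps its last value."""
    sections = []
    for m in re.finditer(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", text, re.M):
        kind, key, val = m.groups()
        if kind == "config":
            sections.append((key, {}))
        else:
            sections[-1][1][key] = val
    return sections

def check_zones(text, vpn="wg", wired="lan", wifi="wlan"):
    """Return policy violations; an empty list means the zones match the advice in the thread."""
    masq, fwd = {}, defaultdict(set)
    for stype, opts in parse_uci(text):
        if stype == "zone":
            masq[opts["name"]] = opts.get("masq") == "1"
        elif stype == "forwarding":
            fwd[opts["src"]].add(opts["dest"])
    problems = [f"masquerade missing on {z}" for z in ("wan", vpn) if not masq.get(z)]
    problems += [f"masquerade should be off on {z}" for z in (wired, wifi) if masq.get(z)]
    if fwd[wired] != {vpn}:            # the wired PC must never leave the tunnel
        problems.append(f"{wired} must forward only to {vpn}")
    if "wan" not in fwd[wifi]:         # the laptop on wifi goes straight out
        problems.append(f"{wifi} must forward to wan")
    if fwd["wan"]:                     # wan never initiates into the home zones
        problems.append("wan must not forward to any zone")
    return problems
```

Routing the wlan subnet out of the WAN interface while wg0 is the default route is a separate, PBR-level decision; this check only covers the firewall zone side.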

Do you have wireguard running on a router inside a different network?

Do you have wireguard running on your router and connect, for example, your laptop to it from an unsafe wifi network?

You can use ssh/SCP to get the files.
On Windows, winscp is useful for understanding the filesystem; it's like a file browser inside the router.

Browse to /etc/configs/network and /etc/configs/firewall and upload them inside two code blocks here.

Or open a terminal when connected to the network.
On Linux and Windows, type:

ssh root@your_gateway_ip

Log in with your password like in luci.
Then use uci to show the network configs.

uci show network

uci show firewall

Copy the output you get from the console inside two code blocks here.

Thanks mate. I think I only need to create a policy for the Wifi subnet (192.168.x.x/24) to -> WAN interface since wireguard interface is already the default gateway. I'm testing this configuration now:
