LAN not accessing remote Wireguard hosts while OpenWrt router does

I set up an OpenWrt 21.02 router (192.168.1.1) as a WireGuard client, with multiple hosts connected to it through WiFi and Ethernet (192.168.1.x). I also put the WireGuard wg0 interface in the LAN zone, as I would like to be able to connect to remote hosts behind the WireGuard server (192.168.0.x) from my local machines.

My OpenWrt router can properly ping and access remote machines through the WireGuard VPN, but hosts connected on its LAN can't.

Why? I have spent hours on it and still have not found a solution. I announce a 192.168.0.0/24 via 192.168.1.1 route through DHCP, and a traceroute from a local machine to 192.168.0.2, for example, indicates that packets are sent to 192.168.1.1 but get stuck there.

Thanks a lot for your help and sorry if it's a stupid question.


https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#site-to-site

Sure, I followed the tutorial, and, as I said, I can properly access machines through the VPN from the router, but not from the machines connected to the router's LAN, even though I defined routes through the router on those machines.

A site-to-site connection can provide LAN-to-LAN access of each peer in both directions.
Check out the troubleshooting section in the wiki to collect the diagnostics.

Log and status:

# logread -e vpn; netstat -l -n -p | grep -e "^udp\s.*\s-$"
Sun Sep 12 09:23:56 2021 daemon.notice netifd: Interface 'vpn' is setting up now
Sun Sep 12 09:23:56 2021 daemon.notice netifd: Interface 'vpn' is now down
Sun Sep 12 09:23:58 2021 daemon.notice netifd: Interface 'vpn' is setting up now
Sun Sep 12 09:23:58 2021 daemon.notice netifd: Interface 'vpn' is now up
Sun Sep 12 09:23:58 2021 daemon.notice netifd: Network device 'vpn' link is up
Sun Sep 12 09:23:58 2021 user.notice firewall: Reloading firewall due to ifup of vpn (vpn)
udp        0      0 0.0.0.0:59503           0.0.0.0:*                           -
udp        0      0 :::59503                :::*                                -

Runtime configuration:

# pgrep -f -a wg; wg show; wg showconf vpn
40 kworker/0:1-wg-
457 kworker/1:1-wg-
3385 wg-crypt-vpn
interface: vpn
  public key: **************
  private key: (hidden)
  listening port: 59503

peer: ******************
  endpoint: xxx.xxx.xxx.xxx:yyyyy
  allowed ips: 192.168.27.64/27, 192.168.0.0/24
  latest handshake: (System clock wound backward; connection problems may ensue.)
  transfer: 3.68 KiB received, 40.77 KiB sent
  persistent keepalive: every 25 seconds
[Interface]
ListenPort = 59503
PrivateKey = ********************

[Peer]
PublicKey = ********************
AllowedIPs = 192.168.27.64/27, 192.168.0.0/24
Endpoint = xxx.xxx.xxx.xxx:yyyyy
PersistentKeepalive = 25
# ip address show; ip route show table all
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1508 qdisc mq state UP qlen 1024
    link/ether 24:f5:a2:c5:ad:40 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::26f5:a2ff:fec5:ad40/64 scope link 
       valid_lft forever preferred_lft forever
3: lan4@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 24:f5:a2:c5:ad:40 brd ff:ff:ff:ff:ff:ff
4: lan3@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 24:f5:a2:c5:ad:40 brd ff:ff:ff:ff:ff:ff
5: lan2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 24:f5:a2:c5:ad:40 brd ff:ff:ff:ff:ff:ff
6: lan1@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 24:f5:a2:c5:ad:40 brd ff:ff:ff:ff:ff:ff
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 26:f5:a2:c5:ad:40 brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.41/24 brd 192.168.5.255 scope global wan
       valid_lft forever preferred_lft forever
    inet6 2a01:e0a:a3b:30a0:24f5:a2ff:fec5:ad40/64 scope global dynamic noprefixroute 
       valid_lft 86261sec preferred_lft 86261sec
    inet6 fe80::24f5:a2ff:fec5:ad40/64 scope link 
       valid_lft forever preferred_lft forever
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 24:f5:a2:c5:ad:40 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd8f:c47c:8ab7::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::26f5:a2ff:fec5:ad40/64 scope link 
       valid_lft forever preferred_lft forever
13: wlan2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether 24:f5:a2:c5:ad:43 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::26f5:a2ff:fec5:ad43/64 scope link 
       valid_lft forever preferred_lft forever
14: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether 24:f5:a2:c5:ad:41 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::26f5:a2ff:fec5:ad41/64 scope link 
       valid_lft forever preferred_lft forever
15: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq master br-lan state DOWN qlen 1000
    link/ether 24:f5:a2:c5:ad:42 brd ff:ff:ff:ff:ff:ff
16: vpn: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    link/[65534] 
    inet 192.168.27.88/32 brd 255.255.255.255 scope global vpn
       valid_lft forever preferred_lft forever
default via 192.168.5.254 dev wan  src 192.168.5.41 
83.159.44.229 via 192.168.5.254 dev wan 
192.168.0.0/24 dev vpn scope link 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
192.168.5.0/24 dev wan scope link  src 192.168.5.41 
192.168.27.64/27 dev vpn scope link 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.1 
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1 
broadcast 192.168.5.0 dev wan table local scope link  src 192.168.5.41 
local 192.168.5.41 dev wan table local scope host  src 192.168.5.41 
broadcast 192.168.5.255 dev wan table local scope link  src 192.168.5.41 
local 192.168.27.88 dev vpn table local scope host  src 192.168.27.88 
default from 2a01:e0a:a3b:30a0::/64 via fe80::224:d4ff:fec2:5f28 dev wan  metric 512 
2a01:e0a:a3b:30a0::/64 dev wan  metric 256 
unreachable 2a01:e0a:a3b:30a0::/64 dev lo  metric 2147483647 
fd8f:c47c:8ab7::/64 dev br-lan  metric 1024 
unreachable fd8f:c47c:8ab7::/48 dev lo  metric 2147483647 
fe80::/64 dev eth0  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev wan  metric 256 
fe80::/64 dev wlan2  metric 256 
fe80::/64 dev wlan1  metric 256 
local ::1 dev lo table local  metric 0 
anycast 2a01:e0a:a3b:30a0:: dev wan table local  metric 0 
local 2a01:e0a:a3b:30a0:24f5:a2ff:fec5:ad40 dev wan table local  metric 0 
anycast fd8f:c47c:8ab7:: dev br-lan table local  metric 0 
local fd8f:c47c:8ab7::1 dev br-lan table local  metric 0 
anycast fe80:: dev eth0 table local  metric 0 
anycast fe80:: dev br-lan table local  metric 0 
anycast fe80:: dev wan table local  metric 0 
anycast fe80:: dev wlan2 table local  metric 0 
anycast fe80:: dev wlan1 table local  metric 0 
local fe80::24f5:a2ff:fec5:ad40 dev wan table local  metric 0 
local fe80::26f5:a2ff:fec5:ad40 dev eth0 table local  metric 0 
local fe80::26f5:a2ff:fec5:ad40 dev br-lan table local  metric 0 
local fe80::26f5:a2ff:fec5:ad41 dev wlan1 table local  metric 0 
local fe80::26f5:a2ff:fec5:ad43 dev wlan2 table local  metric 0 
multicast ff00::/8 dev eth0 table local  metric 256 
multicast ff00::/8 dev br-lan table local  metric 256 
multicast ff00::/8 dev wan table local  metric 256 
multicast ff00::/8 dev vpn table local  metric 256 
multicast ff00::/8 dev wlan2 table local  metric 256 
multicast ff00::/8 dev wlan1 table local  metric 256
# ip rule show; iptables-save -c
0:	from all lookup local 
1:	from all iif br-lan lookup 100 
32766:	from all lookup main 
32767:	from all lookup default 
# Generated by iptables-save v1.8.7 on Sun Sep 12 09:49:43 2021
*nat
:PREROUTING ACCEPT [1917:346495]
:INPUT ACCEPT [291:24728]
:OUTPUT ACCEPT [950:71645]
:POSTROUTING ACCEPT [192:14002]
:postrouting_OpenVPN_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_OpenVPN_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_OpenVPN_postrouting - [0:0]
:zone_OpenVPN_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[1964:349499] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[1410:258712] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i tap0 -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i vpn -m comment --comment "!fw3" -j zone_lan_prerouting
[554:90787] -A PREROUTING -i wan -m comment --comment "!fw3" -j zone_wan_prerouting
[1540:181168] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[8:2110] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o tap0 -m comment --comment "!fw3" -j zone_lan_postrouting
[86:5228] -A POSTROUTING -o vpn -m comment --comment "!fw3" -j zone_lan_postrouting
[1348:167166] -A POSTROUTING -o wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A zone_OpenVPN_postrouting -m comment --comment "!fw3: Custom OpenVPN postrouting rule chain" -j postrouting_OpenVPN_rule
[0:0] -A zone_OpenVPN_prerouting -m comment --comment "!fw3: Custom OpenVPN prerouting rule chain" -j prerouting_OpenVPN_rule
[94:7338] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[1410:258712] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -p tcp -m tcp --dport 10000:20000 -m comment --comment "!fw3: Tel VOIP" -j DNAT --to-destination 192.168.1.185:10000-20000
[46:2944] -A zone_lan_prerouting -p udp -m udp --dport 10000:20000 -m comment --comment "!fw3: Tel VOIP" -j DNAT --to-destination 192.168.1.185:10000-20000
[1:60] -A zone_lan_prerouting -p tcp -m tcp --dport 5060:5061 -m comment --comment "!fw3: SIP Tel VOIP" -j DNAT --to-destination 192.168.1.185:5060-5061
[0:0] -A zone_lan_prerouting -p udp -m udp --dport 5060:5061 -m comment --comment "!fw3: SIP Tel VOIP" -j DNAT --to-destination 192.168.1.185:5060-5061
[1348:167166] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[1348:167166] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[554:90787] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sun Sep 12 09:49:43 2021
# Generated by iptables-save v1.8.7 on Sun Sep 12 09:49:43 2021
*mangle
:PREROUTING ACCEPT [106674:95658316]
:INPUT ACCEPT [2505:276132]
:FORWARD ACCEPT [103478:95207713]
:OUTPUT ACCEPT [2576:262773]
:POSTROUTING ACCEPT [105892:95458238]
[321:19148] -A FORWARD -o wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[315:18520] -A FORWARD -i wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Sep 12 09:49:43 2021
# Generated by iptables-save v1.8.7 on Sun Sep 12 09:49:43 2021
*filter
:INPUT ACCEPT [1:52]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_OpenVPN_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_OpenVPN_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_OpenVPN_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_OpenVPN_dest_ACCEPT - [0:0]
:zone_OpenVPN_forward - [0:0]
:zone_OpenVPN_input - [0:0]
:zone_OpenVPN_output - [0:0]
:zone_OpenVPN_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[407:39666] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[2103:236726] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[1366:166782] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[4:240] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[298:26731] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i tap0 -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i vpn -m comment --comment "!fw3" -j zone_lan_input
[439:43213] -A INPUT -i wan -m comment --comment "!fw3" -j zone_wan_input
[103478:95207713] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[102389:95057484] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1089:150229] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i tap0 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i vpn -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[407:39666] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[2083:215827] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[1200:148428] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[12:3428] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o tap0 -m comment --comment "!fw3" -j zone_lan_output
[1:84] -A OUTPUT -o vpn -m comment --comment "!fw3" -j zone_lan_output
[870:63887] -A OUTPUT -o wan -m comment --comment "!fw3" -j zone_wan_output
[47:4826] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[392:38387] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[4:240] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_OpenVPN_forward -m comment --comment "!fw3: Custom OpenVPN forwarding rule chain" -j forwarding_OpenVPN_rule
[0:0] -A zone_OpenVPN_forward -m comment --comment "!fw3: Zone OpenVPN to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_OpenVPN_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_OpenVPN_forward -m comment --comment "!fw3" -j zone_OpenVPN_dest_ACCEPT
[0:0] -A zone_OpenVPN_input -m comment --comment "!fw3: Custom OpenVPN input rule chain" -j input_OpenVPN_rule
[0:0] -A zone_OpenVPN_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_OpenVPN_input -m comment --comment "!fw3" -j zone_OpenVPN_src_ACCEPT
[0:0] -A zone_OpenVPN_output -m comment --comment "!fw3: Custom OpenVPN output rule chain" -j output_OpenVPN_rule
[0:0] -A zone_OpenVPN_output -m comment --comment "!fw3" -j zone_OpenVPN_dest_ACCEPT
[12:3428] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o tap0 -m comment --comment "!fw3" -j ACCEPT
[401:24152] -A zone_lan_dest_ACCEPT -o vpn -m comment --comment "!fw3" -j ACCEPT
[1089:150229] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[1089:150229] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[499:30008] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to OpenVPN forwarding policy" -j zone_OpenVPN_dest_ACCEPT
[99:5940] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[400:24068] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[298:26731] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[298:26731] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[13:3512] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[13:3512] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[297:26679] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i tap0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i vpn -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[73:4416] -A zone_wan_dest_ACCEPT -o wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1387:179692] -A zone_wan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[439:43213] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[439:43213] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[870:63887] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[870:63887] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[439:43213] -A zone_wan_src_REJECT -i wan -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sun Sep 12 09:49:43 2021

Persistent configuration:
# uci show network; uci show firewall; crontab -l
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd8f:c47c:8ab7::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan1' 'lan2' 'lan3' 'lan4'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.@device[1]=device
network.@device[1].name='wan'
network.@device[1].macaddr='26:f5:a2:c5:ad:40'
network.wan=interface
network.wan.device='wan'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.device='wan'
network.wan6.proto='dhcpv6'
network.@rule[0]=rule
network.@rule[0].in='lan'
network.@rule[0].lookup='100'
network.VPN=interface
network.VPN.proto='static'
network.VPN.device='tap0'
network.vpn=interface
network.vpn.proto='wireguard'
network.vpn.private_key='************************'
network.vpn.addresses='192.168.27.88/32'
network.wgserver=wireguard_vpn
network.wgserver.public_key='*******************'
network.wgserver.endpoint_host='83.159.44.229'
network.wgserver.endpoint_port='28482'
network.wgserver.route_allowed_ips='1'
network.wgserver.persistent_keepalive='25'
network.wgserver.allowed_ips='192.168.27.64/27' '192.168.0.0/24'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan' 'VPN' 'vpn'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan' 'wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='false'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='OpenVPN'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='OpenVPN'
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='lan'
firewall.@forwarding[2].dest='OpenVPN'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='Tel VOIP'
firewall.@redirect[0].src='lan'
firewall.@redirect[0].src_dport='10000-20000'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].dest_ip='192.168.1.185'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].name='SIP Tel VOIP'
firewall.@redirect[1].src='lan'
firewall.@redirect[1].src_dport='5060-5061'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].dest_ip='192.168.1.185'
* * * * * date -s 2030-01-01; /etc/init.d/sysntpd restart

Note: I redacted sensitive information, and did not provide IPv6 rules as the VPN is IPv4 only.


Try this:

uci set firewall.@zone[0].masq="1"
uci commit firewall
/etc/init.d/firewall restart
uci -q delete network.@rule[0]
uci commit network
/etc/init.d/network restart

Then check if the issue persists.

What's the purpose of this part? It seems that with masquerading enabled in firewall, I'm able to ping my machines now. Thanks a lot!


The purpose of that rule is unclear as no routes are present in the corresponding table.
Since it works like that, the cause of the issue should be on the other side of the tunnel.
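Why turning on masquerading for the zone that holds the vpn interface made the LAN hosts reachable, modelled as an added example (not code from the thread or from OpenWrt): WireGuard's cryptokey routing silently drops a decrypted packet whose source address is not inside the sending peer's AllowedIPs. The client's peer entry and tunnel address are taken from the thread; the remote server's AllowedIPs for this client (192.168.27.88/32 only) and its own tunnel address are assumptions, since the thread never shows the server side.

```python
"""Model of WireGuard cryptokey routing for the thread's topology (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address


@dataclass
class Peer:
    name: str
    allowed_ips: List[IPNet]


@dataclass
class WgNode:
    name: str
    address: IPAddr
    peers: List[Peer]

    def select_peer(self, dst: IPAddr) -> Optional[Peer]:
        """Outbound cryptokey routing: the peer with the longest AllowedIPs prefix containing dst."""
        best, best_len = None, -1
        for peer in self.peers:
            for net in peer.allowed_ips:
                if dst in net and net.prefixlen > best_len:
                    best, best_len = peer, net.prefixlen
        return best

    def accepts_from(self, peer: Peer, src: IPAddr) -> bool:
        """Inbound cryptokey routing: keep the decrypted packet only if src is in that peer's AllowedIPs."""
        return any(src in net for net in peer.allowed_ips)


def build_nodes(remote_allows_lan: bool):
    """Client side is the thread's config; server side is an assumption (see lead-in)."""
    client = WgNode(
        name="openwrt",
        address=IPAddr("192.168.27.88"),
        peers=[Peer("wgserver", [IPNet("192.168.27.64/27"), IPNet("192.168.0.0/24")])],
    )
    server_allowed = [IPNet("192.168.27.88/32")]  # ASSUMED: only the client's tunnel address
    if remote_allows_lan:
        # The "other side of the tunnel" fix: let the server route the client's LAN to this peer.
        server_allowed.append(IPNet("192.168.1.0/24"))
    server = WgNode(
        name="wgserver",
        address=IPAddr("192.168.27.65"),  # constructed, not from the thread
        peers=[Peer("openwrt", server_allowed)],
    )
    return client, server


def simulate_lan_to_remote(lan_src: str, dst: str, masq: bool, remote_allows_lan: bool = False) -> str:
    """Trace one packet from a LAN host that the OpenWrt router forwards into the tunnel."""
    client, server = build_nodes(remote_allows_lan)
    src, dst_ip = IPAddr(lan_src), IPAddr(dst)
    peer = client.select_peer(dst_ip)
    if peer is None:
        return "no-peer-for-destination"
    if masq:
        # firewall zone masq='1' on the zone containing 'vpn': SNAT to the tunnel address
        src = client.address
    # The server sees the packet arrive through its peer entry for the client.
    server_view = next(p for p in server.peers if p.name == client.name)
    if not server.accepts_from(server_view, src):
        return f"dropped-by-remote-cryptokey-routing(src={src})"
    return f"delivered(src={src})"


if __name__ == "__main__":
    for masq in (False, True):
        print(f"masq={masq}:", simulate_lan_to_remote("192.168.1.50", "192.168.0.2", masq))
    print("router itself:", simulate_lan_to_remote("192.168.27.88", "192.168.0.2", masq=False))
    print("server allows LAN:", simulate_lan_to_remote("192.168.1.50", "192.168.0.2", False, True))
```

The router's own pings succeed because they leave with source 192.168.27.88, which the remote peer entry accepts, while a LAN host's packet leaves with a 192.168.1.x source that the remote entry does not list. Masquerading hides that difference; adding 192.168.1.0/24 to the client's AllowedIPs on the server is the other way to fix it.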
