Linksys EA7300 w/ WireGuard Server

Newbie here. I installed OpenWrt on the EA7300 along with a WireGuard server. This is not the main router but is connected to a Deco X60, which is connected to a BWG-210 gateway with IP Passthru. When the EA7300 is set up as a router, WG works fine. But when I change the EA7300 to bridge mode (LAN-to-LAN connection to the Deco X60), WireGuard stops working. The reason for bridge mode is to have access to all Deco-connected devices, mainly cameras.
Q1. Is there a way to get access to devices connected to the Deco when the EA7300 is set in router mode?
Deco 192.168.68.1. DHCP 192.168.68.100 to 250
EA7300 192.168.68.2. DHCP 192.168.68.10 to 99

Q2. Is it possible to get WG working with the EA7300 in bridge mode?

Thanks

Please provide this info (redacted) for each device.

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

The description of your network is not that clear. Maybe you could provide a diagram?
What is the role of each device?

Will post those soon. The AT&T gateway modem BWG-210 provides Internet and is connected via Ethernet to the Deco X60, which is the main router. The Deco gets the public IP since the BWG-210 is set to IP Passthru, and all routing, wireless and firewall are disabled on the AT&T BWG210.

Then from the Deco, the EA7300 is connected with an Ethernet cable:

LAN to WAN when the EA7300 is set as a router, and LAN to LAN when the EA7300 is set as a bridge. The EA7300's wireless is not enabled, and only a computer is connected to the EA7300.

The Deco X60 has all the WiFi devices, NVR, IoT...
Hope this clarifies

What you want to do can be achieved fairly easily. There are two ways to do it:

  1. Use masquerading on the OpenWrt upstream connection

or

  2. If your Deco supports static routes, we can use that and not enable masquerading.

Option 1 is the easiest and requires only adjustments to OpenWrt. We only need the network and firewall files to be able to help resolve the issues (it would also be useful to see a remote peer device's config).

Also, you'll need to make sure that your deco is port forwarding properly to your OpenWrt device.

OK, it's clearer.
As the Deco X60 is the main router, the EA7300 would simply act as an AP.

You must connect the EA7300 with a LAN port to the switch. DHCP should be managed by the X60 only.
WireGuard can be managed by the EA7300, but you must add some firewall rules.
Assign the WireGuard interface to a new zone (VPN in this example):

config zone
        option name 'VPN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'Wireguard'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'VPN'

config forwarding
        option src 'VPN'
        option dest 'lan'

Actually, this won't work...

It is the lan zone that needs to be masqueraded, not the VPN zone.

3 Likes

I must confess that my secondary goal by answering was for you to check on this :wink:

1 Like
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'test'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'vpn'

Note my WG interface is named "test". This DID NOT work.

How do I do that? I checked the Masquerading box for LAN in LuCI and it did not work.

Thanks

As noted, masq needs to be only on the lan zone and not the vpn zone. Then a vpn->lan connection will appear to come from the OpenWrt router's IP on the LAN. The LAN devices and main router do not need to be aware of the IP subnet(s) used on the VPN.

Forwarding from lan to VPN (where a LAN device can initiate a connection to a VPN device) is not going to work simply when masquerading is in place. It is the same situation as accepting incoming connections from the Internet when

Thanks, I did not see this response.

"Use masquerading on the OpenWrt upstream connection"
How do I do this?

Port forwarding in the Deco works, as I can switch to router mode on the EA7300 and WireGuard lets me in.
The bridge is the issue. I think the bridge will let me access other devices in the network, rather than the router setup on the EA7300.

Start by removing the masquerading on the vpn zone:

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'test'

Then enable masquerading on the lan zone:

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'lan'

You can delete this:

If this doesn't solve the issue, please post the complete files:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

That did NOT work. Attaching files.

{
"kernel": "5.15.134",
"hostname": "OpenWrt",
"system": "MediaTek MT7621 ver:1 eco:3",
"model": "Linksys EA7300 v1",
"board_name": "linksys,ea7300-v1",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.0",
"revision": "r23497-6637af95aa",
"target": "ramips/mt7621",
"description": "OpenWrt 23.05.0 r23497-6637af95aa"
}
}

/************* FIREWALL *************/

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'VPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'test'

config forwarding
	option src 'VPN'
	option dest 'lan'

************* END FIREWALL *********


root@OpenWrt:/etc/config# cat network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd97:8e9b:029a::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr '58:ef:68:c1:40:a0'

config device
	option name 'lan2'
	option macaddr '58:ef:68:c1:40:a0'

config device
	option name 'lan3'
	option macaddr '58:ef:68:c1:40:a0'

config device
	option name 'lan4'
	option macaddr '58:ef:68:c1:40:a0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.68.2'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'wan'
	option macaddr '58:ef:68:c1:40:a0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'test'
	option proto 'wireguard'
	option private_key 'XXXXXXX'
	option listen_port '51820'
	list addresses '192.168.9.1/24'
	list addresses 'fd00:9::1/64'

config wireguard_test
	option description 'wgIphone'
	option public_key 'FssvpguusuVaRJTRELtt+TUyH02gGX6aUobaR6TaoHA='
	option private_key ''
	option preshared_key ''
	list allowed_ips '192.168.9.4/32'
	list allowed_ips 'fd00:9::4/128'
/******** End NETWORK

Your lan needs a gateway (and usually DNS, too):

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.68.2'
	option netmask '255.255.255.0'
	option gateway '192.168.68.1'
	option dns '192.168.68.1'
	option ip6assign '60'

I'm guessing the main router is at 192.168.68.1 above... if that is true, this should do the trick.

If not, let's see your remote peer config.

1 Like
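The zone and masquerade advice above, together with the lan gateway fix, can be turned into a check that runs against the two UCI files before rebooting anything. The script below is an added example and is not code from this thread or from OpenWrt: it parses `/etc/config/network` and `/etc/config/firewall` text and reports the configuration mistakes this thread walked through (masq on the VPN zone instead of lan, the WireGuard interface in no zone or with no forwarding to lan, the listen port not accepted from a zone, and a static lan with no gateway). The embedded configs are trimmed versions of the ones posted; the finding codes and messages are my own.

```python
"""Lint OpenWrt UCI config for a WireGuard server on a dumb AP (added example, not thread code).
Checks encode what the thread converges on: masq on the lan zone rather than the VPN zone, the
WireGuard interface in a zone forwarded to lan, the listen port accepted, a gateway on lan."""
import re
import shlex

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+(.+))?$")
KV_RE = re.compile(r"^(option|list)\s+(\S+)\s+(.*)$")


def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'options': {}, 'lists': {}}, ...]."""
    sections, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := SECTION_RE.match(line):
            name = shlex.split(m.group(2))[0] if m.group(2) else None
            cur = {"type": m.group(1), "name": name, "options": {}, "lists": {}}
            sections.append(cur)
        elif cur and (m := KV_RE.match(line)):
            kind, key, raw = m.groups()
            val = shlex.split(raw)[0] if raw.strip() else ""
            if kind == "option":
                cur["options"][key] = val
            else:
                cur["lists"].setdefault(key, []).append(val)
    return sections


def port_open(zone, rules, port):
    """True if UDP <port> reaches the router itself when the packet arrives via <zone>."""
    if zone["options"].get("input", "").upper() == "ACCEPT":
        return True
    return any(r["options"].get("src") == zone["options"].get("name")
               and r["options"].get("proto", "").lower() == "udp"
               and r["options"].get("dest_port") == port
               and r["options"].get("target", "").upper() == "ACCEPT"
               and "dest" not in r["options"]  # an input rule, not a forwarding rule
               for r in rules)


def lint(network_text, firewall_text):
    """Return [(code, message), ...]; an empty list means the config passes."""
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    zones = [s for s in fw if s["type"] == "zone"]
    fwds = [s for s in fw if s["type"] == "forwarding"]
    rules = [s for s in fw if s["type"] == "rule"]

    def zone_of(ifname):
        return next((z for z in zones if ifname in z["lists"].get("network", [])), None)

    findings = []
    lan_zone = zone_of("lan")
    if lan_zone is None or lan_zone["options"].get("masq") != "1":
        findings.append(("LAN_NO_MASQ", "lan zone missing or without masq: VPN clients would hit "
                         "LAN hosts with a tunnel source address the main router cannot route back"))
    for wg in (s for s in net if s["type"] == "interface" and s["options"].get("proto") == "wireguard"):
        z = zone_of(wg["name"])
        if z is None:
            findings.append(("WG_NO_ZONE", f"WireGuard interface '{wg['name']}' is in no firewall zone"))
            continue
        zname = z["options"].get("name")
        if z["options"].get("masq") == "1":
            findings.append(("MASQ_WRONG_ZONE", f"zone '{zname}' has masq; it belongs on lan, not the VPN zone"))
        if not any(f["options"].get("src") == zname and f["options"].get("dest") == "lan" for f in fwds):
            findings.append(("NO_VPN_TO_LAN", f"no forwarding from zone '{zname}' to 'lan'"))
        port = wg["options"].get("listen_port")
        for zz in zones:
            if port and not port_open(zz, rules, port):
                findings.append(("PORT_BLOCKED", f"UDP {port} not accepted when arriving via zone '{zz['options'].get('name')}'"))
    lan = next((s for s in net if s["type"] == "interface" and s["name"] == "lan"), None)
    if lan and lan["options"].get("proto") == "static" and not lan["options"].get("gateway"):
        findings.append(("LAN_NO_GATEWAY", "static lan has no gateway: in bridge mode (wan unused) "
                         "there is no default route to reach remote peers' public endpoints"))
    return findings


# Trimmed from the firewall config posted in the thread (masq already moved to lan).
FIREWALL_POSTED = """\
config zone 'lan'
    option name 'lan'
    option input 'ACCEPT'
    option masq '1'
    list network 'lan'
config zone 'wan'
    option name 'wan'
    option input 'REJECT'
    list network 'wan'
config rule 'wg'
    option src 'wan'
    option proto 'udp'
    option dest_port '51820'
    option target 'ACCEPT'
config zone
    option name 'VPN'
    option input 'ACCEPT'
    list network 'test'
config forwarding
    option src 'VPN'
    option dest 'lan'
"""
# The thread's first attempt: masq on the VPN zone and none on lan.
FIREWALL_FIRST_ATTEMPT = (FIREWALL_POSTED
    .replace("    option masq '1'\n    list network 'lan'", "    list network 'lan'")
    .replace("    list network 'test'", "    option masq '1'\n    list network 'test'"))
# Trimmed from the posted network config: static lan, no gateway, WireGuard interface 'test'.
NETWORK_POSTED = """\
config interface 'lan'
    option proto 'static'
    option ipaddr '192.168.68.2'
    option netmask '255.255.255.0'
config interface 'test'
    option proto 'wireguard'
    option listen_port '51820'
    list addresses '192.168.9.1/24'
"""
NETWORK_FIXED = NETWORK_POSTED.replace("option netmask '255.255.255.0'",
                                       "option netmask '255.255.255.0'\n    option gateway '192.168.68.1'")
```

On the router itself the two files would be read with `cat /etc/config/network` and `cat /etc/config/firewall` and passed to `lint()`; the parser only handles the `config`/`option`/`list` forms seen in the posts, which is all these two files use.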

What does work? Do the following tests:

  • Run wg on the 7300 CLI. It should show a handshake received from the iPhone and the iPhone's Internet IPv4.
  • From the 7300, ping 192.168.9.4 should be answered by the iPhone.
  • If you go to 192.168.9.1 on the iPhone web browser, you should get LuCI from the 7300.
  • If you go to 192.168.68.2 on the iPhone, you should also get LuCI from the 7300.
  • 192.168.68.1 on the phone should bring the Deco's web interface.

Make sure that 192.168.68.0/24 is within the allowed_ips on the iPhone.
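The first test in that list (run `wg` and look for a handshake and the phone's public endpoint) and the last one (the LAN subnet must be inside the phone's AllowedIPs) can both be automated. The following is an added example, not code from the thread: it parses the machine-readable `wg show <iface> dump` output and flags peers that never handshook, whose handshake is older than WireGuard's 180-second session limit, or whose tunnel address is outside their allowed-ips, and it checks whether a client's AllowedIPs string would route a given subnet into the tunnel. The dump lines are constructed, with placeholder keys, an RFC 5737 endpoint address and a fixed clock.

```python
"""Check WireGuard peers from 'wg show <iface> dump' and a client's AllowedIPs.
Added example, not code from the thread; the dump below is constructed with
placeholder keys and a documentation-range endpoint address."""
import ipaddress
import time

# wg(8) never reuses a handshake older than REJECT_AFTER_TIME (180 s); a peer
# whose latest handshake is older than that is not currently talking to us.
STALE_AFTER = 180


def parse_wg_dump(text):
    """Parse 'wg show <iface> dump': first line is the interface, then one
    tab-separated line per peer (column order as documented in wg(8))."""
    lines = [l for l in text.splitlines() if l.strip()]
    _priv, pub, port, fwmark = lines[0].split("\t")
    iface = {"public_key": pub, "listen_port": int(port), "fwmark": fwmark}
    peers = []
    for line in lines[1:]:
        pub, _psk, endpoint, allowed, hs, rx, tx, _keepalive = line.split("\t")
        peers.append({
            "public_key": pub,
            "endpoint": None if endpoint == "(none)" else endpoint,
            "allowed_ips": [] if allowed == "(none)"
                           else [ipaddress.ip_network(a) for a in allowed.split(",")],
            "latest_handshake": int(hs),
            "rx": int(rx),
            "tx": int(tx),
        })
    return iface, peers


def peer_status(peer, tunnel_addr, now=None):
    """Return a list of problems for one peer (empty list = peer looks healthy).
    tunnel_addr is the address the client uses inside the tunnel."""
    now = time.time() if now is None else now
    problems = []
    if peer["latest_handshake"] == 0:
        problems.append("no handshake ever: the client's packets never reached the listen "
                        "port (check the port forward on the main router and the firewall)")
    elif now - peer["latest_handshake"] > STALE_AFTER:
        problems.append(f"last handshake {int(now - peer['latest_handshake'])} s ago: session expired")
    if peer["endpoint"] is None:
        problems.append("no endpoint recorded: never heard from this peer")
    addr = ipaddress.ip_address(tunnel_addr)
    if not any(addr in net for net in peer["allowed_ips"]):
        problems.append(f"{tunnel_addr} is outside this peer's allowed-ips: its packets "
                        "fail cryptokey routing and are dropped")
    return problems


def client_allowed_ips_cover(allowed_ips, target):
    """True if the client's AllowedIPs (comma-separated, as in the phone's
    [Peer] section) routes <target> into the tunnel, e.g. the AP's LAN subnet."""
    t = ipaddress.ip_network(target)
    nets = (ipaddress.ip_network(a.strip()) for a in allowed_ips.split(","))
    return any(t.version == n.version and t.subnet_of(n) for n in nets)


NOW = 1_700_000_000  # fixed "current time" so the constructed sample is reproducible
SAMPLE_DUMP = "\n".join([
    "\t".join(["SERVER_PRIVATE_KEY_REDACTED", "SERVER_PUBLIC_KEY", "51820", "off"]),
    # the iPhone: handshake 42 s ago from a public endpoint
    "\t".join(["PHONE_PUBLIC_KEY", "(none)", "203.0.113.7:41234",
               "192.168.9.4/32,fd00:9::4/128", str(NOW - 42), "18432", "9216", "off"]),
    # a laptop peer that has never connected
    "\t".join(["LAPTOP_PUBLIC_KEY", "(none)", "(none)", "192.168.9.5/32", "0", "0", "0", "off"]),
])

if __name__ == "__main__":
    iface, peers = parse_wg_dump(SAMPLE_DUMP)
    print(f"listening on UDP {iface['listen_port']}")
    for p, addr in zip(peers, ["192.168.9.4", "192.168.9.5"]):
        print(p["public_key"], peer_status(p, addr, now=NOW) or "OK")
    print("phone AllowedIPs covers LAN:",
          client_allowed_ips_cover("192.168.9.0/24, 192.168.68.0/24", "192.168.68.0/24"))
```

On the EA7300 the real input is `wg show test dump` (the interface is named `test` in the posted config); note that the dump prints the interface private key on its first line, so do not paste that output into a forum post unredacted.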

Original info that I used to set this firewall rule.

I did not add the Gateway and DNS but it is Working Now. I simply turned off the EA7300 and turned it back on.

One change I see is the WG interface "test" is now RED instead of the usual green. Can I delete the WAN and WAN6 interfaces, as they are not being used in bridge mode?

Thanks

You just needed to restart the interface. Rebooting the device also did this.

You can. I did this.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.