In the past, I could go into the firewall zone settings and change lan > WireGuard interface to lan > wan, then disable the WireGuard interface, and I would have internet access on my network without WireGuard. That no longer works since I switched to a new ISP and home, and I'm wondering what I can do to fix it. The new ISP required me to create a virtual WAN interface with a number and to connect via PPPoE with a username and password; I wonder if this could be the cause. My previous ISP required no such things.
Here are my firewall settings with WireGuard enabled:
root@MainRouter:~# cat /etc/config/firewall
# Global defaults: anything not matched by a zone, forwarding or rule below is
# rejected on input and forward and accepted on output.
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# NOTE(review): flow offloading is on while a pbr script include is loaded
# further down. If routing misbehaves after changing forwardings, retest with
# this set to '0' to rule out an interaction -- not confirmable from this paste.
option flow_offloading '1'
# LAN zone: fully trusted (input, output and intra-zone forward all ACCEPT).
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
# WAN zone: unsolicited input and forwarding are rejected; outbound traffic is
# masqueraded (masq) and TCP MSS is clamped (mtu_fix). The zone is bound to the
# logical networks 'wan' and 'wan6', not to a device name.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option masq '1'
list network 'wan'
list network 'wan6'
# Inbound exceptions on the wan zone. Rules without 'dest' apply to traffic
# addressed to the router itself; rules with 'dest' apply to forwarded traffic.

# DHCPv4 replies to the router's client port (UDP 68).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# The router answers IPv4 echo requests arriving from wan.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# DHCPv6 replies to the router's client port (UDP 546).
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# MLD messages, accepted only from link-local sources (fe80::/10).
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 to the router itself (error messages plus neighbour/router discovery),
# rate-limited to 1000 packets per second.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 forwarded from wan to any zone (dest '*'), with the same rate limit.
# Discovery types are not included here, only echo and error messages.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# The next two rules let ESP and UDP 500 be forwarded from wan to every host in
# lan, with no family or address restriction.
# NOTE(review): if no LAN host terminates IPsec, setting option enabled '0' on
# both removes an inbound path that nothing here appears to need -- confirm.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# VPN zone for the WireGuard network 'surfshark': treated like a second WAN
# (input/forward REJECT, masquerading and MSS clamping enabled).
config zone
option name 'surfshark'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'surfshark'
# Would permit two LAN hosts to leave through wan, but it is switched off
# (enabled '0'). An ACCEPT rule only permits the traffic: which interface the
# packets actually leave by is decided by the routing table / policy routing,
# not by this file.
config rule
option name 'exceptions'
option src 'lan'
list src_ip '192.168.1.179'
list src_ip '192.168.1.151'
option dest 'wan'
option target 'ACCEPT'
option enabled '0'
# IPv4-only zone for the network 'surfsharkovpn'; no forwarding in this file
# points at it, so nothing from lan or Guestwlan is allowed into it.
config zone
option name 'ovpntest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option family 'ipv4'
list network 'surfsharkovpn'
# Script include that is run with the firewall.
# NOTE(review): judging by the name this is policy-based routing; its own
# configuration is not shown here and may steer traffic independently of the
# zones above -- check it when a default-route change does not take effect.
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'
# DNAT for NTP (UDP 123) coming from the listed LAN MAC addresses. No dest_ip
# is set -- presumably the requests end up at the router's own NTP service;
# confirm.
# NOTE(review): matching is by source MAC only, so a device that changes or
# randomizes its MAC is no longer covered by this redirect.
config redirect
option dest 'lan'
option target 'DNAT'
option name 'ntp'
list proto 'udp'
option src 'lan'
option src_dport '123'
option dest_port '123'
list src_mac '3C:52:A1:49:18:D1'
list src_mac '3C:52:A1:ED:9A:D6'
list src_mac '3C:52:A1:ED:9C:CA'
list src_mac '3C:52:A1:ED:A6:F4'
list src_mac 'F0:A7:31:18:8F:C2'
list src_mac '98:25:4A:BA:35:B2'
list src_mac '24:2F:D0:30:A3:96'
list src_mac '24:2F:D0:30:97:FC'
list src_mac '24:2F:D0:30:9E:DE'
list src_mac '24:2F:D0:30:9A:A8'
list src_mac '40:AE:30:50:DA:6C'
# Guest zone bound to the network 'ABC'. Input is REJECT, so guests reach the
# router only through explicit rules (DHCP and DNS rules exist in this file);
# forward REJECT blocks forwarding inside the zone. No masquerading is set here.
config zone
option name 'Guestwlan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'ABC'
# Rejects all protocols from the listed LAN addresses towards the 'surfshark'
# zone.
# NOTE(review): the rule names only dest 'surfshark'. If the lan forwarding is
# switched to 'wan', these hosts are no longer blocked by this rule; only
# 192.168.1.113 and 192.168.1.227 have a matching lan -> wan reject elsewhere
# in this file. Using dest '*' or duplicating the rule for wan would keep the
# block in place on both paths.
# NOTE(review): matching is by source IP, so it only holds while each device
# keeps its address (e.g. static DHCP leases) -- not visible in this paste.
config rule
option name 'Block Cams and devices from Interwebz'
option src 'lan'
option dest 'surfshark'
option target 'REJECT'
list proto 'all'
list src_ip '192.168.1.117'
list src_ip '192.168.1.235'
list src_ip '192.168.1.182'
list src_ip '192.168.1.129'
list src_ip '192.168.1.145'
list src_ip '192.168.1.180'
list src_ip '192.168.1.185'
list src_ip '192.168.1.166'
list src_ip '192.168.1.172'
list src_ip '192.168.1.248'
list src_ip '192.168.1.218'
list src_ip '192.168.1.109'
list src_ip '192.168.1.242'
list src_ip '192.168.1.210'
list src_ip '192.168.1.158'
list src_ip '192.168.1.102'
list src_ip '192.168.1.162'
list src_ip '192.168.1.202'
list src_ip '192.168.1.140'
list src_ip '192.168.1.113'
list src_ip '192.168.1.128'
list src_ip '192.168.1.138'
list src_ip '192.168.1.227'
# Guest access to the router itself (no 'dest', so these are input rules):
# DHCP on UDP 67 ...
config rule
option name 'guestDHCP'
list proto 'udp'
option src 'Guestwlan'
option dest_port '67'
option target 'ACCEPT'
# ... and DNS on port 53. No proto is given, so the firewall default applies
# (presumably TCP and UDP -- confirm).
config rule
option name 'GuestDNS'
option src 'Guestwlan'
option dest_port '53'
option target 'ACCEPT'
# Guests may be forwarded only into the 'surfshark' zone. There is no
# Guestwlan -> wan forwarding, so guest traffic has no permitted path when the
# tunnel interface is down or disabled.
config forwarding
option src 'Guestwlan'
option dest 'surfshark'
# Disabled (enabled '0'): would reject 192.168.1.107 towards 'surfshark'.
config rule
option name 'Block Android Panels from internet'
option src 'lan'
list src_ip '192.168.1.107'
option dest 'surfshark'
option target 'REJECT'
option enabled '0'
# Disabled (enabled '0'): would drop UDP from 192.168.1.184 towards 'surfshark'.
config rule
option name 'temp'
list proto 'udp'
option src 'lan'
option dest 'surfshark'
option target 'DROP'
list src_ip '192.168.1.184'
option enabled '0'
# The only forwarding out of lan goes to 'surfshark'. With no lan -> wan
# forwarding, LAN traffic towards wan falls through to the global forward
# policy (REJECT), so the LAN has no internet path while the tunnel is down.
# That works as a kill switch; it is also why disabling WireGuard alone removes
# connectivity until a lan -> wan forwarding exists.
config forwarding
option src 'lan'
option dest 'surfshark'
# Active rule (no 'enabled' option): rejects two LAN hosts towards wan. It is
# the only per-device block in this file that applies on the wan path.
config rule
option src 'lan'
option dest 'wan'
option target 'REJECT'
option name 'Reject Huawei traffic'
list src_ip '192.168.1.113'
list src_ip '192.168.1.227'
And here are my network interfaces:
root@MainRouter:~# cat /etc/config/network
# Loopback interface.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# Global settings: local ULA prefix and packet steering.
config globals 'globals'
option ula_prefix 'fd24:536a:b9a7::/48'
option packet_steering '1'
# LAN bridge over the four LAN ports, with IGMP snooping. 'ipv6' is set to '0'
# on this device.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
option ipv6 '0'
option igmp_snooping '1'
# LAN network 192.168.1.0/24 with the router at .1. ip6assign is still set even
# though 'ipv6' is '0' on br-lan above.
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option delegate '0'
# PPPoE uplink running on the VLAN sub-device 'wan.200'. Username and password
# are redacted in this paste.
# NOTE(review): 'option type bridge' on an interface section looks like a
# leftover from the older syntax (bridges are declared in 'config device'
# sections in this file) -- confirm it is ignored, or remove it.
config interface 'wan'
option device 'wan.200'
option proto 'pppoe'
option type 'bridge'
option username 'ABC'
option password 'ABC'
option ipv6 'auto'
# DHCPv6 client bound to the untagged 'wan' device, while PPPoE above runs on
# 'wan.200'.
# NOTE(review): if the ISP delivers IPv6 inside the PPPoE session, this
# interface probably never obtains a lease; the usual form references the PPPoE
# interface ('@wan') -- confirm against the ISP's setup.
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
# WireGuard tunnel interface. The private key is redacted in this paste.
# metric '0' applies to the routes this interface installs, MTU is lowered to
# 1360, and a DNS server at 100.64.0.63 is announced for this interface.
# NOTE(review): the wan interface does not set peerdns '0', so ISP-provided
# resolvers may also be in use alongside this one -- verify which resolvers
# the router actually queries if DNS privacy matters.
config interface 'surfshark'
option proto 'wireguard'
option private_key 'ABC'
option metric '0'
option delegate '0'
option mtu '1360'
list addresses '10.69.80.95/32'
list addresses 'fc00:bbbb:bbbb:bb01::6:505e/128'
list dns '100.64.0.63'
# Unmanaged placeholder (proto 'none') for tun0, not brought up at boot
# (auto '0'); it exists so the 'ovpntest' firewall zone has a network to bind.
config interface 'surfsharkovpn'
option proto 'none'
option device 'tun0'
option delegate '0'
option auto '0'
# Guest device declaration; only a name is given (no type or ports shown).
config device 'guest_dev'
option name 'br-guest'
# Guest network 192.168.2.0/24 with the router at .1 and 8.8.8.8 as DNS.
# NOTE(review): no 'option device' appears here, so as pasted this interface is
# not attached to 'br-guest' -- possibly trimmed from the paste; confirm.
config interface 'ABC'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
list dns '8.8.8.8'
# WireGuard peer for the 'surfshark' interface. Public key and endpoint host
# are redacted in this paste.
# allowed_ips covers all IPv4 and IPv6, and route_allowed_ips '1' installs
# routes for those ranges through the tunnel while the interface is up, i.e.
# the tunnel takes over the default route. When the interface is disabled the
# default route has to come from the PPPoE uplink instead; comparing the
# routing table in both states shows whether that route is actually present.
config wireguard_surfshark
option description 'de-fra-wg-004.conf'
option public_key 'ABC'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::0/0'
option endpoint_host 'ABC'
option endpoint_port '51820'
option route_allowed_ips '1'
option persistent_keepalive '25'
# 802.1Q VLAN sub-device: VLAN ID 200 on the parent port 'wan', exposed as
# 'wan.200'. The PPPoE 'wan' interface runs on top of this device.
config device
option type '8021q'
option ifname 'wan'
option vid '200'
option name 'wan.200'