Need help on home network

Hi guys, I have an issue with my current home network configuration. I followed the Mullvad guide to set up WireGuard on a router with OpenWrt. I was able to make WireGuard work, but inside the LAN, devices are not able to reach each other (Destination host unreachable). And I need to be able to do so.

My configuration is as follows:
ISP Cable Modem/Wifi turned into Bridged -> Linksys E3200 with OpenWrt (wifi disabled) -> TP-Link Archer AX50 as wireless router

I think I need to modify something in OpenWrt, but I'm not sure what. All the configuration on OpenWrt is default plus the modification I followed in the guide. Maybe it is something related to Firewall zones or VLAN. I disabled NAT in the wifi router. Maybe I need to disable DHCP in the OpenWrt router (I don't know how).

Your help will be much appreciated
Thank you!

Please collect the output and post it to pastebin.com redacting the private parts:

ubus call system board; uci show network; uci show firewall; wg show; \
ip address show; ip route show table all; ip rule show; iptables-save

In addition, clarify the source and destination IPs when you try to access the host.


Thank you for the reply!

https://pastebin.com/jxWKrtXa

What I'm trying to do is use peer-to-peer access on my devices, like video games or software like Parsec (I was able to do so before configuring the router with OpenWrt and WireGuard). A simple test I did is ping from one computer to another:

PS C:\Users\patri> ping 192.168.0.116

Pinging 192.168.0.116 with 32 bytes of data:
Reply from 192.168.0.118: Destination host unreachable.
Reply from 192.168.0.118: Destination host unreachable.
Reply from 192.168.0.118: Destination host unreachable.
Reply from 192.168.0.118: Destination host unreachable.

Ping statistics for 192.168.0.116:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

118 is the source PC and 116 the destination PC.

Thank you!


Add a static route on OpenWrt to the subnet 192.168.0.0/24 via the IP of your downstream router.

If the issue persists, post the VPN-PBR config:

uci show vpn-policy-routing

Like this? 192.168.0.1 is the IP of the TP-Link router (I think that is what you refer to as downstream). 255.255.255.0 is the netmask used on that router. Should I restart the router after each change?
https://imgur.com/a/I8TS8GL

I went ahead and ran that command:

root@OpenWrt:~# uci show vpn-policy-routing
vpn-policy-routing.config=vpn-policy-routing
vpn-policy-routing.config.strict_enforcement='1'
vpn-policy-routing.config.src_ipset='0'
vpn-policy-routing.config.dest_ipset='dnsmasq.ipset'
vpn-policy-routing.config.supported_interface=''
vpn-policy-routing.config.boot_timeout='30'
vpn-policy-routing.config.iptables_rule_option='append'
vpn-policy-routing.config.iprule_enabled='0'
vpn-policy-routing.config.webui_sorting='1'
vpn-policy-routing.config.webui_supported_protocol='tcp' 'udp' 'tcp udp' 'icmp' 'all'
vpn-policy-routing.config.enabled='1'
vpn-policy-routing.config.verbosity='1'
vpn-policy-routing.config.ipv6_enabled='1'
vpn-policy-routing.config.webui_enable_column='1'
vpn-policy-routing.config.webui_protocol_column='1'
vpn-policy-routing.config.webui_chain_column='1'
vpn-policy-routing.@include[0]=include
vpn-policy-routing.@include[0].path='/etc/vpn-policy-routing.netflix.user'
vpn-policy-routing.@include[1]=include
vpn-policy-routing.@include[1].path='/etc/vpn-policy-routing.aws.user'
vpn-policy-routing.@policy[0]=policy
vpn-policy-routing.@policy[0].src_port='6112'
vpn-policy-routing.@policy[0].dest_port='6112'
vpn-policy-routing.@policy[0].name='GW2'
vpn-policy-routing.@policy[0].interface='wan'

Thank you!

Currently the Linksys router has no route to the subnet 192.168.0.0/24.

Assuming that the TP-Link router is in the router mode, it should have an IP address in the subnet 192.168.1.0/24 to be able to properly communicate with your Linksys router.
This IP should be used as a gateway to the 192.168.0.0/24 subnet.

Otherwise, consider switching the TP-Link router to the AP mode.

See also: Router vs switch vs gateway and NAT


Ok, understood. Yes, the IP on that subnet of the TP-Link was 192.168.1.222. I have modified it and restarted both routers but no luck.

I went ahead and changed the TP-Link router to AP. Same results, destination host unreachable :(

  • Make sure to reconnect the clients.

  • Allow pings from outside the local subnet in the Windows firewall.

  • Exclude the local subnets as destination from all policies on OpenWrt:

    uci set vpn-policy-routing.@policy[0].dest_addr="!192.168.0.0/23"
    uci commit vpn-policy-routing
    /etc/init.d/vpn-policy-routing restart

  • Check routing and connectivity from OpenWrt:

    ip route get 192.168.0.118
    traceroute 192.168.0.118
    ping -w 3 192.168.0.118

  • If you switched the TP-Link router to the AP mode, verify that all your clients received DHCP leases on OpenWrt in the 192.168.1.0/24 subnet.
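As an added illustration that is not part of this thread, a Python model of the two checks above: a longest-prefix lookup over a constructed OpenWrt route table before and after the recommended static route, and the `!192.168.0.0/23` dest_addr exclusion applied before the main table, as vpn-policy-routing does. The route table, interface names and the 203.0.113.10 test address are assumptions, not the poster's actual output.

```python
import ipaddress

# Constructed route table modelled on the thread's topology (an assumption,
# not the poster's real `ip route show`): OpenWrt LAN 192.168.1.0/24 on
# br-lan, a WireGuard default route on wg0, and the TP-Link LAN
# 192.168.0.0/24 sitting behind 192.168.1.222. Entries: (prefix, dev, gw).
ROUTES_BEFORE = [
    ("0.0.0.0/0", "wg0", None),
    ("192.168.1.0/24", "br-lan", None),
]
# The static route the thread recommends adding on OpenWrt.
STATIC_ROUTE = ("192.168.0.0/24", "br-lan", "192.168.1.222")
ROUTES_AFTER = ROUTES_BEFORE + [STATIC_ROUTE]


def lookup(routes, dst):
    """Longest-prefix match: the decision `ip route get` would report."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return (str(best[0]), best[1], best[2]) if best else None


def policy_matches(dest_addr, dst):
    """Does a vpn-policy-routing dest_addr entry match dst?  A leading '!'
    negates it, so '!192.168.0.0/23' matches everything except both LANs."""
    negate = dest_addr.startswith("!")
    net = ipaddress.ip_network(dest_addr.lstrip("!"))
    hit = ipaddress.ip_address(dst) in net
    return hit != negate


def classify(routes, dest_addr, dst, policy_iface="wan"):
    """Where a packet to dst leaves: a matching policy (fwmark rule) wins
    over the main routing table, otherwise the longest-prefix route is used."""
    if policy_matches(dest_addr, dst):
        return ("policy", policy_iface)
    prefix, dev, gw = lookup(routes, dst)
    return ("route", dev if gw is None else f"{dev} via {gw}")


if __name__ == "__main__":
    for table, label in ((ROUTES_BEFORE, "before"), (ROUTES_AFTER, "after")):
        print(label, "static route:", classify(table, "!192.168.0.0/23", "192.168.0.116"))
```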