Netmaker + OpenWRT 22.03.5 unable to ping local devices

This is a follow-up to the original post. It was locked because the firmware was not an officially supported version for this forum. I have since been able to reproduce the same issue on a fresh install of OpenWrt 22.03.5.

I haven't done much of anything besides setting up a local network.

explanation of issue

  • netmaker server on a vps (10.184.25.0/24)
  • a host as ingress on the vps (10.184.25.1/24)
  • a host as egress on the openwrt router (10.184.25.2/24)

The egress configuration is set up with CIDR 192.168.1.0/24 and NAT for egress traffic enabled. Some things I have confirmed working so far:

  • from the vps i can successfully ping 10.184.25.2
  • from the vps i can successfully ping 192.168.1.1
  • from the home router i can successfully ping 10.184.25.1
  • from the home router i can successfully ping 192.168.1.2

But from the VPS I cannot ping 192.168.1.2:

# from the vps ping some other device on my lan
ping 192.168.1.2
From 10.184.25.2 icmp_seq=1 Destination Port Unreachable

network info

# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
# ubus call system board
{
	"kernel": "5.10.176",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "GL.iNet GL-B2200",
	"board_name": "glinet,gl-b2200",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.5",
		"revision": "r20134-5f15225c1e",
		"target": "ipq40xx/generic",
		"description": "OpenWrt 22.03.5 r20134-5f15225c1e"
	}
}
cat /etc/config/network

# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdca:55cd:f68b::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 5 0'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 0'

root@OpenWrt:~# cat /etc/config/firewall
config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option dest		wan
#	option proto	tcp
#	option target	REJECT

# block a specific mac on wan
#config rule
#	option dest		wan
#	option src_mac	00:11:22:33:44:66
#	option target	REJECT

# block incoming ICMP traffic on a zone
#config rule
#	option src		lan
#	option proto	ICMP
#	option target	DROP

# port redirect port coming in on wan to lan
#config redirect
#	option src			wan
#	option src_dport	80
#	option dest			lan
#	option dest_ip		192.168.16.235
#	option dest_port	80
#	option proto		tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#	option src		wan
#	option src_dport	22001
#	option dest		lan
#	option dest_port	22
#	option proto		tcp

### FULL CONFIG SECTIONS
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port	80
#	option dest		wan
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp
#	option target	REJECT

#config redirect
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port		1024
#	option src_dport	80
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp

The netmaker interface is not assigned to any firewall zone, so the default REJECT policy for the forward chain applies to traffic arriving on it; that REJECT is what produces the "Destination Port Unreachable" reply you see coming back from 10.184.25.2.

Considering the netmaker network as trusted, you could add the interface (device) to the lan zone. Note that the lan zone in your config has input, output and forward all set to ACCEPT, so every peer reachable over the netmaker tunnel would then get the same access as a host on your LAN, including to the router's own services.

# Attach the netmaker device to firewall zone index 0. In the firewall
# config above, zone 0 is 'lan' (input/output/forward all ACCEPT), so
# netmaker peers get LAN-equivalent access, router services included.
# The index is positional -- confirm it with: uci show firewall.@zone[0]
# Assumes the router's interface is also named 'netmaker' (only the VPS
# side shows that name in this thread); check with: ip link
uci add_list firewall.@zone[0].device='netmaker'
# Persist the change to /etc/config/firewall
uci commit firewall
# Regenerate and reload the ruleset from the updated config
fw4 restart

Also make sure 192.168.1.2 accepts connections originating outside its lan subnet.


Where is the Netmaker config on the OpenWrt router? It would also need to be present in some form in the firewall.

You might also need a route on your vps

192.168.1.0/24 via 10.84.25.2

Meanwhile, have you considered using WireGuard for this purpose? It is really easy to set up this type of config, and WireGuard is pretty simple to get running in general.


Does Netmaker even support OpenWrt?
And even if it does, consider carefully before locking yourself into a vendor for no reason.
The native WireGuard implementation can most likely offer you a qualitatively higher level of integration and community support.


Hey thanks for all of the replies here:

Does Netmaker even support OpenWrt?

Yes, according to their docs they have binaries that are meant to run on OpenWrt. Their docs have been a bit disappointing and their support is all through Discord... I much prefer an actual forum like this, but I digress.

Meanwhile, have you considered using wireguard for this purpose

Netmaker, I believe, is a tool that sets up WireGuard, and I think the selling point is that all configuration is done through a web interface and changes to the network are then automatically propagated to all of the clients. I've never used WireGuard before, so I was hoping for this to be somewhat plug and play, but unfortunately that has not been the case, mostly because this is all new to me.

@psherman if you have any good resources for setting up WireGuard with OpenWrt, please let me know.

You might also need a route on your vps

On the VPS I currently have the following:

ip route show | grep "192.168.1"
192.168.1.0/24 via 10.184.25.1 dev netmaker

I think that is correct(?): the VPS is set up to route 192.168.1.* traffic to the IP 10.184.25.1, which is the main entry point to the network.

Considering the netmaker network as trusted, you could add the interface (device) to the lan zone.

uci add_list firewall.@zone[0].device='netmaker'
uci commit firewall
fw4 restart

This is what I believe the solution is. Thank you for the help. I've been trying to read the OpenWrt documentation and wrap my head around all of the different concepts. This seems like a really simple thing that would be a no-brainer if I had an ounce of understanding. If you have any good introductory references to the key terms and concepts of OpenWrt and networking in general, please share them; I am very interested in learning more.

consider carefully before vendor lock-in yourself for no reason.

Yes, totally. I initially chose Netmaker because I am not familiar with a lot of these concepts, and the idea of a service that helps manage this was appealing. I'll do more research and try to understand how much benefit Netmaker is truly providing.

