I am using Netmaker as a WireGuard management service. I have set it up with the following:
Netmaker server on a VPS (10.184.25.0/24)
a host as ingress on the VPS (10.184.25.1/24)
a host as egress on my OpenWrt home router (10.184.25.2/24); the home router is also my primary gateway for my LAN
The egress configuration is set up with the CIDR 192.168.1.0/24 and NAT for egress traffic enabled. Some things I have confirmed working so far:
from the VPS I can successfully ping 10.184.25.2
from the VPS I can successfully ping 192.168.1.1
from the home router I can successfully ping 10.184.25.1
from the home router I can successfully ping 192.168.1.2
But, from the VPS I cannot ping 192.168.1.2:
# from the vps ping some other device on my lan
ping 192.168.1.2
From 10.184.25.2 icmp_seq=1 Destination Port Unreachable
I think I have confirmed that IP forwarding is enabled on the OpenWrt router:
# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
and it seems that both network interfaces are up:
ifconfig br-lan
br-lan Link encap:Ethernet HWaddr my:mac:addr
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:xx errors:0 dropped:29 overruns:0 frame:0
TX packets:xx errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:xx (xx.x GiB) TX bytes:xx (xx.x GiB)
ifconfig netmaker
netmaker Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.184.25.2 P-t-P:10.184.25.2 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MTU:1420 Metric:1
RX packets:xx errors:0 dropped:7 overruns:0 frame:0
TX packets:xx errors:0 dropped:1 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:xx(x.x KiB) TX bytes:xx (x.x KiB)
The networking world is somewhat new to me. I would guess there is something in the firewall / iptables that is dropping this, but I don't really know how to debug further and am looking for some guidance. Thanks!
Let's see your config in more detail:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'auto'
config interface 'lan'
option ifname 'eth1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option hostname 'my-host-name'
option ipaddr '192.168.1.1'
option ieee1905managed '1'
option igmp_snooping '0'
config interface 'wan'
option ifname 'eth0'
option proto 'dhcp'
option hostname 'my-host-name'
option metric '10'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0t 1 2 3 5'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 4'
config switch_ext
option device 'switch0'
option name 'QosPtMode'
option port_id '1'
option mode 'dscp'
option status 'enable'
config switch_ext
option device 'switch0'
option name 'QosPtMode'
option port_id '2'
option mode 'dscp'
option status 'enable'
config switch_ext
option device 'switch0'
option name 'QosPtMode'
option port_id '3'
option mode 'dscp'
option status 'enable'
config switch_ext
option device 'switch0'
option name 'QosPtMode'
option port_id '4'
option mode 'dscp'
option status 'enable'
config switch_ext
option device 'switch0'
option name 'QosPtMode'
option port_id '5'
option mode 'dscp'
option status 'enable'
config interface 'guest'
option ifname 'guest'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.9.1'
option netmask '255.255.255.0'
option ip6assign '60'
cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option disabled '0'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
option enabled '1'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
option reload '1'
config rule
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include 'qcanssecm'
option type 'script'
option path '/etc/firewall.d/qca-nss-ecm'
option family 'any'
option reload '0'
config include 'gls2s'
option type 'script'
option path '/var/etc/gls2s.include'
option reload '1'
config include 'glfw'
option type 'script'
option path '/usr/bin/glfw.sh'
option reload '1'
config include 'glqos'
option type 'script'
option path '/usr/sbin/glqos.sh'
option reload '1'
config include 'mwan3'
option type 'script'
option path '/var/etc/mwan3.include'
option reload '1'
config zone 'guestzone'
option name 'guestzone'
option network 'guest'
option forward 'REJECT'
option output 'ACCEPT'
option input 'REJECT'
config forwarding 'guestzone_fwd'
option src 'guestzone'
option dest 'wan'
option enabled '1'
config rule 'guestzone_dhcp'
option name 'guestzone_DHCP'
option src 'guestzone'
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
config rule 'guestzone_dns'
option name 'guestzone_DNS'
option src 'guestzone'
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
config rule 'sambasharewan'
option src 'wan'
option dest_port '137 138 139 445'
option dest_proto 'tcpudp'
option target 'DROP'
config rule 'sambasharelan'
option src 'lan'
option dest_port '137 138 139 445'
option dest_proto 'tcpudp'
option target 'ACCEPT'
config rule 'glservice_rule'
option name 'glservice'
option dest_port '83'
option proto 'tcp udp'
option src 'wan'
option target 'ACCEPT'
option enabled '0'
psherman:
ubus call system board
ubus call system board
{
"kernel": "4.4.60",
"hostname": "my-host-name",
"system": "ARMv7 Processor rev 5 (v7l)",
"model": "Qualcomm Technologies, Inc. IPQ4019\/AP-DK04.1-C3",
"release": {
"distribution": "OpenWrt",
"version": "Chaos Calmer",
"revision": "r48067",
"codename": "chaos_calmer",
"target": "ipq806x\/generic",
"description": "OpenWrt Chaos Calmer 15.05.1"
}
}
This looks like it is not an official OpenWrt release. It is likely a fork from OpenWrt -- and an ancient and unsupported one at that (OpenWrt 15.05 is 8 years old and long since EOL). Between the vendor customizations (which can significantly affect how OpenWrt functions) and the age of the distribution that it was based on, this is not supportable here.
You will need to ask the vendor or the maintainer of the firmware you are using for assistance.
Ughh, yea, I was afraid of that; you are right about everything - it is a fork that came bundled with the router. I will reach out to them, thanks.
Yeah, sorry that we can't help here, but the vendor is the best bet. Good luck!
For posterity, I have asked the same question in the GL-iNet forums.
Also,
I am happy to support our customers. If you have any questions, please contact me directly on the OpenWrt forum, or send questions to my work email, luochongjun@gl-inet.com
@luochongjun - thanks for volunteering your help for GL-iNet related issues on this forum. Tagging you for visibility; feel free to continue the conversation there.