No internet from command line

There's a SiteA, managed by an OPNsense router, which has internet.
Then there's a SiteB, managed by OpenWrt, connected to SiteA with an ethernet cable.

There's a WireGuard site-to-site connection between SiteA and SiteB. Through this tunnel, SiteB gets its internet connection. SiteB has two VLANs set up (1 and 41), and from both VLANs I can reach all devices on SiteA as well as the internet.

The problem I'm facing is that this doesn't work when I try to reach the internet from OpenWrt itself. For example, I can't download packages. I assume I'm missing some route or firewall configuration to make this work, but I'm not sure what.

The error message:

ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
ping: sendto: Operation not permitted

I'm using OpenWrt 23.05.3 on a Ubiquiti EdgeRouter 4 and most config has been done through the LuCI GUI.

Here's the contents of /etc/config/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '[REDACTED]::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        option igmp_snooping '1'
        option multicast_querier '0'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'
        option defaultroute '0'

config interface 'wan'
        option device 'lan0'
        option proto 'dhcp'

config interface 'SIteToSite'
        option proto 'wireguard'
        option private_key '[REDACTED]'
        option listen_port '51820'
        list addresses '192.168.75.2/24'

config wireguard_SIteToSite
        option description 'OPNSense'
        option public_key '[REDACTED]'
        option endpoint_host '192.168.50.1'
        option endpoint_port '51820'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1'
        list ports 'lan2'

config bridge-vlan
        option device 'br-lan'
        option vlan '41'
        list ports 'lan2:t'

config interface 'private'
        option proto 'static'
        option device 'br-lan.41'
        option ipaddr '192.168.51.1'
        option netmask '255.255.255.0'

config device
        option name 'SIteToSite'
        option multicast '1'

Interfaces:

Route table within OpenWRT:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               0.0.0.0         U     0      0        0 SIteToSite
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan.1
192.168.50.0    *               255.255.255.248 U     0      0        0 lan0
192.168.51.0    *               255.255.255.0   U     0      0        0 br-lan.41
192.168.75.0    *               255.255.255.0   U     0      0        0 SIteToSite

A traceroute from a working device in VLAN 41 at SiteB (notice that the VLAN's default gateway (192.168.51.1) routes to the WireGuard gateway (192.168.75.1) and from there reaches the internet):

traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  172.18.144.1 (172.18.144.1)  0.481 ms  0.422 ms  0.198 ms
 2  myopenwrt.lan (192.168.51.1)  2.790 ms  2.778 ms  2.857 ms
 3  192.168.75.1 (192.168.75.1)  4.113 ms  4.792 ms  4.730 ms
 4  10.0.13.92 (10.0.13.92)  4.621 ms  5.074 ms  4.741 ms
 5  172.16.17.97 (172.16.17.97)  5.300 ms  5.454 ms  5.636 ms
 6  10.220.107.86 (10.220.107.86)  10.760 ms  3.737 ms  3.683 ms
 7  * * *
 8  [REDACTED]
 9  [REDACTED]
10  [REDACTED]
11  one.one.one.one (1.1.1.1)  22.077 ms  22.070 ms  21.977 ms

Thank you very much for your support.

This usually means restrictive firewall rules in the output chain of the device.
What zone is SIteToSite assigned to? Default policies?

You use wireguard to connect two devices that are on the same subnet.
Out of curiosity, is this a test setup or some sort of security measure?

Thank you very much for the answer. SIteToSite has a dedicated zone called wg0_zone

The first one is what makes the internet work within the mentioned VLANs 1 and 41. Maybe I need to add something different to make it work locally, even if the origin is the same IP range?

WireGuard is there for security reasons, because I don't trust the physical path the cable runs through. If someone physically disconnects the cable and connects their own device, they won't get access to the private network. Maybe it's a little overkill for the purpose, but it seems to be (mostly) working.

Change the default output policy of the wireguard firewall zone to accept.


Thank you. That worked!
But... why?

Packets that originate from a process inside the router, such as ping or traceroute run on the CLI, are "output." Your original configuration was blocking them.

Packets forwarded from another zone are not considered by the three default rules on that page ("Forward" refers to forwarding between networks in the same zone, not between zones). Interzone forwards are always blocked unless a separate rule allows them. If you use blanket option forwards, they are summarized by the forwarding arrows on the left side.
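As an added illustration of the fix discussed above (example code, not from the thread or from OpenWrt itself): a POSIX shell/awk check that scans a UCI `/etc/config/firewall` text for zones whose `output` policy is not ACCEPT, which is exactly what blocks router-originated traffic such as ping and opkg, and a helper that rewrites one zone's `output` policy the way `uci set` would. The sample config is constructed; only the zone name wg0_zone and the interface name SIteToSite come from the thread, the remaining options are assumed.

```shell
# Constructed sample of an OpenWrt /etc/config/firewall (not the OP's real file).
# The wg0_zone stanza reflects the OP's original, restrictive state.
sample_firewall() {
cat <<'EOF'
config zone
        option name 'wg0_zone'
        option input 'REJECT'
        option output 'REJECT'
        option forward 'REJECT'
        option masq '1'
        list network 'SIteToSite'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'private'
EOF
}

# Read a UCI firewall config on stdin; print "<zone> <policy>" for every zone
# whose output policy is not ACCEPT. "unset" means the option is absent and the
# firewall's own default applies (this check does not resolve that default).
restrictive_output_zones() {
    awk -v q="'" '
        function flush() { if (inzone && out != "ACCEPT") print name " " out }
        /^config zone/ { flush(); inzone = 1; name = "?"; out = "unset"; next }
        /^config /     { flush(); inzone = 0; next }
        inzone && $1 == "option" && $2 == "name"   { name = $3; gsub(q, "", name) }
        inzone && $1 == "option" && $2 == "output" { out  = $3; gsub(q, "", out) }
        END { flush() }
    '
}

# Rewrite the config on stdin so zone $1 gets output policy $2, mirroring
# "uci set firewall.@zone[N].output='ACCEPT'" followed by "uci commit firewall".
# Assumes the zone's "name" option precedes its "output" option, as LuCI writes it.
set_zone_output() {
    awk -v zone="$1" -v pol="$2" -v q="'" '
        /^config zone/ { inzone = 1; name = "" }
        /^config / && !/^config zone/ { inzone = 0 }
        inzone && $1 == "option" && $2 == "name" { name = $3; gsub(q, "", name) }
        inzone && name == zone && $1 == "option" && $2 == "output" {
            $0 = "        option output " q pol q
        }
        { print }
    '
}
```

On the router itself the equivalent is `uci set firewall.@zone[N].output='ACCEPT'; uci commit firewall; /etc/init.d/firewall reload`, where N is the index of wg0_zone as shown by `uci show firewall`.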

