No ipv4 connectivity on wireguard but ipv6 works

I'm running a WireGuard VPN (Cloudflare WARP) on a BT Home Hub 5A, and everything behaves well except when I get a new WAN address (about once every 24 hours): the tunnel is established and IPv6 requests work, but IPv4 requests don't.
Most of the time, restarting the WireGuard interface a couple of times solves the problem, but sometimes it doesn't. Any idea what causes this, and how to solve it?

Keep in mind that wan is ipv4 only and ipv6 is provided by the vpn.
I tried different MTU values on both WAN and VPN to no avail; the ones I'm currently using give me the most stable speeds.
I test connectivity by pinging an IPv4 address (8.8.8.8) and an IPv6 address (2001:4860:4860::8888) directly, which rules out DNS issues.

/etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'dd5d:1dd2:2300::/48'
        option packet_steering '1'

config atm-bridge 'atm'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'
        option vci '38'
        option vpi '0'

config dsl 'dsl'
        option ds_snr_offset '0'
        option annex 'a2p'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr '34:8a:ae:d6:6d:e2'

config device
        option name 'lan2'
        option macaddr '34:8a:ae:d6:6d:e2'

config device
        option name 'lan3'
        option macaddr '34:8a:ae:d6:6d:e2'

config device
        option name 'lan4'
        option macaddr '34:8a:ae:d6:6d:e2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'dsl0'
        option macaddr '34:8a:ae:d6:6d:e3'

config interface 'wan'
        option device 'dsl0'
        option proto 'pppoe'
        option username '*'
        option password '*'
        option peerdns '0'
        option ipv6 '0'
        option keepalive '60 5'
        option mtu '1452'

config interface 'warp'
        option proto 'wireguard'
        option private_key '*'
        list addresses '2606:4700:110:8acd:78a2:1220:6989:5304/128'
        list addresses '172.16.0.2/32'
        option peerdns '0'
        option mtu '1392'
        
# WireGuard peer definition for the 'warp' interface.
config wireguard_warp
        option description 'cloudflare_warp'
        # Peer's public key; unlike the interface's private_key, this is not a secret.
        option public_key 'bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo='
        # All IPv6 and IPv4 destinations are allowed through this peer; with
        # route_allowed_ips '1' they are installed as routes, which matches the
        # 'default dev warp' entries in the routing table posted further down.
        list allowed_ips '::/0'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        # Endpoint is given as a hostname. NOTE(review): the last reply in this
        # thread reports that using the endpoint's IP address instead possibly
        # resolved the IPv4 loss after a WAN address change - confirm before
        # relying on it.
        option endpoint_host 'engage.cloudflareclient.com'
        option endpoint_port '2408'
        # Keepalive interval, in seconds.
        option persistent_keepalive '25'

# Policy routing that bypasses the VPN: table 'novpn' holds a default route
# out of 'wan', and the rules below select that table for specific traffic.
# Anything matched here leaves through the ISP link, not the tunnel.
config route
        option interface 'wan'
        option target '0.0.0.0/0'
        option table 'novpn'

# Traffic arriving on 'loopback' (presumably router-originated - confirm) from
# UID 123 uses 'novpn'.
# NOTE(review): which service runs as this UID is not shown in the post.
config rule
        option in 'loopback'
        option lookup 'novpn'
        option uidrange '123-123'

# Same as above for UID 999.
config rule
        option in 'loopback'
        option lookup 'novpn'
        option uidrange '999-999'

# LAN traffic destined for 80.249.64.0/20 bypasses the VPN
# (paired with the 'novpn-AT' firewall rule).
config rule
        option in 'lan'
        option dest '80.249.64.0/20'
        option lookup 'novpn'

# All traffic from LAN host 192.168.1.254 bypasses the VPN
# (paired with the 'novpn-qBitTorrent' firewall rule).
config rule
        option in 'lan'
        option src '192.168.1.254/32'
        option lookup 'novpn'
/etc/config/firewall
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Firewall zone for the VPN tunnel. Input and forwarding from the tunnel side
# are rejected, the same policy as the 'wan' zone above.
config zone
        option name 'warp'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'warp'
        # IPv6 masquerading: the 'warp' interface carries a single /128 address
        # in /etc/config/network, so LAN IPv6 traffic is NATed behind it.
        option masq6 '1'

# The only zone-to-zone forwarding in this listing is lan -> warp. No lan -> wan
# forwarding is shown, so with the default forward policy of REJECT, LAN traffic
# reaches 'wan' directly only through the explicit 'novpn-*' ACCEPT rules below.
config forwarding
        option src 'lan'
        option dest 'warp'

config rule
        option name 'novpn-AT'
        list proto 'tcp'
        option src 'lan'
        option dest 'wan'
        list dest_ip '80.249.64.0/20'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'novpn-qBitTorrent'
        option family 'ipv4'
        option src 'lan'
        list src_ip '192.168.1.254/32'
        option dest 'wan'
        option target 'ACCEPT'
        list proto 'all
ip route show table all
default dev pppoe-wan table novpn scope link 
default dev warp scope link 
41.108.96.1 dev pppoe-wan scope link  src 41.108.106.110 
162.159.192.1 via 41.108.96.1 dev pppoe-wan 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
local 41.108.106.110 dev pppoe-wan table local scope host  src 41.108.106.110 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
local 172.16.0.2 dev warp table local scope host  src 172.16.0.2 
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.1 
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1 
2606:4700:110:8acd:78a2:1220:6989:5304 dev warp  metric 256 
dd5d:1dd2:2300::/64 dev br-lan  metric 1024 
unreachable dd5d:1dd2:2300::/48 dev lo  metric 2147483647 
fe80::/64 dev eth0  metric 256 
fe80::/64 dev wlan1  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev wlan0  metric 256 
fe80::/64 dev dsl0  metric 256 
default dev warp  metric 1024 
local ::1 dev lo table local  metric 0 
local 2606:4700:110:8acd:78a2:1220:6989:5304 dev warp table local  metric 0 
anycast dd5d:1dd2:2300:: dev br-lan table local  metric 0 
local dd5d:1dd2:2300::1 dev br-lan table local  metric 0 
anycast fe80:: dev eth0 table local  metric 0 
anycast fe80:: dev wlan1 table local  metric 0 
anycast fe80:: dev br-lan table local  metric 0 
anycast fe80:: dev wlan0 table local  metric 0 
anycast fe80:: dev dsl0 table local  metric 0 
local fe80::368a:aeff:fed6:6de2 dev br-lan table local  metric 0 
local fe80::368a:aeff:fed6:6de3 dev dsl0 table local  metric 0 
local fe80::368a:aeff:fed6:6de4 dev wlan1 table local  metric 0 
local fe80::368a:aeff:fed6:6de5 dev wlan0 table local  metric 0 
local fe80::5811:83ff:fead:9352 dev eth0 table local  metric 0 
multicast ff00::/8 dev eth0 table local  metric 256 
multicast ff00::/8 dev br-lan table local  metric 256 
multicast ff00::/8 dev wlan1 table local  metric 256 
multicast ff00::/8 dev wlan0 table local  metric 256 
multicast ff00::/8 dev dsl0 table local  metric 256 
multicast ff00::/8 dev warp table local  metric 256

Was the routing table captured while the problem was occurring, or while everything was working fine?

It's the same routing table in both cases.

Then, when the problem occurs, run tcpdump and capture both IPv4 and IPv6 traffic. If the IPv4 packets go out through the tunnel but no replies come back, ask your VPN provider to check whether they receive those packets and whether they send the responses back.


Have you found out how to fix that?

Looks like I have exactly the same issue...

I may have resolved the issue by specifying the endpoint's IP address instead of its hostname (the `endpoint_host` option).