No LAN-Access from wireguard client

Hi there,

I have the same issue as described in this topic:

The suggestions given in the above thread didn't work for me.
The strange thing is that my WireGuard installation/configuration running on a RAV Power WD-03 works fine.
Trying to do the same setup on a Fritzbox 7412 doesn't work.

The connection itself works fine. From the WG client I can access the LAN address of the WRT router, but nothing more within my LAN.

Does anyone have an idea where I should look to make it work?

Thanks in advance

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, private keys (including WireGuard private keys), MAC addresses and any public IP addresses you may have.

uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \

Also post the configuration on the client side.

So, here we go. I hope all the needed information is there.
As you can see there are two WireGuard interfaces. Let's focus on wg1, which is the latest attempt and is bridged with the LAN interface (no separate firewall zone).

root@OpenWrt:~# uci export network
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd2c:c6f7:2e1c::/48'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'b'
	option tone 'av'
	option ds_snr_offset '0'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'dhcp'

config device 'lan_eth0_dev'
	option name 'eth0'
	option macaddr '38:10:D5:3A:61:18'

config interface 'wan'
	option ifname 'dsl0'
	option proto 'static'
	option netmask '255.255.255.0'
	list dns '172.17.1.11'
	option ipaddr '172.17.1.220'
	option gateway '172.17.1.1'

config device 'wan_dsl0_dev'
	option name 'dsl0'
	option macaddr 'xxxxxx'

config interface 'WLAN'
	option ifname 'wlan0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.178.1'
	list dns '172.17.1.11'
	option delegate '0'
	option force_link '0'
	option type 'bridge'

config interface 'wifi'
	option ifname 'WLAN2'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.150.1'
	list dns '172.17.1.11'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxx'
	option listen_port '51823'
	list addresses '10.14.0.0/16'

config wireguard_wg0
	option public_key 'Txm//0c2rgtFwC1OmDEc='
	option description 'iPhone'
	list allowed_ips '10.14.0.3/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config interface 'wg1'
	option proto 'wireguard'
	option private_key 'xxx'
	option listen_port '51823'
	list addresses '10.14.0.0/16'

config wireguard_wg1
	option description 'iPhone'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option public_key 'xxc='
	list allowed_ips '10.14.0.3/32'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'HT20'
	option country 'DE'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt'
	option key 'xxxxx'
	option encryption 'psk2'
	option disabled '1'

config wifi-iface 'wifinet1'
	option ssid 'OpenWrt'
	option device 'radio0'
	option mode 'ap'
	option network 'WLAN'
	option ifname 'WLAN2'
	option key 'xxxxx'
	option encryption 'psk2'

root@OpenWrt:~# uci export dhcp; uci export firewall
package dhcp

config dnsmasq
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option confdir '/tmp/dnsmasq.d'
	option localservice '0'

config dhcp 'lan'
	option interface 'lan'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'WLAN'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'WLAN'

config dhcp 'wifi'
	option start '100'
	option leasetime '12h'
	option interface 'wifi'
	option limit '190'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'lan wg1'

config include
	option path '/etc/firewall.user'

config zone
	option input 'ACCEPT'
	option name 'WLAN'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'WLAN wifi'
	option log '1'

config forwarding
	option dest 'lan'
	option src 'WLAN'

config forwarding
	option dest 'WLAN'
	option src 'lan'

config rule
	option src 'WLAN'
	option name 'all'
	option target 'ACCEPT'
	option dest 'lan'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '51823'
	option name 'Allow-Wireguard-Inbound'
	option src '*'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option network 'wg0'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option dest 'lan'
	option src 'wg'

config rule
	option dest 'lan'
	option src 'wg'
	option name 'wg'
	option target 'ACCEPT'

config forwarding
	option dest 'wg'
	option src 'lan'

config zone
	option name 'wglan'
	option input 'ACCEPT'
	option forward 'REJECT'
	option network 'wg1'
	option output 'ACCEPT'

config forwarding
	option dest 'lan'
	option src 'wglan'

config rule
	option src_port '51823'
	option src '*'
	option name 'wg incomming'
	option dest '*'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '51823'
	option name 'Allow-Wiregurad-Inbound'


root@OpenWrt:~# head -n -0 /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

> head -n -0 /etc/firewall.user;
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 172.17.1.81/24 brd 172.17.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
5: br-WLAN: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.178.1/24 brd 192.168.178.255 scope global br-WLAN
       valid_lft forever preferred_lft forever
8: WLAN2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-WLAN state UP group default qlen 1000
    inet 192.168.150.1/24 brd 192.168.150.255 scope global WLAN2
       valid_lft forever preferred_lft forever
9: wg1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.14.0.0/16 brd 10.14.255.255 scope global wg1
       valid_lft forever preferred_lft forever
default via 172.17.1.1 dev br-lan proto static src 172.17.1.81 
10.14.0.0/16 dev wg1 proto kernel scope link src 10.14.0.0 
10.14.0.3 dev wg1 proto static scope link 
172.17.1.0 dev wg1 proto static scope link 
172.17.1.0/24 dev br-lan proto kernel scope link src 172.17.1.81 
192.168.150.0/24 dev WLAN2 proto kernel scope link src 192.168.150.1 
192.168.178.0/24 dev br-WLAN proto kernel scope link src 192.168.178.1 
local 10.14.0.0 dev wg1 table local proto kernel scope host src 10.14.0.0 
broadcast 10.14.0.0 dev wg1 table local proto kernel scope link src 10.14.0.0 
broadcast 10.14.255.255 dev wg1 table local proto kernel scope link src 10.14.0.0 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 172.17.1.0 dev br-lan table local proto kernel scope link src 172.17.1.81 
local 172.17.1.81 dev br-lan table local proto kernel scope host src 172.17.1.81 
broadcast 172.17.1.255 dev br-lan table local proto kernel scope link src 172.17.1.81 
broadcast 192.168.150.0 dev WLAN2 table local proto kernel scope link src 192.168.150.1 
local 192.168.150.1 dev WLAN2 table local proto kernel scope host src 192.168.150.1 
broadcast 192.168.150.255 dev WLAN2 table local proto kernel scope link src 192.168.150.1 
broadcast 192.168.178.0 dev br-WLAN table local proto kernel scope link src 192.168.178.1 
local 192.168.178.1 dev br-WLAN table local proto kernel scope host src 192.168.178.1 
broadcast 192.168.178.255 dev br-WLAN table local proto kernel scope link src 192.168.178.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

You probably want to remove your private keys from the info you pasted above (and, since they have been posted publicly, generate new key pairs rather than keep using them).

Now onto specifics, why do you have two seemingly identical wireguard interfaces? And two firewall rules for allowing port 51823? Delete one of each so you're not working with duplicate interfaces/firewall rules.

As for the remaining interface, you can delete the 'list addresses' line. What's the config on the client device?

Delete the duplicate wg1. Also clean up the firewall by removing the unnecessary zones. Assign wg0 to the lan zone. The allow-inbound WireGuard rules are not used, as the lan is your internet upstream and the lan zone accepts everything.
Fix the address to a valid host address, like 10.14.0.1/16.
The route_allowed_ips option is not needed for the peer.

Thanks for your quick replies!
I made the suggested changes, but the effect is still the same.

Here is my client configuration:

Adresses 10.14.0.3/35
DNS servers: 172.17.1.11 (also tried the WRT-one ...81)

Endpoint: dyndnsadress:51823
allowed IPs 0.0.0.0/0

This is invalid. Try 10.14.0.3/32

sorry typo. It is /32 :upside_down_face:

Post again the above configs to see how it looks now.

Now it looks like this:

package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd2c:c6f7:2e1c::/48'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'b'
	option tone 'av'
	option ds_snr_offset '0'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'dhcp'

config device 'lan_eth0_dev'
	option name 'eth0'
	option macaddr '38:10:D5:3A:61:18'

config interface 'wan'
	option ifname 'dsl0'
	option proto 'static'
	option netmask '255.255.255.0'
	list dns '172.17.1.11'
	option ipaddr '172.17.1.220'
	option gateway '172.17.1.1'

config device 'wan_dsl0_dev'
	option name 'dsl0'
	option macaddr '38:10:D5:3A:61:1C'

config interface 'WLAN'
	option ifname 'wlan0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.178.1'
	list dns '172.17.1.11'
	option delegate '0'
	option force_link '0'
	option type 'bridge'

config interface 'wifi'
	option ifname 'WLAN2'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.150.1'
	list dns '172.17.1.11'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxx'
	option listen_port '51823'
	list addresses '10.14.0.1/16'

config wireguard_wg0
	option public_key 'xxx'
	option description 'iPhone'
	list allowed_ips '10.14.0.3/32'
	option persistent_keepalive '25'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'HT20'
	option country 'DE'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt'
	option key 'xxx'
	option encryption 'psk2'
	option disabled '1'

config wifi-iface 'wifinet1'
	option ssid 'OpenWrt'
	option device 'radio0'
	option mode 'ap'
	option network 'WLAN'
	option ifname 'WLAN2'
	option key 'xxx'
	option encryption 'psk2'

package dhcp

config dnsmasq
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option confdir '/tmp/dnsmasq.d'
	option localservice '0'

config dhcp 'lan'
	option interface 'lan'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'WLAN'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'WLAN'

config dhcp 'wifi'
	option start '100'
	option leasetime '12h'
	option interface 'wifi'
	option limit '190'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'lan wg0'

config include
	option path '/etc/firewall.user'

config zone
	option input 'ACCEPT'
	option name 'WLAN'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'WLAN wifi'
	option log '1'

config forwarding
	option dest 'lan'
	option src 'WLAN'

config forwarding
	option dest 'WLAN'
	option src 'lan'

config rule
	option src 'WLAN'
	option name 'all'
	option target 'ACCEPT'
	option dest 'lan'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 172.17.1.81/24 brd 172.17.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
5: br-WLAN: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.178.1/24 brd 192.168.178.255 scope global br-WLAN
       valid_lft forever preferred_lft forever
6: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.14.0.1/16 brd 10.14.255.255 scope global wg0
       valid_lft forever preferred_lft forever
7: WLAN2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-WLAN state UP group default qlen 1000
    inet 192.168.150.1/24 brd 192.168.150.255 scope global WLAN2
       valid_lft forever preferred_lft forever
default via 172.17.1.1 dev br-lan proto static src 172.17.1.81 
10.14.0.0/16 dev wg0 proto kernel scope link src 10.14.0.1 
172.17.1.0/24 dev br-lan proto kernel scope link src 172.17.1.81 
192.168.150.0/24 dev WLAN2 proto kernel scope link src 192.168.150.1 
192.168.178.0/24 dev br-WLAN proto kernel scope link src 192.168.178.1 
broadcast 10.14.0.0 dev wg0 table local proto kernel scope link src 10.14.0.1 
local 10.14.0.1 dev wg0 table local proto kernel scope host src 10.14.0.1 
broadcast 10.14.255.255 dev wg0 table local proto kernel scope link src 10.14.0.1 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 172.17.1.0 dev br-lan table local proto kernel scope link src 172.17.1.81 
local 172.17.1.81 dev br-lan table local proto kernel scope host src 172.17.1.81 
broadcast 172.17.1.255 dev br-lan table local proto kernel scope link src 172.17.1.81 
broadcast 192.168.150.0 dev WLAN2 table local proto kernel scope link src 192.168.150.1 
local 192.168.150.1 dev WLAN2 table local proto kernel scope host src 192.168.150.1 
broadcast 192.168.150.255 dev WLAN2 table local proto kernel scope link src 192.168.150.1 
broadcast 192.168.178.0 dev br-WLAN table local proto kernel scope link src 192.168.178.1 
local 192.168.178.1 dev br-WLAN table local proto kernel scope host src 192.168.178.1 
broadcast 192.168.178.255 dev br-WLAN table local proto kernel scope link src 192.168.178.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
package dhcp

config dnsmasq
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option confdir '/tmp/dnsmasq.d'
	option localservice '0'

config dhcp 'lan'
	option interface 'lan'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'WLAN'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'WLAN'

config dhcp 'wifi'
	option start '100'
	option leasetime '12h'
	option interface 'wifi'
	option limit '190'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'lan wg0'

config include
	option path '/etc/firewall.user'

config zone
	option input 'ACCEPT'
	option name 'WLAN'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'WLAN wifi'
	option log '1'

config forwarding
	option dest 'lan'
	option src 'WLAN'

config forwarding
	option dest 'WLAN'
	option src 'lan'

config rule
	option src 'WLAN'
	option name 'all'
	option target 'ACCEPT'
	option dest 'lan'

root@OpenWrt:~# ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 172.17.1.81/24 brd 172.17.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
5: br-WLAN: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.178.1/24 brd 192.168.178.255 scope global br-WLAN
       valid_lft forever preferred_lft forever
6: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.14.0.1/16 brd 10.14.255.255 scope global wg0
       valid_lft forever preferred_lft forever
7: WLAN2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-WLAN state UP group default qlen 1000
    inet 192.168.150.1/24 brd 192.168.150.255 scope global WLAN2
       valid_lft forever preferred_lft forever
default via 172.17.1.1 dev br-lan proto static src 172.17.1.81 
10.14.0.0/16 dev wg0 proto kernel scope link src 10.14.0.1 
172.17.1.0/24 dev br-lan proto kernel scope link src 172.17.1.81 
192.168.150.0/24 dev WLAN2 proto kernel scope link src 192.168.150.1 
192.168.178.0/24 dev br-WLAN proto kernel scope link src 192.168.178.1 
broadcast 10.14.0.0 dev wg0 table local proto kernel scope link src 10.14.0.1 
local 10.14.0.1 dev wg0 table local proto kernel scope host src 10.14.0.1 
broadcast 10.14.255.255 dev wg0 table local proto kernel scope link src 10.14.0.1 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 172.17.1.0 dev br-lan table local proto kernel scope link src 172.17.1.81 
local 172.17.1.81 dev br-lan table local proto kernel scope host src 172.17.1.81 
broadcast 172.17.1.255 dev br-lan table local proto kernel scope link src 172.17.1.81 
broadcast 192.168.150.0 dev WLAN2 table local proto kernel scope link src 192.168.150.1 
local 192.168.150.1 dev WLAN2 table local proto kernel scope host src 192.168.150.1 
broadcast 192.168.150.255 dev WLAN2 table local proto kernel scope link src 192.168.150.1 
broadcast 192.168.178.0 dev br-WLAN table local proto kernel scope link src 192.168.178.1 
local 192.168.178.1 dev br-WLAN table local proto kernel scope host src 192.168.178.1 
broadcast 192.168.178.255 dev br-WLAN table local proto kernel scope link src 192.168.178.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default

Delete the dns entries from the WLAN and wifi interfaces.

Delete this rule, you have forwardings already in place:

config rule
	option src 'WLAN'
	option name 'all'
	option target 'ACCEPT'
	option dest 'lan'

Run `fw3 restart; iptables-save -c` and paste the output here.

Thanks again for your support. Here is the output:

root@OpenWrt:~# iptables -save -c
iptables v1.8.3 (legacy): option "(null)" requires an argument
Try `iptables -h' or 'iptables --help' for more information.
root@OpenWrt:~# iptables-save -c
# Generated by iptables-save v1.8.3 on Wed May 13 06:50:38 2020
*nat
:PREROUTING ACCEPT [91:6876]
:INPUT ACCEPT [30:2367]
:OUTPUT ACCEPT [141:9820]
:POSTROUTING ACCEPT [144:9940]
:postrouting_WLAN_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:prerouting_WLAN_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:zone_WLAN_postrouting - [0:0]
:zone_WLAN_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
[91:6876] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[45:3885] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[46:2991] -A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i br-WLAN -m comment --comment "!fw3" -j zone_WLAN_prerouting
[0:0] -A PREROUTING -i WLAN2 -m comment --comment "!fw3" -j zone_WLAN_prerouting
[144:9940] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[111:7792] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[3:120] -A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o br-WLAN -m comment --comment "!fw3" -j zone_WLAN_postrouting
[0:0] -A POSTROUTING -o WLAN2 -m comment --comment "!fw3" -j zone_WLAN_postrouting
[0:0] -A zone_WLAN_postrouting -m comment --comment "!fw3: Custom WLAN postrouting rule chain" -j postrouting_WLAN_rule
[0:0] -A zone_WLAN_prerouting -m comment --comment "!fw3: Custom WLAN prerouting rule chain" -j prerouting_WLAN_rule
[114:7912] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[91:6876] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
COMMIT
# Completed on Wed May 13 06:50:39 2020
# Generated by iptables-save v1.8.3 on Wed May 13 06:50:39 2020
*mangle
:PREROUTING ACCEPT [7228:8338980]
:INPUT ACCEPT [7158:8332831]
:FORWARD ACCEPT [29:1903]
:OUTPUT ACCEPT [2888:1025837]
:POSTROUTING ACCEPT [2888:1025837]
COMMIT
# Completed on Wed May 13 06:50:39 2020
# Generated by iptables-save v1.8.3 on Wed May 13 06:50:39 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_WLAN_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:input_WLAN_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:output_WLAN_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_WLAN_dest_ACCEPT - [0:0]
:zone_WLAN_forward - [0:0]
:zone_WLAN_input - [0:0]
:zone_WLAN_output - [0:0]
:zone_WLAN_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_REJECT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
[124:12252] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[7029:8320279] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[6988:8316963] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[24:1460] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[24:2228] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[17:1088] -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i br-WLAN -m comment --comment "!fw3" -j zone_WLAN_input
[0:0] -A INPUT -i WLAN2 -m comment --comment "!fw3" -j zone_WLAN_input
[29:1903] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[29:1903] -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i br-WLAN -m comment --comment "!fw3" -j zone_WLAN_forward
[0:0] -A FORWARD -i WLAN2 -m comment --comment "!fw3" -j zone_WLAN_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[124:12252] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[2759:1013369] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[2642:1005181] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[117:8188] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o br-WLAN -m comment --comment "!fw3" -j zone_WLAN_output
[0:0] -A OUTPUT -o WLAN2 -m comment --comment "!fw3" -j zone_WLAN_output
[3:192] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[26:1711] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[24:1460] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_WLAN_dest_ACCEPT -o br-WLAN -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_WLAN_dest_ACCEPT -o WLAN2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_WLAN_forward -m comment --comment "!fw3: Custom WLAN forwarding rule chain" -j forwarding_WLAN_rule
[0:0] -A zone_WLAN_forward -m comment --comment "!fw3: Zone WLAN to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_WLAN_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_WLAN_forward -m comment --comment "!fw3" -j zone_WLAN_dest_ACCEPT
[0:0] -A zone_WLAN_input -m comment --comment "!fw3: Custom WLAN input rule chain" -j input_WLAN_rule
[0:0] -A zone_WLAN_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_WLAN_input -m comment --comment "!fw3" -j zone_WLAN_src_ACCEPT
[0:0] -A zone_WLAN_output -m comment --comment "!fw3: Custom WLAN output rule chain" -j output_WLAN_rule
[0:0] -A zone_WLAN_output -m comment --comment "!fw3" -j zone_WLAN_dest_ACCEPT
[0:0] -A zone_WLAN_src_ACCEPT -i br-WLAN -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_WLAN_src_ACCEPT -i WLAN2 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[117:8188] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
[29:1903] -A zone_lan_dest_REJECT -o br-lan -m comment --comment "!fw3" -j reject
[0:0] -A zone_lan_dest_REJECT -o wg0 -m comment --comment "!fw3" -j reject
[29:1903] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[29:1903] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to WLAN forwarding policy" -j zone_WLAN_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[29:1903] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_REJECT
[41:3316] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[41:3316] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[117:8188] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[117:8188] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[24:2228] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[17:1088] -A zone_lan_src_ACCEPT -i wg0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT

Change the lan zone's forward policy from REJECT to ACCEPT. wg0 and br-lan are both members of the lan zone, so traffic between them is governed by that zone's own forward policy; the non-zero counters on the zone_lan_dest_REJECT chain in the iptables-save output show the wg0 traffic being rejected there.
That will fix the wg0<->lan forwarding. Forwarding with Wifi should already be in place.

The result is still the same...

I think a static route to your wg interface is missing in your network config, e.g.

config route
	option interface 'wg0'
	option target '10.14.0.0'
	option netmask '255.255.255.0'

Try adding route_allowed_ips back to your peer config.


That is already there, as a directly connected route:
10.14.0.0/16 dev wg0 proto kernel scope link src 10.14.0.1

I also had to add a route for the LAN addresses so that the WRT does not have to do NAT.


