Good evening.
Briefly: I have OpenWrt 22.0.3 installed on an RPi working as a "router on a stick". Please see this link:
Basically, the cable that comes from my ISP's ONT connects to port 8 of the switch (VLAN 12 - WAN). Switch port 1 is connected to the RPi with OpenWrt installed (VLAN 1 - LAN). All the other devices on my network, including the access point, connect to ports 2-7 on the switch.
The system worked very well until I added new features to OpenWrt, such as a WireGuard VPN from AzireVPN and DNS over HTTPS.
At the moment WireGuard is working and I have internet on all devices. However, when I update the package lists in OpenWrt, the following error appears:
* opkg_download: Check your network settings and connectivity. The opkg update command failed with code 6.
Despite having read a lot about OpenWrt and its settings lately, I still have many doubts, especially about firewall zones, DNS forwarding, etc.
Below is the output of the following commands on my router:
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '2a0e:1c80:4:3c95::/64'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'LAN'
option device 'br-lan'
option netmask '255.255.255.0'
option ip6assign '60'
option proto 'static'
list ipaddr '192.168.2.1'
config interface 'WAN'
option proto 'dhcp'
option device 'eth0.12'
option force_link '1'
config device
option name 'Wireguard'
option mtu '1420'
config device
option name 'openvpn'
option ipv6 '0'
option mtu '1420'
config interface 'wan6'
option proto 'dhcpv6'
option device 'eth0.12'
option reqaddress 'try'
option reqprefix 'auto'
config interface 'wg'
option proto 'wireguard'
option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
list addresses '10.0.28.999/19'
list addresses '2a0e:1c80:4:2000::1d99/64'
config wireguard_wg
option description 'azirevpn'
option public_key 'yyyyyyyyyyyyyyyyyyyyyyyyyy'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::/0'
option route_allowed_ips '1'
option endpoint_host 'nl1.wg.azirevpn.net'
option endpoint_port '51820'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
option port '53'
option readethers '1'
option doh_backup_noresolv '-1'
option noresolv '1'
list doh_backup_server '/mask.icloud.com/'
list doh_backup_server '/mask-h2.icloud.com/'
list doh_backup_server '/use-application-dns.net/'
list doh_backup_server '127.0.0.1#5054'
list doh_backup_server '127.0.0.1#5053'
list server '/mask.icloud.com/'
list server '/mask-h2.icloud.com/'
list server '/use-application-dns.net/'
list server '127.0.0.1#5054'
list server '127.0.0.1#5053'
list server '10.0.0.1'
list server '2a0e:1c80:4:2000::1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'VLAN1'
option interface 'VLAN1'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'LAN'
option interface 'LAN'
option limit '150'
option leasetime '12h'
option start '20'
option netmask '255.255.255.0'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option forward 'ACCEPT'
config rule
option name 'Allow-DHCP-Renew'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
option src 'WAN'
config rule
option name 'Allow-Ping'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option src 'WAN'
config rule
option name 'Allow-IGMP'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
option src 'WAN'
config rule
option name 'Allow-DHCPv6'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
option src 'WAN'
config rule
option name 'Allow-MLD'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
option src 'WAN'
config rule
option name 'Allow-ICMPv6-Input'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option src 'WAN'
config rule
option name 'Allow-ICMPv6-Forward'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option src 'WAN'
config rule
option name 'Allow-IPSec-ESP'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
option src 'WAN'
config rule
option name 'Allow-ISAKMP'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option src 'WAN'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'LAN'
config zone
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'
option name 'WAN'
list network 'WAN'
list network 'wan6'
config rule
list proto 'udp'
option src '*'
list src_ip '192.168.2.5'
option src_port '25550'
option dest '*'
list dest_ip '192.168.2.1'
option target 'ACCEPT'
config rule 'wg'
option name 'Allow-WireGuard'
option dest_port '51820'
option proto 'udp'
option target 'ACCEPT'
option src 'WAN'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Wireguard'
list proto 'udp'
option dest_ip '192.168.2.5'
option src_dport '25550'
option dest_port '25550'
option src 'WAN'
config redirect
option target 'DNAT'
option name 'Wireguard LAN'
option src 'lan'
option dest_ip '192.168.2.5'
option src_dport '25550'
option dest_port '25550'
option dest 'WAN'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'
config forwarding
option src 'WAN'
option dest 'lan'
config zone
option name 'wan6zone'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config zone
option name 'wgzone'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'WAN'
list network 'wan6'
list network 'wg'
config forwarding
option src 'lan'
option dest 'wgzone'
I would appreciate any advice on improving the stability and functioning of the system!
Best regards