Packet and route processing dependencies on rules?

I have eth0.200 and a WireGuard interface (vpsgw), both set to the same routing table (ip4table and ip6table = 20). Clients aren't able to reach the internet - wondering what I may have missed?

I'm trying to understand why, when both network interfaces share the same routing table, the traffic from eth0.666 isn't going through - a forwarding rule exists from 'untrusted' to 'vpsgw', so shouldn't it work?

root@meow:~# ip route show table 20
default dev vpsgw proto static scope link
10.100.100.0/24 dev vpsgw proto static scope link
172.17.200.0/24 dev eth0.200 proto static scope link
root@meow:~# tcpdump -i eth0.200 icmp
12:07:03.071483 IP 172.17.200.250 > dns.google: ICMP echo request, id 1, seq 45977, length 40
12:07:03.071520 IP 172.17.200.1 > 172.17.200.250: ICMP dns.google protocol 1 port 39361 unreachable, length 68

my default (main) routing table:

root@meow:~# ip route
default via 192.168.12.1 dev eth1 proto static src 192.168.12.103
45.61.184.24 via 192.168.12.1 dev eth1 proto static
172.66.0.0/24 dev eth0.666 proto kernel scope link src 172.66.0.1
192.168.12.0/24 dev eth1 proto kernel scope link src 192.168.12.103
192.168.44.0/24 dev br-lan proto kernel scope link src 192.168.44.1

config export:

root@meow:~# uci export
package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option domain 'gfm'
        option local '/gfm/'
        option noresolv '1'
        list server '127.0.0.1#5453'
        list server '0::1#5453'

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option ra 'server'
        option ra_management '1'
        option ra_default '1'
        option start '20'
        option dhcpv6 'server'
        option limit '50'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'surfshark'
        option interface 'surfshark'
        option start '200'
        option limit '220'
        option leasetime '12h'

config dhcp 'untrusted'
        option leasetime '12h'
        option ra_default '1'
        option start '20'
        option dhcpv6 'server'
        option limit '50'
        option ra 'server'
        option interface 'untrusted'
        option ra_management '1'

config host
        option mac 'C6:63:35:F0:0C:66'
        option ip '172.17.200.250'
        option name 'myvm'
        option dns '1'

config host
        option mac 'C6:63:35:F0:0C:86'
        option ip '172.66.0.99'
        option name 'test2'
        option dns '1'

package dhcp-opkg

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

package dropbear

config dropbear
        option PasswordAuth 'on'
        option RootPasswordAuth 'on'
        option Port '22'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        option masq6 '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option enabled '0'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config include
        option path '/etc/firewall.nat6'
        option name 'nat6'
        option reload '1'

config zone
        option name 'surfshark'
        option device 'eth0.666'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option network 'surfshark'
        option output 'ACCEPT'

config rule
        option name 'Allow-vlan666-Ping'
        option src 'surfshark'
        option target 'ACCEPT'
        option proto 'icmp'

config rule
        option name 'vlan666-to-router'
        option src 'surfshark'
        option target 'ACCEPT'

config forwarding
        option dest 'vpsgw'
        option src 'surfshark'

config zone
        option name 'untrusted'
        option device 'eth0.200'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option network 'untrusted'
        option output 'ACCEPT'

config rule
        option name 'Allow-vlan200-Ping'
        option src 'untrusted'
        option target 'ACCEPT'
        option proto 'icmp'

config rule
        option name 'vlan200-to-router'
        option src 'untrusted'
        option target 'ACCEPT'

config forwarding
        option dest 'vpsgw'
        option src 'untrusted'

config zone
        option device 'vpsgw'
        option masq6 '1'
        option forward 'REJECT'
        option masq '1'
        option output 'ACCEPT'
        option input 'REJECT'
        option network 'vpsgw'
        option name 'vpsgw'

package luci

config core 'main'
        option lang 'auto'
        option mediaurlbase '/luci-static/bootstrap'
        option resourcebase '/luci-static/resources'
        option ubuspath '/ubus/'

config extern 'flash_keep'
        option uci '/etc/config/'
        option dropbear '/etc/dropbear/'
        option openvpn '/etc/openvpn/'
        option passwd '/etc/passwd'
        option opkg '/etc/opkg.conf'
        option firewall '/etc/firewall.user'
        option uploads '/lib/uci/upload/'

config internal 'languages'

config internal 'sauth'
        option sessionpath '/tmp/luci-sessions'
        option sessiontime '3600'

config internal 'ccache'
        option enable '1'

config internal 'themes'
        option Bootstrap '/luci-static/bootstrap'

config internal 'apply'
        option rollback '90'
        option holdoff '4'
        option timeout '5'
        option display '1.5'

config internal 'diag'
        option dns 'openwrt.org'
        option ping 'openwrt.org'
        option route 'openwrt.org'

package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb6:bf3f:ddd8::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.44.1'
        option ipv6 'on'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'force'
        option reqprefix 'no'
        option defaultroute '1'

config interface 'surfshark'
        option ifname 'eth0.666'
        option netmask '255.255.255.0'
        option ipaddr '172.66.0.1'
        option proto 'static'

config interface 'untrusted'
        option ifname 'eth0.200'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option ipaddr '172.17.200.1'
        option proto 'static'
        option ip4table '20'
        option ip6table '20'

config interface 'vpsgw'
        option private_key 'x
        list addresses '10.100.100.10/24'
        list addresses 'x::10/64'
        option proto 'wireguard'
        option mtu '1350'
        option ip4table '20'
        option ip6table '20'

config wireguard_vpsgw 'wgserver'
        option public_key x
        option description x
        option preshared_key x
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option endpoint_host x
        option persistent_keepalive '19'
        option endpoint_port '88'
        option route_allowed_ips '1'

package rpcd

config rpcd
        option socket '/var/run/ubus.sock'
        option timeout '30'

config login
        option username 'root'
        option password '$p$root'
        list read '*'
        list write '*'

package stubby

config stubby 'global'
        option manual '0'
        option trigger 'wan'
        list dns_transport 'GETDNS_TRANSPORT_TLS'
        option tls_authentication '1'
        option tls_query_padding_blocksize '128'
        option appdata_dir '/var/lib/stubby'
        option edns_client_subnet_private '1'
        option idle_timeout '10000'
        option round_robin_upstreams '1'
        list listen_address '127.0.0.1@5453'
        list listen_address '0::1@5453'

config resolver
        option address '2606:4700:4700::1111'
        option tls_auth_name 'cloudflare-dns.com'

config resolver
        option address '2606:4700:4700::1001'
        option tls_auth_name 'cloudflare-dns.com'

config resolver
        option address '1.1.1.1'
        option tls_auth_name 'cloudflare-dns.com'

config resolver
        option address '1.0.0.1'
        option tls_auth_name 'cloudflare-dns.com'

package system

config system
        option ttylogin '0'
        option log_size '64'
        option urandom_seed '0'
        option hostname 'meow'
        option timezone 'EST5EDT,M3.2.0,M11.1.0'
        option zonename 'America/New York'

config timeserver 'ntp'
        option enabled '1'
        option enable_server '0'
        list server '0.openwrt.pool.ntp.org'
        list server '1.openwrt.pool.ntp.org'
        list server '2.openwrt.pool.ntp.org'
        list server '3.openwrt.pool.ntp.org'

package ucitrack

config network
        option init 'network'
        list affects 'dhcp'
        list affects 'radvd'

config wireless
        list affects 'network'

config firewall
        option init 'firewall'
        list affects 'luci-splash'
        list affects 'qos'
        list affects 'miniupnpd'

config olsr
        option init 'olsrd'

config dhcp
        option init 'dnsmasq'
        list affects 'odhcpd'

config odhcpd
        option init 'odhcpd'

config dropbear
        option init 'dropbear'

config httpd
        option init 'httpd'

config fstab
        option exec '/sbin/block mount'

config qos
        option init 'qos'

config system
        option init 'led'
        option exec '/etc/init.d/log reload'
        list affects 'luci_statistics'
        list affects 'dhcp'

config luci_splash
        option init 'luci_splash'

config upnpd
        option init 'miniupnpd'

config ntpclient
        option init 'ntpclient'

config samba
        option init 'samba'

config tinyproxy
        option init 'tinyproxy'

package uhttpd

config uhttpd 'main'
        list listen_http '0.0.0.0:80'
        list listen_http '[::]:80'
        list listen_https '0.0.0.0:443'
        list listen_https '[::]:443'
        option redirect_https '1'
        option home '/www'
        option rfc1918_filter '1'
        option max_requests '3'
        option max_connections '100'
        option cert '/etc/uhttpd.crt'
        option key '/etc/uhttpd.key'
        option cgi_prefix '/cgi-bin'
        list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
        option script_timeout '60'
        option network_timeout '30'
        option http_keepalive '20'
        option tcp_keepalive '1'

config cert 'defaults'
        option days '730'
        option key_type 'rsa'
        option bits '2048'
        option ec_curve 'P-256'
        option country 'ZZ'
        option state 'Somewhere'
        option location 'Unknown'
        option commonname 'OpenWrt'

package vpn-policy-routing

config vpn-policy-routing 'config'
        option enabled '0'
        option verbosity '2'
        option strict_enforcement '1'
        option src_ipset '0'
        option dest_ipset '0'
        option resolver_ipset 'dnsmasq.ipset'
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver wgserver'
        option boot_timeout '30'
        option iptables_rule_option 'append'
        option procd_reload_delay '1'
        option webui_enable_column '0'
        option webui_protocol_column '0'
        option webui_chain_column '0'
        option webui_show_ignore_target '0'
        option webui_sorting '1'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'all'

config include
        option path '/etc/vpn-policy-routing.netflix.user'
        option enabled '0'

config include
        option path '/etc/vpn-policy-routing.aws.user'
        option enabled '0'

What I was trying to do:

  • put two interfaces in the same routing table
  • clients on the non-WireGuard interface that uses the same route table would use the WireGuard interface as their internet gateway without needing a 'lookup' rule - this seems to work in theory, but it gets filtered by OpenWrt by default...

This is a roundabout way of asking: must I always use lookup rules to achieve what I wanted? I sort of expected rule.lookup not to be needed if both interfaces share a common route table and have forwarding between their zones enabled.


https://openwrt.org/docs/guide-user/network/routing/basics#policy-based_routing

In your case, an explicit lookup rule is necessary to match destinations outside the local subnets; otherwise the default route in the custom table cannot be reached. Firewall forwarding between zones only decides whether a packet is allowed once routing has already chosen the outgoing interface; the route lookup itself goes to the main table unless an ip rule directs traffic from that source to table 20.


Thank you! This is what I was missing :slight_smile:
Confirmation that rule lookups are needed.

