Pocket-Size VPN Router, Maybe?

Hello. I'm trying to configure an Openwrt Netgear EX3700 to operate under another router (connected by ethernet to the device's only port), with the sole purpose of passing its wireless traffic through a VPN tunnel.

Ideally, I would want the configuration to be agnostic about the settings of the "other router" it's plugged into, so that it can be portable — it would work plugged into (mostly) any router that provides it with internet access. I think I have to accept double NAT to do this.

Even when I have DHCP set to authoritative (under Network > DHCP and DNS in Luci), and check “Force DHCP on this network even if another server is detected” (under Interfaces > LAN > DHCP server > Advanced Settings), my ability to access the Openwrt router settings over wifi (either through Luci or SSH) is inconsistent when it is connected to Otherrouter, although it does successfully provide internet access derived from Otherrouter on its wireless network. When internet access is working, ‘arp -a’ doesn’t show a device matching the Openwrt router’s MAC address on the network.

I imagined the Openwrt router might have an IP conflict with the Otherrouter, so I changed its IP, but the problem persisted. If I boot up the Openwrt router without it being connected to Otherrouter, then I can access it both through Luci and SSH. I have managed to install wireguard, and followed the configuration steps at Mullvad’s site, but it’s now reporting that the networking device is not present.

I feel as though I'm probably missing something fairly basic. I offer all the usual apologies for my ignorance, and I would greatly appreciate anyone who can help point me in the right direction. Can anyone tell why double NAT isn't working, and do I even need it for wireguard to function?


root@OpenWrt:~# ubus call system board; uci export network; uci export dhcp; uci export firewall; head -n -0 /etc/firewall.user; iptables-save -c; ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

{

"kernel": "4.14.195",

"hostname": "OpenWrt",

"system": "MediaTek MT7620A ver:2 eco:6",

"model": "Netgear EX3700/EX3800",

"board_name": "ex3700",

"release": {

"distribution": "OpenWrt",

"version": "19.07.4",

"revision": "r11208-ce6496d796",

"target": "ramips/mt7620",

"description": "OpenWrt 19.07.4 r11208-ce6496d796"

}

}

package network

config interface 'loopback'

option ifname 'lo'

option proto 'static'

option ipaddr '127.0.0.1'

option netmask '255.0.0.0'

config globals 'globals'

option ula_prefix 'fde9:c8e3:ee46::/48'

config interface 'lan'

option type 'bridge'

option ifname 'eth0'

option proto 'static'

option netmask '255.255.255.0'

option ip6assign '60'

option ipaddr '192.168.1.1'

config device 'lan_eth0_dev'

option name 'eth0'

option macaddr '3c:37:86:47:5f:01'

config interface 'moretoteale'

option proto 'dhcp'

option peerdns '0'

option auto '0'

config interface 'Mullvad'

option proto 'wireguard'

option private_key '<REDACTED_WIREGUARD_PRIVATE_KEY>'   # the original value was pasted in full here; a key published this way has to be treated as disclosed and replaced with a freshly generated one

option listen_port '32'

list addresses '10.66.144.236'

option force_link '1'

config wireguard_Mullvad

option public_key '6aYNW1nHXw+MD6Q9jNe7Is3WVdIL9eNyOs9Paunxch4='

option endpoint_host '104.200.129.202'

option endpoint_port '51820'

option route_allowed_ips '1'

list allowed_ips '0.0.0.0/0'

package dhcp

config dnsmasq

option domainneeded '1'

option boguspriv '1'

option filterwin2k '0'

option localise_queries '1'

option rebind_protection '1'

option rebind_localhost '1'

option local '/lan/'

option domain 'lan'

option expandhosts '1'

option nonegcache '0'

option authoritative '1'

option readethers '1'

option leasefile '/tmp/dhcp.leases'

option resolvfile '/tmp/resolv.conf.auto'

option nonwildcard '1'

option localservice '1'

config dhcp 'lan'

option interface 'lan'

option start '100'

option limit '150'

option leasetime '12h'

option dhcpv6 'server'

option ra 'server'

option ra_management '1'

list dhcp_option '6,10.64.0.1'

config dhcp 'wan'

option interface 'wan'

option ignore '1'

config odhcpd 'odhcpd'

option maindhcp '0'

option leasefile '/tmp/hosts/odhcpd'

option leasetrigger '/usr/sbin/odhcpd-update'

option loglevel '4'

package firewall

config defaults

option input 'ACCEPT'

option output 'ACCEPT'

option forward 'REJECT'

option synflood_protect '1'

config zone

option name 'lan'

option input 'ACCEPT'

option output 'ACCEPT'

option forward 'ACCEPT'

option network 'lan moretoteale'

config zone

option name 'wan'

option input 'REJECT'

option output 'ACCEPT'

option forward 'REJECT'

option masq '1'

option mtu_fix '1'

option network 'wan wan6'

config rule

option name 'Allow-DHCP-Renew'

option src 'wan'

option proto 'udp'

option dest_port '68'

option target 'ACCEPT'

option family 'ipv4'

config rule

option name 'Allow-Ping'

option src 'wan'

option proto 'icmp'

option icmp_type 'echo-request'

option family 'ipv4'

option target 'ACCEPT'

config rule

option name 'Allow-IGMP'

option src 'wan'

option proto 'igmp'

option family 'ipv4'

option target 'ACCEPT'

config rule

option name 'Allow-DHCPv6'

option src 'wan'

option proto 'udp'

option src_ip 'fc00::/6'

option dest_ip 'fc00::/6'

option dest_port '546'

option family 'ipv6'

option target 'ACCEPT'

config rule

option name 'Allow-MLD'

option src 'wan'

option proto 'icmp'

option src_ip 'fe80::/10'

list icmp_type '130/0'

list icmp_type '131/0'

list icmp_type '132/0'

list icmp_type '143/0'

option family 'ipv6'

option target 'ACCEPT'

config rule

option name 'Allow-ICMPv6-Input'

option src 'wan'

option proto 'icmp'

list icmp_type 'echo-request'

list icmp_type 'echo-reply'

list icmp_type 'destination-unreachable'

list icmp_type 'packet-too-big'

list icmp_type 'time-exceeded'

list icmp_type 'bad-header'

list icmp_type 'unknown-header-type'

list icmp_type 'router-solicitation'

list icmp_type 'neighbour-solicitation'

list icmp_type 'router-advertisement'

list icmp_type 'neighbour-advertisement'

option limit '1000/sec'

option family 'ipv6'

option target 'ACCEPT'

config rule

option name 'Allow-ICMPv6-Forward'

option src 'wan'

option dest '*'

option proto 'icmp'

list icmp_type 'echo-request'

list icmp_type 'echo-reply'

list icmp_type 'destination-unreachable'

list icmp_type 'packet-too-big'

list icmp_type 'time-exceeded'

list icmp_type 'bad-header'

list icmp_type 'unknown-header-type'

option limit '1000/sec'

option family 'ipv6'

option target 'ACCEPT'

config rule

option name 'Allow-IPSec-ESP'

option src 'wan'

option dest 'lan'

option proto 'esp'

option target 'ACCEPT'

config rule

option name 'Allow-ISAKMP'

option src 'wan'

option dest 'lan'

option dest_port '500'

option proto 'udp'

option target 'ACCEPT'

config include

option path '/etc/firewall.user'

config zone

option name 'WGZONE'

option mtu_fix '1'

option input 'REJECT'

option forward 'REJECT'

option masq '1'

option output 'ACCEPT'

option network 'Mullvad'

config forwarding

option dest 'WGZONE'

option src 'lan'

# This file is interpreted as shell script.

# Put your custom iptables rules here, they will

# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so

# put custom rules into the root chains e.g. INPUT or FORWARD or into the

# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

# Generated by iptables-save v1.8.3 on Thu Sep 24 08:16:01 2020

*nat

:PREROUTING ACCEPT [2644:543640]

:INPUT ACCEPT [25:7669]

:OUTPUT ACCEPT [90:8280]

:POSTROUTING ACCEPT [90:8280]

:postrouting_WGZONE_rule - [0:0]

:postrouting_lan_rule - [0:0]

:postrouting_rule - [0:0]

:postrouting_wan_rule - [0:0]

:prerouting_WGZONE_rule - [0:0]

:prerouting_lan_rule - [0:0]

:prerouting_rule - [0:0]

:prerouting_wan_rule - [0:0]

:zone_WGZONE_postrouting - [0:0]

:zone_WGZONE_prerouting - [0:0]

:zone_lan_postrouting - [0:0]

:zone_lan_prerouting - [0:0]

:zone_wan_postrouting - [0:0]

:zone_wan_prerouting - [0:0]

[2644:543640] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule

[1881:316631] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting

[763:227009] -A PREROUTING -i wlan0 -m comment --comment "!fw3" -j zone_lan_prerouting

[0:0] -A PREROUTING -i Mullvad -m comment --comment "!fw3" -j zone_WGZONE_prerouting

[1155:79155] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule

[3:984] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting

[5:1488] -A POSTROUTING -o wlan0 -m comment --comment "!fw3" -j zone_lan_postrouting

[1065:70875] -A POSTROUTING -o Mullvad -m comment --comment "!fw3" -j zone_WGZONE_postrouting

[1065:70875] -A zone_WGZONE_postrouting -m comment --comment "!fw3: Custom WGZONE postrouting rule chain" -j postrouting_WGZONE_rule

[1065:70875] -A zone_WGZONE_postrouting -m comment --comment "!fw3" -j MASQUERADE

[0:0] -A zone_WGZONE_prerouting -m comment --comment "!fw3: Custom WGZONE prerouting rule chain" -j prerouting_WGZONE_rule

[8:2472] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule

[2644:543640] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule

[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule

[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE

[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule

COMMIT

# Completed on Thu Sep 24 08:16:01 2020

# Generated by iptables-save v1.8.3 on Thu Sep 24 08:16:01 2020

*mangle

:PREROUTING ACCEPT [7792:1262538]

:INPUT ACCEPT [3149:577533]

:FORWARD ACCEPT [3082:218069]

:OUTPUT ACCEPT [2430:1096733]

:POSTROUTING ACCEPT [5516:1316114]

[576:36864] -A FORWARD -o Mullvad -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone WGZONE MTU fixing" -j TCPMSS --clamp-mss-to-pmtu

[0:0] -A FORWARD -i Mullvad -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone WGZONE MTU fixing" -j TCPMSS --clamp-mss-to-pmtu

COMMIT

# Completed on Thu Sep 24 08:16:01 2020

# Generated by iptables-save v1.8.3 on Thu Sep 24 08:16:01 2020

*filter

:INPUT ACCEPT [0:0]

:FORWARD DROP [0:0]

:OUTPUT ACCEPT [0:0]

:forwarding_WGZONE_rule - [0:0]

:forwarding_lan_rule - [0:0]

:forwarding_rule - [0:0]

:forwarding_wan_rule - [0:0]

:input_WGZONE_rule - [0:0]

:input_lan_rule - [0:0]

:input_rule - [0:0]

:input_wan_rule - [0:0]

:output_WGZONE_rule - [0:0]

:output_lan_rule - [0:0]

:output_rule - [0:0]

:output_wan_rule - [0:0]

:reject - [0:0]

:syn_flood - [0:0]

:zone_WGZONE_dest_ACCEPT - [0:0]

:zone_WGZONE_dest_REJECT - [0:0]

:zone_WGZONE_forward - [0:0]

:zone_WGZONE_input - [0:0]

:zone_WGZONE_output - [0:0]

:zone_WGZONE_src_REJECT - [0:0]

:zone_lan_dest_ACCEPT - [0:0]

:zone_lan_forward - [0:0]

:zone_lan_input - [0:0]

:zone_lan_output - [0:0]

:zone_lan_src_ACCEPT - [0:0]

:zone_wan_dest_ACCEPT - [0:0]

:zone_wan_dest_REJECT - [0:0]

:zone_wan_forward - [0:0]

:zone_wan_input - [0:0]

:zone_wan_output - [0:0]

:zone_wan_src_REJECT - [0:0]

[1050:123896] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT

[2100:453689] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule

[1195:181923] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT

[4:256] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood

[466:136765] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input

[439:135001] -A INPUT -i wlan0 -m comment --comment "!fw3" -j zone_lan_input

[0:0] -A INPUT -i Mullvad -m comment --comment "!fw3" -j zone_WGZONE_input

[3082:218069] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule

[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT

[3082:218069] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward

[0:0] -A FORWARD -i wlan0 -m comment --comment "!fw3" -j zone_lan_forward

[0:0] -A FORWARD -i Mullvad -m comment --comment "!fw3" -j zone_WGZONE_forward

[0:0] -A FORWARD -m comment --comment "!fw3" -j reject

[1050:123896] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT

[1384:974613] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule

[1102:923461] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT

[5:1640] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output

[277:49512] -A OUTPUT -o wlan0 -m comment --comment "!fw3" -j zone_lan_output

[0:0] -A OUTPUT -o Mullvad -m comment --comment "!fw3" -j zone_WGZONE_output

[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset

[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable

[4:256] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN

[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP

[0:0] -A zone_WGZONE_dest_ACCEPT -o Mullvad -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP

[3082:218069] -A zone_WGZONE_dest_ACCEPT -o Mullvad -m comment --comment "!fw3" -j ACCEPT

[0:0] -A zone_WGZONE_dest_REJECT -o Mullvad -m comment --comment "!fw3" -j reject

[0:0] -A zone_WGZONE_forward -m comment --comment "!fw3: Custom WGZONE forwarding rule chain" -j forwarding_WGZONE_rule

[0:0] -A zone_WGZONE_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT

[0:0] -A zone_WGZONE_forward -m comment --comment "!fw3" -j zone_WGZONE_dest_REJECT

[0:0] -A zone_WGZONE_input -m comment --comment "!fw3: Custom WGZONE input rule chain" -j input_WGZONE_rule

[0:0] -A zone_WGZONE_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT

[0:0] -A zone_WGZONE_input -m comment --comment "!fw3" -j zone_WGZONE_src_REJECT

[0:0] -A zone_WGZONE_output -m comment --comment "!fw3: Custom WGZONE output rule chain" -j output_WGZONE_rule

[0:0] -A zone_WGZONE_output -m comment --comment "!fw3" -j zone_WGZONE_dest_ACCEPT

[0:0] -A zone_WGZONE_src_REJECT -i Mullvad -m comment --comment "!fw3" -j reject

[5:1640] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT

[277:49512] -A zone_lan_dest_ACCEPT -o wlan0 -m comment --comment "!fw3" -j ACCEPT

[3082:218069] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule

[3082:218069] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to WGZONE forwarding policy" -j zone_WGZONE_dest_ACCEPT

[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT

[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT

[905:271766] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule

[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT

[905:271766] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT

[282:51152] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule

[282:51152] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT

[466:136765] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT

[439:135001] -A zone_lan_src_ACCEPT -i wlan0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT

[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule

[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT

[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT

[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT

[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT

[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule

[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT

[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT

[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT

[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT

[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT

[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule

[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT

COMMIT

# Completed on Thu Sep 24 08:16:01 2020

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000

inet 127.0.0.1/8 scope host lo

valid_lft forever preferred_lft forever

9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000

inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan

valid_lft forever preferred_lft forever

12: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000

inet 192.168.1.157/24 brd 192.168.1.255 scope global wlan0

valid_lft forever preferred_lft forever

13: Mullvad: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000

inet 10.66.144.236/32 brd 255.255.255.255 scope global Mullvad

valid_lft forever preferred_lft forever

default dev Mullvad proto static scope link 

104.200.129.202 via 192.168.1.1 dev wlan0 proto static 

192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 

192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.157 

local 10.66.144.236 dev Mullvad table local proto kernel scope host src 10.66.144.236 

broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 

local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 

local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 

broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 

broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 

broadcast 192.168.1.0 dev wlan0 table local proto kernel scope link src 192.168.1.157 

local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 

local 192.168.1.157 dev wlan0 table local proto kernel scope host src 192.168.1.157 

broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 

broadcast 192.168.1.255 dev wlan0 table local proto kernel scope link src 192.168.1.157 

0: from all lookup local 

32766: from all lookup main 

32767: from all lookup default 

(I should maybe mention that I also tried joining a wireless network "moretoteale" as a client using the 5 GHz radio, while hosting the other network "Teale" on the other radio, but I had no more luck with that than with ethernet.)

There is an IP conflict here: wlan0 obtained 192.168.1.157/24 from the upstream router while br-lan is statically 192.168.1.1/24, so both interfaces sit on the same subnet, and the WireGuard endpoint route `104.200.129.202 via 192.168.1.1 dev wlan0` points back at the device's own LAN address. However, you have left most of the configuration at defaults, and it won't work as is.
What you need to do:

  1. Remove eth0 interface and bridge type from lan interface. The wireless access point SSID must be associated to the lan interface.
  2. Create a wan interface, dhcp protocol, connected to eth0 physical interface, and assign it to wan firewall zone.
  3. Optionally change the lan IP to something less common to avoid IP conflicts, e.g 192.168.112.1/24

Thank you so much for the reply!

Hm, still haven't got it working. I think I'm going to start fresh from defaults using the info you've provided.

I really appreciate you taking the time :smiley:

