Route all traffic to wireguard VPN

Hi Experts,
I have this setup:

Vendor FTTH router (192.168.1.1) -> OpenWrt router, LAN: 192.168.100.X and WAN: 192.168.1.100 (with a WireGuard VPN configured; the wireless network & LAN are attached to the OpenWrt router)

Below the configuration:

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.167",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "D-Team Newifi D2",
	"board_name": "d-team,newifi-d2",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}

root@OpenWrt:~# cat /etc/config/network

# /etc/config/network as pasted by the poster.
# Topology as described: vendor FTTH router 192.168.1.1 -> this OpenWrt box
# (wan 192.168.1.100, lan 192.168.100.1/24) with a WireGuard tunnel
# 'PRIVATE_VPN_ITA' that is meant to carry all LAN traffic.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd79:5ae8:8da4::/48'
	option packet_steering '1'

# LAN bridge over the four switch ports; wireless is attached elsewhere.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# Static WAN towards the vendor router; 'gateway' makes 192.168.1.1 the
# default route of the box. Nothing in this file replaces that default
# with a route through the tunnel.
config interface 'wan'
	option device 'wan'
	option proto 'static'
	option ipaddr '192.168.1.100'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	list dns '84.200.69.80'
	list dns '84.200.70.40'

# WireGuard tunnel interface. Only the tunnel address, MTU and DNS are set;
# no 'route_allowed_ips' option is present, so the peer's allowed_ips below
# are used for cryptokey routing only and do not install kernel routes —
# the default route stays on 'wan'. Private key redacted in the paste.
config interface 'PRIVATE_VPN_ITA'
	option proto 'wireguard'
	option private_key 'XXX'
	option mtu '1412'
	list addresses '10.34.178.1/16'
	list dns '10.35.53.1'
	list dns '84.200.69.80'

# IPv6 is disabled on the tunnel device while the peer below still lists
# '::/0'. NOTE(review): the LAN has ip6assign '60' (ULA prefix), so check
# whether any IPv6 traffic is expected to traverse the tunnel at all.
config device
	option name 'PRIVATE_VPN_ITA'
	option ipv6 '0'

# Single peer covering all destinations (0.0.0.0/0, ::/0); endpoint matches
# the one reported by `wg show`. Public key redacted in the paste.
config wireguard_PRIVATE_VPN_ITA
	option description 'Imported peer configuration'
	option public_key 'XXXXXXXXXXXXXXXXXXX'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option endpoint_host 'it-mil.pvdata.host'
	option endpoint_port '3389'
	option persistent_keepalive '25'

root@OpenWrt:~# cat /etc/config/firewall 

# /etc/config/firewall as pasted by the poster.
# Zones: lan (trusted), wan (upstream vendor router side), VPN_ITA (tunnel).
# Default policy rejects input and forward; the 'forwarding' sections at
# the bottom decide where LAN traffic may go.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# Stock OpenWrt WAN input rules (DHCP, ping, IGMP, DHCPv6, MLD, ICMPv6).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Opens port 50377 on the WAN side to the router itself; no 'proto' is
# given, so it matches every protocol. `wg show` reports the tunnel
# listening on port 33637, so this rule does not cover the active
# WireGuard port. NOTE(review): confirm what 50377 is for, or drop the rule.
config rule
	option name 'wan-local-wg'
	option src 'wan'
	option dest_port '50377'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# These two rules forward ESP and UDP/500 from the WAN side into the LAN
# zone. No IPsec interface appears in the network config above;
# NOTE(review): unless a LAN host terminates IPsec, they only admit
# WAN-side traffic into the LAN and can be removed.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Tunnel zone: traffic forwarded here is masqueraded to the tunnel address
# (10.34.178.1) and TCP MSS is clamped to the 1412-byte tunnel MTU.
config zone
	option name 'VPN_ITA'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'PRIVATE_VPN_ITA'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

# LAN -> tunnel forwarding: this alone is what the poster wants to keep.
config forwarding
	option src 'lan'
	option dest 'VPN_ITA'

# Accepts forwarded TCP/UDP from the WAN zone into the tunnel zone.
# Together with 'masq' on VPN_ITA, any host on the upstream 192.168.1.0/24
# network that routes via 192.168.1.100 can send traffic through this
# tunnel. LAN -> tunnel traffic is already covered by the forwarding above,
# so this rule is not needed for the stated goal.
config rule
	option src 'wan'
	option dest 'VPN_ITA'
	option target 'ACCEPT'
	option name 'Wireguard_OUT_RULE'
	option family 'ipv4'
	list proto 'tcp'
	list proto 'udp'

# This is the forwarding the poster removes. With the default route still
# on 'wan', LAN traffic keeps being routed out of 'wan', so without this
# entry the forward chain REJECTs the flow — consistent with the
# 'Destination Port Unreachable' reply from 192.168.100.1 in the post.
config forwarding
	option src 'lan'
	option dest 'wan'

root@OpenWrt:~# wg show
interface: PRIVATE_VPN_ITA
  public key: (hidden)
  private key: (hidden)
  listening port: 33637

peer: (hidden)
  endpoint: 80.239.178.58:3389
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 1 minute, 53 seconds ago
  transfer: 1.29 KiB received, 4.62 KiB sent
  persistent keepalive: every 25 seconds
root@OpenWrt:~# 


I want to route all LAN traffic (excluding the router 192.168.100.1) through zone VPN_ITA, but when I try to remove the lan -> wan forwarding (leaving only VPN_ITA) all my traffic goes down and I get this message:

ping 8.8.8.8
From OpenWrt.lan (192.168.100.1) icmp_seq=63 Destination Port Unreachable

Thanks,
Regards

Remove this:

In the peer section of the WireGuard interface, enable Route Allowed IPs: with allowed IPs 0.0.0.0/0 this installs a default route through the tunnel, so LAN traffic is no longer routed out of wan (where the forwarding you removed used to accept it).

REBOOT and test again
