Hi forum,
I'm asking for help. I have already looked at similar topics but couldn't solve my issue.
I have been running OpenWrt on an RPi4 for a whole year without major problems, mostly on wulfy23's snapshots; currently I am on stable 21.02.1. The problem is not build-related.
I recently moved. Before I had cable internet; now I have fiber.
Setup before: cable modem (FRITZ!Box 6660) > RPi4 running WireGuard > LAN (some AVM devices that collect the clients)
Setup now: fiber modem (FRITZ!Box 5530) > RPi4 running WireGuard > LAN (some AVM devices that collect the clients)
Now the LAN clients can't browse the web anymore: the browser won't load any web pages, and `opkg update` on the router fails, so it looks like a DNS or NAT problem. However, I can ping IPs and domain names (they resolve) from all LAN clients, WireGuard is connected and working, pinging the tunnel IPs also gets answers, and e.g. `wget` from the LAN through WireGuard works.
So technically the internet works and WireGuard is up. (Note: small packets getting through while larger transfers such as page loads fail is also the classic signature of an MTU/PMTU black hole on the tunnel path; this is a guess, not a confirmed cause, but it is worth testing with `ping -M do -s 1392 <tunnel-ip>` from the router and, if that fails, lowering the wg0 MTU below the current 1420.)
I really do not understand it. (Unrelated to the symptom, but noticed while reviewing the firewall dump below: the `Allow-IPSec-ESP` and `Allow-ISAKMP` rules forward ESP and UDP/500 from the wan zone into the wg zone and are still enabled; if no IPsec is in use they can be disabled to reduce the forwarding surface.)
uci show vpn-policy-routing:
root@vpn_pi:~# uci show vpn-policy-routing
vpn-policy-routing.config=vpn-policy-routing
vpn-policy-routing.config.enabled='0'
vpn-policy-routing.config.verbosity='2'
vpn-policy-routing.config.strict_enforcement='1'
vpn-policy-routing.config.src_ipset='0'
vpn-policy-routing.config.dest_ipset='0'
vpn-policy-routing.config.resolver_ipset='dnsmasq.ipset'
vpn-policy-routing.config.ipv6_enabled='0'
vpn-policy-routing.config.ignored_interface='vpnserver wgserver'
vpn-policy-routing.config.boot_timeout='30'
vpn-policy-routing.config.iptables_rule_option='append'
vpn-policy-routing.config.procd_reload_delay='1'
vpn-policy-routing.config.webui_enable_column='0'
vpn-policy-routing.config.webui_protocol_column='0'
vpn-policy-routing.config.webui_chain_column='0'
vpn-policy-routing.config.webui_show_ignore_target='0'
vpn-policy-routing.config.webui_sorting='1'
vpn-policy-routing.config.webui_supported_protocol='tcp' 'udp' 'tcp udp' 'icmp' 'all'
vpn-policy-routing.@include[0]=include
vpn-policy-routing.@include[0].path='/etc/vpn-policy-routing.netflix.user'
vpn-policy-routing.@include[0].enabled='0'
vpn-policy-routing.@include[1]=include
vpn-policy-routing.@include[1].path='/etc/vpn-policy-routing.aws.user'
vpn-policy-routing.@include[1].enabled='0'
uci show network:
network.loopback=interface
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.loopback.device='lo'
network.lan=interface
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.delegate='0'
network.lan.defaultroute='0'
network.lan.device='eth0'
network.lan.ipaddr='192.168.177.1'
network.lan_eth0_dev=device
network.lan_eth0_dev.name='eth0'
network.lan_eth0_dev.ipv6='0'
network.wan=interface
network.wan.device='eth1'
network.wan.proto='static'
network.wan.ipaddr='192.168.178.4'
network.wan.netmask='255.255.255.0'
network.wan.gateway='192.168.178.1'
network.wan.hostname='router'
network.wan_eth1_dev=device
network.wan_eth1_dev.name='eth1'
network.wan_eth1_dev.ipv6='0'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.listen_port='51820'
network.wg0.private_key='***'
network.wg0.addresses='xx.xx.xx.xxx/32'
network.wg0.delegate='0'
network.@wireguard_wg0[0]=wireguard_wg0
network.@wireguard_wg0[0].route_allowed_ips='1'
network.@wireguard_wg0[0].description='wireguard'
network.@wireguard_wg0[0].allowed_ips='0.0.0.0/0'
network.@wireguard_wg0[0].public_key='***'
network.@wireguard_wg0[0].endpoint_host='xxx.xxx.xxx.xx'
network.@wireguard_wg0[0].endpoint_port='xxxx'
network.@wireguard_wg0[0].persistent_keepalive='25'
network.@device[2]=device
network.@device[2].name='br-lan'
network.@device[2].type='bridge'
network.@device[2].ipv6='0'
network.@device[2].ports='eth0'
network.@device[3]=device
network.@device[3].name='wg0'
network.@device[3].ipv6='0'
network.@device[3].mtu='1420'
uci show firewall
root@vpn_pi:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@defaults[0].drop_invalid='1'
firewall.@zone[0]=zone
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].input='REJECT'
firewall.@zone[0].forward='REJECT'
firewall.@zone[0].masq='1'
firewall.@zone[0].mtu_fix='1'
firewall.@zone[0].name='wg'
firewall.@zone[0].family='ipv4'
firewall.@zone[0].network='wg0'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].family='ipv4'
firewall.@zone[1].network='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[0].enabled='0'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].enabled='0'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[2].enabled='0'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[3].enabled='0'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[4].enabled='0'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[5].enabled='0'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[6].enabled='0'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[7].dest='wg'
firewall.@rule[7].family='ipv4'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[8].dest='wg'
firewall.@rule[8].family='ipv4'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='0'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@include[0].reload='1'
firewall.@zone[2]=zone
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].name='lan'
firewall.@zone[2].family='ipv4'
firewall.@zone[2].network='lan'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wg'
wg show
root@vpn_pi:~# wg show
interface: wg0
public key: ***
private key: (hidden)
listening port: 51820
peer: ***
endpoint: xxx.xxx.xxx.xx:xxxx
allowed ips: 0.0.0.0/0
latest handshake: 11 seconds ago
transfer: 12.32 MiB received, 1.63 MiB sent
persistent keepalive: every 25 seconds
ifconfig wg0
root@vpn_pi:~# ifconfig wg0
wg0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:xx.xx.xx.xxx P-t-P:xx.xx.xx.xxx Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MTU:1420 Metric:1
RX packets:15919 errors:0 dropped:0 overruns:0 frame:0
TX packets:26365 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:12926300 (12.3 MiB) TX bytes:1732696 (1.6 MiB)
ip route list table all | grep wg
root@vpn_pi:~# ip route list table all | grep wg
default dev wg0 proto static scope link
local xx.xx.xx.xxx dev wg0 table local proto kernel scope host src xx.xx.xx.xxx
On the old cable connection I got a real public IP.
The new fiber connection hands a carrier-grade-NAT address (e.g. 100.96.12.43, which is in the RFC 6598 shared range 100.64.0.0/10) to my fiber box; the public IP seen from the internet differs from the address the ISP assigns to the box. (Since this router only initiates the tunnel towards a remote endpoint and the handshake above succeeds, CGNAT by itself should not break the tunnel; it just means the router's listen port 51820 is not reachable from the internet.)