Setting up VPN client using OpenWrt as a client device

Firewall looks totally fine.

How about /etc/config/network? (be sure to redact your WG keys and any other sensitive info)

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '1234:1234:1234::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.2'
	option gateway '192.168.2.1'
	list dns '8.8.8.8'

config device
	option name 'eth0.2'
	option macaddr '12:12:12:12:12:12'
	option ipv6 '0'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config interface 'tun0'
	option proto 'none'
	option device 'tun0'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '1234321='
	list addresses '12.12.12.12'
	option peerdns '0'
	list dns '123.123.123.123'

config wireguard_wg0
	option description '1234'
	option public_key '1234321='
	option endpoint_host '123.123.123.123'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option route_allowed_ips '1'

config device
	option name 'wg0'
	option ipv6 '0'

Do you also have OpenVPN or some other tunnel running besides the WG interface shown?

I wonder if you need to add a static route into your OpenWrt system...

192.168.1.0/24 via 192.168.2.1

I do - but it's not running. WireGuard (wg0) is faster.

Where?

In the LuCI web interface > Network > Static Routes
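For readers who prefer the command line to LuCI, here is an added example (not from this thread) showing the /etc/config/network stanza that a LuCI Network > Static Routes entry produces, the equivalent uci commands, and a check that the route is actually installed. It assumes OpenWrt with uci on the C7, that the route belongs to interface 'lan' (the side facing 192.168.2.1), and the target and gateway from the thread; the routing-table sample is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): the UCI equivalent of the LuCI
# "Network > Static Routes" entry the reply refers to, plus a check that the
# route is actually installed. Assumptions: OpenWrt with uci on the C7, the
# route bound to interface 'lan', target 192.168.1.0/24 via 192.168.2.1.

# Render the /etc/config/network stanza LuCI writes for a static route.
render_route_stanza() {
  # $1 = interface, $2 = target prefix, $3 = gateway
  printf "config route\n\toption interface '%s'\n\toption target '%s'\n\toption gateway '%s'\n" "$1" "$2" "$3"
}

# Apply the same route with uci on the router (not run here; needs uci).
apply_route() {
  uci add network route >/dev/null
  uci set "network.@route[-1].interface=$1"
  uci set "network.@route[-1].target=$2"
  uci set "network.@route[-1].gateway=$3"
  uci commit network
  /etc/init.d/network reload
}

# Check that a prefix is routed via the expected gateway. Takes the text of
# `ip route` as $1 so it can be fed a saved table offline; on the router use:
#   route_present "$(ip route)" 192.168.1.0/24 192.168.2.1
route_present() {
  # $1 = routing table text, $2 = prefix, $3 = gateway
  printf '%s\n' "$1" | grep -q "^$2 via $3 "
}

# Constructed sample of what `ip route` shows once the route is in place.
SAMPLE_TABLE='default via 192.168.2.1 dev br-lan
192.168.1.0/24 via 192.168.2.1 dev br-lan
192.168.2.0/24 dev br-lan scope link src 192.168.2.2'

render_route_stanza lan 192.168.1.0/24 192.168.2.1
if route_present "$SAMPLE_TABLE" 192.168.1.0/24 192.168.2.1; then
  echo "route to 192.168.1.0/24 via 192.168.2.1 present"
fi
```

The check matters because with `route_allowed_ips '1'` and `0.0.0.0/0` in the WireGuard peer's allowed IPs, anything without a more specific route, including 192.168.1.0/24, is sent into the tunnel; `ip route` confirms the more specific route now wins.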

YES!!! That's done it. I can now successfully ping all 3 IPs from either network!

THANK YOU SO MUCH for all your help and for seeing this through!

My final question for you is regarding mDNS. I have a device on the VLAN which is not being discovered by software on the default network (though if I connect to my VLAN wifi the software finds it just fine). My understanding is that the software broadcasts a discovery packet within the network segment, using UDP port 987. I guess it's not making it across to the VLAN, even though mDNS is set on the UDM (it's actually on by default). Any immediate thoughts on what else to try? I'm getting confused by repeaters, reflectors and relays - not sure if they are different or the same thing.

I did find this, which suggests that it's a specific problem on the UDM. Just want to make sure I shouldn't be making any more firewall adjustments or even setting something mDNS related on the C7.

mDNS and other autodiscovery protocols do not route across networks. That is where the mDNS reflector/repeater comes into play. This method doesn't catch all of these protocols, but generally allows the traffic to flow for most. The C7 should not have any impact here because everything remains on the same subnet. To verify that this is true, you could temporarily try setting the DHCP server on VLAN2 to issue the gateway address 192.168.2.1 so that the C7 is not in play (renew the client DHCP leases to pick up this change).

However, the article you linked may well be the issue on the UDM. I don't have a UDM (I'm still using an older USG), so I can't confirm or refute the issue and fix. I used to be active on the UI forums, but gave that up for reasons.... but you might also do some searching/reading or post a question there if the article you found doesn't help resolve the issue.
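To see for yourself which discovery packets on the VLAN can never be forwarded by any router (and therefore need a reflector/repeater regardless of firewall rules), here is an added example, not from this thread, that classifies tcpdump output. It assumes the tcpdump package is installed on the C7, /24 subnets, and that the application's UDP port 987 discovery goes to the subnet broadcast address; that last point and the capture lines themselves are constructed, not something the thread confirms.

```shell
#!/bin/sh
# Added example, not part of the thread. Classifies discovery packets seen on
# the VLAN segment (e.g. `tcpdump -ni br-lan -l 'udp port 5353 or udp port 987'`
# on the C7, assuming the tcpdump package is installed) into traffic a router
# will never forward (link-local multicast, broadcast) and routable unicast.
# Assumes /24 subnets; the port-987 discovery going to the subnet broadcast
# address is a constructed assumption, not something the thread confirms.

# Classify one destination address.
classify_dst() {
  case "$1" in
    224.0.0.*)             echo "link-local-multicast";;  # 224.0.0.0/24 scope; mDNS uses 224.0.0.251
    255.255.255.255|*.255) echo "broadcast";;             # stays on the L2 segment
    *)                     echo "unicast";;               # crosses the router normally
  esac
}

# Turn tcpdump lines (timestamp IP src.port > dst.port: ...) into
# "<dst-ip> <dst-port> <class>" lines.
classify_capture() {
  printf '%s\n' "$1" \
    | awk '/ > /{ split($5, d, "."); ip=d[1]"."d[2]"."d[3]"."d[4]; port=d[5]; sub(/:$/, "", port); print ip, port }' \
    | while read -r ip port; do
        echo "$ip $port $(classify_dst "$ip")"
      done
}

# Number of captured packets that no router would forward; if this is non-zero
# the only fix is a reflector/repeater on the router that spans both networks.
count_unroutable() {
  classify_capture "$1" | grep -vc ' unicast$'
}

# Constructed sample capture: an mDNS query, the app's port-987 discovery to
# the subnet broadcast, and a unicast packet to the other network.
SAMPLE_CAPTURE='12:00:00.000001 IP 192.168.2.50.5353 > 224.0.0.251.5353: UDP, length 80
12:00:00.000002 IP 192.168.2.50.987 > 192.168.2.255.987: UDP, length 40
12:00:00.000003 IP 192.168.2.50.987 > 192.168.1.20.987: UDP, length 40'

classify_capture "$SAMPLE_CAPTURE"
echo "packets that will never cross the router: $(count_unroutable "$SAMPLE_CAPTURE")"
```

If the capture on the C7 shows the port 987 discovery only as multicast or broadcast, no firewall or static-route change on the C7 will help; the reflector on the device that spans both networks (the UDM here) is the only place it can be bridged.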

I'll do some more digging over on the UI forums as you suggest.

Wow - what a week! I've learned a LOT thanks to your guidance, patience and tenacity. Thank you again!
