From both sides I can ping systems on both sides.
I can SSH or use LuCI to get into OpenWrt on the remote system.
The firewall rules look OK; this was working and then stopped.
What files will help?
From both sides I can ping systems on both sides.
I can SSH or use LuCI to get into OpenWrt on the remote system.
The firewall rules look OK; this was working and then stopped.
What files will help?
What changed?
Please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
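Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have. That includes WireGuard private and preshared keys, and public addresses inside firewall options such as src_ip or endpoint_host, not only the WAN address: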
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
wg show
Please show this for both sides
root@SalemOpenWrt:~# ubus call system board
{
"kernel": "5.15.150",
"hostname": "SalemOpenWrt",
"system": "ARMv7 Processor rev 1 (v7l)",
"model": "Linksys WRT3200ACM",
"board_name": "linksys,wrt3200acm",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.3",
"revision": "r23809-234f1a2efa",
"target": "mvebu/cortexa9",
"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
}
}
root@SalemOpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'x'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config device
option name 'wan'
option macaddr 'x'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
option type 'bridge'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan1:t'
list ports 'lan2:u*'
list ports 'lan3:t'
config bridge-vlan
option device 'br-lan'
option vlan '2'
list ports 'lan1:t'
list ports 'lan3:t'
config bridge-vlan
option device 'br-lan'
option vlan '4'
list ports 'lan1:t'
list ports 'lan3:t'
list ports 'lan4:u*'
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'lan1:t'
list ports 'lan3:t'
config bridge-vlan
option device 'br-lan'
option vlan '11'
list ports 'lan1:t'
list ports 'lan3:t'
config bridge-vlan
option device 'br-lan'
option vlan '12'
list ports 'lan1:t'
list ports 'lan3:t'
config bridge-vlan
option device 'br-lan'
option vlan '13'
list ports 'lan1:t'
list ports 'lan3:t'
config bridge-vlan
option device 'br-lan'
option vlan '14'
list ports 'lan1:t'
list ports 'lan3:t'
config bridge-vlan
option device 'br-lan'
option vlan '16'
list ports 'lan1:t'
list ports 'lan3:t'
config bridge-vlan
option device 'br-lan'
option vlan '17'
list ports 'lan1:t'
list ports 'lan3:t'
config bridge-vlan
option device 'br-lan'
option vlan '18'
list ports 'lan1:t'
list ports 'lan3:t'
config bridge-vlan
option device 'br-lan'
option vlan '19'
list ports 'lan1:t'
list ports 'lan3:t'
config interface 'vlan4'
option proto 'static'
option device 'br-lan.4'
option ipaddr '192.168.4.1'
option netmask '255.255.255.0'
config interface 'vlan11w'
option proto 'static'
option device 'br-lan.11'
option ipaddr '192.168.11.1'
option netmask '255.255.255.0'
config interface 'vlan10l'
option proto 'static'
option device 'br-lan.10'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
config interface 'vlan12p'
option proto 'static'
option device 'br-lan.12'
option ipaddr '192.168.12.1'
option netmask '255.255.255.0'
config interface 'vlan1'
option proto 'static'
option device 'br-lan.1'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
config interface 'vlan13i'
option proto 'static'
option device 'br-lan.13'
option ipaddr '192.168.13.1'
option netmask '255.255.255.0'
config interface 'vlan14o'
option proto 'static'
option device 'br-lan.14'
option ipaddr '192.168.14.1'
option netmask '255.255.255.0'
config interface 'vlan16m1'
option proto 'none'
option device 'br-lan.16'
config interface 'vlan17m2'
option proto 'none'
option device 'br-lan.17'
config interface 'vlan18m3'
option proto 'none'
option device 'br-lan.18'
config interface 'vlan19m4'
option proto 'none'
option device 'br-lan.19'
config interface 'vlan2'
option proto 'none'
option device 'br-lan.2'
config device
option name 'br-lan.11'
option type '8021q'
option ifname 'br-lan'
option vid '11'
option ipv6 '0'
config interface 'vlan20m5'
option proto 'static'
option device 'br-lan.20'
config device
option name 'br-lan.10'
option type '8021q'
option ifname 'br-lan'
option vid '10'
config interface 'vlan15vpn'
option proto 'wireguard'
option private_key ''
option listen_port '51820'
list addresses '192.168.15.1/24'
# WireGuard peer entry on the vlan15vpn interface for the client described as 'Kevin Cell'.
# NOTE(review): private_key inside a peer section is the client's own private key kept on the
# router; presumably LuCI stored it so the client configuration can be regenerated. The
# interface itself only needs the peer's public_key (and preshared_key) - confirm, and drop
# the stored private key once the client is provisioned. The other wireguard_vlan15vpn peer
# sections in this file carry the same option.
config wireguard_vlan15vpn
option description 'Kevin Cell'
option public_key 'x='
option private_key 'x='
option preshared_key 'c='
option route_allowed_ips '1'
option endpoint_port '51820'
list allowed_ips '192.168.15.10/32'
config wireguard_vlan15vpn
option description 'Kevin PC'
option public_key 'x='
option private_key 'x='
option preshared_key 'x='
option route_allowed_ips '1'
option endpoint_port '51820'
list allowed_ips '192.168.15.12/32'
config wireguard_vlan15vpn
option description 'Tablet'
option public_key 'x='
option private_key 'x='
option preshared_key 'xo='
list allowed_ips '192.168.15.14/32'
option endpoint_port '51820'
config interface 'SiteToSite'
option proto 'wireguard'
option private_key 'x='
option listen_port '51821'
list addresses '172.16.1.1/32'
config wireguard_SiteToSite
option description 'Seaside'
option public_key 'IN//BsD4='
option route_allowed_ips '1'
option endpoint_host 'xx.xx.xx.xx'
option endpoint_port '51821'
option persistent_keepalive '25'
list allowed_ips '192.168.212.0/24'
list allowed_ips '192.168.210.0/24'
list allowed_ips '172.16.1.0/24'
list allowed_ips '192.168.211.0/24'
list allowed_ips '192.168.213.0/24'
list allowed_ips '192.168.214.0/24'
list allowed_ips '192.168.215.0/24'
root@SalemOpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config zone
option name 'VLAN4'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'vlan4'
config forwarding
option src 'VLAN4'
option dest 'wan'
config zone
option name 'VLAN11W'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'vlan11w'
config zone
option name 'VLAN10L'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'vlan10l'
config zone
option name 'VLAN12P'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'vlan12p'
config zone
option name 'VLAN1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'vlan1'
config forwarding
option src 'VLAN11W'
option dest 'VLAN1'
config forwarding
option src 'VLAN11W'
option dest 'VLAN4'
config forwarding
option src 'VLAN11W'
option dest 'VLAN10L'
config forwarding
option src 'VLAN11W'
option dest 'VLAN12P'
config forwarding
option src 'VLAN11W'
option dest 'wan'
config forwarding
option src 'VLAN4'
option dest 'VLAN1'
config forwarding
option src 'VLAN4'
option dest 'VLAN10L'
config forwarding
option src 'VLAN4'
option dest 'VLAN11W'
config forwarding
option src 'VLAN4'
option dest 'VLAN12P'
config forwarding
option src 'VLAN1'
option dest 'VLAN4'
config forwarding
option src 'VLAN10L'
option dest 'VLAN4'
config forwarding
option src 'VLAN12P'
option dest 'VLAN4'
config forwarding
option src 'VLAN10L'
option dest 'VLAN1'
config forwarding
option src 'VLAN10L'
option dest 'VLAN11W'
config forwarding
option src 'VLAN10L'
option dest 'VLAN12P'
config forwarding
option src 'VLAN10L'
option dest 'wan'
config forwarding
option src 'VLAN1'
option dest 'VLAN10L'
config forwarding
option src 'VLAN12P'
option dest 'VLAN10L'
config forwarding
option src 'VLAN12P'
option dest 'VLAN1'
config forwarding
option src 'VLAN12P'
option dest 'VLAN11W'
config forwarding
option src 'VLAN12P'
option dest 'wan'
config forwarding
option src 'VLAN1'
option dest 'VLAN12P'
config forwarding
option src 'VLAN1'
option dest 'VLAN11W'
config forwarding
option src 'VLAN1'
option dest 'wan'
config zone
option name 'VLAN13I'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'vlan13i'
config zone
option name 'VLAN14O'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'vlan14o'
config zone
option name 'VLAN15V'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'vlan15vpn'
config forwarding
option src 'VLAN13I'
option dest 'VLAN1'
config forwarding
option src 'VLAN13I'
option dest 'VLAN4'
config forwarding
option src 'VLAN13I'
option dest 'VLAN10L'
config forwarding
option src 'VLAN13I'
option dest 'VLAN11W'
config forwarding
option src 'VLAN13I'
option dest 'VLAN12P'
config forwarding
option src 'VLAN13I'
option dest 'VLAN14O'
config forwarding
option src 'VLAN13I'
option dest 'VLAN15V'
config forwarding
option src 'VLAN13I'
option dest 'wan'
config forwarding
option src 'VLAN1'
option dest 'VLAN13I'
config forwarding
option src 'VLAN4'
option dest 'VLAN13I'
config forwarding
option src 'VLAN10L'
option dest 'VLAN13I'
config forwarding
option src 'VLAN11W'
option dest 'VLAN13I'
config forwarding
option src 'VLAN12P'
option dest 'VLAN13I'
config forwarding
option src 'VLAN14O'
option dest 'VLAN13I'
config forwarding
option src 'VLAN15V'
option dest 'VLAN13I'
config forwarding
option src 'VLAN14O'
option dest 'VLAN1'
config forwarding
option src 'VLAN14O'
option dest 'VLAN4'
config forwarding
option src 'VLAN14O'
option dest 'VLAN10L'
config forwarding
option src 'VLAN14O'
option dest 'VLAN11W'
config forwarding
option src 'VLAN14O'
option dest 'VLAN12P'
config forwarding
option src 'VLAN14O'
option dest 'VLAN15V'
config forwarding
option src 'VLAN14O'
option dest 'wan'
config forwarding
option src 'VLAN4'
option dest 'VLAN14O'
config forwarding
option src 'VLAN10L'
option dest 'VLAN14O'
config forwarding
option src 'VLAN11W'
option dest 'VLAN14O'
config forwarding
option src 'VLAN12P'
option dest 'VLAN14O'
config forwarding
option src 'VLAN15V'
option dest 'VLAN14O'
config forwarding
option src 'VLAN15V'
option dest 'VLAN1'
config forwarding
option src 'VLAN15V'
option dest 'VLAN4'
config forwarding
option src 'VLAN15V'
option dest 'VLAN10L'
config forwarding
option src 'VLAN15V'
option dest 'VLAN11W'
config forwarding
option src 'VLAN15V'
option dest 'VLAN12P'
config forwarding
option src 'VLAN15V'
option dest 'wan'
config forwarding
option src 'VLAN4'
option dest 'VLAN15V'
config forwarding
option src 'VLAN10L'
option dest 'VLAN15V'
config forwarding
option src 'VLAN11W'
option dest 'VLAN15V'
config forwarding
option src 'VLAN12P'
option dest 'VLAN15V'
config zone
option name 'VLAN16M1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'vlan16m1'
config zone
option name 'VLAN17M2'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'vlan17m2'
config zone
option name 'VLAN19M4'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'vlan19m4'
config zone
option name 'VLAN18M3'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'vlan18m3'
config forwarding
option src 'VLAN16M1'
option dest 'VLAN17M2'
config forwarding
option src 'VLAN16M1'
option dest 'VLAN18M3'
config forwarding
option src 'VLAN16M1'
option dest 'VLAN19M4'
config forwarding
option src 'VLAN17M2'
option dest 'VLAN16M1'
config forwarding
option src 'VLAN17M2'
option dest 'VLAN18M3'
config forwarding
option src 'VLAN17M2'
option dest 'VLAN19M4'
config forwarding
option src 'VLAN18M3'
option dest 'VLAN17M2'
config forwarding
option src 'VLAN19M4'
option dest 'VLAN17M2'
config forwarding
option src 'VLAN19M4'
option dest 'VLAN16M1'
config forwarding
option src 'VLAN19M4'
option dest 'VLAN18M3'
config forwarding
option src 'VLAN18M3'
option dest 'VLAN16M1'
config forwarding
option src 'VLAN18M3'
option dest 'VLAN19M4'
config zone
option name 'VLAN2M'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'vlan2'
config forwarding
option src 'VLAN2M'
option dest 'VLAN16M1'
config forwarding
option src 'VLAN2M'
option dest 'VLAN17M2'
config forwarding
option src 'VLAN2M'
option dest 'VLAN18M3'
config forwarding
option src 'VLAN2M'
option dest 'VLAN19M4'
config forwarding
option src 'VLAN16M1'
option dest 'VLAN2M'
config forwarding
option src 'VLAN17M2'
option dest 'VLAN2M'
config forwarding
option src 'VLAN18M3'
option dest 'VLAN2M'
config forwarding
option src 'VLAN19M4'
option dest 'VLAN2M'
config redirect
option dest 'VLAN10L'
option target 'DNAT'
option name 'http'
option family 'ipv4'
list proto 'tcp'
option src 'wan'
option src_dport '80'
option dest_ip '192.168.10.141'
option dest_port '80'
config redirect
option dest 'VLAN10L'
option target 'DNAT'
option name 'https'
option family 'ipv4'
list proto 'tcp'
option src 'wan'
option src_dport '443'
option dest_ip '192.168.10.141'
option dest_port '443'
config redirect
option dest 'VLAN10L'
option target 'DNAT'
option name 'mqtt'
option family 'ipv4'
list proto 'tcp'
option src 'wan'
option src_dport '8883'
option dest_ip '192.168.10.141'
option dest_port '8883'
config redirect
option dest 'VLAN10L'
option target 'DNAT'
option name 'ssh seaside'
list proto 'tcp'
option src 'wan'
option src_dport '22'
option dest_ip '192.168.10.141'
option dest_port '22'
option src_ip 'xx.xx.xx.xx'
config redirect
option dest 'VLAN10L'
option target 'DNAT'
option name 'server ssh'
option family 'ipv4'
list proto 'tcp'
option src 'wan'
option src_ip '162.254.35.211'
option src_dport '9443'
option dest_ip '192.168.10.141'
option dest_port '22'
# Port forward 'ssh': TCP 9922 arriving on wan is sent to 192.168.10.141 port 22 in zone VLAN10L.
# NOTE(review): no src_ip is set, so any WAN source can reach this SSH service, whereas the
# 'server ssh' redirect in this file limits its source with src_ip. Confirm the open exposure
# is intended and that the target host accepts key-based logins only.
config redirect
option dest 'VLAN10L'
option target 'DNAT'
option name 'ssh'
list proto 'tcp'
option src 'wan'
option src_dport '9922'
option dest_ip '192.168.10.141'
option dest_port '22'
# Port forward 'mysql': TCP 3306 arriving on wan is sent to 192.168.10.225 port 3306 in zone VLAN10L.
# NOTE(review): no src_ip is set, so the database port is reachable from any WAN source.
# Consider limiting it with src_ip, or reaching the database only through one of the
# WireGuard tunnels defined in the network config - confirm what the clients need.
config redirect
option dest 'VLAN10L'
option target 'DNAT'
option name 'mysql'
list proto 'tcp'
option src 'wan'
option src_dport '3306'
option dest_ip '192.168.10.225'
option dest_port '3306'
config redirect
option target 'DNAT'
option name 'na7kr'
option src 'wan'
option src_dport '8443'
option dest_port '22'
list proto 'tcp'
option dest 'VLAN10L'
option dest_ip '192.168.10.129'
config zone
option name 'VLAN20'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'vlan20m5'
config forwarding
option src 'VLAN20'
option dest 'VLAN16M1'
config forwarding
option src 'VLAN20'
option dest 'VLAN17M2'
config forwarding
option src 'VLAN20'
option dest 'VLAN18M3'
config forwarding
option src 'VLAN20'
option dest 'VLAN19M4'
config forwarding
option src 'VLAN16M1'
option dest 'VLAN20'
config forwarding
option src 'VLAN17M2'
option dest 'VLAN20'
config forwarding
option src 'VLAN18M3'
option dest 'VLAN20'
config forwarding
option src 'VLAN19M4'
option dest 'VLAN20'
# Port forward 'VPN': UDP 51820 arriving on wan is sent to 192.168.15.1 port 51820 in zone VLAN15V.
# NOTE(review): 192.168.15.1 is the address of this router's own vlan15vpn WireGuard interface,
# which listens on 51820 (see the network config), so the redirect points back at the router.
# A 'config rule' with src 'wan', proto 'udp', dest_port '51820' and target 'ACCEPT' states the
# same intent directly - confirm before changing.
config redirect
option dest 'VLAN15V'
option target 'DNAT'
option name 'VPN'
list proto 'udp'
option src 'wan'
option src_dport '51820'
option dest_ip '192.168.15.1'
option dest_port '51820'
option family 'ipv4'
# Allows traffic that enters through the wan zone to be forwarded into the VLAN15V zone.
# NOTE(review): this is the only forwarding in this file with src 'wan'; every other zone is
# reached from wan through a specific redirect. Confirm it is intended - WireGuard clients
# arrive on the vlan15vpn interface itself and presumably do not need it.
config forwarding
option src 'wan'
option dest 'VLAN15V'
# Port forward 'meshWireGuard': a UDP port range arriving on wan is sent to 192.168.13.219 in zone VLAN13I.
# NOTE(review): src_dport covers 5525-5535 (11 ports) while dest_port covers 5526-5535 (10 ports);
# the ranges do not line up, which looks like a typo in one of them - confirm which range is
# meant. No src_ip is set, so the range is open to any WAN source.
config redirect
option dest 'VLAN13I'
option target 'DNAT'
option name 'meshWireGuard'
list proto 'udp'
option src 'wan'
option src_dport '5525-5535'
option dest_port '5526-5535'
option dest_ip '192.168.13.219'
config redirect
option dest 'VLAN10L'
option target 'DNAT'
option name 'ssh Ansible'
list proto 'tcp'
option src 'wan'
option src_dport '9923'
option dest_ip '192.168.10.133'
option dest_port '22'
# Firewall zone holding the 'SiteToSite' WireGuard interface; input, output and forward are all ACCEPT.
# The zone is named 'SiteToSide' while the interface is 'SiteToSite'; the forwardings in this
# file use the zone name consistently.
# NOTE(review): masq '1' masquerades traffic leaving through this zone, so the remote site would
# see the tunnel address 172.16.1.1 instead of the real LAN host, both in its firewall rules and
# in its logs. With the remote subnets listed in allowed_ips on both routers this is presumably
# not needed - confirm.
config zone
option name 'SiteToSide'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'SiteToSite'
option masq '1'
config forwarding
option src 'SiteToSide'
option dest 'VLAN1'
config forwarding
option src 'SiteToSide'
option dest 'VLAN4'
config forwarding
option src 'SiteToSide'
option dest 'VLAN10L'
config forwarding
option src 'SiteToSide'
option dest 'VLAN11W'
config forwarding
option src 'SiteToSide'
option dest 'VLAN12P'
config forwarding
option src 'SiteToSide'
option dest 'VLAN13I'
config forwarding
option src 'SiteToSide'
option dest 'VLAN14O'
config forwarding
option src 'SiteToSide'
option dest 'VLAN15V'
config forwarding
option src 'SiteToSide'
option dest 'wan'
config forwarding
option src 'VLAN1'
option dest 'SiteToSide'
config forwarding
option src 'VLAN4'
option dest 'SiteToSide'
config forwarding
option src 'VLAN10L'
option dest 'SiteToSide'
config forwarding
option src 'VLAN11W'
option dest 'SiteToSide'
config forwarding
option src 'VLAN12P'
option dest 'SiteToSide'
config forwarding
option src 'VLAN13I'
option dest 'SiteToSide'
config forwarding
option src 'VLAN14O'
option dest 'SiteToSide'
config forwarding
option src 'VLAN15V'
option dest 'SiteToSide'
# Port forward 'SitetoSite': UDP 51821 arriving on wan is sent to 10.10.10.1 port 51821 in zone SiteToSide.
# NOTE(review): 10.10.10.1 appears on no interface and in no route shown for this router; the
# SiteToSite WireGuard interface listens on 51821 on the router itself with address 172.16.1.1.
# Inbound handshakes from the remote peer would presumably be redirected to an address nobody
# holds, leaving the tunnel dependent on this side initiating. A 'config rule' accepting UDP
# 51821 from wan looks like what is intended - confirm.
config redirect
option dest 'SiteToSide'
option target 'DNAT'
option name 'SitetoSite'
option family 'ipv4'
list proto 'udp'
option src 'wan'
option src_dport '51821'
option dest_ip '10.10.10.1'
option dest_port '51821'
config redirect
option dest 'VLAN10L'
option target 'DNAT'
option name 'ssh mail'
option family 'ipv4'
list proto 'tcp'
option src 'wan'
option src_ip '162.254.35.211'
option src_dport '22'
option dest_ip '192.168.10.141'
option dest_port '22'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/firewall.include'
root@SalemOpenWrt:~# ip route show
default via xx.xx.xx.xx dev wan proto static src xx.xx.xx.xx
xx.xx.xx.xx via xx.xx.xx.xx dev wan proto static
xx.xx.xx.xx/24 dev wan proto kernel scope link src xx.xx.xx.xx
172.16.1.0/24 dev SiteToSite proto static scope link
192.168.1.0/24 dev br-lan.1 proto kernel scope link src 192.168.1.1
192.168.4.0/24 dev br-lan.4 proto kernel scope link src 192.168.4.1
192.168.10.0/24 dev br-lan.10 proto kernel scope link src 192.168.10.1
192.168.11.0/24 dev br-lan.11 proto kernel scope link src 192.168.11.1
192.168.12.0/24 dev br-lan.12 proto kernel scope link src 192.168.12.1
192.168.13.0/24 dev br-lan.13 proto kernel scope link src 192.168.13.1
192.168.14.0/24 dev br-lan.14 proto kernel scope link src 192.168.14.1
192.168.15.0/24 dev vlan15vpn proto kernel scope link src 192.168.15.1
192.168.15.10 dev vlan15vpn proto static scope link
192.168.15.12 dev vlan15vpn proto static scope link
192.168.210.0/24 dev SiteToSite proto static scope link
192.168.211.0/24 dev SiteToSite proto static scope link
192.168.212.0/24 dev SiteToSite proto static scope link
192.168.213.0/24 dev SiteToSite proto static scope link
192.168.214.0/24 dev SiteToSite proto static scope link
192.168.215.0/24 dev SiteToSite proto static scope link
root@SalemOpenWrt:~# wg show
interface: vlan15vpn
public key: x=
private key: (hidden)
listening port: 51820
peer: x=
preshared key: (hidden)
allowed ips: 192.168.15.10/32
peer: x=
preshared key: (hidden)
allowed ips: 192.168.15.12/32
peer: x=
preshared key: (hidden)
allowed ips: 192.168.15.14/32
interface: SiteToSite
public key: x=
private key: (hidden)
listening port: 51821
peer: Ix=
endpoint: xx.xx.xx.xx:51821
allowed ips: 192.168.212.0/24, 192.168.210.0/24, 172.16.1.0/24, 192.168.211.0/24, 192.168.213.0/24, 192.168.214.0/24, 192.168.215.0/24
latest handshake: 34 seconds ago
transfer: 686.81 MiB received, 730.55 MiB sent
persistent keepalive: every 25 seconds
Other Side
root@SeaSideOpenWrt:~# ubus call system board
{
"kernel": "5.15.150",
"hostname": "SeaSideOpenWrt",
"system": "ARMv7 Processor rev 1 (v7l)",
"model": "Linksys WRT3200ACM",
"board_name": "linksys,wrt3200acm",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.3",
"revision": "r23809-234f1a2efa",
"target": "mvebu/cortexa9",
"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
}
}
root@SeaSideOpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd22:d2ec:92a5::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'wan'
option macaddr 'X'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
option type 'bridge'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
option type 'bridge'
config bridge-vlan
option device 'br-lan'
option vlan '201'
list ports 'lan1:t'
config device
option type '8021q'
option ifname 'br-lan'
option vid '201'
option name 'br-lan.201'
config interface 'vlan201'
option proto 'static'
option device 'br-lan.201'
option ipaddr '192.168.201.1'
option netmask '255.255.255.0'
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan1:t'
config bridge-vlan
option device 'br-lan'
option vlan '210'
list ports 'lan1:t'
config bridge-vlan
option device 'br-lan'
option vlan '211'
list ports 'lan1:t'
list ports 'lan2:u*'
list ports 'lan3:u*'
config device
option type '8021q'
option ifname 'br-lan'
option vid '210'
option name 'br-lan.210'
config device
option type '8021q'
option ifname 'br-lan'
option vid '211'
option name 'br-lan.211'
config interface 'vlan210'
option proto 'static'
option device 'br-lan.210'
option ipaddr '192.168.210.1'
option netmask '255.255.255.0'
config interface 'vlan211'
option proto 'static'
option device 'br-lan.211'
option ipaddr '192.168.211.1'
option netmask '255.255.255.0'
config bridge-vlan
option device 'br-lan'
option vlan '212'
list ports 'lan1:u*'
config bridge-vlan
option device 'br-lan'
option vlan '213'
list ports 'lan1:t'
list ports 'lan4:u*'
config bridge-vlan
option device 'br-lan'
option vlan '214'
list ports 'lan1:t'
config interface 'vlan213i'
option proto 'static'
option device 'br-lan.213'
option ipaddr '192.168.213.1'
option netmask '255.255.255.0'
config interface 'vlan214o'
option proto 'static'
option device 'br-lan.214'
option ipaddr '192.168.214.1'
option netmask '255.255.255.0'
config interface 'vlan60'
option proto 'static'
option device 'br-lan.60'
option ipaddr '10.60.1.1'
option netmask '255.255.255.0'
config bridge-vlan
option device 'br-lan'
option vlan '60'
list ports 'lan1:t'
config device
option name 'br-lan.213'
option type '8021q'
option ifname 'br-lan'
option vid '213'
config interface '27'
option proto 'none'
option device 'br-lan.27'
config bridge-vlan
option device 'br-lan'
option vlan '27'
list ports 'lan1:t'
config interface 'vlan212p'
option proto 'static'
option device 'br-lan.212'
option ipaddr '192.168.212.1'
option netmask '255.255.255.0'
config interface 'vlan215vpn'
option proto 'wireguard'
option private_key 'x='
option listen_port '51820'
list addresses '192.168.215.1/24'
config wireguard_vlan215vpn
option description 'Kevin Cell'
option public_key 'x='
option private_key 'x='
option preshared_key 'x='
list allowed_ips '192.168.215.10/32'
option route_allowed_ips '1'
config interface 'SiteToSide'
option proto 'wireguard'
option private_key 'x='
option listen_port '51821'
list addresses '172.16.1.2/32'
config wireguard_SiteToSide
option description 'Salem'
option public_key 'x='
option route_allowed_ips '1'
option endpoint_host 'x.x.x.x'
option endpoint_port '51821'
option persistent_keepalive '25'
list allowed_ips '192.168.10.0/24'
list allowed_ips '172.16.1.0/24'
list allowed_ips '192.168.11.0/24'
list allowed_ips '192.168.12.0/24'
list allowed_ips '192.168.13.0/24'
list allowed_ips '192.168.14.0/24'
list allowed_ips '192.168.15.0/24'
config wireguard_vlan215vpn
option description 'laptop'
option public_key 'x='
option private_key 'x='
option preshared_key 'x='
list allowed_ips '192.168.215.11/32'
option route_allowed_ips '1'
root@SeaSideOpenWrt:~# cat /etc/config/firewall
# Firewall-wide defaults for the SeaSide router.
# NOTE(review): input and forward default to ACCEPT here, while the Salem router's defaults
# section on this page uses REJECT for both. Traffic on any interface that is not assigned to
# a zone would presumably fall through to these policies - confirm that every interface,
# including the WireGuard ones, is listed in a zone, or set these to REJECT.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'vlan201'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'vlan201'
config forwarding
option src 'vlan201'
option dest 'lan'
config forwarding
option src 'vlan201'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'vlan201'
config zone
option name 'VLAN211W'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'vlan211'
config zone
option name 'VLAN210L'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'vlan210'
config forwarding
option src 'VLAN210L'
option dest 'lan'
config forwarding
option src 'VLAN210L'
option dest 'vlan201'
config forwarding
option src 'VLAN210L'
option dest 'VLAN211W'
config forwarding
option src 'VLAN210L'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'VLAN210L'
config forwarding
option src 'vlan201'
option dest 'VLAN210L'
config forwarding
option src 'VLAN211W'
option dest 'VLAN210L'
config forwarding
option src 'VLAN211W'
option dest 'lan'
config forwarding
option src 'VLAN211W'
option dest 'vlan201'
config forwarding
option src 'VLAN211W'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'VLAN211W'
config forwarding
option src 'vlan201'
option dest 'VLAN211W'
config zone
option name 'VLAN215VPN'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'vlan215vpn'
config forwarding
option src 'VLAN215VPN'
option dest 'lan'
config forwarding
option src 'VLAN215VPN'
option dest 'vlan201'
config forwarding
option src 'VLAN215VPN'
option dest 'VLAN210L'
config forwarding
option src 'VLAN215VPN'
option dest 'VLAN211W'
config forwarding
option src 'VLAN215VPN'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'VLAN215VPN'
config forwarding
option src 'vlan201'
option dest 'VLAN215VPN'
config forwarding
option src 'VLAN210L'
option dest 'VLAN215VPN'
config forwarding
option src 'VLAN211W'
option dest 'VLAN215VPN'
config redirect
option dest 'VLAN215VPN'
option target 'DNAT'
option name 'VPN'
list proto 'udp'
option src 'wan'
option src_dport '51820'
option dest_ip '192.168.215.1'
option dest_port '51820'
option family 'ipv4'
config zone
option name 'VLAN212P'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'vlan60'
list network 'vlan212p'
config zone
option name 'VLAN214O'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'vlan214o'
config forwarding
option src 'VLAN212P'
option dest 'lan'
config forwarding
option src 'VLAN212P'
option dest 'vlan201'
config forwarding
option src 'VLAN212P'
option dest 'VLAN210L'
config forwarding
option src 'VLAN212P'
option dest 'VLAN211W'
config forwarding
option src 'VLAN212P'
option dest 'VLAN214O'
config forwarding
option src 'VLAN212P'
option dest 'VLAN215VPN'
config forwarding
option src 'VLAN212P'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'VLAN212P'
config forwarding
option src 'vlan201'
option dest 'VLAN212P'
config forwarding
option src 'VLAN210L'
option dest 'VLAN212P'
config forwarding
option src 'VLAN211W'
option dest 'VLAN212P'
config forwarding
option src 'VLAN214O'
option dest 'VLAN212P'
config forwarding
option src 'VLAN215VPN'
option dest 'VLAN212P'
config forwarding
option src 'VLAN214O'
option dest 'lan'
config forwarding
option src 'VLAN214O'
option dest 'vlan201'
config forwarding
option src 'VLAN214O'
option dest 'VLAN210L'
config forwarding
option src 'VLAN214O'
option dest 'VLAN211W'
config forwarding
option src 'VLAN214O'
option dest 'VLAN215VPN'
config forwarding
option src 'VLAN214O'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'VLAN214O'
config forwarding
option src 'vlan201'
option dest 'VLAN214O'
config forwarding
option src 'VLAN210L'
option dest 'VLAN214O'
config forwarding
option src 'VLAN211W'
option dest 'VLAN214O'
config forwarding
option src 'VLAN215VPN'
option dest 'VLAN214O'
config zone
option name 'vlan213'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'vlan213i'
config forwarding
option src 'vlan213'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'vlan213'
config forwarding
option src 'vlan213'
option dest 'lan'
config forwarding
option src 'vlan213'
option dest 'vlan201'
config forwarding
option src 'vlan213'
option dest 'VLAN210L'
config forwarding
option src 'vlan213'
option dest 'VLAN211W'
config forwarding
option src 'vlan213'
option dest 'VLAN212P'
config forwarding
option src 'vlan213'
option dest 'VLAN214O'
config forwarding
option src 'vlan201'
option dest 'vlan213'
config forwarding
option src 'VLAN210L'
option dest 'vlan213'
config forwarding
option src 'VLAN211W'
option dest 'vlan213'
config forwarding
option src 'VLAN212P'
option dest 'vlan213'
config forwarding
option src 'VLAN214O'
option dest 'vlan213'
config zone
option name 'mesh27'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network '27'
config redirect
option dest 'VLAN210L'
option target 'DNAT'
option name 'HTTP'
list proto 'tcp'
option src 'wan'
option src_dport '80'
option dest_ip '192.168.210.163'
option dest_port '80'
option family 'ipv4'
config redirect
option dest 'VLAN210L'
option target 'DNAT'
option name 'HTTPS'
list proto 'tcp'
option src 'wan'
option src_dport '443'
option dest_ip '192.168.210.163'
option dest_port '443'
option family 'ipv4'
config redirect
option dest 'VLAN210L'
option target 'DNAT'
option name 'SSH4'
list proto 'tcp'
option src 'wan'
option src_dport '224'
option dest_ip '192.168.210.163'
option dest_port '22'
option family 'ipv4'
config redirect
option dest 'VLAN210L'
option target 'DNAT'
option name 'SSH3'
list proto 'tcp'
option src 'wan'
option src_dport '223'
option dest_ip '192.168.210.125'
option dest_port '22'
config redirect
option dest 'VLAN210L'
option target 'DNAT'
option name 'SSH'
list proto 'tcp'
option src 'wan'
option src_dport '22'
option dest_ip '192.168.210.139'
option dest_port '22'
option family 'ipv4'
config redirect
option dest 'VLAN210L'
option target 'DNAT'
option name 'SSH2'
list proto 'tcp'
option src 'wan'
option src_dport '222'
option dest_ip '10.60.1.8'
option dest_port '22'
option family 'ipv4'
config redirect
option dest 'VLAN210L'
option target 'DNAT'
option name 'ssh5'
list proto 'tcp'
option src 'wan'
option src_dport '225'
option dest_ip '192.168.210.105'
option dest_port '22'
option family 'ipv4'
config redirect
option dest 'VLAN210L'
option target 'DNAT'
option name 'sip'
option src 'wan'
option src_dport '5060'
option dest_ip '192.168.210.105'
option dest_port '5060'
option family 'ipv4'
config zone
option name 'SiteToSite'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'SiteToSide'
option masq '1'
config forwarding
option src 'SiteToSite'
option dest 'lan'
config forwarding
option src 'SiteToSite'
option dest 'vlan201'
config forwarding
option src 'SiteToSite'
option dest 'VLAN210L'
config forwarding
option src 'SiteToSite'
option dest 'VLAN211W'
config forwarding
option src 'SiteToSite'
option dest 'VLAN212P'
config forwarding
option src 'SiteToSite'
option dest 'vlan213'
config forwarding
option src 'SiteToSite'
option dest 'VLAN214O'
config forwarding
option src 'SiteToSite'
option dest 'VLAN215VPN'
config forwarding
option src 'SiteToSite'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'SiteToSite'
config forwarding
option src 'vlan201'
option dest 'SiteToSite'
config forwarding
option src 'VLAN210L'
option dest 'SiteToSite'
config forwarding
option src 'VLAN211W'
option dest 'SiteToSite'
config forwarding
option src 'VLAN212P'
option dest 'SiteToSite'
config forwarding
option src 'vlan213'
option dest 'SiteToSite'
config forwarding
option src 'VLAN214O'
option dest 'SiteToSite'
config forwarding
option src 'VLAN215VPN'
option dest 'SiteToSite'
config redirect
option dest 'SiteToSite'
option target 'DNAT'
option name 'siteTo Site'
option family 'ipv4'
list proto 'udp'
option src 'wan'
option src_dport '51821'
option dest_ip '10.10.10.2'
option dest_port '51821'
root@SeaSideOpenWrt:~# ip route show
default via xx.xx.0.1 dev wan src xx.xx.xx.xx
10.60.1.0/24 dev br-lan.60 scope link src 10.60.1.1
xx.xx.0.0/20 dev wan scope link src xx.xx.xx.xx
xx.xx.xx.xx via xx.xx.0.1 dev wan
172.16.1.0/24 dev SiteToSide scope link
192.168.1.0/24 dev br-lan.1 scope link src 192.168.1.1
192.168.10.0/24 dev SiteToSide scope link
192.168.11.0/24 dev SiteToSide scope link
192.168.12.0/24 dev SiteToSide scope link
192.168.13.0/24 dev SiteToSide scope link
192.168.14.0/24 dev SiteToSide scope link
192.168.15.0/24 dev SiteToSide scope link
192.168.201.0/24 dev br-lan.201 scope link src 192.168.201.1
192.168.210.0/24 dev br-lan.210 scope link src 192.168.210.1
192.168.211.0/24 dev br-lan.211 scope link src 192.168.211.1
192.168.212.0/24 dev br-lan.212 scope link src 192.168.212.1
192.168.213.0/24 dev br-lan.213 scope link src 192.168.213.1
192.168.214.0/24 dev br-lan.214 scope link src 192.168.214.1
192.168.215.0/24 dev vlan215vpn scope link src 192.168.215.1
192.168.215.10 dev vlan215vpn scope link
192.168.215.11 dev vlan215vpn scope link
root@SeaSideOpenWrt:~# wg show
interface: vlan215vpn
public key: x=
private key: (hidden)
listening port: 51820
peer: x=
preshared key: (hidden)
endpoint: 172.56.153.37:38452
allowed ips: 192.168.215.10/32
latest handshake: 16 hours, 28 minutes, 12 seconds ago
transfer: 135.69 KiB received, 36.25 KiB sent
peer: x=
preshared key: (hidden)
allowed ips: 192.168.215.11/32
interface: SiteToSide
public key: x=
private key: (hidden)
listening port: 51821
peer: x=
endpoint: xx.xx.xx.xx:51821
allowed ips: 192.168.10.0/24, 172.16.1.0/24, 192.168.11.0/24, 192.168.12.0/24, 192.168.13.0/24, 192.168.14.0/24, 192.168.15.0/24
latest handshake: 5 seconds ago
transfer: 96.68 MiB received, 94.09 MiB sent
persistent keepalive: every 25 seconds
There are a couple of (small) things which could use attention but that is probably not the main problem.
The wg show command shows a lot of traffic so I would concentrate on what has changed and what is not working.
Maybe the problem is not the routers but some clients you want to reach?
A simple thing to try, just reboot both routers.
One thing that will prevent a site-to-site VPN from working is an IP conflict. All of your networks must have independent, non-overlapping subnets, including the immediate WAN at each WireGuard terminal router. A common situation is that site A's WAN is 192.168.1.0/24 from a typical ISP-provided box, and that range overlaps site B's LAN. Router A then has two conflicting route entries for packets with a destination in 192.168.1.0/24, which prevents packets from A intended for the B LAN from going into the tunnel.
So if you have changed the ISP arrangement at one of the sites, that may be the problem.
I can ping all systems; I just cannot access web pages or SSH into any host.
Rebooted both ends.
Also removed 192.168.1.0/24 on both ends from the firewall.