I am having a strange issue. I am trying to forward a WireGuard connection from outside, arriving on my router's WAN, through to the LAN and from there on to my 2nd router, which uses mwan3 for dual-WAN access. I have set up my firewall rules (redirect/traffic rules) to forward this from wan to lan, and yet no traffic is seen on the lan side.
My firewall rules are:
# First posted /etc/config/firewall. Global policy: INPUT and FORWARD are
# dropped by default, OUTPUT is accepted; each zone below sets its own policy.
config defaults
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
# software flow offloading for established forwarded flows
option flow_offloading '1'
# Upstream zone: nothing unsolicited reaches the router or is forwarded;
# traffic leaving through this zone is source-NATed (masq for v4, masq6 for v6).
config zone
option name 'wan'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option masq6 '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
# raw device added to the zone; the poster later says this was only a test
list device 'wan'
# Downstream zone: the router accepts input from lan; a zone's 'forward'
# policy governs traffic between networks that belong to the same zone.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'DROP'
list network 'lan'
# lan may initiate connections towards wan; replies return via conntrack
config forwarding
option src 'lan'
option dest 'wan'
# Traffic (forward) rule meant to let the remote WireGuard peer reach a lan
# host: UDP from zone wan to zone lan, accepted only when dest_port AND
# src_port both equal <my port>.
# NOTE(review): src_port is the remote peer's source port, which WireGuard
# clients normally pick at random, so this match is narrower than intended
# (the thread confirms that dropping src_port made it work).
# NOTE(review): no dest_ip, so any lan host listening on that port is
# matched; and a forward rule does not DNAT — if the peer sends to the
# router's own wan address, a 'config redirect' with dest_ip would be
# needed instead. Confirm how the destination is reached.
config rule
option name 'WG'
list proto 'udp'
option src 'wan'
option dest 'lan'
option target 'ACCEPT'
option dest_port '<my port>'
option src_port '<my port>'
When I look at "tcpdump -i wan port <my port> -n" I see the traffic hitting my wan, but when I look at "tcpdump -i lan port <my port> -n" nothing appears.
Please connect to your OpenWrt device using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall # if you omitted rules in previous
cat /etc/config/network (the network I want to forward the traffic to is interface "lan_sl")
# /etc/config/network as posted. The network the WireGuard traffic should be
# forwarded to is 'lan_sl' (bridge br-lan-sl on port lan4).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
# IPv6 ULA prefix used for local addressing
option ula_prefix 'fd64:eb2d:147d::/48'
# 'lan' is a DHCP *client* on br-lan (lan1 + lan2): this router obtains an
# address from whatever is attached there rather than serving that segment.
config interface 'lan'
option device 'br-lan'
option proto 'dhcp'
option force_link '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
# 'lan_main': static 10.10.10.7/24 on br-lan-Main, DNS via 10.10.10.2.
# NOTE(review): 'option type bridge' here duplicates the 'config device'
# section for br-lan-Main further down — presumably a leftover; verify.
config interface 'lan_main'
option proto 'static'
option type 'bridge'
option device 'br-lan-Main'
option ipaddr '10.10.10.7'
option netmask '255.255.255.0'
list dns '10.10.10.2'
# Upstream IPv4 via DHCP on physical port 'wan'; no prefix delegation.
config interface 'wan'
option proto 'dhcp'
option device 'wan'
option delegate '0'
# Upstream IPv6 via DHCPv6 on the same port, requesting a /56; upstream DNS
# is ignored (peerdns 0) in favour of the public resolvers listed here.
# NOTE(review): ip6assign/ip6table on an upstream interface is unusual
# (ip6assign normally belongs on downstream interfaces) — verify intent.
config interface 'wan6'
option proto 'dhcpv6'
option device 'wan'
option reqaddress 'try'
option reqprefix '56'
option peerdns '0'
list dns '8.8.8.8'
list dns '8.8.4.4'
list dns '1.1.1.1'
list dns '1.0.0.1'
option ip6assign '64'
option ip6table 'local'
# 'lan_sl': static 192.168.1.1/24 on br-lan-sl (port lan4); this is the
# segment the poster wants the WireGuard traffic forwarded into.
config interface 'lan_sl'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '64'
list ip6class 'local'
list ip6class 'wan6'
list dns '8.8.8.8'
list dns '8.8.4.4'
list dns '1.1.1.1'
list dns '1.0.0.1'
option broadcast '192.168.1.255'
option device 'br-lan-sl'
# Bridge definitions; bridge_empty keeps each bridge up with no member link.
config device
option type 'bridge'
option name 'br-lan-sl'
list ports 'lan4'
option bridge_empty '1'
config device
option type 'bridge'
option name 'br-lan-Main'
list ports 'lan3'
option bridge_empty '1'
cat /etc/config/firewall
# Full /etc/config/firewall as posted. Global policy: INPUT and FORWARD are
# dropped by default, OUTPUT is accepted; zones and rules opt in explicitly.
config defaults
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
# software flow offloading for established forwarded flows
option flow_offloading '1'
# 'lan' zone (the DHCP-client segment): note input is DROP here, unlike the
# first posting, so hosts on that segment cannot reach the router itself.
config zone
option name 'lan'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
list network 'lan'
# 'lan_main' zone: router management reachable from 10.10.10.0/24;
# no forwarding section points it at wan, consistent with the poster's
# statement that only lan_sl should reach the internet through this box.
config zone
option name 'lan_main'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'DROP'
list network 'lan_main'
# Upstream zone: unsolicited input and forwarding dropped; outbound traffic
# leaving through it is source-NATed (masq/masq6); MSS clamped (mtu_fix).
config zone
option name 'wan'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option masq6 '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
# 'lan_sl' zone: the segment holding the downstream mwan3 router.
config zone
option name 'lan_sl'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'DROP'
list network 'lan_sl'
# --- stock OpenWrt input rules for the wan zone ---
# DHCP renewals addressed to the router's client port
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# IPv4 ping from wan is present but disabled (enabled 0)
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# MLD only from link-local sources
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# essential ICMPv6 to the router itself, rate-limited
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# essential ICMPv6 forwarded from wan to any zone (dest '*'), rate-limited
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
list icmp_type 'bad-header'
list icmp_type 'destination-unreachable'
list icmp_type 'echo-reply'
list icmp_type 'echo-request'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'unknown-header-type'
# --- custom forward rules towards lan_sl ---
# IPsec ESP and IKE (UDP/500) forwarded from wan into lan_sl.
# NOTE(review): neither rule carries dest_ip, so they match any host in
# lan_sl, not just the downstream router — narrow with dest_ip if only one
# host is meant to receive them.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan_sl'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan_sl'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# lan_sl may initiate connections towards wan; replies return via conntrack
config forwarding
option src 'lan_sl'
option dest 'wan'
# WireGuard forward rule: UDP from wan into lan_sl, accepted only when
# dest_port AND src_port both equal <my port>.
# NOTE(review): src_port is the remote peer's source port, which WireGuard
# clients normally pick at random, so the match is narrower than intended;
# the thread confirms the rule worked after src_port was removed and a
# destination address (the downstream router) was added.
# NOTE(review): a forward rule does not DNAT — if the peer sends to this
# router's own wan address, a 'config redirect' with dest_ip is what
# steers it to the lan_sl host. Confirm which applies here.
config rule
option name 'WG SL'
list proto 'udp'
option src 'wan'
option dest 'lan_sl'
option target 'ACCEPT'
option dest_port '<my port>'
option src_port '<my port>'
# stock rule: answer UDP traceroute probes from wan with a reject
config rule
option name 'Support-UDP-Traceroute'
list proto 'udp'
option target 'REJECT'
option src 'wan'
option family 'ipv4'
option dest_port '33434-33689'
I have a number of other networks running across this router, but the only connection to the wan should be over interface "lan_sl" through firewall zone "lan_sl". The other networks are simply connected to my 2nd LAN network through my house (my main LAN and an administrative LAN).
I also removed the previously mentioned device 'wan' entry; it was only a test to see whether it was causing the issue, and I had neglected to remove it earlier.
I'm not sure whether spaces are allowed in a rule name; to be safe, use a hyphen instead of a space: option name 'WG-SL'
Using src_port usually does not work, because clients usually send from a random (ephemeral) source port, so a rule pinned to src_port only matches a peer that happens to use exactly that port; what you need is the source-side destination port, i.e. src_dport.
So remove option src_port '<my port>' and replace it with option src_dport '<my port>'.
Spaces are allowed. I removed src_port and got it working. I also needed to specify the destination address (the 2nd WAN on my 2nd router, which is my main router, the one hosting mwan3); without a destination address the rule accepts that port towards any host in lan_sl rather than just the intended one. I will mark this as solved.