I don't know how to describe this any better.
The issue is:
I have my router (R7800) behind a Unitymedia ConnectBox.
The ConnectBox is running on 192.168.1.1
The WAN IP of the R7800 is 192.168.1.9 and is configured as DMZ
The LAN is running on 192.168.8.0/24
This is all working fine.
I'm also running an OpenVPN server. Now what I'm trying to do is:
1. Wake up my PC from the router.
2. Connect to my PC from a VPN client (the PC is running Linux and is running dropbear in the initramfs so I can type in my LUKS password).
What happens right now is:
1. Works, but I had to use the wakeonlan package where I could specify the broadcast IP as 192.168.8.255. Etherwake did not work.
2. This is the weird thing. If I connect to the router via SSH and then from there connect to my PC, it works.
If I connect directly from my VPN client it doesn't work and the connection just times out.
Once the PC is running though I can connect just fine.
I had all of this working on my old router running OpenWrt (WNDR3700).
Now I also tried to enable firewall logging but couldn't see anything interesting.
So in my understanding my VPN routing seems to work. The firewall should be ok, so I don't understand what's causing this.
The only difference is that once the PC is running the network is in bridge mode, but it has the same IP, so I don't get it.
Is the router configured to forward traffic between the VPN and the LAN?
When you connect through the VPN, the PC receives a connection from an IP address in the range of the VPN, not the LAN. Is the firewall in the PC configured to admit such connections?
Yes. I can access the router via its LAN IP from the client PC.
Also, once my PC has fully booted I can access it via its LAN IP as well.
Router: 192.168.8.1
PC: 192.168.8.2
Also here are my configs below. Let me know if you need anything else.
/etc/config/firewall
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option flow_offloading '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule 'Allow_OpenVPN_Inbound'
	option target 'ACCEPT'
	option src '*'
	option proto 'tcp'
	option dest_port '443'

config zone 'vpn'
	option name 'vpn'
	option network 'vpn0'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option masq '1'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'vpn'

config forwarding
	option dest 'wan'
	option src 'vpn'

config forwarding
	option dest 'vpn'
	option src 'lan'
I managed to find a fix.
I'm using the kernel cmd line's ip= attribute.
I didn't set the netmask and gateway. This didn't cause any issues before but now I switched to ip=dhcp briefly and it worked so I then added my manual IP again and added gateway and netmask. Now everything works.
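A small check for the root cause named in the fix above, added here as an example and not posted by anyone in the thread: it parses the kernel's positional ip= boot parameter and reports a static entry that lacks the gateway or netmask fields. The sample values (192.168.8.2, 192.168.8.1, eth0) are assumed from the addresses given earlier in the thread, and the interface name is a guess.

```sh
#!/bin/sh
# Added example, not from the thread: validate the kernel "ip=" boot parameter
# that the initramfs uses to bring up the network before dropbear starts.
# Fields are positional and colon separated (kernel nfsroot documentation):
#   ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>
# A static entry without <gw-ip> gives the initramfs no default route, so it can
# answer hosts on its own subnet (the router's LAN address) but not a VPN client
# on another subnet whose packets the router forwards in: the SYN arrives, the
# reply has nowhere to go, and the SSH connection times out.

# ip_field VALUE N: print the N-th (1-based) colon-separated field of VALUE.
# A colon is appended so a value without any ':' still yields only field 1.
ip_field() {
    printf '%s:\n' "$1" | cut -d: -f"$2"
}

# check_ip_param 'ip=...': return 0 when the setting yields a routed host,
# 1 when a static entry is missing its netmask or gateway. Prints the reason.
check_ip_param() {
    val=${1#ip=}
    case "$val" in
        dhcp|bootp|rarp|both|on|any)
            echo "ok: autoconf '$val' supplies netmask and gateway"
            return 0 ;;
    esac
    client=$(ip_field "$val" 1)
    gw=$(ip_field "$val" 3)
    mask=$(ip_field "$val" 4)
    rc=0
    [ -n "$client" ] || { echo "bad: field 1 (client IP) is empty"; return 1; }
    if [ -z "$mask" ]; then
        echo "missing: field 4 (netmask); the kernel falls back to a classful mask"
        rc=1
    fi
    if [ -z "$gw" ]; then
        echo "missing: field 3 (gateway); no default route, so off-subnet peers such as VPN clients get no replies"
        rc=1
    fi
    [ "$rc" -ne 0 ] || echo "ok: $client netmask $mask via gateway $gw"
    return "$rc"
}
```

On a booted host, `check_ip_param "$(tr ' ' '\n' </proc/cmdline | grep '^ip=')"` checks the parameter that was actually used, e.g. `ip=192.168.8.2:::::eth0:none` is flagged while `ip=192.168.8.2::192.168.8.1:255.255.255.0::eth0:none` passes.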