Using the most recent version of OpenWrt, I can connect a (Linux) client to my OpenWrt router, which is directly connected to the internet.
But I cannot reach any clients on the LAN behind the OpenWrt router. What step am I missing?
Current OpenWrt config (config that does not seem relevant is omitted):
uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd26:f2ad:1ec4::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.wan=interface
network.wan.ifname='eth1.2'
network.wan.proto='dhcp'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 3 5t'
network.@switch_vlan[0].vid='1'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='4 6t'
network.@switch_vlan[1].vid='2'
network.WireGuard=interface
network.WireGuard.proto='wireguard'
network.WireGuard.private_key='xxx'
network.WireGuard.addresses='10.0.0.254/24'
network.WireGuard.listen_port='51820'
network.@wireguard_WireGuard[0]=wireguard_WireGuard
network.@wireguard_WireGuard[0].description='xxx'
network.@wireguard_WireGuard[0].route_allowed_ips='1'
network.@wireguard_WireGuard[0].endpoint_port='51820'
network.@wireguard_WireGuard[0].public_key='xxx'
network.@wireguard_WireGuard[0].allowed_ips='0.0.0.0/0'
uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan IOT servers servers_30 WireGuard' #I have several interfaces omitted from the above network config; they are all in the lan firewall zone
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.wg=rule
firewall.wg.name='Allow-WireGuard'
firewall.wg.src='wan'
firewall.wg.proto='udp'
firewall.wg.target='ACCEPT'
#routing on ubuntu client
ip route
default via 192.168.1.1 dev wlp4s0 proto dhcp metric 600
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.100
169.254.0.0/16 dev wlp4s0 scope link metric 1000
192.168.1.0/24 dev wlp4s0 proto kernel scope link src 192.168.1.246 metric 600
ip addr (on ubuntu client)
3: wlp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether e4:a7:a0:66:00:8f brd ff:ff:ff:ff:ff:ff
inet 192.168.1.246/24 brd 192.168.1.255 scope global dynamic noprefixroute wlp4s0
valid_lft 38536sec preferred_lft 38536sec
inet6 fe80::97ea:a0a2:d0f2:649a/64 scope link noprefixroute
valid_lft forever preferred_lft forever
5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.0.0.100/24 scope global wg0
valid_lft forever preferred_lft forever
What step am I missing so that my client can reach the LAN network freely?
Please run the following commands on the OpenWrt router (copy-paste the whole block) and paste the output here, using the "Preformatted text </>" button:
Remember to redact passwords, WireGuard private keys, MAC addresses and any public IP addresses you may have.
# Collect the router-side diagnostics requested above: UCI network and
# firewall config, the custom firewall include, the live iptables rule
# set with packet counters, then IPv4 addresses, every routing table and
# the policy rules.
# NOTE: 'uci export network' prints WireGuard private_key values and the
# wan interface address — redact those, along with MAC addresses, before
# pasting the output anywhere.
for pkg in network firewall; do
  uci export "$pkg"
done
head -n -0 /etc/firewall.user
iptables-save -c
ip -4 addr
ip -4 route list table all
ip -4 rule
Can you also explain the network topology? What's connected to what?
OpenWrt router directly connected to the ISP; pingable from the internet.
Ubuntu client gets a 192.168.1.xxx IP from OpenWrt when connecting via Wi-Fi.
Then I can reach everything from the client, as I am on the local network.
Then I switch to a different Wi-Fi hotspot outside my local LAN, and I can still only ping 10.0.0.254 (the OpenWrt WireGuard interface).
But for a moment earlier it did work, after I made the changes you suggested.
uci export network; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru;
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd26:f2ad:1ec4::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
config interface 'wan'
option ifname 'eth1.2'
option proto 'dhcp'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5t'
option vid '1'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
option vid '2'
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '40'
option ports '0t 1t 5t'
config switch_vlan
option device 'switch0'
option vlan '4'
option vid '50'
option ports '0t 1t 5t'
config switch_vlan
option device 'switch0'
option vlan '5'
option vid '60'
option ports '0t 1t 5t'
config switch_vlan
option device 'switch0'
option vlan '6'
option vid '70'
option ports '0t 1t 5t'
config interface 'guest'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '10.5.0.1'
option ifname 'eth0.50'
config interface 'IOT'
option proto 'static'
option type 'bridge'
option netmask '255.255.255.0'
option ifname 'eth0.60'
option ipaddr '10.6.0.1'
config interface 'servers'
option proto 'static'
option ipaddr '10.20.0.1'
option netmask '255.252.0.0'
option ifname '@lan'
config interface 'servers_30'
option ifname '@lan'
option proto 'static'
option ipaddr '10.30.0.1'
option netmask '255.252.0.0'
config interface 'WireGuard'
option proto 'wireguard'
option private_key ''
list addresses '10.0.0.254/24'
option listen_port '51820'
config wireguard_WireGuard
option description 'thinkpad'
option route_allowed_ips '1'
option endpoint_port '51820'
option public_key ''
list allowed_ips '10.0.0.100/32'
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan IOT servers servers_30 WireGuard'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone 'guest'
option name 'guest'
option network 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config forwarding 'guest_wan'
option src 'guest'
option dest 'wan'
config rule 'guest_dns'
option name 'Allow-DNS-Guest'
option src 'guest'
option dest_port '53'
option proto 'tcp udp'
option target 'ACCEPT'
config rule 'guest_dhcp'
option name 'Allow-DHCP-Guest'
option src 'guest'
option dest_port '67'
option family 'ipv4'
option proto 'udp'
option target 'ACCEPT'
config rule
list proto 'all'
option name 'Block-WAN-IOT'
list src_ip '10.6.0.1/24'
option dest 'wan'
option target 'DROP'
option src 'lan'
option family 'ipv4'
config rule 'wg'
option name 'Allow-WireGuard'
option src 'wan'
option proto 'udp'
option target 'ACCEPT'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.3 on Fri Dec 18 14:10:22 2020
*nat
:PREROUTING ACCEPT [6447:462816]
:INPUT ACCEPT [1888:153429]
:OUTPUT ACCEPT [862:63629]
:POSTROUTING ACCEPT [67:8570]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[6447:462816] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[1154:64204] -A PREROUTING -i br-IOT -m comment --comment "!fw3" -j zone_lan_prerouting
[3651:306116] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i WireGuard -m comment --comment "!fw3" -j zone_lan_prerouting
[488:28292] -A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[1154:64204] -A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_guest_prerouting
[2258:156238] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-IOT -m comment --comment "!fw3" -j zone_lan_postrouting
[67:8570] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o WireGuard -m comment --comment "!fw3" -j zone_lan_postrouting
[2191:147668] -A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_guest_postrouting
[0:0] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
[1154:64204] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
[67:8570] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[4805:370320] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[2191:147668] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[2191:147668] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[488:28292] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Fri Dec 18 14:10:22 2020
# Generated by iptables-save v1.8.3 on Fri Dec 18 14:10:22 2020
*mangle
:PREROUTING ACCEPT [74423:43201892]
:INPUT ACCEPT [9440:870934]
:FORWARD ACCEPT [61821:42114704]
:OUTPUT ACCEPT [7065:869776]
:POSTROUTING ACCEPT [68820:42976684]
[717:40020] -A FORWARD -o eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[712:39056] -A FORWARD -i eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Dec 18 14:10:22 2020
# Generated by iptables-save v1.8.3 on Fri Dec 18 14:10:22 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[9440:870934] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[4962:562929] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[456:18744] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[0:0] -A INPUT -i br-IOT -m comment --comment "!fw3" -j zone_lan_input
[2820:237786] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i WireGuard -m comment --comment "!fw3" -j zone_lan_input
[1658:70219] -A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guest_input
[61821:42114704] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[60846:42031662] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-IOT -m comment --comment "!fw3" -j zone_lan_forward
[975:83042] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i WireGuard -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_guest_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[7027:865248] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[6125:798131] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-IOT -m comment --comment "!fw3" -j zone_lan_output
[12:3424] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o WireGuard -m comment --comment "!fw3" -j zone_lan_output
[890:63693] -A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_guest_output
[813:33722] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[456:18744] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_guest_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guest_dest_REJECT -o br-guest -m comment --comment "!fw3" -j reject
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
[0:0] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
[0:0] -A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 67 -m comment --comment "!fw3: Allow-DHCP-Guest" -j ACCEPT
[0:0] -A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
[0:0] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
[0:0] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[0:0] -A zone_guest_src_REJECT -i br-guest -m comment --comment "!fw3" -j reject
[0:0] -A zone_lan_dest_ACCEPT -o br-IOT -m comment --comment "!fw3" -j ACCEPT
[79:14252] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o WireGuard -m comment --comment "!fw3" -j ACCEPT
[975:83042] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -s 10.6.0.0/24 -m comment --comment "!fw3: Block-WAN-IOT" -j zone_wan_dest_DROP
[975:83042] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[67:10828] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2820:237786] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[2820:237786] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[12:3424] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[12:3424] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i br-IOT -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[2820:237786] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i WireGuard -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[28:3268] -A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1770:132639] -A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_DROP -o eth1.2 -m comment --comment "!fw3" -j DROP
[0:0] -A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[1658:70219] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[25:8273] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[820:28224] -A zone_wan_input -p udp -m comment --comment "!fw3: Allow-WireGuard" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[813:33722] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[890:63693] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[890:63693] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[813:33722] -A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Dec 18 14:10:22 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
8: br-IOT: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 10.6.0.1/24 brd 10.6.0.255 scope global br-IOT
valid_lft forever preferred_lft forever
10: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 10.5.0.1/24 brd 10.5.0.255 scope global br-guest
valid_lft forever preferred_lft forever
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
inet 10.20.0.1/14 brd 10.23.255.255 scope global br-lan
valid_lft forever preferred_lft forever
inet 10.30.0.1/14 brd 10.31.255.255 scope global br-lan
valid_lft forever preferred_lft forever
14: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 82.197.207.131/22 brd 82.197.207.255 scope global eth1.2
valid_lft forever preferred_lft forever
15: WireGuard: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
inet 10.0.0.254/24 brd 10.0.0.255 scope global WireGuard
valid_lft forever preferred_lft forever
default via 82.197.204.1 dev eth1.2 proto static src 82.197.207.131
10.0.0.0/24 dev WireGuard proto kernel scope link src 10.0.0.254
10.0.0.100 dev WireGuard proto static scope link
10.5.0.0/24 dev br-guest proto kernel scope link src 10.5.0.1
10.6.0.0/24 dev br-IOT proto kernel scope link src 10.6.0.1
10.20.0.0/14 dev br-lan proto kernel scope link src 10.20.0.1
10.28.0.0/14 dev br-lan proto kernel scope link src 10.30.0.1
82.197.204.0/22 dev eth1.2 proto kernel scope link src 82.197.207.131
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
broadcast 10.0.0.0 dev WireGuard table local proto kernel scope link src 10.0.0.254
local 10.0.0.254 dev WireGuard table local proto kernel scope host src 10.0.0.254
broadcast 10.0.0.255 dev WireGuard table local proto kernel scope link src 10.0.0.254
broadcast 10.5.0.0 dev br-guest table local proto kernel scope link src 10.5.0.1
local 10.5.0.1 dev br-guest table local proto kernel scope host src 10.5.0.1
broadcast 10.5.0.255 dev br-guest table local proto kernel scope link src 10.5.0.1
broadcast 10.6.0.0 dev br-IOT table local proto kernel scope link src 10.6.0.1
local 10.6.0.1 dev br-IOT table local proto kernel scope host src 10.6.0.1
broadcast 10.6.0.255 dev br-IOT table local proto kernel scope link src 10.6.0.1
broadcast 10.20.0.0 dev br-lan table local proto kernel scope link src 10.20.0.1
local 10.20.0.1 dev br-lan table local proto kernel scope host src 10.20.0.1
broadcast 10.23.255.255 dev br-lan table local proto kernel scope link src 10.20.0.1
broadcast 10.28.0.0 dev br-lan table local proto kernel scope link src 10.30.0.1
local 10.30.0.1 dev br-lan table local proto kernel scope host src 10.30.0.1
broadcast 10.31.255.255 dev br-lan table local proto kernel scope link src 10.30.0.1
broadcast 82.197.204.0 dev eth1.2 table local proto kernel scope link src 82.197.207.131
local 82.197.207.131 dev eth1.2 table local proto kernel scope host src 82.197.207.131
broadcast 82.197.207.255 dev eth1.2 table local proto kernel scope link src 82.197.207.131
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Change AllowedIPs = 10.0.0.254/32 on the client to AllowedIPs = 0.0.0.0/0 if you want to access LAN devices and have your internet connection routed through the OpenWrt router. Otherwise, set AllowedIPs to include all the subnets of the LANs you want to access remotely. Separately, note that your Allow-WireGuard rule has no dest_port, so it currently accepts any UDP from wan to the router itself (see the `-p udp ... "!fw3: Allow-WireGuard" -j ACCEPT` line in your iptables-save output); add `option dest_port '51820'` to that rule so only the WireGuard port is open.
Still only able to ping the OpenWrt WireGuard interface at 10.0.0.254 when not connected to the LAN.
client config:
ip route
default via 192.168.43.1 dev wlp4s0 proto dhcp metric 600
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.100
169.254.0.0/16 dev wlp4s0 scope link metric 1000
192.168.43.0/24 dev wlp4s0 proto kernel scope link src 192.168.43.29 metric 600
wg
interface: wg0
public key: xxx
private key: (hidden)
listening port: 33617
peer: xxx
endpoint: xxx:51820
allowed ips: 0.0.0.0/0
latest handshake: 2 minutes, 5 seconds ago
transfer: 19.04 KiB received, 80.88 KiB sent
persistent keepalive: every 25 seconds
root@rootpad:/etc/wireguard# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s31f6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether c8:5b:76:72:f3:b6 brd ff:ff:ff:ff:ff:ff
3: wlp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether e4:a7:a0:66:00:8f brd ff:ff:ff:ff:ff:ff
inet 192.168.43.29/24 brd 192.168.43.255 scope global dynamic noprefixroute wlp4s0
valid_lft 3589sec preferred_lft 3589sec
inet6 fe80::cf0e:a1bb:afe4:70f3/64 scope link noprefixroute
valid_lft forever preferred_lft forever
5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.0.0.100/24 scope global wg0
valid_lft forever preferred_lft forever
root@rootpad:/etc/wireguard# ping 10.0.0.254
PING 10.0.0.254 (10.0.0.254) 56(84) bytes of data.
64 bytes from 10.0.0.254: icmp_seq=1 ttl=64 time=43.4 ms
64 bytes from 10.0.0.254: icmp_seq=2 ttl=64 time=37.6 ms
64 bytes from 10.0.0.254: icmp_seq=3 ttl=64 time=74.4 ms
^Z
[11]+ Stopped ping 10.0.0.254
ping 192.168.1.141
PING 192.168.1.141 (192.168.1.141) 56(84) bytes of data.
^Z
[19]+ Stopped ping 192.168.1.141
^Z
[13]+ Stopped ping 192.168.1.1
root@rootpad:/etc/wireguard# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
From 10.0.0.254 icmp_seq=1 Destination Host Unreachable
From 10.0.0.254 icmp_seq=2 Destination Host Unreachable
From 10.0.0.254 icmp_seq=3 Destination Host Unreachable
openwrt config
wg
interface: WireGuard
public key: xxx
private key: (hidden)
listening port: 51820
peer: xxx
endpoint: 192.168.1.246:33617 #this is the client's local IP from the DHCP lease when connected to the OpenWrt directly. Not sure why it is not automatically updating to 192.168.43.29 (the DHCP lease I get when tethered)
allowed ips: 10.0.0.100/32
latest handshake: 1 minute, 14 seconds ago
transfer: 2.94 KiB received, 2.08 KiB sent
ip route
default via 82.197.204.1 dev eth1.2 proto static src 82.197.207.131
10.0.0.0/24 dev WireGuard proto kernel scope link src 10.0.0.254
10.0.0.100 dev WireGuard proto static scope link
10.5.0.0/24 dev br-guest proto kernel scope link src 10.5.0.1
10.6.0.0/24 dev br-IOT proto kernel scope link src 10.6.0.1
10.20.0.0/14 dev br-lan proto kernel scope link src 10.20.0.1
10.28.0.0/14 dev br-lan proto kernel scope link src 10.30.0.1
82.197.204.0/22 dev eth1.2 proto kernel scope link src 82.197.207.131
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
Ahh, that might be it: I am not using wg-quick, and I am not even restarting the wg interface on the client. I assumed that was not needed, as the changes are reflected directly when running the wg command.
#after reboot there is no wg interface present on the client; the client is connected to the LAN
root@rootpad:~# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.100/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
root@rootpad:~# wg
interface: wg0
public key: xxx
private key: (hidden)
listening port: 33617
fwmark: 0xca6c
peer: xxx
endpoint: 82.197.207.131:51820
allowed ips: 0.0.0.0/0
latest handshake: 9 seconds ago
transfer: 92 B received, 180 B sent
persistent keepalive: every 25 seconds
root@rootpad:~# ip route
default via 192.168.1.1 dev wlp4s0 proto dhcp metric 600
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.100
169.254.0.0/16 dev wlp4s0 scope link metric 1000
192.168.1.0/24 dev wlp4s0 proto kernel scope link src 192.168.1.246 metric 600
#i can ping openwrt wg interface
root@rootpad:~# ping 10.0.0.254
PING 10.0.0.254 (10.0.0.254) 56(84) bytes of data.
64 bytes from 10.0.0.254: icmp_seq=1 ttl=64 time=4.24 ms
64 bytes from 10.0.0.254: icmp_seq=2 ttl=64 time=4.53 ms
64 bytes from 10.0.0.254: icmp_seq=3 ttl=64 time=4.36 ms
^Z
[1]+ Stopped ping 10.0.0.254
#i can ping a lan client
root@rootpad:~# ping 192.168.1.141
PING 192.168.1.141 (192.168.1.141) 56(84) bytes of data.
64 bytes from 192.168.1.141: icmp_seq=1 ttl=64 time=6.73 ms
64 bytes from 192.168.1.141: icmp_seq=2 ttl=64 time=4.38 ms
^Z
[2]+ Stopped ping 192.168.1.141
root@rootpad:~# ip route
default via 192.168.43.1 dev wlp4s0 proto dhcp metric 600
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.100
169.254.0.0/16 dev wlp4s0 scope link metric 1000
192.168.43.0/24 dev wlp4s0 proto kernel scope link src 192.168.43.29 metric 600
#switching to tethered connection for client, not restarting wg0 interface
#can no longer ping a client on lan
root@rootpad:~# ping 192.168.1.141
PING 192.168.1.141 (192.168.1.141) 56(84) bytes of data.
^Z
[3]+ Stopped ping 192.168.1.141
#restarting wg0
root@rootpad:~# wg-quick down wg0
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
[#] iptables-restore -n
root@rootpad:~# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.100/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
root@rootpad:~# wg
interface: wg0
public key: xxx
private key: (hidden)
listening port: 33617
fwmark: 0xca6c
peer: xxx
endpoint: 82.197.207.131:51820
allowed ips: 0.0.0.0/0
transfer: 0 B received, 296 B sent
persistent keepalive: every 25 seconds
#still can not ping client on lan
root@rootpad:~# ping 192.168.1.141
PING 192.168.1.141 (192.168.1.141) 56(84) bytes of data.
^Z
[4]+ Stopped ping 192.168.1.141
# can't even ping openwrt wg interface anymore
root@rootpad:~# ping 10.0.0.254
PING 10.0.0.254 (10.0.0.254) 56(84) bytes of data.
^Z
[5]+ Stopped ping 10.0.0.254
root@rootpad:~#
default via 192.168.43.1 dev wlp4s0 proto dhcp metric 600
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.100 metric 50
169.254.0.0/16 dev wlp4s0 scope link metric 1000
192.168.43.0/24 dev wlp4s0 proto kernel scope link src 192.168.43.29 metric 600
May I ask why? I used it to create a unique source/destination port pair for my WireGuard client-server pairs, as it seemed that ListenPort is also used as the source port on clients.
Ephemeral ports are supposed to be allocated dynamically by a method that guarantees a free port, so binding a specific port instead has a chance of colliding with one already in use.
There is no point in doing so when the client is behind NAT, since the NAT may rewrite the source port anyway.
It is also better for security and privacy to avoid predictable behaviour.
You are absolutely right, and that explains why it doesn't work on one of my clients (the one behind NAT); all the others are routers acting as the VPN client, which is why they work.