[Solved] Routing Riddle driving me crazy

Hi,
I have somehow managed to add a "Route" that is really driving me crazy.
I see it in the Routing info,

its the line in "Active IPv4 Routes"
"lan" -> 192.168.112.2 being sent to Gateway 192.168.0.1

I searched all settings, and also the "known" config files -> I can't find it.

The config belongs to a dumb AP with guest-wifi and a wireguard server on a R7800 with openWrt 23.05.

Can you help me out with any idea / clue on how to find out where I accidentally configured this line - and how I can get rid of it?

many many thx in advance

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

ubus system board

root@szne_nighthawk1_rumpel_195:~# ubus call system board
{
        "kernel": "5.15.134",
        "hostname": "szne_nighthawk1_rumpel_195",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "Netgear Nighthawk X4S R7800",
        "board_name": "netgear,r7800",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "ipq806x/generic",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}
root@szne_nighthawk1_rumpel_195:~#

cat /etc/config/network

root@szne_nighthawk1_rumpel_195:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.2'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option ipv6 '0'
        option proto 'static'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'
        option ipaddr '192.168.0.195'
        list dns '192.168.0.171'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '6t 4 3 2 1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '0t 5'

config interface 'guest1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.195.1'
        option device 'wifi_bridge'

config device
        option type 'bridge'
        option name 'wifi_bridge'

config interface 'wg_s2s_amopsz'
        option proto 'wireguard'
        option private_key 'qJxJ7++cZy95RlS1Y='
        option listen_port '51823'

config wireguard_wg_s2s_amopsz 's2s_vpn_site_bmopsz'
        option public_key 'MZ7RTNrnhc++3EOu8zWU='
        option preshared_key 'WHYjb++/b4gO8Tp7zvY='
        option description 'Site B, e.ation.me'
        list allowed_ips '192.168.112.0/24'
        list allowed_ips 'fdee:eeee:efff::/48'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host 'e.ation.me'
        option endpoint_port '51823'

root@szne_nighthawk1_rumpel_195:~#

Firewall

root@szne_nighthawk1_rumpel_195:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg_s2s_amopsz'

config zone 'guest'
        option name 'guest'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'guest1'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option src_port '68'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

config forwarding
        option dest 'lan'

config forwarding
        option src 'guest'
        option dest 'lan'

config rule
        option name 'dhcp ok'
        option dest 'lan'
        option dest_port '53'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'dns ok'
        list dest_ip '192.168.0.1'
        list dest_ip '192.168.0.171'
        option dest_port '67'
        option target 'ACCEPT'
        option dest 'lan'
        option enabled '0'

config rule
        option dest 'lan'
        option target 'DROP'
        option name 'drop all guest traffic'
        option enabled '0'

config rule
        option name 'drop guest'
        option src 'guest'
        list src_ip '192.168.195.0/24'
        option dest 'lan'
        list dest_ip '192.168.0.0/24'
        option target 'REJECT'
        list proto 'all'

root@szne_nighthawk1_rumpel_195:~#

Try putting the wireguard network into its own firewall zone, and then allowing forwarding from that new zone > lan zone.

Then reboot the router.

did it (tried) - see output, plus reboot,
routing line still there:

root@szne_nighthawk1_rumpel_195:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.2'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option ipv6 '0'
        option proto 'static'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'
        option ipaddr '192.168.0.195'
        list dns '192.168.0.171'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '6t 4 3 2 1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '0t 5'

config interface 'guest1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.195.1'
        option device 'wifi_bridge'

config device
        option type 'bridge'
        option name 'wifi_bridge'

config interface 'wg_s2s_amopsz'
        option proto 'wireguard'
        option private_key 'qJx0t5RlS1Y='
        option listen_port '51823'

config wireguard_wg_s2s_amopsz 's2s_vpn_site_bmopsz'
        option public_key 'MZ7EOu8zWU='
        option preshared_key 'WHYjbgO8Tp7zvY='
        option description 'Site B, e.diskstation.me'
        list allowed_ips '192.168.112.0/24'
        list allowed_ips 'fdee:eeee:efff::/48'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host 'e.diskstation.me'
        option endpoint_port '51823'

root@szne_nighthawk1_rumpel_195:~#
root@szne_nighthawk1_rumpel_195:~#
root@szne_nighthawk1_rumpel_195:~#
root@szne_nighthawk1_rumpel_195:~#
root@szne_nighthawk1_rumpel_195:~#
root@szne_nighthawk1_rumpel_195:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'guest'
        option name 'guest'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'guest1'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option src_port '68'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

config forwarding
        option dest 'lan'

config forwarding
        option src 'guest'
        option dest 'lan'

config rule
        option name 'dhcp ok'
        option dest 'lan'
        option dest_port '53'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'dns ok'
        list dest_ip '192.168.0.1'
        list dest_ip '192.168.0.171'
        option dest_port '67'
        option target 'ACCEPT'
        option dest 'lan'
        option enabled '0'

config rule
        option dest 'lan'
        option target 'DROP'
        option name 'drop all guest traffic'
        option enabled '0'

config rule
        option name 'drop guest'
        option src 'guest'
        list src_ip '192.168.195.0/24'
        option dest 'lan'
        list dest_ip '192.168.0.0/24'
        option target 'REJECT'
        list proto 'all'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg_s2s_amopsz'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'vpn'

root@szne_nighthawk1_rumpel_195:~#

route command looks like this (still):


root@szne_nighthawk1_rumpel_195:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         fritz.lan       0.0.0.0         UG    0      0        0 br-lan
192.168.0.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.112.0   *               255.255.255.0   U     0      0        0 wg_s2s_amopsz
192.168.112.2   fritz.lan       255.255.255.255 UGH   0      0        0 br-lan
192.168.195.0   *               255.255.255.0   U     0      0        0 wifi_bridge
root@szne_nighthawk1_rumpel_195:~#

I see that your WG interface doesn't have an address specified. Is that 192.168.112.2?

While you're at it... Try removing the listen port (it's not necessary here, unless this device is also listening for inbound connections).

config interface 'wg_s2s_amopsz'
        option proto 'wireguard'
        option private_key 'qJx0t5RlS1Y='
	list addresses '192.168.112.2/24'

Also, unrelated, but your bridge here is odd...

If you want to add the physical wan port to be 'just another port' -- do it like this instead:

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '6t 5 4 3 2 1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '0t'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

No, I do not specify an address. I did not know which one, or for what purpose.
192.168.112.2 is a NAS in Network B.
This router (192.168.0.195) is in Network A.
I can connect to all devices from Network A via wireguard to Network B.
Just this one address - 192.168.112.2 - is sent from the router back to the standard gateway. I saw it in traceroute and then in the routing table ...

Is this tunnel traversing the internet at large? In other words, are networks A and B separated by the internet, or is there a physically local link between them?

This has been generated by the site2site WireGuard script. Yes, this is site2site; bi-directional listening for inbound connections is, I assume, by design.

where did you copy this from?
This `list addresses '192.168.112.2/24'` is strange; I can't find it anywhere in my post.

internet in between / separated

That was my proposed edit, based on an assumption that the local address of that device should be 192.168.112.2 (note that it is in code formatting, but not a quote). However, that was not a valid assumption, so just ignore it.

It looks like your endpoint_host, e.diskstation.me, is improperly resolving to that address. endpoint_host needs to be the public IP of the other site (the name is misleading because it is often a router, not an endpoint). WireGuard will install a /32 route to that IP to be sure that encrypted packets leave by the regular WAN route instead of being routed into the tunnel. This can be prevented by setting hostroute to 0, but you should almost never need to do that.

yeah looks better:

root@szne_nighthawk1_rumpel_195:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option ipv6 '0'
        option proto 'static'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'
        option ipaddr '192.168.0.195'
        list dns '192.168.0.171'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '6t 4 3 2 1 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '0t'

config interface 'guest1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.195.1'
        option device 'wifi_bridge'

config device
        option type 'bridge'
        option name 'wifi_bridge'

config interface 'wg_s2s_amopsz'
        option proto 'wireguard'
        option private_key 'qJxJ75RlS1Y='
        option listen_port '51823'

config wireguard_wg_s2s_amopsz 's2s_vpn_site_bmopsz'
        option public_key 'MZ7RTNrn3EOu8zWU='
        option preshared_key 'WHYjb78Tp7zvY='
        option description 'Site B, e.diskstation.me'
        list allowed_ips '192.168.112.0/24'
        list allowed_ips 'fdee:eeee:efff::/48'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host 'e.diskstation.me'
        option endpoint_port '51823'

root@szne_nighthawk1_rumpel_195:~#

Sorry .. I understand a little bit of what you say, but not enough to take some action / try to edit something. My endpoint 'e.diskstation.me' resolves to a public IP. All traffic sent from 192.168.0.0/24 to 192.168.112.0/24 works perfectly. Only one IP behaves differently - 192.168.112.2. Please see these traceroutes:

C:\Users\m>tracert 192.168.112.30

Routenverfolgung zu JSZE2-120J [192.168.112.30]
über maximal 30 Hops:

  1    <1 ms    <1 ms    <1 ms  fritz.lan [192.168.0.1]
  2    <1 ms    <1 ms    <1 ms  192.168.0.195
  3    12 ms    11 ms    11 ms  192.168.112.1
  4    12 ms    11 ms    11 ms  JSZE2-120J [192.168.112.30]

Ablaufverfolgung beendet.
-----------------------------------------------------------------------------------
C:\Users\m>tracert 192.168.112.2

Routenverfolgung zu 192.168.112.2 über maximal 30 Hops

  1    <1 ms    <1 ms    <1 ms  fritz.lan [192.168.0.1]
  2    <1 ms    <1 ms    <1 ms  192.168.0.195
  3     1 ms    <1 ms    <1 ms  fritz.lan [192.168.0.1]
  4     *        *        *     Zeitüberschreitung der Anforderung.
  5     *     ^C
C:\Users\yo sepp>

You see? In the second case, the router is sending the packet back to the standard gateway.

If you specify an endpoint, WireGuard will take that endpoint and route it via its WAN to escape the tunnel; that is the normal modus operandi.

I concur with @psherman that it could be the endpoint not resolving to a public IP address.

Alternatively your WG interface does not have an address (I know there are some which say you do not need it and sometimes it will work without but I have seen strange things coming from the lack of an IP address)
Maybe it is the lack of the IP address which is causing you this trouble?

I would start by giving your WG interface on both side an ip address: list addresses '10.10.10.1/24' on one side and list addresses '10.10.10.2/24' on the other side (the WG subnet must be different from all other subnets on both sides)

You should also allow 10.10.10.2/32 on the ip address 10.10.10.1/24 side
(list allowed_ips '10.10.10.2/32') and 10.10.10.1/32 on the 10.10.10.2/24 side (list allowed_ips '10.10.10.1/32')

Reboot afterwards.
If that does not help, then remove the endpoint; you actually only need an endpoint on one side.
If that solves the problem it is the endpoint not properly resolving.

Hi egc, thx 4 your help / thoughts

I think I understood and implemented correctly.
unfortunately - no change (full reboot of both routers)

Here are the route / network configs of the two routers after change:

192.168.0.195 (= dumb AP with WG, gateway is 192.168.0.1):

root@szne_nighthawk1_rumpel_195:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         fritz.lan       0.0.0.0         UG    0      0        0 br-lan
10.10.10.0      *               255.255.255.0   U     0      0        0 wg_s2s_amopsz
10.10.10.1      *               255.255.255.255 UH    0      0        0 wg_s2s_amopsz
192.168.0.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.112.0   *               255.255.255.0   U     0      0        0 wg_s2s_amopsz
192.168.112.2   fritz.lan       255.255.255.255 UGH   0      0        0 br-lan
192.168.195.0   *               255.255.255.0   U     0      0        0 wifi_bridge
root@szne_nighthawk1_rumpel_195:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option ipv6 '0'
        option proto 'static'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'
        option ipaddr '192.168.0.195'
        list dns '192.168.0.171'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '6t 4 3 2 1 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '0t'

config interface 'guest1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.195.1'
        option device 'wifi_bridge'

config device
        option type 'bridge'
        option name 'wifi_bridge'

config interface 'wg_s2s_amopsz'
        option proto 'wireguard'
        option private_key 'OBRE'
        option listen_port '51823'
        list addresses '10.10.10.2/24'

config wireguard_wg_s2s_amopsz 's2s_vpn_site_bmopsz'
        option public_key '6TRg'
        option preshared_key '4sxx'
        option description 'Site B, e.diskstation.me'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host 'e.diskstation.me'
        option endpoint_port '51823'
        list allowed_ips '192.168.112.0/24'
        list allowed_ips 'fdee:eeee:efff::/48'
        list allowed_ips '10.10.10.1/32'

root@szne_nighthawk1_rumpel_195:~#

Router 192.168.112.1 (main router in Network B, sends internet traffic to 192.168.111.1, connects to 192.168.0.195 via WireGuard):


  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 23.05.0, r23497-6637af95aa
 -----------------------------------------------------
root@Enginyra_Main_Router_Nighthawk:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.111.1   0.0.0.0         UG    0      0        0 eth0.2
10.10.10.0      *               255.255.255.0   U     0      0        0 wg_s2s_bmopsz
10.10.10.2      *               255.255.255.255 UH    0      0        0 wg_s2s_bmopsz
81.3.204.21     192.168.111.1   255.255.255.255 UGH   0      0        0 eth0.2
192.168.0.0     *               255.255.255.0   U     0      0        0 wg_s2s_bmopsz
192.168.3.0     *               255.255.255.0   U     0      0        0 br-guest
192.168.111.0   *               255.255.255.0   U     0      0        0 eth0.2
192.168.112.0   *               255.255.255.0   U     0      0        0 br-lan
root@Enginyra_Main_Router_Nighthawk:~#
root@Enginyra_Main_Router_Nighthawk:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.112.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipv6 '0'
        option delegate '0'

config interface 'wan'
        option device 'eth0.2'
        option proto 'static'
        option ipaddr '192.168.111.250'
        option netmask '255.255.255.0'
        option gateway '192.168.111.1'
        option ipv6 '0'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

config interface 'wwan'
        option proto 'dhcp'

config device 'guest_dev'
        option type 'bridge'
        option name 'br-guest'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.3.1/24'

config interface 'wg_s2s_bmopsz'
        option proto 'wireguard'
        option private_key 'EELm'
        option listen_port '51823'
        list addresses '10.10.10.1/24'

config wireguard_wg_s2s_bmopsz 's2s_vpn_site_amopsz'
        option public_key '3Yhm'
        option preshared_key '4sxx'
        option description 'Site A, m.hopto.org'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host 'm.hopto.org'
        option endpoint_port '51823'
        list allowed_ips '192.168.0.0/24'
        list allowed_ips 'fdff:ffff:fffe::/48'
        list allowed_ips '10.10.10.2/32'

Riddle is unsolved,
but I reached my goal and could get it working:

  1. Took a backup of the router 192.168.0.195 from a time before experimenting with the site2site WG script -> no problem present in the routing table

  2. Ran the WG site2site script on the router, and took more or less the firewall and network config with all the changes you advised me to try (learned a lot! thank you):

  • own VPN Firewall Zone with Forwarding to Lan
  • IP address for the WG interface / allowed IPs
  • some clean up (bridge, switch)

--> Router works as designed in a nice clean setup.
--> No weird routing table entry

thx 2 everybody that tried to solve and made my setting / knowledge better!

I am posting the whole config of the working router; I can't see any difference from the non-working case, besides the routing table now looking good. The other router's (WG peer) settings are unchanged from the last post.


  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 23.05.0, r23497-6637af95aa
 -----------------------------------------------------
root@szne_nighthawk1_rumpel_195:~#
root@szne_nighthawk1_rumpel_195:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         fritz.lan       0.0.0.0         UG    0      0        0 br-lan
10.10.10.0      *               255.255.255.0   U     0      0        0 wg_s2s_amopsz
10.10.10.1      *               255.255.255.255 UH    0      0        0 wg_s2s_amopsz
82.218.250.45   fritz.lan       255.255.255.255 UGH   0      0        0 br-lan
192.168.0.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.112.0   *               255.255.255.0   U     0      0        0 wg_s2s_amopsz
192.168.195.0   *               255.255.255.0   U     0      0        0 wifi_bridge
root@szne_nighthawk1_rumpel_195:~# ubus call system board
{
        "kernel": "5.15.134",
        "hostname": "szne_nighthawk1_rumpel_195",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "Netgear Nighthawk X4S R7800",
        "board_name": "netgear,r7800",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "ipq806x/generic",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}
root@szne_nighthawk1_rumpel_195:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option ipv6 '0'
        option proto 'static'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'
        option ipaddr '192.168.0.195'
        list dns '192.168.0.171'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '6t 4 3 2 1 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '0t'

config interface 'guest1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.195.1'
        option device 'wifi_bridge'

config device
        option type 'bridge'
        option name 'wifi_bridge'

config interface 'wg_s2s_amopsz'
        option proto 'wireguard'
        option private_key 'OBRE='
        option listen_port '51823'
        list addresses '10.10.10.2/24'


config wireguard_wg_s2s_amopsz 's2s_vpn_site_bmopsz'
        option public_key '6TRg='
        option preshared_key '4sxx='
        option description 'Site B, e.diskstation.me'
        list allowed_ips '192.168.112.0/24'
        list allowed_ips 'fdee:eeee:efff::/48'
        list allowed_ips '10.10.10.1/32'
        option persistent_keepalive '25'
        option endpoint_host 'e.diskstation.me'
        option endpoint_port '51823'
        option route_allowed_ips '1'



        root@szne_nighthawk1_rumpel_195:~#
root@szne_nighthawk1_rumpel_195:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'guest'
        option name 'guest'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'guest1'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option src_port '68'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

config forwarding
        option dest 'lan'

config forwarding
        option src 'guest'
        option dest 'lan'

config rule
        option name 'dhcp ok'
        option dest 'lan'
        option dest_port '53'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'dns ok'
        list dest_ip '192.168.0.1'
        list dest_ip '192.168.0.171'
        option dest_port '67'
        option target 'ACCEPT'
        option dest 'lan'
        option enabled '0'

config rule
        option dest 'lan'
        option target 'DROP'
        option name 'drop all guest traffic'
        option enabled '0'

config rule
        option name 'drop guest'
        option src 'guest'
        list src_ip '192.168.195.0/24'
        option dest 'lan'
        list dest_ip '192.168.0.0/24'
        option target 'REJECT'
        list proto 'all'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg_s2s_amopsz'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'vpn'



