It seems you are mixing firewall and routing.
The firewall config has nothing to do with bridging or routing.
Firewall defines access permissions.
Routing defines priorities and directions.
While it is possible to mark traffic with firewall to determine routing, that is another story.
To give an extract of my routing tables:
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0
10.0.10.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
Let's say I want to have site-to-site access to 192.168.10.0/24
If I ping 192.168.20.0 which I am not supposed to ping, it is picked up by the second rule.
So br-lan breaks Wireguard setup. How to solve this?
No, it will take the default route as you have no explicit route to 192.168.20.0/24:
ip route show
ip route get 192.168.20.1
I have default gateway, it is:
0.0.0.0 xxxxxxxxxxxx 0.0.0.0 UG 0 0 0 eth1
Let's say my firewall 10.0.10.1 or any machine on br-lan, for example 10.0.10.20, will pick up
10.0.10.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
What's the rest of your routing table?
You'd better stop using deprecated net-tools.
Current Utilities for Networking and Traffic Control
Here is the complete and exact routing table
default via xxxxx dev eth1 proto static src xxxxxxxxxxxxxxx
10.0.10.0/24 dev wg0 proto kernel scope link src 10.0.10.1
10.0.10.2 dev wg0 proto static scope link
10.90.20.0/24 dev wg0 proto static scope link
xxxxxxxxxx/24 dev eth1 proto kernel scope link src xxxxxxxxxxxxxx
192.168.9.0/24 dev br-lan proto kernel scope link src 192.168.9.1
xxxxxxxxxxx via xxxxxxxxxxxxxxx dev eth1 proto static
From firewall and br-lan, I can ping 10.90.30.0/24; this is the problem.
We should assign lan and wg0 to the same firewall zone.
What is this on the network? How is it connected?
192.168.9.0 br-lan local network on site A
10.0.10.0/24 wg0 network
10.90.20.0/24 remote network (vlan) on site B
10.90.30.0/24 remote network (vlan) on site B
How come that Wireguard is picking up 10.90.30.0/24?
ip route get 10.90.30.1
ip route get 10.90.30.254
10.90.30.254 via 10.90.30.254 dev eth1 src yyyyyyyyyyyyyyyyyy uid 0
cache
yyyyyyyyyyyyyyyyyyyyy is a public address.
So it is the firewall on site B which is faulty?
It means 10.90.30.254 should be routed via the eth1 interface.
If you can ping it, it is reachable.
It doesn't mean that 10.90.30.254 is in the same network that you think of.
It may be a part of the upstream networking, i.e. your ISP.
How come that I have access to non-routable machines on my ISP network. It seems unreal.
I can ping 10.90.30.1 but there is no such machine on my network.
OK, I understand, it could be the TV network or Fiber module or SIP phone or something like that.
So I should not be using 10.90.3.0/24 on site A for clarity.
This is normal, many ISPs host their services in private networks reachable only by their clients.
This is a large ISP provider in France (third rank).
Many thanks. Bye bye!
It is a big joke, I have access to several machines on 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24 ...
How can I avoid receiving those routes from DHCP? May I lose my fiber module (ONT) which is on a separate link?
You can override the default route with another route.
Or, filter traffic by source/destination with firewall.
It should be similar to the following:
- http://www.bcp38.info/
- OpenWrt packages:
Although, in my opinion, it should not bother you.
Usually your ISP takes care of it.
Avoid receiving them from where?
Can bcp38 block communications with my external fiber ONT?
The reason I am asking is that I am not on site B and this could be a problem to lose fiber ...
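To make the longest-prefix-match behaviour discussed in this thread concrete (why 10.90.30.x falls through to the default route on eth1 while 10.90.20.x goes out wg0, and how the suggested "override the default route with another route" changes that), here is a small Python simulation. It is an added example, not code from any poster; the table is a constructed copy of the posted `ip route` output with the masked public addresses left as placeholders, and the `unreachable` entry assumes the `ip route add unreachable <prefix>` style of blocking a range.

```python
import ipaddress

# Constructed routing table mirroring the `ip route` output posted above.
# Public addresses were masked (xxxx) in the original, so they stay placeholders.
# Each entry: (prefix, outgoing device, or "unreachable" for a blocking route).
ROUTES = [
    ("0.0.0.0/0",      "eth1"),    # default via the ISP gateway (address masked)
    ("10.0.10.0/24",   "wg0"),     # WireGuard transfer network
    ("10.0.10.2/32",   "wg0"),     # peer host route
    ("10.90.20.0/24",  "wg0"),     # site B VLAN, explicitly routed over the tunnel
    ("192.168.9.0/24", "br-lan"),  # site A LAN
]


def lookup(dst, routes=ROUTES):
    """Pick the route for dst the way the kernel (and `ip route get`) does:
    among all matching prefixes, the longest (most specific) one wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return (str(best[0]), best[1])


def add_route(routes, prefix, dev):
    """Return a new table with one extra route, mimicking `ip route add`.
    A /24 entry always beats the /0 default for addresses inside it."""
    return routes + [(prefix, dev)]


if __name__ == "__main__":
    # No route for 10.90.30.0/24 exists, so it leaves via eth1 towards the ISP.
    print("10.90.30.1 ->", lookup("10.90.30.1"))
    # 10.90.20.0/24 has an explicit route, so it goes through WireGuard.
    print("10.90.20.7 ->", lookup("10.90.20.7"))
    # Adding the missing route sends site B's second VLAN through the tunnel.
    fixed = add_route(ROUTES, "10.90.30.0/24", "wg0")
    print("10.90.30.1 (after add) ->", lookup("10.90.30.1", fixed))
    # Blocking an ISP-hosted private range: an unreachable route beats the default.
    blocked = add_route(ROUTES, "192.168.2.0/24", "unreachable")
    print("192.168.2.10 (blocked) ->", lookup("192.168.2.10", blocked))
```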