Good morning,
I've just made the switch to OpenWRT from dd-wrt and am trying to replicate my settings.
I have:
-
My principal wired, 5Ghz and 2.4Ghz networks all on the same subnet. All clients on this subnet are routed through a Wireguard interface with a few exceptions required (e.g. my TV for Netflix access)
-
A guest wireless network (on a separate subnet) This is routed through a Wireguard interface
-
A third wireless network (on a separate subnet) that is not routed through the wiregurad interface
Here's what the firewall zones look like:
I'm using @stangri's policy-based routing packages to allow certain clients on the principal networks to bypass the Wireguard interface:
config vpn-policy-routing 'config'
option verbosity '2'
option ipv6_enabled '0'
option ipset_enabled '1'
option dnsmasq_enabled '0'
option strict_enforcement '1'
option boot_timeout '30'
option chain_control '1'
option enabled '1'
config policy
option name 'TV'
option local_address '192.168.1.100'
option interface 'wan'
option proto 'tcp'
option chain 'PREROUTING'
config policy
option chain 'PREROUTING'
option interface 'wan'
option name 'Hello'
option local_address '192.168.1.102'
option proto 'tcp'
config policy
option proto 'tcp'
option chain 'PREROUTING'
option interface 'wan'
option name 'Homerun'
option local_address '192.168.1.101'
The principal networks work fine: all traffic, except those clients which I choose to exclude, passes through the Wireguard interface.
However, neither of the other two subnets have any connectivity out to the 'big wide world'. I can connect to those networks fine and clients receive a DHCP address, but that's all.
I'm sure this is a simple firewall / IPTABLEs problem, but I've been staring at it for a while now and can't crack it. Is anybody able to direct me to my mistake(s)?
/etc/configs/network:
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd8c:4d35:43aa::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth1.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option ifname 'eth0.2'
option proto 'pppoe'
option username ''
option password ''
option peerdns '0'
option dns '84.200.69.80 84.200.70.40'
option ipv6 'auto'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 0t'
config interface 'guest'
option proto 'static'
option ipaddr '192.168.4.1'
option netmask '255.255.255.0'
option type 'bridge'
option dns '84.200.69.80 84.200.70.40'
config interface 'naked'
option proto 'static'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
option type 'bridge'
option dns '84.200.69.80 84.200.70.40'
config interface 'wg'
option proto 'wireguard'
option private_key ''
option listen_port '51820'
list addresses ''
option force_link '1'
config wireguard_wg
option public_key ''
list allowed_ips '0.0.0.0/0'
option route_allowed_ips '1'
option endpoint_host ''
option endpoint_port '51820'
option persistent_keepalive '25'
/etc/configs/firewall:
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option output 'ACCEPT'
option forward 'REJECT'
option network 'wan wan6'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone 'guest'
option name 'guest'
option output 'ACCEPT'
option network ' '
option forward 'ACCEPT'
option input 'REJECT'
config rule 'guest_dhcp'
option name 'guest_DHCP'
option src 'guest'
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
config rule 'guest_dns'
option name 'guest_DNS'
option src 'guest'
option target 'ACCEPT'
option proto 'tcpudp'
option dest_port '53'
config zone 'naked'
option name 'naked'
option output 'ACCEPT'
option network ' '
option forward 'ACCEPT'
option input 'REJECT'
config rule 'naked_dhcp'
option name 'naked_DHCP'
option src 'naked'
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
config rule 'naked_dns'
option name 'naked_DNS'
option src 'naked'
option target 'ACCEPT'
option proto 'tcpudp'
option dest_port '53'
config zone
option forward 'REJECT'
option output 'ACCEPT'
option name 'wgzone'
option masq '1'
option mtu_fix '1'
option network 'wg'
option input 'REJECT'
config forwarding
option dest 'wgzone'
option src 'guest'
config forwarding
option dest 'wan'
option src 'naked'
config forwarding
option dest 'wan'
option src 'lan'
config forwarding
option dest 'wgzone'
option src 'lan'
Please let me know if there's anything I need to provide to help resolve this.
Many thanks and best wishes,
- ti
