[SOLVED] Wireguard with openwrt 23.05.4 can't open any site, ping works

Hi there.

Since I've hit a roadblock I'm going to ask here. I have set up WG several times (and reverted each time), but only the handshake works — and pings. When I try to open any page, local or on the internet, it just times out. Running tcpdump on OpenWrt I can see some traffic; ping examples: https://termbin.com/56e2

This my current /etc/config/firewall setting:

# /etc/config/firewall as originally posted (OpenWrt 23.05.4, fw4).
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# The two rules below are OpenWrt defaults for IPsec passthrough to LAN hosts;
# they are unrelated to WireGuard.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Guest zone: isolated from lan, may only reach wan plus the router's DNS/DHCP.
config zone 'guest'
	option name 'guest'
	option network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding 'guest_wan'
	option src 'guest'
	option dest 'wan'

config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

# NOTE(review): this zone also lists 'lan', which is already a member of the
# lan zone above. A network should belong to exactly one zone. Once 'lan' is
# removed here, VPN peers need an explicit "config forwarding" vpn -> lan to
# reach LAN hosts (that is the only reason ping to LAN worked in this layout).
# input ACCEPT gives every VPN peer access to all router services (ssh, LuCI,
# DNS); acceptable for a personal server, otherwise narrow it with rules.
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'lan'
	list network 'vpn'

config forwarding
	option src 'vpn'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'vpn'

# NOTE(review): WireGuard terminates on the router itself, so a DNAT of
# WAN:51820 to the router's own tunnel address is the wrong tool. What is
# needed is a plain traffic rule: src 'wan', proto 'udp', dest_port '51820',
# target 'ACCEPT' and no 'dest', so it matches the router's INPUT chain.
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'vpn'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '10.10.50.1'
	option dest_port '51820'

This my /etc/config/network

# /etc/config/network as originally posted.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd30:ac1a:e1b9::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# NOTE(review): 100.64.0.0/10 is RFC 6598 shared address space, reserved for
# carrier-grade NAT, not RFC 1918 private space. On a PPPoE link the provider
# may assign addresses from that very range, so it can collide with the WAN
# side. Use 10/8, 172.16/12 or 192.168/16 for the LAN.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '100.64.0.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option username 'secret'
	option password 'secret'
	option ipv6 'auto'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config device 'guest_dev'
	option type 'bridge'
	option name 'br-guest'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.3.1/24'

# WireGuard "server" interface: the router listens on UDP 51820 and owns
# 10.10.50.1/24 on the tunnel.
config interface 'vpn'
	option proto 'wireguard'
	option private_key 'secret'
	option listen_port '51820'
	# NOTE(review): 'dns' on an interface configures the ROUTER's own resolver,
	# not the client's; the phone gets its DNS from its own WG config. Probably
	# unnecessary on the server side.
	list dns '100.64.0.1'
	list addresses '10.10.50.1/24'
	list addresses 'fdde:adc0:0c1e:50::1/64'

# NOTE(review): an empty device section; the wireguard proto creates its own
# netdev, so this does nothing useful (it was dropped later in the thread).
config device
	option name 'vpn'

# Peer 'xa2' (the Android client).
config wireguard_vpn
	option description 'xa2'
	option public_key 'secret'
	# NOTE(review): 'private_key' is not a peer option (peers take public_key
	# and, optionally, preshared_key). If this was meant to be a pre-shared
	# key, the option is 'preshared_key'; otherwise drop the line.
	option private_key 'secret'
	# NOTE(review): allowed_ips is WireGuard's cryptokey routing table: the
	# router accepts decrypted packets from this peer only if their source is
	# inside the prefix. A /24 lets this one client use ANY 10.10.50.x source
	# and would conflict with any second peer; a single client gets its own
	# /32 (10.10.50.2/32). No IPv6 prefix is listed, so any v6 the client
	# sends through the tunnel is discarded.
	list allowed_ips '10.10.50.2/24'
	# NOTE(review): endpoint_host/port on the server side only matter if the
	# router must initiate the tunnel; a roaming client behind NAT initiates
	# and should set persistent_keepalive on its own side instead.
	option endpoint_host 'secret.duckdns.org'
	option endpoint_port '51820'

This is `tcpdump -n -i <tunnel interface>` while searching "what is my ip" on DuckDuckGo. (Worth noticing in the capture below: the SYNs to 213.229.249.40:8080 are never answered, while the TLS exchange with 142.251.209.14:443 completes normally and DNS to 100.64.0.1 is answered — so at least some IPv4 flows are forwarded through the tunnel, and the repeated, unanswered port-8080 connections look more like a client-side proxy/cache setting than a firewall problem.)

14:30:34.145313 IP 10.10.50.2.44589 > 213.229.249.40.8080: Flags [S], seq 3989339694, win 65535, options [mss 1240,sackOK,TS val 392961 ecr 0,nop,wscale 9], length 0
14:30:34.402206 IP 10.10.50.2.44591 > 213.229.249.40.8080: Flags [S], seq 513857391, win 65535, options [mss 1240,sackOK,TS val 392986 ecr 0,nop,wscale 9], length 0
14:30:34.825319 IP 10.10.50.2.44587 > 213.229.249.40.8080: Flags [S], seq 2770720660, win 65535, options [mss 1240,sackOK,TS val 393028 ecr 0,nop,wscale 9], length 0
14:30:34.825508 IP 10.10.50.2.44585 > 213.229.249.40.8080: Flags [S], seq 3818810195, win 65535, options [mss 1240,sackOK,TS val 393028 ecr 0,nop,wscale 9], length 0
14:30:35.015328 IP 10.10.50.2.44593 > 213.229.249.40.8080: Flags [S], seq 1470963243, win 65535, options [mss 1240,sackOK,TS val 393048 ecr 0,nop,wscale 9], length 0
14:30:35.265330 IP 10.10.50.2.44595 > 213.229.249.40.8080: Flags [S], seq 3841814223, win 65535, options [mss 1240,sackOK,TS val 393073 ecr 0,nop,wscale 9], length 0
14:30:36.015471 IP 10.10.50.2.44593 > 213.229.249.40.8080: Flags [S], seq 1470963243, win 65535, options [mss 1240,sackOK,TS val 393148 ecr 0,nop,wscale 9], length 0
14:30:36.255289 IP 10.10.50.2.44595 > 213.229.249.40.8080: Flags [S], seq 3841814223, win 65535, options [mss 1240,sackOK,TS val 393173 ecr 0,nop,wscale 9], length 0
14:30:38.025233 IP 10.10.50.2.44593 > 213.229.249.40.8080: Flags [S], seq 1470963243, win 65535, options [mss 1240,sackOK,TS val 393348 ecr 0,nop,wscale 9], length 0
14:30:38.265187 IP 10.10.50.2.44595 > 213.229.249.40.8080: Flags [S], seq 3841814223, win 65535, options [mss 1240,sackOK,TS val 393373 ecr 0,nop,wscale 9], length 0
14:30:42.025365 IP 10.10.50.2.44593 > 213.229.249.40.8080: Flags [S], seq 1470963243, win 65535, options [mss 1240,sackOK,TS val 393749 ecr 0,nop,wscale 9], length 0
14:30:42.170270 IP 10.10.50.2.44589 > 213.229.249.40.8080: Flags [S], seq 3989339694, win 65535, options [mss 1240,sackOK,TS val 393764 ecr 0,nop,wscale 9], length 0
14:30:42.265309 IP 10.10.50.2.44595 > 213.229.249.40.8080: Flags [S], seq 3841814223, win 65535, options [mss 1240,sackOK,TS val 393774 ecr 0,nop,wscale 9], length 0
14:30:42.410290 IP 10.10.50.2.44591 > 213.229.249.40.8080: Flags [S], seq 513857391, win 65535, options [mss 1240,sackOK,TS val 393788 ecr 0,nop,wscale 9], length 0
14:30:45.745342 IP 10.10.50.2.44690 > 100.64.0.1.53: 31154+ AAAA? incoming.telemetry.mozilla.org. (48)
14:30:45.745342 IP 10.10.50.2.64010 > 100.64.0.1.53: 11257+ A? incoming.telemetry.mozilla.org. (48)
14:30:45.747125 IP 100.64.0.1.53 > 10.10.50.2.44690: 31154 NXDomain 0/0/0 (48)
14:30:45.748799 IP 100.64.0.1.53 > 10.10.50.2.64010: 11257 NXDomain 0/0/0 (48)
14:30:50.065271 IP 10.10.50.2.44593 > 213.229.249.40.8080: Flags [S], seq 1470963243, win 65535, options [mss 1240,sackOK,TS val 394552 ecr 0,nop,wscale 9], length 0
14:30:50.290244 IP 10.10.50.2.44595 > 213.229.249.40.8080: Flags [S], seq 3841814223, win 65535, options [mss 1240,sackOK,TS val 394576 ecr 0,nop,wscale 9], length 0
14:30:52.985348 IP 10.10.50.2.44102 > 142.250.180.174.443: Flags [P.], seq 3036878079:3036878103, ack 2821333468, win 203, options [nop,nop,TS val 394843 ecr 3138526055], length 24
14:30:52.985605 IP 10.10.50.2.44102 > 142.250.180.174.443: Flags [F.], seq 24, ack 1, win 203, options [nop,nop,TS val 394844 ecr 3138526055], length 0
14:30:52.985606 IP 10.10.50.2.61200 > 100.64.0.1.53: 6215+ AAAA? android.clients.google.com. (44)
14:30:52.985606 IP 10.10.50.2.34502 > 100.64.0.1.53: 63693+ A? android.clients.google.com. (44)
14:30:52.993371 IP 142.250.180.174.443 > 10.10.50.2.44102: Flags [R], seq 2821333468, win 0, length 0
14:30:53.016562 IP 100.64.0.1.53 > 10.10.50.2.61200: 6215 1/1/0 CNAME android.l.google.com. (138)
14:30:53.017068 IP 100.64.0.1.53 > 10.10.50.2.34502: 63693 8/0/0 CNAME android.l.google.com., A 142.251.209.14, A 142.251.209.46, A 142.250.180.142, A 216.58.204.238, A 142.250.180.174, A 216.58.204.142, A 216.58.205.46 (190)
14:30:53.042205 IP 10.10.50.2.44943 > 142.251.209.14.443: Flags [S], seq 2948178608, win 65535, options [mss 1240,sackOK,TS val 394853 ecr 0,nop,wscale 9], length 0
14:30:53.050213 IP 142.251.209.14.443 > 10.10.50.2.44943: Flags [S.], seq 2463808230, ack 2948178609, win 65535, options [mss 1380,sackOK,TS val 4066075941 ecr 394853,nop,wscale 8], length 0
14:30:53.070212 IP 10.10.50.2.44943 > 142.251.209.14.443: Flags [.], ack 1, win 146, options [nop,nop,TS val 394855 ecr 4066075941], length 0
14:30:53.090322 IP 10.10.50.2.44943 > 142.251.209.14.443: Flags [P.], seq 1:580, ack 1, win 146, options [nop,nop,TS val 394856 ecr 4066075941], length 579
14:30:53.098118 IP 142.251.209.14.443 > 10.10.50.2.44943: Flags [.], ack 580, win 1048, options [nop,nop,TS val 4066075988 ecr 394856], length 0
14:30:53.114743 IP 142.251.209.14.443 > 10.10.50.2.44943: Flags [P.], seq 1:219, ack 580, win 1048, options [nop,nop,TS val 4066076005 ecr 394856], length 218
14:30:53.140208 IP 10.10.50.2.44943 > 142.251.209.14.443: Flags [.], ack 219, win 148, options [nop,nop,TS val 394863 ecr 4066076005], length 0
14:30:53.150147 IP 10.10.50.2.44943 > 142.251.209.14.443: Flags [P.], seq 580:644, ack 219, win 148, options [nop,nop,TS val 394863 ecr 4066076005], length 64
14:30:53.162676 IP 142.251.209.14.443 > 10.10.50.2.44943: Flags [.], ack 644, win 1048, options [nop,nop,TS val 4066076053 ecr 394863], length 0
14:30:53.170340 IP 10.10.50.2.44943 > 142.251.209.14.443: Flags [.], seq 644:1872, ack 219, win 148, options [nop,nop,TS val 394864 ecr 4066076005], length 1228
14:30:53.178171 IP 142.251.209.14.443 > 10.10.50.2.44943: Flags [.], ack 1872, win 1044, options [nop,nop,TS val 4066076068 ecr 394864], length 0
14:30:53.185167 IP 10.10.50.2.44943 > 142.251.209.14.443: Flags [P.], seq 1872:2083, ack 219, win 148, options [nop,nop,TS val 394867 ecr 4066076053], length 211
14:30:53.192955 IP 142.251.209.14.443 > 10.10.50.2.44943: Flags [.], ack 2083, win 1044, options [nop,nop,TS val 4066076083 ecr 394867], length 0
14:30:53.465412 IP 142.251.209.14.443 > 10.10.50.2.44943: Flags [P.], seq 219:1243, ack 2083, win 1044, options [nop,nop,TS val 4066076356 ecr 394867], length 1024
14:30:53.465555 IP 142.251.209.14.443 > 10.10.50.2.44943: Flags [P.], seq 1243:1421, ack 2083, win 1044, options [nop,nop,TS val 4066076356 ecr 394867], length 178
14:30:53.465611 IP 142.251.209.14.443 > 10.10.50.2.44943: Flags [P.], seq 1421:1448, ack 2083, win 1044, options [nop,nop,TS val 4066076356 ecr 394867], length 27
14:30:53.522269 IP 10.10.50.2.44943 > 142.251.209.14.443: Flags [.], ack 1421, win 156, options [nop,nop,TS val 394899 ecr 4066076356], length 0
14:30:53.525394 IP 142.251.209.14.443 > 10.10.50.2.44943: Flags [P.], seq 1421:1448, ack 2083, win 1044, options [nop,nop,TS val 4066076416 ecr 394867], length 27
14:30:53.540202 IP 10.10.50.2.44943 > 142.251.209.14.443: Flags [.], ack 1448, win 156, options [nop,nop,TS val 394903 ecr 4066076356], length 0
14:30:53.545145 IP 10.10.50.2.44943 > 142.251.209.14.443: Flags [.], ack 1448, win 156, options [nop,nop,TS val 394903 ecr 4066076416,nop,nop,sack 1 {1421:1448}], length 0
14:30:58.242265 IP 10.10.50.2.11872 > 100.64.0.1.53: 27394+ AAAA? contile.services.mozilla.com. (46)
14:30:58.242265 IP 10.10.50.2.3108 > 100.64.0.1.53: 28597+ A? contile.services.mozilla.com. (46)
14:30:58.242832 IP 100.64.0.1.53 > 10.10.50.2.11872: 27394 NXDomain 0/0/0 (46)
14:30:58.243214 IP 100.64.0.1.53 > 10.10.50.2.3108: 28597 NXDomain 0/0/0 (46)

I have no idea what else to try. I've searched a lot of documentation in case my firewall config is wrong, tried it without the port forward (as described in https://openwrt.org/docs/guide-user/services/vpn/wireguard/server), tried LuCI guides such as https://www.youtube.com/watch?v=sFEff3geYdU (the current settings come from that guide), plus other variations of my own. It always ends the same way: the handshake works, pings work (I tried different ping sizes to test the MTU and they all go through), but accessing web pages or using any Android network app just times out.

For starters, remove `list network 'lan'` from the `vpn` zone — that network already belongs to the `lan` zone, and a network should be a member of exactly one zone.

Reboot and test again while I will review the rest of your setup :slight_smile:

This rule (the `redirect` that DNATs WAN UDP 51820 to 10.10.50.1) seems odd.

Usually you create an input rule to allow the WG traffic from the Internet: a traffic rule with `src 'wan'`, `proto 'udp'`, `dest_port '51820'`, `target 'ACCEPT'` and no `dest`, so it matches the router's own INPUT chain rather than a port forward.

It looks like you are using WireGuard as a Server to connect from outside to your home?

If so, you also need a `forwarding` section from the `vpn` zone to the `lan` zone so peers can reach LAN hosts:

The redirect rule for port 51820 should be a simple traffic rule as already explained by @lleachii

Same result. I can't access any site, neither on the WAN side nor on the LAN side (not even the router itself at 10.10.50.1).

You can remove this (the empty `config device` section for `vpn` — the wireguard proto creates its own device):

Your LAN IP address is wrong: 100.64.0.1 is not an RFC 1918 private address. 100.64.0.0/10 is RFC 6598 shared address space used by ISPs for carrier-grade NAT, so it can collide with what your PPPoE provider assigns; use a range from 10/8, 172.16/12 or 192.168/16 instead.

I've removed stuff:
/etc/config/firewall


# /etc/config/firewall after the first round of cleanup ('lan' taken out of the
# vpn zone, DNAT redirect removed).
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# OpenWrt defaults for IPsec passthrough; unrelated to WireGuard.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone 'guest'
	option name 'guest'
	option network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding 'guest_wan'
	option src 'guest'
	option dest 'wan'

config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

# vpn zone now holds only the tunnel network. Two things are still missing at
# this point, which is why the handshake stops working:
#  1. nothing accepts UDP 51820 on wan any more (default input is REJECT and
#     the DNAT redirect that used to let it in is gone) -- needs an input rule;
#  2. with 'lan' no longer inside this zone, peers need a forwarding vpn -> lan.
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'vpn'

config forwarding
	option src 'vpn'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'vpn'

/etc/config/network

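# /etc/config/network (LAN moved to 192.168.1.0/24).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd30:ac1a:e1b9::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option username 'secret'
	option password 'secret'
	option ipv6 'auto'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config device 'guest_dev'
	option type 'bridge'
	option name 'br-guest'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.3.1/24'

# WireGuard "server" interface: the router listens on UDP 51820 and owns
# 10.10.50.1/24 (and a ULA /64) on the tunnel.
config interface 'vpn'
	option proto 'wireguard'
	option private_key 'secret'
	option listen_port '51820'
	# NOTE(review): 'dns' on an interface configures the ROUTER's own resolver,
	# not the client's; the phone gets its DNS from its own WG config. Probably
	# unnecessary on the server side.
	list dns '192.168.1.1'
	list addresses '10.10.50.1/24'
	list addresses 'fdde:adc0:0c1e:50::1/64'

# Peer 'xa2' (the Android client). Peer sections take public_key, an optional
# preshared_key, allowed_ips, route_allowed_ips, endpoint_host/endpoint_port
# and persistent_keepalive. The original section also carried a
# 'private_key' line, which is not a peer option; it has been dropped. If
# that value was meant to be a pre-shared key, add:
#	option preshared_key '...'
config wireguard_vpn
	option description 'xa2'
	option public_key 'secret'
	# allowed_ips is WireGuard's cryptokey routing table: the router accepts
	# decrypted packets from this peer only if their source lies inside the
	# prefix, and (with route_allowed_ips) routes the prefix to the peer.
	# The original '10.10.50.2/24' let this single client use ANY 10.10.50.x
	# source address and would conflict with any second peer; a single client
	# gets exactly its own /32.
	list allowed_ips '10.10.50.2/32'
	# NOTE(review): no IPv6 prefix is listed, so any v6 the client sends through
	# the tunnel is discarded; add the client's fdde:adc0:0c1e:50::x/128 if
	# IPv6 over the tunnel is wanted.
	# NOTE(review): endpoint_host/port on the server side only matter if the
	# router must initiate the tunnel; a roaming client behind NAT initiates
	# and should set persistent_keepalive on its own side instead.
	option endpoint_host 'secret.duckdns.org'
	option endpoint_port '51820'
	option route_allowed_ips '1'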

Now I don't get a handshake.

It's interesting to come across a case like the one I encountered!

To be sure we are on the same page you are setting up a WireGuard "Server" to connect from outside to your home?

If so you need to allow port 51820:
add to /etc/config/firewall:

# Input rule (no 'dest'): accepts the WireGuard handshake/data on the router's
# own UDP 51820 from the Internet. This replaces the DNAT redirect: WireGuard
# terminates on the router, so nothing is forwarded to another host.
config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

and you also have to allow forwarding from the `vpn` zone to the `lan` zone — now that the `lan` network is no longer a member of the `vpn` zone, this needs an explicit forwarding:
add to /etc/config/firewall:

# Lets tunnel peers reach LAN hosts; needed because the lan network is no
# longer a member of the vpn zone.
config forwarding
	option src 'vpn'
	option dest 'lan'

Reboot and test again

Yes I'm trying to setup WireGuard "Server" to connect from outside to my home.

Now I get a handshake, and after clearing the Firefox cache on Android I can reach sites!

So what was really the issue? And I would like to save the WireGuard-related firewall settings somehow for future restoration. Thank you egc!

My update firewall config:

# /etc/config/firewall -- working configuration.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# OpenWrt defaults for IPsec passthrough to LAN hosts; unrelated to WireGuard
# and safe to delete if no IPsec is used.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Guest zone: isolated from lan, may only reach wan plus the router's DNS/DHCP.
config zone 'guest'
	option name 'guest'
	option network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding 'guest_wan'
	option src 'guest'
	option dest 'wan'

config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

# WireGuard zone: only the tunnel network. mtu_fix clamps TCP MSS to the
# tunnel MTU, which avoids the "ping works, pages hang" symptom for big packets.
# NOTE(review): input ACCEPT gives every peer access to all router services
# (ssh, LuCI, DNS). Fine for a single personal client; for untrusted or many
# peers set input REJECT and add explicit rules for DNS (53) and whatever
# else is needed.
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'vpn'

# Peers -> Internet (masqueraded by the wan zone).
config forwarding
	option src 'vpn'
	option dest 'wan'

# LAN hosts -> peers.
config forwarding
	option src 'lan'
	option dest 'vpn'

# Input rule (no 'dest') that admits the WireGuard listener on UDP 51820.
# This, not a DNAT redirect, is the correct way to expose a WireGuard
# endpoint that terminates on the router itself.
config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

# Peers -> LAN hosts; required now that lan is not a member of the vpn zone.
config forwarding
	option src 'vpn'
	option dest 'lan'

Glad it is solved.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

The main problem was this: [the quoted section was not preserved in this copy of the thread]
