Static route didn't work

I have an old OpenWrt router (12.09, 192.168.0.252, 192.168.20.254).

I'm trying to replace this old router with a new one (19.07, 192.168.0.250).
The new router has already established a WireGuard VPN tunnel to the new 192.168.20.x network.
There are some static routes in the old one.

network configuration

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

#config interface 'lan'
#	option ifname 'eth0.1'
#	option type 'bridge'
#	option proto 'static'
#	option ipaddr '192.168.20.254'
#	option netmask '255.255.255.0'

config interface 'wan'
	option ifname 'eth1'
	option proto 'static'
	option ipaddr '219.84.111.111'
	option netmask '255.255.255.0'

config switch
	option name 'eth0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'eth0'
	option vlan '1'
	option ports '0t 2 3 4'

config switch_vlan
	option device 'eth0'
	option vlan '2'
	option ports '0t 1'

config interface 'backbone'
	option ifname 'eth0.2'
	option proto 'static'
	option ipaddr '192.168.0.252'
	option netmask '255.255.255.0'

As you can see, I disabled the interface eth0.1 (192.168.20.254),
then added a new static route: traffic to the 192.168.20.x network goes to 192.168.0.250 (the new one with the WireGuard VPN).

ip r

192.168.0.0/24 dev eth0.2  proto kernel  scope link  src 192.168.0.252 
192.168.1.0/24 via 192.168.0.1 dev eth0.2  proto static 
192.168.11.0/24 via 192.168.0.1 dev eth0.2  proto static 
192.168.20.0/24 via 192.168.0.250 dev eth0.2 
192.168.22.0/24 dev ipsec0  scope link 

I can ping the new router (192.168.0.250) from the old one.

root@OpenWrt:~# ping 192.168.0.250
PING 192.168.0.250 (192.168.0.250): 56 data bytes
64 bytes from 192.168.0.250: seq=0 ttl=64 time=1.014 ms
64 bytes from 192.168.0.250: seq=1 ttl=64 time=0.637 ms
64 bytes from 192.168.0.250: seq=2 ttl=64 time=0.625 ms
64 bytes from 192.168.0.250: seq=3 ttl=64 time=0.727 ms

--- 192.168.0.250 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.625/0.750/1.014 ms

and I can also ping the remote gateway

root@OpenWrt:~# ping -c 2 192.168.20.254
PING 192.168.20.254 (192.168.20.254): 56 data bytes
64 bytes from 192.168.20.254: seq=0 ttl=63 time=8.465 ms
64 bytes from 192.168.20.254: seq=1 ttl=63 time=7.536 ms

--- 192.168.20.254 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 7.536/8.000/8.465 ms

so the route from the old router to the new router via WireGuard is working.

but I cannot ping the remote gateway from my client

2021-09-15 21:05:45 [mini@s006 ~]$ traceroute 192.168.20.254
traceroute to 192.168.20.254 (192.168.20.254), 30 hops max, 60 byte packets
 1  192.168.1.254 (192.168.1.254)  5.289 ms  5.499 ms  5.756 ms
 2  bbs252.abc.com (192.168.0.252)  0.264 ms  0.270 ms  0.258 ms
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *

the route is correct: it goes to the default gw first, the default gw routes to the old router (192.168.0.252), and then the routing is missing.

I already disabled the firewall in the old router for testing, so it should not be a firewall issue.
But I don't see what's wrong with the routing.

Any suggestions would be appreciated!

I will try to draw an illustration during business hours and upload it!

Either you have not allowed the source network over the wireguard tunnel, or the other side doesn't know about the source network and you'll have to either add a static route too or enable masquerade.


I'm not sure I'm following you.
Do you mean enable masq on the WireGuard interface in the new router?
Or enable masq on which interface in the old router?

Is there a return route on the other side of the tunnel for the lan behind the old router?


yes,

ip r on the remote gateway

192.168.0.0/24 dev wg0 proto static scope link 
192.168.1.0/24 dev wg0 proto static scope link 
192.168.5.0/24 dev wg0 proto static scope link 

A diagram would really help here.

The other side's route back to the .1.X network needs to have the gateway set to the tunnel IP of the other router. Consider you have two routers which hold an IP on their respective LAN as well as an IP on the VPN tunnel.

A: 192.168.0.254 and 192.168.20.1
B: 192.168.1.254 and 192.168.20.2

Static route on A: 192.168.1.0/24 via 192.168.20.2
Static route on B: 192.168.0.0/24 via 192.168.20.1

If A and B are not the main routers of their respective LAN you also need to install routes on those main routers:
Static route on 192.168.0.1 (A main router): 192.168.1.0/24 via 192.168.0.254
Static route on 192.168.1.1 (B main router): 192.168.0.0/24 via 192.168.1.254

NAT translates the source address of the packet to be the VPN IP of the gateway router rather than the original source. This makes it unnecessary to install a route back to the original source LAN at the far end, as the other network already knows how to send the return packet rather than seeing it come from an unknown LAN IP.

Of course you also have to make sure the firewall is allowing traffic. Assuming you trust everything on both LANs, you can just put all LAN and VPN interfaces into the existing lan zone, and make sure forwarding is allowed within that zone.

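The two failure modes named in the replies above (a missing return route at the far end versus masquerading on the VPN router) are easy to reason about with a hop-by-hop routing model. The following is an added example, not code from the thread or from OpenWrt: it builds the thread's topology (client behind a LAN gateway, the old router, the new VPN router, a tunnel, the remote gateway) with the LAN addresses quoted in the posts; the node and link names, the tunnel addresses 10.2.3.2/10.2.3.11, and the `192.168.1.0/24 via 192.168.0.1` route on the VPN router are assumptions. The tunnel is modelled as a plain point-to-point link (no WireGuard cryptokey routing), so a tunnel route needs an explicit next hop, which is exactly the point made about setting the gateway to the peer's tunnel IP.

```python
"""Hop-by-hop routing simulator for the two-LAN + tunnel topology discussed above.

Constructed example: node names, link names, the tunnel addresses 10.2.3.2 /
10.2.3.11 and the 'via 192.168.0.1' route on the VPN router are assumptions;
the LAN addresses are the ones quoted in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: str             # destination network, e.g. "192.168.1.0/24"
    link: str               # outgoing link (interface) name
    via: Optional[str] = None  # next-hop address; None = destination is on this link


@dataclass
class Node:
    name: str
    addrs: dict             # ip -> link the address lives on
    routes: list
    masq_link: Optional[str] = None  # SNAT to our own address when leaving this link


def lookup(node, dst):
    """Longest-prefix match over the node's routing table."""
    d, best = ipaddress.ip_address(dst), None
    for r in node.routes:
        net = ipaddress.ip_network(r.prefix)
        if d in net and (best is None or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
            best = r
    return best


def forward(nodes, start, src, dst, max_hops=16):
    """Push one packet hop by hop. Returns (status, path, source address as seen at the end)."""
    owner = {ip: (n.name, link) for n in nodes.values() for ip, link in n.addrs.items()}
    node, path = nodes[start], [start]
    for _ in range(max_hops):
        if dst in node.addrs:
            return "delivered", path, src
        r = lookup(node, dst)
        if r is None:
            return f"no route on {node.name}", path, src
        if r.link == node.masq_link:  # masquerade: replace source with our address on that link
            src = next(ip for ip, l in node.addrs.items() if l == r.link)
        nh = r.via or dst
        hit = owner.get(nh)
        if hit is None or hit[1] != r.link:
            return f"next hop {nh} not on link {r.link} of {node.name}", path, src
        node = nodes[hit[0]]
        path.append(node.name)
    return "hop limit exceeded", path, src


def round_trip(nodes, start, src, dst):
    """Request leg, reply leg, and (when the reply targets a NAT router) the un-NATed final leg."""
    status, out, seen = forward(nodes, start, src, dst)
    if status != "delivered":
        return "request " + status, out, []
    owner = {ip: n.name for n in nodes.values() for ip in n.addrs}
    status, back, _ = forward(nodes, owner[dst], dst, seen)
    if status == "delivered" and seen != src:  # NAT router translates back and forwards on
        status, tail, _ = forward(nodes, owner[seen], dst, src)
        back += tail[1:]
    return ("ok" if status == "delivered" else "reply " + status), out, back


def build(remote_extra=(), masq=False):
    """Topology: client -> LAN gateway -> old router -> new VPN router -> tunnel -> remote gateway."""
    return {n.name: n for n in [
        Node("client", {"192.168.1.6": "lan1"},
             [Route("192.168.1.0/24", "lan1"), Route("0.0.0.0/0", "lan1", "192.168.1.254")]),
        Node("lan_gw", {"192.168.1.254": "lan1", "192.168.0.1": "bb"},
             [Route("192.168.1.0/24", "lan1"), Route("192.168.0.0/24", "bb"),
              Route("192.168.20.0/24", "bb", "192.168.0.252")]),
        Node("old_router", {"192.168.0.252": "bb"},
             [Route("192.168.0.0/24", "bb"), Route("192.168.1.0/24", "bb", "192.168.0.1"),
              Route("192.168.20.0/24", "bb", "192.168.0.250")]),
        Node("new_router", {"192.168.0.250": "bb", "10.2.3.2": "tun"},
             [Route("192.168.0.0/24", "bb"), Route("192.168.1.0/24", "bb", "192.168.0.1"),
              Route("10.2.3.0/24", "tun"), Route("192.168.20.0/24", "tun", "10.2.3.11")],
             masq_link="tun" if masq else None),
        Node("remote_gw", {"10.2.3.11": "tun", "192.168.20.254": "lan20"},
             [Route("192.168.20.0/24", "lan20"), Route("10.2.3.0/24", "tun"),
              Route("192.168.0.0/24", "tun", "10.2.3.2"), *remote_extra]),
    ]}


if __name__ == "__main__":
    cases = {
        "old router pings remote": (build(), "old_router", "192.168.0.252"),
        "client, no return route": (build(), "client", "192.168.1.6"),
        "client, return route added": (build([Route("192.168.1.0/24", "tun", "10.2.3.2")]), "client", "192.168.1.6"),
        "client, masquerade on tunnel": (build(masq=True), "client", "192.168.1.6"),
    }
    for label, (nodes, start, src) in cases.items():
        status, out, back = round_trip(nodes, start, src, "192.168.20.254")
        print(f"{label}: {status}\n  out:  {' -> '.join(out)}\n  back: {' -> '.join(back)}")
```

Run as a script it reproduces the thread's symptom: the old router's ping succeeds because the far end has a route back to 192.168.0.0/24, while the client's request reaches 192.168.20.254 and the reply dies there for lack of a 192.168.1.0/24 route. Adding that route via the peer's tunnel address, or masquerading on the tunnel link so the reply is addressed to 10.2.3.2, both make the round trip complete.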

here is the diagram.

my goals

  1. remove the old 192.168.20.0 network
    a. delete the interface in 192.168.0.252
    b. detach the cable to the 192.168.20.0 network
  2. create a new 192.168.20.0 network in the new office with WireGuard using two new OpenWrt routers (19.07)
    DONE.
  3. all test clients can ping the new 192.168.20.54 and vice versa
    I have trouble here.

after some modifications, now I can ping from the new router to 2 clients.

192.168.0.250 to 192.168.0.2

root@HQ_VPN_ROUTER:~# ping -c 2 192.168.0.2
PING 192.168.0.2 (192.168.0.2): 56 data bytes
64 bytes from 192.168.0.2: seq=0 ttl=64 time=1.456 ms
64 bytes from 192.168.0.2: seq=1 ttl=64 time=1.196 ms

192.168.0.250 to 192.168.1.6

root@HQ_VPN_ROUTER:~# ping -c 2 192.168.1.6
PING 192.168.1.6 (192.168.1.6): 56 data bytes
64 bytes from 192.168.1.6: seq=0 ttl=64 time=1.417 ms
64 bytes from 192.168.1.6: seq=1 ttl=64 time=1.060 ms

and to remote gateway

192.168.0.250 to 192.168.20.254

root@HQ_VPN_ROUTER:~# ping -c 2 192.168.20.254
PING 192.168.20.254 (192.168.20.254): 56 data bytes
64 bytes from 192.168.20.254: seq=0 ttl=64 time=9.528 ms
64 bytes from 192.168.20.254: seq=1 ttl=64 time=7.488 ms

and to the old IPsec VPN

root@HQ_VPN_ROUTER:~# ping -c 2 192.168.28.40
PING 192.168.28.40 (192.168.28.40): 56 data bytes
64 bytes from 192.168.28.40: seq=0 ttl=62 time=19.257 ms
64 bytes from 192.168.28.40: seq=1 ttl=62 time=17.689 ms

everything looks great here!!!!
here is the routing table; I attached a cable from the 192.168.1.0 network to the new router (192.168.0.250) this morning (not shown on the diagram)

10.2.3.11 dev wg0 proto static scope link 
10.2.3.20 dev wg0 proto static scope link 
192.168.0.0/24 dev br-lan0 proto kernel scope link src 192.168.0.250 
192.168.1.0/24 dev br-lan1 proto kernel scope link src 192.168.1.253 
192.168.5.0/24 dev wg0 proto static scope link 
192.168.20.0/24 dev wg0 proto static scope link 
192.168.28.0/24 via 192.168.0.252 dev br-lan0 

but on the remote gateway, it's another story.

from 192.168.20.254 to 192.168.0.250

root@TP_VPN_ROUTER:~# ping -c 2 192.168.0.250
PING 192.168.0.250 (192.168.0.250): 56 data bytes
64 bytes from 192.168.0.250: seq=0 ttl=64 time=7.938 ms
64 bytes from 192.168.0.250: seq=1 ttl=64 time=9.880 ms

BUT, it cannot reach any other 192.168.0.0 client

root@TP_VPN_ROUTER:~# ping -c 2 192.168.0.2
PING 192.168.0.2 (192.168.0.2): 56 data bytes

--- 192.168.0.2 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

routing table

10.2.3.2 dev wg0 proto static scope link 
10.2.3.11 dev wg0 proto static scope link 
192.168.0.0/24 dev wg0 proto static scope link 
192.168.1.0/24 dev wg0 proto static scope link 
192.168.5.0/24 dev wg0 proto static scope link 
192.168.20.0/24 dev br-lan proto kernel scope link src 192.168.20.254 linkdown 

traceroute result

root@TP_VPN_ROUTER:~# traceroute 192.168.0.2
traceroute to 192.168.0.2 (192.168.0.2), 30 hops max, 46 byte packets
 1  10.2.3.2 (10.2.3.2)  6.729 ms  5.574 ms  5.884 ms
 2  *  *  *
 3  *  *  *
 4  *  *  *
 5  *  *  *
 6  *  *  *
 7  *  *  *
 8  *  *  *
 9  *  *  *
10  *  *  *

and cannot get to the 192.168.1.0 network

root@TP_VPN_ROUTER:~# ping -c 2 192.168.1.6
PING 192.168.1.6 (192.168.1.6): 56 data bytes

--- 192.168.1.6 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

and traceroute

root@TP_VPN_ROUTER:~# traceroute 192.168.1.6
traceroute to 192.168.1.6 (192.168.1.6), 30 hops max, 46 byte packets
 1  10.2.3.2 (10.2.3.2)  7.658 ms  7.628 ms  6.356 ms
 2  *  *  *
 3  *  *  *
 4  *  *  *
 5  *  *  *
 6  *  *  *
 7  *  *  *
 8  *  *  *
 9  *  *  *
10  *  *  *

The traffic has been transferred from 192.168.20.254 to 10.2.3.2,
but 10.2.3.2 does not know what the next hop is.

So, as usual, any suggestions would be appreciated! Thanks!