Unable to access vlan via wireguard

smo83 · September 21, 2022, 3:17pm

Hi guys,
yeah i know there are already alot of topics about similar issues but they did not solve my problem. Maybe because of my additional vpn for all outgoing traffic of vlan.44.
The problem I am unable to solve is that clients connected via wireguard cann not access my server within the vlan.44.
In this case my mobile phone can connect to the wireguard over the mobile network and can access the luci interface on vlan.44 (192.168.44.1). But i am unable to access any other devices within the 192.168.44.0/24 network.

cat network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3e:f85f:fb99::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth1:t*'

config bridge-vlan
	option device 'br-lan'
	option vlan '44'
	list ports 'eth1:t'

config device
	option name 'eth1'
	option macaddr (hidden)

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'lan44'
	option device 'br-lan.44'
	option proto 'static'
	option ipaddr '192.168.44.1'
	option netmask '255.255.255.0'

config device
	option vid '1'
	option type '8021q'
	option name 'br-lan.1'
	option ifname 'br-lan'

config device
	option vid '44'
	option ifname 'br-lan'
	option name 'br-lan.44'
	option type '8021q'

config device
	option name 'eth0'
	option macaddr (hidden)

config interface 'wan'
	option device 'eth0'
	option proto 'pppoe'
	option username (hidden)
	option password (hidden)
	option ipv6 'auto'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'

config interface 'nordlynx'
	option proto 'wireguard'
	list addresses '10.5.0.2/32'
	option private_key (hidden)

config wireguard_nordlynx
	option endpoint_port '51820'
	option public_key (hidden)
	option description 'NL'
	option endpoint_host (hidden)
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'

config route
	option table '10'
	option target '0.0.0.0/0'
	option interface 'nordlynx'

config rule
	option in 'lan44'
	option lookup '10'

config route
	option table '11'
	option target '0.0.0.0/0'
	option interface 'wan'

config rule
	option in 'lan'
	option lookup '11'

config interface 'wg0'
	option proto 'wireguard'
	option private_key (hidden)
	option listen_port '6666'
	list addresses '10.0.0.1/24'

config wireguard_wg0
	option description 'phone'
	option public_key (hidden) 
	option private_key (hidden)
	option preshared_key (hidden)
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	list allowed_ips '10.0.0.10/32'

config route
	option table '9'
	option interface 'lan44'
	option target '0.0.0.0/0'

config rule
	option lookup '9'
	option in 'wg0'

cat firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'REJECT'


config zone
	option name 'lan44'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan44'

config zone
	option name 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'wg0'
	option forward 'ACCEPT'

config zone
	option name 'nordlynx'
	option input 'DROP'
	option forward 'DROP'
	list network 'nordlynx'
	option masq '1'
	option output 'DROP'

config forwarding
	option src 'wg0'
	option dest 'lan44'

config forwarding
	option src 'lan44'
	option dest 'nordlynx'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option dest_port '6666'
	option src 'wan'
	option name 'wan-local-wg'
	option target 'ACCEPT'
	list proto 'udp'

smo83 · September 22, 2022, 9:51pm

Update:
as soon as i disable the route of table 10 i am able to access the vlan.44 via wireguard but than the vlan.44 has no network connection.

pavelgl · September 23, 2022, 7:06am

This means there are routing issues.

Enabling masquerading ~~on the wg0~~ zone should solve your problem, but the correct way would be to debug this complicated configuration.

What is the purpose of this?

Correction: Enable masquerading on the lan44 zone.

smo83 · September 23, 2022, 7:42am

Hi Pavel thanks for your reply.
The idea of this setup is that the vlan44 has only access to the internet using the nordlynx wireguard. This works great for a few weeks. Now I try to use the wg0 to allow external hosts to join my vlan44 network (my phone) so that I am able to reach my server from everywhere.
With the route I tried to to allow a route from wg0 into vlan44

smo83 · September 26, 2022, 7:01pm

Enabling masquerading ~~on the wg0~~ zone should solve your problem, but the correct way would be to debug this complicated configuration.

yes you are right. this works as soon as i masquerading zone wg0 => vlan44 but as you already mentioned i am not happy with this.
BTW masquerading vlan44 => nordlynx did not work