I'm using Luci. I have 2 subnets that are in the same zone:
cluster
lan
I was previously able to ping devices in the cluster subnet (172.16.0.1/24) from 192.162.1.1/24, but screwed with some settings and now all I get are ICMP timeouts when pinging.
I've been toggling various settings, but can't seem to get an ICMP response. The difference between rules and routes is throwing me off a bit in the interface, but I've lost access to my nodes in this subnet from any of my devices.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
There's a lot in your config, so we might need to go back to basics. Another possible issue is that you are running snapshot -- if you don't actually need to do this, you could run the current stable release, just in case there are any bugs in the snapshot that could affect things.
So it seems that if I add a static IPv4 route where the interface is Cluster and the target is 172.16.0.1/24, I'm able to SSH and ping nodes in the Cluster subnet from my lan subnet. I'm a little confused by this.
Is this what is needed to be done for networks in the same zone but different subnets?
But you have a lot happening.... the issue may be related to the fact that you have a route for 0.0.0.0/0 for the VPN... this is probably forcing everything through the tunnel rather than allowing the locally connected subnets to be routed to each other.
These routes are wrong anyway.... they need to be ending with .0 (i.e. 192.168.1.0/24) -- otherwise you are specifying the host at 192.168.1.1, not the subnet.
I thought only specifying a single host was denoted by /32 in that case? But good to know. However, ideally I don't have any routes defined at all. If they aren't necessary, do you have any tips for what else could be breaking this?
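The point made in the two posts above (a route target must be the network address, e.g. 192.168.1.0/24, while a single host is written with /32) is easy to check mechanically before a config is loaded. The following is an added example, not code from the thread or from OpenWrt: it parses `config route` sections in /etc/config/network syntax and classifies each target. The config text is constructed for the example and is not the poster's real config.

```python
import ipaddress
import re

# Constructed sample in OpenWrt UCI syntax (not the original poster's config).
# The first route has host bits set, the second uses a separate netmask,
# the third is a default route, the fourth is a single-host route.
SAMPLE_NETWORK_CONFIG = """
config route
	option interface 'cluster'
	option target '172.16.0.1/24'

config route
	option interface 'lan'
	option target '192.168.1.0'
	option netmask '255.255.255.0'

config route
	option interface 'wg0'
	option target '0.0.0.0/0'

config route
	option interface 'lan'
	option target '192.168.1.50/32'
"""


def parse_routes(text):
    """Return one dict per 'config route' section, mapping option name to value."""
    routes = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config route"):
            current = {}
            routes.append(current)
        elif current is not None:
            m = re.match(r"option\s+(\w+)\s+'([^']*)'", line)
            if m:
                current[m.group(1)] = m.group(2)
    return routes


def check_route(route):
    """Classify a route target.

    Returns (kind, network, message) where kind is one of
    'host_bits_set', 'single_host', 'default_route', 'ok' or 'invalid'.
    """
    iface = route.get("interface", "?")
    target = route.get("target", "")
    # UCI allows the prefix length as a separate 'netmask' option.
    if "/" not in target and "netmask" in route:
        target = f"{target}/{route['netmask']}"
    try:
        net = ipaddress.ip_network(target, strict=True)
    except ValueError:
        # strict=True rejects targets with host bits set, e.g. 172.16.0.1/24.
        # Re-parse leniently to report which subnet was probably intended.
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            return ("invalid", None, f"{iface}: target '{target}' is not a valid network")
        return ("host_bits_set", net,
                f"{iface}: target {target} names host {target.split('/')[0]}, "
                f"not a subnet; the subnet would be {net}")
    if net.prefixlen == net.max_prefixlen:
        return ("single_host", net, f"{iface}: {net} is a single-host route")
    if net.prefixlen == 0:
        return ("default_route", net,
                f"{iface}: {net} is a default route; it will carry all traffic "
                f"that no more specific route matches")
    return ("ok", net, f"{iface}: {net} looks fine")


def audit(text):
    """Run check_route over every route in a config and return the messages."""
    return [check_route(r)[2] for r in parse_routes(text)]


if __name__ == "__main__":
    for msg in audit(SAMPLE_NETWORK_CONFIG):
        print(msg)
```

On a live router the same check can be run against the real file with `ssh root@router cat /etc/config/network` piped into `audit()`; any route flagged `host_bits_set` is one whose target should end in the network address rather than a host address.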
Honestly, I'm not positive... it would take a bit of untangling to figure it out because you have several non-standard rules and routes in the network config. I'd recommend going back to basics, starting with just the lan and cluster networks (and of course the wan)... they should all route without any special rules or routes. Then add those additional rules one at a time.
For example... do you want all of your outbound traffic to use the tunnel? If so, there are easier ways of handling that -- just enable route allowed IPs on the WG peer config.
Ok, let me wipe the WireGuard config completely because for this current issue, I'm not even using any of the WireGuard-specific stuff.
I've wiped all routes, traffic rules and ipv4 rules. However, despite all that, I still cannot ping my nodes in the 172.16.0.0/24 subnet unless I add the route explicitly.
Looks like I needed to do a reboot. Back in business after wiping everything! VPN is broken now, but maybe I can work on that as a separate problem to simplify and will post if I have issues. Any chance you recommend a good guide for configuring that correctly?