Unable to ping devices in a different subnet

I'm using Luci. I have 2 subnets that are in the same zone:

  • cluster
  • lan

I was previously able to ping devices in the cluster subnet (172.16.0.1/24) from 192.162.1.1/24, but screwed with some settings and now all I get are ICMP timeouts when pinging.

I've been toggling various settings, but can't seem to get an ICMP response. The difference between rules and routes is throwing me off a bit in the interface, but I've lost access to my nodes in this subnet from any of my devices.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
root@OpenWrt:~# ubus call system board
{
	"kernel": "6.1.63",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Dynalink DL-WRX36",
	"board_name": "dynalink,dl-wrx36",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r24455-df167450a5",
		"target": "qualcommax/ipq807x",
		"description": "OpenWrt SNAPSHOT r24455-df167450a5"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd0b:c24d:66f8::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option peerdns '0'
	list dns '2001:4860:4860::8888'
	list dns '2001:4860:4860::8844'

config device
	option type 'bridge'
	option name 'br-vpn'
	option bridge_empty '1'
	list ports 'lan1'

config interface 'vpn'
	option proto 'static'
	option device 'br-vpn'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	list dns '192.168.1.1'

config interface 'WGVPN'
	option proto 'wireguard'
	option nohostroute '1'

config rule
	option src '192.168.10.1/24'
	option in 'vpn'
	option lookup '3'

config wireguard_WGVPN
	option description 'us-lax-wg-201.conf'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option endpoint_port '51820'

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'lan2'
	option bridge_empty '1'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'

config device
	option type 'bridge'
	option name 'ClusterBridge'
	list ports 'lan3'
	option bridge_empty '1'

config interface 'Cluster'
	option proto 'static'
	option device 'ClusterBridge'
	option ipaddr '172.16.0.1'
	option netmask '255.255.255.0'

config route
	option interface 'WGVPN'
	option target '0.0.0.0/0'
	option table '3'

config rule
	option in 'lan'
	option out 'Cluster'
	option dest '172.16.0.1/24'

config route
	option interface 'lan'
	option target '192.168.1.1/24'

Firewall

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn'
	list network 'Cluster'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'WGVPN'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'Guest-DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Guest DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'G2L'
	option src 'guest'
	option dest 'lan'
	option target 'ACCEPT'
	list proto 'all'

config rule
	option name 'L2G'
	list proto 'all'
	option src 'lan'
	option dest 'guest'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '172.16.0.10'
	option dest_port '51820'
	list proto 'udp'
	option enabled '0'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'guest'
	option src_dport '51820'
	option dest_ip '172.16.0.10'
	option dest_port '51820'
	option enabled '0'

config rule
	option dest 'lan'
	option target 'ACCEPT'
	list dest_ip '172.16.0.20'
	list dest_ip '172.16.0.30'
	list dest_ip '172.16.0.10'
	list proto 'all'
	option src '*'

config redirect
	option dest 'lan'
	option target 'DNAT'
	list proto 'tcp'
	option src 'lan'
	option src_dport '22'
	option dest_port '22'
	option enabled '0'

There's a lot in your config, so we might need to go back to basics. Another possible issue is that you are running snapshot -- if you don't actually need to do this, you could run the current stable release, just in case there are any bugs in the snapshot that could affect things.

That said, delete these:

Then reboot and try again.

So it seems that if I add a static IPv4 route where the interface is Cluster and the target is 172.16.0.1/24, I'm able to SSH and ping nodes in the Cluster subnet from my lan subnet. I'm a little confused by this.

Is this what is needed to be done for networks in the same zone but different subnets?

Normally, no.

But you have a lot happening.... the issue may be related to the fact that you have a route for 0.0.0.0/0 for the VPN... this is probably forcing everything through the tunnel rather than allowing the locally connected subnets to be routed to each other.


I've disabled all rules and all routes except lan as shown in the photo.

It's weird that I still can't hit nodes in the 172.16.0.1/24 subnet when this is the case I feel.

When Cluster is re-enabled it works. All while WGVPN is disabled.

These routes are wrong anyway.... they need to end with .0 (i.e. 192.168.1.0/24) -- otherwise you are specifying the host at 192.168.1.1, not the subnet.

I thought only specifying a single host was denoted by /32 in that case? But good to know. However, ideally I don't have any routes defined at all. If they aren't necessary, do you have any tips for what else could be breaking this?
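An added example, not code from the thread or from the OpenWrt project, that makes the point about route targets concrete: it parses the `config route` sections of an OpenWrt `/etc/config/network` file (the sample below is a constructed excerpt using the targets posted above) and reports any target that names a host inside a prefix, such as 192.168.1.1/24, together with the subnet address the route should have used. It also answers the /32 question: a host address is only a valid network target when the prefix length covers every bit (/32 for IPv4, /128 for IPv6), which `ipaddress.ip_network(..., strict=True)` accepts, while 192.168.1.1/24 is rejected because host bits are set. The `parse_uci_sections`, `check_route_target` and `audit_routes` names are this example's own.

```python
"""Audit static route targets in an OpenWrt UCI network config.

Added example for this thread; not OpenWrt project code.  It flags
route targets that carry host bits (192.168.1.1/24) and suggests the
network address (192.168.1.0/24), and marks catch-all routes so a
default route pushed through a tunnel stands out.
"""
import ipaddress
import re

# Constructed sample: route sections in the style of the config posted
# above, with the host-style lan target left exactly as it was posted.
SAMPLE_NETWORK_CONFIG = """
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config route
	option interface 'WGVPN'
	option target '0.0.0.0/0'
	option table '3'

config route
	option interface 'lan'
	option target '192.168.1.1/24'

config route
	option interface 'Cluster'
	option target '172.16.0.0/24'
"""

_SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?$")
_OPTION_RE = re.compile(r"^(option|list)\s+(\S+)\s+'(.*)'$")


def parse_uci_sections(text):
    """Return [(section_type, {key: value}), ...] for a UCI file.
    'option' keys map to a string; 'list' keys map to a list of strings."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if m:
            current = (m.group(1), {})
            sections.append(current)
            continue
        m = _OPTION_RE.match(line)
        if m and current is not None:
            kind, key, val = m.groups()
            if kind == "option":
                current[1][key] = val
            else:
                current[1].setdefault(key, []).append(val)
    return sections


def check_route_target(target):
    """Classify a route target.

    Returns (verdict, network) where verdict is 'network' (a proper
    subnet, or a /32 / /128 host route), 'host-in-prefix' (host bits set,
    e.g. 192.168.1.1/24; network holds the corrected subnet) or
    'invalid' (not parseable; network is None)."""
    try:
        return "network", str(ipaddress.ip_network(target, strict=True))
    except ValueError:
        pass
    try:
        return "host-in-prefix", str(ipaddress.ip_network(target, strict=False))
    except ValueError:
        return "invalid", None


def audit_routes(text):
    """One finding per 'config route' section, in file order."""
    findings = []
    for stype, opts in parse_uci_sections(text):
        if stype != "route":
            continue
        target = opts.get("target", "")
        verdict, net = check_route_target(target)
        findings.append({
            "interface": opts.get("interface"),
            "target": target,
            "verdict": verdict,
            "suggested": net,
            "table": opts.get("table"),          # None means the main table
            "catch_all": net is not None and net.endswith("/0"),
        })
    return findings


if __name__ == "__main__":
    for f in audit_routes(SAMPLE_NETWORK_CONFIG):
        note = ""
        if f["verdict"] == "host-in-prefix":
            note = f"  <- host bits set; use {f['suggested']}"
        elif f["catch_all"]:
            note = "  <- default route" + (f" in table {f['table']}" if f["table"] else "")
        print(f"{f['interface']:8} {f['target']:18} {f['verdict']}{note}")
```

Run against a real device with `ssh root@router cat /etc/config/network | python3 audit_routes.py` after replacing `SAMPLE_NETWORK_CONFIG` with `sys.stdin.read()`; the `table` field shows which routes live outside the main table, which is where the 0.0.0.0/0 route via the tunnel in this thread sits.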

Honestly, I'm not positive... it would take a bit of untangling to figure it out because you have several non-standard rules and routes in the network config. I'd recommend going back to basics, starting with just the lan and cluster networks (and of course the wan)... they should all route without any special rules or routes. Then add those additional rules one at a time.

For example... do you want all of your outbound traffic to use the tunnel? If so, there are easier ways of handling that -- just enable route allowed IPs on the WG peer config.

Ok, let me wipe Wireguard config completely because for this current issue, I'm not even using any of the wireguard specific stuff.

I've wiped all routes, traffic rules and ipv4 rules. However, despite all that, I still cannot ping my nodes in the 172.16.0.0/24 subnet unless I add the route explicitly.

If that doesn't fix the issue, post the updated config.


Looks like I needed to do a reboot. Back in business after wiping everything! VPN is broken now, but maybe I can work on that as a separate problem to simplify and will post if I have issues. Any chance you recommend a good guide for configuring that correctly?

