VLANs unable to access wireguard peers

Hi everyone,

I think I am missing something obvious here.

I have my OpenWRT setup as a wireguard "server" (interface REM_VPN) and can connect with my phone to it using mobile data. From my trusted HOME network I can ping the phone and vice versa. All good, the happy path.

At my parents' home, their router also supports remote access and provides a respective wireguard config. I set that up, created a new wireguard interface on my OpenWRT router (HAM_VPN), fired it up and it seems to work fine. Pinging my parents' router from my OpenWRT works fine. Curling the web interface of the router works as well.

However, I am not able to get access to that router working from my trusted network. The same network which can access devices on REM_VPN just fine.

I cannot really produce a minimum example because I am quite late in the configuration process and setting up OpenWRT again takes quite some time - even with backups.

My respective interface definitions:

config interface 'HOME_VLAN'
	option proto 'static'
	option device 'eth0.10'
	option ipaddr '10.0.10.1'
	option netmask '255.255.255.0'

config interface 'REM_VPN'
	option proto 'wireguard'
	option private_key '<private-key>'
	option listen_port '56550'
	list addresses '10.0.11.1/24'

config wireguard_REM_VPN
	option description 'Phone'
	option public_key '<public-key>'
	option private_key '<private-key>'
	option preshared_key '<preshared-key>'
	list allowed_ips '10.0.11.12/32'
	option route_allowed_ips '1'

config interface 'HAM_VPN'
	option proto 'wireguard'
	option private_key '<private-key>'
	list addresses '192.168.178.202/24'

config wireguard_HAM_VPN
	option description 'FritzHAM'
	option public_key '<public-key>'
	option preshared_key '<public-key>'
	list allowed_ips '192.168.178.1/32'
	option route_allowed_ips '1'
	option endpoint_host '<parents-router-address>'
	option endpoint_port '59250'
	option persistent_keepalive '25'

My firewall config:

config zone
	option name 'Z_REM'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'REM_VPN'

config zone
	option name 'Z_REM_HAM'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'HAM_VPN'

config forwarding
	option src 'Z_REM'
	option dest 'Z_HOME'

config forwarding
	option src 'Z_HOME'
	option dest 'Z_REM'

config forwarding
	option src 'Z_REM_HOME'
	option dest 'Z_HOME'

config forwarding
	option src 'Z_HOME'
	option dest 'Z_REM_HAM'

I want to treat HAM_VPN similar to wan but I first tried to make the two configurations as similar as possible to detect my issue.
There are no rules defined except for

config rule
	option name 'Wireguard HOME'
	option src 'wan'
	option dest_port '56550'
	option target 'ACCEPT'
	list proto 'udp'

It doesn't seem to be a connection issue since the handshake is fine and I can curl the remote router's web interface from my router's cli.

I just messed up with the routing of my trusted network but I don't know where.
Does anyone have an idea?

Small snippets of config files are not nearly as useful as you think they might be. Let's start with providing full configs. We need:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Remember to redact passwords, MAC addresses and any public IP addresses you may have.

Thanks for the help. I thought there might be something along the lines of a wrong subnet mask or similar that you would spot directly.

ubus call system board

{
	"kernel": "5.15.150",
	"hostname": "OpenWrt",
	"system": "Intel(R) Celeron(R) CPU N3350 @ 1.10GHz",
	"model": "Default string Default string",
	"board_name": "default-string-default-string",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "x86/64",
		"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
	}
}

/etc/config/firewall (note that pbr is deactivated) in Luci:


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'MGMT'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'MGMT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'MGMT'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'MGMT'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'MGMT'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'Z_HOME'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'HOME_VLAN'

config zone
	option name 'Z_GUEST'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'GUEST_VLAN'

config zone
	option name 'Z_ISO1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'ISO1_VLAN'

config zone
	option name 'Z_WORK'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'WORK_VLAN'

config rule
	option name 'HOME DNS'
	option src 'Z_HOME'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'GUEST DNS'
	option src 'Z_GUEST'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'ISO1 DNS'
	option src 'Z_ISO1'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'MEDIA VPN DNS'
	option src 'Z_MED_VPN'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'WORK DNS'
	option src 'Z_WORK'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'HOME DHCP'
	option src 'Z_HOME'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'GUEST DHCP'
	option src 'Z_GUEST'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'ISO1 DHCP'
	option src 'Z_ISO1'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'WORK DHCP'
	option src 'Z_WORK'
	option dest_port '67-68'
	option target 'ACCEPT'

config forwarding
	option src 'Z_HOME'
	option dest 'wan'

config forwarding
	option src 'Z_GUEST'
	option dest 'wan'

config forwarding
	option src 'Z_ISO1'
	option dest 'wan'

config forwarding
	option src 'Z_WORK'
	option dest 'wan'

config forwarding
	option src 'Z_HOME'
	option dest 'MGMT'

config forwarding
	option src 'Z_HOME'
	option dest 'Z_GUEST'

config rule
	option name 'HOME_VLAN mDNS'
	list proto 'udp'
	option src 'Z_HOME'
	option src_port '5353'
	option dest_port '5353'
	option target 'ACCEPT'
	list dest_ip '224.0.0.251'

config rule
	option name 'GUEST_VLAN mDNS'
	list proto 'udp'
	option src 'Z_GUEST'
	option src_port '5353'
	option dest_port '5353'
	option target 'ACCEPT'
	list dest_ip '224.0.0.251'

config rule
	option name 'TV'
	option src 'Z_GUEST'
	option dest 'Z_HOME'
	list dest_ip '10.0.10.33'
	option target 'ACCEPT'

config redirect
	option dest 'MGMT'
	option target 'DNAT'
	option name 'Webserver HTTP'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest_ip '10.0.1.31'
	option dest_port '80'

config redirect
	option dest 'MGMT'
	option target 'DNAT'
	option name 'Webserver HTTPS'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest_ip '10.0.1.31'
	option dest_port '443'

config zone
	option name 'Z_REM'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'REM_VPN'

config zone
	option name 'Z_REM_HAM'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'HAM_VPN'

config rule
	option name 'Wireguard HOME'
	option src 'wan'
	option dest_port '56550'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option name 'Wireguard Media'
	option src 'wan'
	option dest_port '63223'
	option target 'ACCEPT'
	list proto 'udp'

config forwarding
	option src 'Z_REM'
	option dest 'wan'

config forwarding
	option src 'Z_REM'
	option dest 'MGMT'

config forwarding
	option src 'Z_REM'
	option dest 'Z_GUEST'

config forwarding
	option src 'Z_REM'
	option dest 'Z_HOME'

config forwarding
	option src 'Z_HOME'
	option dest 'Z_REM'

config forwarding
	option src 'Z_HOME'
	option dest 'Z_WORK'

config rule
	option name 'mDNS HOME'
	list proto 'udp'
	option src 'Z_HOME'
	option dest_port '5353'
	option target 'ACCEPT'
	list dest_ip '224.0.0.251'

config rule
	option name 'mDNS GUEST'
	list proto 'udp'
	option src 'Z_GUEST'
	option dest_port '5353'
	option target 'ACCEPT'
	list dest_ip '224.0.0.251'

config rule
	option name 'USBIP - Work'
	option src 'Z_WORK'
	option dest 'Z_HOME'
	list dest_ip '10.0.10.237'
	option target 'ACCEPT'

config redirect
	option dest 'MGMT'
	option target 'DNAT'
	option name 'PIA Forwarding'
	option src 'wan'
	option src_dport '56631'
	option dest_ip '10.0.1.31'
	option dest_port '28861'

config zone
	option name 'Z_MED_VPN'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'MEDIA_VPN'

config rule
	option name 'VPN Media Jelly'
	option src 'Z_MED_VPN'
	option dest 'MGMT'
	list dest_ip '10.0.1.31'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'

config forwarding
	option src 'Z_HOME'
	option dest 'Z_REM_HAM'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

/etc/config/dhcp


config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dnsmasq 'General_dns'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.MGMT'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '0'

config dhcp 'MGMT'
	option interface 'MGMT'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option instance 'General_dns'

config dhcp 'HOME_VLAN'
	option interface 'HOME_VLAN'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option instance 'General_dns'

config dhcp 'GUEST_VLAN'
	option interface 'GUEST_VLAN'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option instance 'General_dns'

config dhcp 'ISO1_VLAN'
	option interface 'ISO1_VLAN'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option instance 'General_dns'

config dhcp 'WORK_VLAN'
	option interface 'WORK_VLAN'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option instance 'General_dns'

config host
	option name 'TV'
	option ip '10.0.10.33'
	list mac '<redacted>'

config host
	option name 'tower'
	list mac '<redacted>'
	option ip '10.0.1.31'

config host
	option name 'wifi-ap'
	list mac '<redacted>'
	option ip '10.0.1.21'

config host
	option name 'pve'
	list mac '<redacted>'
	option ip '10.0.1.32'

config host
	option name 'switch-1'
	list mac '<redacted>'
	option ip '10.0.1.11'

config host
	option name 'switch-2'
	list mac '<redacted>'
	option ip '10.0.1.12'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

config domain
	option name '<redacted>'
	option ip '10.0.1.31'

/etc/config/network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd0f:8235:0c3f::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '4'
	option name 'eth0.4'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '10'
	option name 'eth0.10'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '11'
	option name 'eth0.11'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '20'
	option name 'eth0.20'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '30'
	option name 'eth0.30'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config interface 'MGMT'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.0.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'HOME_VLAN'
	option proto 'static'
	option device 'eth0.10'
	option ipaddr '10.0.10.1'
	option netmask '255.255.255.0'

config interface 'GUEST_VLAN'
	option proto 'static'
	option device 'eth0.4'
	option ipaddr '10.0.4.1'
	option netmask '255.255.255.0'

config interface 'ISO1_VLAN'
	option proto 'static'
	option device 'eth0.20'
	option ipaddr '10.0.20.1'
	option netmask '255.255.255.0'

config interface 'WORK_VLAN'
	option proto 'static'
	option device 'eth0.30'
	option ipaddr '10.0.30.1'
	option netmask '255.255.255.0'

config interface 'REM_VPN'
	option proto 'wireguard'
	option private_key '<redacted>'
	option listen_port '56550'
	list addresses '10.0.11.1/24'

config interface 'HAM_VPN'
	option proto 'wireguard'
	option private_key '<redacted>'
	list addresses '192.168.178.202/24'

config wireguard_REM_VPN
	option description 'Phone'
	option public_key '<redacted>'
	option private_key '<redacted>'
	option preshared_key '<redacted>'
	list allowed_ips '10.0.11.12/32'
	option route_allowed_ips '1'

config wireguard_REM_VPN
	option description 'Laptop'
	option public_key '<redacted>'
	option private_key '<redacted>'
	option preshared_key '<redacted>'
	list allowed_ips '10.0.11.11/32'
	option route_allowed_ips '1'

config wireguard_HAM_VPN
	option description 'FritzHAM'
	option public_key '<redacted>'
	option preshared_key '<redacted>'
	list allowed_ips '192.168.178.1/32'
	option route_allowed_ips '1'
	option endpoint_host '<redacted>'
	option endpoint_port '59250'
	option persistent_keepalive '25'

config interface 'MEDIA_VPN'
	option proto 'wireguard'
	option private_key '<redacted>'
	option listen_port '63223'
	list addresses '10.0.12.1/32'

config wireguard_MEDIA_VPN
	option description 'Phone'
	option public_key '<redacted>'
	option private_key '<redacted>'
	option preshared_key '<redacted>'
	list allowed_ips '10.0.12.11/32'
	option route_allowed_ips '1'

config wireguard_MEDIA_VPN
	option description 'User1'
	option public_key '<redacted>'
	option private_key '<redacted>'
	option preshared_key '<redacted>'
	list allowed_ips '10.0.12.12/32'
	option route_allowed_ips '1'

config wireguard_MEDIA_VPN
	option description 'Laptop'
	option public_key '<redacted>'
	option private_key '<redacted>'
	option preshared_key '<redacted>'
	list allowed_ips '10.0.12.13/32'
	option route_allowed_ips '1'

config wireguard_MEDIA_VPN
	option description 'User2'
	option public_key '<redacted>'
	option private_key '<redacted>'
	option preshared_key '<redacted>'
	list allowed_ips '10.0.12.14/32'
	option route_allowed_ips '1'

Thanks for taking the time

A lot of information to digest and I just had a quick look so might be talking rubbish :wink:

It looks like you have set up two WG servers and one WG client to your parents' home.
(technically WG is a peer to peer setup but for simplicity we use server and client)

One potential problem I see is that the WG subnet 192.168.178.0/24 might be the same as the parents' router subnet?
WG is a routed solution needing three different subnets (the server, the client and WG itself have to have different subnets).

In your case you might get away with it as you do not masquerade on the WG interface.
But this means that the parents' router has to have your subnet(s) as allowed IPs, both to allow traffic and to make a route back.
I would check this first.


Thanks, I'll have a look! Be right back

Yes, that's the same subnet as my parents' router's subnet.

So you say a correct setup would be

Parents' LAN: 192.168.178.0/24
My HOME LAN: 10.0.10.0/24

The wireguard peers:
192.168.100.1/32
192.168.100.2/32
or any other network that's neither my network subnet nor my parents'.

Is that correct?

I know, I can easily edit my part of the config to reflect that and give my HAM_VPN interface a static IP of 192.168.100.2 and could set the peer's address to 192.168.100.1.

The config was generated by my parents' FritzBox, however. I don't remember and can't look right now, but I am pretty sure it didn't give me any options to configure that differently.

You are right, though. On my REM_VPN network I have 10.0.10.0/24 for HOME, 10.0.11.0/24 for WG and whatever my carrier is giving my mobile. That's three networks and makes sense to me now that you're mentioning it.

EDIT: Stupidly, I just remembered that I had it working at the beginning of this year. I dug up the old config from a backup but the wireguard interface / peer is the same as posted above.

Correct, but your WG server's address on the parents' router should be 192.168.100.1/24 and the peers 192.168.100.X/32.

But as said, if you have set as peer allowed IPs on your parents' router not only your current WG address 192.168.178.202 but also your home subnet 10.0.10.0/24, then it could already work.
You need to set the home subnet in any case besides the peer address, so try that first.
Setting the home subnet is necessary as you are not masquerading the WG traffic on your end.

That actually did the trick ...
I set the Masquerading checkmark on my REM_VPN zone and now, I can ping the remote router and access the router's config page.

I don't know what masquerading means and I am going to research that a little, but I feel it's that my router "repacks" my traffic to be sent under the HAM_VPN's IP?

If you are happy I am happy. :+1:

From a best practice perspective it is not the optimal setup but it does work and does no harm :slight_smile:
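
The behaviour discussed in the replies above, as an added example (not code from the thread, OpenWrt or AVM): a small Python model of WireGuard's allowed-IPs check that shows why the router itself reached 192.168.178.1 while HOME clients did not, and why either masquerading or adding the home subnet on the remote side changes the result. The Fritz!Box's allowed IPs for the single-device profile (`192.168.178.202/32`) and the client address `10.0.10.50` are assumptions; the thread does not show them.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class PeerEntry:
    """One side's view of the other peer: the allowed IPs it holds for it."""
    name: str
    allowed_ips: list

    def allows(self, addr):
        return any(ip_address(addr) in ip_network(net) for net in self.allowed_ips)


def trace(src, dst, local_view, remote_view, tunnel_addr, masq):
    """Follow one packet from the OpenWrt side through the tunnel.

    local_view  : OpenWrt's peer entry for the remote router
    remote_view : the remote router's peer entry for OpenWrt
    masq        : True if the firewall zone of the tunnel masquerades
    Returns (delivered, reason).
    """
    # Sending: WireGuard picks the peer whose allowed IPs contain the destination.
    if not local_view.allows(dst):
        return False, "no peer on OpenWrt has this destination in allowed_ips"
    # Masquerading rewrites the source to the tunnel interface address.
    wire_src = tunnel_addr if masq else src
    # Receiving: the remote side drops decrypted packets whose source is not
    # in the allowed IPs it holds for the sending peer. The same list is its
    # route back, so a source that passes here can also be answered.
    if not remote_view.allows(wire_src):
        return False, f"remote drops source {wire_src}: not in its allowed IPs"
    return True, f"delivered with source {wire_src}"


# Values from the posted config.
TUNNEL_ADDR = "192.168.178.202"
REMOTE_ROUTER = "192.168.178.1"
OPENWRT_VIEW = PeerEntry("FritzHAM", ["192.168.178.1/32"])

# Assumed remote-side entries (not shown in the thread).
FRITZ_SINGLE_DEVICE = PeerEntry("OpenWrt", ["192.168.178.202/32"])
FRITZ_SITE_TO_SITE = PeerEntry("OpenWrt", ["192.168.178.202/32", "10.0.10.0/24"])

HOME_CLIENT = "10.0.10.50"  # constructed address inside HOME_VLAN


def scenarios():
    """Run the four cases from the thread and return {label: (ok, reason)}."""
    return {
        "router itself": trace(TUNNEL_ADDR, REMOTE_ROUTER, OPENWRT_VIEW,
                               FRITZ_SINGLE_DEVICE, TUNNEL_ADDR, masq=False),
        "HOME client, no masq": trace(HOME_CLIENT, REMOTE_ROUTER, OPENWRT_VIEW,
                                      FRITZ_SINGLE_DEVICE, TUNNEL_ADDR, masq=False),
        "HOME client, masq": trace(HOME_CLIENT, REMOTE_ROUTER, OPENWRT_VIEW,
                                   FRITZ_SINGLE_DEVICE, TUNNEL_ADDR, masq=True),
        "HOME client, site-to-site": trace(HOME_CLIENT, REMOTE_ROUTER, OPENWRT_VIEW,
                                           FRITZ_SITE_TO_SITE, TUNNEL_ADDR, masq=False),
    }


if __name__ == "__main__":
    for label, (ok, reason) in scenarios().items():
        print(f"{label:28} {'OK  ' if ok else 'DROP'} {reason}")
```

With masquerading, the remote router sees every HOME client as the single tunnel address, so it cannot filter or log per host; the site-to-site variant keeps the real source addresses visible to it.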


For what it's worth. You got me thinking and I had another look into the other router's menu.

The AVM Fritz!Box does prompt during wireguard config generation whether this is supposed to be a site-to-site setup or whether it's a single device setup.

I guess at the time, I selected the single device setup. That's maybe why it doesn't work without masquerading the zone.

I will generate another config with the site to site options and see if that gets me further. Currently, I can interact with all of the other network's devices but the IPTV for example doesn't work.

For any German readers out there, this turned out to be a good article:

It's behind a paywall, though. I am pretty sure I am not allowed to paste the content here.
