VPN Policy-Based Routing + Web UI -- Discussion

Here are my configs. My setup is:

  • a guest network directed over my wan
  • a 'family' network which uses dnsmasq+unbound with cleanbrowsing.org's 'family filter' (over TLS), with traffic directed over my VPN provider
  • my lan interface which uses dnsmasq+stubby (possibly of interest to @rainmaverick; see my dhcp config) for DNS over TLS and which directs traffic over my VPN provider (with a couple of clients excluded)
  • my 'phone home' wireguard server is in my lan firewall zone, and its traffic is directed over the wan interface (useful if I need to appear to come from my ISP-provided static IP address).

@risc I think the key bits for running both wireguard interfaces alongside each other are:
option append_local_rules '! -d 192.168.0.0/16' in config vpn-policy-routing 'config'

and ensuring that route_allowed_ips is removed or set to 0 in config wireguard_wgserver, so that the peer's allowed_ips are not installed as kernel routes that would compete with the policy routing

@stangri I'll roll back to the older build this evening and populate the list of supported interfaces, as requested

/etc/config/network

# /etc/config/network
# wan (PPPoE) and MODEM (static 192.168.2.2) both sit on eth0.2; the MODEM
# alias exists only to reach the modem's own address (192.168.2.1, which the
# firewall DROPs for the guest and family zones). Keys and PPPoE credentials
# are redacted.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd2c:dd09:d634::/48'

# lan: 192.168.100.0/24 plus an IPv6 /60 carved from the delegated prefix.
# Only IPv4 is policy-routed (vpn-policy-routing has ipv6_enabled '0' and the
# mullvad tunnel below carries only an IPv4 address), so if the ISP delegates
# a prefix via wan6, lan clients' IPv6 traffic leaves via wan6, not the VPN.
# NOTE(review): confirm whether a prefix is actually delegated; if so, either
# disable IPv6 on lan or accept that IPv6 bypasses the tunnel.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.100.1'
	option ip6assign '60'
	option netmask '255.255.255.0'

# wan: ISP resolvers are ignored (peerdns '0'); the two addresses here only
# feed the router's own resolv.conf. Every dnsmasq instance in /etc/config/dhcp
# sets noresolv '1', so none of them uses these.
config interface 'wan'
	option ifname 'eth0.2'
	option proto 'pppoe'
	option username '<redacted>'
	option password '<redacted>'
	option ipv6 'auto'
	option peerdns '0'
	option dns '84.200.69.80 84.200.70.40'

# wan6: IPv6 side of the same link; reqprefix 'auto' asks the ISP for a
# delegated prefix (see the lan note above).
config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	option dns '2001:1608:10:25::1c04:b12f 2001:1608:10:25::9249:d69b'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1 (ports 1-4, tagged on CPU port 6) backs eth1.1 = lan;
# VLAN 2 (port 5, tagged on CPU port 0) backs eth0.2 = wan/MODEM.
# (CPU port to ethX mapping is presumed from the ifnames above.)
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

# streaming: 192.168.3.0/24 bridge (member interface not listed here). It is in
# the lan firewall zone but no vpn-policy-routing policy covers it, so it
# follows the default route (wan) unless something outside this post adds one.
config interface 'streaming'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option type 'bridge'

# guest: 10.0.0.0/24 bridge, its own firewall zone, forwarded only to wan.
config interface 'guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.0.0.1'
	option type 'bridge'

# wgserver: inbound 'phone home' WireGuard server on udp/52000 (opened by the
# Allow-Wireguard-Inbound firewall rule), tunnel address 192.168.99.1/24.
# No route_allowed_ips here, as the post notes, so the peer's allowed_ips is
# not installed as a route.
config interface 'wgserver'
	option proto 'wireguard'
	option private_key '<redacted>'
	option listen_port '52000'
	list addresses '192.168.99.1/24'

# mullvad: VPN egress. force_link '1' brings the interface up without waiting
# for a carrier. Only an IPv4 /32 is assigned, so nothing IPv6 can use this
# tunnel.
config interface 'mullvad'
	option proto 'wireguard'
	option private_key '<redacted>'
	option force_link '1'
	list addresses '10.99.57.166/32'

# Single road-warrior peer ('pixel'); only 192.168.99.3/32 is accepted from it.
config wireguard_wgserver
	option public_key '<redacted>'
	list allowed_ips '192.168.99.3/32'
	option persistent_keepalive '25'
	option description 'pixel'

# Provider peer. allowed_ips 0.0.0.0/0 with no route_allowed_ips leaves the
# default route untouched; vpn-policy-routing decides what is marked for this
# tunnel. persistent_keepalive keeps the tunnel's UDP mapping alive.
config wireguard_mullvad
	list allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'
	option public_key '<redacted>'
	option description 'gb2'
	option endpoint_host '185.16.85.130'

# MODEM: static alias on the wan port to reach the modem's management address;
# placed in the wan zone (so it is masqueraded like wan).
config interface 'MODEM'
	option proto 'static'
	option ifname 'eth0.2'
	option ipaddr '192.168.2.2'
	option netmask '255.255.255.0'

# family: 172.16.1.0/24 bridge, its own firewall zone. Note this range is
# outside the '! -d 192.168.0.0/16' exclusion that vpn-policy-routing uses in
# append_local_rules.
config interface 'family'
	option proto 'static'
	option ipaddr '172.16.1.1'
	option netmask '255.255.255.0'
	option type 'bridge'


/etc/config/firewall

# /etc/config/firewall
# Zones: lan (lan + streaming + wgserver, everything ACCEPT), wan (wan, wan6,
# MODEM and the mullvad tunnel, masqueraded), guest and family (input REJECT
# with DHCP/DNS explicitly allowed, forwarded only to wan).
# /etc/firewall.user is included below but its contents are not in this post.

# --- stock OpenWrt wan input rules ---
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock OpenWrt rules accepting ESP and udp/500 forwarded from wan into lan.
# Nothing in this post sets up IPsec; if no IPsec endpoint is intended these
# two rules can be removed to shrink what wan is allowed to forward into lan.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# guest zone has input REJECT, so DHCP and DNS to the router must be opened
# explicitly. Together with the adblock_dns_guest DNAT below, guest DNS is
# pinned to the router's 'guest' dnsmasq instance.
config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'guest_dhcp'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'guest_dns'
	option src 'guest'

# Same pattern for the family zone (served by the 'family' dnsmasq instance).
config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'family_dns'
	option src 'family'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'family_dhcp'
	option src 'family'

# udp/52000 matches listen_port of the wgserver interface in
# /etc/config/network. Only WireGuard's own key handshake gates this port.
config rule
	option src 'wan'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '52000'
	option name 'Allow-Wireguard-Inbound'

# Keep guest and family away from the modem's management address, which is
# reachable through the MODEM alias in the wan zone. lan is not restricted.
# In fw3 these rules are evaluated before the zone forwarding policies, so
# the DROP takes precedence over the guest->wan / family->wan forwardings
# below (NOTE(review): worth confirming with iptables -L on the box).
config rule
	option src 'guest'
	option dest_ip '192.168.2.1'
	option target 'DROP'
	option name 'Disable Modem Access Guest'
	option dest 'wan'

config rule
	option src 'family'
	option name 'Disable Modem Access Family'
	option dest_ip '192.168.2.1'
	option target 'DROP'
	option dest 'wan'

# Top-level input ACCEPT is overridden by the wan, guest and family zones
# (all input REJECT); only lan keeps the ACCEPT default.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# wgserver is in lan, so an authenticated WireGuard peer gets the same access
# as a wired lan host (router services, lan, streaming, and lan->wan forward).
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan streaming wgserver'

# masq applies to mullvad as well, which is what NATs VPN-routed traffic to
# the tunnel's 10.99.57.166 address.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'mullvad wan wan6 MODEM'

# Custom iptables rules; not included in the post.
config include
	option path '/etc/firewall.user'

# guest is isolated: no forwarding to lan or family, and forward REJECT also
# stops the router from routing between guest hosts.
config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'guest'
	option input 'REJECT'
	option network 'guest'

config forwarding
	option dest 'wan'
	option src 'guest'

config forwarding
	option dest 'wan'
	option src 'lan'

# family is isolated the same way as guest.
config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'family'
	option input 'REJECT'
	option network 'family'

config forwarding
	option dest 'wan'
	option src 'family'

# DNS DNATs: any plain port-53 query from each zone is redirected to that
# zone's router address so adblock/dnsmasq see it. Only port 53 is covered;
# clients that speak DoT (853) or DoH (443) to an external resolver are not
# redirected, so this alone does not force all name resolution through the
# router.
config redirect 'adblock_dns'
	option name 'Adblock DNS'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option dest_ip '192.168.100.1'

config redirect 'adblock_dns_guest'
	option name 'Adblock DNS Guest'
	option src 'guest'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option dest_ip '10.0.0.1'

config redirect 'adblock_dns_family'
	option name 'Adblock DNS Family'
	option src 'family'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option dest_ip '172.16.1.1'

/etc/config/dhcp

# /etc/config/dhcp
# Three dnsmasq instances, one per network class, each with its own upstream.
# All three set noresolv '1' (ignore resolv.conf), serve the adblock list from
# /tmp/adb_list.overall, and validate DNSSEC.

# main: serves lan and streaming. The only upstream is 127.0.0.1#5453 (stubby,
# per the post, i.e. DNS over TLS). localservice plus the two notinterface
# entries keep this instance off the guest and family bridges.
config dnsmasq 'main'
	option domainneeded '1'
	option localise_queries '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option serversfile '/tmp/adb_list.overall'
	option nonwildcard '1'
	option localservice '1'
	list notinterface 'guest'
	list notinterface 'family'
	option dnssec '1'
	option dnsseccheckunsigned '1'
	option rebind_protection '1'
	option noresolv '1'
	list server '127.0.0.1#5453'

# guest: bound only to the guest bridge. Upstreams are 185.228.168.9 and
# 185.228.169.9 on plain port 53 (no port/TLS forwarder in between), so unlike
# the family instance this path is not encrypted -- consistent with the post's
# description of guest as plain wan traffic, but worth being aware of.
config dnsmasq 'guest'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/guest/'
	option domain 'guest'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.guest'
	option serversfile '/tmp/adb_list.overall'
	option nonwildcard '1'
	option localservice '1'
	option noresolv '1'
	list interface 'guest'
	list notinterface 'lo'
	option dnssec '1'
	option dnsseccheckunsigned '1'
	list server '185.228.168.9'
	list server '185.228.169.9'

# family: bound only to the family bridge; upstream 127.0.0.1#53535 is unbound
# (cleanbrowsing family filter over TLS, per the post).
config dnsmasq 'family'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/family/'
	option domain 'family'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.family'
	option serversfile '/tmp/adb_list.overall'
	option nonwildcard '1'
	option localservice '1'
	option noresolv '1'
	list interface 'family'
	list notinterface 'lo'
	option dnssec '1'
	option dnsseccheckunsigned '1'
	list server '127.0.0.1#53535'

# lan also serves DHCPv6 and router advertisements; combined with ip6assign on
# the lan interface this hands clients IPv6 addresses that vpn-policy-routing
# (ipv6_enabled '0') does not steer into the tunnel -- see the network config.
config dhcp 'lan'
	option instance 'main'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option start '100'
	option limit '150'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# maindhcp '0': dnsmasq, not odhcpd, does DHCPv4.
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'streaming'
	option leasetime '12h'
	option instance 'main'
	option interface 'streaming'
	option start '100'
	option limit '150'

# Short leases for guests.
config dhcp 'guests'
	option start '100'
	option limit '150'
	option instance 'guest'
	option interface 'guest'
	option leasetime '1h'

config dhcp 'familysafe'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option instance 'family'
	option interface 'family'

# Static leases. TV, Hello and Hue are the addresses pinned to wan by the
# vpn-policy-routing policies, so these reservations must stay in step with
# them (a changed IP here silently moves the device back into the VPN).
# HDHomerun has no per-host policy and falls under the lan-wide 'Private'
# policy (192.168.100.0/24 -> mullvad).
config host
	option name 'HDHomerun'
	option dns '1'
	option mac '<redacted>'
	option ip '192.168.100.101'

config host
	option name 'TV'
	option dns '1'
	option mac '<redacted>'
	option ip '192.168.100.100'

config host
	option name 'Hello'
	option dns '1'
	option mac '<redacted>'
	option ip '192.168.100.102'

config host
	option name 'Hue'
	option dns '1'
	option mac '<redacted>'
	option ip '192.168.100.119'


/etc/config/vpn-policy-routing

# /etc/config/vpn-policy-routing
# Per-host exceptions come first (TV, Hello, Hue -> wan), then whole-subnet
# policies (lan 192.168.100.0/24 and family 172.16.1.0/24 -> mullvad). guest
# (10.0.0.0/24) and streaming (192.168.3.0/24) have no policy and keep the
# default route. The per-host exceptions only work if an earlier policy takes
# precedence over a later one that also matches -- I believe that is how the
# package orders its rules, but confirm against its documentation.
#
# Every policy is chain 'PREROUTING', i.e. forwarded client traffic only. The
# router's own outbound traffic (stubby, unbound and the guest dnsmasq
# upstream queries) is in OUTPUT and, as far as I can tell from this file, is
# not marked, so it leaves via the default route (wan) rather than the VPN.
# NOTE(review): confirm whether that matters for the DoT resolvers.
config policy
	option chain 'PREROUTING'
	option interface 'wan'
	option name 'TV'
	option local_address '192.168.100.100'
	option proto 'tcp udp'

config policy
	option chain 'PREROUTING'
	option interface 'wan'
	option name 'Hello'
	option local_address '192.168.100.102'
	option proto 'tcp udp'

config policy
	option chain 'PREROUTING'
	option interface 'wan'
	option name 'Hue'
	option local_address '192.168.100.119'
	option proto 'tcp udp'

# Whole lan subnet to the VPN (the three hosts above are excluded).
config policy
	option chain 'PREROUTING'
	option name 'Private'
	option interface 'mullvad'
	option local_address '192.168.100.1/24'
	option proto 'tcp udp'

# Whole family subnet to the VPN.
config policy
	option chain 'PREROUTING'
	option name 'Family'
	option local_address '172.16.1.1/24'
	option interface 'mullvad'
	option proto 'tcp udp'

# ipv6_enabled '0': IPv6 is never policy-routed. With ip6assign on lan and RA/
# DHCPv6 served there, any delegated IPv6 traffic goes out wan6, not mullvad.
# dnsmasq_enabled '0': no policy here matches on domain names, so the dnsmasq
# integration is not needed; ipset matching stays on.
# strict_enforcement '1': when mullvad is down, traffic covered by its policies
# is blocked instead of falling back to wan -- the fail-closed behaviour you
# want for a VPN policy (as I read the package's option description; verify).
# ignored_interface 'wgserver': the phone-home server is not an egress
# candidate, and (per the post) its traffic follows the default route, wan.
# append_local_rules '! -d 192.168.0.0/16': destinations in 192.168.0.0/16
# (lan, streaming, wgserver's 192.168.99.0/24, the modem) are never marked for
# the tunnel, which keeps lan<->lan and phone-home traffic local. 172.16.1.0/24
# and 10.0.0.0/24 are NOT excluded by this rule; harmless while no forwarding
# exists between those zones, but worth knowing if one is ever added.
config vpn-policy-routing 'config'
	option verbosity '2'
	option ipv6_enabled '0'
	option ipset_enabled '1'
	option dnsmasq_enabled '0'
	option strict_enforcement '1'
	list ignored_interface 'wgserver'
	option append_local_rules '! -d 192.168.0.0/16'
	option enabled '1'
	option boot_timeout '120'