Dear all,
Using Youhua 1200 (mt7621at) with OpenWrt 19.07.3.
Problem: As soon as I turn on a VPN client connection (on the VLAN), the LAN has no internet access, regardless of whether it's WireGuard or OpenVPN. The VLAN has internet access via the VPN as expected.
What works: when the VPN is off, both LAN and VLAN have internet access.
It's very strange, as on my main router I have an identical setup with an OpenVPN client on a VLAN (the only difference being that there I use route-nopull and the VPN only kicks in for specific internet destination IPs).
So the setup is pretty simple (client router):
- Ports 1 and 2 on LAN
- Ports 3 and 4 on VLAN -> linked to VPN client
FYI, on the home router the WireGuard port is not used by any other instance, nor is any IP address used by another instance.
My network config on the client router, which has the problem (example with WireGuard):
# Loopback interface (stock OpenWrt).
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# IPv6 ULA prefix redacted by the poster.
config globals 'globals'
option ulaprefix 'blabla'
# LAN: bridge over switch VLAN 1 (ports 1-2, see eth0.1 below), 192.168.100.1/24,
# hands out 1.1.1.1 as DNS to its clients.
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.100.1'
option netmask '255.255.255.0'
# delegate '0': no IPv6 prefix delegation onto this interface.
option delegate '0'
list dns '1.1.1.1'
# MAC override for eth0.1 (value redacted).
config device 'lan_eth0_1_dev'
option name 'eth0.1'
option macaddr 'blabla'
# WAN on switch VLAN 2 (eth0.2) via DHCP; the ISP-supplied resolvers are ignored
# (peerdns '0') in favour of the two listed ones.
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
option peerdns '0'
list dns '1.1.1.1'
list dns '9.9.9.9'
# MAC override for eth0.2 (value redacted).
config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr 'blabla'
# IPv6 upstream on the same WAN port.
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
# NOTE(review): 'wwan' has no ifname here; presumably it is attached to a wireless
# STA in the wireless config, which is not part of the post - TODO confirm.
config interface 'wwan'
option proto 'dhcp'
option peerdns '0'
list dns '1.1.1.1'
list dns '9.9.9.9'
# Switch: VLAN-aware, reset on boot. Port 6 is tagged on every VLAN (the CPU port
# on mt7621), which is what creates the eth0.N sub-interfaces used below.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
# VLAN 1 (vid 1): ports 1 and 2 -> eth0.1 (the 'lan' bridge).
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '1 2 6t'
# VLAN 2 (vid 2): port 0 -> eth0.2 ('wan' / 'wan6').
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0 6t'
option vid '2'
# VLAN index 3 carries vid 4: ports 3 and 4 -> eth0.4 (the 'VLAN4' interface below).
# The index (3) and the vid (4) differ on purpose; eth0.4 is what the interface uses.
config switch_vlan
option device 'switch0'
option vlan '3'
option ports '3 4 6t'
option vid '4'
# VLAN4: bridge on eth0.4, 192.168.140.1/24 - the segment that is meant to use the VPN.
config interface 'VLAN4'
option ifname 'eth0.4'
option proto 'static'
option netmask '255.255.255.0'
option type 'bridge'
option ipaddr '192.168.140.1'
list dns '1.1.1.1'
list dns '9.9.9.9'
# WireGuard client interface: tunnel address 10.8.8.2/32; private key redacted by the poster.
config interface 'wg1'
option proto 'wireguard'
list addresses '10.8.8.2/32'
option private_key 'blabla'
# Single peer (the remote server). Endpoint host, keys and description redacted.
config wireguard_wg1
option persistent_keepalive '25'
option public_key 'blabla'
option description 'blabla'
# Remote listen port; the poster states it is not shared with another instance on that host.
option endpoint_port '1194'
option endpoint_host 'blabla'
option preshared_key 'blabla'
# NOTE(review): with route_allowed_ips '1' OpenWrt installs a route for every
# allowed_ips entry in the MAIN routing table. 0.0.0.0/1 + 128.0.0.0/1 together cover
# all of IPv4 and, being /1, are more specific than the wan default route (/0), so
# once wg1 is up ALL forwarded traffic - from 'lan' as well as from 'VLAN4' - is routed
# into the tunnel. The firewall config only forwards lan -> wan (there is no
# lan -> wg1fw forwarding), which matches the reported symptom: lan loses internet the
# moment the tunnel comes up. This is the probable cause; confirm with `ip route` and
# `ip route get 1.1.1.1` while wg1 is up. The usual fix is route_allowed_ips '0' plus
# policy routing (a dedicated routing table with a default via wg1 and an `ip rule`
# keyed on the 192.168.140.0/24 source) so that only VLAN4 uses the tunnel.
# The same applies to IPv6 via '::/0'.
option route_allowed_ips '1'
list allowed_ips '0.0.0.0/1'
list allowed_ips '128.0.0.0/1'
list allowed_ips '::/0'
My firewall config on the client router:
# Global defaults: traffic to the router itself is accepted unless a zone overrides
# it; forwarding between zones is rejected unless a 'forwarding' section or a rule
# allows it explicitly.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# lan zone: fully open towards the router. forward 'ACCEPT' here only covers traffic
# between interfaces inside the zone (just 'lan'); inter-zone traffic still needs a
# 'forwarding' section.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
# wan zone (wan, wan6, wwan): unsolicited input rejected, NAT (masq) and MSS clamping on.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6 wwan'
# The only inter-zone forwarding granted to lan is towards wan. There is no
# lan -> wg1fw entry, so lan traffic that the routing table sends into the tunnel
# hits the wg1fw zone default (forward 'REJECT').
config forwarding
option src 'lan'
option dest 'wan'
# The following rules appear to be the stock OpenWrt 19.07 defaults, unchanged: they
# open router input (and, for ICMPv6/ESP/ISAKMP, forwarding) on the wan side only and
# do not touch VLAN4 or wg1.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# dest '*': forwarding of these ICMPv6 types from wan into any zone.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# IPsec pass-through from wan to lan (stock rules; harmless unless something on lan
# actually listens for it).
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# NOTE(review): custom iptables rules from /etc/firewall.user are loaded here. Its
# content is not part of the post - TODO check it for rules that touch wg1 or the
# routing (e.g. leftover ip rule / ip route commands from earlier experiments).
config include
option path '/etc/firewall.user'
# Zone for the VPN-bound VLAN (switch ports 3/4): no unsolicited input to the router
# except what the v4DNS / v4DHCP rules below allow; no forwarding unless listed.
config zone
option name 'vlan4_fw'
option output 'ACCEPT'
option network 'VLAN4'
option input 'REJECT'
option forward 'REJECT'
# NOTE(review): VLAN4 may reach BOTH wan and wg1fw. If VLAN4 is meant to be
# VPN-only, this vlan4_fw -> wan forwarding lets its traffic fall back to the plain
# wan path whenever the tunnel is down or its routes are absent (no "kill switch").
# Remove it and keep only vlan4_fw -> wg1fw if leak-free behaviour is wanted.
config forwarding
option dest 'wan'
option src 'vlan4_fw'
# Tunnel zone: VLAN4 sources are masqueraded behind the wg1 address, MSS clamped to
# the tunnel MTU, unsolicited input from the tunnel rejected.
config zone
option network 'wg1'
option name 'wg1fw'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'
option masq '1'
option output 'ACCEPT'
# The only forwarding into the tunnel: from VLAN4. Nothing forwards lan -> wg1fw, so
# any lan traffic the routing table steers into wg1 is rejected here.
config forwarding
option dest 'wg1fw'
option src 'vlan4_fw'
# Router-side INPUT from VLAN4 (no 'dest' set, so this is an input rule, not a
# forward rule): DNS on 53 and 853 (DNS-over-TLS); 1053 / 5453 are presumably
# listeners of a local resolver - TODO confirm which service uses them.
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option name 'v4DNS'
option src 'vlan4_fw'
option dest_port '53 853 1053 5453'
# DHCP from VLAN4 clients to the router (input rule, same reasoning as above).
config rule
option target 'ACCEPT'
option dest_port '67-68'
option name 'v4DHCP'
option src 'vlan4_fw'
option proto 'udp'
Do I have an issue with my firewall rules, and how can I track down the problem?
Cheers blinton