Why is my OpenWrt routing not working as expected

I hope I am just missing something simple here. I have a OpenWRT router with a Wireguard VPN running, everything routing through the VPN, which is all working fine. I have put a route in place so that any traffic I want to go to the lan that is on the Wan side of my router is routed through my wan not my VPN. It works from the router, but not from connected devices.

So just to be clear:

RouterVPN ( with VPN

RouterGW ( which the above routers wan is connected to.

A PC (

If I ssh in to RouterVPN I am able to ping If I ping from PC I get "Destination port unreachable"

My routing table looks like this (RouterVPN):

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface       U     0      0        0 WG0         UG    0      0        0 eth1 UH    0      0        0 WG0
78.XXX.XXX.134 UGH   0      0        0 eth1       U     0      0        0 WG0   U     0      0        0 eth1   U     0      0        0 br-lan

WG0 is the VPN interface. eth1 is the WAN interface. br-lan is the LAN interface.

I know all of the Metrics are the same value, but I don't know where on an OpenWRT I can look to change this.

So as far as I can tell it routes just fine when I am on the router, but not on connected devices.

I am fair confident the routes for are coming from the VPN Routing Policy, which has these two policies in it:

Policies Comment, interface and at least one other field are required. Multiple local and remote addresses/devices/domains and ports can be space separated. Placeholders below represent just the format/syntax and will not be used if fields are left blank.

Name    Local addresses / devices   Local ports Remote addresses / domains  Remote ports    Interface   
tolan    0-65535    0-65535     WAN
toVPN           0-65535           0-65535     WG0

If someone who know way more about networking with OpenWRT than I do can advise please I would greatly appreciate it.

NOTE: I have remote access to the Router, so I can't try deleting and adding routes, as I will lose connection, I need to be very careful, as I will not have onsite access for months.

Thank you in advance.

Firewall rules/zones?

1 Like

Hi Sorry, I guess I should have thought to add them. Thanks

FW rules:

-N forwarding_WGZone_rule
-N forwarding_lan_rule
-N forwarding_rule
-N forwarding_wan_rule
-N input_WGZone_rule
-N input_lan_rule
-N input_rule
-N input_wan_rule
-N output_WGZone_rule
-N output_lan_rule
-N output_rule
-N output_wan_rule
-N reject
-N syn_flood
-N zone_WGZone_dest_ACCEPT
-N zone_WGZone_dest_REJECT
-N zone_WGZone_forward
-N zone_WGZone_input
-N zone_WGZone_output
-N zone_WGZone_src_REJECT
-N zone_lan_dest_ACCEPT
-N zone_lan_forward
-N zone_lan_input
-N zone_lan_output
-N zone_lan_src_ACCEPT
-N zone_wan_dest_ACCEPT
-N zone_wan_dest_REJECT
-N zone_wan_forward
-N zone_wan_input
-N zone_wan_output
-N zone_wan_src_REJECT
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i WG0 -m comment --comment "!fw3" -j zone_WGZone_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i WG0 -m comment --comment "!fw3" -j zone_WGZone_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o WG0 -m comment --comment "!fw3" -j zone_WGZone_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_WGZone_dest_ACCEPT -o WG0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_WGZone_dest_ACCEPT -o WG0 -m comment --comment "!fw3" -j ACCEPT
-A zone_WGZone_dest_REJECT -o WG0 -m comment --comment "!fw3" -j reject
-A zone_WGZone_forward -m comment --comment "!fw3: Custom WGZone forwarding rule chain" -j forwarding_WGZone_rule
-A zone_WGZone_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_WGZone_forward -m comment --comment "!fw3" -j zone_WGZone_dest_REJECT
-A zone_WGZone_input -m comment --comment "!fw3: Custom WGZone input rule chain" -j input_WGZone_rule
-A zone_WGZone_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_WGZone_input -m comment --comment "!fw3" -j zone_WGZone_src_REJECT
-A zone_WGZone_output -m comment --comment "!fw3: Custom WGZone output rule chain" -j output_WGZone_rule
-A zone_WGZone_output -m comment --comment "!fw3" -j zone_WGZone_dest_ACCEPT
-A zone_WGZone_src_REJECT -i WG0 -m comment --comment "!fw3" -j reject
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to WGZone forwarding policy" -j zone_WGZone_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject

Sorry only permitted one image, so I joined two SS together. General settings, then Traffic rules.

No port forwarding
No nat rules
no custom rules

Hope that helps. Thank you again.

uci -q delete firewall.lan_wan
uci set firewall.lan_wan="rule"
uci set firewall.lan_wan.name="Allow-LAN-WAN"
uci set firewall.lan_wan.src="lan"
uci set firewall.lan_wan.dest="wan"
uci set firewall.lan_wan.dest_ip=""
uci set firewall.lan_wan.proto="all"
uci set firewall.lan_wan.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart

Thank you for that, it looks great. I tried a quick GUI thing that worked. I will implement this later when I get a chance.

Thank you for your help.

1 Like