Wireguard and martian logging

Hello, I have problems with WireGuard and the LAN network. I need to access resources in the LAN, but I run into problems since the WireGuard IP is not on the same network as the LAN. I have a separate zone for wg0 with masq activated, and I tried an SNAT redirect, but I can't manage to use a LAN IP, and some LAN resources block me for sending from another segment. How could I redirect to the LAN but with an IP from the LAN network? Thanks!

Post the contents of your /etc/config/network and /etc/config/firewall files for review (please remove any public information and keys, but do not hide the RFC1918 addresses, since they don't reveal anything private about your network). The community here can review them to see if there are any errors and/or better methods of configuring WG and your main network.

That said, Windows is known to have default firewall rules that restrict connections from networks other than the one it is on (i.e. other VLANs/subnets are blocked). Some other systems (IIRC, Synology NAS boxes as an example) may also do this, so check the local firewall rules and settings on each of the systems that is causing you headaches.

Finally, your title is possibly not accurate -- are you really trying to log the martians, or just resolve the routing/firewall type issues?

/etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'                  
        option family 'ipv4'           
                                      
config rule                           
        option name 'Allow-Ping'            
        option src 'wan'              
        option proto 'icmp'           
        option icmp_type 'echo-request'
        option family 'ipv4'            
        option target 'ACCEPT'         
                                       
config rule                            
        option name 'Allow-IGMP'       
        option src 'wan'                        
        option proto 'igmp'            
        option family 'ipv4'           
        option target 'ACCEPT'         
                                            
config rule                                 
        option name 'Allow-DHCPv6'             
        option src 'wan'                     
        option proto 'udp'                      
        option src_ip 'fc00::/6'       
        option dest_ip 'fc00::/6'      
        option dest_port '546'         
        option family 'ipv6'            
        option target 'ACCEPT'         
                                          
config rule                            
        option name 'Allow-MLD'        
        option src 'wan'               
        option proto 'icmp'            
        option src_ip 'fe80::/10'      
        list icmp_type '130/0'                  
        list icmp_type '131/0'         
        list icmp_type '132/0'        
        list icmp_type '143/0'        
        option family 'ipv6'                
        option target 'ACCEPT'        
                                      
config rule                            
        option name 'Allow-ICMPv6-Input'
        option src 'wan'               
        option proto 'icmp'            
        list icmp_type 'echo-request'  
        list icmp_type 'echo-reply'    
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded' 
        list icmp_type 'bad-header'    
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'        
        option family 'ipv6'           
        option target 'ACCEPT'         
                                        
config rule                            
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'               
        option dest '*'                
        option proto 'icmp'            
        list icmp_type 'echo-request'  
        list icmp_type 'echo-reply'    
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'   
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'       
        option family 'ipv6'          
        option target 'ACCEPT'         
                                        
config rule                            
        option name 'Allow-IPSec-ESP'  
        option src 'wan'               
        option dest 'lan'              
        option proto 'esp'                      
        option target 'ACCEPT'         
                                       
config rule                            
        option name 'Allow-ISAKMP'          
        option src 'wan'                    
        option dest 'lan'                      
        option dest_port '500'               
        option proto 'udp'                      
        option target 'ACCEPT'         
                                       
config include                         
        option path '/etc/firewall.user'
                                       
config zone                               
        option input 'ACCEPT'          
        option output 'ACCEPT'         
        option forward 'ACCEPT'        
        option network 'external'       
        option name 'external'                                                          
                                                
config zone                            
        option input 'ACCEPT'         
        option output 'ACCEPT'        
        option forward 'ACCEPT'             
        option name 'guest'        
        option network 'guest'     
                                       
config forwarding                       
        option dest 'wan'              
        option src 'guest'                   
                                                
config redirect                        
        option target 'DNAT'           
        option src 'wan'               
        option dest 'external'           
        option proto 'tcp udp'         
        option src_dport '80'             
        option dest_ip '192.168.2.100' 
        option dest_port '80'          
        option name 'http_external'     
                                       
config redirect                        
        option target 'DNAT'                    
        option src 'wan'               
        option dest 'external'         
        option src_dport '443'        
        option dest_ip '192.168.2.100'      
        option dest_port '443'        
        option name 'https_external'   
        option proto 'tcp udp'                 
                                            
config zone                                    
        option forward 'REJECT'              
        option output 'ACCEPT'                  
        option name 'wanb'             
        option masq '1'                
        option mtu_fix '1'             
        option network 'wanb'           
        option input 'REJECT'          
                                          
config forwarding                      
        option dest 'wanb'             
        option src 'guest'          
                                       
config forwarding                      
        option dest 'wanb'                      
        option src 'lan'                
                                       
config redirect                                 
        option target 'DNAT'           
        option src 'wanb'              
        option dest 'external'          
        option src_dport '80'               
        option dest_ip '192.168.2.100'      
        option dest_port '80'                  
        option name 'http_external_b'         
        option proto 'tcp udp'                  
                                       
config redirect                        
        option target 'DNAT'           
        option src 'wanb'               
        option dest 'external'          
        option src_dport '443'            
        option dest_ip '192.168.2.100' 
        option dest_port '443'         
        option name 'https_external_b'  
        option proto 'tcp udp'         
                                       
config zone                            
        option name 'zone_vpn'         
        option network 'vpn'           
        option input 'REJECT'                   
        option forward 'REJECT'        
        option output 'ACCEPT'         
        option masq '1'                
        option mtu_fix '1'                  
                                            
config forwarding                              
        option dest 'zone_vpn'               
        option src 'lan'                        
                                       
config zone                            
        option name 'zone_vpn1'        
        option network 'vpn1'           
        option input 'REJECT'          
        option forward 'REJECT'           
        option output 'ACCEPT'         
        option masq '1'                
        option mtu_fix '1'             
                                       
config rule                            
        option name 'Allow-OpenVPN'             
        option target 'REJECT'         
        option src '*'                
        option proto 'udp'            
        option dest_port '1194'             
                                      
config forwarding                     
        option dest 'lan'              
        option src 'zone_vpn1'          
                                       
config forwarding                      
        option dest 'wan'              
        option src 'zone_vpn1'         
                                                
config forwarding                      
        option dest 'wan'              
        option src 'external'           
                                            
config forwarding                           
        option dest 'wanb'                     
        option src 'external'                 
                                                
config redirect                        
        option target 'DNAT'           
        option src 'guest'          
        option dest 'external'           
        option src_dport '443'         
        option dest_ip '192.168.2.100'    
        option dest_port '443'         
        option name 'guest_https_external'
        option proto 'tcp udp'         
        option src_dip '192.168.1.100' 
                                       
config rule 'wg'                                
        option name 'Allow-WireGuard'  
        option dest_port '51820'      
        option proto 'udp'            
        option target 'ACCEPT'              
        option src '*'                
                                      
config forwarding                      
        option dest 'wan'               
        option src 'zone_vpn2'         
                                       
config zone                            
        option name 'zone_vpn2'        
        option network 'wg0'                    
        option input 'REJECT'          
        option output 'ACCEPT'         
        option forward 'REJECT'        
        option masq '1'                     
        option mtu_fix '1'                  
                                               
config forwarding                            
        option dest 'lan'                       
        option src 'zone_vpn2'         
        option enabled '1'             
                                       
config redirect                         
        option name 'Wireguard SNAT Lan'
        option src 'zone_vpn2'            
        option dest 'lan'              
        option src_dip '192.168.1.189'        
        option proto 'tcpudp'          
        option target 'SNAT'           
        option enabled '0'             

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix ''

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option metric '10'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
                          
config switch_vlan           
        option device 'switch0'  
        option vlan '1'           
        option vid '1'
        option ports '0t 2'
                                               
config switch_vlan
        option device 'switch0'
        option vlan '2'     
        option vid '2'        
        option ports '0t 1'  
                                   
config switch_vlan                    
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0t 3'   
                           
config switch_vlan        
        option device 'switch0'
        option vlan '4'       
        option vid '4'      
        option ports '0t 4'               

config interface 'external'
        option proto 'static' 
        option ifname 'eth0.3'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
                             
config interface 'guest'
        option proto 'static' 
        option ifname 'eth0.4'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option type 'bridge'      
                      
config switch_vlan         
        option device 'switch0'                
        option vlan '5'
        option vid '5'         
        option ports '0t 5' 
                              
config interface 'wanb'      
        option ifname 'eth0.5'     
        option proto 'dhcp'           
        option metric '20'     
                       
config interface 'vpn'
        option proto 'none'   
        option ifname 'tun0'
                          
config interface 'vpn1'        
        option proto 'none'   
        option ifname 'tun1'
        option auto '1'                   

config interface 'wg0'    
        option proto 'wireguard'
        option listen_port '51820' 
        list addresses '192.168.9.1/24'
        list addresses 'fdf1:7610:d152:3a9c::1/64'
                           
config wireguard_wg0 'wgclient'
        list allowed_ips '192.168.9.0/24'
        list allowed_ips 'fdf1:7610:d152:3a9c::0/64'
                      
config wireguard_wg0       
        option description 'Android'           
        list allowed_ips '192.168.9.0/24'

/etc/config/mwan3

config rule 'wireguard_rule0'        
        option dest_port '51820'     
        option proto 'udp'          
        option sticky '0'            
        option use_policy 'wan_only'      
                                            
config rule 'default_rule'                  
        option dest_ip '0.0.0.0/0'   
        option proto 'all'           
        option sticky '0'            
        option use_policy 'wan_wanb'
                           
config globals 'globals'              
        option rtmon_interval '5'   
                                     
config interface 'wan'         
        option enabled '1'           
        option family 'ipv4'
        option reliability '2'
        option count '1'   
        option timeout '2'         
        option failure_latency '1000'
        option recovery_latency '500'
        option failure_loss '20'     
        option recovery_loss '5'    
        option interval '5'          
        option down '3'             
        option up '8'           
                                   
config interface 'wan6'             
        option enabled '0'               
        option family 'ipv6'         
        option reliability '2'       
        option count '1'             
        option timeout '2'          
        option interval '5'
        option down '3'            
        option up '8'               
                                    
config interface 'wanb'              
        list track_ip '8.8.4.4'
        list track_ip '8.8.8.8'
        option family 'ipv4'          
        option reliability '1'        
        option count '1'    
        option timeout '2'    
        option interval '5'
        option down '3'            
        option up '8'                
        option enabled '1'           
        option initial_state 'online'
        option track_method 'ping'  
        option size '56'             
        option max_ttl '60'         
        option check_quality '0'
        option failure_interval '5'
        option recovery_interval '5'
                                    
config interface 'wanb6'                    
        option enabled '0'                  
        option family 'ipv6'         
        option reliability '1'      
        option count '1'   
        option timeout '2'         
        option interval '5'         
        option down '3'             
        option up '8'                
                               
config member 'wan_m1_w3'      
        option interface 'wan'        
        option metric '1'             
        option weight '3'             
                                      
config member 'wan_m2_w3'   
        option interface 'wan'
        option metric '2'  
        option weight '3'          
                                     
config member 'wanb_m1_w2'           
        option interface 'wanb'      
        option metric '1'           
        option weight '2'            
                                    
config member 'wanb_m2_w2'      
        option interface 'wanb'    
        option metric '2'           
        option weight '2'           
                                            
config member 'wan6_m1_w3'                  
        option interface 'wan6'             
        option metric '1'                   
        option weight '3'            
                                     
config member 'wan6_m2_w3'           
        option interface 'wan6'     
        option metric '2'  
        option weight '3'          
                                    
config member 'wanb6_m1_w2'         
        option interface 'wanb6'     
        option metric '1'      
        option weight '2'      
                                      
config member 'wanb6_m2_w2'           
        option interface 'wanb6'      
        option metric '2'             
        option weight '2'   
                              
config policy 'wan_only'   
        list use_member 'wan_m1_w3'
        list use_member 'wan6_m1_w3' 
                                     
config policy 'wanb_only'            
        list use_member 'wanb_m1_w2'
        list use_member 'wanb6_m1_w2'
                                    
config policy 'balanced'        
        list use_member 'wan_m1_w3'
        list use_member 'wanb_m1_w2'
        list use_member 'wan6_m1_w3'
        list use_member 'wanb6_m1_w2'       
                                            
config policy 'wan_wanb'                    
        list use_member 'wan_m1_w3'         
        list use_member 'wanb_m2_w2' 
        list use_member 'wan6_m1_w3' 
        list use_member 'wanb6_m2_w2'
                                    
config policy 'wanb_wan'   
        list use_member 'wan_m2_w3'
        list use_member 'wanb_m1_w2'
        list use_member 'wan6_m2_w3'
        list use_member 'wanb6_m1_w2'

Sorry for the title. The Linux servers correctly block me for making requests from another network segment.

Remove the masquerading from the wireguard zone.

Change the wg peers such that the allowed IPs are each a single unique address with a /32 (192.168.9.2/32 and 192.168.9.3/32), and enable the wg option for each of the peers to route allowed IPs.

Thanks psherman, but there was no change; I keep sending packets with the peer address to the servers and they block me.

Are the servers allowing traffic from other subnets? Windows, for example, is known for that limitation.


It does not allow another subnet; I need to use the same segment. On the servers I could remove that restriction, but some devices within the network cannot be modified.

Then you'll need to add masquerade to the lan zone, but add the condition to masquerade only when the source subnet is the wg 192.168.9.0/24.

No change; I keep sending with the address 192.168.9.3 or 192.168.9.2 to the LAN.

Then run a tcpdump and verify that the packets are correct:
tcpdump -i any -evn host 192.168.1.X
Change X to the last octet of the host in the LAN.

root@wurkman:/home/yohiro# tcpdump -i wg0 -env host 192.168.1.100
tcpdump: listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes
19:42:55.250362 ip: (tos 0x0, ttl 64, id 18717, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.9.3 > 192.168.1.100: ICMP echo request, id 4675, seq 1, length 64
19:42:56.277188 ip: (tos 0x0, ttl 64, id 18928, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.9.3 > 192.168.1.100: ICMP echo request, id 4675, seq 2, length 64
19:42:57.301189 ip: (tos 0x0, ttl 64, id 19138, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.9.3 > 192.168.1.100: ICMP echo request, id 4675, seq 3, length 64
19:42:58.325145 ip: (tos 0x0, ttl 64, id 19218, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.9.3 > 192.168.1.100: ICMP echo request, id 4675, seq 4, length 64

Server log

Apr 24 19:42:55 server156 kernel: [4695049.768926] IPv4: martian source 192.168.1.100 from 192.168.9.3, on dev enp3s0
Apr 24 19:42:55 server156 kernel: [4695049.768948] ll header: 00000000: bc ae c5 6f a2 17 68 ff 7b 47 a4 b0 08 00        ...o..h.{G....
Apr 24 19:42:56 server156 kernel: [4695050.793891] IPv4: martian source 192.168.1.100 from 192.168.9.3, on dev enp3s0
Apr 24 19:42:56 server156 kernel: [4695050.793921] ll header: 00000000: bc ae c5 6f a2 17 68 ff 7b 47 a4 b0 08 00        ...o..h.{G....
Apr 24 19:42:57 server156 kernel: [4695051.817751] IPv4: martian source 192.168.1.100 from 192.168.9.3, on dev enp3s0
Apr 24 19:42:57 server156 kernel: [4695051.817768] ll header: 00000000: bc ae c5 6f a2 17 68 ff 7b 47 a4 b0 08 00        ...o..h.{G....
Apr 24 19:42:58 server156 kernel: [4695052.843169] IPv4: martian source 192.168.1.100 from 192.168.9.3, on dev enp3s0
Apr 24 19:42:58 server156 kernel: [4695052.843196] ll header: 00000000: bc ae c5 6f a2 17 68 ff 7b 47 a4 b0 08 00        ...o..h.{G....
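What the server log above is saying, as an added example that is not part of the thread: the kernel emits "martian source" when the reverse-path check (rp_filter) rejects a packet's source on the receiving interface and log_martians is enabled, and the field order is easy to misread. The address printed right after "martian source" is the packet's destination (the server's own 192.168.1.100); the offending source is the one after "from" (the WireGuard peer 192.168.9.3). The script parses log lines of this shape, flags sources that are not on the interface's own subnet (the condition the thread's strict devices reject), and shows the source the server would see once the router SNATs wg0-to-lan traffic to its own lan address. The sample log lines are constructed in the shape of the posted ones, and the server-side topology (enp3s0 on 192.168.1.0/24, router at 192.168.1.1) is an assumption taken from the posted OpenWrt config.

```python
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Kernel message format (net/ipv4/route.c):
#   "IPv4: martian source <DADDR> from <SADDR>, on dev <IFNAME>"
# The address after "martian source" is the packet's DESTINATION (the server
# itself); the real offending source is the address after "from".
MARTIAN_RE = re.compile(
    r"IPv4: martian source (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}), on dev (?P<dev>\S+)"
)

# Constructed sample log, copied in shape from the thread's server log.
SAMPLE_LOG = """\
Apr 24 19:42:55 server156 kernel: [4695049.768926] IPv4: martian source 192.168.1.100 from 192.168.9.3, on dev enp3s0
Apr 24 19:42:55 server156 kernel: [4695049.768948] ll header: 00000000: bc ae c5 6f a2 17 68 ff 7b 47 a4 b0 08 00
Apr 24 19:42:56 server156 kernel: [4695050.793891] IPv4: martian source 192.168.1.100 from 192.168.9.3, on dev enp3s0
Apr 24 19:42:57 server156 kernel: [4695051.817751] IPv4: martian source 192.168.1.100 from 192.168.9.2, on dev enp3s0
Apr 24 19:42:58 server156 kernel: [4695052.843169] IPv4: martian source 192.168.1.100 from 192.168.9.3, on dev enp3s0
"""

# Assumed server-side topology (from the posted OpenWrt config): enp3s0 is on
# the lan subnet 192.168.1.0/24 and the router's lan address is 192.168.1.1.
DEV_SUBNETS = {"enp3s0": ipaddress.IPv4Network("192.168.1.0/24")}
ROUTER_LAN_IP = ipaddress.IPv4Address("192.168.1.1")


@dataclass(frozen=True)
class Martian:
    dst: ipaddress.IPv4Address  # server address the packet was sent to
    src: ipaddress.IPv4Address  # source address the server objected to
    dev: str                    # interface the packet arrived on


def parse_martians(log_text: str) -> list[Martian]:
    """Extract every martian-source event; the 'll header' dump lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            events.append(Martian(ipaddress.IPv4Address(m["dst"]),
                                  ipaddress.IPv4Address(m["src"]), m["dev"]))
    return events


def off_subnet(ev: Martian, dev_subnets=DEV_SUBNETS) -> bool:
    """True when the source is not on the receiving interface's own subnet.

    That is what the thread's strict devices reject and what source NAT on the
    router changes. Unknown interfaces are not judged (returns False).
    """
    net = dev_subnets.get(ev.dev)
    return net is not None and ev.src not in net


def offenders(log_text: str, dev_subnets=DEV_SUBNETS) -> Counter:
    """Count off-subnet sources per interface, keyed by (source, interface)."""
    return Counter((str(ev.src), ev.dev)
                   for ev in parse_martians(log_text)
                   if off_subnet(ev, dev_subnets))


def after_snat(ev: Martian, router_ip=ROUTER_LAN_IP) -> tuple[str, str]:
    """(src, dst) the server sees once the router SNATs wg0 -> lan traffic to
    its own lan address: the source becomes the router, the destination stays."""
    return (str(router_ip), str(ev.dst))


if __name__ == "__main__":
    for ev in parse_martians(SAMPLE_LOG):
        verdict = "OFF-SUBNET" if off_subnet(ev) else "on-subnet"
        print(f"{ev.dev}: {ev.src} -> {ev.dst}  {verdict}; after SNAT: {after_snat(ev)}")
    print(dict(offenders(SAMPLE_LOG)))
```

Run it against the real server log with `journalctl -k | python3 martians.py`-style piping by replacing SAMPLE_LOG with stdin; the `offenders` counter tells you which WireGuard peers are reaching the server unmasqueraded, and `after_snat` is the source you should expect to see in the server log (or rather, should no longer see as a martian) once the router's SNAT is in place.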

It seems to me that the packets are arriving at the server, but that the server is blocking them because it sees them as martians. Can you adjust the configuration of the firewall on the server itself?

On the servers I can modify the rules, but I need to connect to devices that have the same restriction in their firmware, and I cannot modify them.

Using a SNAT rule, you could make all the packets appear as if originated from the router. This has worked for me in the past in a similar situation.

I see you have such rule defined, but why is it disabled?
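Both suggestions in this thread (masquerade on the lan zone restricted to the wg source subnet, and the SNAT redirect the poster already has but left disabled) come down to the same thing: the router rewrites the source of wg0-to-lan packets to its own lan address before they leave br-lan. Below is an added example in /etc/config/firewall syntax, not taken from the thread; it assumes the router's lan address is 192.168.1.1 (from the posted network config) and the zone names from the posted firewall config.

```uci
# Option A: masquerade on the lan zone, but only for packets whose source is
# the WireGuard subnet. Other traffic leaving br-lan keeps its real source.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'
        option masq '1'
        list masq_src '192.168.9.0/24'

# Option B: the same effect as an explicit SNAT redirect from the wg zone to
# lan. src_dip must be an address the router itself holds (192.168.1.1 here):
# if it is some other host's address, replies are delivered to that host and
# never come back through wg0. proto 'all' is needed for the ping test in the
# thread, since a 'tcp udp' redirect leaves ICMP untouched.
config redirect
        option name 'Wireguard SNAT Lan'
        option src 'zone_vpn2'
        option dest 'lan'
        option src_dip '192.168.1.1'
        option proto 'all'
        option target 'SNAT'
        option enabled '1'
```

Use one or the other, not both, then `/etc/init.d/firewall restart`. To verify on the router, run the capture from the earlier reply, `tcpdump -i any -evn host 192.168.1.100`: the same echo request should appear twice, once on wg0 with source 192.168.9.3 and once on br-lan with source 192.168.1.1. On fw3-based releases like the one posted, `iptables -t nat -L zone_lan_postrouting -nv` should show a MASQUERADE (Option A) or SNAT (Option B) rule with its packet counter increasing. The trade-off is that the servers now log every peer as 192.168.1.1, so keep the per-peer /32 allowed_ips so that the router's conntrack table is still able to tell the peers apart.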

I asked you to use -i any to verify that the packets going out of the lan interface are indeed masqueraded as suggested here. Looking at the wg0 interface doesn't help much.

I tried it, but I keep sending with the IP assigned by WireGuard.

Is this some kind of joke?
I gave you one command to use, and for 2 posts in a row you have been using your own versions.
Best of luck solving your issue, as I am not going to deal with this any more.

It's not a joke. The first capture was on the client, and capturing on the any interface does not capture anything, so I used wg0. If what you needed to see was on OpenWrt, the second capture was there, and I only filtered the ICMP packets because it has a lot of activity.

First of all the commands are meant to be run on OpenWrt, unless otherwise specified.

You have selected full verbosity and hex presentation. Do you still insist that you used the command I gave you?

That is not how it is supposed to work. I would go back to that route and try to make it work.