Wireguard and martian logging

/etc/config/Firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'                  
        option family 'ipv4'           
                                      
config rule                           
        option name 'Allow-Ping'            
        option src 'wan'              
        option proto 'icmp'           
        option icmp_type 'echo-request'
        option family 'ipv4'            
        option target 'ACCEPT'         
                                       
config rule                            
        option name 'Allow-IGMP'       
        option src 'wan'                        
        option proto 'igmp'            
        option family 'ipv4'           
        option target 'ACCEPT'         
                                            
config rule                                 
        option name 'Allow-DHCPv6'             
        option src 'wan'                     
        option proto 'udp'                      
        option src_ip 'fc00::/6'       
        option dest_ip 'fc00::/6'      
        option dest_port '546'         
        option family 'ipv6'            
        option target 'ACCEPT'         
                                          
config rule                            
        option name 'Allow-MLD'        
        option src 'wan'               
        option proto 'icmp'            
        option src_ip 'fe80::/10'      
        list icmp_type '130/0'                  
        list icmp_type '131/0'         
        list icmp_type '132/0'        
        list icmp_type '143/0'        
        option family 'ipv6'                
        option target 'ACCEPT'        
                                      
config rule                            
        option name 'Allow-ICMPv6-Input'
        option src 'wan'               
        option proto 'icmp'            
        list icmp_type 'echo-request'  
        list icmp_type 'echo-reply'    
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded' 
        list icmp_type 'bad-header'    
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'        
        option family 'ipv6'           
        option target 'ACCEPT'         
                                        
config rule                            
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'               
        option dest '*'                
        option proto 'icmp'            
        list icmp_type 'echo-request'  
        list icmp_type 'echo-reply'    
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'   
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'       
        option family 'ipv6'          
        option target 'ACCEPT'         
                                        
config rule                            
        option name 'Allow-IPSec-ESP'  
        option src 'wan'               
        option dest 'lan'              
        option proto 'esp'                      
        option target 'ACCEPT'         
                                       
config rule                            
        option name 'Allow-ISAKMP'          
        option src 'wan'                    
        option dest 'lan'                      
        option dest_port '500'               
        option proto 'udp'                      
        option target 'ACCEPT'         
                                       
config include                         
        option path '/etc/firewall.user'
                                       
config zone                               
        option input 'ACCEPT'          
        option output 'ACCEPT'         
        option forward 'ACCEPT'        
        option network 'external'       
        option name 'external'                                                          
                                                
config zone                            
        option input 'ACCEPT'         
        option output 'ACCEPT'        
        option forward 'ACCEPT'             
        option name 'guest'        
        option network 'guest'     
                                       
config forwarding                       
        option dest 'wan'              
        option src 'guest'                   
                                                
config redirect                        
        option target 'DNAT'           
        option src 'wan'               
        option dest 'external'           
        option proto 'tcp udp'         
        option src_dport '80'             
        option dest_ip '192.168.2.100' 
        option dest_port '80'          
        option name 'http_external'     
                                       
config redirect                        
        option target 'DNAT'                    
        option src 'wan'               
        option dest 'external'         
        option src_dport '443'        
        option dest_ip '192.168.2.100'      
        option dest_port '443'        
        option name 'https_external'   
        option proto 'tcp udp'                 
                                            
config zone                                    
        option forward 'REJECT'              
        option output 'ACCEPT'                  
        option name 'wanb'             
        option masq '1'                
        option mtu_fix '1'             
        option network 'wanb'           
        option input 'REJECT'          
                                          
config forwarding                      
        option dest 'wanb'             
        option src 'guest'          
                                       
config forwarding                      
        option dest 'wanb'                      
        option src 'lan'                
                                       
config redirect                                 
        option target 'DNAT'           
        option src 'wanb'              
        option dest 'external'          
        option src_dport '80'               
        option dest_ip '192.168.2.100'      
        option dest_port '80'                  
        option name 'http_external_b'         
        option proto 'tcp udp'                  
                                       
config redirect                        
        option target 'DNAT'           
        option src 'wanb'               
        option dest 'external'          
        option src_dport '443'            
        option dest_ip '192.168.2.100' 
        option dest_port '443'         
        option name 'https_external_b'  
        option proto 'tcp udp'         
                                       
config zone                            
        option name 'zone_vpn'         
        option network 'vpn'           
        option input 'REJECT'                   
        option forward 'REJECT'        
        option output 'ACCEPT'         
        option masq '1'                
        option mtu_fix '1'                  
                                            
config forwarding                              
        option dest 'zone_vpn'               
        option src 'lan'                        
                                       
config zone                            
        option name 'zone_vpn1'        
        option network 'vpn1'           
        option input 'REJECT'          
        option forward 'REJECT'           
        option output 'ACCEPT'         
        option masq '1'                
        option mtu_fix '1'             
                                       
config rule                            
        option name 'Allow-OpenVPN'             
        option target 'REJECT'         
        option src '*'                
        option proto 'udp'            
        option dest_port '1194'             
                                      
config forwarding                     
        option dest 'lan'              
        option src 'zone_vpn1'          
                                       
config forwarding                      
        option dest 'wan'              
        option src 'zone_vpn1'         
                                                
config forwarding                      
        option dest 'wan'              
        option src 'external'           
                                            
config forwarding                           
        option dest 'wanb'                     
        option src 'external'                 
                                                
config redirect                        
        option target 'DNAT'           
        option src 'guest'          
        option dest 'external'           
        option src_dport '443'         
        option dest_ip '192.168.2.100'    
        option dest_port '443'         
        option name 'guest_https_external'
        option proto 'tcp udp'         
        option src_dip '192.168.1.100' 
                                       
config rule 'wg'                                
        option name 'Allow-WireGuard'  
        option dest_port '51820'      
        option proto 'udp'            
        option target 'ACCEPT'              
        option src '*'                
                                      
config forwarding                      
        option dest 'wan'               
        option src 'zone_vpn2'         
                                       
config zone                            
        option name 'zone_vpn2'        
        option network 'wg0'                    
        option input 'REJECT'          
        option output 'ACCEPT'         
        option forward 'REJECT'        
        option masq '1'                     
        option mtu_fix '1'                  
                                               
config forwarding                            
        option dest 'lan'                       
        option src 'zone_vpn2'         
        option enabled '1'             
                                       
config redirect                         
        option name 'Wireguard SNAT Lan'
        option src 'zone_vpn2'            
        option dest 'lan'              
        option src_dip '192.168.1.189'        
        option proto 'tcpudp'          
        option target 'SNAT'           
        option enabled '0'             

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix ''

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option metric '10'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
                          
config switch_vlan           
        option device 'switch0'  
        option vlan '1'           
        option vid '1'
        option ports '0t 2'
                                               
config switch_vlan
        option device 'switch0'
        option vlan '2'     
        option vid '2'        
        option ports '0t 1'  
                                   
config switch_vlan                    
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0t 3'   
                           
config switch_vlan        
        option device 'switch0'
        option vlan '4'       
        option vid '4'      
        option ports '0t 4'               

config interface 'external'
        option proto 'static' 
        option ifname 'eth0.3'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
                             
config interface 'guest'
        option proto 'static' 
        option ifname 'eth0.4'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option type 'bridge'      
                      
config switch_vlan         
        option device 'switch0'                
        option vlan '5'
        option vid '5'         
        option ports '0t 5' 
                              
config interface 'wanb'      
        option ifname 'eth0.5'     
        option proto 'dhcp'           
        option metric '20'     
                       
config interface 'vpn'
        option proto 'none'   
        option ifname 'tun0'
                          
config interface 'vpn1'        
        option proto 'none'   
        option ifname 'tun1'
        option auto '1'                   

config interface 'wg0'    
        option proto 'wireguard'
        option listen_port '51820' 
        list addresses '192.168.9.1/24'
        list addresses 'fdf1:7610:d152:3a9c::1/64'
                           
config wireguard_wg0 'wgclient'
        list allowed_ips '192.168.9.0/24'
        list allowed_ips 'fdf1:7610:d152:3a9c::0/64'
                      
config wireguard_wg0       
        option description 'Android'           
        list allowed_ips '192.168.9.0/24'

/etc/config/mwan3

config rule 'wireguard_rule0'        
        option dest_port '51820'     
        option proto 'udp'          
        option sticky '0'            
        option use_policy 'wan_only'      
                                            
config rule 'default_rule'                  
        option dest_ip '0.0.0.0/0'   
        option proto 'all'           
        option sticky '0'            
        option use_policy 'wan_wanb'
                           
config globals 'globals'              
        option rtmon_interval '5'   
                                     
config interface 'wan'         
        option enabled '1'           
        option family 'ipv4'
        option reliability '2'
        option count '1'   
        option timeout '2'         
        option failure_latency '1000'
        option recovery_latency '500'
        option failure_loss '20'     
        option recovery_loss '5'    
        option interval '5'          
        option down '3'             
        option up '8'           
                                   
config interface 'wan6'             
        option enabled '0'               
        option family 'ipv6'         
        option reliability '2'       
        option count '1'             
        option timeout '2'          
        option interval '5'
        option down '3'            
        option up '8'               
                                    
config interface 'wanb'              
        list track_ip '8.8.4.4'
        list track_ip '8.8.8.8'
        option family 'ipv4'          
        option reliability '1'        
        option count '1'    
        option timeout '2'    
        option interval '5'
        option down '3'            
        option up '8'                
        option enabled '1'           
        option initial_state 'online'
        option track_method 'ping'  
        option size '56'             
        option max_ttl '60'         
        option check_quality '0'
        option failure_interval '5'
        option recovery_interval '5'
                                    
config interface 'wanb6'                    
        option enabled '0'                  
        option family 'ipv6'         
        option reliability '1'      
        option count '1'   
        option timeout '2'         
        option interval '5'         
        option down '3'             
        option up '8'                
                               
config member 'wan_m1_w3'      
        option interface 'wan'        
        option metric '1'             
        option weight '3'             
                                      
config member 'wan_m2_w3'   
        option interface 'wan'
        option metric '2'  
        option weight '3'          
                                     
config member 'wanb_m1_w2'           
        option interface 'wanb'      
        option metric '1'           
        option weight '2'            
                                    
config member 'wanb_m2_w2'      
        option interface 'wanb'    
        option metric '2'           
        option weight '2'           
                                            
config member 'wan6_m1_w3'                  
        option interface 'wan6'             
        option metric '1'                   
        option weight '3'            
                                     
config member 'wan6_m2_w3'           
        option interface 'wan6'     
        option metric '2'  
        option weight '3'          
                                    
config member 'wanb6_m1_w2'         
        option interface 'wanb6'     
        option metric '1'      
        option weight '2'      
                                      
config member 'wanb6_m2_w2'           
        option interface 'wanb6'      
        option metric '2'             
        option weight '2'   
                              
config policy 'wan_only'   
        list use_member 'wan_m1_w3'
        list use_member 'wan6_m1_w3' 
                                     
config policy 'wanb_only'            
        list use_member 'wanb_m1_w2'
        list use_member 'wanb6_m1_w2'
                                    
config policy 'balanced'        
        list use_member 'wan_m1_w3'
        list use_member 'wanb_m1_w2'
        list use_member 'wan6_m1_w3'
        list use_member 'wanb6_m1_w2'       
                                            
config policy 'wan_wanb'                    
        list use_member 'wan_m1_w3'         
        list use_member 'wanb_m2_w2' 
        list use_member 'wan6_m1_w3' 
        list use_member 'wanb6_m2_w2'
                                    
config policy 'wanb_wan'   
        list use_member 'wan_m2_w3'
        list use_member 'wanb_m1_w2'
        list use_member 'wan6_m2_w3'
        list use_member 'wanb6_m1_w2'

Sorry for the title, I receive blocking of linux servers correctly for requesting from another network segment.

Remove the masquerading from the wireguard zone.

Change the wg peers such that the allowed ips are each a single unique address and /32 (192.168.9.2/32 and 192.168.9.3/32) and enable the wg option for each of the peers to route allowed ips.

Thanks psherman but there were no changes, I keep sending packets with the peer address to the servers and they block me.

Are the servers allowing traffic from other subnets? Windows for example are known for that limitation.

1 Like

It does not allow another subnet, I need to use the same segment, in the servers I could eliminate that restriction but some devices within the network cannot be modified

Then you'll need to add masquerade in lan zone. But add the condition to masquerade when source subnet is the wg 192.168.9.0/24

Without changes, I keep sending with the address 192.168.9.3 or 192.168.9.2 to the lan

Then run a tcpdump and verify that packets are correct:
tcpdump -i any -evn host 192.168.1.X
change X with the last octet of the host in lan.

root@wurkman:/home/yohiro# tcpdump -i wg0 -env host 192.168.1.100
tcpdump: listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes
19:42:55.250362 ip: (tos 0x0, ttl 64, id 18717, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.9.3 > 192.168.1.100: ICMP echo request, id 4675, seq 1, length 64
19:42:56.277188 ip: (tos 0x0, ttl 64, id 18928, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.9.3 > 192.168.1.100: ICMP echo request, id 4675, seq 2, length 64
19:42:57.301189 ip: (tos 0x0, ttl 64, id 19138, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.9.3 > 192.168.1.100: ICMP echo request, id 4675, seq 3, length 64
19:42:58.325145 ip: (tos 0x0, ttl 64, id 19218, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.9.3 > 192.168.1.100: ICMP echo request, id 4675, seq 4, length 64

Server log

Apr 24 19:42:55 server156 kernel: [4695049.768926] IPv4: martian source 192.168.1.100 from 192.168.9.3, on dev enp3s0
Apr 24 19:42:55 server156 kernel: [4695049.768948] ll header: 00000000: bc ae c5 6f a2 17 68 ff 7b 47 a4 b0 08 00        ...o..h.{G....
Apr 24 19:42:56 server156 kernel: [4695050.793891] IPv4: martian source 192.168.1.100 from 192.168.9.3, on dev enp3s0
Apr 24 19:42:56 server156 kernel: [4695050.793921] ll header: 00000000: bc ae c5 6f a2 17 68 ff 7b 47 a4 b0 08 00        ...o..h.{G....
Apr 24 19:42:57 server156 kernel: [4695051.817751] IPv4: martian source 192.168.1.100 from 192.168.9.3, on dev enp3s0
Apr 24 19:42:57 server156 kernel: [4695051.817768] ll header: 00000000: bc ae c5 6f a2 17 68 ff 7b 47 a4 b0 08 00        ...o..h.{G....
Apr 24 19:42:58 server156 kernel: [4695052.843169] IPv4: martian source 192.168.1.100 from 192.168.9.3, on dev enp3s0
Apr 24 19:42:58 server156 kernel: [4695052.843196] ll header: 00000000: bc ae c5 6f a2 17 68 ff 7b 47 a4 b0 08 00        ...o..h.{G....

It seems to me that the packets are arriving at the server, but that the server is blocking them because it sees them as martians. Can you adjust the configuration of the firewall on the server itself?

In the servers I can modify the rules but I need to connect to devices that have the same restriction in their firmware and I cannot modify them.

Using a SNAT rule, you could make all the packets appear as if originated from the router. This has worked for me in the past in a similar situation.

I see you have such rule defined, but why is it disabled?

I asked you to use -i any to verify that the packets going out of the lan interface are indeed masqueraded as suggested here.By looking at the wg0 interface doesn't help much.

I tried it but I keep sending with the IP assigned by wireguard

Is this some kind of joke?
I gave you one command to use and for 2 posts in a row you are using your own versions.
Best of luck solving your issue as I am not going to deal any more.

it's not a joke, the first capture is in client and the interface capture any does not capture anything so use wg0 if what you needed to see was in openwrt the second capture was there and only filtered the icmp packages because it has a lot of activity

First of all the commands are meant to be run on OpenWrt, unless otherwise specified.

You have selected full verbosity and hex presentation. Do you still insist that you used the command I gave you?

That is not how it is supposed to work. I would go back to that route and try to make it work.

I didn't ask you to execute the command to a file. I didn't ask you to open it in wireshark and paste all this useless data on the thread.
If you cannot find a single host in the lan that is not so active in sending packets, you can append the and icmp at the end of the command and it will filter the ping and the reply.

root@23400S:~# tcpdump -i any -evn host 192.168.1.100 and icmp
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
18:07:19.806240  In ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.9.3 > 192.168.1.100: ICMP echo request, id 47, seq 1, length 64
18:07:19.806385 Out 68:ff:7b:47:a4:b0 ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.9.3 > 192.168.1.100: ICMP echo request, id 47, seq 1, length 64
18:07:19.806407 Out 68:ff:7b:47:a4:b0 ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.9.3 > 192.168.1.100: ICMP echo request, id 47, seq 1, length 64
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel

that's one of the servers that blocks requests