Asking for your help in configuring firewall/WireGuard.
Currently I have a WireGuard interface on a router, which is proxying everything from my network.
And when WireGuard is down, the internet is not accessible.
I have devices that run software which uses a range of ports, requests a UPnP mapping, and listens on those ports.
I would like to change it in this way:
WireGuard should not be the default interface, but should be used only conditionally.
I want to use WireGuard only for connections coming from/to that software. How? Using port rules? For example, it works on ports 6000-6010.
Thanks.
And how can I "stop using it as default"?
When I drop the WireGuard interface, everything works fine.
If I create an interface and it is not working (for example, the VPN provider is down), the internet is not working either.
I assume it's creating some route on interface creation...
Not sure how the wg interface was made. Can you share with us the content of /etc/config/network, with sensitive info redacted of course? While at it, the output of the command ip route show may also help.
root@OpenWrt:~# ip route show
default dev wg0 proto static scope link
5.253.1.1 via 87.206.1.1 dev eth0.2 proto static
87.206.1.1/22 dev eth0.2 proto kernel scope link src 87.206.2.1
185.213.1.1 via 87.206.1.1 dev eth0.2 proto static
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
After I removed 'route_allowed_ips' I can use the WAN directly, even when wg0 is up, but it looks like wg0 is not used at all.
The routes look like this:
root@OpenWrt:~# ip route show
default via 87.206.44.1 dev eth0.2 proto static src 87.206.45.165
5.253.206.210 via 87.206.44.1 dev eth0.2 proto static
87.206.44.0/22 dev eth0.2 proto kernel scope link src 87.206.45.165
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
# iptables -t mangle -A PREROUTING -p tcp --sport 6881:6899 -j MARK --set-xmark 0xc8/0xffffffff
# iptables -t mangle -A PREROUTING -p udp --sport 6881:6899 -j MARK --set-xmark 0xc8/0xffffffff
# iptables -t mangle -A PREROUTING -p tcp --dport 6881:6899 -j MARK --set-xmark 0xc8/0xffffffff
# iptables -t mangle -A PREROUTING -p udp --dport 6881:6899 -j MARK --set-xmark 0xc8/0xffffffff
# iptables -t mangle -A OUTPUT -p udp --dport 6881:6899 -j MARK --set-xmark 0xc8/0xffffffff
# iptables -t mangle -A OUTPUT -p tcp --dport 6881:6899 -j MARK --set-xmark 0xc8/0xffffffff
# iptables -t mangle -A OUTPUT -p tcp --sport 6881:6899 -j MARK --set-xmark 0xc8/0xffffffff
# iptables -t mangle -A OUTPUT -p udp --sport 6881:6899 -j MARK --set-xmark 0xc8/0xffffffff
# ip rule add fwmark 0xc8 lookup 202
I have these routes:
# ip route
default via 87.206.1.1 dev eth0.2 proto static src 87.206.1.2
37.120.1.1 via 87.206.1.1 dev eth0.2 proto static
87.206.1.0/22 dev eth0.2 proto kernel scope link src 87.206.1.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
# ip route show table 202
default via 10.64.1.2 dev wg0
I see this in firewall stats:
Chain PREROUTING (Policy: ACCEPT, Packets: 14742, Traffic: 49.77 MB)
Pkts. Traffic Target Prot. In Out Source Destination Options
0 0.00 B MARK tcp * * 0.0.0.0/0 0.0.0.0/0 tcp spts:6881:6899 MARK set 0xc8
224 36.64 KB MARK udp * * 0.0.0.0/0 0.0.0.0/0 udp spts:6881:6899 MARK set 0xc8
4 240.00 B MARK tcp * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:6881:6899 MARK set 0xc8
250 49.30 KB MARK udp * * 0.0.0.0/0 0.0.0.0/0 udp dpts:6881:6899 MARK set 0xc8
Chain OUTPUT (Policy: ACCEPT, Packets: 562, Traffic: 142.55 KB)
Pkts. Traffic Target Prot. In Out Source Destination Options
0 0.00 B MARK udp * * 0.0.0.0/0 0.0.0.0/0 udp dpts:6881:6899 MARK set 0xc8
0 0.00 B MARK tcp * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:6881:6899 MARK set 0xc8
0 0.00 B MARK tcp * * 0.0.0.0/0 0.0.0.0/0 tcp spts:6881:6899 MARK set 0xc8
0 0.00 B MARK udp * * 0.0.0.0/0 0.0.0.0/0 udp spts:6881:6899 MARK set 0xc8
Actually, the counters were reset. Then I used the application heavily, so most of the megabytes of PREROUTING traffic were from that application, but as you see, it shows that only a few kilobytes were marked.
Doesn't that mean it was not marked by the firewall at all?
Network up/down can cause a firewall reload, which will reset the counters. See if there are such messages in the logread output. Note that on a working system we do not expect networks bouncing up and down frequently.
That said, as long as the counters were increasing, the marking rules were working.
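The following script is an added example for this thread, not code from any of the posts above. It pulls the posted pieces (mark 0xc8, table 202, the 6881-6899 port range, wg0 as the tunnel) into one place and adds the two things a practitioner would want on top of them: a kill switch, and a check. A rule that only says "fwmark 0xc8 lookup 202" falls through to the main table whenever table 202 has no matching route, which is exactly what happens when wg0 goes down and the kernel drops its route, so the app traffic would then leave via the WAN default route; an unreachable route with a worse metric in the same table catches that case. It also marks only in mangle PREROUTING, because mangle OUTPUT matches packets the router itself originates, which is why the OUTPUT counters in the stats above stay at zero when the app runs on a LAN host. The LAN bridge name br-lan and the 192.168.1.0/24 network are taken from the posted route tables; the priority 100, metric values, and 1.1.1.1 as an arbitrary test destination are assumptions of this example.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posts above.
# Routes a LAN application's port range over wg0 with a kill switch.
# Assumptions (not stated in the thread): the LAN bridge is br-lan with
# 192.168.1.0/24, the app's ports are TCP/UDP 6881-6899, and mark 0xc8
# plus table 202 are free to use, as in the posted rules.

PORTS="6881:6899"
MARK="0xc8"
TABLE=202
WG_IF="wg0"
LAN_IF="br-lan"
LAN_NET="192.168.1.0/24"

# With DRY_RUN=1 the commands are printed instead of executed, which is
# also what lets this file be checked without root or a router.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Mark app packets as they enter from the LAN. Only mangle PREROUTING
# sees forwarded traffic; mangle OUTPUT matches packets the router
# itself originates, so rules there stay at zero hits unless the app
# runs on the router.
mark_rules() {
    for proto in tcp udp; do
        for dir in --sport --dport; do
            run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
                -p "$proto" "$dir" "$PORTS" \
                -j MARK --set-xmark "$MARK/0xffffffff"
        done
    done
    # Source-NAT what leaves through the tunnel so replies come back on it.
    run iptables -t nat -A POSTROUTING -o "$WG_IF" -j MASQUERADE
}

# Policy routing for marked packets. A rule that only says "lookup 202"
# falls through to the main table when table 202 has no matching route,
# i.e. as soon as wg0 goes down the app traffic would leak out the WAN.
# The unreachable route with a worse metric catches that case.
routing_rules() {
    run ip rule del fwmark "$MARK" lookup "$TABLE" priority 100 2>/dev/null || true
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority 100
    run ip route replace default dev "$WG_IF" table "$TABLE" metric 10
    run ip route replace unreachable default table "$TABLE" metric 1000
    # Replies arrive on wg0 for flows the main table would send via WAN;
    # loose reverse-path filtering stops the kernel from dropping them.
    run sysctl -q -w "net.ipv4.conf.$WG_IF.rp_filter=2"
}

# Ask the kernel where a marked packet to an arbitrary public address
# (1.1.1.1, assumed here) would go: "dev wg0" while the tunnel is up,
# "No route to host" when it is down. Unmarked traffic keeps the WAN.
check_path() {
    run ip route get 1.1.1.1 mark "$MARK"
    run ip route get 1.1.1.1
}

if [ $# -gt 0 ]; then
    case "$1" in
        apply) mark_rules && routing_rules ;;
        check) check_path ;;
        *) echo "usage: $0 apply|check" >&2; exit 1 ;;
    esac
fi
```

Run it as "sh pbr.sh apply" on the router and "sh pbr.sh check" afterwards; with DRY_RUN=1 it only prints what it would do. Rules typed by hand at the shell are gone after a firewall restart (on OpenWrt with fw3 the tables are flushed and rebuilt, which is also what zeroes the counters), so the apply step belongs in /etc/firewall.user or an equivalent include, and routing_rules should also be re-run from a /etc/hotplug.d/iface script when wg0 comes up, since the kernel removes the wg0 route when the interface goes down.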