I have 3 routers on OpenWrt: 1 of them acts as a server and the two others as clients.
I need to have access from one client to the other client.
Both clients are connected to the server, which has an external IP, so the connection is all good, status OK.
But I can't ping one client from the other.
How do I make settings that allow ping from one peer to the other via the server peer?
I have tried to change the mask, it didn't help. What do I miss?
From the server peer I can ping both, also I can ping the server from both peers,
but no ping from peer 1 to peer 2.
Where is OpenWrt in this drawing? And are you trying to connect just the two peers themselves to each other, or is there a network behind each of the peers that needs to be connected to the other?
All connected, all is good as described, except I can't ping peer 1 from peer 2 (they do not have external IPs, only the server has). There is no way I can connect peer 1 to peer 2 directly.
But that doesn't answer the question -- where is OpenWrt? Peer 1? Peer 2? Server?
In the description:
I have 3 routers on OpenWrt, 1 of them acts as a server and the two others as clients,
3 routers connected to the Internet, only 1 has an external static IP (the server).
Ok... sorry I missed that.
Let's see the configs from each of the devices (label each):
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
I don't really think it is necessary, there are only WireGuard interfaces in this schema,
and I can ping both (peer 1 and peer 2) from the server and I can ping the server from both devices, all good. I only need to make ping available from peer 1 to peer 2 via the server.
I need advice on what IPs and netmask I should use and where. WireGuard does the routing itself automatically depending on the allowed IPs.
The reason I'm asking is to ensure that I understand the complete context... the config files really give that whole story. For example, I don't know what the allowed IPs looks like now for the peer 1 and peer 2 devices.
But...
The allowed IPs on both peer 1 and peer 2 should be 192.168.29.0/24.
If that doesn't solve the issue, the config files will probably be necessary so that there's enough info to advise properly.
Made it 192.168.29.0/24 on both peers,
no ping from peer 1 to peer 2.
Here is the status of peer 1
peer 2
and server
Please post the requested text configs.
psherman: ubus call system board
peer 1
root@my:~# ubus call system board
{
"kernel": "5.4.238",
"hostname": "my",
"system": "MediaTek MT7620N ver:2 eco:6",
"model": "Zbtlink ZBT-WR8305RT",
"board_name": "zbtlink,zbt-wr8305rt",
"release": {
"distribution": "OpenWrt",
"version": "21.02.7",
"revision": "r16847-f8282da11e",
"target": "ramips/mt7620",
"description": "OpenWrt 21.02.7 r16847-f8282da11e"
}
}
peer2
{
"kernel": "5.4.188",
"hostname": "MakarSklad",
"system": "MediaTek MT7620A ver:2 eco:6",
"model": "Zbtlink ZBT-WE826 (16M)",
"board_name": "zbtlink,zbt-we826-16m",
"release": {
"distribution": "OpenWrt",
"version": "21.02.3",
"revision": "r16554-1d4dea6d4f",
"target": "ramips/mt7620",
"description": "OpenWrt 21.02.3 r16554-1d4dea6d4f"
}
}
server
{
"kernel": "5.10.221",
"hostname": "avnguard",
"system": "MediaTek MT7620N ver:2 eco:6",
"model": "Zbtlink ZBT-WR8305RT",
"board_name": "zbtlink,zbt-wr8305rt",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "22.03.7",
"revision": "r20341-591b7e93d3",
"target": "ramips/mt7620",
"description": "OpenWrt 22.03.7 r20341-591b7e93d3"
}
}
psherman: cat /etc/config/network
peer 1
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.222.1'
list dns '1.1.1.1'
list dns '8.8.8.8'
option delegate '0'
option ipv6 '0'
config device
option name 'eth0.2'
option macaddr 'f8:5e:3c:0c:59:11'
config interface 'wan'
option device 'eth0.2'
option proto 'pppoe'
option username '030390gb'
option password '9eoaeE'
option ipv6 '0'
config interface 'vpn'
option proto 'wireguard'
option private_key 'eOneDWUsYGBEvDAkBBvXA='
list addresses '192.168.9.1/24'
option listen_port '7473'
config device
option name 'vpn'
option ipv6 '0'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '6t 1 2 3'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '6t 4'
option vid '2'
config wireguard_vpn
option description 'cwifibridge'
option public_key 'O7ZgyqzJgwQ7apmL+ZTKx3k3t41R4='
option route_allowed_ips '1'
list allowed_ips '192.168.9.88/32'
config wireguard_vpn
option description 'CTR(16M)'
option public_key 'SVF/Vdt9iEeZmOs0MonCAkxtayQg='
list allowed_ips '192.168.9.30/32'
config wireguard_vpn
option description 'WIFIPROJ'
option public_key 'NFyn1iQskVGbyZKFB9Kq0FQF5X4='
option route_allowed_ips '1'
list allowed_ips '192.168.9.33/32'
config wireguard_vpn
option route_allowed_ips '1'
option public_key 'aanklfXMMc8MnD3DbiyOBASjcPAQ='
option description 'BlackRouterAdmins'
list allowed_ips '192.168.9.200/32'
config wireguard_vpn
option description 'Ovchinikiva1Amikrotik'
option public_key 'C1TdwWJN/ujmp6WeKtsIXzpMMWYkDzSfUCGPcle7rh4='
option route_allowed_ips '1'
list allowed_ips '192.168.9.199/32'
config wireguard_vpn
option description 'Whimin'
option public_key '480Jzj7jZiVNuarU94Em/+2w5Kjg='
option route_allowed_ips '1'
list allowed_ips '192.168.9.201/32'
list allowed_ips '192.168.0.0/24'
config switch_vlan
option device 'switch0'
option vlan '3'
option ports '6t 0'
option vid '249'
config interface '249'
option proto 'static'
option device 'eth0.249'
option ipaddr '192.168.249.1'
option netmask '255.255.255.0'
config wireguard_vpn
option description 'Sese'
option public_key 'olzBZ4ABdnrbTWYiTPx7x4='
option route_allowed_ips '1'
list allowed_ips '192.168.9.121/32'
list allowed_ips '192.168.121.0/24'
config wireguard_vpn
option description 'SonyWorkNout'
option public_key 'hsUyc2u8IuitokKJVkJ2fKGmY='
list allowed_ips '192.168.9.7/32'
option route_allowed_ips '1'
config interface 'wgcli'
option proto 'wireguard'
option private_key 'ABt8Bmk/VB5UcHYqPj2M='
list addresses '192.168.29.2/24'
config wireguard_wgcli
option description 'clienttoserv'
option public_key '/pp71wUZyh3QMiOlu8afkchFX6l2k='
option route_allowed_ips '1'
option endpoint_host '1.122.253.238'
option endpoint_port '8057'
option persistent_keepalive '24'
list allowed_ips '192.168.29.0/24'
peer2
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.10.1'
list dns '1.1.1.1'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
option auto '0'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
config interface '4g'
option proto 'modemmanager'
option device '/sys/devices/platform/101c0000.ehci/usb1/1-1/1-1.3'
option apn 'public.mc'
option auth 'none'
option iptype 'ipv4v6'
option signalrate '3'
config interface 'VPN'
option proto 'wireguard'
option private_key 'EB9fRbS3ea7TG1kV2BfznmQnc='
list addresses '192.168.29.10/24'
config wireguard_VPN
option route_allowed_ips '1'
option description 'VPN'
option persistent_keepalive '24'
option public_key '/pp71wUZyh3u8afkchFX6l2k='
option endpoint_host '1.122.253.238'
option endpoint_port '8057'
list allowed_ips '192.168.29.0/24'
psherman: cat /etc/config/network
server
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd34:db0b:8256::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.44.1'
config device
option name 'eth0.2'
option macaddr 'f8:5e:3c:0c:59:ad'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
config interface 'WG'
option proto 'wireguard'
option private_key 'iDIXfd6exkTZEqxbEQ='
option listen_port '8057'
list addresses '192.168.29.1/24'
config wireguard_WG
option description 'MAKARCHA'
option public_key 'tWEzxUCcjL3KM10='
option route_allowed_ips '1'
list allowed_ips '192.168.29.10/32'
config wireguard_WG
option public_key 'QIaJyzlqXkSsO+SB3w='
option route_allowed_ips '1'
option description '_ITSME_'
list allowed_ips '192.168.29.2/32'
psherman: cat /etc/config/firewall
firewall peer1
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'wgcli'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'WG'
list proto 'udp'
option src 'wan'
option dest_port '7473'
option target 'ACCEPT'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config zone
option name 'VPN'
option output 'ACCEPT'
option forward 'REJECT'
option input 'REJECT'
option masq '1'
list network 'vpn'
config rule
option name 'Iperf3'
option src 'wan'
option dest_port '5201'
option target 'ACCEPT'
option enabled '0'
config forwarding
option src 'lan'
option dest 'VPN'
config zone
option name 'videonet'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network '249'
config forwarding
option src 'videonet'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'videonet'
psherman: cat /etc/config/firewall
firewall peer2
config defaults
option output 'ACCEPT'
option forward 'DROP'
option input 'DROP'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'VPN'
config zone
option name 'wan'
option output 'ACCEPT'
option mtu_fix '1'
list network 'wan'
list network '4g'
option input 'DROP'
option forward 'DROP'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
option enabled '0'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
config include
option path '/etc/firewall.user'
config redirect
option dest_port '1817'
option src 'wan'
option name 'cam1'
option src_dport '1817'
option target 'DNAT'
option dest_ip '192.168.10.17'
option dest 'lan'
list proto 'tcp'
config redirect
option dest_port '1816'
option src 'wan'
option name 'cam2'
option src_dport '1816'
option target 'DNAT'
option dest_ip '192.168.10.16'
option dest 'lan'
list proto 'tcp'
config redirect
option dest_port '1815'
option src 'wan'
option name 'cam3'
option src_dport '1815'
option target 'DNAT'
option dest_ip '192.168.10.15'
option dest 'lan'
list proto 'tcp'
config redirect
option dest_port '1818'
option src 'wan'
option name 'cam4'
option src_dport '1818'
option target 'DNAT'
option dest_ip '192.168.10.18'
option dest 'lan'
list proto 'tcp'
config redirect
option src 'wan'
option name 'cam5'
option target 'DNAT'
option dest 'lan'
list proto 'tcp'
option dest_port '1819'
option dest_ip '192.168.10.19'
option src_dport '1819'
config redirect
option dest_port '1820'
option src 'wan'
option name 'cam6'
option src_dport '1820'
option target 'DNAT'
option dest_ip '192.168.10.20'
option dest 'lan'
list proto 'tcp'
config redirect
option src 'wan'
option name 'webif'
option src_dport '8080'
option target 'DNAT'
option dest_ip '192.168.10.1'
option dest 'lan'
list proto 'tcp'
option dest_port '443'
config nat
list proto 'all'
option name 'SNAT'
option src_ip '192.168.10.0/24'
option target 'SNAT'
option snat_ip '83.169.210.130'
option src 'wan'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'shhh'
list proto 'tcp'
option src 'wan'
option src_dport '1425'
option dest_ip '192.168.10.1'
option dest_port '22'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'camera5 manage'
option src 'wan'
option src_dport '8019'
option dest_ip '192.168.10.19'
option dest_port '8019'
option enabled '0'
psherman: cat /etc/config/firewall
firewall server
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'WG'
list proto 'udp'
option src 'wan'
option dest_port '8057'
option target 'ACCEPT'
config rule
option name 'ssh'
option src 'wan'
option dest_port '22'
option target 'ACCEPT'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name '8080'
option family 'ipv4'
option src 'wan'
option src_dport '8080'
option dest_ip '192.168.44.1'
option dest_port '80'
config zone
option name 'VPN'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'WG'
Try changing the forward rule on the server to ACCEPT.
Restart all three devices and test again.
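The change suggested in the reply above, as an added example that is not part of the thread and not OpenWrt's own tooling: a small POSIX sh script that reads an OpenWrt /etc/config/firewall from stdin, reports the forward policy of the zone holding a given WireGuard interface, rewrites that zone to forward ACCEPT, and, when run on the router itself, applies the same change through uci. The zone name 'VPN' and the interface name 'WG' are taken from the server config posted in this thread; the embedded sample input is a constructed excerpt of that config. In OpenWrt's firewall a zone's forward option governs traffic forwarded between interfaces of that zone, including traffic entering and leaving the same WireGuard interface, so peer 1 to peer 2 traffic hairpinning through the server's WG interface is refused by forward REJECT even though the zone's input and output are ACCEPT. The uci section lookup assumes uci's '@zone[N]' naming for anonymous sections.

```shell
#!/bin/sh
# Added example, not part of the thread: inspect and fix the zone forward
# policy for a WireGuard interface in an OpenWrt /etc/config/firewall.
# Assumed names (from the server config posted above): zone 'VPN', network 'WG'.

# Constructed sample input: the server's lan and VPN zones as posted,
# with the rest of the firewall file omitted.
server_zones() {
cat <<'EOF'
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'VPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'WG'
EOF
}

# Print the forward policy of the zone whose 'list network' contains $1,
# reading the firewall config from stdin. Prints DEFAULT when the zone has
# no forward option (it then inherits 'config defaults'), nothing if no
# zone lists that network.
zone_forward_policy() {
    awk -v want="$1" -v q="'" '
        function flush() {
            if (hit) print (fwd == "" ? "DEFAULT" : fwd)
            hit = 0; fwd = ""
        }
        /^[[:space:]]*config[[:space:]]/ { flush(); is_zone = ($2 == "zone") }
        is_zone && /^[[:space:]]*option[[:space:]]+forward[[:space:]]/ { fwd = $3; gsub(q, "", fwd) }
        is_zone && /^[[:space:]]*list[[:space:]]+network[[:space:]]/ { n = $3; gsub(q, "", n); if (n == want) hit = 1 }
        END { flush() }
    '
}

# Copy stdin to stdout with the zone named $1 changed to forward ACCEPT;
# every other section is passed through unchanged.
fix_zone_forward() {
    awk -v zone="$1" -v q="'" '
        /^[[:space:]]*config[[:space:]]/ { is_zone = ($2 == "zone"); in_zone = 0 }
        is_zone && /^[[:space:]]*option[[:space:]]+name[[:space:]]/ { n = $3; gsub(q, "", n); in_zone = (n == zone) }
        in_zone && /^[[:space:]]*option[[:space:]]+forward[[:space:]]/ { sub(/forward[[:space:]].*/, "forward " q "ACCEPT" q) }
        { print }
    '
}

# On the router: the same change through uci, locating the zone by its name.
# Only does anything where uci exists; '@zone[N]' naming of anonymous
# sections in 'uci show' output is assumed.
apply_on_router() {
    zone=${1:-VPN}
    command -v uci >/dev/null 2>&1 || { echo "uci not found, not an OpenWrt host" >&2; return 1; }
    sect=$(uci show firewall | sed -n "s/^firewall\.\(@zone\[[0-9]*\]\)\.name='$zone'\$/\1/p")
    [ -n "$sect" ] || { echo "no zone named $zone" >&2; return 1; }
    uci set "firewall.$sect.forward=ACCEPT"
    uci commit firewall
    /etc/init.d/firewall restart
}

# Stand-alone run against the constructed sample (on the server you would
# pipe the real file: zone_forward_policy WG < /etc/config/firewall).
echo "VPN zone forward policy as posted: $(server_zones | zone_forward_policy WG)"   # REJECT
echo "after fix: $(server_zones | fix_zone_forward VPN | zone_forward_policy WG)"    # ACCEPT
```

Two things worth keeping in mind when applying this. First, forward ACCEPT on the zone lets every WireGuard peer of the server reach every other peer; if only peer 1 and peer 2 should talk, leave the zone at REJECT and add a `config rule` with `option src 'VPN'`, `option dest 'VPN'`, `option src_ip`/`option dest_ip` set to the two tunnel addresses (192.168.29.2 and 192.168.29.10 in the posted configs) and `option target 'ACCEPT'` instead. Second, the peers' own firewalls are not the blocker in the configs posted above: peer 1 has wgcli and peer 2 has VPN in their lan zone with input ACCEPT, and both peers route 192.168.29.0/24 into the tunnel via route_allowed_ips, so the server's zone forward policy is the one remaining REJECT on the path.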
You are looking at the VPN server rules that have nothing to do with the client (peer 1).
The name for the client is not VPN but WG.