WireGuard interface connects to LAN but not WAN on Guest Zone

My WireGuard interface allows incoming connections to access the guest-zone LAN. However, I am unable to access the internet while connected to the WireGuard tunnel.

When I change the WireGuard interface to use the main LAN zone (instead of the guest zone), I am able to reach devices on the main LAN zone and the WAN.

Why does attaching the WireGuard interface to the guest zone not let tunnel clients reach the WAN?

Config:

DHCP:

# /etc/config/dhcp as posted. Review remarks are prefixed NOTE(review).
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
# rebind_protection rejects upstream answers that resolve to private/loopback
# ranges (DNS-rebinding defence). Keep it on for a router serving guest/IoT
# clients.
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
# localservice: dnsmasq only answers queries from addresses on a subnet that is
# configured on one of its interfaces. 10.100.0.0/24 is configured on the
# wg_server_guest interface in the network config, so tunnel clients should
# qualify -- but the firewall decides whether a query reaches dnsmasq at all
# (the WGSer_Guest zone's input policy is REJECT).
	option localservice '1'
	option ednspacket_max '1232'

# Main LAN: IPv4 + stateful IPv6 (DHCPv6 + RA). Leases .100-.249.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

# No DHCP service towards the WAN side.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Guest network: IPv4 only as posted (no dhcpv6/ra options, unlike 'lan').
# Leases 10.20.30.100-10.20.30.249.
config dhcp 'GUEST'
	option interface 'GUEST'
	option start '100'
	option limit '150'
	option leasetime '12h'

# IoT network: IPv4 only as posted. Leases 172.16.0.100-172.16.0.249.
config dhcp 'IOT'
	option interface 'IOT'
	option start '100'
	option limit '150'
	option leasetime '12h'

# No DHCP on the tunnel; WireGuard peers are addressed statically through the
# peer's allowed_ips. NOTE(review): 'ignore' only disables DHCP here. Whether
# tunnel clients can use 10.100.0.1 as their resolver is decided by the
# firewall input policy of the WGSer_Guest zone (currently REJECT), which would
# make name resolution fail and look like "no internet".
config dhcp 'wg_server_guest'
	option interface 'wg_server_guest'
	option ignore '1'

Firewall (Zone of interest: WGSer_Guest)


# /etc/config/firewall as posted (fw4). Review remarks are prefixed
# NOTE(review). Section order is significant for rules/redirects, so nothing
# below is reordered.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Trusted LAN: full access to the router and to any zone it is forwarded to.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# WAN: unsolicited inbound rejected; masq + MSS clamping for outbound.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# NOTE(review): the two rules below are OpenWrt defaults that open wan->lan
# forwarding for IPsec ESP and IKE (UDP 500). No IPsec setup is visible in this
# post; if none exists, disable them (option enabled '0') to keep the wan->lan
# forward surface minimal.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Guest zone: no access to the router except what the 'Guest DHCP and DNS'
# rule opens, and forwarding only to wan (below). It has no forwarding to lan
# or IOTZone, so guests are isolated as intended.
config zone
	option name 'GUESTZone'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'
	list network 'GUEST'

# NOTE(review): input 'ACCEPT' lets every IoT device reach all services on the
# router itself (LuCI, SSH, ...). The 'IOT DHCP and DNS' rule below already
# opens what IoT clients need, so this should be 'REJECT' like GUESTZone.
config zone
	option name 'IOTZone'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'ACCEPT'
	list network 'IOT'

# lan may initiate connections to IoT devices; there is no IOTZone->lan
# forwarding, so IoT devices cannot initiate towards the LAN.
config forwarding
	option src 'lan'
	option dest 'IOTZone'

config forwarding
	option src 'GUESTZone'
	option dest 'wan'

# Input rule (no 'dest'): guests may talk to the router on 53/67/68. No 'proto'
# means fw4 matches tcp and udp. NOTE(review): this is scoped to GUESTZone
# only; the WireGuard interface lives in WGSer_Guest and is not covered.
config rule
	option name 'Guest DHCP and DNS'
	option src 'GUESTZone'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'IOT DHCP and DNS'
	option src 'IOTZone'
	option dest_port '53 67 68'
	option target 'ACCEPT'

# NOTE(review): WireGuard terminates on the router itself (10.100.0.1 is the
# wg_server_guest interface's own address), so what is needed is an INPUT
# accept for the listen port -- a 'config rule' with src 'wan', proto 'udp',
# dest_port <listen_port>, target 'ACCEPT' -- not a port forward. A redirect
# with dest 'lan' additionally makes fw4 emit a wan->lan forward ACCEPT for that
# port, which is a needless opening. 'port' values here are redacted
# placeholders.
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'wireguard-guest'
	option src 'wan'
	option src_dport 'port'
	option dest_port 'port'
	option dest_ip '10.100.0.1'

# DNS hijack: DNAT with no dest_ip effectively redirects port 53 (tcp+udp, no
# proto given) to the router. NOTE(review): it only covers src 'lan'; guest and
# IoT clients can still use external resolvers. If forcing local DNS is the
# goal, add equivalent redirects for GUESTZone, IOTZone and (once DNS is opened
# on it) WGSer_Guest.
config redirect
	option target 'DNAT'
	option name 'DNS Intercept'
	option src 'lan'
	option src_dport '53'

# Policy-based routing hook. NOTE(review): pbr policies (not shown) can send
# matching traffic out a different interface than the default route; if a
# policy matches 10.100.0.0/24 or the wg interface, it -- not the forwardings
# below -- decides where tunnel traffic egresses.
config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

# Zone for the WireGuard server interface. input 'REJECT' means tunnel clients
# cannot reach any service on the router, including DNS at 10.100.0.1; a client
# whose resolver is the tunnel address will fail to resolve names, which
# presents as "no internet" even though forwarding to wan is allowed below.
# NOTE(review): add a rule like 'Guest DHCP and DNS' with src 'WGSer_Guest' and
# dest_port '53' rather than setting input to ACCEPT. The zone's own 'forward'
# setting only governs traffic between interfaces within the zone; with a single
# interface it has no effect.
config zone
	option name 'WGSer_Guest'
	option output 'ACCEPT'
	list network 'wg_server_guest'
	option input 'REJECT'
	option forward 'REJECT'

# Tunnel clients -> internet is permitted at the firewall level. If WAN is still
# unreachable, check that the client's AllowedIPs includes 0.0.0.0/0 (otherwise
# the client never sends internet traffic into the tunnel), that DNS works (see
# zone note above) and that no pbr policy diverts the traffic.
config forwarding
	option src 'WGSer_Guest'
	option dest 'wan'

# One-way: tunnel clients may initiate towards guest hosts; there is no
# GUESTZone->WGSer_Guest forwarding, so guest hosts cannot initiate towards
# tunnel clients. No forwarding to lan or IOTZone, consistent with a guest VPN.
config forwarding
	option src 'WGSer_Guest'
	option dest 'GUESTZone'

Network


# /etc/config/network as posted. Review remarks are prefixed NOTE(review).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fddc:8416:29ef::/48'

# Main LAN bridge: VLAN 10 on eth0 plus VLAN 1 on eth1.
# NOTE(review): eth0.10 is also listed as a port of 'br-vlan' further down; a
# netdev can be enslaved to only one bridge, so one of the two bridges will
# fail to attach it -- confirm with 'bridge link' and drop the leftover.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.10'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# WAN on VLAN 2. peerdns '0' ignores ISP resolvers; upstream DNS is plaintext
# port 53 to Google (no DoT/DoH forwarder is visible in this post).
config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
	option peerdns '0'
	list dns '2001:4860:4860::8888'
	list dns '2001:4860:4860::8844'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '6t 1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5'
	option vid '2'

# Guest gateway is 10.20.30.40/24 (an unusual but valid gateway address; the
# DHCP pool for this interface is .100-.249 so there is no overlap).
config interface 'GUEST'
	option proto 'static'
	option ipaddr '10.20.30.40'
	option netmask '255.255.255.0'
	option device 'br-guest'

config interface 'IOT'
	option proto 'static'
	option ipaddr '172.16.0.1'
	option netmask '255.255.255.0'
	option device 'br-iot'

# VID 3: CPU port only (no physical switch port).
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option description 'TheLoft_Guest'
	option ports '0t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '10'
	option description 'TL_VLAN'
	option ports '0t 3t 2t'

# Guest bridge joins VIDs 20, 3 and 4 into one L2 segment. Anything on those
# VLANs shares the guest broadcast domain and the GUESTZone firewall policy.
# NOTE(review): eth0.20 is also listed under 'br-vlan' below (see br-lan note).
config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'eth0.20'
	list ports 'eth0.3'
	list ports 'eth0.4'

# NOTE(review): eth0.30 is also listed under 'br-vlan' below (see br-lan note).
config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'eth0.30'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option vid '20'
	option description 'TL_Guest_VLAN'
	option ports '0t 3t 2t'

config switch_vlan
	option device 'switch0'
	option vlan '6'
	option vid '30'
	option description 'TL_IOT_VLAN'
	option ports '0t 3t 2t'

config switch_vlan
	option device 'switch0'
	option vlan '7'
	option vid '40'
	option description 'TL_VPN_VLAN'
	option ports '0t 3t 2t'

# NOTE(review): 'br-vlan' re-uses eth0.10/eth0.20/eth0.30, which are already
# ports of br-lan/br-guest/br-iot, and no 'config interface' references
# br-vlan. It looks like a leftover of an earlier VLAN-filtering design; if
# so, remove it together with the bridge-vlan sections below.
config device
	option type 'bridge'
	option name 'br-vlan'
	list ports 'eth0.10'
	list ports 'eth0.20'
	list ports 'eth0.30'
	list ports 'eth0.40'

config bridge-vlan
	option device 'br-vlan'
	option vlan '10'
	list ports 'eth0.10:t'

config bridge-vlan
	option device 'br-vlan'
	option vlan '20'
	list ports 'eth0.20:t'

config bridge-vlan
	option device 'br-vlan'
	option vlan '30'
	list ports 'eth0.30:t'

config bridge-vlan
	option device 'br-vlan'
	option vlan '40'
	list ports 'eth0.40:t'

# VID 4 on physical port 4 (second 'TheLoft_Guest' VLAN; bridged into
# br-guest via eth0.4).
config switch_vlan
	option device 'switch0'
	option vlan '8'
	option ports '0t 4'
	option vid '4'
	option description 'TheLoft_Guest'

# WireGuard server. The router's tunnel address is 10.100.0.1/24; listen_port
# and private_key are redacted. The UDP listen port must be accepted in the
# firewall's wan INPUT path for peers to connect.
config interface 'wg_server_guest'
	option proto 'wireguard'
	option private_key '######'
	option listen_port '<port number>'
	list addresses '10.100.0.1/24'

# Single peer. allowed_ips '10.100.0.2/32' means the router only accepts tunnel
# packets from that source and (route_allowed_ips) installs a route to it.
# NOTE(review): a peer-side private_key is only used by LuCI to generate client
# configuration files; it is not needed for the tunnel and keeping a client's
# private key on the server widens exposure -- remove it once the client config
# has been exported. persistent_keepalive on the server side is only useful if
# the router itself sits behind NAT; otherwise it is harmless but unnecessary.
config wireguard_wg_server_guest
	option description 'description'
	list allowed_ips '10.100.0.2/32'
	option route_allowed_ips '1'
	option persistent_keepalive '30'
	option public_key '#####'
	option private_key '######'

GUI:



For anyone looking for a way around this, I settled on a simple workaround rather than a fix: split tunneling in the WireGuard client configuration. Only traffic for the guest subnet goes through the tunnel; internet traffic leaves directly from the client device's own network connection, so it is not protected by the tunnel and the router's WAN is never used. If anyone has a solution for routing internet traffic through the WireGuard interface, let me know.

Workaround with split tunneling (guest LAN through the WireGuard tunnel / internet from the client device's own connection):

  1. Create a WireGuard client config whose AllowedIPs contains only the subnet of interest (guest subnet = 10.20.30.0/24).
  2. Enjoy

Example client configuration:

# WireGuard client (wg-quick style) for the split-tunnel workaround.
[Interface]
PrivateKey = <private_key>
# Must match the server's allowed_ips for this peer (10.100.0.2/32); WireGuard
# drops tunnel packets whose source is outside the peer's AllowedIPs.
Address = 10.100.0.2/32
# No DNS= line: the client keeps using its local network's resolver, so DNS is
# not tunnelled and names served by the router will not resolve.

[Peer]
PublicKey = <public_key>
# Split tunnel: only the guest subnet is routed into the tunnel. Internet traffic
# bypasses the tunnel entirely (unencrypted, router WAN unused). For a full
# tunnel use 0.0.0.0/0 (and ::/0); the server's WGSer_Guest zone must then
# permit DNS to the router in addition to the existing forwarding to wan.
AllowedIPs = 10.20.30.0/24
Endpoint = <endpoint:port>
# Only needed when this client is behind NAT and must keep the mapping open.
PersistentKeepalive = 30

Updated GUI:




Input and forward should be set to ACCEPT

Input only needs to be ACCEPT if clients on the WireGuard interface should reach services on the router itself (LuCI, SSH, ...). For a 'guest' zone that is normally unwanted, so keep it REJECT; a traffic rule allowing only DNS (port 53) from the WireGuard zone to the router will likely be needed, since clients using 10.100.0.1 as their resolver are otherwise rejected.

And as the zone contains a single interface, its own 'forward' setting (which only governs traffic between interfaces within the same zone) makes no difference; traffic to other zones is governed by the forwarding sections.

@krazeh I have created a firewall rule ('Guest DHCP and DNS') that allows the guest zone to reach the router for DNS and DHCP on ports 53, 67 and 68.

The WireGuard interface isn't in that zone, though, is it? It sits in WGSer_Guest, not GUESTZone, so a rule with src 'GUESTZone' does not apply to tunnel clients; they need an equivalent rule with src 'WGSer_Guest'.