Hi,
OK, a follow-on to this one, as promised
I have a "server" and "client" (to make this easier to follow - I know they are considered peers). The two boxes are remote from each other. The server is pfSense, client is OpenWrt. The client is set up to route all traffic to the server - that sort of works ... I can get to the server, and devices on that subnet. But not from there out to the internet. I need this, because I'm routing all traffic from the client to the server.
On the client end, the info requested in the post noted above (some items removed to shorted the capture, but also some addresses removed),
ip address show; ip route show table all; ip rule show; iptables-save; wg show
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether b0:4e:26:3f:9f:30 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.1/24 brd 192.168.0.255 scope global br-lan
valid_lft forever preferred_lft forever
inet6 fd7b:819c:917f::1/60 scope global
valid_lft forever preferred_lft forever
inet6 fe80::b24e:26ff:fe3f:9f30/64 scope link
valid_lft forever preferred_lft forever
7: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
link/ether b0:4e:26:3f:9f:30 brd ff:ff:ff:ff:ff:ff
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether b0:4e:26:3f:9f:31 brd ff:ff:ff:ff:ff:ff
inet X.X.X.X/24 brd 128.189.183.255 scope global eth0.2
valid_lft forever preferred_lft forever
inet6 fe80::b24e:26ff:fe3f:9f31/64 scope link
valid_lft forever preferred_lft forever
9: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
link/[65534]
inet 192.168.253.3/32 brd 255.255.255.255 scope global wg0
valid_lft forever preferred_lft forever
10: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
link/ether b0:4e:26:3f:9f:30 brd ff:ff:ff:ff:ff:ff
inet6 fe80::b24e:26ff:fe3f:9f30/64 scope link
valid_lft forever preferred_lft forever
11: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
link/ether b0:4e:26:3f:9f:2f brd ff:ff:ff:ff:ff:ff
inet6 fe80::b24e:26ff:fe3f:9f2f/64 scope link
valid_lft forever preferred_lft forever
default dev wg0 scope link
Y.Y.Y.Y via X.X.X.X dev eth0.2
128.189.183.0/24 dev eth0.2 scope link src X.X.X.X
192.168.0.0/24 dev br-lan scope link src 192.168.0.1
192.168.2.0/24 dev wg0 scope link
192.168.253.0/24 dev wg0 scope link
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 128.189.183.0 dev eth0.2 table local scope link src X.X.X.X
local X.X.X.X dev eth0.2 table local scope host src X.X.X.X
broadcast 128.189.183.255 dev eth0.2 table local scope link src X.X.X.X
broadcast 192.168.0.0 dev br-lan table local scope link src 192.168.0.1
local 192.168.0.1 dev br-lan table local scope host src 192.168.0.1
broadcast 192.168.0.255 dev br-lan table local scope link src 192.168.0.1
local 192.168.253.3 dev wg0 table local scope host src 192.168.253.3
fd7b:819c:917f::/64 dev br-lan metric 1024
unreachable fd7b:819c:917f::/48 dev lo metric 2147483647
fe80::/64 dev eth0 metric 256
fe80::/64 dev eth0.2 metric 256
fe80::/64 dev br-lan metric 256
fe80::/64 dev wlan1 metric 256
fe80::/64 dev wlan0 metric 256
local ::1 dev lo table local metric 0
anycast fd7b:819c:917f:: dev br-lan table local metric 0
local fd7b:819c:917f::1 dev br-lan table local metric 0
anycast fe80:: dev eth0 table local metric 0
anycast fe80:: dev eth0.2 table local metric 0
anycast fe80:: dev br-lan table local metric 0
anycast fe80:: dev wlan1 table local metric 0
anycast fe80:: dev wlan0 table local metric 0
local fe80::b24e:26ff:fe3f:9f2f dev wlan0 table local metric 0
local fe80::b24e:26ff:fe3f:9f30 dev eth0 table local metric 0
local fe80::b24e:26ff:fe3f:9f30 dev br-lan table local metric 0
local fe80::b24e:26ff:fe3f:9f30 dev wlan1 table local metric 0
local fe80::b24e:26ff:fe3f:9f31 dev eth0.2 table local metric 0
ff00::/8 dev eth0 table local metric 256
ff00::/8 dev br-lan table local metric 256
ff00::/8 dev eth0.2 table local metric 256
ff00::/8 dev wg0 table local metric 256
ff00::/8 dev wlan1 table local metric 256
ff00::/8 dev wlan0 table local metric 256
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
# Generated by iptables-save v1.8.6 on Fri Jan 29 15:43:37 2021
*nat
:PREROUTING ACCEPT [3746:620436]
:INPUT ACCEPT [709:48754]
:OUTPUT ACCEPT [582:42055]
:POSTROUTING ACCEPT [1034:97758]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_postrouting -s 192.168.0.0/24 -d 192.168.0.1/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: ssh (reflection)" -j SNAT --to-source 192.168.0.1
-A zone_lan_postrouting -s 192.168.0.0/24 -d 192.168.0.1/32 -p udp -m udp --dport 22 -m comment --comment "!fw3: ssh (reflection)" -j SNAT --to-source 192.168.0.1
-A zone_lan_postrouting -s 192.168.253.3/32 -d 192.168.0.1/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: ssh (reflection)" -j SNAT --to-source 192.168.253.3
-A zone_lan_postrouting -s 192.168.253.3/32 -d 192.168.0.1/32 -p udp -m udp --dport 22 -m comment --comment "!fw3: ssh (reflection)" -j SNAT --to-source 192.168.253.3
-A zone_lan_postrouting -s 192.168.0.0/24 -d 192.168.0.1/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: http (reflection)" -j SNAT --to-source 192.168.0.1
-A zone_lan_postrouting -s 192.168.253.3/32 -d 192.168.0.1/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: http (reflection)" -j SNAT --to-source 192.168.253.3
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -s 192.168.0.0/24 -d X.X.X.X/32 -p tcp -m tcp --dport 6022 -m comment --comment "!fw3: ssh (reflection)" -j DNAT --to-destination 192.168.0.1:22
-A zone_lan_prerouting -s 192.168.0.0/24 -d X.X.X.X/32 -p udp -m udp --dport 6022 -m comment --comment "!fw3: ssh (reflection)" -j DNAT --to-destination 192.168.0.1:22
-A zone_lan_prerouting -s 192.168.253.3/32 -d X.X.X.X/32 -p tcp -m tcp --dport 6022 -m comment --comment "!fw3: ssh (reflection)" -j DNAT --to-destination 192.168.0.1:22
-A zone_lan_prerouting -s 192.168.253.3/32 -d X.X.X.X/32 -p udp -m udp --dport 6022 -m comment --comment "!fw3: ssh (reflection)" -j DNAT --to-destination 192.168.0.1:22
-A zone_lan_prerouting -s 192.168.0.0/24 -d X.X.X.X/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: http (reflection)" -j DNAT --to-destination 192.168.0.1:80
-A zone_lan_prerouting -s 192.168.253.3/32 -d X.X.X.X/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: http (reflection)" -j DNAT --to-destination 192.168.0.1:80
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 6022 -m comment --comment "!fw3: ssh" -j DNAT --to-destination 192.168.0.1:22
-A zone_wan_prerouting -p udp -m udp --dport 6022 -m comment --comment "!fw3: ssh" -j DNAT --to-destination 192.168.0.1:22
-A zone_wan_prerouting -s 192.168.0.0/16 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: http" -j DNAT --to-destination 192.168.0.1:80
COMMIT
# Completed on Fri Jan 29 15:43:37 2021
# Generated by iptables-save v1.8.6 on Fri Jan 29 15:43:37 2021
*mangle
:PREROUTING ACCEPT [14035:1885022]
:INPUT ACCEPT [10346:1331167]
:FORWARD ACCEPT [2099:292697]
:OUTPUT ACCEPT [15326:5078143]
:POSTROUTING ACCEPT [17425:5370840]
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Jan 29 15:43:37 2021
# Generated by iptables-save v1.8.6 on Fri Jan 29 15:43:37 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i wg0 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_src_ACCEPT -i wg0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Jan 29 15:43:37 2021
interface: wg0
public key: ......
private key: (hidden)
listening port: 39988
peer: ......
preshared key: (hidden)
endpoint: Y.Y.Y.Y:yyyy
allowed ips: 192.168.253.0/24, 192.168.2.0/24, 0.0.0.0/0
latest handshake: 5 seconds ago
transfer: 354.26 KiB received, 1.42 MiB sent
I have another client connected to the server, no issue at all .. can get to the server subnet, and the internet. BTW, I see this on the OpenWrt client ... perhaps that Gateway is the issue? Not sure how to set that, I admit.
Thanks!