Wireguard + PBR = Port fwd not working

Hi,

I am really not the kind of guy who makes a forum post to ask for help, but I have tried for several days and still really do not know how to get this done, and my mail server is now unreachable from WAN :confused:

In a nutshell:
I have configured my new Mullvad VPN exactly like described here (WGINTERFACE/WGZONE):

Now all traffic is getting routed through the Wireguard VPN interface which is working perfectly, but:

I am not able to fix my port forwarding rules from WAN to LAN for my SMTP 25 mail server which worked perfectly before. I tried kind of everything with the firewall settings + the pbr package but the port 25 requests are simply not forwarded to my mail server (192.168.2.2).

Could someone please help me to get the SMTP port 25 forwarded from WAN to my LAN mailserver on 192.168.2.2?

This is my config (Router: Linksys WRT3200ACM / OpenWrt 22.03.2):

config/firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'
	option forward 'DROP'
	option drop_invalid '1'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	option input 'DROP'
	option forward 'DROP'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'WGINTERFACE'
	list network 'lan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'vpn-1'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest_port '51820'
	option dest_ip '192.168.2.2'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'http'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.2.2'
	option dest_port '80'
	list proto 'tcp'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'https'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.2.2'
	option dest_port '443'

config zone
	option name 'WGZONE'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	option forward 'DROP'
	list network 'WGINTERFACE'

config rule
	option src 'lan'
	list src_ip '192.168.2.2'
	list src_ip '192.168.2.4'
	list src_ip '192.168.2.5'
	list src_ip '192.168.2.6'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	option name 'WAN | Uplink-1'
	list dest_ip '192.168.1.1'

config redirect
	option target 'DNAT'
	option name 'smtp-1'
	option src 'wan'
	option dest_ip '192.168.2.2'
	list proto 'tcp'
	list proto 'udp'
	option src_dport '25'
	option dest_port '25'
	option dest 'lan'

config rule
	option src 'lan'
	option dest 'wan'
	option target 'ACCEPT'
	option name 'WAN | SMTP'
	option src_port '25'
	list proto 'tcp'
	list proto 'udp'
	list src_ip '192.168.2.2'
	option enabled '0'

config redirect
	option dest 'wan'
	option target 'DNAT'
	option name 'smtp-1'
	option src_dport '25'
	list proto 'tcp'
	list proto 'udp'
	option dest_ip '192.168.2.2'
	option src 'lan'
	option enabled '0'

config rule
	option name 'WAN | SMTP'
	list proto 'tcp'
	option src 'wan'
	option src_port '25'
	option dest 'lan'
	option dest_port '25'
	option target 'ACCEPT'
	list dest_ip '192.168.2.2'
	option enabled '0'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config forwarding
	option src 'lan'
	option dest 'WGZONE'

config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdeb:b96f:82d2::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'
	list dns '100.64.0.7'

config device
	option name 'wan'
	option macaddr 'SECRET'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option type 'bridge'
	option peerdns '0'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'

config interface 'WGINTERFACE'
	option proto 'wireguard'
	option private_key 'SECRET'
	list addresses 'SECRET'
	option peerdns '0'
	list dns '100.64.0.7'
	option force_link '1'

config wireguard_WGINTERFACE

config wireguard_WGINTERFACE

config wireguard_WGINTERFACE

config wireguard_WGINTERFACE

config wireguard_WGINTERFACE

config wireguard_WGINTERFACE
	option public_key 'SECRET'
	option endpoint_host 'SECRET'
	option endpoint_port '51820'
	option description 'SECRET'
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/0'

config device
	option name 'WGINTERFACE'

config/pbr:

config pbr 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	option resolver_set 'none'
	option enabled '1'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'
	option enabled '0'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
	option enabled '0'

config policy
	option name 'WireGuard Server'
	option interface 'wan'
	option src_port '51820'
	option chain 'output'
	option proto 'udp'
	option enabled '0'

config policy
	option name 'smtp-1'
	option interface 'wan'
	option src_port '25'
	option src_addr '192.168.2.2'

config policy
	option interface 'wan'
	option name 'smtp-1'
	option chain 'forward'
	option dest_port '25'
	option src_addr '192.168.2.2'

config policy
	option name 'smtp-1'
	option interface 'wan'
	option chain 'output'
	option src_addr '192.168.2.2'
	option src_port '25'
	option proto 'tcp udp'

config policy
	option name 'smtp-1'
	option dest_port '25'
	option chain 'input'
	option interface 'wan'
	option src_addr '192.168.2.2'
	option proto 'tcp udp'
	option enabled '0'

config pbr 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	option resolver_set 'none'
	option enabled '1'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'
	option enabled '0'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
	option enabled '0'

config policy
	option name 'WireGuard Server'
	option interface 'wan'
	option src_port '51820'
	option chain 'output'
	option proto 'udp'
	option enabled '0'

config policy
	option name 'smtp-1'
	option interface 'wan'
	option src_port '25'
	option src_addr '192.168.2.2'

config policy
	option interface 'wan'
	option name 'smtp-1'
	option chain 'forward'
	option dest_port '25'
	option src_addr '192.168.2.2'

config policy
	option name 'smtp-1'
	option interface 'wan'
	option chain 'output'
	option src_addr '192.168.2.2'
	option src_port '25'
	option proto 'tcp udp'

config policy
	option name 'smtp-1'
	option dest_port '25'
	option chain 'input'
	option interface 'wan'
	option src_addr '192.168.2.2'
	option proto 'tcp udp'
	option enabled '0'

ip rule show:

0:	from all lookup local
30000:	from all fwmark 0x10000/0xff0000 lookup pbr_wan
30001:	from all fwmark 0x20000/0xff0000 lookup pbr_WGINTERFACE
32766:	from all lookup main
32767:	from all lookup default

I hope someone can help me out to fix this really annoying issue :slight_smile:

Please let me know if someone needs additional config information, I hope I have included everything that is relevant :slight_smile:

LG,
Networker


A few things to consider.

  1. WGINTERFACE is in lan zone, but it is used in WGZONE as well, so you should remove it from lan.
  2. Redirect rule smtp-1 is correct, however it doesn't use UDP. Delete the other disabled rules.
  3. Remove the stale entries config wireguard_WGINTERFACE in network.
  4. Run a tcpdump on the wan interface to verify the ingress traffic on port 25, check the firewall counters to verify that the forwarding is applied, then run tcpdump on the lan interface for dst port 25. Check where it is broken.

Hi trendy,

first thank you for your fast reply :slight_smile:
I have addressed points 1 to 3 (this does not fix the bug).

Then I installed tcpdump and triggered a mail server test via mxtoolbox. Here is the resulting log section, unfortunately I do not know how to interpret this @trendy ?

tcpdump -i wan:

18:42:47.911326 IP keeper-us-east-1d.mxtoolbox.com.14553 > 192.168.1.2.25: Flags [SEW], seq 4174352920, win 64240, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
18:42:47.911785 IP 192.168.1.2.37853 > [VPN Endpoint Host IP].51820: UDP, length 112
18:42:47.912050 IP 192.168.1.2.25 > keeper-us-east-1d.mxtoolbox.com.14553: Flags [S.], seq 2272095758, ack 4174352921, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
18:42:47.945118 IP [VPN Endpoint Host IP].51820 > 192.168.1.2.37853: UDP, length 160
18:42:48.036023 IP keeper-us-east-1d.mxtoolbox.com.14553 > 192.168.1.2.25: Flags [.], ack 1, win 1028, length 0
18:42:48.113139 ARP, Request who-has keeper-us-east-1d.mxtoolbox.com tell 192.168.1.2, length 28

tcpdump -i br-lan (ha-1.local == 192.168.2.2 == mail server port 25):

18:52:28.607171 IP keeper-us-east-1d.mxtoolbox.com.3638 > ha-1.local.25: Flags [SEW], seq 1764218737, win 64240, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
18:52:33.873913 IP 192.168.1.2 > ha-1.local: ICMP host mailout06.t-online.de unreachable, length 97
18:52:33.873940 IP 192.168.1.2 > ha-1.local: ICMP host mailout06.t-online.de unreachable, length 97
18:52:33.873959 IP 192.168.1.2 > ha-1.local: ICMP host mailout06.t-online.de unreachable, length 97
18:52:33.873977 IP 192.168.1.2 > ha-1.local: ICMP host mailout06.t-online.de unreachable, length 97

@trendy can you now interpret from these logs what is going wrong? I mean, the requests from mxtoolbox arrive at my WAN but are then getting rejected, or the route backwards from LAN -> WAN is blocked and routed falsely through the WireGuard VPN interface back to the internet?

I really really appreciate your help @trendy :slight_smile:

As a test you might try:
ip rule add from 192.168.2.2 sport 25 table pbr_wan

Hi @egc thank you also for your help :slight_smile:
I just executed the following cmds:

ip rule add from 192.168.2.2 sport 25 table pbr_wan
ip rule add to 192.168.2.2 dport 25 table pbr_wan
ip route flush cache

After cmd execution: ip rule list:

0:	from all lookup local
29998:	from all to 192.168.2.2 dport 25 lookup pbr_wan
29999:	from 192.168.2.2 sport 25 lookup pbr_wan
30000:	from all fwmark 0x10000/0xff0000 lookup pbr_wan
30001:	from all fwmark 0x20000/0xff0000 lookup pbr_WGINTERFACE
32766:	from all lookup main
32767:	from all lookup default

It still does not work :frowning:
How can this be?
Is any other rule force overwriting this?

All works fine on OpenWrt, the mail server is refusing connections.
192.168.1.2 > ha-1.local: ICMP host mailout06.t-online.de unreachable

Are you sure with this?
Yes I see that the connection is getting to the mail server but it seems that something is still wrong with the networking:

mail server logs mxtoolbox test:
(Why does it say "lost connection after CONNECT from keeper-us-east-1d.mxtoolbox.com" after the connect?)

2023-08-07 18:18:33.567401662  mail.info: Aug  7 18:18:33 postfix/smtpd[1366]: connect from keeper-us-east-1d.mxtoolbox.com[18.209.86.113]
2023-08-07 18:18:48.563725060  mail.info: Aug  7 18:18:48 postfix/smtpd[1366]: lost connection after CONNECT from keeper-us-east-1d.mxtoolbox.com[18.209.86.113]
2023-08-07 18:18:48.564621569  mail.info: Aug  7 18:18:48 postfix/smtpd[1366]: disconnect from keeper-us-east-1d.mxtoolbox.com[18.209.86.113] commands=0/0

MxToolbox says:

Timeout waiting for response after 15 seconds. : Completed Connect

So how can this be? I have not changed anything on my mail server it stopped working the moment I added the WireGuard VPN Interface via the Mullvad tutorial I posted in my first post..

If you use ip rules, add the mask as well, as it is now trying to ARP the mxtoolbox server.
Or use the PBR rules to route to the wan.

What do you mean by "up rules"? With mask do you mean the subnet mask 255.255.255.0?

The strange thing is I already have the pbr service up and running with this config but it does still not work:

What am I doing wrong? :frowning:

Slight typo.

I mean /32 which is the mask for a host.

Yes, because the rules you added manually have precedence over the PBR rules. And the PBR rules need only the prerouting chain.

Hello, I'm also a MullvadVPN user, and as long as they (Mullvad) supported port forwarding, all was fine. I used it to connect to my WireGuard server, coming in via iPhone or Mac WireGuard via port forward, it worked great! I could surf over my uplink WireGuard MullvadVPN link on my router, and access all my resources, smb etc. NOW, and that's the bad NEWS, it's not working anymore, because some people did criminal things, and Mullvad had to remove port forwarding, forced by Swedish authorities (police). Please read the Mullvad blog if you want to know more about it and the why. I'm also sad that they did it... as I can't get into my network anymore from outside...

-> https://mullvad.net/en/blog/2023/5/29/removing-the-support-for-forwarded-ports/

@trendy I have added the mask to the rules and reapplied them, but that also has no effect. I think the problem is the backwards route from LAN to WAN. I mean, otherwise I wouldn't be able to see the connection attempts of mxtoolbox in the logs of my mail server (so WAN -> LAN does work).

Could it be that the WireGuard interface traps all outgoing traffic with the allowed ips setting with 0.0.0.0/0?

If I disable the pbr service I get no connection from mxtoolbox at all (no logs), but if I enable it with the port 25 prerouting rule to WAN the mxtoolbox logs appear, but always with connection lost.. I think it has to be the backwards route from LAN -> WAN which traps everything to the WireGuard interface?

WAN has gateway 192.168.1.1 (my uplink router) but the WireGuard interface has 0.0.0.0? I do not know how to change this could this be the reason for the outgoing traffic trap?

Please guys I really appreciate your support but I think I need a little more please @egc :slight_smile:

Hi @MooMan thank you also for your reply. I have heard this and feel also upset about it :confused:

That is the reason why I need an exception for my Mullvad WireGuard VPN interface for my mail server, because Mullvad blocks port 25 now..


Yes, really, it's always the same on this planet, 95% of people are OK and don't do criminal things, and because of 5% violators (idiots), we 95% must pay the price for their acts... so angry... sorry, wish you can find another way to solve it. I am already thinking of renting a Linux machine, Linode for example, putting a WireGuard server on it and entering my home WireGuard server over the IP the rented Linux machine would have. Then I can still access the internet again over my Mullvad WireGuard connection, ...and surf and access my files, entering over the rented Linux machine... but maybe there is another, more clever, cheaper solution; if you have any idea, I would be thankful if you would let me know. Thanks and take care

With VPN on, please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

@trendy I see that you are using a canned response, however, in this case, because we are dealing with a failed case of port forwarding, it is critical to know which IP addresses are private and which are public. Therefore, I suggest changing the canned response, so that it doesn't lead to the situation "I changed 100.100.123.123 to X.X.X.X because it is a public IP" if the user doesn't know about RFC7793. Yes I know that the supplied tcpdump sorta nullifies this concern.

@networker When censoring IPv4 addresses, please leave the first two octets intact, so that we can verify that what you are censoring is indeed a public IP.

I don't see port forwarding fail, in fact the tcp handshake is accomplished, but afterwards there is an arp request for the mxtoolbox server, when this should not be the case.


Yes, correct, I mean the template in general.

Regarding the unwanted ARP request, we need to check the netmask on all interfaces, and all routes for missing gateways, i.e., things like 1.2.3.4 dev eth0 instead of 1.2.3.4 via 10.0.0.1 dev eth0.


Right, I guess that if we are not sure about an address redacted, we could ask for clarification.


First of all thank you so much for your great support. You are saving my day @trendy @patrakov @egc @MooMan :slight_smile:

Here are the new requested configs with better anonymization of the IPs:

ubus call system board:

{
	"kernel": "5.10.146",
	"hostname": "router-1",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT3200ACM",
	"board_name": "linksys,wrt3200acm",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.2",
		"revision": "r19803-9a599fee93",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 22.03.2 r19803-9a599fee93"
	}
}

uci export network:

package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdeb:b96f:82d2::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'
	list dns '100.64.0.7'

config device
	option name 'wan'
	option macaddr 'SECRET'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option type 'bridge'
	option peerdns '0'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'

config interface 'WGINTERFACE'
	option proto 'wireguard'
	option private_key 'SECRET'
	list addresses '10.[EXT_Mullvad_IP]/32'
	option peerdns '0'
	list dns '100.64.0.7'
	option force_link '1'

config wireguard_WGINTERFACE
	option public_key 'SECRET'
	option endpoint_host '185.[EXT_Mullvad_IP]'
	option endpoint_port '51820'
	option description '[Server_Name_Mullvad]'
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/0'

config device
	option name 'WGINTERFACE'

uci export dhcp:

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option domain 'local'
	option local '/local/'
	list server '100.64.0.7'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option force '1'
	option dynamicdhcp '0'
	option leasetime '2m'
	list dhcp_option '6,100.64.0.7'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option dns '1'
	option name 'mac-2'
	option mac 'SECRET'
	option ip '192.168.2.6'

config host
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.3'
	option name 'synology-1'

config host
	option name 'router-2'
	option dns '1'
	option ip '192.168.2.182'
	option mac 'SECRET'

config host
	option name 'air-purifier-1'
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.174'

config host
	option dns '1'
	option mac 'SECRET'
	option name 'phone-1'
	option ip '192.168.2.5'

config host
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.155'
	option name 'outlet-1'

config host
	option name 'outlet-2'
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.170'

config host
	option name 'outlet-3'
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.156'

config host
	option name 'outlet-4'
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.176'

config host
	option name 'outlet-5'
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.184'

config host
	option name 'outlet-6'
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.237'

config host
	option name 'outlet-7'
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.165'

config host
	option name 'outlet-8'
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.123'

config host
	option name 'outlet-9'
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.206'

config host
	option name 'router-3'
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.102'

config host
	option name 'outlet-10'
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.185'

config host
	option name 'outlet-11'
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.207'

config host
	option name 'outlet-12'
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.204'

config host
	option name 'outlet-13'
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.167'

config host
	option name 'tv-1'
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.10'

config host
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.117'
	option name 'work-1-wlan'

config host
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.153'
	option name 'cam-1'

config host
	option name 'chris-phone-1'
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.209'

config host
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.2'
	option name 'ha-1'

config host
	option name 'jessie-ipad-1'
	option dns '1'
	option ip '192.168.2.215'
	option mac 'SECRET'

config host
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.201'
	option name 'light-system-1'

config host
	option name 'mac-1'
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.4'

config host
	option name 'chris-mac-1'
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.159'

config host
	option name 'axel-phone-1'
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.190'

config host
	option dns '1'
	option ip '192.168.2.211'
	option mac 'SECRET'
	option name 'jessie-iphone-1'

config host
	option name 'printer-1'
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.11'

config host
	option name 'work-1-lan'
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.171'

config host
	option name 'scale-1'
	option dns '1'
	option mac 'SECRET'
	option ip '192.168.2.116'

config domain
	option name 'SECRET.ddnss.de'
	option ip '192.168.2.2'

config domain
	option name 'router-1.SECRET.com'
	option ip '192.168.2.2'

config domain
	option name 'proxy-manager.SECRET.com'
	option ip '192.168.2.2'

config domain
	option name 'uplink-1.SECRET.com'
	option ip '192.168.1.1'

config domain
	option name 'mail.SECRET.com'
	option ip '192.168.2.2'

config domain
	option ip '192.168.2.2'
	option name 'bitwarden.SECRET.com'

config domain
	option ip '192.168.2.3'
	option name 'synology-1.SECRET.com'

config domain
	option ip '192.168.2.2'
	option name 'vpn-1.SECRET.ddnss.de'

config domain
	option name 'mac-1.SECRET.com'
	option ip '192.168.2.4'

config domain
	option name 'google.SECRET.com'
	option ip '192.168.2.2'

config domain
	option name 'printer-1.SECRET.com'
	option ip '192.168.2.10'

config domain
	option name 'SECRET.com'
	option ip '192.168.2.2'

config domain
	option name 'joplin.SECRET.com'
	option ip '192.168.2.2'

config domain
	option name 'ha-1.SECRET.com'
	option ip '192.168.2.2'

config domain
	option name 'bitwarden.SECRET.com'
	option ip '192.168.2.2'

config domain
	option name 'status.SECRET.com'
	option ip '192.168.2.2'

config domain
	option name 'paperless.SECRET.com'
	option ip '192.168.2.2'

config domain
	option name 'guacamole.SECRET.com'
	option ip '192.168.2.2'

uci export firewall:

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'
	option forward 'DROP'
	option drop_invalid '1'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	option input 'DROP'
	option forward 'DROP'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'vpn-1'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest_port '51820'
	option dest_ip '192.168.2.2'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'http'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.2.2'
	option dest_port '80'
	list proto 'tcp'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'https'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.2.2'
	option dest_port '443'

config zone
	option name 'WGZONE'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	option forward 'DROP'
	list network 'WGINTERFACE'

config rule
	option src 'lan'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	option name 'WAN | Uplink-1'
	list dest_ip '192.168.1.1'
	list dest_ip '0.0.0.0/0'
	list src_ip '192.168.2.2'
	list src_ip '192.168.2.4'
	list src_ip '192.168.2.5'
	list src_ip '192.168.2.6'
	list src_ip '192.168.2.10'

config redirect
	option target 'DNAT'
	option name 'smtp-1'
	option src 'wan'
	option dest_ip '192.168.2.2'
	option src_dport '25'
	option dest_port '25'
	option dest 'lan'
	list proto 'tcp'

config rule
	option src 'lan'
	option dest 'wan'
	option target 'ACCEPT'
	option name 'WAN | SMTP'
	option src_port '25'
	list proto 'tcp'
	list proto 'udp'
	list src_ip '192.168.2.2'
	option enabled '0'

config rule
	option name 'WAN | SMTP'
	list proto 'tcp'
	option src 'wan'
	option src_port '25'
	option dest 'lan'
	option dest_port '25'
	option target 'ACCEPT'
	list dest_ip '192.168.2.2'
	option enabled '0'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config forwarding
	option src 'lan'
	option dest 'WGZONE'

ip -4 addr ; ip -4 ro li tab all ; ip -4 ru:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.2/24 brd 192.168.1.255 scope global wan
       valid_lft forever preferred_lft forever
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
15: WGINTERFACE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.[Mullvad VPN IP]/32 brd 255.255.255.255 scope global WGINTERFACE
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev wan table pbr_wan 
192.168.2.0/24 dev br-lan table pbr_wan proto kernel scope link src 192.168.2.1 
default via 10.[Mullvad VPN IP] dev WGINTERFACE table pbr_WGINTERFACE 
192.168.2.0/24 dev br-lan table pbr_WGINTERFACE proto kernel scope link src 192.168.2.1 
default dev WGINTERFACE proto static scope link 
185.[Mullvad VPN IP] via 192.168.1.1 dev wan proto static 
192.168.1.0/24 dev wan proto kernel scope link src 192.168.1.2 
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1 
local 10.[Mullvad VPN IP] dev WGINTERFACE table local proto kernel scope host src 10.[Mullvad VPN IP] 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev wan table local proto kernel scope link src 192.168.1.2 
local 192.168.1.2 dev wan table local proto kernel scope host src 192.168.1.2 
broadcast 192.168.1.255 dev wan table local proto kernel scope link src 192.168.1.2 
broadcast 192.168.2.0 dev br-lan table local proto kernel scope link src 192.168.2.1 
local 192.168.2.1 dev br-lan table local proto kernel scope host src 192.168.2.1 
broadcast 192.168.2.255 dev br-lan table local proto kernel scope link src 192.168.2.1 
0:	from all lookup local
30000:	from all fwmark 0x10000/0xff0000 lookup pbr_wan
30001:	from all fwmark 0x20000/0xff0000 lookup pbr_WGINTERFACE
32766:	from all lookup main
32767:	from all lookup default

I hope that is all that's needed to debug this issue further :slight_smile:
