WireGuard site-to-site: ping from the routers doesn't work — again

Hello,

I have two sets of Fritzbox 7530 (as ISP router) ---- Fritzbox 4020 with OpenWrt. I set up WireGuard site-to-site between them. I had a problem getting them to ping each other, and posted a question in May:

To summarize, site-to-site WireGuard itself was working in general: I can ping fb4020_2 when I'm connected to fb4020_1 from my laptop, and vice versa; I could also access devices in the other network. However, when I ssh into one of the routers, I could not ping the other one.

At that time, somehow it worked in the end, for no obvious reason. But recently I discovered that ping in one direction had stopped working after about a week; it hasn't been working for a few months already, and I overlooked it. Now I can ping from fb4020_1 to fb4020_2, but not the other way around.

Moreover, I discovered that when the public IP changes, the site-to-site WireGuard tunnel stops working. After I restarted the interface, it started working again. The "normal" WireGuard (from my laptop to each router) keeps working without any intervention.

As suggested by @trendy in the old posting, I am going to post the output of

ubus call system board; \
uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

I would appreciate it if @trendy or someone else could please give me advice...

Output of the fb4020_1:

root@OpenWrt-mh:~# ubus call system board; \
> uci export network; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
	"kernel": "5.4.188",
	"hostname": "OpenWrt-mh",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "AVM FRITZ!Box 4020",
	"board_name": "avm,fritz4020",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.3",
		"revision": "r16554-1d4dea6d4f",
		"target": "ath79/generic",
		"description": "OpenWrt 21.02.3 r16554-1d4dea6d4f"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdcf:d10b:b9ce::/48'

config device
	option name 'eth1'
	option macaddr '44:4E:6D:0Bxxxx'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option metric '10'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config device
	option name 'eth0.1'
	option macaddr '44:4E:6D:xxxx'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-16'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 1 3'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option device 'br-11'

config device
	option type 'bridge'
	option name 'br-11'
	list ports 'eth0.11'
	option macaddr '44:4E:6D:xxxx'
	option ipv6 '0'

config device
	option name 'eth0.11'
	option type '8021q'
	option ifname 'eth0'
	option vid '11'
	option macaddr '44:4E:6D:xxxx'

config interface 'Students'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option device 'br-15'

config device
	option type 'bridge'
	option name 'br-15'
	list ports 'eth0.15'
	option ipv6 '0'
	option macaddr '44:4E:6D:0xxxx'

config device
	option name 'eth0.15'
	option type '8021q'
	option ifname 'eth0'
	option vid '15'
	option macaddr '44:4E:6Dxxxx'

config interface 'wanb'
	option proto 'dhcp'
	option metric '20'
	option device 'eth1.7'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '7'
	option ports '0t 2'

config device
	option name 'eth0.7'
	option type '8021q'
	option ifname 'eth0'
	option vid '7'
	option macaddr '44:4E:xxxx'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-16'
	list ports 'eth0.16'
	option mtu '1500'
	option macaddr '44:4E:6D:0xxxx'

config device
	option name 'eth0.16'
	option type '8021q'
	option ifname 'eth0'
	option vid '16'
	option macaddr '44:4E:xxxx6'

config interface 'vpn'
	option proto 'wireguard'
	option private_key 'xxxx'
	option listen_port '51821'
	list addresses '192.168.9.3/24'
	list addresses 'fdf1:e8a1:8d3f:9::3/64'

config wireguard_vpn
	option public_key 'xxxx'
	list allowed_ips '192.168.9.2/32'
	list allowed_ips 'fdf1:e8a1:8d3f:9::2/64'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '7'
	option name 'eth1.7'
	option macaddr '44:4E:6Dxxxx'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 4t'
	option vid '11'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t 4t'
	option vid '15'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option ports '0t 4t'
	option vid '16'

config switch_vlan
	option device 'switch0'
	option vlan '6'
	option ports '0t 4t'
	option vid '12'

config interface 'wg_s2s_a'
	option proto 'wireguard'
	option private_key 'Oxxxx='
	option listen_port '51822'

config wireguard_wg_s2s_a 's2s_vpn_site_b'
	option public_key 'Qxxxx='
	option preshared_key 'NxxxQ='
	option description 'Annahaus, xxxxxxs.casacam.net'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option endpoint_host 'xxxxcam.net'
	option endpoint_port '51822'
	list allowed_ips 'fd7b:8e0b:fa87::/48'
	list allowed_ips '192.168.10.0/24'
	list allowed_ips '191.168.178.0/24'

config interface 'vlan12test'
	option proto 'static'
	option device 'eth0.12'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn'
	list network 'wg_s2s_a'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wanb'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'IPv6 any zone drop'
	option family 'ipv6'
	list proto 'all'
	option src '*'
	option dest '*'
	option target 'DROP'

config rule
	option name 'IPv6 device drop'
	option family 'ipv6'
	list proto 'all'
	option src '*'
	option target 'DROP'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'
	list network 'vlan12test'

config zone
	option name 'students'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Students'

config rule
	option name 'guest DNS DHCP'
	option family 'ipv4'
	option src 'guest'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'students DNS DHCP'
	option family 'ipv4'
	option src 'students'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'guest forward block'
	option src 'guest'
	option target 'DROP'
	option enabled '0'
	list proto 'all'
	option dest 'wan'
	list dest_ip '192.168.10.1/24'
	list dest_ip '192.168.178.1/24'

config rule
	option name 'students forward block'
	option src 'students'
	option dest '*'
	option target 'DROP'
	option enabled '0'
	list proto 'all'
	list dest_ip '192.168.10.1/24'
	list dest_ip '192.168.178.1/24'

config rule
	option name 'Allow-wireguard'
	list proto 'udp'
	option src 'wan'
	option target 'ACCEPT'
	option dest_port '51821 51822'
	option family 'ipv4'

config rule
	option name 'my laptop device input'
	list proto 'all'
	option src '*'
	list src_mac '20:C9:D0:CA:7B:77'
	option target 'ACCEPT'

config rule
	option name 'my laptop foward'
	list proto 'all'
	option src '*'
	list src_mac '20:C9xxxxx7'
	option dest '*'
	list dest_ip '192.168.0.0/16'
	option target 'ACCEPT'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'students'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'guest'

config forwarding
	option src 'lan'
	option dest 'students'

config include 'opennds'
	option type 'script'
	option path '/usr/lib/opennds/restart.sh'

config rule 'wg_s2s_51822'
	option name 'Allow-WireGuard-51822'
	option src 'wan'
	option dest_port '51822'
	option proto 'udp'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'My galaxy fritzbox177'
	option family 'ipv4'
	option src '*'
	list src_mac '34:2D:xxxx6'
	option target 'ACCEPT'
	option dest '*'
	list dest_ip '192.168.177.1'
	list dest_ip '192.168.1.32'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.177.2/24 brd 192.168.177.255 scope global eth1
       valid_lft forever preferred_lft forever
6: br-11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-11
       valid_lft forever preferred_lft forever
8: br-15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.3.1/24 brd 192.168.3.255 scope global br-15
       valid_lft forever preferred_lft forever
10: br-16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-16
       valid_lft forever preferred_lft forever
13: vpn: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 192.168.9.3/24 brd 192.168.9.255 scope global vpn
       valid_lft forever preferred_lft forever
15: eth0.12@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.4.1/24 brd 192.168.4.255 scope global eth0.12
       valid_lft forever preferred_lft forever
default via 192.168.177.1 dev eth1 proto static src 192.168.177.2 metric 10 
79.254.114.34 via 192.168.177.1 dev eth1 proto static metric 10 
84.135.99.208 via 192.168.177.1 dev eth1 proto static metric 10 
84.135.106.133 via 192.168.177.1 dev eth1 proto static metric 10 
191.168.178.0/24 dev wg_s2s_a proto static scope link 
192.168.1.0/24 dev br-16 proto kernel scope link src 192.168.1.1 
192.168.2.0/24 dev br-11 proto kernel scope link src 192.168.2.1 
192.168.3.0/24 dev br-15 proto kernel scope link src 192.168.3.1 
192.168.4.0/24 dev eth0.12 proto kernel scope link src 192.168.4.1 
192.168.9.0/24 dev vpn proto kernel scope link src 192.168.9.3 
192.168.10.0/24 dev wg_s2s_a proto static scope link 
192.168.177.0/24 dev eth1 proto static scope link metric 10 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev br-16 table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-16 table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-16 table local proto kernel scope link src 192.168.1.1 
broadcast 192.168.2.0 dev br-11 table local proto kernel scope link src 192.168.2.1 
local 192.168.2.1 dev br-11 table local proto kernel scope host src 192.168.2.1 
broadcast 192.168.2.255 dev br-11 table local proto kernel scope link src 192.168.2.1 
broadcast 192.168.3.0 dev br-15 table local proto kernel scope link src 192.168.3.1 
local 192.168.3.1 dev br-15 table local proto kernel scope host src 192.168.3.1 
broadcast 192.168.3.255 dev br-15 table local proto kernel scope link src 192.168.3.1 
broadcast 192.168.4.0 dev eth0.12 table local proto kernel scope link src 192.168.4.1 
local 192.168.4.1 dev eth0.12 table local proto kernel scope host src 192.168.4.1 
broadcast 192.168.4.255 dev eth0.12 table local proto kernel scope link src 192.168.4.1 
broadcast 192.168.9.0 dev vpn table local proto kernel scope link src 192.168.9.3 
local 192.168.9.3 dev vpn table local proto kernel scope host src 192.168.9.3 
broadcast 192.168.9.255 dev vpn table local proto kernel scope link src 192.168.9.3 
broadcast 192.168.177.0 dev eth1 table local proto kernel scope link src 192.168.177.2 
local 192.168.177.2 dev eth1 table local proto kernel scope host src 192.168.177.2 
broadcast 192.168.177.255 dev eth1 table local proto kernel scope link src 192.168.177.2 
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default

Output of fb4020_2

root@OpenWrt2:~# ubus call system board; \
> uci export network; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
	"kernel": "5.4.188",
	"hostname": "OpenWrt2",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "AVM FRITZ!Box 4020",
	"board_name": "avm,fritz4020",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.3",
		"revision": "r16554-1d4dea6d4f",
		"target": "ath79/generic",
		"description": "OpenWrt 21.02.3 r16554-1d4dea6d4f"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7b:8e0b:fa87::/48'

config device
	option name 'eth1'
	option macaddr '44:4E:6Dxx'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	list dns '208.67.222.123'
	list dns '208.67.220.123'
	option metric '10'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'eth0.1'

config device
	option name 'eth0.1'
	option macaddr '44:4E:6D:xx'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option type 'bridge'
	option device 'br-16'
	option ipaddr '192.168.10.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t'

config interface 'guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option type 'bridge'
	option device 'br-11'
	list dns '208.67.222.222'
	list dns '208.67.220.220'
	option ipaddr '192.168.12.1'

config interface 'resident'
	option proto 'static'
	option netmask '255.255.255.0'
	option type 'bridge'
	option device 'br-15'
	list dns '208.67.222.222'
	list dns '208.67.222.220'
	option ipaddr '192.168.13.1'

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'eth0.11'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-16'
	list ports 'eth0.16'
	option macaddr '44:4E:6D:0xx'

config switch_vlan
	option device 'switch0'
	option vlan '6'
	option vid '16'
	option ports '0t 1 3 4t'

config device
	option type 'bridge'
	option name 'br-11'
	list ports 'eth0.11'
	option ipv6 '0'
	option macaddr '44:4E:6xx'

config switch_vlan
	option device 'switch0'
	option vlan '7'
	option vid '11'
	option ports '0t 4t'

config device
	option type 'bridge'
	option name 'br-15'
	list ports 'eth0.15'
	option macaddr '44:4E:6xx'

config switch_vlan
	option device 'switch0'
	option vlan '8'
	option vid '15'
	option ports '0t 4t'

config interface 'vlan12'
	option proto 'static'
	option netmask '255.255.255.0'
	option type 'bridge'
	option device 'br-12'
	list dns '208.67.222.222'
	list dns '208.67.222.220'
	option ipaddr '192.168.14.1'

config device
	option type 'bridge'
	option name 'br-12'
	list ports 'eth0.12'
	option macaddr '44:4E:6xx'

config switch_vlan
	option device 'switch0'
	option vlan '9'
	option vid '12'
	option ports '0t 4t'

config interface 'WANb'
	option proto 'dhcp'
	option metric '20'
	option device 'eth1.17'

config switch_vlan
	option device 'switch0'
	option vlan '10'
	option vid '7'
	option ports '0t'

config interface 'vpn'
	option proto 'wireguard'
	option listen_port '51820'
	option private_key 'Mxx='
	list addresses '192.168.8.1/24'
	list addresses 'fdf1:e8a1:8d3f:8::1/64'

config wireguard_vpn 'wgclient'
	option public_key 'Wxx0='
	option persistent_keepalive '25'
	option description 'Mac'
	list allowed_ips '192.168.8.2/32'
	list allowed_ips 'fdf1:e8a1:8d3f:8::2/128'

config device
	option name 'eth0.7'
	option type '8021q'
	option ifname 'eth0'
	option vid '7'
	option macaddr '44:4E:xx9'

config device
	option name 'eth0.11'
	option type '8021q'
	option ifname 'eth0'
	option vid '11'
	option macaddr '44:4E:xx'

config device
	option name 'eth0.12'
	option type '8021q'
	option ifname 'eth0'
	option vid '12'
	option macaddr '44:4E:6Dxxx'

config device
	option name 'eth0.15'
	option type '8021q'
	option ifname 'eth0'
	option vid '15'
	option macaddr '44:4E:6Dxx'

config device
	option name 'eth0.16'
	option type '8021q'
	option ifname 'eth0'
	option vid '16'
	option macaddr '44:4E:xx'

config switch_vlan
	option device 'switch0'
	option vlan '11'
	option vid '17'
	option ports '0t 2'

config device
	option name 'eth1.17'
	option macaddr '44:4E:6Dxx'

config interface 'wg_s2s_b'
	option proto 'wireguard'
	option private_key 'xx='
	option listen_port '51822'

config wireguard_wg_s2s_b 's2s_vpn_site_a'
	option public_key 'Uxx='
	option preshared_key 'Nxx='
	option description 'Marienhaus, xxsacam.net'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option endpoint_host 'mxxcam.net'
	option endpoint_port '51822'
	list allowed_ips '192.168.1.0/24'
	list allowed_ips 'fdcf:d10b:b9ce::/48'
	list allowed_ips '192.168.177.0/24'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vlan12'
	list network 'vpn'
	list network 'wg_s2s_b'

config zone 'wan'
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option input 'REJECT'
	option masq '1'
	list network 'wan'
	list network 'wan6'
	list network 'WANb'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'IPv6 device block'
	option family 'ipv6'
	option src '*'
	option target 'DROP'
	list proto 'all'

config rule
	option name 'IPv6 forward drop'
	option family 'ipv6'
	list proto 'all'
	option src '*'
	option dest '*'
	option target 'DROP'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config zone
	option name 'resident'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'resident'

config rule
	option name 'guest DNS DHCP'
	option src 'guest'
	option dest_port '53 67 68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'resident DHCP DNS'
	option src 'resident'
	option dest_port '53 67 68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'guest forward block'
	option src 'guest'
	option target 'DROP'
	list proto 'all'
	option dest 'wan'
	list dest_ip '192.168.178.0/24'
	list dest_ip '192.168.1.1/24'

config rule
	option src 'resident'
	option name 'resident forward block'
	option target 'DROP'
	option dest '*'
	list proto 'all'
	list dest_ip '192.168.178.0/24'
	list dest_ip '192.168.1.0/24'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option target 'ACCEPT'
	option family 'ipv4'
	option dest_port '51820 51822'

config rule
	option dest 'lan'
	option target 'ACCEPT'
	list dest_ip '192.168.10.30'
	option src 'wan'
	option family 'ipv4'
	option name 'raspi-omada from wan'
	list proto 'tcp'
	list proto 'icmp'
	option dest_port '22 8043'
	option enabled '0'

config rule
	option name 'my laptop device input'
	list proto 'all'
	option src '*'
	list src_mac '20:C9xx'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'my laptop forward'
	option src '*'
	option dest '*'
	option target 'ACCEPT'
	list src_mac '20:C9:xx'
	list proto 'all'
	list dest_ip '192.168.178.0/24'
	list dest_ip '192.168.10.0/24'
	list dest_ip '192.168.12.0/24'
	list dest_ip '192.168.13.0/24'
	list dest_ip '192.168.1.1/24'
	option enabled '0'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'resident'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'guest'

config forwarding
	option src 'lan'
	option dest 'resident'

config include 'opennds'
	option type 'script'
	option path '/usr/lib/opennds/restart.sh'

config rule
	option name 'My galaxy fritzbox'
	option src '*'
	option dest 'wan'
	list dest_ip '192.168.178.1'
	option target 'ACCEPT'
	list src_mac '34:2D:0D:xx'
	option family 'ipv4'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.178.2/24 brd 192.168.178.255 scope global eth1
       valid_lft forever preferred_lft forever
1184: br-11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.12.1/24 brd 192.168.12.255 scope global br-11
       valid_lft forever preferred_lft forever
1186: br-12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.14.1/24 brd 192.168.14.255 scope global br-12
       valid_lft forever preferred_lft forever
1188: br-15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.13.1/24 brd 192.168.13.255 scope global br-15
       valid_lft forever preferred_lft forever
1190: br-16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.10.1/24 brd 192.168.10.255 scope global br-16
       valid_lft forever preferred_lft forever
1194: vpn: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 192.168.8.1/24 brd 192.168.8.255 scope global vpn
       valid_lft forever preferred_lft forever
default via 192.168.178.1 dev eth1 proto static src 192.168.178.2 metric 10 
79.254.115.201 via 192.168.178.1 dev eth1 proto static metric 10 
192.168.1.0/24 dev wg_s2s_b proto static scope link 
192.168.8.0/24 dev vpn proto kernel scope link src 192.168.8.1 
192.168.10.0/24 dev br-16 proto kernel scope link src 192.168.10.1 
192.168.12.0/24 dev br-11 proto kernel scope link src 192.168.12.1 
192.168.13.0/24 dev br-15 proto kernel scope link src 192.168.13.1 
192.168.14.0/24 dev br-12 proto kernel scope link src 192.168.14.1 
192.168.177.0/24 dev wg_s2s_b proto static scope link 
192.168.178.0/24 dev eth1 proto static scope link metric 10 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.8.0 dev vpn table local proto kernel scope link src 192.168.8.1 
local 192.168.8.1 dev vpn table local proto kernel scope host src 192.168.8.1 
broadcast 192.168.8.255 dev vpn table local proto kernel scope link src 192.168.8.1 
broadcast 192.168.10.0 dev br-16 table local proto kernel scope link src 192.168.10.1 
local 192.168.10.1 dev br-16 table local proto kernel scope host src 192.168.10.1 
broadcast 192.168.10.255 dev br-16 table local proto kernel scope link src 192.168.10.1 
broadcast 192.168.12.0 dev br-11 table local proto kernel scope link src 192.168.12.1 
local 192.168.12.1 dev br-11 table local proto kernel scope host src 192.168.12.1 
broadcast 192.168.12.255 dev br-11 table local proto kernel scope link src 192.168.12.1 
broadcast 192.168.13.0 dev br-15 table local proto kernel scope link src 192.168.13.1 
local 192.168.13.1 dev br-15 table local proto kernel scope host src 192.168.13.1 
broadcast 192.168.13.255 dev br-15 table local proto kernel scope link src 192.168.13.1 
broadcast 192.168.14.0 dev br-12 table local proto kernel scope link src 192.168.14.1 
local 192.168.14.1 dev br-12 table local proto kernel scope host src 192.168.14.1 
broadcast 192.168.14.255 dev br-12 table local proto kernel scope link src 192.168.14.1 
broadcast 192.168.178.0 dev eth1 table local proto kernel scope link src 192.168.178.2 
local 192.168.178.2 dev eth1 table local proto kernel scope host src 192.168.178.2 
broadcast 192.168.178.255 dev eth1 table local proto kernel scope link src 192.168.178.2 
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default
root@OpenWrt2:~# 

Don't you use wireguard_watchdog for that?

@trendy

thanks a lot for your hint! No, I didn't know about the watchdog. I just set it up.
I used the watchdog file without modifying its content — was that right?

If you mean that you ran the commands mentioned in the wiki without changing anything, then yes that's right.

OK! Thanks!

And hopefully someone could tell me why pinging from fb4020_2 to fb4020_1 is not working.... It was working for a week or so, as far as I could tell. (I have a ping monitor for fb4020_1 set up on fb4020_2, and it saves a record of 10 pings in case 4 pings don't go through. That file was dated about a week after I verified that pinging each other was working.) I don't think I changed anything that could cause this... Besides, I don't understand how it can happen that I can ping from my laptop connected to fb4020_2, but not from inside fb4020_2. As it is, I won't be getting any SMS alert in case the cable between fb4020_1 and the FB7530 is accidentally removed (it did happen once!)

Check the IP header of the ping packet with tcpdump. I suspect the source IP doesn't belong to the allowed IPs.

Indeed!!! I didn't know that the source IP address is not always automatically the IP of the device I'm using. I ran tcpdump host 192.168.1.1 on fb4020_2 (192.168.10.1), and got

13:56:33.866136 IP 192.168.178.2 > 192.168.1.1: ICMP echo request, id 1386, seq 0, length 64

192.168.178.2 is the WAN-side IP address of fb4020_2, i.e. its address in the fb7530's network.

So I went to fb4020_1 to check whether 192.168.178.2 belongs to the allowed IPs, and discovered that I had entered the subnet as 191.168.178.0/24 instead of 192!!!! I corrected it and restarted the interface, and now ping 192.168.1.1 is working!!

I don't understand at all, though, why the ping packet got its source address from the WAN side, when the packet originates inside fb4020_2.

Somehow, tcpdump on fb4020_1 is not working at all; that's another issue....

Thanks a lot for your advice !!

