WireGuard site-to-site with CGNAT and route all traffic of secondary router through main router

My local ISP is using CGNAT so I use a VPS to access my home network (10.0.0.0/24) and route all traffic through the home network when I am connected to the VPN.

Therefore I have the following configuration on my main router:

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '64'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'


config interface 'wg0'
        option proto 'wireguard'
        option private_key 'XXXXXXX'
        option defaultroute '0'
        option peerdns '0'
        list dns '10.0.0.1'
        list addresses '10.6.0.1/32'

config wireguard_wg0
        option description 'VPS'
        option public_key 'XXXXXXX'
        option route_allowed_ips '1'
        option endpoint_host 'my-vps-hostname'
        option endpoint_port '51820'
        option persistent_keepalive '15'
        list allowed_ips '10.6.0.0/24'

The wireguard interface is added to the lan firewall zone for easier configuration.

The configuration of the VPS is the following:

[Interface]
Address = 10.6.0.2/32
PrivateKey = XXXXXXX
ListenPort = 51820

# This is needed to allow SSH access after enabling connection
PostUp = ip rule add from <VPS-PUBLIC-IP> table main
# Allow Wireguard Port
PostUp = ufw allow 51820/udp
# Allow Forward from wireguard
PostUp = ufw route allow in on wg0 out on wg0

PostDown = ip rule del from <VPS-PUBLIC-IP> table main
PostDown = ufw delete allow 51820/udp
PostDown = ufw route delete allow in on wg0 out on wg0

# Main Router
[Peer]
PublicKey = XXXXXXX
AllowedIPs = 0.0.0.0/0

# Smartphone 
[Peer]
PublicKey = XXXXXXX
AllowedIPs = 10.6.0.3/32

Everything is working as expected. But now I would like to add a secondary (travel) router which should meet the following requirements:

a) all clients of the secondary router should be available through the VPN. So I would like to access devices on the secondary router when connected to the VPN with the Smartphone
b) all traffic of connected clients should be routed through the main router at home and devices of the main router should be accessible from clients of the secondary router

Therefore I added the following configuration to connect the secondary router to the WireGuard server:

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'XXXXXXX'
        option auto '0'
        list addresses '10.6.0.4/32'
        option delegate '0'
        list dns '10.6.0.1'

config wireguard_wg0
        option description 'VPS'
        option public_key 'XXXXXXX'
        option endpoint_host 'my-vps-hostname'
        option endpoint_port '51820'
        option persistent_keepalive '15'
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'

On the VPS I added the secondary router as peer and added the network of the clients on the secondary router (172.17.0.0/24) to the allowed ips:

[Peer]
PublicKey = XXXXXXX
AllowedIPs = 10.6.0.4/32, 172.17.0.0/24

Additionally, I added the secondary router's client network to the allowed ips of the main router:

config wireguard_wg0
        option description 'VPS'
        option public_key 'XXXXXXX'
        option route_allowed_ips '1'
        option endpoint_host 'my-vps-hostname'
        option endpoint_port '51820'
        option persistent_keepalive '15'
        list allowed_ips '10.6.0.0/24'
        list allowed_ips '172.17.0.0/24'

With this configuration I am able to access the connected clients from the main network and from within the WireGuard network (a).

But unfortunately, when connected to the secondary router, the internet is not working and I can't access the web interface of the main router or any client connected to the main router.
Ping to the main router is possible; curl to the main router IP works for the main page but not for the redirected one (/cgi-bin/luci/).
Ping of a connected device is not possible.
So the second requirement is apparently not met.

I already tried different approaches, e.g. instead of routing all traffic, routing only the main router's network from the secondary router (allowed ips: 10.6.0.0/24 and 10.0.0.0/24), but the clients on the main router and the main router itself are still not accessible from the secondary router. Also, enabling masquerade on both lan zones didn't change anything.
I have also tried to find the error with the help of tcpdump but couldn't find the problem.

Does anybody have a hint what the problem could be?

Thanks very much!
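The allowed-IPs logic behind the configurations in the post above, as an added example that is not part of the original post: a small Python model of WireGuard's cryptokey routing (longest-prefix match on the destination picks the peer; on receipt the source address must map back to the sending peer), loaded with the allowed IPs quoted in the post. It models only the WireGuard allowed-IPs check, not kernel routing tables or firewall zones; the node names, the local-network table, and the addresses 172.17.0.100, 10.0.0.50 and 8.8.8.8 are constructed for illustration.

```python
import ipaddress

# Allowed-IPs tables as quoted in the post: node -> {peer: [prefixes]}.
TOPOLOGY = {
    "main":   {"vps": ["10.6.0.0/24", "172.17.0.0/24"]},
    "vps":    {"main": ["0.0.0.0/0"],
               "phone": ["10.6.0.3/32"],
               "travel": ["10.6.0.4/32", "172.17.0.0/24"]},
    "travel": {"vps": ["0.0.0.0/0"]},
}

# Main router's peer entry before 172.17.0.0/24 was added to it.
BEFORE = dict(TOPOLOGY, main={"vps": ["10.6.0.0/24"]})

# Networks each node delivers locally (assumption, taken from the post's text).
LOCAL = {
    "main":   ["10.0.0.0/24", "10.6.0.1/32"],
    "vps":    ["10.6.0.2/32"],
    "travel": ["172.17.0.0/24", "10.6.0.4/32"],
}


def lookup(table, addr):
    """Return the peer whose allowed IPs contain addr with the longest prefix."""
    addr = ipaddress.ip_address(addr)
    best_peer, best_len = None, -1
    for peer, prefixes in table.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if addr in net and net.prefixlen > best_len:
                best_peer, best_len = peer, net.prefixlen
    return best_peer


def trace(topology, local, start, src, dst, max_hops=8):
    """Follow one packet through the tunnel mesh.

    Returns (status, node) where status is one of:
      delivered      dst is a local network of node
      leaves-tunnel  no peer matches dst; node hands it to its normal routing
      sent-to        next peer's configuration is not modelled
      dropped        receiving node rejects src for the sending peer
      loop           hop limit reached
    """
    dst_ip = ipaddress.ip_address(dst)
    node = start
    for _ in range(max_hops):
        if any(dst_ip in ipaddress.ip_network(n) for n in local[node]):
            return ("delivered", node)
        peer = lookup(topology[node], dst)        # outbound: pick peer by dst
        if peer is None:
            return ("leaves-tunnel", node)
        if peer not in topology:
            return ("sent-to", peer)
        if lookup(topology[peer], src) != node:   # inbound: src must map to sender
            return ("dropped", peer)
        node = peer
    return ("loop", node)


if __name__ == "__main__":
    flows = [
        ("travel", "172.17.0.100", "8.8.8.8"),    # travel client to internet
        ("main", "8.8.8.8", "172.17.0.100"),      # reply coming back via home WAN
        ("travel", "172.17.0.100", "10.0.0.50"),  # travel client to home device
        ("main", "10.0.0.50", "172.17.0.100"),    # home device replying
    ]
    for label, topo in (("before", BEFORE), ("after", TOPOLOGY)):
        for start, src, dst in flows:
            print(label, start, src, "->", dst, trace(topo, LOCAL, start, src, dst))
```

In this model, the "before" table drops packets from 172.17.0.0/24 at the main router, while the tables as posted pass the allowed-IPs check at every hop in both directions.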

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have
For OpenWrt routers

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
iptables-save -c; nft list ruleset; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

For VPS:

ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; iptables-save -c

Sure, here is the configuration:

OpenWRT main router
{
        "kernel": "5.15.134",
        "hostname": "RT3200",
        "system": "ARMv8 Processor rev 4",
        "model": "Linksys E8450 (UBI)",
        "board_name": "linksys,e8450-ubi",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "mediatek/mt7622",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd3e:3c47:6a6b::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '64'
        option ipaddr '10.0.0.1'
        option netmask '255.255.254.0'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '208.67.222.222'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXX'
        option defaultroute '0'
        option peerdns '0'
        list dns '10.0.0.1'
        list addresses '10.6.0.1/32'

config wireguard_wg0
        option description 'VPS'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXX'
        option route_allowed_ips '1'
        option endpoint_host 'my-vps-hostname'
        option endpoint_port '51820'
        option persistent_keepalive '15'
        list allowed_ips '10.6.0.0/24'
        list allowed_ips '172.17.0.0/24'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'
        list interface 'lan'
        list interface 'wg0'
        option sequential_ip '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '3'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option log '1'
        list network 'lan'
        list network 'wg0'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'


-ash: iptables-save: not found
table inet fw4 {
        chain input {
                type filter hook input priority filter; policy accept;
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
                ct state established,related accept comment "!fw4: Allow inbound established and related flows"
                tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
                iifname { "wg0", "br-lan" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname "wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
                iifname { "wg0", "br-lan" } jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname "wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
                jump handle_reject
        }

        chain output {
                type filter hook output priority filter; policy accept;
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
                ct state established,related accept comment "!fw4: Allow outbound established and related flows"
                oifname { "wg0", "br-lan" } jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname "wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
        }

        chain prerouting {
                type filter hook prerouting priority filter; policy accept;
                iifname { "wg0", "br-lan" } jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
        }

        chain handle_reject {
                meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
                reject comment "!fw4: Reject any other traffic"
        }

        chain syn_flood {
                limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
                drop comment "!fw4: Drop excess packets"
        }

        chain input_lan {
                jump accept_from_lan
        }

        chain output_lan {
                jump accept_to_lan
        }

        chain forward_lan {
                jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
                jump accept_to_lan
                log prefix "reject lan forward: "
        }

        chain helper_lan {
        }

        chain accept_from_lan {
                iifname { "wg0", "br-lan" } counter packets 158 bytes 11213 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain accept_to_lan {
                oifname { "wg0", "br-lan" } counter packets 337 bytes 21749 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain reject_to_lan {
        }

        chain input_wan {
                meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
                icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
                meta nfproto ipv4 meta l4proto igmp counter packets 4 bytes 144 accept comment "!fw4: Allow-IGMP"
                meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
                ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 4 bytes 304 accept comment "!fw4: Allow-MLD"
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 138 bytes 23120 accept comment "!fw4: Allow-ICMPv6-Input"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 13 bytes 928 accept comment "!fw4: Allow-ICMPv6-Input"
                jump reject_from_wan
        }

        chain output_wan {
                jump accept_to_wan
        }

        chain forward_wan {
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
                udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
                jump reject_to_wan
        }

        chain accept_to_wan {
                meta nfproto ipv4 oifname "wan" ct state invalid counter packets 24 bytes 996 drop comment "!fw4: Prevent NAT leakage"
                oifname "wan" counter packets 514 bytes 66212 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
        }

        chain reject_from_wan {
                iifname "wan" counter packets 7 bytes 280 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain reject_to_wan {
                oifname "wan" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain dstnat {
                type nat hook prerouting priority dstnat; policy accept;
        }

        chain srcnat {
                type nat hook postrouting priority srcnat; policy accept;
                oifname "wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
        }

        chain srcnat_wan {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
        }

        chain raw_prerouting {
                type filter hook prerouting priority raw; policy accept;
        }

        chain raw_output {
                type filter hook output priority raw; policy accept;
        }

        chain mangle_prerouting {
                type filter hook prerouting priority mangle; policy accept;
        }

        chain mangle_postrouting {
                type filter hook postrouting priority mangle; policy accept;
        }

        chain mangle_input {
                type filter hook input priority mangle; policy accept;
        }

        chain mangle_output {
                type route hook output priority mangle; policy accept;
        }

        chain mangle_forward {
                type filter hook forward priority mangle; policy accept;
                iifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
                oifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
        }

        chain srcnat_lan {
        }

        chain input_vpn {
        }

        chain output_vpn {
        }

        chain forward_vpn {
        }

        chain helper_vpn {
        }

        chain accept_from_vpn {
        }

        chain accept_to_vpn {
        }

        chain reject_to_vpn {
        }
}
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.0.37/24 brd 192.168.0.255 scope global wan
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.0.0.1/23 brd 10.0.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
19: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 10.6.0.1/32 brd 255.255.255.255 scope global wg0
       valid_lft forever preferred_lft forever
default via 192.168.0.1 dev wan  src 192.168.0.37
10.0.0.0/23 dev br-lan scope link  src 10.0.0.1
10.6.0.0/24 dev wg0 scope link
<VPS-PUBLIC-IP> via 192.168.0.1 dev wan
<VPS-PUBLIC-IP> via 192.168.0.1 dev wan
172.17.0.0/24 dev wg0 scope link
192.168.0.0/24 dev wan scope link  src 192.168.0.37
local 10.0.0.1 dev br-lan table local scope host  src 10.0.0.1
broadcast 10.0.1.255 dev br-lan table local scope link  src 10.0.0.1
local 10.6.0.1 dev wg0 table local scope host  src 10.6.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
local 192.168.0.37 dev wan table local scope host  src 192.168.0.37
broadcast 192.168.0.255 dev wan table local scope link  src 192.168.0.37
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
OpenWRT travel router
{
        "kernel": "5.15.134",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7628AN ver:1 eco:2",
        "model": "GL-MT300N-V2",
        "board_name": "glinet,gl-mt300n-v2",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "ramips/mt76x8",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd42:4c22:3202::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '172.17.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option metric '1024'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

config interface 'trm_wwan'
        option proto 'dhcp'
        option metric '100'

config interface 'trm_wwan6'
        option device '@trm_wwan'
        option proto 'dhcpv6'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXX'
        option auto '0'
        list addresses '10.6.0.4/32'
        option delegate '0'
        list dns '10.6.0.1'

config wireguard_wg0
        option description 'VPS'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXX'
        option endpoint_host 'my-vps-hostname'
        option endpoint_port '51820'
        option persistent_keepalive '15'
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list interface 'lan'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'Security-Cam'
        option ip '172.17.0.2'
        option mac '10:D1:DC:22:9B:8C'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option log '1'
        list network 'lan'
        list network 'wg0'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'trm_wwan'
        list network 'trm_wwan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

-ash: iptables-save: not found
table inet fw4 {
        chain input {
                type filter hook input priority filter; policy accept;
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
                ct state established,related accept comment "!fw4: Allow inbound established and related flows"
                tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
                iifname { "wg0", "br-lan" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname { "eth0.2", "phy0-sta0" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
                iifname { "wg0", "br-lan" } jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname { "eth0.2", "phy0-sta0" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
                jump handle_reject
        }

        chain output {
                type filter hook output priority filter; policy accept;
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
                ct state established,related accept comment "!fw4: Allow outbound established and related flows"
                oifname { "wg0", "br-lan" } jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname { "eth0.2", "phy0-sta0" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
        }

        chain prerouting {
                type filter hook prerouting priority filter; policy accept;
                iifname { "wg0", "br-lan" } jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
        }

        chain handle_reject {
                meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
                reject comment "!fw4: Reject any other traffic"
        }

        chain syn_flood {
                limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
                drop comment "!fw4: Drop excess packets"
        }

        chain input_lan {
                jump accept_from_lan
        }

        chain output_lan {
                jump accept_to_lan
        }

        chain forward_lan {
                jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
                jump accept_to_lan
                log prefix "reject lan forward: "
        }

        chain helper_lan {
        }

        chain accept_from_lan {
                iifname { "wg0", "br-lan" } counter packets 55 bytes 4528 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain accept_to_lan {
                oifname { "wg0", "br-lan" } counter packets 168 bytes 10637 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain input_wan {
                meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
                icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
                meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
                meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
                ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
                jump reject_from_wan
        }

        chain output_wan {
                jump accept_to_wan
        }

        chain forward_wan {
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
                udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
                jump reject_to_wan
        }

        chain accept_to_wan {
                meta nfproto ipv4 oifname { "eth0.2", "phy0-sta0" } ct state invalid counter packets 0 bytes 0 drop comment "!fw4: Prevent NAT leakage"
                oifname { "eth0.2", "phy0-sta0" } counter packets 34 bytes 2623 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
        }

        chain reject_from_wan {
                iifname { "eth0.2", "phy0-sta0" } counter packets 51 bytes 4937 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain reject_to_wan {
                oifname { "eth0.2", "phy0-sta0" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain dstnat {
                type nat hook prerouting priority dstnat; policy accept;
        }

        chain srcnat {
                type nat hook postrouting priority srcnat; policy accept;
                oifname { "eth0.2", "phy0-sta0" } jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
        }

        chain srcnat_wan {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
        }

        chain raw_prerouting {
                type filter hook prerouting priority raw; policy accept;
        }

        chain raw_output {
                type filter hook output priority raw; policy accept;
        }

        chain mangle_prerouting {
                type filter hook prerouting priority mangle; policy accept;
        }

        chain mangle_postrouting {
                type filter hook postrouting priority mangle; policy accept;
        }

        chain mangle_input {
                type filter hook input priority mangle; policy accept;
        }

        chain mangle_output {
                type route hook output priority mangle; policy accept;
        }

        chain mangle_forward {
                type filter hook forward priority mangle; policy accept;
                iifname { "eth0.2", "phy0-sta0" } tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
                oifname { "eth0.2", "phy0-sta0" } tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
        }
}
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 172.17.0.1/24 brd 172.17.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
21: phy0-sta0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.43.118/24 brd 192.168.43.255 scope global phy0-sta0
       valid_lft forever preferred_lft forever
23: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 10.6.0.4/32 brd 255.255.255.255 scope global wg0
       valid_lft forever preferred_lft forever
default dev wg0 scope link
default via 192.168.43.1 dev phy0-sta0  src 192.168.43.118  metric 100
<VPS-PUBLIC-IP> via 192.168.43.1 dev phy0-sta0  metric 100
172.17.0.0/24 dev br-lan scope link  src 172.17.0.1
192.168.43.0/24 dev phy0-sta0 scope link  metric 100
local 10.6.0.4 dev wg0 table local scope host  src 10.6.0.4
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
local 172.17.0.1 dev br-lan table local scope host  src 172.17.0.1
broadcast 172.17.0.255 dev br-lan table local scope link  src 172.17.0.1
local 192.168.43.118 dev phy0-sta0 table local scope host  src 192.168.43.118
broadcast 192.168.43.255 dev phy0-sta0 table local scope link  src 192.168.43.118
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Apparently this is too much text so the VPS config will be in the next post.

This is the VPS config:

VPS
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    altname enp0s6
    inet <VPS-PUBLIC-IP>/32 metric 100 scope global dynamic ens6
       valid_lft 416sec preferred_lft 416sec
14: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.6.0.2/32 scope global wg0
       valid_lft forever preferred_lft forever
default dev wg0 table 51820 scope link
default via <VPS-PUBLIC-GATEWAY> dev ens6 proto dhcp src <VPS-PUBLIC-IP> metric 100
10.6.0.3 dev wg0 scope link
10.6.0.4 dev wg0 scope link
<VPS-PUBLIC-GATEWAY> dev ens6 proto dhcp scope link src <VPS-PUBLIC-IP> metric 100
prohibit 169.254.169.254
172.17.0.0/24 dev wg0 scope link
<PUBLIC-IP-FROM-A-SERVICE-OF-THE-HOST> via <VPS-PUBLIC-GATEWAY> dev ens6 proto dhcp src <VPS-PUBLIC-IP> metric 100
<PUBLIC-IP-FROM-A-SERVICE-OF-THE-HOST> via <VPS-PUBLIC-GATEWAY> dev ens6 proto dhcp src <VPS-PUBLIC-IP> metric 100
local 10.6.0.2 dev wg0 table local proto kernel scope host src 10.6.0.2
local <VPS-PUBLIC-IP> dev ens6 table local proto kernel scope host src <VPS-PUBLIC-IP>
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
0:      from all lookup local
32763:  from <VPS-PUBLIC-IP> lookup main
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default
# Generated by iptables-save v1.8.9 (nf_tables) on Fri Apr 26 06:46:48 2024
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[14935:3791105] -A PREROUTING -p udp -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
[8984:2607604] -A POSTROUTING -p udp -m mark --mark 0xca6c -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
# Completed on Fri Apr 26 06:46:48 2024
# Generated by iptables-save v1.8.9 (nf_tables) on Fri Apr 26 06:46:48 2024
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A PREROUTING -d 10.6.0.2/32 ! -i wg0 -m addrtype ! --src-type LOCAL -m comment --comment "wg-quick(8) rule for wg0" -j DROP
COMMIT
# Completed on Fri Apr 26 06:46:48 2024
# Generated by iptables-save v1.8.9 (nf_tables) on Fri Apr 26 06:46:48 2024
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
[0:0] -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
[508108:163341514] -A INPUT -j ufw-before-logging-input
[508108:163341514] -A INPUT -j ufw-before-input
[708:71124] -A INPUT -j ufw-after-input
[699:70422] -A INPUT -j ufw-after-logging-input
[699:70422] -A INPUT -j ufw-reject-input
[699:70422] -A INPUT -j ufw-track-input
[242175:113243572] -A FORWARD -j ufw-before-logging-forward
[242175:113243572] -A FORWARD -j ufw-before-forward
[1089:70415] -A FORWARD -j ufw-after-forward
[1089:70415] -A FORWARD -j ufw-after-logging-forward
[1089:70415] -A FORWARD -j ufw-reject-forward
[1089:70415] -A FORWARD -j ufw-track-forward
[433024:146146661] -A OUTPUT -j ufw-before-logging-output
[433024:146146661] -A OUTPUT -j ufw-before-output
[6180:1329908] -A OUTPUT -j ufw-after-output
[6180:1329908] -A OUTPUT -j ufw-after-logging-output
[6180:1329908] -A OUTPUT -j ufw-reject-output
[6180:1329908] -A OUTPUT -j ufw-track-output
[0:0] -A f2b-sshd -j RETURN
[0:0] -A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
[0:0] -A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
[0:0] -A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
[0:0] -A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
[0:0] -A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
[0:0] -A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
[0:0] -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
[0:0] -A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
[0:0] -A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
[7912:2107593] -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[9:772] -A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
[67:4044] -A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
[447:36614] -A ufw-before-forward -j ufw-user-forward
[3566:303872] -A ufw-before-input -i lo -j ACCEPT
[16214:4542092] -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[3:573] -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
[3:573] -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
[0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
[5782:218108] -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
[23:2308] -A ufw-before-input -j ufw-not-local
[0:0] -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
[0:0] -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
[23:2308] -A ufw-before-input -j ufw-user-input
[3566:303872] -A ufw-before-output -o lo -j ACCEPT
[17485:3611600] -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[755:105658] -A ufw-before-output -j ufw-user-output
[0:0] -A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
[0:0] -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
[0:0] -A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
[23:2308] -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
[0:0] -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
[0:0] -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
[0:0] -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
[0:0] -A ufw-not-local -j DROP
[0:0] -A ufw-skip-to-policy-forward -j DROP
[0:0] -A ufw-skip-to-policy-input -j DROP
[0:0] -A ufw-skip-to-policy-output -j ACCEPT
[36:4204] -A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
[719:101454] -A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
[3:206] -A ufw-user-forward -i wg0 -o wg0 -j ACCEPT
[0:0] -A ufw-user-input -p tcp -m tcp --dport 1337 -j ACCEPT
[0:0] -A ufw-user-input -p udp -m udp --dport 1337 -j ACCEPT
[0:0] -A ufw-user-input -p udp -m udp --dport 51820 -j ACCEPT
[0:0] -A ufw-user-input -i wg0 -p tcp -m tcp --dport 1338 -j ACCEPT
[0:0] -A ufw-user-input -i wg0 -p udp -m udp --dport 1338 -j ACCEPT
[0:0] -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
[0:0] -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
[0:0] -A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Fri Apr 26 06:46:48 2024
# Generated by iptables-save v1.8.9 (nf_tables) on Fri Apr 26 06:46:48 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

From a first look, they seem correct. So maybe there is a problem elsewhere. Let's try with tcpdump to see where the problem is.

  1. Start a continuous ping from a client connected to the travel router towards 1.0.0.1
  2. Run a tcpdump on the main router: tcpdump -i any -vnn host 1.0.0.1
  3. Repeat the same for the IP of a host in the main router lan.

Actually I already checked on every part with tcpdump and everything was working.
But in the meantime I think I found a possible problem and I think I solved it. I remembered that when ping is working and still no access is possible, MTU could be the reason.

Apparently it is necessary to lower the MTU of the wireguard interface on the travel router AND use MSS clamping (mtu_fix) on the firewall zone with the wireguard interface on the travel router.

Afterwards everything is working as expected.

Can someone explain why this is needed?

Yes, that is a possible reason. It happens because you are encapsulating data inside the wireguard packet. And while the original data had an acceptable size to be transmitted to the next hop, the additional bytes from wireguard make the packet exceed the maximum size. This is evident, as you mentioned, when ping or some other small packet works but something bigger fails. Normally there is some ICMP error message, like "packet too big".

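The arithmetic behind the MTU/MSS fix discussed above, as an added example that is not part of the thread: it computes the largest tunnel MTU and TCP MSS for a given underlay path MTU, and checks whether an nft ruleset clamps MSS for a given interface. The header sizes are WireGuard protocol facts; the 1400-byte path MTU is a constructed value, and the two sample rules mirror the mangle_forward rules in the travel router's dump with their comments stripped.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Largest inner packet that fits in one outer packet:
# path MTU - outer IP header (20 v4 / 40 v6) - UDP (8) - WireGuard data header + auth tag (32)
wg_mtu() {   # $1 = underlay path MTU, $2 = outer IP version (4|6)
    case "$2" in
        4) echo $(( $1 - 20 - 8 - 32 )) ;;
        6) echo $(( $1 - 40 - 8 - 32 )) ;;
        *) return 1 ;;
    esac
}

# TCP MSS that fits inside the tunnel: tunnel MTU - inner IP header - TCP header (20)
tcp_mss() {  # $1 = tunnel MTU, $2 = inner IP version (4|6)
    case "$2" in
        4) echo $(( $1 - 20 - 20 )) ;;
        6) echo $(( $1 - 40 - 20 )) ;;
        *) return 1 ;;
    esac
}

# Reads an nft ruleset on stdin; succeeds if an fw4 MSS-clamping rule names interface $1
clamps_iface() {
    grep 'tcp option maxseg size set rt mtu' | grep -qF "\"$1\""
}

# Sample input: mtu_fix enabled on the wan zone only, as in the posted ruleset
RULES_WAN_ONLY='iifname { "eth0.2", "phy0-sta0" } tcp flags syn tcp option maxseg size set rt mtu
oifname { "eth0.2", "phy0-sta0" } tcp flags syn tcp option maxseg size set rt mtu'

report() {   # $1 = assumed underlay path MTU (IPv4 outer and inner)
    mtu=$(wg_mtu "$1" 4)
    echo "path MTU $1: wg0 mtu <= $mtu, IPv4 TCP MSS <= $(tcp_mss "$mtu" 4)"
}

report 1500
report 1400   # constructed: an underlay smaller than Ethernet
if printf '%s\n' "$RULES_WAN_ONLY" | clamps_iface wg0; then
    echo "wg0 is covered by MSS clamping"
else
    echo "wg0 is NOT covered by MSS clamping (no mtu_fix on its zone)"
fi
```

The default wg0 MTU of 1420 seen in the dumps is the IPv6-outer case on a 1500-byte path; any underlay with a smaller path MTU needs a lower value, and TCP flows forwarded from br-lan to wg0 are only clamped once the zone containing wg0 has mtu_fix set.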

Great, thank you very much for your help and explanation!
I marked my findings as solution.
