I have one Turris 1.x in the DMZ, with a fixed DHCP IP from the LTE router (which is also used as the DMZ).
It’s behind CGNAT.
For the WireGuard config loaded in LuCI (so there is a WG interface, with the peer, and the FW rules for it), the connection is never established; that is my problem.
(The same config works on a different Turris Omnia machine (different ISP, not LTE).)
I don't know how to debug this properly. The port is 443, just in case the WireGuard default is blocked.
Shortened ubus / uci output from the machine:
ubus call system board
    "model": "Turris 1.x"
    "version": "7.1.4"
uci export dhcp
config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option filterwin2k '0'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
    option nonwildcard '1'
    option localservice '1'
    option ednspacket_max '1232'
    option port '0'

config dhcp 'lan'
    option interface 'lan'
    option dhcpv4 'server'
    option leasetime '86400'
    option ignore '0'
    option ra 'server'
    option dhcpv6 'server'
    option start '150'
    option limit '50'
    list dhcp_option '6,192.168.X.Y'   -- differs from the router providing the DMZ

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'
    list dhcp_option '6,CGNAT (from 100.64.0.0 to 100.127.255.255)'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'
uci export firewall
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option synflood_protect '1'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option mtu_fix '1'
    list network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option sentinel_dynfw '1'
    option sentinel_fwlogs '1'
    option sentinel_minipot '1'
    list network 'wan'

config forwarding
    option src 'lan'
    option dest 'wan'

# some defaults omitted - shortening the list

config include
    option path '/etc/firewall.user'

config rule 'turris_wan_6in4_rule'
    option enabled '0'

config rule 'turris_wan_6to4_rule'
    option enabled '0'

config include 'bcp38'
    option type 'script'
    option path '/usr/lib/bcp38/run.sh'

config zone
    option name 'WG0'
    option input 'REJECT'
    option forward 'REJECT'
    option masq '1'
    option output 'ACCEPT'
    option mtu_fix '1'
    list network 'WG0'

config forwarding
    option dest 'WG0'
    option src 'lan'
uci export network
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'some_prefix/48'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
    list ports 'lan4'
    list ports 'lan5'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ip6ifaceid 'eui64'
    option gateway '192.168.1.1'
    list dns '192.168.1.1'
    option _turris_mode 'managed'
    option delegate '0'
    list ipaddr '192.168.X.Y/24'   -- differs from the router providing the DMZ

config interface 'wan'
    option device 'eth2'
    option ipaddr 'CGNAT (from 100.64.0.0 to 100.127.255.255)'
    option netmask '255.255.255.248'   -- why like this?
    option gateway 'CGNAT (from 100.64.0.0 to 100.127.255.255)'
    option proto 'dhcp'
    option hostname 'T1'
    option ipv6 '0'

config device 'dev_wan'
    option name 'eth2'

config interface 'WG0'
    option proto 'wireguard'
    list addresses 'some_IP/32'
    option auto '0'
    option private_key 'some_key'
    option mtu '1412'

config wireguard_WG0
    option public_key 'some_key'
    option description 'Imported peer configuration'
    list allowed_ips '0.0.0.0/0'
    option endpoint_host 'some_IP'
    option endpoint_port '443'
    option route_allowed_ips '1'
    option persistent_keepalive '25'
If the WG interface is started, it ends up with RX: 0 and TX slowly adding packets as WG attempts to make the handshake. Latest handshake is always "never" on the WG LuCI status page.
What is unclear to me is:
- I can see in LuCI: Network > Interfaces that the WAN IP is the one set in the LTE router for the Turris, as a DHCP static reservation, but in uci network it's the CGNAT address for WAN.
- the LAN is without a netmask option (is list ipaddr the source of the /24?) and the WAN has it as 255.255.255.248, so 6 usable. I don't know why that is.
I also tried to use the Passthrough option, which should be similar to the Bridge concept.
But that causes the DHCP to poll the IP address really often (every minute), and somehow it did not work that well, it seems to me.
So I have stuck with the DMZ so far, for a year or so at least.
Everything works normally for the connected LAN devices (phones, PCs...), except for this WireGuard from the router itself.
So possibly I have some misconfiguration here(?), but I'm unable to spot it and resolve it.
–
The LTE router here is a quite old B2338-168.
All the FW-like options in the LTE router are off (no MAC, URL, IP or DPI filters, no DDoS protection); instead I enabled the Sentinel FW, as this should be better, if needed at all, with this connectivity.
–
Thanks to anyone who read till the end.
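A way to debug this on the router itself, added here as an example; it is not from the original post and not Turris OS / OpenWrt code. It assumes the interface is named WG0 as in the uci dump, an IPv4 endpoint, and busybox sh/awk as found on the router. The `wg show dump`, `ip route get` and conntrack lines it parses offline are constructed samples with a placeholder endpoint 203.0.113.10:443, not output from the poster's machine. The order of the checks follows the dump above: the peer has allowed_ips 0.0.0.0/0 with route_allowed_ips 1, and lan carries a static gateway next to the DHCP gateway on wan, so the first question is which way the handshake packets are actually routed; the conntrack check then separates "never left the router" from "left, but nothing came back", which is the port 443 / CGNAT question.

```shell
#!/bin/sh
# Added example, not from the forum post: a diagnostic for an OpenWrt / Turris OS
# WireGuard interface that shows "Latest handshake: never".
# Assumptions: interface name WG0 (override with WG_IFACE), IPv4 endpoint, and
# busybox sh/awk as on the router. The parsers read from stdin, so they can be
# fed the constructed samples below offline, or live command output.

WG_IFACE="${WG_IFACE:-WG0}"

# Classify the peer from `wg show WG0 dump`. Line 1 is the interface; each
# following tab-separated line is a peer:
#   pubkey psk endpoint allowed-ips latest-handshake rx-bytes tx-bytes keepalive
# Prints: handshake-ok | no-handshake-tx-only | no-handshake-no-tx | no-peer
wg_peer_state() {
    awk -F'\t' 'NR > 1 && NF >= 8 { n++; hs = $5; rx = $6; tx = $7 }
        END {
            if (n == 0)                 print "no-peer"
            else if (hs > 0)            print "handshake-ok"
            else if (tx > 0 && rx == 0) print "no-handshake-tx-only"
            else                        print "no-handshake-no-tx"
        }'
}

# Where do the handshake packets go? Feed `ip route get <endpoint>`. With
# allowed_ips 0.0.0.0/0 and route_allowed_ips 1 the default route points into
# the tunnel, so without a host route the endpoint itself can be routed into
# WG0 and the handshake never reaches the WAN.
# Prints: via-tunnel | via-<dev> | no-route
endpoint_route_state() {
    awk -v wg="$WG_IFACE" '
        /^[0-9]/ { for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1) }
        END {
            if (dev == "")      print "no-route"
            else if (dev == wg) print "via-tunnel"
            else                print "via-" dev
        }'
}

# Did anything leave, and did anything come back? Feed /proc/net/nf_conntrack
# (or `conntrack -L`, which uses the same tokens). Looks for the UDP flow to
# endpoint:port in the original direction.
# Prints: no-flow | unreplied | replied
endpoint_flow_state() {
    awk -v ep="$1" -v port="$2" '
        index($0, "udp") && index($0, "dst=" ep " ") && $0 ~ ("dport=" port "( |$)") {
            found = 1
            if ($0 ~ /\[UNREPLIED\]/) unreplied = 1; else replied = 1
        }
        END {
            if (!found)       print "no-flow"
            else if (replied) print "replied"
            else              print "unreplied"
        }'
}

# Turn the three observations into the next thing to check.
wg_hint() {
    case "$1/$2/$3" in
        handshake-ok/*) echo "tunnel is up; look at forwarding/masq in the WG0 zone instead" ;;
        */via-tunnel/*) echo "endpoint is routed into the tunnel itself; add a host route for it via the WAN gateway (ip route add <ep>/32 via <wan-gw> dev eth2)" ;;
        */no-route/*)   echo "no route to the endpoint: WAN has no usable default route" ;;
        */*/no-flow)    echo "handshake packets never leave: check the interface is up and the endpoint address" ;;
        */*/unreplied)  echo "packets leave but nothing returns: tcpdump -ni eth2 udp port <port>, then check the server side and the LTE/CGNAT path" ;;
        */*/replied)    echo "replies arrive but no handshake: check the key pair and peer public key, then the wan input chain in nft list ruleset" ;;
        *)              echo "unknown state" ;;
    esac
}

# --- constructed samples (placeholder endpoint, not the poster's router) -------
SAMPLE_WG_DUMP=$(printf 'PRIVKEY\tPUBKEY\t51820\toff\n'
    printf 'PEERPUB\t(none)\t203.0.113.10:443\t0.0.0.0/0\t0\t0\t2960\t25\n')
SAMPLE_ROUTE_LOOP='203.0.113.10 dev WG0 src 10.8.0.2 uid 0'
SAMPLE_ROUTE_OK='203.0.113.10 via 100.64.0.1 dev eth2 src 100.64.0.2 uid 0'
SAMPLE_ROUTE_NONE='RTNETLINK answers: Network is unreachable'
SAMPLE_CT_UNREPLIED='ipv4 2 udp 17 27 src=100.64.0.2 dst=203.0.113.10 sport=51820 dport=443 [UNREPLIED] src=203.0.113.10 dst=100.64.0.2 sport=443 dport=51820 mark=0 use=2'
SAMPLE_CT_REPLIED='ipv4 2 udp 17 179 src=100.64.0.2 dst=203.0.113.10 sport=51820 dport=443 src=203.0.113.10 dst=100.64.0.2 sport=443 dport=51820 [ASSURED] mark=0 use=2'

# Offline run over the samples: the symptoms from the post (TX grows, RX 0,
# handshake never) in the case where the packets leave the WAN but nothing returns.
demo() {
    p=$(printf '%s\n' "$SAMPLE_WG_DUMP" | wg_peer_state)
    r=$(printf '%s\n' "$SAMPLE_ROUTE_OK" | endpoint_route_state)
    f=$(printf '%s\n' "$SAMPLE_CT_UNREPLIED" | endpoint_flow_state 203.0.113.10 443)
    echo "peer=$p route=$r flow=$f"
    echo "hint: $(wg_hint "$p" "$r" "$f")"
}

# Live run on the router:  sh wg_diag.sh live <endpoint_ip> <endpoint_port>
wg_diagnose() {
    p=$(wg show "$WG_IFACE" dump | wg_peer_state)
    r=$(ip route get "$1" 2>&1 | endpoint_route_state)
    f=$(cat /proc/net/nf_conntrack 2>/dev/null | endpoint_flow_state "$1" "$2")
    echo "peer=$p route=$r flow=$f"
    echo "hint: $(wg_hint "$p" "$r" "$f")"
}

if [ "${1:-}" = "live" ]; then wg_diagnose "$2" "$3"; else demo; fi
```

Run it as `sh wg_diag.sh live <endpoint_ip> 443` on the Turris while WG0 is up; with no arguments it only replays the constructed samples. Reading /proc/net/nf_conntrack assumes the conntrack procfs is enabled in the kernel; if it is not, `conntrack -L` gives the same tokens. If the result is unreplied, `tcpdump -ni eth2 udp port 443` on the WAN side confirms the packets leave and shows whether anything ever comes back, which is the point where the LTE router or the CGNAT path becomes the suspect rather than the Turris config.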