0 votes
277 views 39 comments
by
Hi

I can get openVPN connected fine and internet traffic through.

I can get WIREGUARD connected fine but no internet traffic through.

I have read for most of the day and have ensured that the WAN is allowed through the Wireguard ALLOWED forward to destination and source zones. (This is the only thing in there?)

I can ping the LAN IP for the wireguard connection and can reach them. I cannot ping google.com or 8.8.8.8

I cannot use internet browsers or stream.

This all points to firewall issues but I cannot get my head around about what the problem is.
by
Okay I can now ping web addresses and external ip but still no access from browser, streaming etc
by
Anyone help? Is there a known issue with the latest firmware? I note from another post there is with RMS vpn.
by

REMOVED AND PUT IN CORRECT PLACE FOR CONTINUING CONVERSATION

by

------------

4 Answers

0 votes
by

Add ::/0 to the allowed IP addresses list as a separate entry.

Best answer
0 votes
by
Hello,

In Network->Firewall->General Settings/Zone Forwardings, have you set both lan->wireguard and wireguard->lan to Accept/Accept/Accept?

Regards,
by

I think so

Others include

by
Ok. Could you ping 8.8.8.8 and check the wireguard interface RX and TX counters with ifconfig?

In the wireguard parameters, what is the content of the 'Allowed IP' field?
by

root@Teltonika-RUTX09:~# ifconfig NORDWG
NORDWG    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.5.0.2  P-t-P:10.5.0.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:1790 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1997 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:467964 (456.9 KiB)  TX bytes:412664 (402.9 KiB)

root@Teltonika-RUTX09:~# ifconfig NORDWG
NORDWG    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.5.0.2  P-t-P:10.5.0.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:1818 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2034 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:472476 (461.4 KiB)  TX bytes:417560 (407.7 KiB)

root@Teltonika-RUTX09:~# ifconfig NORDWG
NORDWG    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.5.0.2  P-t-P:10.5.0.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:1850 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2081 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:482796 (471.4 KiB)  TX bytes:424136 (414.1 KiB)

root@Teltonika-RUTX09:~# ifconfig NORDWG
NORDWG    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.5.0.2  P-t-P:10.5.0.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:1871 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2119 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:485628 (474.2 KiB)  TX bytes:431540 (421.4 KiB)

root@Teltonika-RUTX09:~# ifconfig NORDWG
NORDWG    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.5.0.2  P-t-P:10.5.0.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:1987 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2248 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:516428 (504.3 KiB)  TX bytes:457860 (447.1 KiB)

Allowed IPs - 0.0.0.0/0

NB: Ping was from a device on the network not from the router. 

by
The counters increase in both directions. Strange. Could you show the output of the "wg" command at the same time? And replace 0.0.0.0/0 by 0.0.0.0/1,128.0.0.0/1?

Also of interest: ifconfig br-lan, ifconfig wwan0, to see the MTU of the interfaces.
by

interface: NORDWG
  public key: REDACTED
  private key: (hidden)
  listening port: 51820

peer: REDACTED
  endpoint: 178.239.162.207:51820
  allowed ips: 0.0.0.0/1, 128.0.0.0/1
  latest handshake: 25 seconds ago
  transfer: 80.87 KiB received, 94.04 KiB sent
  persistent keepalive: every 25 seconds

root@Teltonika-RUTX09:~# wg
interface: NORDWG
  public key: REDACTED
  private key: (hidden)
  listening port: 51820

peer: REDACTED
  endpoint: 178.239.162.207:51820
  allowed ips: 0.0.0.0/1, 128.0.0.0/1
  latest handshake: 29 seconds ago
  transfer: 103.75 KiB received, 118.06 KiB sent
  persistent keepalive: every 25 seconds

root@Teltonika-RUTX09:~# wg
interface: NORDWG
  public key: REDACTED
  private key: (hidden)
  listening port: 51820

peer: REDACTED
  endpoint: 178.239.162.207:51820
  allowed ips: 0.0.0.0/1, 128.0.0.0/1
  latest handshake: 1 minute, 12 seconds ago
  transfer: 221.84 KiB received, 224.30 KiB sent
  persistent keepalive: every 25 seconds

root@Teltonika-RUTX09:~# wg
interface: NORDWG
  public key: REDACTED
  private key: (hidden)
  listening port: 51820

peer: REDACTED
  endpoint: 178.239.162.207:51820
  allowed ips: 0.0.0.0/1, 128.0.0.0/1
  latest handshake: 1 minute, 15 seconds ago
  transfer: 277.36 KiB received, 249.20 KiB sent
  persistent keepalive: every 25 seconds

root@Teltonika-RUTX09:~# wg
interface: NORDWG
  public key: REDACTED
  private key: (hidden)
  listening port: 51820

peer: REDACTED
  endpoint: 178.239.162.207:51820
  allowed ips: 0.0.0.0/1, 128.0.0.0/1
  latest handshake: 1 minute, 17 seconds ago
  transfer: 282.79 KiB received, 254.73 KiB sent
  persistent keepalive: every 25 seconds

root@Teltonika-RUTX09:~# wg
interface: NORDWG
  public key: REDACTED
  private key: (hidden)
  listening port: 51820

peer: REDACTED
  endpoint: 178.239.162.207:51820
  allowed ips: 0.0.0.0/1, 128.0.0.0/1
  latest handshake: 1 minute, 18 seconds ago
  transfer: 287.07 KiB received, 256.18 KiB sent
  persistent keepalive: every 25 seconds

root@Teltonika-RUTX09:~# wg
interface: NORDWG
  public key: REDACTED
  private key: (hidden)
  listening port: 51820

peer: REDACTED
  endpoint: 178.239.162.207:51820
  allowed ips: 0.0.0.0/1, 128.0.0.0/1
  latest handshake: 1 minute, 19 seconds ago
  transfer: 288.51 KiB received, 257.37 KiB sent
  persistent keepalive: every 25 seconds

root@Teltonika-RUTX09:~# wg

by

root@Teltonika-RUTX09:~# ifconfig br-lan
br-lan    Link encap:Ethernet  HWaddr 00:1E:42:27:CD:05
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fd1d:4fcd:c3e9::1/60 Scope:Global
          inet6 addr: fe80::21e:42ff:fe27:cd05/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:26285884 errors:0 dropped:326 overruns:0 frame:0
          TX packets:71194326 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2096557283 (1.9 GiB)  TX bytes:93634601609 (87.2 GiB)

root@Teltonika-RUTX09:~# ifconfig wwan0
wwan0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:100.91.126.178  P-t-P:100.91.126.178  Mask:255.255.255.255
          inet6 addr: fe80::b278:89d9:9dc:bfa9/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1460  Metric:1
          RX packets:70583067 errors:12657 dropped:0 overruns:0 frame:8839
          TX packets:25357216 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:96372094371 (89.7 GiB)  TX bytes:3298633708 (3.0 GiB)

root@Teltonika-RUTX09:~#

by
The MTU of the wg interface is too high, set it to 1460 - 80 = 1380 not 1420 and try again.
by

root@Teltonika-RUTX09:~# ifconfig br-lan
br-lan    Link encap:Ethernet  HWaddr 00:1E:42:27:CD:05
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fd1d:4fcd:c3e9::1/60 Scope:Global
          inet6 addr: fe80::21e:42ff:fe27:cd05/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:26451674 errors:0 dropped:333 overruns:0 frame:0
          TX packets:71786693 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2110202768 (1.9 GiB)  TX bytes:94380515868 (87.8 GiB)

root@Teltonika-RUTX09:~# ifconfig NORDWG
NORDWG    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.5.0.2  P-t-P:10.5.0.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1380  Metric:1
          RX packets:1812 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2145 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:411020 (401.3 KiB)  TX bytes:442020 (431.6 KiB)

root@Teltonika-RUTX09:~# ifconfig wwan0
wwan0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:100.91.126.178  P-t-P:100.91.126.178  Mask:255.255.255.255
          inet6 addr: fe80::b278:89d9:9dc:bfa9/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1460  Metric:1
          RX packets:71170949 errors:24660 dropped:0 overruns:0 frame:17163
          TX packets:25509279 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:97113864966 (90.4 GiB)  TX bytes:3311663606 (3.0 GiB)

Still not working. 

by

------------

0 votes
by
I had to lower the wireguard mtu to 1380 to get ssh traffic over it. The mobile connection presented mtu as 1460 and wireguard needs 40 (60 for ipv6) overhead. What also worked was increasing the mobile mtu to 1500 but I'm not sure if the mobile provider would accept that. So to be on the safe side lower wg.
by

NSLOOKUP for HTTPs://

root@Teltonika-RUTX09:~# nslookup https://www.yahoo.com
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find https://www.yahoo.com: NXDOMAIN
** server can't find https://www.yahoo.com: NXDOMAIN

by
Thanks for the extensive help.

Without all this ruling out I would have never got to the solution.
by

> So to me - correct me if I misunderstand- the routing tables were not putting the WG before the ISP when active?

I don't think so. When pinging 8.8.8.8 from the laptop, tcpdump can see the requests/replies on the wg interface but not on the wwan0 one. So the routes were already correct, or at least workable, for IPv4.

For nslookup: just nslookup www.yahoo.com, not nslookup https://www.yahoo.com

Try https://bbc.co.uk from a browser. It may fail because name resolution returns IPv6 addresses first; you need to add ::/0 to the allowed IP addresses list.

by

So https://bbc.co.uk loads the webpage but I have added ::/0 to the third line of allowed ips.

But when I run nslookup it looks like the IPv6 addresses are still appearing.

Non-authoritative answer:
Name:    yahoo.com
Addresses:  2001:4998:24:120d::1:0
          2001:4998:44:3507::8001
          2001:4998:124:1507::f000
          2001:4998:24:120d::1:1
          2001:4998:44:3507::8000
          2001:4998:124:1507::f001
          74.6.231.20
          74.6.231.21
          98.137.11.163
          98.137.11.164
          74.6.143.25
          74.6.143.26

by
Yes, route metrics have nothing to do here. bbc.co.uk is accessed via its first IPv6 address which wasn't sent through the tunnel before adding ::/0 to the allowed IPs list.

The same would apply for https://www.yahoo.com

ping 8.8.8.8 being an IPv4 address isn't affected by the ::/0 rule.

Please fix your first answer because it will lead other users into error.
0 votes
by

Think I sorted it.

So a few troubleshooting items later with the Metric.

Setting my WG metric to 10 BUT LEAVING the MOB metric blank (or with the greyed out 300) has sorted this.

So to me - correct me if I misunderstand- the routing tables were not putting the WG before the ISP when active?

by
This is not a route issue but a missing IPv6 ::/0 address in the Allowed IPs list.
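The two checks this thread ends up running by hand, whether the peer's Allowed IPs cover the addresses a name resolves to (the missing ::/0) and whether the WireGuard MTU leaves room under the wwan0 MTU (1460 - 80 = 1380), as an added Python example that is not part of the thread or the router's firmware. The `wg`/`ifconfig` samples are constructed to match the shape of the pasted output; the endpoint is a documentation address, not the real peer.

```python
import ipaddress
import re

# Constructed samples shaped like the `wg` and `ifconfig wwan0` output in the thread.
WG_OUTPUT = """\
interface: NORDWG
  public key: REDACTED
  listening port: 51820
peer: REDACTED
  endpoint: 203.0.113.10:51820
  allowed ips: 0.0.0.0/1, 128.0.0.0/1
  latest handshake: 25 seconds ago
"""
IFCONFIG_WWAN0 = "wwan0  Link encap:UNSPEC\n  UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1460  Metric:1\n"
# First AAAA and first A answer from the thread's nslookup of yahoo.com.
RESOLVED = ["2001:4998:24:120d::1:0", "74.6.231.20"]

# Outer IP + UDP + WireGuard headers; 80 is the IPv6-safe budget the thread applies.
WG_OVERHEAD = 80


def parse_allowed_ips(wg_text):
    """Collect the Allowed IPs networks of every peer in `wg` output."""
    nets = []
    for m in re.finditer(r"^\s*allowed ips:\s*(.+)$", wg_text, re.M):
        nets += [ipaddress.ip_network(n.strip()) for n in m.group(1).split(",")]
    return nets


def parse_mtu(ifconfig_text):
    """Read the MTU:<n> field from one interface's ifconfig output."""
    m = re.search(r"MTU:(\d+)", ifconfig_text)
    return int(m.group(1)) if m else None


def uncovered(addresses, allowed):
    """Destinations no Allowed IPs entry sends into the tunnel. An address
    family check is implicit: a v6 address is never inside a v4 network, so
    a v4-only list leaves every AAAA answer outside the tunnel."""
    return [a for a in addresses
            if not any(ipaddress.ip_address(a) in n for n in allowed)]


def max_wg_mtu(underlay_mtu):
    """Largest tunnel MTU that still fits inside the underlay after encapsulation."""
    return underlay_mtu - WG_OVERHEAD


def mtu_ok(wg_mtu, underlay_mtu):
    return wg_mtu <= max_wg_mtu(underlay_mtu)
```

Run `uncovered(RESOLVED, parse_allowed_ips(WG_OUTPUT))` to see the IPv6 answer fall outside the v4-only list, and `mtu_ok(1420, parse_mtu(IFCONFIG_WWAN0))` to flag the original 1420 against the 1460 underlay.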