When I cold boot an RUT955, UDP/51820 destination packets are not transmitted from the WAN port. This occurs internally (hangs wg_wg0) or from the LAN (client hangs waiting for a response). The WireGuard packets are not in a zone, as only local services on the modem speak to servers on the VPN. LAN clients create their own connection to the VPN.
On the RUT955, it registers the packets from the router and the LAN client in the iptables connection tracker. But the upstream router does not see packets. I have no idea where they are going.
root@Teltonika-RUT955:~# cat /proc/net/nf_conntrack | grep udp
ipv4 2 udp 17 177 src=192.168.5.251 dst=35.189.5.78 sport=51820 dport=51820 packets=561 bytes=91852 src=35.189.5.78 dst=192.168.5.251 sport=51820 dport=51820 packets=10 bytes=1396 [ASSURED] mark=15872 zone=0 use=2
ipv4 2 udp 17 175 src=192.168.1.113 dst=35.189.5.78 sport=48231 dport=51820 packets=340 bytes=59028 src=35.189.5.78 dst=192.168.5.251 sport=51820 dport=48231 packets=1 bytes=120 [ASSURED] mark=15872 zone=0 use=2
If I stop iptables, the packets start flowing and WireGuard connects.
root@Teltonika-RUT955:~# /etc/init.d/firewall stop
root@Teltonika-RUT955:~# wg
interface: wg_wg0
public key: NilYEVNErIPshyYk34z73zizkWuR8sLprbVUNDUDfQE=
private key: (hidden)
listening port: 51820
peer: 0UzrQ+u8Wjr1234S9coMP1j2ilDa3l599CwHYPKH4s=
endpoint: 35.189.5.78:51820
allowed ips: 10.7.0.0/16, 10.11.0.0/16
latest handshake: 1 second ago
transfer: 5.46 KiB received, 80.68 KiB sent
persistent keepalive: every 21 seconds
If I start iptables, everything keeps working.
root@Teltonika-RUT955:~# /etc/init.d/firewall start
root@Teltonika-RUT955:~# wg
interface: wg_wg0
public key: NilYEVNErIPshyYk34z73zizkWuR8sLprbVUNDUDfQE=
private key: (hidden)
listening port: 51820
peer: 0UzrQ+u8Wjr1234S9coMP1j2ilDa3l599CwHYPKH4s=
endpoint: 35.189.5.78:51820
allowed ips: 10.7.0.0/16, 10.11.0.0/16
latest handshake: 1 minute, 12 seconds ago
transfer: 54.24 KiB received, 192.62 KiB sent
persistent keepalive: every 21 seconds
If I reboot, the problem comes back, and a restart fixes it.
root@Teltonika-RUT955:~# /etc/init.d/firewall restart
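Added diagnostic, not part of the original post or of Teltonika's firmware: a small POSIX shell function that parses text in the /proc/net/nf_conntrack format and lists UDP flows to a chosen destination port whose reply direction carries far fewer packets than the original direction. The conntrack entries quoted above show exactly that shape (561 packets out, 10 back; 340 out, 1 back), and a per-flow list of such asymmetries is a convenient thing to compare against a packet capture on the WAN interface when deciding whether the firewall (the first suspect, since stopping it clears the symptom) or something upstream is discarding the packets. The function name `lopsided_udp_flows`, the 10:1 default ratio and the sample lines are all constructed for this example; the sample values are modelled on the output above and are illustrative only.

```shell
#!/bin/sh
# Added example (not from the original post): flag UDP conntrack entries whose
# reply direction is nearly silent compared with the original direction.
# Input is the /proc/net/nf_conntrack text format, read from stdin.

# Constructed sample modelled on the post's output; the DNS line is a control
# that must not be reported because it targets a different port.
SAMPLE_CONNTRACK='ipv4     2 udp      17 177 src=192.168.5.251 dst=35.189.5.78 sport=51820 dport=51820 packets=561 bytes=91852 src=35.189.5.78 dst=192.168.5.251 sport=51820 dport=51820 packets=10 bytes=1396 [ASSURED] mark=15872 zone=0 use=2
ipv4     2 udp      17 175 src=192.168.1.113 dst=35.189.5.78 sport=48231 dport=51820 packets=340 bytes=59028 src=35.189.5.78 dst=192.168.5.251 sport=51820 dport=48231 packets=1 bytes=120 [ASSURED] mark=15872 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.50 dst=8.8.8.8 sport=40000 dport=53 packets=3 bytes=210 src=8.8.8.8 dst=192.168.5.251 sport=53 dport=40000 packets=3 bytes=390 mark=0 zone=0 use=2'

# lopsided_udp_flows DPORT [RATIO]
#   Print "src -> dst:dport orig=N reply=M" for every UDP entry whose original
#   direction targets DPORT and whose reply has zero packets or at least RATIO
#   times fewer packets than the original direction (RATIO defaults to 10).
lopsided_udp_flows() {
  dport="$1"
  ratio="${2:-10}"
  awk -v want_dport="$dport" -v ratio="$ratio" '
    $3 == "udp" {
      # Tokens before the first "packets=" describe the original direction,
      # tokens after it describe the reply direction.
      n = 0; pk1 = 0; pk2 = 0; osrc = ""; odst = ""; odport = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^packets=/) {
          n++
          split($i, kv, "=")
          if (n == 1) pk1 = kv[2]; else pk2 = kv[2]
        } else if (n == 0 && $i ~ /^src=/) {
          split($i, kv, "="); osrc = kv[2]
        } else if (n == 0 && $i ~ /^dst=/) {
          split($i, kv, "="); odst = kv[2]
        } else if (n == 0 && $i ~ /^dport=/) {
          split($i, kv, "="); odport = kv[2]
        }
      }
      if (odport != want_dport) next
      # A reply count of zero means nothing ever came back for this flow.
      if (pk2 == 0 || pk1 / pk2 >= ratio)
        printf "%s -> %s:%s orig=%d reply=%d\n", osrc, odst, odport, pk1, pk2
    }'
}

# Usage on the constructed sample; on the router itself you would feed it
# /proc/net/nf_conntrack instead:  lopsided_udp_flows 51820 < /proc/net/nf_conntrack
printf '%s\n' "$SAMPLE_CONNTRACK" | lopsided_udp_flows 51820
```

Run it before and after `/etc/init.d/firewall stop`: if the flows stop being reported while the firewall is down and reappear after a cold boot, the asymmetry tracks the firewall state rather than the upstream path, which narrows where to look next (zone assignment of wg_wg0 at boot versus the upstream router).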