Opened 6 months ago

#379 new defect

Cannot access 10.213.11.0/24 via wireguard

Reported by: djt@… Owned by: eliri
Priority: major Milestone:
Component: Network Keywords:
Cc:

Description

Hi, I am trying to reach 10.213.11.162 from home; this is a Meshtastic node connected to the wifi network at the space.

As you can see below, pings from my router (on wireguard) to this device fail, but I can ping the router on the devhack side:

djt@rtr:~$ ping 10.213.11.162 count 5
PING 10.213.11.162 (10.213.11.162) 56(84) bytes of data.

--- 10.213.11.162 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4125ms

djt@rtr:~$ ping 10.213.0.1 count 5
PING 10.213.0.1 (10.213.0.1) 56(84) bytes of data.
64 bytes from 10.213.0.1: icmp_seq=1 ttl=64 time=9.67 ms
64 bytes from 10.213.0.1: icmp_seq=2 ttl=64 time=7.80 ms
64 bytes from 10.213.0.1: icmp_seq=3 ttl=64 time=7.80 ms
64 bytes from 10.213.0.1: icmp_seq=4 ttl=64 time=8.54 ms
64 bytes from 10.213.0.1: icmp_seq=5 ttl=64 time=7.97 ms

--- 10.213.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4008ms
rtt min/avg/max/mdev = 7.799/8.355/9.673/0.712 ms

Here is my wireguard configuration and evidence of a proper route existing for the devhack supernet:

djt@rtr:~$ sudo wg show wg4
interface: wg4
  public key: mXilXq4j3arohJg8jlEsSg5VDkXqK4+hpymgORnZqwI=
  private key: (hidden)
  listening port: 50438

peer: DoNiaT4ImOWmshzE0qBbCHuMKWrOQVBMG0jNOs+CmCg=
  endpoint: 66.170.190.194:51820
  allowed ips: 10.213.0.0/16, 10.200.254.0/24
  latest handshake: 1 minute, 20 seconds ago
  transfer: 52.71 MiB received, 43.13 MiB sent
  persistent keepalive: every 2 minutes

djt@rtr:~$ ip route | grep 10.213
10.213.0.0/16 nhid 54 dev wg4 proto static metric 20

Here is my NAT configuration, masquerading all traffic from my internal private subnet towards devhack subnets out my devhack wireguard tunnel address:

djt@rtr:~$ show configuration commands | grep -E '(Dev-Hack-Tunnel-Networks|nat source rule 60)'
set firewall group network-group Dev-Hack-Tunnel-Networks network '10.200.254.0/24'
set firewall group network-group Dev-Hack-Tunnel-Networks network '10.213.0.0/16'
set nat source rule 60 destination group network-group 'Dev-Hack-Tunnel-Networks'
set nat source rule 60 outbound-interface name 'wg4'
set nat source rule 60 source address '172.31.240.0/24'
set nat source rule 60 translation address 'masquerade'

Below is my firewall configuration, showing that I have a separate zone for devhack, the rules for lan and local traffic to the devhack zone, and a stateful firewall ruleset for return traffic (in the context of the firewall rules, 'return' means accept; there is a default drop added to the end, which is only hit by traffic from devhack to my network that did not originate from a related or established connection):

djt@rtr:~$ show firewall zone-policy zone dev-hack
Zone      Interfaces    From Zone    Firewall IPv4    Firewall IPv6
--------  ------------  -----------  ---------------  ---------------
dev-hack  wg4           lan          lan_dev-hack
                        local        local_dev-hack
djt@rtr:~$ show firewall ipv4 name lan_dev-hack
Ruleset Information

---------------------------------
ipv4 Firewall "name lan_dev-hack"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  ------------
10       return    all                41     2804
default  drop      all                 0        0

djt@rtr:~$ show firewall ipv4 name local_dev-hack
Ruleset Information

---------------------------------
ipv4 Firewall "name local_dev-hack"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  ------------
10       return    all                11      924
default  drop      all                 0        0

djt@rtr:~$ show firewall ipv4 name dev-hack_lan
Ruleset Information

---------------------------------
ipv4 Firewall "name dev-hack_lan"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  ---------------------------------
10       return    all                 0        0  ct state { established, related }
default  drop      all                 0        0

djt@rtr:~$ show firewall ipv4 name dev-hack_local
Ruleset Information

---------------------------------
ipv4 Firewall "name dev-hack_local"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  ---------------------------------
10       return    all                 7      588  ct state { established, related }
default  drop      all                 0        0

Please fix this (and access to other relevant subnets) so that people can mess with projects attached to the wireless network from home or as a road warrior.
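The script below is an added triage helper, not part of the ticket or of the router's own tooling. It takes `wg show`, `ip route` and the NAT rule in the shape shown above (embedded here as constructed samples; the routes other than the wg4 one are made up) and checks the three local conditions a packet to a given address must satisfy on the client router: some peer's allowed-ips must cover the destination (WireGuard's cryptokey routing silently drops anything else), the longest-prefix route must point at the wg interface, and, for a LAN host, the source-NAT rule must match (a ping from the router itself is sourced from the tunnel address and does not go through that rule). When all three hold, as they do for 10.213.11.162 given the output above, the remaining things to check are on the far side of the tunnel: the remote peer's allowed-ips for this client, forwarding from the remote WireGuard host into the target subnet, a return route for the tunnel address on that subnet, and any isolation on the wireless segment. The script lists those as next checks, not as a diagnosis. Function and variable names are my own.

```python
"""Local-side triage for "a host inside a WireGuard peer's allowed-ips is unreachable".

Added example (not from the ticket). Three things must hold on the client
router before a packet to the target can even enter the tunnel:
  1. cryptokey routing: some peer's allowed-ips covers the destination,
     otherwise WireGuard silently drops the packet;
  2. the kernel's longest-prefix route for the destination points at the
     wg interface;
  3. if the packet comes from the LAN, the source-NAT rule matches it.
"""
import ipaddress

# Constructed samples in the shape of the ticket's `wg show` / `ip route` output.
WG_SHOW = """\
interface: wg4
  public key: mXilXq4j3arohJg8jlEsSg5VDkXqK4+hpymgORnZqwI=
  private key: (hidden)
  listening port: 50438

peer: DoNiaT4ImOWmshzE0qBbCHuMKWrOQVBMG0jNOs+CmCg=
  endpoint: 66.170.190.194:51820
  allowed ips: 10.213.0.0/16, 10.200.254.0/24
  latest handshake: 1 minute, 20 seconds ago
"""

IP_ROUTE = """\
default via 203.0.113.1 dev eth0 proto static metric 20
10.213.0.0/16 nhid 54 dev wg4 proto static metric 20
172.31.240.0/24 dev eth1 proto kernel scope link src 172.31.240.1
"""

# The VyOS `nat source rule 60` from the ticket, as plain data.
NAT_SOURCE = ipaddress.ip_network("172.31.240.0/24")
NAT_DEST_GROUP = [ipaddress.ip_network("10.200.254.0/24"),
                  ipaddress.ip_network("10.213.0.0/16")]
NAT_OUT_IFACE = "wg4"

# What to look at once the local side is shown to be consistent.
REMOTE_SIDE_CHECKS = [
    "remote peer's allowed-ips must include this client's tunnel address",
    "remote WireGuard host must forward (ip_forward / firewall) into the target subnet",
    "target subnet must have a return route for the tunnel address",
    "wireless segment must not isolate the target (client isolation / VLAN ACLs)",
]


def parse_wg_show(text):
    """Return (interface, [(peer_pubkey, [allowed networks])])."""
    iface, peers = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            iface = line.split(":", 1)[1].strip()
        elif line.startswith("peer:"):
            peers.append((line.split(":", 1)[1].strip(), []))
        elif line.startswith("allowed ips:") and peers:
            for item in line.split(":", 1)[1].split(","):
                item = item.strip()
                if item and item != "(none)":
                    peers[-1][1].append(ipaddress.ip_network(item))
    return iface, peers


def parse_ip_route(text):
    """Return [(device, network)] from `ip route`; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        net = ipaddress.ip_network("0.0.0.0/0" if parts[0] == "default" else parts[0])
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((dev, net))
    return routes


def longest_match(candidates, addr):
    """candidates: iterable of (label, network); return the most specific hit."""
    hits = [(label, net) for label, net in candidates if addr in net]
    return max(hits, key=lambda h: h[1].prefixlen) if hits else None


def triage(target, source=None, wg_text=WG_SHOW, route_text=IP_ROUTE):
    """Evaluate the three local conditions for a packet from `source` to `target`."""
    addr = ipaddress.ip_address(target)
    iface, peers = parse_wg_show(wg_text)
    peer = longest_match(((key, net) for key, nets in peers for net in nets), addr)
    route = longest_match(parse_ip_route(route_text), addr)
    result = {
        "peer": peer[0] if peer else None,
        "cryptokey_ok": peer is not None,
        "route_dev": route[0] if route else None,
        "route_ok": route is not None and route[0] == iface,
    }
    nat_ok = NAT_OUT_IFACE == iface and any(addr in net for net in NAT_DEST_GROUP)
    if source is not None:
        nat_ok = nat_ok and ipaddress.ip_address(source) in NAT_SOURCE
    result["nat_ok"] = nat_ok
    result["local_ok"] = result["cryptokey_ok"] and result["route_ok"] and nat_ok
    result["next_checks"] = REMOTE_SIDE_CHECKS if result["local_ok"] else []
    return result


if __name__ == "__main__":
    for host in ("10.213.11.162", "10.213.0.1", "192.0.2.7"):
        r = triage(host, source="172.31.240.50")
        status = "local config consistent" if r["local_ok"] else "local config blocks it"
        print(f"{host}: {status} (peer={r['peer']}, route via {r['route_dev']})")
        for check in r["next_checks"]:
            print("  next:", check)
```

Run it with the real outputs pasted in place of the samples; a host that passes all three local checks but still times out is a far-side problem, and the listed remote checks are where to look next.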

Change History (0)
