[SOLVED]r49139 WireGuard setup with internet via Client WiFi

DD-WRT Forum Index -> Advanced Networking
radoslavv
DD-WRT Novice


Joined: 23 Aug 2013
Posts: 10
Location: Slovakia

Posted: Sun Jun 19, 2022 21:52    Post subject: [SOLVED] r49139 WireGuard setup with internet via Client WiFi
I have 3 DD-WRT devices using WireGuard VPN to create a LAN:

Topology:


1. NetGear R6700v3 as public "master" node (LAN segment 192.168.10.x)

2. NetGear R6700v3 as "slave" (LAN segment 192.168.20.x)

3. NetGear WNDR4500v1 as "slave" (LAN segment 192.168.30.x)


Segments 192.168.10.0/24 and 192.168.20.0/24 reach each other without issues: any host in one segment can reach any host in the other segment.
Both devices 1 and 2 are in Gateway mode with the internet connected via the WLAN port.

The problem is with reachability of the 192.168.30.0/24 segment. The only difference in the 3rd router's configuration is that the internet is connected via the WiFi port (in client mode). Internet for hosts in 192.168.30.0/24 is working properly, but the VPN is not (reachability of hosts in 192.168.10.0/24 and 192.168.20.0/24 does not work properly; the same issue occurs in the opposite direction).

1) PING works OK from master router 192.168.10.1 to both routers:
Code:
root@R6700:~# ping 192.168.30.1
PING 192.168.30.1 (192.168.30.1): 56 data bytes
64 bytes from 192.168.30.1: seq=0 ttl=64 time=45.266 ms
64 bytes from 192.168.30.1: seq=2 ttl=64 time=66.985 ms
64 bytes from 192.168.30.1: seq=3 ttl=64 time=42.492 ms
64 bytes from 192.168.30.1: seq=4 ttl=64 time=93.015 ms
64 bytes from 192.168.30.1: seq=5 ttl=64 time=42.720 ms
^C
--- 192.168.30.1 ping statistics ---
6 packets transmitted, 5 packets received, 16% packet loss
round-trip min/avg/max = 42.492/58.095/93.015 ms
root@R6700:~# ping 192.168.20.1
PING 192.168.20.1 (192.168.20.1): 56 data bytes
64 bytes from 192.168.20.1: seq=0 ttl=64 time=10.573 ms
64 bytes from 192.168.20.1: seq=1 ttl=64 time=20.543 ms
64 bytes from 192.168.20.1: seq=2 ttl=64 time=11.979 ms
64 bytes from 192.168.20.1: seq=3 ttl=64 time=10.073 ms
64 bytes from 192.168.20.1: seq=4 ttl=64 time=10.165 ms
^C
--- 192.168.20.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 10.073/12.666/20.543 ms


2) PING works OK from slave router 192.168.20.1 to master 192.168.10.1 but not to slave 192.168.30.1:
Code:
root@R6700bu:~# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1): 56 data bytes
64 bytes from 192.168.10.1: seq=0 ttl=64 time=10.100 ms
64 bytes from 192.168.10.1: seq=1 ttl=64 time=10.848 ms
64 bytes from 192.168.10.1: seq=2 ttl=64 time=9.599 ms
64 bytes from 192.168.10.1: seq=3 ttl=64 time=10.272 ms
64 bytes from 192.168.10.1: seq=4 ttl=64 time=11.080 ms
^C
--- 192.168.10.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 9.599/10.379/11.080 ms
root@R6700bu:~# ping 192.168.30.1
PING 192.168.30.1 (192.168.30.1): 56 data bytes
^C
--- 192.168.30.1 ping statistics ---
9 packets transmitted, 0 packets received, 100% packet loss


3) PING works OK from slave router 192.168.30.1 to master router 192.168.10.1 and slave router 192.168.20.1:
Code:
root@WNDR4500:~# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1): 56 data bytes
64 bytes from 192.168.10.1: seq=0 ttl=64 time=41.860 ms
64 bytes from 192.168.10.1: seq=1 ttl=64 time=53.699 ms
64 bytes from 192.168.10.1: seq=2 ttl=64 time=41.595 ms
64 bytes from 192.168.10.1: seq=3 ttl=64 time=41.356 ms
64 bytes from 192.168.10.1: seq=4 ttl=64 time=42.793 ms
^C
--- 192.168.10.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 41.356/44.260/53.699 ms
root@WNDR4500:~# ping 192.168.20.1
PING 192.168.20.1 (192.168.20.1): 56 data bytes
64 bytes from 192.168.20.1: seq=0 ttl=63 time=72.868 ms
64 bytes from 192.168.20.1: seq=1 ttl=63 time=56.930 ms
64 bytes from 192.168.20.1: seq=2 ttl=63 time=61.697 ms
64 bytes from 192.168.20.1: seq=4 ttl=63 time=54.941 ms
64 bytes from 192.168.20.1: seq=5 ttl=63 time=128.556 ms
^C
--- 192.168.20.1 ping statistics ---
6 packets transmitted, 5 packets received, 16% packet loss
round-trip min/avg/max = 54.941/74.998/128.556 ms


4) host 192.168.10.66 can ping both slave routers:
Code:
root@WNDR4500:~# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1): 56 data bytes
64 bytes from 192.168.10.1: seq=0 ttl=64 time=41.860 ms
64 bytes from 192.168.10.1: seq=1 ttl=64 time=53.699 ms
64 bytes from 192.168.10.1: seq=2 ttl=64 time=41.595 ms
64 bytes from 192.168.10.1: seq=3 ttl=64 time=41.356 ms
64 bytes from 192.168.10.1: seq=4 ttl=64 time=42.793 ms
^C
--- 192.168.10.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 41.356/44.260/53.699 ms
root@WNDR4500:~# ping 192.168.20.1
PING 192.168.20.1 (192.168.20.1): 56 data bytes
64 bytes from 192.168.20.1: seq=0 ttl=63 time=72.868 ms
64 bytes from 192.168.20.1: seq=1 ttl=63 time=56.930 ms
64 bytes from 192.168.20.1: seq=2 ttl=63 time=61.697 ms
64 bytes from 192.168.20.1: seq=4 ttl=63 time=54.941 ms
64 bytes from 192.168.20.1: seq=5 ttl=63 time=128.556 ms
^C
--- 192.168.20.1 ping statistics ---
6 packets transmitted, 5 packets received, 16% packet loss
round-trip min/avg/max = 54.941/74.998/128.556 ms


5) host 192.168.30.111 can ping both primary 192.168.10.1 and slave router 192.168.20.1:
Code:
C:\>ping 192.168.10.1

Pinging 192.168.10.1 with 32 bytes of data:
Reply from 192.168.10.1: bytes=32 time=45ms TTL=63
Reply from 192.168.10.1: bytes=32 time=54ms TTL=63
Reply from 192.168.10.1: bytes=32 time=44ms TTL=63
Reply from 192.168.10.1: bytes=32 time=43ms TTL=63

Ping statistics for 192.168.10.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 43ms, Maximum = 54ms, Average = 46ms

C:\>ping 192.168.20.1

Pinging 192.168.20.1 with 32 bytes of data:
Reply from 192.168.20.1: bytes=32 time=54ms TTL=62
Reply from 192.168.20.1: bytes=32 time=62ms TTL=62
Reply from 192.168.20.1: bytes=32 time=51ms TTL=62
Reply from 192.168.20.1: bytes=32 time=51ms TTL=62

Ping statistics for 192.168.20.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 51ms, Maximum = 62ms, Average = 54ms


6) host 192.168.30.111 can tracert both primary 192.168.10.1 and slave router 192.168.20.1:
Code:
C:\>tracert 192.168.10.66

Tracing route to 192.168.10.66 over a maximum of 30 hops

  1     2 ms     1 ms     1 ms  WNDR4500 [192.168.30.1]
  2     *       41 ms    44 ms  172.16.0.1
  3     *      361 ms    44 ms  192.168.10.66

Trace complete.

C:\>tracert 192.168.10.232

Tracing route to 192.168.10.232 over a maximum of 30 hops

  1     2 ms     1 ms     1 ms  WNDR4500 [192.168.30.1]
  2     *        *      397 ms  172.16.0.1
  3    85 ms   109 ms    57 ms  192.168.10.232

Trace complete.


7) host 192.168.10.66 can't tracert slave router 192.168.30.1:
Code:
C:\>tracert 192.168.30.111

Tracing route to NB-LNV-Y9 [192.168.30.111]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  R6700 [192.168.10.1]
  2     *       43 ms    43 ms  172.16.0.3
  3     *        *        *     Request timed out.
  4  ^C
C:\>tracert 192.168.30.111

Tracing route to NB-LNV-Y9 [192.168.30.111]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  R6700 [192.168.10.1]
  2     *       40 ms    45 ms  172.16.0.3
  3     *        *        *     Request timed out.
  4  ^C


8) host 192.168.10.66 can reach SSH of master router 192.168.10.1, but just a few packets are passing the VPN (only part of the top command screen is transferred):
Code:
login as: root
Pre-authentication banner message from server:
| DD-WRT v3.0-r49139 giga (c) 2022 NewMedia-NET GmbH
| Release: 06/10/22
| Board: Netgear WNDR4500
End of banner message from server
root@192.168.30.1's password:
==========================================================

     ___  ___     _      _____  ______       ____  ___
    / _ \/ _ \___| | /| / / _ \/_  __/ _  __|_  / / _ \
   / // / // /___/ |/ |/ / , _/ / /   | |/ //_ <_/ // /
  /____/____/    |__/|__/_/|_| /_/    |___/____(_)___/

                       DD-WRT v3.0
                   https://www.dd-wrt.com


==========================================================


BusyBox v1.35.0 (2022-06-10 02:35:58 +07) built-in shell (ash)

root@WNDR4500:~# top
Mem: 48780K used, 75832K free, 0K shrd, 6628K buff, 15240K cached
CPU:  0.0% usr  8.3% sys  0.0% nic 91.6% idle  0.0% io  0.0% irq  0.0% sirq
Load average: 0.14 0.08 0.09 1/65 9403
  PID  PPID USER     STAT   VSZ %VSZ %CPU COMMAND
 9403  9380 root     R     1456  1.1  8.3 top
 1852     1 root     S     4388  3.5  0.0 httpd -n -S -p 80 -m 443
 2319     1 root     S     2240  1.7  0.0 wpa_supplicant -B -Dwext -ieth1 -c /tm
 2613     1 root     S     1904  1.5  0.0 dnsmasq -u root -g root -C /tmp/dnsmas
 1682     1 root     S     1896  1.5  0.0 ttraff
 2320     1 root     S     1688  1.3  0.0 nas -P /tmp/nas.wl1lan.pid -H 34954 -l


9) host 192.168.30.111 can reach SSH of slave router 192.168.30.1, but just a few packets are passing the VPN (only part of the top command screen is transferred):
Code:
login as: root
Pre-authentication banner message from server:
| DD-WRT v3.0-r43886 std (c) 2020 NewMedia-NET GmbH
| Release: 07/21/20
| Board: Netgear R6700 v3
End of banner message from server
root@192.168.20.1's password:
==========================================================

     ___  ___     _      _____  ______       ____  ___
    / _ \/ _ \___| | /| / / _ \/_  __/ _  __|_  / / _ \
   / // / // /___/ |/ |/ / , _/ / /   | |/ //_ <_/ // /
  /____/____/    |__/|__/_/|_| /_/    |___/____(_)___/

                       DD-WRT v3.0
                   http://www.dd-wrt.com

==========================================================


BusyBox v1.32.0 (2020-07-21 09:17:36 +04) built-in shell (ash)

root@R6700bu:~# top
Mem: 69720K used, 184684K free, 0K shrd, 6088K buff, 17140K cached
CPU:  4.1% usr 41.6% sys  0.0% nic 54.1% idle  0.0% io  0.0% irq  0.0% sirq
Load average: 0.57 0.46 0.43 3/159 32641
  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
32631 32558 root     R     1460  0.5   0  4.1 top
 1719  1717 nobody   S    46356 18.1   0  0.0 nginx: worker process
 1720  1717 nobody   S    46244 18.0   0  0.0 nginx: cache manager process
 1717     1 root     S    46120 18.0   1  0.0 nginx: master process /jffs/bin/ng
 1626     1 root     S    12756  4.9   0  0.0 httpd -n -S -p 80 -m 443
17798     1 root     S     1940  0.7   0  0.0 dnsmasq -u root -g root --conf-fil
 1556     1 root     S     1696  0.6   1  0.0 ttraff
 1617     1 root     S     1576  0.6   0  0.0 radio_timer


10) route and iptables look correct for all 3 routers:
---------------------------------------------------------
Code:
login as: root
Pre-authentication banner message from server:
| DD-WRT v3.0-r49139 std (c) 2022 NewMedia-NET GmbH
| Release: 06/10/22
| Board: Netgear R6700 v3
End of banner message from server
root@192.168.10.1's password:
==========================================================

     ___  ___     _      _____  ______       ____  ___
    / _ \/ _ \___| | /| / / _ \/_  __/ _  __|_  / / _ \
   / // / // /___/ |/ |/ / , _/ / /   | |/ //_ <_/ // /
  /____/____/    |__/|__/_/|_| /_/    |___/____(_)___/

                       DD-WRT v3.0
                   https://www.dd-wrt.com


==========================================================


BusyBox v1.35.0 (2022-06-10 01:51:35 +07) built-in shell (ash)

root@R6700:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         188-xxx-yyy-zz3 0.0.0.0         UG    0      0        0 vlan2
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
172.16.0.0      *               255.255.255.0   U     0      0        0 oet1
172.16.0.2      *               255.255.255.255 UH    0      0        0 oet1
172.16.0.3      *               255.255.255.255 UH    0      0        0 oet1
188.xxx.yyy.zz2 *               255.255.255.252 U     0      0        0 vlan2
192.168.1.0     *               255.255.255.0   U     0      0        0 oet1
192.168.10.0    *               255.255.255.0   U     0      0        0 br0
192.168.20.0    *               255.255.255.0   U     0      0        0 oet1
192.168.20.0    R6700           255.255.255.0   UG    1      0        0 br0
192.168.30.0    *               255.255.255.0   U     0      0        0 oet1
192.168.30.0    172.16.0.3      255.255.255.0   UG    1      0        0 oet1
root@R6700:~# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            188.xxx.yyy.zz4      tcp dpt:443 to:192.168.10.1:443
DNAT       icmp --  0.0.0.0/0            188.xxx.yyy.zz4      to:192.168.10.1
DNAT       tcp  --  0.0.0.0/0            188.xxx.yyy.zz4      tcp dpt:8443 to:192.168.10.1:8443
DNAT       udp  --  0.0.0.0/0            188.xxx.yyy.zz4      udp dpt:8443 to:192.168.10.1:8443
DNAT       tcp  --  0.0.0.0/0            188.xxx.yyy.zz4      tcp dpt:51820 to:192.168.10.1:51820
DNAT       udp  --  0.0.0.0/0            188.xxx.yyy.zz4      udp dpt:51820 to:192.168.10.1:51820
DNAT       tcp  --  192.168.0.1          188.xxx.yyy.zz4      tcp dpt:514 to:192.168.10.222:514
DNAT       udp  --  192.168.0.1          188.xxx.yyy.zz4      udp dpt:514 to:192.168.10.222:514
DNAT       tcp  --  89.173.176.28        188.xxx.yyy.zz4      tcp dpt:80 to:192.168.10.27:8000
DNAT       udp  --  89.173.176.28        188.xxx.yyy.zz4      udp dpt:80 to:192.168.10.27:8000
DNAT       tcp  --  89.173.176.28        188.xxx.yyy.zz4      tcp dpt:8001 to:192.168.10.27:8001
DNAT       udp  --  89.173.176.28        188.xxx.yyy.zz4      udp dpt:8001 to:192.168.10.27:8001
DNAT       tcp  --  89.173.176.28        188.xxx.yyy.zz4      tcp dpt:8888 to:192.168.10.27:8888
DNAT       udp  --  89.173.176.28        188.xxx.yyy.zz4      udp dpt:8888 to:192.168.10.27:8888
DNAT       tcp  --  0.0.0.0/0            188.xxx.yyy.zz4      tcp dpts:10005:10008 to:192.168.10.40
DNAT       udp  --  0.0.0.0/0            188.xxx.yyy.zz4      udp dpts:10005:10008 to:192.168.10.40
TRIGGER    all  --  0.0.0.0/0            188.xxx.yyy.zz4     TRIGGER type:dnat match:0 relate:0

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.16.0.0/24        0.0.0.0/0
SNAT       all  --  192.168.10.0/24      0.0.0.0/0            to:188.xxx.yyy.zz4
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
MASQUERADE  all  --  192.168.10.0/24      192.168.10.0/24
root@R6700:~# iptables -t mangle -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RRDIPT_INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RRDIPT_FORWARD  all  --  0.0.0.0/0            0.0.0.0/0
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
RRDIPT_OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain RRDIPT_FORWARD (1 references)
target     prot opt source               destination
RETURN     all  --  192.168.10.222       0.0.0.0/0
RETURN     all  --  0.0.0.0/0            192.168.10.222
RETURN     all  --  192.168.10.27        0.0.0.0/0
RETURN     all  --  0.0.0.0/0            192.168.10.27
RETURN     all  --  192.168.10.66        0.0.0.0/0
RETURN     all  --  0.0.0.0/0            192.168.10.66
RETURN     all  --  188.xxx.yyy.zz3      0.0.0.0/0
RETURN     all  --  0.0.0.0/0            188.xxx.yyy.zz3
RETURN     all  --  192.168.10.101       0.0.0.0/0
RETURN     all  --  0.0.0.0/0            192.168.10.101
RETURN     all  --  192.168.10.102       0.0.0.0/0
RETURN     all  --  0.0.0.0/0            192.168.10.102
RETURN     all  --  192.168.10.103       0.0.0.0/0
RETURN     all  --  0.0.0.0/0            192.168.10.103

Chain RRDIPT_INPUT (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain RRDIPT_OUTPUT (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
root@R6700:~# iptables -t raw -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            172.16.0.0/24        ADDRTYPE match src-type !LOCAL

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@R6700:~#

---------------------------------------------------------
Code:
login as: root
Pre-authentication banner message from server:
| DD-WRT v3.0-r43886 std (c) 2020 NewMedia-NET GmbH
| Release: 07/21/20
| Board: Netgear R6700 v3
End of banner message from server
root@192.168.20.1's password:
==========================================================

     ___  ___     _      _____  ______       ____  ___
    / _ \/ _ \___| | /| / / _ \/_  __/ _  __|_  / / _ \
   / // / // /___/ |/ |/ / , _/ / /   | |/ //_ <_/ // /
  /____/____/    |__/|__/_/|_| /_/    |___/____(_)___/

                       DD-WRT v3.0
                   http://www.dd-wrt.com

==========================================================


BusyBox v1.32.0 (2020-07-21 09:17:36 +04) built-in shell (ash)

root@R6700bu:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 vlan2
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
172.16.0.0      *               255.255.255.0   U     0      0        0 oet1
188.aaa.bbb.ccc 192.168.1.1     255.255.255.255 UGH   0      0        0 vlan2
188.xxx.yyy.zz4 192.168.1.1     255.255.255.255 UGH   0      0        0 vlan2
192.168.1.0     *               255.255.255.0   U     0      0        0 vlan2
192.168.10.0    *               255.255.255.0   U     0      0        0 oet1
192.168.20.0    *               255.255.255.0   U     0      0        0 br0
192.168.30.0    *               255.255.255.0   U     0      0        0 oet1
root@R6700bu:~# iptables -t nat -Ln
root@R6700bu:~# iptables -t nat -Ln list
Bad argument `list'
Try `iptables -h' or 'iptables --help' for more information.
root@R6700bu:~# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.0.0/16       0.0.0.0/0           tcp dpt:80
DROP       tcp  --  192.168.20.1         192.168.20.1        tcp dpt:443
ACCEPT     tcp  --  192.168.20.0/24      192.168.20.1        tcp dpt:443
DNAT       tcp  --  0.0.0.0/0           !192.168.1.2         tcp dpt:80 to:192.168.20.1:8118
DNAT       tcp  --  0.0.0.0/0            192.168.1.2         tcp dpt:443 to:192.168.20.1:443
DNAT       icmp --  0.0.0.0/0            192.168.1.2         to:192.168.20.1
DNAT       tcp  --  0.0.0.0/0            192.168.1.2         tcp dpt:8443 to:192.168.20.1:8443
DNAT       udp  --  0.0.0.0/0            192.168.1.2         udp dpt:8443 to:192.168.20.1:8443
TRIGGER    0    --  0.0.0.0/0            192.168.1.2         TRIGGER type:dnat match:0 relate:0

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       0    --  192.168.20.0/24      0.0.0.0/0           to:192.168.1.2
MASQUERADE  0    --  0.0.0.0/0            0.0.0.0/0           mark match 0x80000000/0x80000000
root@R6700bu:~# iptables -t mangle -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       0    --  0.0.0.0/0            192.168.1.2          MARK or 0x80000000
CONNMARK   0    --  0.0.0.0/0            0.0.0.0/0           CONNMARK save

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
root@R6700bu:~# iptables -t raw -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DROP       0    --  0.0.0.0/0            172.16.0.0/24       ADDRTYPE match src-type !LOCAL

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@R6700bu:~#

---------------------------------------------------------
Code:
login as: root
Pre-authentication banner message from server:
| DD-WRT v3.0-r49139 giga (c) 2022 NewMedia-NET GmbH
| Release: 06/10/22
| Board: Netgear WNDR4500
End of banner message from server
root@192.168.30.1's password:
==========================================================

     ___  ___     _      _____  ______       ____  ___
    / _ \/ _ \___| | /| / / _ \/_  __/ _  __|_  / / _ \
   / // / // /___/ |/ |/ / , _/ / /   | |/ //_ <_/ // /
  /____/____/    |__/|__/_/|_| /_/    |___/____(_)___/

                       DD-WRT v3.0
                   https://www.dd-wrt.com


==========================================================


BusyBox v1.35.0 (2022-06-10 02:35:58 +07) built-in shell (ash)

root@WNDR4500:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.2.0.1        0.0.0.0         UG    0      0        0 eth1
10.2.0.0        *               255.255.0.0     U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
172.16.0.0      *               255.255.255.0   U     0      0        0 oet1
172.16.0.1      *               255.255.255.255 UH    0      0        0 oet1
188.xxx.yyy.zz4 10.2.0.1        255.255.255.255 UGH   0      0        0 eth1
192.168.10.0    *               255.255.255.0   U     0      0        0 oet1
192.168.20.0    *               255.255.255.0   U     0      0        0 oet1
192.168.30.0    *               255.255.255.0   U     0      0        0 br0
root@WNDR4500:~# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            10.2.185.12          tcp dpt:443 to:192.168.30.1:443
DNAT       icmp --  0.0.0.0/0            10.2.185.12          to:192.168.30.1
TRIGGER    all  --  0.0.0.0/0            10.2.185.12         TRIGGER type:dnat match:0 relate:0

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.30.0/24      0.0.0.0/0            to:10.2.185.12
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
MASQUERADE  all  --  192.168.30.0/24      192.168.30.0/24
root@WNDR4500:~# iptables -t mangle -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RRDIPT_INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RRDIPT_FORWARD  all  --  0.0.0.0/0            0.0.0.0/0
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
RRDIPT_OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain RRDIPT_FORWARD (1 references)
target     prot opt source               destination
RETURN     all  --  10.2.0.1             0.0.0.0/0
RETURN     all  --  0.0.0.0/0            10.2.0.1
RETURN     all  --  192.168.30.111       0.0.0.0/0
RETURN     all  --  0.0.0.0/0            192.168.30.111

Chain RRDIPT_INPUT (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain RRDIPT_OUTPUT (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
root@WNDR4500:~# iptables -t raw -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            172.16.0.0/24        ADDRTYPE match src-type !LOCAL

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@WNDR4500:~#

---------------------------------------------------------

11) A 1-packet connection-close HTTP 1.0 web page is transferred (192.168.30.111<->192.168.10.232):
11.1) tcpdump on 192.168.10.1
Code:
root@R6700:~# tcpdump -i oet1 -n |grep 192.168.30.1
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on oet1, link-type RAW (Raw IP), snapshot length 262144 bytes
22:52:15.925758 IP 192.168.30.111.57529 > 192.168.10.232.80: Flags [.], seq 1491238036:1491238037, ack 348007, win 65298, length 1: HTTP
22:52:16.008846 IP 192.168.30.111.57582 > 192.168.10.232.80: Flags [S], seq 987474931, win 64240, options [mss 1420,nop,wscale 8,nop,nop,sackOK], length 0
22:52:16.014106 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [P.], seq 1426155910:1426156434, ack 348106, win 65392, length 524: HTTP: GET /co2 HTTP/1.1
22:52:16.077537 IP 192.168.10.232.80 > 192.168.30.111.57531: Flags [.], ack 20, win 532, length 0
22:52:16.278261 IP 192.168.10.232.80 > 192.168.30.111.57531: Flags [FP.], seq 1:1293, ack 20, win 532, length 1292: HTTP: HTTP/1.0 200 OK
22:52:16.326752 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [.], ack 1294, win 65392, length 0
22:52:16.326762 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [F.], seq 524, ack 1294, win 65392, length 0
22:52:16.492036 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [FP.], seq 20:524, ack 1294, win 65392, length 504: HTTP
22:52:16.555747 IP 192.168.10.232.80 > 192.168.30.111.57531: Flags [.], ack 40, win 532, length 0
22:52:16.579214 IP 192.168.10.232.80 > 192.168.30.111.57531: Flags [F.], seq 1294, ack 40, win 532, length 0
22:52:16.970414 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [FP.], seq 40:524, ack 1294, win 65392, length 484: HTTP
22:52:17.015517 IP 192.168.30.111.57582 > 192.168.10.232.80: Flags [S], seq 987474931, win 64240, options [mss 1420,nop,wscale 8,nop,nop,sackOK], length 0
22:52:17.094771 IP 192.168.10.232.80 > 192.168.30.111.57582: Flags [S.], seq 348151, ack 987474932, win 532, options [mss 536], length 0
22:52:17.139643 IP 192.168.30.111.57582 > 192.168.10.232.80: Flags [.], ack 1, win 65392, length 0
22:52:17.680285 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [FP.], seq 40:524, ack 1294, win 65392, length 484: HTTP
22:52:19.116363 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [FP.], seq 40:524, ack 1294, win 65392, length 484: HTTP
22:52:21.537815 IP 192.168.30.111.57529 > 192.168.10.232.80: Flags [R.], seq 367, ack 1, win 0, length 0
22:52:21.974690 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [FP.], seq 40:524, ack 1294, win 65392, length 484: HTTP
22:52:27.673631 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [FP.], seq 40:524, ack 1294, win 65392, length 484: HTTP
22:52:39.065547 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [R.], seq 525, ack 1294, win 0, length 0
^C110 packets captured
110 packets received by filter
0 packets dropped by kernel

11.2) tcpdump on 192.168.30.1
Code:
root@WNDR4500:~# tcpdump -i oet1 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on oet1, link-type RAW (Raw IP), capture size 262144 bytes
22:52:15.904666 IP 192.168.30.111.57529 > 192.168.10.232.80: Flags [.], seq 1491238036:1491238037, ack 348007, win 65298, length 1: HTTP
22:52:15.981623 IP 192.168.30.111.57582 > 192.168.10.232.80: Flags [S], seq 987474931, win 64240, options [mss 1420,nop,wscale 8,nop,nop,sackOK], length 0
22:52:15.982750 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [P.], seq 1426155910:1426156434, ack 348106, win 65392, length 524: HTTP: GET /co2 HTTP/1.1
22:52:16.102399 IP 192.168.10.232.80 > 192.168.30.111.57531: Flags [.], ack 20, win 532, length 0
22:52:16.303844 IP 192.168.10.232.80 > 192.168.30.111.57531: Flags [FP.], seq 1:1293, ack 20, win 532, length 1292: HTTP: HTTP/1.0 200 OK
22:52:16.305918 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [.], ack 1294, win 65392, length 0
22:52:16.307762 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [F.], seq 524, ack 1294, win 65392, length 0
22:52:16.464139 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [FP.], seq 20:524, ack 1294, win 65392, length 504: HTTP
22:52:16.578406 IP 192.168.10.232.80 > 192.168.30.111.57531: Flags [.], ack 40, win 532, length 0
22:52:16.606943 IP 192.168.10.232.80 > 192.168.30.111.57531: Flags [F.], seq 1294, ack 40, win 532, length 0
22:52:16.947174 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [FP.], seq 40:524, ack 1294, win 65392, length 484: HTTP
22:52:16.993011 IP 192.168.30.111.57582 > 192.168.10.232.80: Flags [S], seq 987474931, win 64240, options [mss 1420,nop,wscale 8,nop,nop,sackOK], length 0
22:52:17.118906 IP 192.168.10.232.80 > 192.168.30.111.57582: Flags [S.], seq 348151, ack 987474932, win 532, options [mss 536], length 0
22:52:17.120979 IP 192.168.30.111.57582 > 192.168.10.232.80: Flags [.], ack 1, win 65392, length 0
22:52:17.660902 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [FP.], seq 40:524, ack 1294, win 65392, length 484: HTTP
22:52:19.096520 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [FP.], seq 40:524, ack 1294, win 65392, length 484: HTTP
22:52:21.517227 IP 192.168.30.111.57529 > 192.168.10.232.80: Flags [R.], seq 367, ack 1, win 0, length 0
22:52:21.955573 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [FP.], seq 40:524, ack 1294, win 65392, length 484: HTTP
22:52:27.653324 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [FP.], seq 40:524, ack 1294, win 65392, length 484: HTTP
22:52:39.047421 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [R.], seq 525, ack 1294, win 0, length 0
^C
20 packets captured
20 packets received by filter
0 packets dropped by kernel


12) A multi-packet HTTP 1.1 web page (master router admin page) is NOT transferred (192.168.30.111<->192.168.10.1):
12.1) tcpdump on 192.168.10.1
Code:
root@R6700:~# tcpdump -i oet1 -n |grep 192.168.30.1
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on oet1, link-type RAW (Raw IP), snapshot length 262144 bytes
22:38:44.390243 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [R.], seq 978377737, ack 1457390884, win 0, length 0
22:38:58.343263 IP 192.168.30.111.57273 > 192.168.10.1.80: Flags [S], seq 328263245, win 64240, options [mss 1420,nop,wscale 8,nop,nop,sackOK], length 0
22:38:58.344952 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [S.], seq 3031236128, ack 328263246, win 28400, options [mss 1420,nop,nop,sackOK,nop,wscale 3], length 0
22:38:58.389532 IP 192.168.30.111.57274 > 192.168.10.1.80: Flags [S], seq 3503679211, win 64240, options [mss 1420,nop,wscale 8,nop,nop,sackOK], length 0
22:38:58.391254 IP 192.168.10.1.80 > 192.168.30.111.57274: Flags [S.], seq 22148557, ack 3503679212, win 28400, options [mss 1420,nop,nop,sackOK,nop,wscale 3], length 0
22:38:58.400699 IP 192.168.30.111.57273 > 192.168.10.1.80: Flags [P.], seq 1:458, ack 1, win 1026, length 457: HTTP: GET / HTTP/1.1
22:38:58.402463 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], ack 458, win 3684, length 0
22:38:58.400710 IP 192.168.30.111.57273 > 192.168.10.1.80: Flags [.], ack 1, win 1026, length 0
22:38:58.406352 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], ack 458, win 3684, length 0
22:38:58.416027 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], seq 1:2841, ack 458, win 3684, length 2840: HTTP: HTTP/1.1 401 UNAUTHORIZED
22:38:58.418676 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [P.], seq 2841:3215, ack 458, win 3684, length 374: HTTP
22:38:58.420509 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [F.], seq 3215, ack 458, win 3684, length 0
22:38:58.445957 IP 192.168.30.111.57274 > 192.168.10.1.80: Flags [.], ack 1, win 1026, length 0
22:38:58.474379 IP 192.168.30.111.57273 > 192.168.10.1.80: Flags [.], ack 1, win 1026, length 0
22:38:58.478977 IP 192.168.30.111.57273 > 192.168.10.1.80: Flags [.], ack 1, win 1026, options [nop,nop,sack 1 {2841:3215}], length 0
22:38:58.667854 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], seq 1:1421, ack 458, win 3684, length 1420: HTTP: HTTP/1.1 401 UNAUTHORIZED
22:38:59.187352 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], seq 1:1421, ack 458, win 3684, length 1420: HTTP: HTTP/1.1 401 UNAUTHORIZED
22:38:59.844812 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [.], seq 2250878284:2250878285, ack 993200019, win 1025, length 1
22:38:59.912544 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], ack 1, win 3684, options [nop,nop,sack 1 {0:1}], length 0
22:39:00.226766 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], seq 1:1421, ack 458, win 3684, length 1420: HTTP: HTTP/1.1 401 UNAUTHORIZED
22:39:02.305202 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], seq 1:1421, ack 458, win 3684, length 1420: HTTP: HTTP/1.1 401 UNAUTHORIZED
22:39:06.472349 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], seq 1:1421, ack 458, win 3684, length 1420: HTTP: HTTP/1.1 401 UNAUTHORIZED
22:39:08.285137 IP 192.168.10.1.80 > 192.168.30.111.57274: Flags [F.], seq 1, ack 1, win 3550, length 0
22:39:08.335089 IP 192.168.30.111.57274 > 192.168.10.1.80: Flags [.], ack 2, win 1026, length 0
22:39:13.149915 IP 192.168.30.111.57274 > 192.168.10.1.80: Flags [F.], seq 1, ack 2, win 1026, length 0
22:39:13.151548 IP 192.168.10.1.80 > 192.168.30.111.57274: Flags [.], ack 2, win 3550, length 0
22:39:14.806572 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], seq 1:1421, ack 458, win 3684, length 1420: HTTP: HTTP/1.1 401 UNAUTHORIZED
^C142 packets captured
142 packets received by filter
0 packets dropped by kernel

12.2) tcpdump on 192.168.30.1 (not transferred 401 UNAUTHORIZED)
Code:
root@WNDR4500:~# tcpdump -i oet1 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on oet1, link-type RAW (Raw IP), capture size 262144 bytes
22:38:44.415964 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [R.], seq 978377737, ack 1457390884, win 0, length 0
22:38:58.309336 IP 192.168.30.111.57273 > 192.168.10.1.80: Flags [S], seq 328263245, win 64240, options [mss 1420,nop,wscale 8,nop,nop,sackOK], length 0
22:38:58.310072 IP 192.168.30.111.57274 > 192.168.10.1.80: Flags [S], seq 3503679211, win 64240, options [mss 1420,nop,wscale 8,nop,nop,sackOK], length 0
22:38:58.361708 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [S.], seq 3031236128, ack 328263246, win 28400, options [mss 1420,nop,nop,sackOK,nop,wscale 3], length 0
22:38:58.363781 IP 192.168.30.111.57273 > 192.168.10.1.80: Flags [.], ack 1, win 1026, length 0
22:38:58.364001 IP 192.168.30.111.57273 > 192.168.10.1.80: Flags [P.], seq 1:458, ack 1, win 1026, length 457: HTTP: GET / HTTP/1.1
22:38:58.410711 IP 192.168.10.1.80 > 192.168.30.111.57274: Flags [S.], seq 22148557, ack 3503679212, win 28400, options [mss 1420,nop,nop,sackOK,nop,wscale 3], length 0
22:38:58.412777 IP 192.168.30.111.57274 > 192.168.10.1.80: Flags [.], ack 1, win 1026, length 0
22:38:58.423685 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], ack 458, win 3684, length 0
22:38:58.423887 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], ack 458, win 3684, length 0
22:38:58.445595 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [F.], seq 3215, ack 458, win 3684, length 0
22:38:58.446682 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [P.], seq 2841:3215, ack 458, win 3684, length 374: HTTP
22:38:58.447816 IP 192.168.30.111.57273 > 192.168.10.1.80: Flags [.], ack 1, win 1026, length 0
22:38:58.448500 IP 192.168.30.111.57273 > 192.168.10.1.80: Flags [.], ack 1, win 1026, options [nop,nop,sack 1 {2841:3215}], length 0
22:38:59.873805 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [.], seq 2250878284:2250878285, ack 993200019, win 1025, length 1
22:38:59.873979 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], ack 1, win 3684, options [nop,nop,sack 1 {0:1}], length 0
22:39:08.305104 IP 192.168.10.1.80 > 192.168.30.111.57274: Flags [F.], seq 1, ack 1, win 3550, length 0
22:39:08.307470 IP 192.168.30.111.57274 > 192.168.10.1.80: Flags [.], ack 2, win 1026, length 0
22:39:13.115467 IP 192.168.30.111.57274 > 192.168.10.1.80: Flags [F.], seq 1, ack 2, win 1026, length 0
22:39:13.173808 IP 192.168.10.1.80 > 192.168.30.111.57274: Flags [.], ack 2, win 3550, length 0
^C
20 packets captured
20 packets received by filter
0 packets dropped by kernel


13) multi-packet HTTP 1.1 web page (slave router admin page) is NOT transferred (192.168.10.66<->192.168.30.1):
13.1) tcpdump on 192.168.10.1
Code:
root@R6700:~# tcpdump -i oet1 -n |grep 192.168.30.1
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on oet1, link-type RAW (Raw IP), snapshot length 262144 bytes
22:36:13.775261 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [S], seq 2250877443, win 64240, options [mss 1420,nop,wscale 8,nop,nop,sackOK], length 0
22:36:13.776995 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [S], seq 978377218, win 64240, options [mss 1420,nop,wscale 8,nop,nop,sackOK], length 0
22:36:13.992921 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [S.], seq 993199919, ack 2250877444, win 28400, options [mss 1420,nop,nop,sackOK,nop,wscale 3], length 0
22:36:13.992932 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [S.], seq 1457390883, ack 978377219, win 28400, options [mss 1420,nop,nop,sackOK,nop,wscale 3], length 0
22:36:13.998889 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [.], ack 1, win 1026, length 0
22:36:14.000440 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [.], ack 1, win 1026, length 0
22:36:14.002658 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [P.], seq 1:518, ack 1, win 1026, length 517
22:36:14.004488 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [P.], seq 1:518, ack 1, win 1026, length 517
22:36:14.089798 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], ack 518, win 3684, length 0
22:36:14.093591 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [.], ack 518, win 3684, length 0
22:36:14.455281 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [P.], seq 1421:1579, ack 518, win 3684, length 158
22:36:14.458311 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [.], ack 1, win 1026, options [nop,nop,sack 1 {1421:1579}], length 0
22:36:14.577230 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [P.], seq 1421:1579, ack 518, win 3684, length 158
22:36:14.580128 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [.], ack 1, win 1026, options [nop,nop,sack 2 {1421:1579}{1421:1579}], length 0
22:36:19.334719 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [F.], seq 1579, ack 518, win 3684, length 0
22:36:19.337645 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [.], ack 1, win 1026, options [nop,nop,sack 1 {1421:1579}], length 0
22:36:19.339732 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [P.], seq 1:100, ack 518, win 3684, length 99
22:36:19.342951 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [P.], seq 518:841, ack 100, win 1025, length 323
22:36:19.397026 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], ack 841, win 3684, length 0
22:36:19.622125 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [P.], seq 1520:1721, ack 841, win 3684, length 201
22:36:19.625182 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [.], ack 100, win 1025, options [nop,nop,sack 1 {1520:1721}], length 0
22:36:24.622396 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [F.], seq 1721, ack 841, win 3684, length 0
22:36:24.625434 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [.], ack 100, win 1025, options [nop,nop,sack 1 {1520:1721}], length 0
^C96 packets captured
96 packets received by filter
0 packets dropped by kernel

13.2) tcpdump on 192.168.30.1
Code:
root@WNDR4500:~# tcpdump -i oet1 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on oet1, link-type RAW (Raw IP), capture size 262144 bytes
22:36:13.917459 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [S], seq 2250877443, win 64240, options [mss 1420,nop,wscale 8,nop,nop,sackOK], length 0
22:36:13.917724 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [S.], seq 993199919, ack 2250877444, win 28400, options [mss 1420,nop,nop,sackOK,nop,wscale 3], length 0
22:36:13.917825 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [S], seq 978377218, win 64240, options [mss 1420,nop,wscale 8,nop,nop,sackOK], length 0
22:36:13.918028 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [S.], seq 1457390883, ack 978377219, win 28400, options [mss 1420,nop,nop,sackOK,nop,wscale 3], length 0
22:36:14.046217 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [.], ack 1, win 1026, length 0
22:36:14.051548 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [.], ack 1, win 1026, length 0
22:36:14.051808 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [P.], seq 1:518, ack 1, win 1026, length 517
22:36:14.051954 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], ack 518, win 3684, length 0
22:36:14.052069 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [P.], seq 1:518, ack 1, win 1026, length 517
22:36:14.058420 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [.], ack 518, win 3684, length 0
22:36:14.293366 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [P.], seq 1:1579, ack 518, win 3684, length 1578
22:36:14.545475 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [P.], seq 1421:1579, ack 518, win 3684, length 158
22:36:14.558594 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [.], ack 1, win 1026, options [nop,nop,sack 1 {1421:1579}], length 0
22:36:14.595678 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [.], seq 1:1421, ack 518, win 3684, length 1420
22:36:14.679382 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [.], ack 1, win 1026, options [nop,nop,sack 2 {1421:1579}{1421:1579}], length 0
22:36:14.986629 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [.], seq 1:1421, ack 518, win 3684, length 1420
22:36:15.758258 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [.], seq 1:1421, ack 518, win 3684, length 1420
22:36:17.321364 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [.], seq 1:1421, ack 518, win 3684, length 1420
22:36:19.295252 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [F.], seq 1579, ack 518, win 3684, length 0
22:36:19.300904 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [P.], seq 1:100, ack 518, win 3684, length 99
22:36:19.359023 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [.], ack 1, win 1026, options [nop,nop,sack 1 {1421:1579}], length 0
22:36:19.363442 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [P.], seq 518:841, ack 100, win 1025, length 323
22:36:19.363665 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], ack 841, win 3684, length 0
22:36:19.586715 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [P.], seq 100:1721, ack 841, win 3684, length 1621
22:36:19.642069 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [.], ack 100, win 1025, options [nop,nop,sack 1 {1520:1721}], length 0
22:36:19.666297 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], seq 100:1520, ack 841, win 3684, length 1420
22:36:20.057023 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], seq 100:1520, ack 841, win 3684, length 1420
22:36:20.447916 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [.], seq 1:1421, ack 518, win 3684, length 1420
22:36:20.828623 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], seq 100:1520, ack 841, win 3684, length 1420
22:36:22.391598 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], seq 100:1520, ack 841, win 3684, length 1420
22:36:24.585755 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [F.], seq 1721, ack 841, win 3684, length 0
22:36:24.646089 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [.], ack 100, win 1025, options [nop,nop,sack 1 {1520:1721}], length 0
22:36:25.527639 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], seq 100:1520, ack 841, win 3684, length 1420
22:36:26.700004 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [.], seq 1:1421, ack 518, win 3684, length 1420
22:36:31.779445 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], seq 100:1520, ack 841, win 3684, length 1420
22:36:39.226989 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [.], seq 1:1421, ack 518, win 3684, length 1420
22:36:44.306606 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], seq 100:1520, ack 841, win 3684, length 1420
22:36:44.356826 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [F.], seq 518, ack 1, win 1026, length 0
22:36:44.357014 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [.], ack 519, win 3684, length 0
22:36:44.698585 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [F.], seq 841, ack 100, win 1025, length 0
22:36:44.698770 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], ack 842, win 3684, length 0
^C
41 packets captured
41 packets received by filter
0 packets dropped by kernel


=> Something is wrong in the WNDR4500. Routes & iptables seem to be OK. It seems something is wrong in the dd-wrt code in router Gateway mode in combination with WiFi Client internet access (not all packets are passing the WireGuard interface).

Any advice is welcome. I tried several changes in the WG setup, but no change in behaviour. The same issue was present with older code r43886 on the master router. Apparently the issue has been present for a while and has not been resolved till now.
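The captures in 12) and 13) share one pattern: short segments (the SYN/SYN-ACK exchange, the 457-byte GET, the 374-byte tail of the reply) cross oet1 and are acknowledged, while the full-size 1420-byte segments are resent with growing backoff and never acknowledged. The script below is an added example, not part of this thread and not DD-WRT code: it parses tcpdump's default TCP output, tracks per direction which data segments the peer acknowledged (by cumulative ACK or by SACK block) and flags a direction where everything above some payload size stalls, which is the signature of a path-MTU black hole inside a tunnel. The sample lines are copied from capture 12.1 above; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the 12.1 capture on the master router
# (192.168.10.1 serving its admin page to 192.168.30.111 through oet1).
SAMPLE = """\
22:38:58.400699 IP 192.168.30.111.57273 > 192.168.10.1.80: Flags [P.], seq 1:458, ack 1, win 1026, length 457: HTTP: GET / HTTP/1.1
22:38:58.402463 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], ack 458, win 3684, length 0
22:38:58.416027 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], seq 1:2841, ack 458, win 3684, length 2840: HTTP: HTTP/1.1 401 UNAUTHORIZED
22:38:58.418676 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [P.], seq 2841:3215, ack 458, win 3684, length 374: HTTP
22:38:58.478977 IP 192.168.30.111.57273 > 192.168.10.1.80: Flags [.], ack 1, win 1026, options [nop,nop,sack 1 {2841:3215}], length 0
22:38:58.667854 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], seq 1:1421, ack 458, win 3684, length 1420: HTTP: HTTP/1.1 401 UNAUTHORIZED
22:38:59.187352 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], seq 1:1421, ack 458, win 3684, length 1420: HTTP: HTTP/1.1 401 UNAUTHORIZED
22:39:00.226766 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], seq 1:1421, ack 458, win 3684, length 1420: HTTP: HTTP/1.1 401 UNAUTHORIZED
22:39:02.305202 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], seq 1:1421, ack 458, win 3684, length 1420: HTTP: HTTP/1.1 401 UNAUTHORIZED
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\],(?P<rest>.*)$")
SEQ_RE = re.compile(r"\bseq (\d+)(?::(\d+))?")
ACK_RE = re.compile(r"\back (\d+)")      # \b keeps this from matching inside "sackOK"
LEN_RE = re.compile(r"\blength (\d+)")
SACK_RE = re.compile(r"\{(\d+):(\d+)\}")


def parse_line(line):
    """Parse one `tcpdump -n` TCP line into its (relative) seq/ack bookkeeping."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    seq, ack, length = SEQ_RE.search(rest), ACK_RE.search(rest), LEN_RE.search(rest)
    seq_start = int(seq.group(1)) if seq else None
    seq_end = int(seq.group(2)) if seq and seq.group(2) else seq_start
    return {
        "src": m.group("src"), "dst": m.group("dst"),
        "seq_start": seq_start, "seq_end": seq_end,
        "ack": int(ack.group(1)) if ack else None,
        "sacks": [(int(a), int(b)) for a, b in SACK_RE.findall(rest)],
        "length": int(length.group(1)) if length else 0,
    }


def analyze(capture_text):
    """Per direction: largest payload the peer acknowledged vs. smallest it never did."""
    segments = defaultdict(lambda: defaultdict(int))  # (src,dst) -> (start,end,len) -> sends
    max_ack = defaultdict(int)                          # (src,dst) -> highest ack sent by src
    sack_blocks = defaultdict(set)                      # (src,dst) -> SACK ranges sent by src
    for line in capture_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        direction = (rec["src"], rec["dst"])
        if rec["length"] > 0 and rec["seq_start"] is not None:
            segments[direction][(rec["seq_start"], rec["seq_end"], rec["length"])] += 1
        if rec["ack"] is not None:
            max_ack[direction] = max(max_ack[direction], rec["ack"])
        sack_blocks[direction].update(rec["sacks"])

    report = {}
    for (src, dst), segs in segments.items():
        reverse = (dst, src)  # acknowledgements for this direction travel the other way
        delivered, stalled = [], []
        for (start, end, length), sends in segs.items():
            acked = max_ack[reverse] >= end or any(
                a <= start and end <= b for a, b in sack_blocks[reverse])
            (delivered if acked else stalled).append((length, sends))
        report[(src, dst)] = {
            "delivered_max": max((n for n, _ in delivered), default=None),
            "stalled_min": min((n for n, _ in stalled), default=None),
            "max_retransmits": max((s - 1 for _, s in stalled), default=0),
        }
    return report


def suspect_blackhole(report, min_retransmits=3):
    """Directions where only payloads above some size are stuck and keep being resent."""
    hits = []
    for (src, dst), r in report.items():
        if (r["stalled_min"] is not None and r["max_retransmits"] >= min_retransmits
                and (r["delivered_max"] is None or r["delivered_max"] < r["stalled_min"])):
            hits.append((src, dst, r["delivered_max"], r["stalled_min"]))
    return hits


if __name__ == "__main__":
    for src, dst, ok, bad in suspect_blackhole(analyze(SAMPLE)):
        print(f"{src} -> {dst}: payloads up to {ok} bytes get through, "
              f"{bad}-byte segments are retransmitted and never acknowledged")
```

Feed it a saved capture with `analyze(open(path).read())`. A reported direction with a clean size boundary (here 374 bytes delivered, 1420 bytes stuck) points at the encapsulation budget rather than at routing or firewall rules, because a routing or filtering problem would drop the small segments too.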
dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1899

PostPosted: Sun Jun 19, 2022 22:13    Post subject:
Upgrade.
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=332374

Read.
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397

Do you have webUI access disabled over wifi in your configuration?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Mon Jun 20, 2022 6:24    Post subject:
Disable the 2019 Mitigation. It prevents access to the LAN behind the router.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Mon Jun 20, 2022 6:56    Post subject:
I do not have time to study your setup in details today.

Besides the good advice from the former speakers, which I should follow (upgrade to a recent build and disable mitigation), there is another thing which could explain (part of) your problem: the MTU is too high, the maximum is 1440.

Especially if IPv6 is involved and/or PPPoE you should lower MTU below 1440.

Try 1400 or go even lower.

The WireGuard Advanced setup guide has a setup described just like yours, so have a look there and check your settings.

The VPN troubleshooting guide and the WireGuard Server Setup guide have a paragraph about MTU.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087


Last edited by egc on Mon Jun 20, 2022 14:22; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Mon Jun 20, 2022 6:57    Post subject:
Moved this thread to the Advanced networking forum as it can be of interest to us all.
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Mon Jun 20, 2022 13:48    Post subject:
I don't have anything too meaningful to add at this time, except my congratulations to you, sir. Your OP post is what I consider a worthy reference topic on how to ask for help in the right way.

Perhaps too detailed where output is concerned, since one example of a failed ping is enough to determine there is no communication between subnets; if ping fails, all else fails.

I will look at this in detail when I have some time; sadly, pesky personal life is getting in the way as usual.

What I will say is that routing fails to 192.168.30.x because perhaps you haven't told 192.168.30.x about 192.168.10.x and 192.168.10.x, and vice versa.

Advanced routing tab should be key.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Mon Jun 20, 2022 14:29    Post subject:
To add: if you want to connect to clients on your LAN from another subnet, then take care of the firewall settings of the client.
Most clients have their own firewall which only allows connections from their own subnet and not from a foreign subnet.

Alternatively on the router NAT traffic coming out from br0 e.g.
Code:
iptables -t nat -I POSTROUTING -o br0 -s 192.168.0.0/16 -j MASQUERADE


Instead of 192.168.0.0/16 you can make two rules with the subnets of the other routers.

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Mon Jun 20, 2022 15:42    Post subject:
Another thing that can help:
On the WNDR4500, in Allowed IPs use 172.16.0.0/24 instead of 172.16.0.1/32.

radoslavv
DD-WRT Novice


Joined: 23 Aug 2013
Posts: 10
Location: Slovakia

PostPosted: Wed Jun 22, 2022 7:42    Post subject:
@dale_gribble39
1. Upgrade.
Why? Is there some relevant FIX?
Btw, I tried r49197 but had issues with the Setup->Tunnels texts in the page -> Undefined.
2. Read.
Thx, I was not aware of the history & changes overview.
3. Do you have webUI access disabled over wifi in your configuration?
YES

@Per Yngve Berg
4. Disable the 2019 Mitigation.
Disabled both master R6700 and slave WNDR4500 routers.
Did NOT help.

@egc
5. MTU is too high, maximum is 1440.
(do not use IPv6)
5.1 MTU changed 1460->1360 on both master R6700 and slave WNDR4500 and it HELPed. So I investigated.
5.2 master R6700 MTU=1460 WNDR4500 MTU=1360 still working
5.3 master R6700 MTU=1460 WNDR4500 MTU=1441-1460 NOT working
5.4 master R6700 MTU=1460 WNDR4500 MTU=1440 working
Hope this will help also other dd-wrt users.
However, I do not understand why there was not the same issue with the 2nd slave R6700 but only with the WNDR4500...
Seems like some HW limitation (HW packet buffer size on the WNDR4500) or an undiscovered bug.

@all
Thank you for the advice.
I did not investigate other options as lowering the MTU helped.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Wed Jun 22, 2022 8:14    Post subject:
All new builds default to a maximum of 1440, and if you have IPv6 and/or PPPoE enabled it will be set even lower automatically.

That is why it is important to upgrade to the latest build and reset to defaults after upgrading.

If you see "Undefined" then there are new or changed GUI options and you have to clear your browser cache: CTRL + F5

Anyway, glad it is solved.

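The numbers in egc's MTU advice and in radoslavv's measurements (a maximum of 1440, lower again with IPv6 or PPPoE, the 1441-vs-1440 boundary on the WNDR4500, and the `mss 1420` advertised in the captures while the tunnel MTU was 1460) all follow from WireGuard's fixed per-packet overhead. The Python below is an added example, not from this thread and not DD-WRT code, that works that budget through. The header sizes are WireGuard's data-message layout and the standard IP/UDP/TCP headers; the 1500-byte Ethernet link MTU and the 8-byte PPPoE overhead are standard values assumed here, and the `outer` and `pppoe` parameters are this example's own names.

```python
# Added example: WireGuard encapsulation budget worked through for an Ethernet uplink.
# Constants are protocol header sizes; 1500 (Ethernet) and 8 (PPPoE) are assumed defaults.
OUTER_IP = {"ipv4": 20, "ipv6": 40}   # outer IP header carrying the WireGuard UDP datagram
UDP_HEADER = 8
WG_DATA_HEADER = 16                    # type(1) + reserved(3) + receiver index(4) + counter(8)
POLY1305_TAG = 16                      # ChaCha20-Poly1305 authentication tag
PPPOE_OVERHEAD = 8                     # PPPoE session header (6) + PPP protocol id (2)
INNER_IPV4_TCP = 40                    # IPv4 (20) + TCP (20) headers of the packet inside the tunnel


def wireguard_overhead(outer="ipv4"):
    """Bytes WireGuard adds around every encapsulated packet: 60 for IPv4, 80 for IPv6."""
    return OUTER_IP[outer] + UDP_HEADER + WG_DATA_HEADER + POLY1305_TAG


def usable_link_mtu(link_mtu=1500, pppoe=False):
    """What the uplink can carry in one IP packet once PPPoE framing is taken off."""
    return link_mtu - (PPPOE_OVERHEAD if pppoe else 0)


def max_tunnel_mtu(link_mtu=1500, outer="ipv4", pppoe=False):
    """Largest tunnel (oet1) MTU whose full-size packets still fit the uplink unfragmented."""
    return usable_link_mtu(link_mtu, pppoe) - wireguard_overhead(outer)


def outer_size(inner_packet_len, outer="ipv4"):
    """Size of the UDP datagram on the wire for one inner packet.
    WireGuard pads the plaintext to a multiple of 16 but clamps that padding at the
    tunnel MTU, so a full-size inner packet grows by exactly the fixed overhead."""
    return inner_packet_len + wireguard_overhead(outer)


def inner_packet_fits(inner_packet_len, link_mtu=1500, outer="ipv4", pppoe=False):
    """True when the encapsulated packet needs no IP fragmentation on the uplink."""
    return outer_size(inner_packet_len, outer) <= usable_link_mtu(link_mtu, pppoe)


def tcp_mss_for(tunnel_mtu):
    """MSS a host behind the tunnel advertises for a plain IPv4/TCP flow."""
    return tunnel_mtu - INNER_IPV4_TCP


def tcp_payload_fits(payload_len, tunnel_mtu, link_mtu=1500, outer="ipv4", pppoe=False):
    """Does a TCP segment with this payload survive encapsulation without fragmentation?"""
    inner = payload_len + INNER_IPV4_TCP
    return inner <= tunnel_mtu and inner_packet_fits(inner, link_mtu, outer, pppoe)


if __name__ == "__main__":
    for outer in ("ipv4", "ipv6"):
        for pppoe in (False, True):
            print(f"outer {outer}, pppoe={pppoe}: max tunnel MTU {max_tunnel_mtu(1500, outer, pppoe)}")
    # Reproduce the thread's observations: 1441 fails, 1440 works, MSS 1420 at tunnel MTU 1460
    print("tunnel MTU 1441 fits:", inner_packet_fits(1441), " 1440 fits:", inner_packet_fits(1440))
    print("MSS at tunnel MTU 1460:", tcp_mss_for(1460))
    print("1420-byte payload at MTU 1460 fits:", tcp_payload_fits(1420, 1460),
          " 374-byte:", tcp_payload_fits(374, 1460))
```

WireGuard's own default interface MTU of 1420 is the IPv6-outer figure from this table, and the 1440 cap egc mentions is the IPv4-outer one, so a peer reached over an IPv6 endpoint needs the lower value. With the tunnel at 1460, a 1420-byte TCP payload becomes a 1520-byte UDP datagram that a 1500-byte uplink can only carry fragmented, which is exactly the packet class that vanished in the captures, while a 374-byte payload needs only 474 bytes and goes through.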