czsmith
5
root@CameraRouter:~# ip route list table all
default via 10.86.1.1 dev eth0.1 table 1
default via 10.86.1.1 dev eth0.1 proto static metric 10
10.86.1.0/24 dev eth0.1 proto static scope link metric 10
10.86.5.0/24 dev br-lan proto kernel scope link src 10.86.5.2
10.89.5.0/24 dev wg0 proto kernel scope link src 10.89.5.1
broadcast 10.86.1.0 dev eth0.1 table local proto kernel scope link src 10.86.1.4
local 10.86.1.4 dev eth0.1 table local proto kernel scope host src 10.86.1.4
broadcast 10.86.1.255 dev eth0.1 table local proto kernel scope link src 10.86.1.4
broadcast 10.86.5.0 dev br-lan table local proto kernel scope link src 10.86.5.2
local 10.86.5.2 dev br-lan table local proto kernel scope host src 10.86.5.2
broadcast 10.86.5.255 dev br-lan table local proto kernel scope link src 10.86.5.2
broadcast 10.89.5.0 dev wg0 table local proto kernel scope link src 10.89.5.1
local 10.89.5.1 dev wg0 table local proto kernel scope host src 10.89.5.1
broadcast 10.89.5.255 dev wg0 table local proto kernel scope link src 10.89.5.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
fded:72ff:6602:10::/64 dev br-lan proto static metric 1024 pref medium
unreachable fded:72ff:6602::/48 dev lo proto static metric 2147483647 error -148 pref medium
fe80::/64 dev ra0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.1 proto kernel metric 256 pref medium
fe80::/64 dev apcli0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fded:72ff:6602:10:: dev br-lan table local proto kernel metric 0 pref medium
local fded:72ff:6602:10::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev ra0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev apcli0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.1 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
local fe80::e495:6eff:fe05:b52c dev apcli0 table local proto kernel metric 0 pref medium
local fe80::e695:6eff:fe45:b52c dev ra0 table local proto kernel metric 0 pref medium
local fe80::e695:6eff:fe45:b52c dev eth0 table local proto kernel metric 0 pref medium
local fe80::e695:6eff:fe45:b52c dev eth0.1 table local proto kernel metric 0 pref medium
local fe80::e695:6eff:fe45:b52c dev br-lan table local proto kernel metric 0 pref medium
ff00::/8 dev ra0 table local metric 256 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev br-lan table local metric 256 pref medium
ff00::/8 dev eth0.1 table local metric 256 pref medium
ff00::/8 dev apcli0 table local metric 256 pref medium
ff00::/8 dev wg0 table local metric 256 pref medium
root@CameraRouter:~# ip route get 10.89.5.4
10.89.5.4 dev wg0 src 10.89.5.1 uid 0
cache
root@CameraRouter:~# ip route get 10.89.5.4 from 10.86.5.157 iif eth0.5
10.89.5.4 from 10.86.5.157 dev wg0
cache iif eth0.5
I am not sure just how to disable the firewall, except by going into LUCI and setting all routing policies for "ACCEPT. Right now, however, only the WAN (-> LAN, ->Guest and ->Wireguard) has REJECT as the default in/out/forward policy. All others are ACCEPT.
For yucks, here’s the output of “ip rule list”
root@CameraRouter:~# ip rule list
0: from all lookup local
1001: from all iif eth0.1 lookup main
2001: from all fwmark 0x100/0x3f00 lookup 1
2061: from all fwmark 0x3d00/0x3f00 blackhole
2062: from all fwmark 0x3e00/0x3f00 unreachable
32766: from all lookup main
32767: from all lookup default
Attached are iptables -L and iptables -S outputs… Detailed IPTABLES.zip (11.3 KB)
One last point to reiterate from the OP - pinging the router (10.86.5.2) DOES correctly route the result back. Only forwarded ICMP responses are being misrouted. This makes me suspicious that the problem is some difference in the iptables between the INPUT or OUTPUT chains and the FORWARD chains.
