3006.102.3 RT-BE88U as WireGuard client. No Internet connection after reboot.

biker3

Occasional Visitor
Hi,
I've got a problem every time I reboot the device if I have a WireGuard client configured.
Please, does anyone have this device and use it with the latest version of Merlin as a WireGuard client?
As I have described in this post in the Asuswrt-Merlin 3006.102.3 release thread, when I reboot this device, all devices on the LAN stay without an internet connection until I modify some Firewall parameter (for example, toggling Enable Firewall or Enable DoS protection). I've found that this adds some rules to iptables that are not there when the router has just rebooted, and I think their absence is preventing the devices from accessing the Internet.
This happens to me against a WireGuard server on a RT-AX86U or even ProtonVPN.
Best regards
 
While I don't have your router model nor firmware, it does indeed sound like a firmware issue, and since you reported it in the release thread I'm sure @RMerlin is all over it.

However, since this does not appear to be a widespread issue is it possible you are using some feature that others typically don't?

This fw is fairly new and lots of things have changed. The thing with asus-wrt is that it flushes Firewall rules and rebuilds them on some occasions. Perhaps your setup ends up with a firewall flush at the same time as wg starts?

You could always re-add your rules in a custom script to fix this temporarily.

Is it only filter rules that are missing or also nat rules?
 
Thank you for your reply ZebMcKayhan.
The only less typical functionality I'm using is In-a-dyn, in addition to Let's Encrypt VPN Director and OpenVPN (I'm using OVPN due to this problem with WireGuard).
I don't know what you're talking about regarding wg rules. I haven't modified anything, but it might be doing an extra flush. So when I change an option in the Firewall section, asus-wrt reloads them with good results.
I've just tried to add the rules manually, but I can't get an Internet connection from the devices until I switch something in the Firewall section. I've even tried to add different rules not related to WireGuard, like log packets, but no success.
Regarding "Perhaps your setup ends up with a firewall flush simultaneous as wg starts?": how can I know that?
About NAT rules you're right! If I compare just rebooted and after switching something in the Firewall section, I also find differences:

Just rebooted:
Code:
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DNSFILTER
-N DNSVPN1
-N PUPNP
-N VSERVER
-N VUPNP
-A PREROUTING -p tcp -m tcp --dport 53 -j DNSVPN1
-A PREROUTING -p udp -m udp --dport 53 -j DNSVPN1
-A PREROUTING ! -d 192.168.50.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.50.1:18017
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.50.1:18018
-A POSTROUTING ! -s 10.6.0.5/32 -o wgc1 -j MASQUERADE
-A POSTROUTING -o tun11 -j MASQUERADE
-A POSTROUTING -s 192.168.53.0/24 -d 192.168.53.0/24 -o br52 -j MASQUERADE
-A POSTROUTING -s 192.168.50.0/24 -d 192.168.50.0/24 -o br0 -j MASQUERADE
-A POSTROUTING -s 192.168.52.0/24 -d 192.168.52.0/24 -o br55 -j MASQUERADE

After switch something in Firewall section:
Code:
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DNSFILTER
-N DNSVPN1
-N GAME_VSERVER
-N LOCALSRV
-N MAPE
-N PCREDIRECT
-N PUPNP
-N VPN_FUSION
-N VSERVER
-N VUPNP
-A PREROUTING -p tcp -m tcp --dport 53 -j DNSVPN1
-A PREROUTING -p udp -m udp --dport 53 -j DNSVPN1
-A PREROUTING -d <MY_PUBLIC_IP> -j GAME_VSERVER
-A PREROUTING -d <MY_PUBLIC_IP> -j VSERVER
-A POSTROUTING ! -s 10.6.0.5/32 -o wgc1 -j MASQUERADE
-A POSTROUTING -o tun11 -j MASQUERADE
-A POSTROUTING -o eth0 -j PUPNP
-A POSTROUTING ! -s <MY_PUBLIC_IP> -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.53.0/24 -d 192.168.53.0/24 -o br52 -j MASQUERADE
-A POSTROUTING -s 192.168.50.0/24 -d 192.168.50.0/24 -o br0 -j MASQUERADE
-A POSTROUTING -s 192.168.52.0/24 -d 192.168.52.0/24 -o br55 -j MASQUERADE
-A LOCALSRV -p udp -m udp --dport 563 -j ACCEPT
-A VSERVER -j VUPNP

Maybe I should try to manually enter the NAT rules as well (along with the filter rules), to see if it works with both types and then automate it in a script.

Regards
 
Maybe I should try to manually enter the NAT rules as well (along with the filter rules), to see if it works with both types and then automate it in a script.
Yep, all is needed.

388 fw prepared all wgcX rules in 2 script files here:
Code:
/etc/wg/fw_wgc1.sh
/etc/wg/fw_wgc1_nat.sh
This is so the fw could easily rerun these files when the firewall flushes, without having to restart wg entirely. If you still have these, look inside and if all is good you could execute them to get everything added again.
 
Hi, I have the same router, with the same firmware, and I have a WireGuard client configured. I do not experience the loss of internet connectivity for my LAN devices after rebooting. My WG client is connected to NordVPN 24/7. As to router configuration, I have separate SSIDs for 2.4 and 5 GHz for the main network, a custom SDN VLAN for my IoT devices and a VPN SDN VLAN that my WG client is assigned to. There are four scripts present in /etc/wg: dns1.sh, fw_wgc1.sh, fw_wgc1_nat.sh, and fw_wgc1_sdn5.sh. All of which add various rules to iptables/ip6tables. Hope this info helps in identifying the issue that you're experiencing.
 
Look at the syslog from boot about what is happening just before or after wg peer starts.

Another way would be to put a syslog logger entry in firewall-start and nat-start script as these are executed after a flush.
https://github.com/RMerl/asuswrt-merlin.ng/wiki/User-scripts
Both scripts aren't called if I disable or enable WireGuard client.
And if I disable WireGuard I can't recover Internet for LAN devices.
E.g. after rebooting:
Code:
Dec 31 19:01:05 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Dec 31 19:01:05 habitacion: firewall-start
Dec 31 19:01:05 dnsmasq-dhcp[3780]: DHCPREQUEST(br0) 192.168.50.168 be:0a:50:04:90:d7
...
Dec 31 19:01:05 dnsmasq-script[3780]: json_object_from_file: error opening file /jffs/nmp_vc_json.js: No such file or directory
Dec 31 19:01:06 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Dec 31 19:01:06 habitacion: firewall-start
...
Dec 31 19:01:10 dnsmasq[3780]: using nameserver 127.0.1.1#53
Dec 31 19:01:10 dnsmasq[3780]: using only locally-known addresses for mask-h2.icloud.com
Dec 31 19:01:10 dnsmasq[3780]: using only locally-known addresses for mask.icloud.com
Dec 31 19:01:10 dnsmasq[3780]: using only locally-known addresses for _dns.resolver.arpa
Dec 31 19:01:10 dnsmasq[3780]: using only locally-known addresses for use-application-dns.net
Dec 31 19:01:10 dnsmasq[3780]: using only locally-known addresses for chale
Dec 31 19:01:10 habitacion: firewall-start
Dec 31 19:01:10 dnsmasq[3788]: read /etc/hosts - 22 names
...
Dec 31 19:01:15 WireGuard: Unable to start clients as NTP not synced yet, retrying later
...
Mar 13 00:06:00 rc_service: service 7238:notify_rc restart_wgc
Mar 13 00:06:00 kernel: wireguard: WireGuard 1.0.20220627 loaded. See www.wireguard.com for information.
Mar 13 00:06:00 kernel: wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
Mar 13 00:06:00 kernel: Assigning idx[66] for wgc1
Mar 13 00:06:00 kernel: blog_get_dstentry_by_id:dstid[322] match fails entry.dstid[450]
Mar 13 00:06:00 vpndirector: Routing example from any to 192.168.60.0/24 through wgc1
Mar 13 00:06:00 dnsmasq[3780]: read /etc/hosts - 24 names
Mar 13 00:06:00 dnsmasq[3780]: using nameserver 127.0.1.1#53
Mar 13 00:06:00 dnsmasq[3780]: using only locally-known addresses for mask-h2.icloud.com
...
Mar 13 00:06:00 dnsmasq[3780]: using nameserver 127.0.1.1#53
Mar 13 00:06:00 dnsmasq[3780]: using only locally-known addresses for mask-h2.icloud.com
...
Mar 13 00:06:00 rc_service: waitting "restart_wgc"(last_rc:restart_wgc) via  ...
Mar 13 00:06:00 WireGuard: Starting client 1
Thanks @arewhy! Wonderful :)
I also have some VLANs.
If I compare filter and nat before and after switching something in the Firewall section I get:
Code:
*** filter_before    Thu Mar 13 00:20:08 2025
--- filter_after    Thu Mar 13 00:20:52 2025
***************
*** 137,149 ****
  -A SECURITY -j RETURN
  -A WGCF -o wgc1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  -A WGCF -o wgc1 -m set --match-set vpnc_ipset1 src -j ACCEPT
  -A WGCF -i wgc1 -m set --match-set vpnc_ipset1 dst -j ACCEPT
  -A WGCF -o wgc1 -j ACCEPT
  -A WGCF -i wgc1 -j DROP
- -A WGCF -i wgc1 -j DROP
  -A WGCF -o wgc1 -j DROP
  -A WGCI -i wgc1 -j DROP
  -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
  -A logaccept -j ACCEPT
  -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
  -A logdrop -j DROP
--- 137,148 ----
Code:
*** nat_before    Thu Mar 13 00:30:15 2025
--- nat_after    Thu Mar 13 00:21:11 2025
***************
*** 4,17 ****
  -P POSTROUTING ACCEPT
  -N DNSFILTER
  -N DNSVPN1
  -N PUPNP
  -N VSERVER
  -N VUPNP
  -A PREROUTING -p tcp -m tcp --dport 53 -j DNSVPN1
  -A PREROUTING -p udp -m udp --dport 53 -j DNSVPN1
! -A PREROUTING ! -d 192.168.50.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.50.1:18017
! -A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.50.1:18018
  -A POSTROUTING ! -s 10.6.0.5/32 -o wgc1 -j MASQUERADE
  -A POSTROUTING -s 192.168.53.0/24 -d 192.168.53.0/24 -o br52 -j MASQUERADE
  -A POSTROUTING -s 192.168.50.0/24 -d 192.168.50.0/24 -o br0 -j MASQUERADE
! -A POSTROUTING -s 192.168.52.0/24 -d 192.168.52.0/24 -o br55 -j MASQUERADE
\ No newline at end of file
--- 4,25 ----
  -P POSTROUTING ACCEPT
  -N DNSFILTER
  -N DNSVPN1
+ -N GAME_VSERVER
+ -N LOCALSRV
+ -N MAPE
+ -N PCREDIRECT
  -N PUPNP
+ -N VPN_FUSION
  -N VSERVER
  -N VUPNP
  -A PREROUTING -p tcp -m tcp --dport 53 -j DNSVPN1
  -A PREROUTING -p udp -m udp --dport 53 -j DNSVPN1
! -A PREROUTING -d <MY_PUBLIC_IP> -j GAME_VSERVER
! -A PREROUTING -d <MY_PUBLIC_IP> -j VSERVER
  -A POSTROUTING ! -s 10.6.0.5/32 -o wgc1 -j MASQUERADE
+ -A POSTROUTING -o eth0 -j PUPNP
+ -A POSTROUTING ! -s <MY_PUBLIC_IP> -o eth0 -j MASQUERADE
  -A POSTROUTING -s 192.168.53.0/24 -d 192.168.53.0/24 -o br52 -j MASQUERADE
  -A POSTROUTING -s 192.168.50.0/24 -d 192.168.50.0/24 -o br0 -j MASQUERADE
! -A POSTROUTING -s 192.168.52.0/24 -d 192.168.52.0/24 -o br55 -j MASQUERADE
! -A VSERVER -j VUPNP
\ No newline at end of file
In /etc/wg I have these four scripts:
/etc/wg/dns1.sh
Code:
#!/bin/sh
/usr/sbin/iptables -t nat -N DNSVPN1
/usr/sbin/iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -j DNSVPN1
/usr/sbin/iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j DNSVPN1
/etc/wg/fw_wgc1.sh
Code:
#!/bin/sh

echo 2 >> /proc/sys/net/ipv4/conf/wgc1/rp_filter
iptables -I WGCI -i wgc1 -j DROP
iptables -I WGCF -i wgc1 -j DROP
iptables -I WGCF -o wgc1 -j ACCEPT
ip6tables -I WGCI -i wgc1 -j DROP
ip6tables -I WGCF -i wgc1 -j DROP
ip6tables -I WGCF -o wgc1 -j ACCEPT
iptables -I WGCF -m set --match-set vpnc_ipset1 dst -i wgc1 -j ACCEPT
iptables -I WGCF -m set --match-set vpnc_ipset1 src -o wgc1 -j ACCEPT
iptables -I WGCF -o wgc1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
ip6tables -I WGCF -o wgc1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -I PREROUTING -i wgc1 -j MARK --or 0x1
iptables -t mangle -I POSTROUTING -o wgc1 -j MARK --or 0x1
ip6tables -t mangle -I PREROUTING -i wgc1 -j MARK --or 0x1
ip6tables -t mangle -I POSTROUTING -o wgc1 -j MARK --or 0x1
/etc/wg/fw_wgc1_nat.sh
Code:
#!/bin/sh

iptables -t nat -I POSTROUTING ! -s 10.6.0.5 -o wgc1 -j MASQUERADE
fw_wgc1_none.sh is empty.

If I run these scripts I can't recover Internet access for the LAN devices. I always need to switch something in the Firewall section.

After @arewhy's feedback I'm considering restoring settings, the JFFS partition... everything, and starting again with asus-wrt 3006.102.3 from scratch and with the minimum settings I need to use the WireGuard client.
 
I'm considering restore settings, JFFS partition,.. everything and start again with asus-wrt 3006.102.3 from scratch and with the minimum settings I need to use WireGuard client.
That may be a good idea. Please report back if it's successful or not.
 
That may be a good idea. Please report back if it's successful or not.
I've done a factory default/restore following RMerlin's guide from this thread and I've found the reason! Static IP in WAN (I paid for one).
I've discovered that with a minimal fresh install: 1 WiFi network, Static WAN IP and WireGuard client.
If I change from Static IP to Automatic IP and reboot (I get a dynamic IP, not my paid IP), the problem doesn't appear after boot. However, if I go back to Static IP and reboot, the problem appears after boot (and if I switch something in the Firewall section I recover Internet on the LAN devices).
I don't know the reason for this behavior. It's like the router doesn't refresh/apply the same settings in filter or nat or anything when it already knows the WAN IP at boot versus when it needs to get it from DHCP 🤯

@arewhy what do you have in WAN Connection Type?

 
I think you're on to something, my WAN connection type is Automatic IP.
 
I think you're on to something, my WAN connection type is Automatic IP.
Thank you. At least, thanks to your example, I was encouraged to restore the device and find the possible cause: the Static IP in WAN.

@ZebMcKayhan do you recommend anything to continue? Would I have to restore an Asus version and try? Could I report the error to Asus if I manage to replicate it?
Regards
 
Would I have to restore an Asus version and try? Could I report the error to Asus if I manage to replicate it?
Your call. If you have the time/energy it may be worth it. Or you could sit by and wait for the next version.

You could experiment with restarting services, i.e.
Code:
service "restart_wgc 1"
service restart_firewall
etc.
And see how you can restore it. Then put in appropriate user script, like wan_start something like
Code:
sleep 30
service xyz
 
Thank you for your idea!
I've just created a wan-event script in case of init event:
Bash:
#!/bin/sh
if [ "$2" = "init" ]; then
        logger "waiting 30s to restart firewall"
        sleep 30
        logger "restarting firewall to fix problem related with WireGuard and Static IP"
        service restart_firewall
fi
I've tested it and it works fine both after reboot and in case the connection is cut and then re-established.
This error is interesting. The init event occurs before WireGuard establishes connection, but the workaround works!
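The wan-event workaround above restarts the firewall unconditionally after a fixed 30 s. As an added example (not the poster's script and not part of the firmware), here is a variant that first checks whether the WAN POSTROUTING masquerade rule, which the nat diff earlier in the thread shows is present only after the firewall rebuild, is actually missing, and only then restarts the firewall, logging what it found. It assumes the WAN interface is eth0 (as in the thread's logs and diff), that the firmware invokes the hook as `wan-event <wan_unit> <event>` with the event name in `$2` (the thread's script relies on the same), and that `iptables -t nat -S`, `logger` and `service restart_firewall` are available on the router. The `wan_nat_missing` and `rebuild_chains_present` helpers read a rule dump on stdin so they can be exercised offline against saved `iptables -t nat -S` output.

```shell
#!/bin/sh
# Added example, not the thread's own wan-event script: restart the firewall
# only when the WAN masquerade rule is really absent after boot.
# Assumptions: WAN interface eth0; hook called as "wan-event <wan_unit> <event>";
# iptables, logger and the service command exist on the router.

WAN_IF="${WAN_IF:-eth0}"

# Read an `iptables -t nat -S` dump on stdin. Succeeds (returns 0) when the
# POSTROUTING masquerade rule for the WAN interface is NOT present, i.e. LAN
# traffic towards the WAN would have no source NAT.
wan_nat_missing() {
    ! grep -q -- "^-A POSTROUTING .*-o $WAN_IF -j MASQUERADE"
}

# Print how many of the nat chains that only exist after a firewall rebuild
# (the names come from the thread's nat diff) are defined in the dump on stdin.
rebuild_chains_present() {
    n=$(grep -c -E -- '^-N (GAME_VSERVER|LOCALSRV|MAPE|PCREDIRECT|VPN_FUSION)$') || n=0
    echo "$n"
}

# Poll the live nat table for up to $1 seconds. If the WAN masquerade rule is
# still missing when the time is up, log the state and restart the firewall once.
fix_if_needed() {
    remaining=${1:-30}
    while [ "$remaining" -gt 0 ]; do
        if ! iptables -t nat -S | wan_nat_missing; then
            logger "wan-event: WAN masquerade rule present, no firewall restart needed"
            return 0
        fi
        sleep 5
        remaining=$((remaining - 5))
    done
    chains=$(iptables -t nat -S | rebuild_chains_present)
    logger "wan-event: WAN masquerade rule still missing ($chains/5 rebuild chains present), restarting firewall"
    service restart_firewall
}

# Hook entry point: act only on the "init" event, as the thread's script does.
if [ "$2" = "init" ]; then
    fix_if_needed 30
fi
```

Saved as /jffs/scripts/wan-event, this behaves like the original workaround when the rules really are missing, but stays quiet (and leaves a syslog line explaining why) on a boot where the firmware has already rebuilt them, which makes it easier to see from the log whether the underlying firmware issue is still present after an update.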
 
This error is interesting. The init event occurs before WireGuard establishes connection, but the workaround works!
Some of these hook scripts are called to execute in the background (not all though), so the system continues to boot after calling it, even if it has not completed. Set a sleep time long enough that everything else should be up and running, and you have your desired function.

Thanks for sharing!
 