Switch inter-vlan routing with only WAN traffic going to a firewall

[Nikotine]

I have a Brocade ICX 6450 with router firmware.
There are two VLANs 9 and 100.
Both have a tagged port 1/1/1 that goes to an OpenWRT router.
The OpenWRT router serves as DHCP server and firewall to WAN.



I have been struggling for weeks now to configure this correctly.

What I want:

1. inter-vlan routing on the Brocade L3 switch (not the OpenWRT router!!!). A device in 10.25.9.0/24 can talk to 10.25.100.0/24 directly, without going via the OpenWRT router.
2. when a device wants to reach the internet, go via 1/1/1 to the OpenWRT router who will then be the firewall to WAN

Problem:
I only can get one or the other to work: either inter-vlan routing in the switch works, but then it doesn't find a route to the internet; or everything passes via OpenWRT but then I don't make use of the routing capability of the switch...

This is my ICX 6450 config:

ICX6450-48P-Router(config)#sh run
Current configuration:
!
ver 08.0.30tT313
!
stack unit 1
  module 1 icx6450-48p-poe-port-management-module
  module 2 icx6450-sfp-plus-4port-40g-module
!
global-stp
!
!
!
vlan 9 name main by port
tagged ethe 1/1/1
untagged ethe 1/1/2 to 1/1/36
router-interface ve 9
!
vlan 100 name IPcams by port
tagged ethe 1/1/1
untagged ethe 1/1/37 to 1/1/48
router-interface ve 100
!
vlan 4095 name DEFAULT-VLAN by port
router-interface ve 4095
!
!
!
!
!
aaa authentication web-server default local
aaa authentication enable default local
aaa authentication login default local
default-vlan-id 4095
enable telnet authentication
hostname ICX6450-48P-Router
ip dhcp-client disable
!
mirror-port ethernet 1/1/1
!
no telnet server
username root password .....
snmp-server community ..... ro
!
!
clock summer-time
clock timezone gmt GMT+01
!
!
ntp
disable serve
server 10.25.9.1
!
!
web-management https
web-management refresh front-panel 30
web-management session-timeout 3600
!
!
!
interface ethernet 1/1/2
mon ethe 1/1/1 both
!
interface ve 9
ip address 10.25.9.2 255.255.255.0
!
interface ve 100
ip address 10.25.100.2 255.255.255.0
!
interface ve 4095
!
!
!
!
!
!
!
!
!
end

What I have tried:

1. Using DHCP option 3 in OpenWRT, I have explicitly given the IP address of the virtual interface on the switch e.g. for VLAN 9, I give clients 10.25.9.2 as gateway. This enables inter-vlan routing in the switch, but there is no route to the OpenWRT router for WAN
2. Using DHCP option 3 in OpenWRT, give DHCP clients both the IP address of the virtual interface on the switch AND the interface in OpenWRT:
   
   This actually works for Windows clients, they happilly take both gateways. But a Raspberry Pi doesn't seem to like it.
3. Set no special option for DHCP, but then ALL traffic goes to the OpenWRT router, so no more inter-vlan routing in the switch
4. Add a default route in the Brocade:

   ip route 0.0.0.0/0 10.25.9.1

   Problem: traffic that should have gone via VLAN 100 now arrives the router via VLAN 9, hence the firewall rules get messed up.
5. Add a default network:

   ip default-network 10.25.9.0/24

   . Doesn't work.

Please help me find the right settings

 

[kapone]

Option 1 would be the right way to configure things, when there's a layer 3 switch involved AND you've a tagged/untagged interface on each VLAN that is hooked to your DHCP/DNS server. With this option, inter-vlan routing stays at the switch level.

So...now we address the WAN. What we want ideally, is a transit type setup in addition to our configuration above, so that the default route at the switch can point to that transit net. So...

- Create a TRANSIT VLAN on the Brocade. Add a port (that is not in ANY other VLAN) as untagged to this VLAN. (It can be done as tagged as well, nut that's a slightly more complicated config).
- Give it an IP address that is completely different from the rest of your IP address space. Since you're using 10.x.x.x for your network, use 172.16.1.x for this VLAN. There's only going to be two devices on this VLAN. Your switch and your router (point to point).
- Connect one more port (do you have extra ports on the OpenWRT router?) from the OpenWRT to the brocade on the same port that was added to the TRANSIT VLAN above. Give it a static IP in the 172.16.1.x space on the OpenWRT.

So you should have (as an e.g.) for the TRANSIT VLAN - switch is at 172.16.1.1 and the OpenWRT is at 172.16.1.2.
- Run ping tests from the switch to see if it can talk to 172.16.1.2
- Run ping tests from the OpenWRT to see if it can talk to 172.16.1.1

Report back.

 

[Nikotine]

Hi Kapone. But will firewall rules on the OpenWRT router still work when traffic comes from the transit VLAN?
They are simple: VLAN9 traffic can be forwarded to WAN, but VLAN100 not.

I'm trying to avoid having ACL on the switch because of how easy the firewall is on OpenWRT.

 

[kapone]

Yes they will

 

[Nikotine]

Ok, I have created a new transit VLAN on the switch and OpenWRT.
To be clear, do you want me to run a second cable to a port on the OpenWRT router, like this?
I currently don't have one free, but I can shift things around.



If you could please confirm this, then I'll post my ping results.

My current switch config is this:

ICX6450-48P-Router(config)#sh run
Current configuration:
!
ver 08.0.30tT313
!
stack unit 1
  module 1 icx6450-48p-poe-port-management-module
  module 2 icx6450-sfp-plus-4port-40g-module
!
global-stp
!
!
!
vlan 9 name main by port
tagged ethe 1/1/1
untagged ethe 1/1/3 to 1/1/36
router-interface ve 9
!
vlan 100 name IPcams by port
tagged ethe 1/1/1
untagged ethe 1/1/37 to 1/1/48
router-interface ve 100
!
vlan 172 name TRANSIT by port
untagged ethe 1/1/2
router-interface ve 172
!
vlan 4095 name DEFAULT-VLAN by port
router-interface ve 4095
!
!
!
!
!
aaa authentication web-server default local
aaa authentication enable default local
aaa authentication login default local
default-vlan-id 4095
enable telnet authentication
hostname ICX6450-48P-Router
ip dhcp-client disable
!
no telnet server
username root password .....
snmp-server community ..... ro
!
!
clock summer-time
clock timezone gmt GMT+01
!
!
ntp
disable serve
server 10.25.9.1
!
!
web-management https
web-management refresh front-panel 30
web-management session-timeout 3600
!
!
!
interface ve 9
ip address 10.25.9.2 255.255.255.0
!
interface ve 100
ip address 10.25.100.2 255.255.255.0
!
interface ve 172
ip address 172.16.1.1 255.255.255.0
!
interface ve 4095
!
!
!
!
!
!
!
!
!
end

 

[kapone]

I only mentioned a second port, to keep it simple initially. Eventually it can all be done on a single port. And yes, your switch config looks fine.

 

[coxhaus]

Just looking at your diagram it seems to me it appears OpenWRT is doing all the routing because you have VLAN networks defined on OpenWRT. Your L3 switch is just doing L2 to OpenWRT at least for all the networks defined on OpenWRT. I have no experience with either OpenWRT or Brocade as I used Cisco for many years.

You could probably test it by using the Brocade IP address as your default gateway for your clients in the networks. Each VLAN network will have an IP address on the Brocade. Use that IP address for client's gateway IP address. If you only have an IP address for each VLAN on OpenWRT and it is the gateway then Open WRT is doing layer 3 for the VLAN.

I just found where you are using the Brocade IP address 10.25.9.2. When you route you need a different IP network to route to otherwise, I would think you are doing layer 2.

I create what I call a router VLAN network that is defined with one port on the switch and I just one port on the router. I have used both a class C and a point-to-point network. They both work. For DHCP I used Microsoft DHCP and Cisco's IP helper address, which is kind of like DHCP relay when I did not use DHCP on the L3 switch. I have no idea whether you can do the same thing with OpenWRT DHCP.

I would not think you would need a second untagged VLAN port. Untagged traffic is passed to the default VLAN if not tagged at the port and is not layer 3.

I would think if you are doing DHCP within a VLAN then it is layer 2.

 

[Nikotine]

@kapone, ok attached as such.
OpenWRT can ping switch:

root@WRT1900AC:~# ping 172.16.1.1
PING 172.16.1.1 (172.16.1.1): 56 data bytes
64 bytes from 172.16.1.1: seq=0 ttl=64 time=0.903 ms
64 bytes from 172.16.1.1: seq=1 ttl=64 time=0.865 ms
64 bytes from 172.16.1.1: seq=2 ttl=64 time=0.859 ms

And switch can ping OpenWRT:

ICX6450-48P-Router#ping 172.16.1.2
Sending 1, 16-byte ICMP Echo to 172.16.1.2, timeout 5000 msec, TTL 64
Type Control-c to abort
Reply from 172.16.1.2      : bytes=16 time=2ms TTL=64
Success rate is 100 percent (1/1), round-trip min/avg/max=2/2/2 ms.

@coxhaus, I had to create the interfaces in OpenWRT because otherwise DHCP won't work, but I'm sending DHCP option 3 to tell clients to use the switch virtual interfaces as router.

 

[kapone]

@kapone, ok attached as such.
OpenWRT can ping switch:

root@WRT1900AC:~# ping 172.16.1.1
PING 172.16.1.1 (172.16.1.1): 56 data bytes
64 bytes from 172.16.1.1: seq=0 ttl=64 time=0.903 ms
64 bytes from 172.16.1.1: seq=1 ttl=64 time=0.865 ms
64 bytes from 172.16.1.1: seq=2 ttl=64 time=0.859 ms

And switch can ping OpenWRT:

ICX6450-48P-Router#ping 172.16.1.2
Sending 1, 16-byte ICMP Echo to 172.16.1.2, timeout 5000 msec, TTL 64
Type Control-c to abort
Reply from 172.16.1.2      : bytes=16 time=2ms TTL=64
Success rate is 100 percent (1/1), round-trip min/avg/max=2/2/2 ms.

@coxhaus, I had to create the interfaces in OpenWRT because otherwise DHCP won't work, but I'm sending DHCP option 3 to tell clients to use the switch virtual interfaces as router.

Good. They can talk to each other. (although your ping from the switch-->openwrt seems to be slow. 2ms...we'll address it later.

Now, we need a route on the TRANSIT interface (172.16.1.2) in OpenWrt that will allow it to talk to the 10.25.x.x network over the TRANSIT interface (not on the individual VLANs that you've already defined for DHCP). This should look something like:

config route
option interface 'transit' <-- assuming this is what you named it in OpenWrt, or replace with whatever you named it.
option target '10.25.0.0/16'
option gateway '172.16.1.1'

Set that up, and now try to ping 172.16.1.2 from a device on one of the VLANs. See if the ping returns.

 

[Nikotine]

1. Do I still keep this as DHCP option 3? Or only the virtual interface on the swith i.e. 10.25.9.2 for VLAN 9 and 10.25.100.2 for VLAN 100?


2. Do you want me to set this route on the switch as well?

ip route 0.0.0.0/0 172.16.1.2

About the high ping from switch to OpenWRT, by default the switch only pings once.
When I do it more times, the ping is actually lower:

ICX6450-48P-Router#ping 172.16.1.2 count 10
Sending 10, 16-byte ICMP Echo to 172.16.1.2, timeout 5000 msec, TTL 64
Type Control-c to abort
Reply from 172.16.1.2      : bytes=16 time=2ms TTL=64
Reply from 172.16.1.2      : bytes=16 time<1ms TTL=64
Reply from 172.16.1.2      : bytes=16 time<1ms TTL=64
Reply from 172.16.1.2      : bytes=16 time<1ms TTL=64
Reply from 172.16.1.2      : bytes=16 time<1ms TTL=64
Reply from 172.16.1.2      : bytes=16 time<1ms TTL=64
Reply from 172.16.1.2      : bytes=16 time<1ms TTL=64
Reply from 172.16.1.2      : bytes=16 time<1ms TTL=64
Reply from 172.16.1.2      : bytes=16 time<1ms TTL=64
Reply from 172.16.1.2      : bytes=16 time<1ms TTL=64
Success rate is 100 percent (10/10), round-trip min/avg/max=0/0/2 ms.

 

[kapone]

Disable DHCP on the TRANSIT interface. Keep it on the other interfaces (with DHCP Option 3) which are tagged into your individual VLANs.

Do not put a default route in yet. We're jumping steps...

 

[Nikotine]

Yes, DHCP is off for VLAN 172.
My question is should option 3 for the other two VLANs be 3,10.25.9.2,10.25.9.1 or just 3,10.25.9.2.
My understanding is that the ping will have to find its way out of VLAN x on the switch, via transit VLAN 172 to the OpenWRT router, so I want to make sure I don't give clients wrong DHCP options

 

[kapone]

Your DHCP IP address will be on a different VLAN that has no clue where the 172.16.x.x IP is. It doesn't matter what the device's IP is in that VLAN, when we try to ping 172.16.x.x the switch will route it over the transit link.

That's exactly what I was trying to test, to see if the switch<-->OpenWrt routing works correctly on the transit link.

 

[kapone]

My question is should option 3 for the other two VLANs be 3,10.25.9.2,10.25.9.1 or just 3,10.25.9.2.

Argh, sorry, just re-read your statement. Keep it as 3,10.25.9.2 Do not give out the OpenWrt IP as the gateway.

 

[Nikotine]

Ok, I kept only 3,10.25.9.2 as DHCP option for VLAN 9 (and 10.25.100.2 for VLAN 100).
I then added a static route on OpenWRT, as instructed above.

I can ping 172.16.1.2 from a device connected to the switch:

pi@rpi3-sdr:~ $ ping 172.16.1.2
PING 172.16.1.2 (172.16.1.2) from 10.25.9.229 enxb827eb45a8ec: 56(84) bytes of data.
64 bytes from 172.16.1.2: icmp_seq=1 ttl=64 time=3.87 ms
64 bytes from 172.16.1.2: icmp_seq=2 ttl=64 time=0.558 ms
64 bytes from 172.16.1.2: icmp_seq=3 ttl=64 time=0.574 ms
64 bytes from 172.16.1.2: icmp_seq=4 ttl=64 time=0.545 ms
^C
--- 172.16.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 113ms
rtt min/avg/max/mdev = 0.545/1.387/3.872/1.434 ms
pi@rpi3-sdr:~ $ traceroute 172.16.1.2
traceroute to 172.16.1.2 (172.16.1.2), 30 hops max, 60 byte packets
1  10.25.9.2 (10.25.9.2)  1.301 ms  1.717 ms  2.134 ms
2  172.16.1.2 (172.16.1.2)  0.580 ms  0.457 ms  0.532 ms

 

[kapone]

Excellent!

1. Now add the default route on the switch - ip route 0.0.0.0/0 172.16.1.2
2. Try to access the internet from a device on one of the VLANs - it'll fail.
3. Add a firewall rule on the OpenWrt TRANSIT interface to ALLOW access ONLY for the VLAN that you want internet access for, but we're going to use a CIDR notation for the rule, not an interface.

It'll look something like this:
config rule
option src 'transit'
option dest 'wan'
option src_ip '10.25.x.x/24' <--replace with the IP details of the VLAN
option target 'ACCEPT'
option name 'Allow-WAN-For-10-25-X-X' <--replace with the IP details of the VLAN
option enabled '1'

Now, your internet should work on the selected VLAN and going over the TRANSIT link.

 

[kapone]

Second test - for inter-vlan routing on the switch only.

Take two devices on two separate VLANs,
give them static IPs (just to eliminate DHCP issues), make sure you use the switch VE address as the gateway IP (the same one that you used in DHCP option 3).
shut down the OpenWrt,
try transferring data from one device to the other using IP addresses only. (DNS will not work)

If the inter-vlan routing is working correctly on the switch only, you should be able to transfer data.

 

[Nikotine]

I have added ip route 0.0.0.0/0 172.16.1.2 to the switch.

ICX6450-48P-Router#sh ip route
Total number of IP routes: 4
Type Codes - B:BGP D:Connected O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP  Codes - i:iBGP e:eBGP
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2
        Destination        Gateway         Port          Cost          Type Uptime
1       0.0.0.0/0          172.16.1.2      ve 172        1/1           S    25m51s
2       10.25.9.0/24       DIRECT          ve 9          0/0           D    1d4h
3       10.25.100.0/24     DIRECT          ve 100        0/0           D    1d4h
4       172.16.1.0/24      DIRECT          ve 172        0/0           D    1d1h
ICX6450-48P-Router#

A client in VLAN 9 indeed can't ping google.com.
Then I added a traffic rule in OpenWRT:

config rule
        option src 'TRANSIT'
        option name 'Allow WAN to 10.25.9.0/24'
        list src_ip '10.25.9.0/24'
        option dest 'wan'
        option target 'ACCEPT'

Unfortunately a client in VLAN 9 still can't ping google.com, but traceroute works:

pi@rpi3-sdr:~ $ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.25.9.2       0.0.0.0         UG    202    0        0 enxb827eb45a8ec
10.25.9.0       0.0.0.0         255.255.255.0   U     202    0        0 enxb827eb45a8ec

pi@rpi3-sdr:~ $ ping google.com
PING google.com (142.250.179.142) from 10.25.9.229 enxb827eb45a8ec: 56(84) bytes of data.
From WRT1900AC.lan (10.25.9.1) icmp_seq=1 Destination Port Unreachable
From WRT1900AC.lan (10.25.9.1) icmp_seq=2 Destination Port Unreachable
From WRT1900AC.lan (10.25.9.1) icmp_seq=3 Destination Port Unreachable
^C
--- google.com ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 48ms

pi@rpi3-sdr:~ $ traceroute google.com
traceroute to google.com (142.250.200.14), 30 hops max, 60 byte packets
1  10.25.9.2 (10.25.9.2)  1.170 ms  1.805 ms  2.390 ms
2  WRT1900AC.lan (10.25.9.1)  0.513 ms  0.397 ms  0.457 ms
3  192.168.0.1 (192.168.0.1)  1.889 ms  2.685 ms  3.337 ms
4  <redacted>  12.858 ms  25.353 ms  25.555 ms
5  * * *
6  dD5E0FA71.access.telenet.be (213.224.250.113)  30.432 ms  23.043 ms  23.586 ms
7  74.125.32.88 (74.125.32.88)  27.131 ms  24.916 ms  27.188 ms
8  * * *
9  108.170.241.225 (108.170.241.225)  27.412 ms 108.170.236.138 (108.170.236.138)  26.162 ms 108.170.241.161 (108.170.241.161)  27.033 ms
10  108.170.241.205 (108.170.241.205)  25.873 ms 108.170.241.141 (108.170.241.141)  33.519 ms 108.170.241.204 (108.170.241.204)  33.807 ms
11  209.85.253.113 (209.85.253.113)  34.536 ms 216.239.42.213 (216.239.42.213)  34.157 ms 209.85.255.214 (209.85.255.214)  33.818 ms
12  209.85.142.167 (209.85.142.167)  42.616 ms  25.652 ms 209.85.245.231 (209.85.245.231)  31.776 ms
13  209.85.250.184 (209.85.250.184)  77.623 ms 216.239.58.130 (216.239.58.130)  29.847 ms  30.061 ms
14  74.125.242.65 (74.125.242.65)  27.891 ms 74.125.242.97 (74.125.242.97)  29.578 ms 74.125.242.65 (74.125.242.65)  28.808 ms
15  108.170.234.231 (108.170.234.231)  28.094 ms 108.170.234.221 (108.170.234.221)  28.115 ms 108.170.234.231 (108.170.234.231)  36.360 ms
16  lhr48s29-in-f14.1e100.net (142.250.200.14)  38.624 ms  37.368 ms  33.989 ms

Did I make a mistake somewhere?
Am I reading this correctly, that the route doesn't go via 172.16.1.1?

EDIT: I see you posted a second test, I will try that tomorrow. Thanks for the help so far!

 

[kapone]

Hmm...something went wrong.

config rule
        option src 'TRANSIT'
        option name 'Allow WAN to 10.25.9.0/24'
        list src_ip '10.25.9.0/24'
        option dest 'wan'
        option target 'ACCEPT'

Should that really be "list" or "option" on line 4? (I admit I'm not THAT familiar with the OpenWrt syntax)

Also, in your DHCP settings for the OpenWrt, what DNS server IP are you giving out to the clients in the VLANs?

Oh, and save the settings on the switch and reboot it please. Do the same for the OpenWrt.

 

[Nikotine]

The traffic rule was setup using luci (the OpenWRT web interface), so yes I assume that should be "list".

I'm not currently giving any specific DNS server IP to clients.
A windows client attached to VLAN 9 apparently gets the interface on OpenWRT as DNS server:

  22/04/2021   12:43.31   /home/mobaxterm  ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : SB2
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : lan

Ethernet adapter Ethernet 5:

   Connection-specific DNS Suffix  . : lan
   Description . . . . . . . . . . . : ASIX AX88179 USB 3.0 to Gigabit Ethernet Adapter
   Physical Address. . . . . . . . . : 80-6D-97-08-50-2F
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : <redacted>
   IPv4 Address. . . . . . . . . . . : 10.25.9.243(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : donderdag 22 april 2021 12:43:15
   Lease Expires . . . . . . . . . . : vrijdag 23 april 2021 0:43:15
   Default Gateway . . . . . . . . . : 10.25.9.2
   DHCP Server . . . . . . . . . . . : 10.25.9.1
   DHCPv6 IAID . . . . . . . . . . . : 914386327
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-BD-C7-E8-C4-9D-ED-99-38-FD
   DNS Servers . . . . . . . . . . . : 10.25.9.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

The Raspberry Pi points to localhost, not sure if that's correct:

pi@rpi3-sdr:~ $ cat /etc/resolv.conf
# Generated by resolvconf
domain lan
nameserver 127.0.0.1

Both of them don't have access to WAN.

Not sure if it matters, but I also added this on the switch: ip dns server-address 172.16.1.2, but I believe this is only used by the switch itself, not connected clients.
That said, while ping google.com can resolve the IP address via 172.16.1.2, the ping doesn't come back.

ICX6450-48P-Router#ping google.be

Type Control-c to abort
Sending DNS Query to 172.16.1.2
Sending 1, 16-byte ICMP Echo to 142.250.179.163, timeout 5000 msec, TTL 64
Type Control-c to abort
Request timed out.
No reply from remote host.
ICX6450-48P-Router#

I have rebooted the switch, but for a reboot of OpenWRT I'll have to wait until the working from home office hours are over

EDIT:
This is the routing table from OpenWRT.
I hope I created that route to 172.16.1.1 correctly.

root@WRT1900AC:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
10.25.0.0       172.16.1.1      255.255.0.0     UG    0      0        0 eth0.172
10.25.9.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0.9
10.25.100.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0.100
91.193.4.82     192.168.0.1     255.255.255.255 UGH   0      0        0 eth1
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0.172
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.4.0     0.0.0.0         255.255.255.0   U     0      0        0 br-guest
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 WGs_MULLVAD
192.168.5.2     0.0.0.0         255.255.255.255 UH    0      0        0 WGs_MULLVAD
192.168.5.3     0.0.0.0         255.255.255.255 UH    0      0        0 WGs_MULLVAD
192.168.5.4     0.0.0.0         255.255.255.255 UH    0      0        0 WGs_MULLVAD