DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

4.4.5 now available on 2865. But....

10 Jul 2024 16:53 #7 by txrx
Replied by txrx on topic Re: 4.4.5 now available on 2865. But....
Hi,

I posted here https://forum.draytek.co.uk/viewtopic.php?t=25184&start=40 in the other thread as 4.4.5 seems to be causing issues with a number of routers. I'm currently running 4.4.5.3 RC1 on a 2865 and at least the reboots have stopped. I haven't been able to test everything that's been reported but at least it's a start. The router seems to be behaving itself but time will tell as this is an RC build so anything can happen.

10 Jul 2024 21:01 #8 by pharcyder
Replied by pharcyder on topic Re: 4.4.5 now available on 2865. But....
I too have the 4.4.5.3RC1 firmware on my 2865 now from Support. It fixes the Bind to IP comment corruption and the Wireguard Client Config Creator... but all my Wireguard connections no longer work. Existing L2L and Remote Dial Wireguard accounts no longer work, even if I re-create the accounts. IPSec works just fine.

Rolling back to 4.4.3.2 and everything works fine.

11 Jul 2024 11:23 #9 by pharcyder
Replied by pharcyder on topic Re: 4.4.5 now available on 2865. But....
Just to put this to bed, 4.4.5.3_RC1_BT actually does resolve all my issues seen with 4.4.5.x.

What's happened is the behaviour of the Firewall seems to have changed between 4.4.3.2 and 4.4.5.x. I had a WAN-> LocalHost Any, Any, Any rule that blocked all incoming connections to protect me from bad actors trying to establish a VPN from 'those countries'. Under 4.4.3.2, this allowed me to establish L2L VPNs using Wireguard to 3rd party sites no problem.

Under 4.4.5.x though, the same WAN-> LocalHost rule blocked *outgoing* Wireguard L2L connections. I put in an explicit Allow rule and it's started working again.

So my Wireguard issues are fixed.
Wireguard Client Configurator is fixed.
Bind to IP Comment corruption is fixed.
Too soon to tell if the Router crashes are fixed.

11 Jul 2024 12:26 #10 by HodgesanDY
Replied by HodgesanDY on topic Re: 4.4.5 now available on 2865. But....
What I’d like to see, is the local host rule working for internal VPN L2L connections where the remote network’s router GUI can always be accessed from the opposing end.

There doesn’t seem to be any rule that can stop this, well not that I’ve found yet. Even if you set the management access config settings to only allow specific LAN IPs (all WAN management access disabled already, obviously), if you’re on the remote LAN, you can always access the opposing LAN’s router GUI and actually log in! This only seems to be the case for L2L connections, ‘Remote Dial-in’ users can be locked down.

Why they didn’t just add the ‘VPN’ option to the new ‘Local Host’ rule in the firewall is beyond me.
