I have set up a bare-bones installation of wireguard-vyatta-ubnt on an ER-X, and things are rocking when I connect to the router from the outside WAN interface: I have all the correct access to internal hosts.
If, on the other hand, I set up a tunnel from the LAN, I have internet access but no connectivity to other hosts on my LAN networks.
Any tips or suggestions on this issue? Is this a routing issue?
My config:
/* Only eth4 binds these rule sets (see interfaces/ethernet eth4/firewall). switch0, its vifs and wg0 carry no firewall, so LAN<->tunnel forwarding and router-local access from those interfaces are not filtered by this config. */
firewall {
all-ping enable
broadcast-ping disable
ipv6-name WANv6_IN {
default-action drop
description "WAN inbound traffic forwarded to LAN"
enable-default-log
rule 10 {
action accept
description "Allow established/related sessions"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
ipv6-name WANv6_LOCAL {
default-action drop
description "WAN inbound traffic to the router"
enable-default-log
rule 10 {
action accept
description "Allow established/related sessions"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
rule 30 {
action accept
description "Allow IPv6 icmp"
protocol ipv6-icmp
}
rule 40 {
action accept
description "allow dhcpv6"
destination {
port 546
}
protocol udp
source {
port 547
}
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
log disable
state {
established enable
related enable
}
}
rule 20 {
action accept
description "Allow ICMP"
log enable
protocol icmp
}
rule 30 {
action drop
description "Drop invalid state"
log enable
state {
invalid enable
}
}
}
/* Router-local policy for eth4 only: the WireGuard listener (udp/51820) is the single new inbound service exposed; GUI, SSH and DNS below are not reachable from the WAN because of the default drop. */
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action accept
description WireGuard
destination {
port 51820
}
log disable
protocol udp
}
rule 30 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
receive-redirects disable
/* NOTE(review): the router emits ICMP redirects on all interfaces; disabling is the usual hardening choice unless something relies on it -- confirm. */
send-redirects enable
/* NOTE(review): reverse-path filtering is off, so a packet arriving on wg0 with a non-tunnel source is not dropped here; whether that matters depends on the peers -- confirm. */
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
description Local
duplex auto
speed auto
}
ethernet eth1 {
description Local
duplex auto
speed auto
}
ethernet eth2 {
description Local
duplex auto
speed auto
}
ethernet eth3 {
description Local
duplex auto
speed auto
}
ethernet eth4 {
address dhcp
description Internet
dhcpv6-pd {
pd 0 {
interface switch0 {
host-address ::1
prefix-id :1
service slaac
}
prefix-length /48
}
rapid-commit enable
}
duplex auto
/* The only interface with a firewall attached in this config. */
firewall {
in {
ipv6-name WANv6_IN
name WAN_IN
}
local {
ipv6-name WANv6_LOCAL
name WAN_LOCAL
}
}
poe {
output off
}
speed auto
}
loopback lo {
}
switch switch0 {
address 192.168.1.1/24
description Local
mtu 1500
switch-port {
interface eth0 {
}
interface eth1 {
}
interface eth2 {
}
interface eth3 {
}
vlan-aware disable
}
vif 10 {
address 10.100.100.1/24
description GUEST
}
vif 11 {
address 10.100.200.1/24
description DARK
mtu 1500
}
}
/* No firewall on wg0: tunnel peers reach every LAN subnet and every router-local service. route-allowed-ips installs the peer's /32 via wg0, so return traffic to 172.16.100.100 is routed back into the tunnel. */
wireguard wg0 {
address 172.16.100.1/24
listen-port 51820
/* Only this /32 is accepted from the peer; packets it sends into the tunnel must carry 172.16.100.100 as source. NOTE(review): for a client that sits on the LAN itself, whether its LAN-subnet traffic enters the tunnel at all is decided by the client's own AllowedIPs / untunneled-traffic policy, which is not visible here. */
peer XXX= {
allowed-ips 172.16.100.100/32
description XXX
}
private-key ****************
route-allowed-ips true
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name DARK {
authoritative disable
subnet 10.100.200.0/24 {
default-router 10.100.200.1
dns-server 10.100.200.1
lease 86400
start 10.100.200.100 {
stop 10.100.200.200
}
}
}
shared-network-name GUEST {
authoritative disable
subnet 10.100.100.0/24 {
default-router 10.100.100.1
dns-server 10.100.100.1
lease 86400
start 10.100.100.100 {
stop 10.100.100.200
}
}
}
shared-network-name LAN {
authoritative disable
subnet 192.168.1.0/24 {
default-router 192.168.1.1
dns-server 192.168.1.1
lease 86400
start 192.168.1.100 {
stop 192.168.1.200
}
}
}
static-arp disable
use-dnsmasq enable
}
dns {
forwarding {
cache-size 150
listen-on switch0
listen-on switch0.10
listen-on switch0.11
listen-on wg0
}
}
/* NOTE(review): web UI also answers on plain HTTP (80) and with older ciphers enabled; no listen address is set, so it is reachable from every LAN vif and from wg0 peers. The WAN is protected only by WAN_LOCAL's default drop. */
gui {
http-port 80
https-port 443
older-ciphers enable
}
/* Masquerade covers eth4 only. Traffic forwarded from wg0 to LAN hosts keeps its 172.16.100.x source and relies on those hosts using this router as default gateway (as the DHCP scopes above hand out) for the return path. */
nat {
rule 5010 {
description "masquerade for WAN"
outbound-interface eth4
type masquerade
}
}
/* Reachable from all LAN vifs and from wg0 (no local firewall there); blocked from the WAN by WAN_LOCAL. */
ssh {
port 22
protocol-version v2
}
unms {
disable
}
}
system {
analytics-handler {
send-analytics-report false
}
crash-handler {
send-crash-report false
}
domain-name XXXX.net
host-name XXXX
login {
user XXXX {
authentication {
encrypted-password ****************
public-keys XXXX {
key ****************
type ssh-rsa
}
}
level admin
}
}
name-server 8.8.8.8
name-server 8.8.4.4
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
hwnat disable
ipsec disable
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
traffic-analysis {
dpi disable
export disable
}
}
I'm running into the same issue on my ER-Lite. Although I must admit I set up WireGuard on my ER-Lite ages ago, and it's entirely possible I didn't set it up correctly to work with the scenario of using WireGuard internally. It's on my to-do list to dive into this, but at the same time I'm also looking into solutions like Netmaker, which I'll probably not be deploying on the ER-Lite.
I have set up a bare-bones installation of wireguard-vyatta-ubnt on an ER-X, and things are rocking when I connect to the router from the outside WAN interface: I have all the correct access to internal hosts.
If, on the other hand, I set up a tunnel from the LAN, I have internet access but no connectivity to other hosts on my LAN networks.
Any tips or suggestions on this issue? Is this a routing issue?
My config: