Accesing local network shares behind router

liagpap · 2022-06-21T04:41:27.381Z

Hi. Thanks for the response.
Yes it is turned on and I have added the list subnet line to the wireguard_server file on the server.

wcs2228 · 2022-06-21T17:43:30.532Z

Can you try changing:

AllowedIPs = 0.0.0.0/0

liagpap · 2022-06-21T18:11:38.474Z

I’ve tried that. When I do that all internet traffic from the client computer gets routed through the server but still the problem with pinging and network share access remains unchanged.

alzhao · 2022-06-22T04:27:13.839Z

Can you refer to Building a Site-2-Site network manually using two GL.iNet routers

In step 7 and 9 there is guide to add route in the server and client.

Update: The problem was caused windows firewall. Thread closed.

liagpap · 2022-06-22T09:59:50.614Z

Screenshot 2022-06-22 125749
hi thanks for th reply. Unfortunately no change

alzhao · 2022-06-22T12:37:25.973Z

On the server (SF1200) you should do as step 7.

Step 9 is for the Wireguard client router.

Sorry for confusion

liagpap · 2022-06-22T13:08:28.403Z

Thanks again for your efforts. The command “ip route add 192.168.*.0/24 dev wg0” returns an error message in command prompt as my wireguard client runs on win11; if I understand it correctly this is a command to set thte ip routting in linux, right? Also do you have a command to undo the ip routing in the server?

alzhao · 2022-06-22T13:32:46.608Z

In the client machine (windows) you don’t need to do anything.

In the server side you can reboot and the command is gone.

liagpap · 2022-06-22T13:46:54.875Z

So how should I setup the ip route in the client?

alzhao · 2022-06-22T14:04:10.258Z

No need to do anything if you use a windows.

Only needed for routers.

liagpap · 2022-06-22T15:46:14.547Z

So I rebooted and edited the wireguard_server file to the following:
config servers
option local_ip ‘10.0.0.1’
option local_port ‘51820’
option local_ipv6 ‘fd00:db8:0:abc::1’
option private_key redacted
option public_key redacted
option access ‘ACCEPT’
option enable ‘1’

config peers ‘wg_peer_8174’
option name ‘redacted’
option client_key redacted
option private_key redacted
option client_ip ‘10.0.0.2, 192.168.1.0/24’

Καταγραφή

The problem persists

LupusE · 2022-06-22T15:46:46.829Z

Maybe it is helpful to understand what a route is.

You’ve got a client. The client got a IP 192.168.1.10/24. 24 is the same as 255.255.255.0. This means all connected devices with a IP between 192.168.10.1 to 192.168.1.254 are able to connect directly via TCP or UDP or ICMP (simplified).
In this network is a router, 192.168.1.1/24. The two devices can talk to each other.

There is a route at the client, that say "everything you don’t know (aka not in 192.168.0.0/24), send to 192.168.0.1. This is called a default route.
As the routers purpose is to route, the router knows his LAN IP (192.168.0.1) and his external IP from your provider.

The GL.iNet devices are routers behind routers. This means:
The client got a 192.168.8.0/24 address. The router is 192.168.8.1/24 in the LAN and in this case 192.168.0.x/24 in the ‘LocalWAN’ (the old LAN). So the router knows to take everything send from the LAN and send it into the LocalWAN … So you can reach from your client 192.168.8.2 over your GL.iNet 192.168.8.1 and 192.168.0.254 all devices in 192.168.0.0/24 … But not the other way around.

IMPORTANT: On the whole path, the net must be unique. Even if it is only a transfer net.

Now you’re setting up a tunnel. The tunnel works nearly the same. There are two endpoints, the Client doesn’t need to know the other net, the router needs.

(Client 192.168.8.1) - (192.168.8.1 GL.iNet 10.0.0.1) - 10.0.0.2 [not allowed to be 0, like in the picture] Desktop 192.168.1.10)
As the Desktop (192.168.1.10) is a Desktop, I don’t think it is able to route within your right LAN.

So, how is your desired Route? IP by IP.

alzhao · 2022-06-22T15:54:11.800Z

Can you show output of command wg in SF1200?

xize11 · 2022-06-22T17:21:07.365Z

Hmm from what I read if I understand you correctly:

You got a modem using the PPPoE connection correct? (I assume this because its often used as a isp connection type), this modem is the SF1200?

And your router (missing name here) is behind it using the wireguard client? And the server is on the SF1200?

I think you have to prototype a little here first without the wireguard because it might make things doable.

So the router has a NAT, and the modem has a NAT, with other words your router would be aware of your computer but on the part of the modem, the modem can only see the router as a client and not see the client list like inside the router.

Then there are two options:

A)
You have to make the router static on the modem side, then portforward the input rules for this port and forward it to this router ip.

Then on the router you also portforward but then you forward it to your pc (this ip needs also static), and then of course have the wireguard share option enabled.

If im right but I’m not sure how the ddns works your network should be reachable.

B)
Just my speculation, but wouldn’t it be easier to use a tagged vlan and make it so that the modem handles the dhcp, firewall and maybe even wireguard so you won’t have to deal with the double nat issue?, I had a situation with three nats but I needed a way to reach the clients over one cable, vlans could be very powerfull to traverse into a network topology it might be a good idea depending on your complexity of the network.

liagpap · 2022-06-22T18:07:34.491Z

Screenshot 2022-06-22 205803

liagpap · 2022-06-22T18:16:50.157Z

Hi LupusE.
I don’ want to have access from the client lan or to client lan just to the client computer.
So ideally I would like a route
(192.168.8.) - (192.168.8.1 GL.iNet 10.0.0.1) - (10.0.0.2 Desktop 192.168.1.10)
and reverse
192.168.1.10 Desktop 10.0.0.2- 10.0.0.1 GL.Inet 192.168.8.1- 192.168.8.

liagpap · 2022-06-22T18:35:05.056Z

Dear xize11,
I don’t think that’s exactly the case. At the office I have a modem that connects to the internet. The wan port of the SF1200 connects to the lan port of the modem and I use the PPoE passthrough feature of the modem and connect the SF1200 with PPoE to the internet. The modem and the SF1200 have different (both public) IPs assigned. If I understand it correctly this means that there is only one NAT (of the SF1200) in play. When I check the netwok settings of the modem (which has a ip range of 192.168.0.0/255.255.255.0) the SF1200 does not have an ip or appears on the port forwarding list section of the modem.
The client 192.168.1.10 is at home behind a modem (192.168.1.1.) that has a public ip address and wg ports forwarded.
I hope this makes the setup more clear.
Unfortunately the internet provider does not allow different modes and the modem does not support wg and found the vlan setup quite complicated, thats why I decided to buy the SF1200 and use the PPPoE

LupusE · 2022-06-22T18:49:25.387Z

liagpap:

At the office I have a modem that connects to the internet. The wan port of the SF1200 connects to the lan port of the modem and I use the PPoE passthrough feature

Okay, uncommon, but not impossible. Make sure you don’t have to pay twice in the end.
Normal there is a PPPoE and the GL.iNet behind. And Portforwarding does the needed magic.

Please let’s focus on one direction at first.
… btw, why WG ports? It is only one …

I assume the VPN tunnel is up and running.
Your client behind the SF1200 is able to ping
192.168.8.2 (?it’s own address)
192.168.8.1 (the SF1200 LAN)
10.0.0.1 (the SF1200 wg0)
10.0.0.2 (the remote endpoint)
192.168.1.10 (the remote desktop)

Where does it stop? If it stops in the middle, it’s not a problem right now, maybe just a firewall is blocking ICMP, here.

Edit: My setup.
I have a wg client installed on my android 11 tablet. It is connected to a wg server at my home. Than I’ve got a Beryl with WAN at my home router and LAN at my lab-laptop.
The Beryl is connected to the wg server. I am able with my tablet, to ping the lab-laptop from everywhere through the tunnel.

But the wg server is fully capable of routing. It would be the same, if the Beryl was the server. In my case I’ve had to use ‘boringtun’ (from cloudflare), because my server is a virtual container. I don’t know if anything if this apply to your setup.

liagpap · 2022-06-22T21:22:46.262Z

So LupusE’s last post got me thinking, so I tried pinging my printer’s ip address at the office and it worked. I figured out that it was Norton Firewall that was blocking ping and network sharing. So I temporarily disabled it on both computers I had the shares and presto. Worked like a charm. Still works after reenabling the firewall.
So alzhao’s settings and allowing traffic through the pc’s firewall worked.

liagpap · 2022-06-22T21:24:10.723Z

Many thanks to all for your time and help. I actually feel a bit wiser when it comes to routing and vpn