I just updated to the latest software version and came to the surprise that my Firewall rules that block internet access are not working anymore when I connect to a VPN.
If I disconnect the VPN they work again.
I found the issue: the VPN connection name changed. It was wgclient, and after the update it became wgclient1, but the rule still uses wgclient!
After I edited the rule and selected the new name, everything works again:
In my case this is just for privacy reasons, but I can see that this can be a serious security problem for other people. Be safe!
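A check a practitioner would want after an upgrade like the one in the post above, as an added example (not code from the thread or from GL.iNet): a POSIX shell script for an OpenWrt-based router that reads `uci show firewall` and `uci show network` dumps and reports two kinds of dangling reference: a zone whose member network is no longer a configured interface, and a rule whose src/dest names a zone that does not exist. Either one means the rule is silently not matching. The sample dumps, the zone and rule names, and the assumption that the VPN interface appears as a zone's network are constructed for this example and are not GL.iNet's actual configuration.

```shell
#!/bin/sh
# Added example, not from the forum thread or from GL.iNet: audit an
# OpenWrt-style UCI firewall dump for dangling references, the failure mode
# in the post above (an upgrade renamed the VPN interface, so config still
# pointing at the old name silently stopped matching).
# Checks: (1) every network listed in a zone is a configured interface,
#         (2) every src/dest in a rule names an existing zone.
# On a router: audit_uci "$(uci show firewall)" "$(uci show network)"
# The section, zone, rule and interface names below are constructed for this
# example and are assumptions, not GL.iNet's real configuration.

# Constructed `uci show firewall` output: the zone still references the old
# interface name 'wgclient'.
sample_firewall() {
cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan'
firewall.@zone[2]=zone
firewall.@zone[2].name='wgclient'
firewall.@zone[2].network='wgclient'
firewall.@rule[0]=rule
firewall.@rule[0].name='Block-TV-WAN'
firewall.@rule[0].src='lan'
firewall.@rule[0].src_mac='AA:BB:CC:DD:EE:FF'
firewall.@rule[0].dest='wan'
firewall.@rule[0].target='REJECT'
firewall.@rule[1]=rule
firewall.@rule[1].name='Block-TV-VPN'
firewall.@rule[1].src='lan'
firewall.@rule[1].src_mac='AA:BB:CC:DD:EE:FF'
firewall.@rule[1].dest='wgclient'
firewall.@rule[1].target='REJECT'
EOF
}

# Constructed `uci show network` output after the upgrade: the WireGuard
# interface is now 'wgclient1'.
sample_network() {
cat <<'EOF'
network.loopback=interface
network.lan=interface
network.wan=interface
network.wgclient1=interface
network.wgclient1.proto='wireguard'
EOF
}

# Print the ids (e.g. @zone[0] or lan) of all sections of TYPE in a dump.
uci_sections() {  # $1=dump  $2=section type
    printf '%s\n' "$1" | awk -F'[.=]' -v t="$2" 'NF == 3 && $3 == t { print $2 }'
}

# Print the value(s) of OPTION in SECTION, quotes stripped; a list option
# ('a' 'b') comes out space-separated.
uci_get() {  # $1=dump  $2=section id  $3=option
    printf '%s\n' "$1" | awk -v want="$2.$3" -v q="'" '
        {
            i = index($0, "="); if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            sub(/^[^.]*\./, "", key)             # drop the config name prefix
            if (key != want) next
            sub("^" q, "", val); sub(q "$", "", val)
            gsub(q " " q, " ", val)
            print val
        }'
}

# Print one finding per dangling reference; return 1 if any were found.
audit_uci() {  # $1=`uci show firewall` output  $2=`uci show network` output
    fw=$1; net=$2; rc=0
    ifaces=" $(uci_sections "$net" interface | tr '\n' ' ') "
    zones=" "
    for z in $(uci_sections "$fw" zone); do
        name=$(uci_get "$fw" "$z" name)
        zones="$zones$name "
        for n in $(uci_get "$fw" "$z" network); do
            case "$ifaces" in
                *" $n "*) ;;
                *) echo "zone '$name' lists network '$n', which is not a configured interface"; rc=1 ;;
            esac
        done
    done
    for r in $(uci_sections "$fw" rule); do
        rname=$(uci_get "$fw" "$r" name)
        for side in src dest; do
            zn=$(uci_get "$fw" "$r" "$side")
            if [ -n "$zn" ]; then                  # an unset side means "any"
                case "$zones" in
                    *" $zn "*) ;;
                    *) echo "rule '$rname' $side='$zn' names no existing zone"; rc=1 ;;
                esac
            fi
        done
    done
    return $rc
}

# Stand-alone demo on the constructed sample (on a router, pass real uci output).
if audit_uci "$(sample_firewall)" "$(sample_network)"; then
    echo "OK: no dangling firewall references"
else
    echo "Fix the references above before trusting any 'block internet' rule"
fi
```

Run it over SSH after every firmware update, before reconnecting the VPN, and treat any finding as "this rule is currently not matching anything". The dump format is plain `uci show` output; section ids generated by the GL.iNet UI may be named rather than anonymous, which the script handles the same way.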
This is interesting. Thanks for posting!
Update 4.8.3 has been out for a few days and it addresses some VPN issues known in prior releases.
I installed 4.8.3 on my Flint 2 and it's fine.
The 4.8.1 was the only update available for my Beryl.
Although somewhat tangential to your post, based on the rules you showed in your screenshot, have you ever considered running VLANs (or even just subnets, though of the two, I recommend VLANs)? It allows you to segment network traffic. For example, you could create a VLAN for IoT devices or even just your cameras, and then as part of setting it up, you can assign that VLAN its own firewall zone. That would then allow you to have a simple firewall rule that says “anything in this firewall zone cannot access WAN” rather than specifying different behavior for some devices in your LAN firewall zone based on MAC address. Just something you might want to consider. I run VLANs, for what it's worth. One note about doing that, though: If you run VLANs, the clients page in the GL.iNet UI will stop showing devices. I've raised this issue elsewhere in this forum (GL.iNet UI shows no clients connected due to use of VLANs), as have others (VLAN management and client support in stock GUI (Flint 2)), but I don't think anyone has ever gotten any signal from GL.iNet staff that they intend to tweak the GL.iNet UI to recognize VLANs such that their UI will report connected clients even if you run VLANs.
Don't I also need a separate AP for the devices to connect to that VLAN? The Beryl can just create 2 2.4 GHz WLAN networks, a “normal” and a “guest” WLAN, and I use both of them.
No, you don't need a separate AP to run VLANs. You configure VLANs in LuCI or by SSHing into your router, and you can run them with or without an additional AP.
If you want to learn more, check out the video I linked to in a reply to someone else from a while back: GL.iNet UI shows no clients connected due to use of VLANs - #7 by Integritas .
P.S. The Beryl AX (GL-MT3000) supports both 2.4 and 5 GHz. Your reply implies only 2.4 GHz unless you've deliberately turned off 5 GHz for some reason.
I will check that video, thanks! It just happens that I am currently learning VLANs (the theory) because I need/want to integrate them into my home network. I use the GL-MT3000 just while traveling, and I am currently researching whether I should go with the Flint 2 for my home or a UniFi Cloud Gateway Fiber.
The devices I am using in this case can only attach to 2.4 GHz networks, which is why I use it as an example.
Ha, well now I feel even better about my slightly-tangential-to-the-original-topic reply! What good timing!
The GL-MT3000 is (as you know) a nice choice for traveling. For your home and whether to go GL-MT6000 (Flint 2) or UniFi Cloud Gateway Fiber, it really comes down to what you're trying to achieve and why. Though I suppose that's obvious. You might also consider taking a peek at Omada gear if you're thinking about UniFi. For what it's worth (and I may suffer the wrath of others by saying this), although UniFi/Ubiquiti gear is solid and their UI makes some things dead simple, I've just never been convinced it's worth it for most home setups. But that's just my opinion, and there's a hefty amount of subjectivity in these decisions. Some things might be or might feel objective (e.g., a 10 GbE WAN port for someone with 1 Gbps Internet service seems like massive overkill, though some would likely counter under the auspices of future-proofing). But at the end of the day, these kinds of decisions often largely (if not entirely) come down to value-downside tradeoffs and where someone falls in terms of their personal values and preferences. Thomas Sowell may have said it best:
There are no solutions. There are only trade-offs.
I have heard of the Omada line but haven't really seen them in detail. I am searching for something that is a little bit “plug and play” but with enough customization layers.
I am building a little home lab; right now I just have a Proxmox node with some services and a small NAS.
Besides that I have a bunch of ESP32 boards, old phones as controllers, and - here are the pain points - some devices that need internet to work but that I don't want to let intrude on my network, for example a WiFi radio, a TV, a solar panel controller, etc. A couple of neighbors recommended UniFi to me, which is why I landed there.
Omada gear fits that pretty well - it can be configured very simply or very extensively. You can also configure your devices via a software controller running on a given machine, a dedicated hardware controller, or their cloud controller (with free and paid tiers, with the free tier doing an awful lot and likely meeting many people's needs). The software controller is also free (besides the cost of running it on your machine, of course, and it doesn't have to be on at all times as a strict rule, though some features do require it to be running to work). The hardware controller obviously costs money, and I consider that the least attractive option, not least because at the price point at which they run, you could pay just a bit more and get something like an entry-level mini PC to run the software controller and do other stuff (whereas the hardware controller is just for controlling Omada devices).
Again, no disrespect to UniFi/Ubiquiti, but if you're considering their gear, you should definitely consider Omada gear as well. Folks who are diehard UniFi/Ubiquiti often trash talk Omada, but it's just that: trash talk.