Cannot access LAN from Wireguard client

In my configuration I have two routers:

  1. a GL.iNet MT3000, connected to the internet and called "MT3000"
  2. a third party router, connected to the MT3000 and called "Main router"

internet <==> (WAN) GL-iNet MT3000 (LAN) <==> (WAN) Main Router (LAN) <==> my network

MT3000:

  • WAN is connected to the internet via PPPoE
  • LAN address is default 192.168.10.1/24
  • WireGuard is enabled
  • DDNS is enabled
  • static route: 10.118.10.0/24 => 192.168.10.2
  • WireGuard server "Remote Access LAN" and "IP Masquerading" are enabled

Main router:

  • WAN address is 192.168.10.2 (DHCP, static)
  • LAN address is 10.118.10.1
  • NAT is enabled
  • static route: 192.168.10.0/24 => 192.168.10.1

Facts:

  • From any device connected to MT3000 LAN or to the Main router LAN

    • I can access the internet
    • I can access any address in the MT3000 LAN (192.168.10.x)
    • I can access any address in the Main router LAN (10.118.10.x)
  • From a device connected to the MT3000 WireGuard server over the internet

    • I can access the MT3000 LAN interface (192.168.10.1)
    • I can access the internet (exit IP is the WireGuard server IP)

So far so good.

However, from a device connected to the MT3000 WireGuard server over the internet

  • I cannot access the Main router WAN interface (192.168.10.2)
  • I cannot access the Main router LAN (10.118.10.x)

Any thoughts?

I cannot access the Main router WAN interface (192.168.10.2)

  • That's predictable, it's the IP of the WAN port of a router. By default all ports on the WAN port are closed. A home router is not only a router, it's also a firewall and by default must stop all incoming connections from WAN. Some routers have a toggle to allow access to the web interface from the internet (WAN port). Other routers have the option to disable the firewall function completely. Both options would allow access to the router from WAN.
  • Some routers have the option to drop packets from private IPs on the WAN port.
  • As far as I know, if there is no port forwarding, NAT prevents all the connections initiated from WAN to enter the LAN.
  • The fact that you can access the Main router LAN (10.118.10.x) from the MT3000 LAN (192.168.10.x) while NAT is active indicates that you have done something special to the Main router configuration. What have you done?

Hi @27leguas, thanks for your answer.

The Main router firewall is under my control, and I think it's configured correctly. In fact, from a client connected to the MT3000 LAN I can access a service located in the Main router LAN, and the other way round, so routing and firewall should be fine.

The problem only arises when a client connected to the WireGuard server on the MT3000 tries to connect to a service located in the Main router LAN, so I think the issue is either WireGuard configuration or MT3000 firewall configuration, but they both appear to be fine to me. I'm confused.

Maybe you need to allow WAN -> LAN at the firewall of the main router, since there is NAT (WAN <-> LAN) on the main router.

The firewall is open, and in fact I'm able to reach Main router LAN from MT3000 LAN.

Do you have WireGuard or any other VPN in your main router? If you have it, even if you don't use it, there is a strong possibility that the IP sub-network used for identifying WireGuard peers collides (it's the same or overlaps) with the one used on your MT3000 WireGuard. If that's your case, the main router is sending the packets back to its own WireGuard network and not to the MT3000 WireGuard clients.

Change the WireGuard (or any VPN) network on your main router so it's different from the one on your MT3000 WireGuard.

Which router is the screenshot from?
If it is from your main router, you are dropping connections from WAN to the router itself (wan input), for services such as web administration. I don't know how you can access the main router from the MT3000 LAN (main router WAN) unless you have added a Traffic Rule to override that behavior.

Ok, I've found the issue and it has nothing to do with the MT3000.

The missing piece was a static route from my Main router to the WireGuard network (default is 10.0.0.0/24).

10.0.0.0/24 => 192.168.10.1

@27leguas thanks for your help.


I didn't advise you to check that because I supposed that your main router default gateway was pointing to the MT3000 (just because you told us your main router WAN is configured by the MT3000 DHCP server).
When a route has the same gateway as the default route you can omit it. Putting the route though doesn't hurt. If it works, it's fine.
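To make the routing reasoning in the resolution post and the reply above concrete, here is an added example (not from the thread or from GL.iNet) that models both routers' tables with longest-prefix matching and traces the forward and return path of a WireGuard client packet. It assumes the WireGuard network is the default 10.0.0.0/24 named in the thread, that the Main router's default route points at 192.168.10.1 as the last reply supposes, and uses constructed addresses for the client and the LAN host.

```python
import ipaddress

# Routing tables as (prefix, next hop or None if directly connected, interface).
# Assumption: the Main router's default route goes to the MT3000 (192.168.10.1).
MT3000 = [
    ("192.168.10.0/24", None, "lan"),            # MT3000 LAN
    ("10.0.0.0/24", None, "wg0"),                # WireGuard server network (default)
    ("10.118.10.0/24", "192.168.10.2", "lan"),   # static route from the thread
    ("0.0.0.0/0", "ISP", "pppoe-wan"),           # placeholder for the PPPoE gateway
]
MAIN_WITHOUT_FIX = [
    ("192.168.10.0/24", None, "wan"),            # Main router WAN side
    ("10.118.10.0/24", None, "lan"),             # Main router LAN
    ("0.0.0.0/0", "192.168.10.1", "wan"),        # assumed default gateway
]
# The fix from the resolution post: a static route for the WireGuard network.
MAIN_WITH_FIX = MAIN_WITHOUT_FIX + [("10.0.0.0/24", "192.168.10.1", "wan")]

# Which modelled router owns which next-hop address.
ROUTERS = {"192.168.10.1": "MT3000", "192.168.10.2": "Main router"}


def lookup(table, dst):
    """Longest-prefix match: return the (prefix, via, dev) entry for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for entry in table:
        net = ipaddress.ip_network(entry[0])
        if addr in net and (best is None or net.prefixlen > best[1]):
            best = (entry, net.prefixlen)
    return best[0] if best else None


def trace(tables, start, dst, max_hops=8):
    """Walk a packet router by router; return a list of (router, matched prefix)."""
    path, router = [], start
    for _ in range(max_hops):
        match = lookup(tables[router], dst)
        if match is None:
            return path + [(router, "no route")]
        prefix, via, _dev = match
        path.append((router, prefix))
        if via is None:                 # directly connected: delivered here
            return path
        if via not in ROUTERS:          # leaves the modelled network (the ISP)
            return path + [(via, "off-model")]
        router = ROUTERS[via]
    return path


def both_directions(main_table):
    """Forward path WG client -> LAN host, and the LAN host's reply path back."""
    tables = {"MT3000": MT3000, "Main router": main_table}
    fwd = trace(tables, "MT3000", "10.118.10.50")   # constructed LAN host
    back = trace(tables, "Main router", "10.0.0.2")  # constructed WG client
    return fwd, back
```

With the assumed default gateway, the reply path reaches the MT3000 either way; the added route only turns the default-route match into a specific 10.0.0.0/24 match, which is exactly the point of the last reply.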