Get crazy with Mango and VPN

Hello,

I'm just going crazy with the VPN settings in the Mango interface.
After the update from 3.x to 4.x the box could not be connected. Sometimes I was able to connect to it for maybe 10 seconds. So I reset it.

The 1st problem:
I can not connect to it via 192.168.8.1 (as in the tutorial) if my router has 192.168.178.1 (as most routers?). So I changed the IP to 192.168.178.2 and then connected it via the LAN port. By the way, I could NOT connect to it (192.168.1.1) via the WAN port as said in the tutorial, just via LAN.

So the setup so far is this:
router - 192.168.178.1
mango V2 via LAN - 192.168.178.2

2nd problem:
I get no internet connection. So I understand that there is no gateway setting (just in LuCI). So I set the gateway in LuCI to 192.168.178.1 and still get no connection to the internet. Why?

3rd problem:
If I connect to the router via the WAN port (DHCP) it just doesn't work. I see some IP via arp -a, but can not connect to it, even ping doesn't work.

Strange behavior for me:
If I connect, besides the already connected LAN port, also a second cable to the WAN port (so I have two cables connected), then I get an internet connection, but with some interruptions of the connection to the browser interface.

What do I want?
Just get it running behind the router with wireguard server (port forwarding is already set) to get some clients connected to the internal network (to the SQL data on the server).

So what's the clue here?

Best regards
glineter

So I ubooted the mini router again.
Checked the WAN port in LuCI, it has DHCP.
Connected it via WAN port to my switch (and this to the router).
I get the IP from the router (Speedport Pro Plus), I see it within the connected devices, but can not even ping it. LuCI shows a working WAN port with some KB on RX/TX. WTF??

The very strange thing is, if I just connect the WAN, I can reach the Mango V2 via browser just for about 10 seconds and then the connection is dead. But it is still shown as working in LuCI.

Can you explain how you connect? This does not sound correct.

Meanwhile, I didn't change the LAN settings. Just connected to the Mango V2 via LAN (192.168.178.8.1) directly, made the basic settings, checked that the WAN port has DHCP and then connected it via the WAN port to my switch (it's connected to the Speedport router).

Speedport --> Switch --> WAN-Mango V2 with DHCP

This is the actual setting.

And I get the IP in the Speedport, but I can not connect to it (just for some seconds on the fresh connection). In LuCI I see a running and working WAN, but it seems to be dead for my connection.

What?.. It must be a typo. There is an invalid IP syntax…

The format should be:
xxx.xxx.xxx.xxx

You mentioned 192.168.1.1, 192.168.178.1 and 192.168.8.1.

Maybe draw a diagram using draw.io

It seems that you set the subnet wrongly.

It also seems that you want to access the router via WAN side. Definitely it will be blocked if not set up correctly.

Is it the wrong way to connect it via WAN if I want to use the VPN server?

I mentioned these different IPs just because I was in the process.
After uboot you'll get the 192.168.1.1 for the mango V2 to upload the firmware on it. After that you'll get 192.168.8.1 for the mango V2 (everything on the LAN port). After that I changed the LAN to 192.168.178.2, so I can implement it within my network (for my router has 192.168.178.1). This was the first try. After that I got no connection on LAN and on WAN, so I ubooted it again.

Then I changed nothing, just connected the mango V2 to the router via WAN.

So the actual setting is, as mentioned above:
Speedport --> Switch --> WAN-Mango V2 with DHCP

It can not be a routing problem.
Speedport gives the mango box an IP (192.168.178.100), but I can not reach it, even not via ping.

No, that does not work.
In routing mode you can't integrate the device just by changing the IPs. It's a router, not a switch! This means WAN and LAN are separated.

Either you need to use another network mode (like extender) or you need to use drop-in gateway.

Please draw an overview of your network.

?? If I change the LAN to the IP range which my router has, set my router as gateway, so surely I can access the LAN port within my router (speedport) network. That's the way, I know and practice.
So I don't understand what you mean. I can not access the Mango V2 if it has 192.168.8.1 (after uboot) within my network; my network has 192.168.178.0/24. So if I should connect the Mango V2 via the LAN port I MUST change the IP. A layer 3 switch would route 192.168.8.1 to 192.168.178.1, but I have NO layer 3 switch. That is the point about the LAN.

But as somebody sometime in this forum said, I must use the WAN port to use the mango V2 as VPN server, not the LAN port. Is it right or not?

There is nothing to draw.
As I wrote three times, after I ubooted the mango V2 again, I didn't change anything. Just connected it via WAN to my switch.

And this is the actual setting:
Speedport (192.168.178.1) --> Switch --> WAN-Mango V2 with DHCP

So, I suppose the only question is: Is it correct to connect the Mango box via the WAN port if I want to use it as a VPN server or not?

You cannot change the Mango router's IP to 192.168.178.2, which conflicts with your parent network. You should just let it be 192.168.8.1.

The 2nd time you said you didn't change it and it gets 192.168.178.100 on the WAN port. You cannot access it using this IP from your parent network. You should configure it at 192.168.8.1 when connected to it directly.

Then connection and subnet are fine. The next step is to set up vpn.

OK, so I don't connect the Mango V2 via LAN, correct? Because if I should connect it via LAN, I can not leave it on 192.168.8.1 and connect it to my network. It wouldn't work. It's no problem just to connect it directly to any laptop with DHCP and set up the Mango V2, but not to the whole network, because it has 192.168.178.0/24. So as I understand, I don't need the LAN port for any purpose but the first setting after uboot. Is it correct?

So, I connect it via the WAN port, which has DHCP (I can see it in LuCI). So surely I get 192.168.178.100 on WAN from my Speedport router, because I set the DHCP range between 192.168.178.100 and xxxx.150.

As I understand, the setting is OK, IF it's right to connect to the WAN port (after configuration on an extra laptop with DHCP via LAN).

So that should be fine, isn't it?
Speedport (192.168.178.1) --> Switch --> WAN-Mango V2 with DHCP (192.168.178.100)

This is totally correct.

If you want to set up as vpn server, the next step

  1. Enable vpn server by accessing 192.168.8.1
  2. Set up port forward in your main router

If you want to set up the router at 192.168.178.100 from your wan network, you need to open port 80 or 443 in the admin panel.

So I must connect with the extra cable to the LAN port with some extra laptop with DHCP, right?

If I just want to connect to it directly via WAN port, I open the port 80 and 443 in the firewall settings, correct?

You have a Speedport. The Speedport got a WAN IP from your internet provider, let's call it a.b.c.d, and provides an internal IP 192.168.178.1 with the network 192.168.178.0/24.
All devices in your LAN get one IP starting with the network part 192.168.167. and get a host part from 2 to 254. Depending on your DHCP configuration maybe from 100 to 200 or similar.
All devices can access in the Internet as client, because of NAT. The Router will translate all 192.168.178.x addresses and route the answer to the requesting device.

But no device from the Internet will reach any device behind your NAT router. The solution is port forwarding. You can tell your Speedport firewall 'all requests on WAN port 1234 should go to LAN IP:port 192.168.178.2:1234' ...

Now you are setting up a Mango, and do exactly the same.
Even if it is in your LAN, it works in this way.

Your Mango WAN port goes to a Speedport LAN port. Instead of an Internet IP (a.b.c.d) you'll get a LAN IP (192.168.178.100). From your 192.168.178.0/24 LAN all devices will see only one device. All 192.168.8.0/24 devices connected to (W)LAN won't be reachable until you say to the Mango 'Route 192.168.178.100:1234 to 192.168.8.2:1234'. It is NATed and needs its own ruleset. See, the IP is the Mango's IP, not the client's. The Speedport LAN is not aware of the Mango LAN.

Per default the GL-iNet Devices are secure and won't expose Ports to the WAN (in general Internet, in your case Speedport LAN).

If you want to access the Mango admin panel from your LAN, go to 'Network - Firewall' and choose the tab 'Open Ports on Router'. Click on '+ Add' and add port 80 (http) or 443 (https). Then your Mango admin panel will be accessible from the Speedport LAN. Don't do this on the Internet!!

But VPN is another page, because this is a service. Just go to 'VPN - WireGuard Server' and generate a configuration. The default port is 51820. To reach this port from the Internet, your Speedport needs a port forwarding to IP 192.168.178.100 port 51820.
The Mango firewall should already make this port accessible, no need for configuration here.

Recap:

  • The SpeedPort and the Mango do NAT. The WAN port has only one IP.
  • All devices can only see their own LAN and the Network behind WAN. -> A 192.168.8.2 Laptop or Smartphone is able to access the 192.168.178.2 PC or Laptop or Smartphone in the Speedport LAN, because it is behind the Mango WAN ... Therefore the Network can't be 192.168.178.0/24 in the Speedport LAN and the Mango LAN, even in any other connected VPN LAN.
  • If you want to access the Mango from WAN (Speedport LAN), you need to open the ports.
  • If you want to access devices in the Mango LAN, you need port forwarding on the Mango.
  • Port forwarding is from the router's IP to a LAN IP.
  • A port can only be used once. You can't access the Mango on port 80 and port forward to another webserver in the Mango LAN.

I hope this makes it a little more clear. If not, just ignore me.

You can connect via WiFi, not necessarily cable.

Yes after you open ports you can access at 192.168.178.100

Thanks for the whole explanation. Most things there I know. The only thing that was not clear for me is the firewall of the Mango V2. So I'll try to set it that way in the next days.

What if I want to configure the LAN manually, so I can access the Mango V2 via LAN and have it connected to the Speedport via WAN? I suppose I will need a layer 3 switch, correct? Because I can not set the LAN e.g. to 192.168.178.2 and the WAN to 192.168.178.3, for it's a separate network card, which needs another IP range, isn't it?

Let's split up:

  • SpeedPort WAN (a.b.c.d)
  • SpeedPort LAN network (192.168.178.0/24)
  • SpeedPort LAN IP (192.168.178.1)
  • Mango WAN (192.168.178.100)
  • Mango LAN network (192.168.8.0/24)
  • Mango LAN IP (192.168.0.1)

Think from the Client over the Mango over the Speedport to the Internet. From the SpeedPort WAN to the Mango LAN are two steps in between, that are not part of the default routing.
The other way around needs to be configured: Internet - SpeedPort WAN (forwarding rules to SpeedPort LAN) - Mango WAN (port opening in WF or port forwarding to Mango LAN)

I don't see the need for any switch here, unless you want to connect more than one device to one LAN port. You can't connect more than one port to WAN.

We are starting with Speedport LAN to Mango WAN. So the Mango gets a WAN IP 192.168.178.100 via DHCP.
Be aware everything works as designed. You can connect anything to the Mango (LAN or WAN) and it will work in the 192.168.8.0/24 Mango network.

Now you want to configure your Mango. This is at this time only possible from the Mango network. Attach any device to LAN or WLAN of the Mango.

  1. Configure the WAN IP you want for the Mango.
  2. Open the ports 80 and 443 (TCP) on the Mango for the router (do not use 'port forwarding'!)

From now on you can reach the Mango admin panel via the Mango's WAN and the Speedport's network.

If you try to connect the Mango LAN to the Speedport LAN, the routing will break. These are two different networks, no matter which layer you are on. A switch won't solve the lack of routing (unless you separate them via VLAN, but I think this will get too complex here, because you still need to configure the back flow).
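The two explanatory posts above (the NAT/port-forwarding walkthrough with its recap, and the Speedport/Mango split-up) describe a fixed topology; this added example, which is not from the thread or from GL.iNet firmware, models that double NAT so you can check which client/destination/port combinations actually have a path. Addresses follow the posts; 203.0.113.5 (Speedport WAN) and 198.51.100.7 (an Internet client) are constructed stand-ins for 'a.b.c.d' and an arbitrary peer.

```python
# Added example (not from the thread or GL.iNet): reachability model of the Speedport -> Mango double NAT.
from ipaddress import ip_address, ip_network

SPEEDPORT_WAN = ip_address("203.0.113.5")    # constructed placeholder for a.b.c.d
SPEEDPORT_LAN = ip_network("192.168.178.0/24")
MANGO_WAN = ip_address("192.168.178.100")    # handed out by the Speedport's DHCP
MANGO_LAN = ip_network("192.168.8.0/24")

class Nat:
    """A NAT router: ports it answers on its WAN IP, and ports it forwards to LAN hosts."""
    def __init__(self, wan_ip, open_ports=(), forwards=None):
        self.wan_ip = wan_ip
        self.open_ports = set(open_ports)
        self.forwards = dict(forwards or {})  # wan_port -> (lan_ip, lan_port)
        clash = self.open_ports & self.forwards.keys()
        if clash:  # recap bullet: a port can only be used once
            raise ValueError(f"ports {sorted(clash)} are both opened and forwarded")

    def inbound(self, port):
        """Where a packet to wan_ip:port ends up: the answering (ip, port), or None if dropped."""
        if port in self.open_ports:
            return (self.wan_ip, port)        # service on the router itself (admin panel, WireGuard)
        return self.forwards.get(port)        # DNAT to a LAN host, otherwise dropped by the firewall

def zone(ip):
    return "mango" if ip in MANGO_LAN else "speedport" if ip in SPEEDPORT_LAN else "internet"

def reachable(src, dst, port, speedport, mango):
    """Return the (ip, port) that finally answers a TCP connection, or None if no path exists."""
    src, dst = ip_address(src), ip_address(dst)
    where = zone(src)
    if where == "mango":                      # Mango LAN clients see their LAN and everything outward
        if dst in MANGO_LAN or dst == mango.wan_ip:
            return (dst, port)
        where = "speedport"                   # outbound NAT: the client now appears as MANGO_WAN
    if where == "speedport":
        if dst == mango.wan_ip:
            return mango.inbound(port)        # only opened or forwarded ports get through
        if dst in MANGO_LAN:
            return None                       # no route: the Speedport LAN is not aware of the Mango LAN
        return (dst, port)                    # other LAN hosts directly, the Internet via Speedport NAT
    if dst != speedport.wan_ip:               # from the Internet only the Speedport WAN address exists
        return None
    hop = speedport.inbound(port)
    if hop is None or hop[0] != mango.wan_ip:
        return hop
    return mango.inbound(hop[1])              # forwarded on to the Mango: apply its rules as well

def thread_setup():
    """The thread's end state: 80/443 (admin) and 51820 (WireGuard) opened on the Mango WAN, 51820 forwarded by the Speedport."""
    mango = Nat(MANGO_WAN, open_ports={80, 443, 51820})
    speedport = Nat(SPEEDPORT_WAN, forwards={51820: (MANGO_WAN, 51820)})
    return speedport, mango
```

With the thread's setup, a Speedport-LAN PC reaches the Mango admin panel on 80/443 but nothing in 192.168.8.0/24, a Mango-LAN laptop reaches Speedport-LAN hosts directly, and an Internet peer reaches only the forwarded WireGuard port.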

That's the point I mean. So it's not possible.
I just want the easier way to connect, configure and maintain the Mango V2 (without the need of an extra laptop with DHCP for a 192.168.8.0/24 connection). And the only way to do so is to open ports on WAN. Not so good an idea regarding security, but I think it's more practical for maintenance reasons.

Since your WAN-Port is only connected to your Speedport LAN Port, it's totally fine to open ports.

The open WAN Port on the mango is still in the Speedport WAN. No Internet access involved here.

This is how networking works. In general, nothing special OpenWRT or GL-iNet here.
If you want to access a service it needs to be bound to a port on an interface. From the client you need a route to the interface of the service providing server. Port forwarding is a kind of routing within NAT networks.
You can't connect two subnets with a switch. Which would be even more insecure than a port forwarding within a local network.