GL.iNet Flint 2 - guest WiFi on VPN cannot access services publicly exposed on WAN

Hello
I have a stupid requirement, that I can't seem to get working. Here's the layout:

ISP Modem (bridge mode) > Flint 2 (v4.7.0) > Home VLAN and Guest VLAN

Guest WiFi is enabled, which is always connected to a VPN to protect myself from DMCA notices (my kids' friends visit, and they love their torrenting; this is the only reason I bought this router).
The WG client uses VPN policy based on VLAN (Guest). In global options, Block non-VPN traffic is Off, Allow Access WAN is Off, and Services from GL.iNet use VPN is Off. AP Isolation is On under Network > Guest Network.

Now I have a Jellyfin server connected via ethernet to my home VLAN. I have a port forwarded from my router, and I can access this server away from home. I also have other services publicly accessible, but let's take Jellyfin as the example here.

If I connect to the guest WiFi, I cannot access Jellyfin or any of the publicly available services on my home VLAN. I would think that since I am connected to the VPN, all my data is tunneled out before it reaches my WAN IP > home VLAN, but it looks like NAT hairpinning comes into play: before any packets destined for my WAN IP leave my guest WiFi, they get blocked by VLAN isolation, so I can't access any of these services.

I can access this jellyfin server from my mobile data, or from my phone connected to a VPN, so it is externally accessible.

I had previously enabled AdGuard Home on the Flint 2, but that made the guest WiFi lose DNS resolution. I could ping IPs but not resolve any names, so I moved AdGuard Home to a separate server on my home VLAN. That's a problem for a separate thread, though.

Is there something I am missing?

I have never been able to remotely access my Plex server when the VPN client is active on my router, no matter what combination of VPN or port forwarding settings I have tried. I guess this is because all traffic and pings are unavoidably and strictly tunnelled through the VPN, as you said, but you have also added client isolation as another complicating factor in your case. I would also be quite interested if you find a solution. My only workaround so far is to completely exclude the Plex server from using the VPN.

What VPN mode do you use? I use target domain mode and I can connect to my Plex server just fine when remote.

I use VPN Policy based on the VLAN, set to guest VLAN.

I can access my server remotely (from my mobile data, out and about on public WiFi).

What I can't do is access it from the guest WiFi, which is connected to the VPN.

Did you try enabling Remote Access LAN in the WireGuard client settings? If you have already and it doesn't solve the issue, then I think you will need to add a firewall rule in LuCI.

No, I haven't tried that, but my thinking is that I shouldn't have to. I want to keep my home VLAN private, except for the stuff exposed to the internet.

That is, if my Jellyfin server is open to the internet, my guest WiFi connected to a VPN should be able to access it, but my guest WiFi should not be able to access other services on my home VLAN.
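The "one exposed host, nothing else" requirement stated above maps onto two standard OpenWrt firewall settings, and the script below is an added example of applying them over SSH with `uci`; it is not GL.iNet or OpenWrt project code and nobody in this thread has confirmed it on a Flint 2. It assumes the home and guest firewall zones are named `lan` and `guest`, that the existing port-forward (`redirect`) section is named `jellyfin` (GL.iNet normally auto-generates section names such as `cfg...`, so substitute the real one from `uci show firewall`), and that Jellyfin sits at 192.168.8.10 on TCP 8096, its default HTTP port. Step 1 adds the guest zone to the port-forward's `reflection_zone` list, because OpenWrt only hairpins (NAT-reflects) a redirect for its `dest` zone by default, which is why a guest client talking to the WAN IP never hits the DNAT and is instead carried off by the VLAN's VPN policy route. Step 2 opens guest-to-lan forwarding for exactly that host and port, since after the reflected DNAT the packet is ordinary guest-to-lan traffic that zone isolation would otherwise drop.

```shell
#!/bin/sh
# Added example for this thread; not GL.iNet or OpenWrt project code.
# Assumed names (verify with `uci show firewall` on the router):
#   HOME_ZONE   = 'lan'      firewall zone of the home VLAN
#   GUEST_ZONE  = 'guest'    firewall zone of the guest VLAN
#   FWD_SECTION = 'jellyfin' the existing 'redirect' (port-forward) section;
#                            GL.iNet usually auto-names these, so substitute it
#   JELLYFIN_IP / JELLYFIN_PORT = 192.168.8.10 / 8096 (Jellyfin default HTTP port)
HOME_ZONE="${HOME_ZONE:-lan}"
GUEST_ZONE="${GUEST_ZONE:-guest}"
FWD_SECTION="${FWD_SECTION:-jellyfin}"
JELLYFIN_IP="${JELLYFIN_IP:-192.168.8.10}"
JELLYFIN_PORT="${JELLYFIN_PORT:-8096}"

# Off the router there is no uci binary: print the commands instead of applying them.
if command -v uci >/dev/null 2>&1; then
  ON_ROUTER=1
else
  ON_ROUTER=0
  uci() { printf 'uci %s\n' "$*"; }
fi

# Step 1: hairpin (NAT-reflect) the existing port-forward for the guest zone too.
# reflection_zone is a list option; it defaults to the redirect's dest zone only.
enable_guest_reflection() {
  uci set "firewall.${FWD_SECTION}.reflection=1"
  uci add_list "firewall.${FWD_SECTION}.reflection_zone=${HOME_ZONE}"
  uci add_list "firewall.${FWD_SECTION}.reflection_zone=${GUEST_ZONE}"
}

# Step 2: allow guest -> lan for exactly one host and port; the rest of the
# home VLAN stays unreachable because no wider forwarding is added.
allow_guest_to_jellyfin() {
  uci set firewall.guest_jellyfin=rule
  uci set firewall.guest_jellyfin.name="guest-to-jellyfin"
  uci set "firewall.guest_jellyfin.src=${GUEST_ZONE}"
  uci set "firewall.guest_jellyfin.dest=${HOME_ZONE}"
  uci set "firewall.guest_jellyfin.dest_ip=${JELLYFIN_IP}"
  uci set "firewall.guest_jellyfin.dest_port=${JELLYFIN_PORT}"
  uci set firewall.guest_jellyfin.proto=tcp
  uci set firewall.guest_jellyfin.target=ACCEPT
}

# Guard: refuse to build a rule wider than one address and one port number
# (a CIDR, a range or a list would silently widen the hole into the home VLAN).
rule_is_narrow() {
  case "$JELLYFIN_IP" in
    ""|*/*|*-*|*,*) return 1 ;;
  esac
  case "$JELLYFIN_PORT" in
    ""|*[!0-9]*) return 1 ;;
  esac
  [ "$JELLYFIN_PORT" -ge 1 ] && [ "$JELLYFIN_PORT" -le 65535 ]
}

rule_is_narrow || { echo "refusing to add a rule wider than one host:port" >&2; exit 1; }
enable_guest_reflection
allow_guest_to_jellyfin
if [ "$ON_ROUTER" -eq 1 ]; then
  uci commit firewall
  /etc/init.d/firewall restart
fi
```

After restarting the firewall, confirm the reflected DNAT and the forward rule are really present with `nft list ruleset | grep -i 192.168.8.10` (fw4 on the 4.x firmware), then test from a guest client against the WAN IP. Whether the reflection wins over GL.iNet's per-VLAN VPN policy routing is not settled by this thread: the DNAT runs in prerouting before the routing decision, but if `ip rule` shows the guest VLAN's marked traffic consulting only the VPN table, the rewritten packet may still be sent into the tunnel, and that is the point to check before assuming the rule is ineffective.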