I want to be able to do the following at another place of mine:
192.168.1.1 = ISP router / cable modem
192.168.1.100 = Brume 2 (one cable in LAN, WAN disabled/bridged to br-lan, gw 192.168.1.1 for br-lan)
192.168.1.99 = LAN (all LAN devices have gw 192.168.1.1)
And now I want to access the LAN from the outside internet through WireGuard.
The Brume 2 would just be connected with one cable from its LAN port to the 192.168.1.1 router, which is then connected to a switch, and the other PCs in the LAN are connected to the switch.
I have disabled the WAN port of the Brume 2 via the GL.iNet web interface so WAN becomes another LAN port / part of the br-lan bridge:
I can already reach the WireGuard server from outside (port forwarding from 192.168.1.1 to 192.168.1.100).
The problem now is, I can't reach any LAN PCs or the ISP router itself from the WG client. I can only reach 192.168.1.100 and 10.0.0.1, that's it.
I have already allowed wgserver forwarding to LAN in LuCI:
I have set a default gw for the br-lan device in LuCI:
I can ping the LAN devices from the SSH console of the Brume:
But I can't reach any PCs or the ISP router from the WG clients.
What else is there to do to make this work? I have already tried enabling NAT masquerading on the WGServer, both on and off, with no result. Do I need to set a static route too somewhere? I tried experimenting with it but with no luck so far.
I don't want the Brume 2 to act as a second router in front of or between the clients with two subnets, just as a WireGuard server which then allows access to the LAN through it.
Or is there a better, more elegant way to achieve this? I tried to give the WGServer an address in the same subnet, for example 192.168.1.201 and client 202, but that also didn't work. Or do I need to add wgserver to br-lan for this to work too?
Do I need to add a WG static route in here maybe? If so, which one:
Not sure what would make sense to add though; 192.168.1.0/24 via 192.168.1.1 wouldn't make much sense because it is already the default gw of br-lan, no? I tried to add that anyway, and it also didn't work.
What about adding a static route at 192.168.1.1, something like 10.0.0.0/24 192.168.1.100 ?
Update:
I fixed it by also activating NAT masquerading on the br-lan device on the Brume 2:
But is this the right way to do it?
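Why the br-lan masquerade in the update works, and what the static route at 192.168.1.1 asked about above would change, traced through a small model of the routing tables in this post (an added example of mine, not from the thread or from GL.iNet; the host names and the client tunnel address 10.0.0.2 are assumptions):

```python
import ipaddress
from copy import deepcopy
# Constructed model of the LAN in this post. Routes are (prefix, next_hop);
# next_hop None means the destination is on-link and is delivered directly.
HOSTS = {
    "isp_router": {"addrs": ["192.168.1.1"], "routes": [("192.168.1.0/24", None)]},
    "brume": {"addrs": ["192.168.1.100", "10.0.0.1"],
              "routes": [("192.168.1.0/24", None), ("10.0.0.0/24", None),
                         ("0.0.0.0/0", "192.168.1.1")]},
    "lan_pc": {"addrs": ["192.168.1.99"],
               "routes": [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]},
    # Assumed tunnel address for the WG client; 192.168.1.0/24 is in its AllowedIPs.
    "wg_client": {"addrs": ["10.0.0.2"],
                  "routes": [("10.0.0.0/24", None), ("192.168.1.0/24", "10.0.0.1")]},
}

def lookup(hosts, host, dst):
    """Longest-prefix match; returns (True, next_hop) or (False, None) if no route."""
    best, best_len = (False, None), -1
    for prefix, nh in hosts[host]["routes"]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and net.prefixlen > best_len:
            best, best_len = (True, nh), net.prefixlen
    return best

def owner(hosts, ip):
    """The host that holds address ip."""
    return next(h for h, d in hosts.items() if ip in d["addrs"])

def trace(hosts, src, dst, max_hops=8):
    """Hosts a packet passes through from src to the owner of dst; 'DROP' if unroutable."""
    path, cur = [src], src
    for _ in range(max_hops):
        found, nh = lookup(hosts, cur, dst)
        if not found:
            return path + ["DROP"]
        cur = owner(hosts, dst if nh is None else nh)
        path.append(cur)
        if cur == owner(hosts, dst):
            return path
    return path + ["LOOP"]

def reply_path(masq_brlan=False, isp_static_route=False):
    """Path of the LAN PC's reply to the WG client under the fixes discussed in the post."""
    hosts = deepcopy(HOSTS)
    if isp_static_route:  # on the ISP router: 10.0.0.0/24 via 192.168.1.100
        hosts["isp_router"]["routes"].append(("10.0.0.0/24", "192.168.1.100"))
    # Masquerade on br-lan makes the PC answer the Brume's on-link address, not 10.0.0.2.
    reply_dst = "192.168.1.100" if masq_brlan else "10.0.0.2"
    return trace(hosts, "lan_pc", reply_dst)
```

Without either fix the request reaches the PC but its reply is sent to the ISP router, which has no route back to 10.0.0.0/24; the masquerade hides which WG client connected (LAN hosts and their logs see only 192.168.1.100), while the static route keeps the client address visible but depends on the ISP router accepting static routes.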