Brume2 as the main router (192.168.1.1) which distributes IP addresses (DHCP);
After Brume2 I have an unmanaged switch with all home devices connected to it;
Mango router (WAN 192.168.1.5) is also connected to this switch and I use it to run the WireGuard VPN Server (the corresponding port forwarding rule is set in Brume2).
The VPN Server works fine; however, my intention is to use the Mango router ONLY as a VPN Server and RESTRICT access to my home network devices for the connected VPN Clients (via WAN).
When the "Allow Access Local Network" option is disabled, there's no access to the devices connected to the Mango network (LAN), but it doesn't affect Mango's WAN subnet.
Is there any way to set up a firewall rule in order to restrict access to the upper-level devices? Probably to everything except the main Brume2 (192.168.1.1)?
I'm currently actively studying the WireGuard documentation, but I can't say that I'm good at it.
But, if you use a mobile device as a WG client, in my case it is an iPhone, in the WG app client settings when editing allowed IPs, it is possible to activate the button "exclude private IPs".
Then you can simply add to the list of allowed IPs which you need to access your local network. For example, your Brume2, as the address 192.168.1.1/32, and you will have access to your Brume from your mobile phone, while other IP addresses on the same subnet will not be available. For me it works. But I find it useless as an elevated user can always edit the profile and override excluded private addresses and access them.
Hi Agent_smith, thanks for the advice. But as you said, this setting is on the Client side, not the Server, so indeed anyone can change it.
I'm trying to play with the firewall rules in LuCI, but no success so far.
I don't quite understand your question.
What other devices do you have in your home network? It would be nice if you could draw a network topology diagram.
Hi Alzhao,
For personal use I run another VPN server on Brume2 with full access to the LAN.
The purpose of the Mango router is to provide VPN access to friends, colleagues, etc. who are abroad and need to be "in the home country", but I wanted to forbid access to my home LAN for them.
The solution was to change the "WireGuard" Zone Firewall settings and to add the "WireGuard to WAN" restriction in the Traffic Rules.
Now the VPN Clients can only access the Mango router via 10.0.0.1 (wg) and 192.168.1.5 (wan) IPs, but the route to the main LAN (via WAN port) is restricted.
@ngtimofeev
In your case, I would add some details: I would close access to the internal network for VPN clients via ZONE WireGuard > WAN Input > Drop, so they can't reach the web interface of the Mango router at IP 10.0.0.1, and I would create another traffic rule that allows only the IP address of your personal VPN client for Mango (e.g. with an IP 10.0.0.2/32, see my e.g. below) to access the Mango shell, Brume shell and other IP addresses from the internal network, if required. Very important! It must be dragged and dropped above the deny rule, in your case "forbid-wg-to-lan", then saved and applied.
Hi agent_smith, thanks for your input!
Actually my intention was to allow the VPN Clients to access the Mango, as I have an external drive connected to the router and can share the files with my colleagues in that way: '\\10.0.0.1\GL-Samba'
Since the Mango's WEB interface is password protected I'm not worried that anyone can actually log into it.
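The firewall setup described in this thread (WireGuard zone with Input set to Drop, a "WireGuard to WAN" deny rule for the home LAN, and an allow rule for one admin client placed above it), written out as an added /etc/config/firewall fragment that is not from any poster or from GL.iNet. The zone name 'wireguard', interface 'wg0', the 192.168.1.0/24 LAN size and the 10.0.0.2 admin client address are assumptions; it also goes one step further than the thread by keeping the Samba share reachable while the rest of the router stays closed, by admitting only TCP 445 (the standard SMB port) from the VPN zone.

```uci
# Assumed names: zone 'wireguard' bound to interface 'wg0'.
# Input DROP means VPN clients cannot reach the Mango itself unless a rule says so.
config zone
	option name 'wireguard'
	list network 'wg0'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'REJECT'

# Clients still need internet access, which leaves the Mango through its WAN port.
config forwarding
	option src 'wireguard'
	option dest 'wan'

# Exception to the zone's Input DROP: only the Samba share on the router (TCP 445).
# A rule with 'src' but no 'dest' applies to traffic addressed to the router itself.
config rule
	option name 'allow-wg-samba'
	option src 'wireguard'
	option proto 'tcp'
	option dest_port '445'
	option target 'ACCEPT'

# Rules are evaluated in file order (LuCI drag-and-drop order):
# the admin exception must come before the deny rule below.
# 10.0.0.2/32 is the assumed address of the owner's own VPN client.
config rule
	option name 'allow-admin-client-to-lan'
	option src 'wireguard'
	option src_ip '10.0.0.2/32'
	option dest 'wan'
	option dest_ip '192.168.1.0/24'
	option target 'ACCEPT'

# Everyone else on the VPN is blocked from the upstream home LAN (assumed /24),
# while internet-bound traffic through the WAN zone is unaffected.
config rule
	option name 'forbid-wg-to-lan'
	option src 'wireguard'
	option dest 'wan'
	option dest_ip '192.168.1.0/24'
	option target 'REJECT'
```

After applying, a quick check from a non-admin VPN client is that 192.168.1.1 and the rest of the home LAN time out or are rejected while \\10.0.0.1\GL-Samba and internet sites still work; the admin client at 10.0.0.2 should reach both.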