MT300 V2 can't connect to the internet with WAN port as LAN + other issues

Hi, I'm having issues with an MT300-V2.

It should be used as a VPN server to access the home network from outside, since the main router of the network doesn't support it, but I'm having issues configuring it.

My idea was to configure it as part of the LAN (ideally as a bridge, since it would have been nice to use both Ethernet ports) and simply run Tailscale on it, but that's impossible since there isn't enough free space on the device to do it.

There is also no bridge mode (which is weird since it supposedly was there in older versions of the firmware); the closest thing is AP mode, which for some reason disables all the VPN software in the main GUI.

Leaving the device configured as a standard router, I've then tried to configure a WireGuard interface, but the device doesn't seem to be able to connect to the internet at all if I set the WAN port to be used as LAN.
I've then tried using the WAN as a WAN (with a 192.168.2.0/24 subnet) and internet works, but regardless of how I try to accept everything from WAN to LAN and vice versa, I can't reach stuff on the 192.168.1.0 subnet.

With the WAN operating as WAN I can port forward WireGuard's port 51820 from the main router to the MT-300 and the device connects, but internet doesn't work.

Configuration in the advanced LuCI interface is also a mess, and I'm 99% sure there are conflicting parameters between the two different GUIs (for example in one I see the LAN DHCP range going from 100-200, while in LuCI it's 100-150).

I think I've also tried to connect it to the network using the LAN port but it didn't work either.

So, how should I configure it to do what I need to do? (Navigate my home network using the MT-300 as an AP with the WireGuard protocol.)

Hello,

AP mode is the wireless access point for wireless clients to connect to.

The VPN server requires the routing table feature, so the Mango should be in router mode.

But there are 2 workarounds that can probably achieve your requirement:

  1. GL firmware, router mode, with the network cable connected to the LAN port of the Mango, and manually configure the static IP, netmask and gateway based on the primary router's LAN to join its subnet, so that the Mango accesses the Internet via the routing table (LAN gateway) and also acts as the AP. Then enable and configure the WG server.

  2. Vanilla OpenWrt firmware, which does not distinguish between router, AP, etc. modes, so you can install plugins and configure the functions you need at will.

I think I've tried connecting the Mango via the LAN interface, but it kept saying it had no internet access and I couldn't figure out why.

Btw, by the time the post got approved I was fed up with the original firmware and just installed vanilla OpenWrt and configured WireGuard manually, and it seems to be working.

1 Like

GL firmware makes some specific combinations of the (OpenWrt-based) elements: firewall, router, WAN zone, LAN zone, (LAN) bridge, NAT rules, VPN, ... Only some combinations are available (repeater, extender mode, router mode (always including NAT)); otherwise the list of combinations would be too long to handle.

So with any specific setup, like the one posted here, it is sometimes difficult to find how to (ab)use one of these preconfigured combinations. Problem: e.g. in L2 mode (bridge, extender) this GL device has no control over the data flow and manipulation; in L3 mode firewall and NAT can be an obstacle.

So in this case what is needed is a VPN coming to one device (MT300) in (the middle of) some home LAN, with some devices on the other end of the VPN communicating with the other home LAN devices.

If that is the only need, I would set it up as follows (I have done that on many occasions with other non-preconfigured material) ...

For this MT300 your home network is the WAN zone (just because WAN implies NAT and a DHCP-obtained IP address). This allows the MT300 to adopt a local IP address on that WAN port, and to masquerade everything from its LAN zone. The LAN interface (not used here) and the VPN, when made part of the firewall LAN zone, will access the home network as originating from one home device in the home LAN (with its MT300 WAN interface and home network IP address).

Any other device in the home network that is addressed/connected will receive connection requests from that MT300 WAN IP address, which is on the same LAN subnet as those devices. Any answer for that connection will flow back to the original requester based on the NAT tracking in the MT300.

The MT300 will run a VPN client, sitting behind multiple NAT rules away from the internet. No problem here, this is NAT in the good direction for the VPN client, as for any other client device.

Only the VPN server (a public service, or your own setup somewhere) has to be reachable from the internet (and needs either a public IP address, or all the port forwards to access it). However, not that many VPN services allow P2P, but Tailscale and ZeroTier certainly do.

An alternative way of working is running a VPN server on the MT300, but then the main router and the MT300 need the port forwarding set up properly for the VPN server port to be accessible by the VPN client over the internet.

The VPN server or client choice is based on convenience; the access in the home network LAN is identical. Only on some networks (like ZeroTier) is it documented for the client only and not for the server.

Your own VPN server could be configured as a hub for your mobile device and for the MT300, and be installed somewhere else. (That's exactly what ZeroTier, Tailscale, SoftEther, and others offer.)

1 Like
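The setup described in the two answers above, as an added worked example that is not part of the original thread and is not GL.iNet's or OpenWrt's own documentation: vanilla OpenWrt on the MT300 (the OP's final choice and the staff's workaround 2), with the home LAN attached to the MT300's WAN port as the previous post proposes, a WireGuard server on the MT300 placed in the lan firewall zone, and masquerading towards the home LAN. Only the home subnet 192.168.1.0/24 and UDP port 51820 come from the question; the main router address 192.168.1.1, the MT300 address 192.168.1.2, the tunnel subnet 10.0.0.0/24, the WAN device name eth0.2 and the placeholder keys are assumptions.

```conf
# Added example (UCI config files for vanilla OpenWrt on an MT300N-V2), not
# from the original thread. Assumptions: main router 192.168.1.1, MT300 WAN
# address 192.168.1.2 (reserve it on the main router so the port forward keeps
# working), tunnel subnet 10.0.0.0/24, WAN device 'eth0.2' as on a stock
# MT300N-V2 image (check yours with `ip link`). Replace the *_KEY placeholders.

# --- /etc/config/network (only the sections that matter here) ----------------
# The home LAN is this device's "wan": a static address in the home subnet.
config interface 'wan'
	option device 'eth0.2'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option dns '192.168.1.1'

# WireGuard server interface. private_key is the output of `wg genkey`;
# listen_port is the 51820 the OP already forwards on the main router.
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'SERVER_PRIVATE_KEY'
	option listen_port '51820'
	list addresses '10.0.0.1/24'

# One section per client. allowed_ips is the source the server accepts from
# this peer and routes back to it (cryptokey routing); preshared_key from
# `wg genpsk` is optional but cheap.
config wireguard_wg0
	option description 'phone'
	option public_key 'PHONE_PUBLIC_KEY'
	option preshared_key 'PHONE_PSK'
	list allowed_ips '10.0.0.2/32'

# --- /etc/config/firewall (relevant sections) --------------------------------
# The tunnel joins the lan zone, so VPN clients are trusted like LAN clients.
config zone
	option name 'lan'
	list network 'lan'
	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# The home LAN is the wan zone: masquerade so home devices see 192.168.1.2,
# and clamp MSS because WireGuard's overhead lowers the usable MTU.
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

# The only thing the home LAN side may initiate towards the MT300: WireGuard.
config rule
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'

# --- client side (wg-quick / mobile app format, shown as a comment) ----------
# [Interface]
# PrivateKey = PHONE_PRIVATE_KEY
# Address = 10.0.0.2/32
# DNS = 192.168.1.1
#
# [Peer]
# PublicKey = SERVER_PUBLIC_KEY
# PresharedKey = PHONE_PSK
# AllowedIPs = 192.168.1.0/24, 10.0.0.0/24
# Endpoint = YOUR_PUBLIC_IP_OR_DDNS_NAME:51820
# PersistentKeepalive = 25
```

On the main router, forward UDP 51820 to 192.168.1.2 (as the OP already did) and reserve that address. Generate the keys on the device with `wg genkey | tee server.key | wg pubkey`, then `/etc/init.d/network restart` and `/etc/init.d/firewall restart`; `wg show wg0` lists the peer with a `latest handshake` line once the phone has connected. If the handshake succeeds but the home LAN is unreachable, the usual culprits are the phone's `AllowedIPs` not including 192.168.1.0/24 or `masq` missing on the wan zone: with masquerading, home devices answer to 192.168.1.2 and the main router needs no static route for 10.0.0.0/24, at the cost that home devices cannot tell individual VPN clients apart by IP. Because the home LAN is the wan zone with input REJECT, the MT300's own web interface is reachable only from its LAN port or over the tunnel; add a rule with src 'wan' for TCP 80/443 if you want it from the home LAN.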