MT3000 Beryl AX: LAN devices cannot ping devices connected to Beryl AX

Hello everyone,

I have WireGuard set up on a Raspberry Pi on the LAN, and the Beryl AX router has the WireGuard client configured, which works fine.

I can ping my LAN devices from a device on the Beryl subnet and have access to all of them.
The problem is, I can't ping the other way, from the LAN, to hit devices on the Beryl AX subnet.

I have already enabled the Windows Firewall rules "File and Printer Sharing (Echo Request - ICMPv4)" for Public and Private domains, which allows my Windows 11 client to be pingable.

On the Beryl AX, I turned on "Remote Access LAN" on the WG Client and have the Global Option "Block Non-VPN Traffic" enabled as well. No luck.

Attached is my topology.

The Pi is the WG server in the LAN of PC 1, right?

In the VPN tunnel:
PC 2 -> GL router -> Pi -> PC 1 works.
But PC 1 -> Pi -> GL router -> PC 2 does not work?

It seems the network where PC 1 is located is lacking routing rules.
You should add a route rule to the router on the PC 1 side:

ip route add <Target network> via <Gateway address> dev <interface>

Like:

# 10.0.1.0/24 = the Beryl AX LAN, 10.0.0.2 = the Pi's LAN IP, br-lan = the LAN bridge interface (OpenWrt naming)
ip route add 10.0.1.0/24 via 10.0.0.2 dev br-lan

Firewall (OpenWrt/GL.iNet UCI syntax):
/etc/config/firewall

# Accept forwarded traffic from the lan zone to the Pi (10.0.0.2), any protocol
config rule
    option name 'Allow-VPN'
    option src 'lan'
    option dest 'lan'
    option dest_ip '10.0.0.2'
    option proto 'all'
    option target 'ACCEPT'
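
The asymmetry in this thread comes down to where each packet's forwarding decision fails, so here is a small simulation of the topology, added here and not part of the original posts. Addresses beyond the two /24s and the Pi's 10.0.0.2 are assumed (tunnel 10.8.0.1 on the Pi and 10.8.0.2 on the Beryl AX, PC 1 = 10.0.0.10, PC 2 = 10.0.1.20, Nighthawk = 10.0.0.1, Beryl AX LAN = 10.0.1.1), as is the assumption that the Beryl AX masquerades LAN traffic to its tunnel address (typical for an OpenWrt VPN zone) and that the Pi already has a route for 10.0.1.0/24 into wg0. The WireGuard checks modelled are real: a peer only receives packets whose destination is in its AllowedIPs, and inbound packets whose source is outside the sending peer's AllowedIPs are discarded. The model shows that the static route on the Nighthawk is necessary but not sufficient if the Pi's peer entry for the Beryl AX lists only the client's /32, and why PC 2 -> PC 1 can work anyway when the client masquerades. On a consumer router that has no shell, the static-route page takes the same three values (destination 10.0.1.0, mask 255.255.255.0, gateway = Pi LAN IP).

```python
"""Forwarding simulation for the two-router WireGuard topology (added example)."""
import ipaddress
from dataclasses import dataclass, field

A = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Node:
    name: str
    addrs: set                      # addresses this node answers for
    routes: list                    # (prefix, nexthop); see lookup()
    allowed_ips: dict = field(default_factory=dict)   # peer name -> AllowedIPs list
    masquerade_into_tunnel: bool = False              # SNAT LAN sources to tunnel_addr
    tunnel_addr: A = None


def in_any(addr, prefixes):
    return any(addr in Net(p) for p in prefixes)


def lookup(node, dst):
    """Longest-prefix match. nexthop is a node name, 'lan' (deliver on the
    connected segment), 'wg:<peer>' (WireGuard tunnel) or 'internet'."""
    best = None
    for prefix, nexthop in node.routes:
        net = Net(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def trace(nodes, src, dst):
    """Follow one packet hop by hop. Returns (delivered, log lines)."""
    src, dst = A(src), A(dst)
    by_addr = {a: n for n in nodes.values() for a in n.addrs}
    cur, seen, log = by_addr[src], set(), []
    while cur.name not in seen:
        seen.add(cur.name)
        if dst in cur.addrs:
            log.append(f"{cur.name}: delivered to {dst}")
            return True, log
        nexthop = lookup(cur, dst)
        if nexthop in (None, "internet"):
            log.append(f"{cur.name}: no route for {dst}, handed to the ISP default route")
            return False, log
        if nexthop == "lan":
            nxt = by_addr.get(dst)
            if nxt is None:
                log.append(f"{cur.name}: {dst} should be on the connected segment but no host answers")
                return False, log
            log.append(f"{cur.name}: {dst} is on the connected segment")
        elif nexthop.startswith("wg:"):
            peer = nexthop[3:]
            # Sender side of cryptokey routing: dst must be inside the peer's AllowedIPs.
            if not in_any(dst, cur.allowed_ips.get(peer, [])):
                log.append(f"{cur.name}: route points into WireGuard but no AllowedIPs covers {dst}, dropped")
                return False, log
            if cur.masquerade_into_tunnel:
                src = cur.tunnel_addr
            nxt = nodes[peer]
            # Receiver side: source must be inside the AllowedIPs of the peer it came from.
            if not in_any(src, nxt.allowed_ips.get(cur.name, [])):
                log.append(f"{nxt.name}: source {src} not in AllowedIPs for peer {cur.name}, dropped")
                return False, log
            log.append(f"{cur.name}: -> WireGuard -> {nxt.name} (src {src})")
        else:
            nxt = nodes[nexthop]
            log.append(f"{cur.name}: -> {nxt.name}")
        cur = nxt
    log.append(f"{cur.name}: routing loop")
    return False, log


def build(nighthawk_route=False, pi_allows_beryl_lan=False, beryl_masquerades=True):
    """The thread's topology with the three settings under discussion as switches.
    All concrete addresses except 10.0.0.0/24, 10.0.1.0/24 and 10.0.0.2 are assumed."""
    beryl_allowed = ["10.8.0.2/32"] + (["10.0.1.0/24"] if pi_allows_beryl_lan else [])
    pc1 = Node("PC1", {A("10.0.0.10")}, [("10.0.0.0/24", "lan"), ("0.0.0.0/0", "Nighthawk")])
    nighthawk = Node("Nighthawk", {A("10.0.0.1")},
                     [("10.0.0.0/24", "lan"), ("0.0.0.0/0", "internet")]
                     + ([("10.0.1.0/24", "Pi")] if nighthawk_route else []))
    # Pi: static route for the Beryl LAN into wg0; AllowedIPs may or may not cover it.
    pi = Node("Pi", {A("10.0.0.2"), A("10.8.0.1")},
              [("10.0.0.0/24", "lan"), ("10.0.1.0/24", "wg:Beryl"),
               ("10.8.0.0/24", "wg:Beryl"), ("0.0.0.0/0", "Nighthawk")],
              allowed_ips={"Beryl": beryl_allowed})
    # Beryl AX with "Block Non-VPN Traffic": everything non-local goes into the tunnel.
    beryl = Node("Beryl", {A("10.0.1.1"), A("10.8.0.2")},
                 [("10.0.1.0/24", "lan"), ("0.0.0.0/0", "wg:Pi")],
                 allowed_ips={"Pi": ["0.0.0.0/0"]},
                 masquerade_into_tunnel=beryl_masquerades, tunnel_addr=A("10.8.0.2"))
    pc2 = Node("PC2", {A("10.0.1.20")}, [("10.0.1.0/24", "lan"), ("0.0.0.0/0", "Beryl")])
    return {n.name: n for n in (pc1, nighthawk, pi, beryl, pc2)}


if __name__ == "__main__":
    cases = [("as posted", build()), ("Nighthawk route only", build(nighthawk_route=True)),
             ("route + AllowedIPs", build(True, True))]
    for label, topo in cases:
        for s, d in (("10.0.0.10", "10.0.1.20"), ("10.0.1.20", "10.0.0.10")):
            ok, log = trace(topo, s, d)
            print(f"[{label}] {s} -> {d}: {'OK' if ok else 'FAIL'}")
            for line in log:
                print("   ", line)
```

Running it prints the hop log for each scenario: as posted, PC 1 -> PC 2 dies at the Nighthawk's default route while PC 2 -> PC 1 succeeds because the masqueraded source 10.8.0.2 passes the Pi's AllowedIPs check; with only the static route added, the Pi drops the packet because 10.0.1.0/24 is not in the Beryl peer's AllowedIPs; with both in place the packet is delivered.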

Hi @bruce,

The Pi is the WG server for the WG client on the GL.iNet router.

Yes, PC 2 can ping PC 1.
Right, PC 1 cannot ping PC 2.

Excellent, thank you, I will try to add that route to the router on subnet 10.0.0.0/24.

The router is a Nighthawk RAX42, which supports adding routes, but I'm not sure about the commands.

Will give it a try, and see what happens.