MV1000 Brume - network question

Hi all, forgive me if this is a stupid question.
I’ve just purchased the MV1000 Brume (maybe should have done some more research first). I currently have a cable modem, with a TP Link Deco Mesh providing all the routing for the house. I was hoping to put the MV1000 between the modem and the Deco Mesh, to provide VPN & some of the other services (like the ad blocker etc). Reluctant to disable the routing on the Deco Mesh, since it has some great parental controls.
Can the MV1000 be a VPN server etc without being a router? Is there any way I could get this to work as I originally intended?

Any help would be much appreciated.

Cheers

Yes. You can. I’ve release it on the workplace of a my friend with a B1300.

Hi antifascista, thanks for responding.
Were you using the MV1000 (Brume) as well as the B1300. I see the B1300 has most of the features of the MV1000 in it. I already have a mesh system (TP Link Deco), so it would be really helpful if you could explain a bit more about your solution and what you did.

Thanks

Connect wan of Brume to lan. Brume lan ip is not important, you can leave it on 192.168.8.1
Set up your wireguard server on brume and set port forwarding for it on your main router.
Connect your wireguard client and you will have avaliable your entire lan.

Thanks for your help, I’ll give that ago tomorrow, but would that be applying double NAT? I’m no expert.
I was thinking the Wan port from MV1000 would go into the Modem and the Lan port to the Mesh router

If you do my solution you don’t have double nat because brume is not the gateway of your lan but only a vpn server to access your lan. I suggest you this solution because you want use your mesh system as gateway.

I think what Zibzab is trying to do here is to use their Brume as VPN client for one of the commercial VPN providers to secure their whole network including the mesh system. If this is the case, then it will have to sit between their modem and the mesh system (in which case the mesh system will have to be switched in to bridge mode to avoid double NAT issues). I hope Zibzab can confirm their use case.

I refer my solution to this question…

Hi Almahadeus, antifascista is correct - I don’t want to use it as a router, or with a VPN provider. It’s to provide a VPN link into the local network. Also hoping to use adgaurd and some of the other services. Thanks for your support.
Almahdeaus, hopefully setting up later today. Do I need to add port forwarding to the MV1000 from the TP Link for it to work as you’ve suggested?

Cheers

Yes, for the udp port of your Wireguard server.

Thank you. I’ll give that a go later today and get back to you

Remember to use Lan of brume only for configuration by a client directly connected to it. In this scenario lan of brume must be not connected to your lan.
If you have success next step will be using brume for adguard internally…

Hi antifascista,
ok, I’ve configured as you said and set up wireguard VPN server and all works really well - fast.
I’ve also set up DDNS and that is working.
Do I have to do anything special to set up adguard?

Thanks for your help… works perfectly.

Cheers

Very happy for your goal.

To use brume for dns server you have to set “use wan as lan” but first by luci interface you have to disable dhcp server of brume and set his lan ip on the same subnet of your main lan then you will can configure and start adguard.
If all is ok you will can set your dhcp server to assign brume as dns server of your client.

Hi, I don’t want DNS, just Dynamic DNS since I don’t have a static IP. I’ve tested using ns lookup and that appears to be working fine.

Do you want to use adguard? Then you have to use your brume ad your dns server rather than your router or 8.8.8.8 or another public dns server.
Dynamic dns is totally another thing.

Hi,
i’m also using gl.inet router as wireguard vpn server. In my case MT300N-V2. I’m also using WAN-Port connected to my LAN, so it has local IP on WAN-site and it’s working well with dyndns-name + wireguard portforwarding. I’m using iphone, ipad and 2nd MT300N-V2 as clients outside my LAN.
In firewall-page at my MT300N-V2-wireguard-server, i have opened some ports. Port 80 and 22 for configuring through webinterface and ssh direct with the WAN-IP, because WAN-IP is ip of my local network. 192.168.8.1 (mango’s LAN) is not in use. Or just in emergency case. Also WLAN is not used.

My 2nd mango router, which is for holiday usage, could be connected to my guest-wifi, go out there and come “back” through VPN to my LAN. This is for testing purpose, but is really working well. I’ve set up the switch to enable and disable wiregurad vpn. I also configured the 3rd LED (besides power and wifi) for wireguard vpn on both routers. So i can see if there’s traffic and if wg is connected.

Hi antifascista,
I’ve done as you said, turned DHCP off in Luci and assigned it an IP on the local Lan (same subnet as my router). Turned Wan to Lan. I can now VPN in, but not connect - says check IP address. It’s like I can’t see the local network.
Any ideas?

In luci firewall add wireguard to lan zone.

I stumbled upon this thread as I am also struggling to have VPN clients reach the LAN interface; reaching the WAN interface works just fine. I even created a firewall rule to enable all traffic from the wireguard zone to a host on the LAN.

I am complete novice, so my analysis may be wrong- when looking at the firewall on the Luci side of the admin panel, the wireguard zone is empty. That is, there are no interfaces associated with it. In fact, it is not possible to add wg0 to that zone. Likewise, Luci does not show any routes from wg0 to LAN (I tried uploading images but as a new member I am not allowed).

So my conclusion is that the Gl Wireguard GUI does not properly configure the firewall and therefore hosts on the LAN interface are unreachable.