No internet access via Brume2

Technical Support for Routers VPN, DNS, Leaks
1

Hey,
I’m still struggling to get VPN work and just as last chance I connected Brume2 directly to the ISP router, but I still get no connection for the wireguard client to the internet. In this case there is no extra network with ipfire, just direct connection to the ISP router (with firewall on). So I made it this way:

  • ISP router 192.168.178.1
  • Brume2 LAN 192.168.178.2
  • set ISP router as gateway in LUCY (didn’t understand why this essential setting is not in the normal web GUI)
  • Port forwarding to the LAN address of the Brume2 for wireguard on the ISP router
  • Wireguard server with 10.0.0.2
  • Wireguard client with 10.0.0.3
  • tested MTU: 1420, 1380, 1320
  • tested DNS server: 1.1.1.1 and some privacy friendly ones

In the dashboard of the wireguard, I see connected Client, So dynDNS and port forwarding work.

But I get no connection to the internet with my smartphone connected to Brume2.
I will try to connect with another hardware, to see if it has to do something with my smartphones OS.
But maybe somebody can understand the failure just with these settings.

Cheers
glineter

2

Is there any way you can get your ISP ‘router’, which I also presume is also the modem, to be just a modem? Is there some way to set it to (ideally) bridged mode but failing that the ability to set a IP on a DMZ (eg: Burme 2’s IP)?

Pardon my soapbox for a moment but those damn ‘all in one’ wifi/router/modem combo pieces of shyte ISPs give you are for those who’d never think to use a router-based VPN never mind get a device capable of VPN Cascading.

(Man oh man; your patience is not to be underestimated. Impressive.)

1 Like
3

The wireguard server is designed to provide service on the WAN of Brume2.
In that case, you don’t need to set the ISP router as gateway in LUCi.

If you have to listen wireguard service on LAN interface(while you use WAN as LAN), try disabling mwan3.

mwan3 stop
/etc/init.d/mwan3 disable
uci set mwan3.globals.enabled='0'
uci commit mwan3
4

puh, I suppose, not. There are not so many settings possibilities within.

sure, I could change it to some kind of better customizable router, but it would be more work for me… and I have enough :smiley:

OH! Is that THE POINT I did not considered??
So I should not use the LAN port to implement the Brume2 into my network, but the WAN port?

But the LAN settings within the web GUI, are they changing the LAN or the WAN port, or both??

As it seems, I did not understand the idea of such VPN services at all :smiley:

5

Yes. You can open the firewall for ssh and httpd to control Brume2 from WAN leaving the LAN unused.

image
image1030×436 12.9 KB

6

ok, but how do I set the IP of the WAN port and how does it work without setting gateway if I have no DHCP for example? If I set WAN to static in LUCY, I still can not change these settings (as it seems, it has to do with “switch protocol”). But should I switch if I have no DHCP?

7

If your ISP router doesn’t have DHCP server, you can set static IP for Brume2’s WAN.

8

Heh; that’s a bet I wouldn’t take.

9

in LUCY I think, because I didn’t find this setting in the regular web GUI.
So I set the static IP and the gateway in LUCY, but I can not access the web GUI now. My ISP router shows, that the Brume2 is connected with the IP, I gave it, but I get no ping and no connection to it.

I opened the port 80 and 22 in the firewall.

maybe it’s because I use the same IP for the LAN? But I don’t use them (WAN and LAN) both at the same time. Just switch them, for the connection to the WAN port don’t work.

10

Yes you should keep LAN and WAN in different subnet.

11

ok, that was the point, I can connect now to the Brume2 via WAN port. BUT :smiley: I still get no connection to the internet

12

Please check if there subnet conflict between the wireguard subnet(10.0.0.x) and LAN/WAN.

13

LAN 192.168.180.1
WAN 192.168.178.7
ISP Router and Gateway 192.168.178.1
Wireguard 10.0.0.2

no conflict as I understand

14

Could we start a remote check to see what happens?
You may try to do a factory reset in case you config many settings and missed something.
It’s not too complicated to set up according to docs WireGuard Server - GL.iNet Router Docs 4

15

in what way could we do it?

yes, this was the last idea I had in that case :smiley:

16

It turns out to enable wireguard server to serve on LAN port, providing Internet access to wireguard client,
you need to enable LAN masquerading and related forwarding rule, use the following command:

# enable wireguard server to LAN forwarding
uci set firewall.wgserver2lan=forwarding
uci set firewall.wgserver2lan.src='wgserver'
uci set firewall.wgserver2lan.dest='lan'
uci set firewall.wgserver2lan.enabled='1'

# set LAN masquerading
uci set firewall.@zone[0].masq='1'
uci set firewall.@zone[0].masq6='1'
uci commit firewall
/etc/init.d/firewall reload
2 Likes
17

oh my god, it works!!! :smiley:

but why so complicated for my setup is just a normal connection to the ISP router (just something that I suppose nearly everybody will do with Brume2)?

So wireguard did not forward the clients to the internet. Was it a bug in the firmware?

18

Not a regular topology actually. Most user access the wireguard server from WAN.
This is also drop-in gateway mode, that may fit your needs.

19

but I also tried the WAN port with the same result.
WAN of brume2 - connected to the ISP router with the same settings I wrote to you.

#Edit:
reset the device, open ports in firewall for 80,443 and 22, connected WAN to ISP router and everything works. Sorry for the chaos! :smiley:

No I’ll try to implement the thing that way into my ipfire network and the DMZ.
I must change the IP of the WAN and gateway for it (so must set it to static). Are there possible problems concerning that?

#Edit2:
as it seems, no problems. Connected with LAN, changes WAN IP and gateway, changed port forwarding in ISP router, connected it to the DMZ and it works (with settings I already set in ipfire).