Remotely connect to LAN via WireGuard on Mango

I have a new GL.iNET GL-MT300N-V2 and have set up WireGuard. I can access the router’s admin page on 192.168.8.1, but I can’t see anything else on 192.168.8.0/24. What am I missing?

Have you checked the “Allow Access Local Network” in the wireguard server?


Yes, “Allow Access Local Network” is on. I’m running the latest firmware version 3.105, and haven’t touched the firewall.


Should the wireguard zone be empty? The others aren’t.

And sorry for the late reply.

I should add that my Mango is behind an enterprise firewall (Palo Alto). I can connect to the WireGuard server and to the admin site on 192.168.8.1 on ports 80/443. I’m assuming all the WireGuard communication is tunneled through one port, in my case 51280. If not, the Palo Alto could be blocking it, as I know it blocks 3389.

alzhao,

Does enabling “Allow Access Local Network” automate the instructions below?

https://docs.gl-inet.com/en/3/app/wireguard/#visit-clients-lan-subnet

I think so. I need to test the most recent snapshot to make sure.


I updated to 3.201 and am having the same issue.

alzhao
Are you able to reproduce this issue?

Hi ueue,

Could you show me the /etc/config/firewall?

root@GL-MT300N-V2:~# cat /etc/config/firewall 

# /etc/config/firewall as dumped from a GL-MT300N-V2 running GL.iNet 3.x
# firmware (OpenWrt fw3 syntax). Review comments only; option lines are
# reproduced exactly as pasted.

config defaults
	option syn_flood '1'
	# Default policies for any zone that does not set its own
	# input/output/forward; every zone below overrides at least some of them.
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# NOTE(review): with hardware flow offloading enabled, established flows
	# may bypass the kernel path that tcpdump observes on br-lan/wg0 — confirm
	# by disabling both offload options while capturing, then re-enable.
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	list network 'lan'
	# LAN clients are fully trusted: router access and forwarding are open.
	# No masq here, so traffic entering lan from other zones keeps its
	# original source address (see the wireguard zone below).
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	# Unsolicited traffic to the router (input) and through it (forward) is
	# rejected; only the explicit wan rules below open anything.
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# Source NAT for traffic leaving via wan.
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

# LAN may initiate anything towards WAN.
config forwarding
	option src 'lan'
	option dest 'wan'

# Stock OpenWrt wan input rules (DHCP renew, ping, IGMP, IPv6 housekeeping).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# These two rules forward inbound ESP and IKE (UDP/500) from wan into the
# whole lan zone. They are stock OpenWrt rules and unrelated to WireGuard;
# NOTE(review): disable them if no IPsec endpoint lives behind this router.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# User hook plus GL.iNet firmware scripts; they add rules that are not
# visible in this file, so a complete audit of the live ruleset needs
# `iptables-save` output as well.
config include
	option path '/etc/firewall.user'
	option reload '1'

config include 'glfw'
	option type 'script'
	option path '/usr/bin/glfw.sh'
	option reload '1'

# Guest Wi-Fi: clients may reach the router only for DHCP (67-68) and DNS
# (53) via the two rules below, and are forwarded only to wan — plus the
# guest <-> wireguard forwardings further down.
config zone 'guestzone'
	option name 'guestzone'
	option network 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding 'guestzone_fwd'
	option src 'guestzone'
	option dest 'wan'

config rule 'guestzone_dhcp'
	option name 'guestzone_DHCP'
	option src 'guestzone'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule 'guestzone_dns'
	option name 'guestzone_DNS'
	option src 'guestzone'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

# Router-local SMB/NetBIOS ports (no 'dest', so input rules): dropped from
# wan, accepted from lan.
config rule 'sambasharewan'
	option src 'wan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'DROP'

config rule 'sambasharelan'
	option src 'lan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'ACCEPT'

config rule 'AllowWireguard'
	option name 'Allow-Wireguard'
	# No 'dest', so this is an input rule for the router's own WireGuard
	# listener. WireGuard uses UDP only; the 'tcp' entry accepts inbound
	# TCP/51820 from wan that WireGuard itself never uses — 'udp' alone is
	# sufficient and narrower.
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp tcp'
	option family 'ipv4'
	option dest_port '51820'

config zone 'wireguard'
	option name 'wireguard'
	# 'forward' is only the default for traffic not matched by a forwarding
	# section; the wireguard_* sections below are what let peers through.
	option forward 'DROP'
	option output 'ACCEPT'
	# masq applies to traffic leaving via wg0 (lan -> peers). The reverse
	# direction is not masqueraded because the lan zone has no masq, so LAN
	# hosts see the peer's tunnel address as the source.
	# NOTE(review): a host firewall on a 192.168.8.x machine scoped to the
	# local subnet would then drop the ICMP/RDP request even though the
	# router forwards it correctly — check the target host as well as this
	# file.
	option masq '1'
	option mtu_fix '1'
	option device 'wg0'
	option masq6 '1'
	# Peers may talk to the router itself (admin page, DNS).
	option input 'ACCEPT'

config forwarding 'wireguard_wan'
	option src 'wireguard'
	option dest 'wan'

# Peers -> LAN ("Allow Access Local Network"); this is the forwarding the
# thread is about and it is present and enabled.
config forwarding 'wireguard_lan'
	option src 'wireguard'
	option dest 'lan'
	option enabled '1'

config forwarding 'lan_wireguard'
	option src 'lan'
	option dest 'wireguard'

# These two sections open guest <-> wireguard in both directions, which
# relaxes the guest isolation set up above. NOTE(review): confirm this is
# intended — VPN peers become reachable from the guest Wi-Fi and vice versa.
config forwarding 'guest_wireguard'
	option src 'guestzone'
	option dest 'wireguard'

config forwarding 'wireguard_guest'
	option src 'wireguard'
	option dest 'guestzone'

# Port-forward: TCP/UDP 3389 arriving from the wireguard zone is DNATed to
# the LAN host 192.168.8.11. Exposure is limited to VPN peers because src is
# the wireguard zone, not wan. 'gl' looks firmware-specific — semantics not
# determinable from this file.
config redirect
	option target 'DNAT'
	option name 'Rad-RDP'
	option dest 'lan'
	option proto 'tcp udp'
	option dest_ip '192.168.8.11'
	option dest_port '3389'
	option enabled '1'
	option gl '1'
	option src_dport '3389'
	option src 'wireguard'

# Further GL.iNet scripts (site-to-site, QoS) injected into the live ruleset.
config include 'gls2s'
	option type 'script'
	option path '/var/etc/gls2s.include'
	option reload '1'

config include 'glqos'
	option type 'script'
	option path '/usr/sbin/glqos.sh'
	option reload '1'

I’m using beta 3.201

Currently checking out

@Riho-shuu is checking this issue and hopeful he can help.


@ueue I’m still on 3.105 and I think I’m able to do this, see how my firewall settings are different to yours, maybe try mine?

@blancmange Thanks for the reply! The only difference I’m seeing is that for the wan zone you accept forwarding. Isn’t this circumventing the NAT? Feel free to correct me if I’ve misunderstood.

@blancmange In any case I rolled back to version 3.105 and tried your change. It didn’t work, so this is not the magic incantation (assuming I didn’t miss another difference). Following the KISS principle, I’m going to set up a second Mango (GL-MT300N-V2) that’s not behind our Palo Alto firewall and test.

@Riho-shuu Here’s hoping you can see what I’m missing.

My apologies for the late response.

Your forwarding rule is correct. Could we arrange remote support?

I have the same problem on my GL devices. (AR300M/Slate) . So I am also interested in solution :slight_smile:

@Riho-shuu I know that systems on the lan/wifi can connect via RDP, so here is a tcpdump of an attempt to use RDP across the wireguard connection. Here is the dump on wg0

and from br-lan

As you saw with ICMP, there is no return seen on either interface. Interestingly, there is more traffic seen on wg0.