Spitz X3000 WG Server cant access downstream router Lan

blancmange · January 2, 2026, 10:54am

Spitz is on latest firmware 0803release

I can access the Spitz admin panel (192.168.6.1) from mobile data on WG server, and I have WG client internet, but I cant access downstream router on 192.168.50.1 or it’s devices.

Spitz can ping downstream router and vice versa.

PING 192.168.50.1 (192.168.50.1): 56 data bytes
64 bytes from 192.168.50.1: seq=0 ttl=64 time=345.853 ms
64 bytes from 192.168.50.1: seq=1 ttl=64 time=40.885 ms
64 bytes from 192.168.50.1: seq=2 ttl=64 time=47.373 ms
64 bytes from 192.168.50.1: seq=3 ttl=64 time=42.657 ms
64 bytes from 192.168.50.1: seq=4 ttl=64 time=54.107 ms

--- 192.168.50.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 40.885/106.175/345.853 ms

will.qiu · January 4, 2026, 4:06am

Hi

Could you draw a network topology and label the devices' IP addresses and roles (WireGuard server/client) so we can better understand your issue?

blancmange · January 4, 2026, 12:45pm

@will.qiu Hopefully it’s easier to understand my previous comment from this….let me know if it’s not clear.. And all 3 routers are in Router mode

will.qiu · January 5, 2026, 10:54am

Could you clarify whether the router with 192.168.50.1 is directly connected to the X3000 or connected as a WireGuard client through a VPN tunnel?

Also, is your goal wish to connect to the X3000 via WireGuard on your phone while accessing devices at both 192.168.6.1 and 192.168.50.1?

blancmange · January 5, 2026, 10:59am

Yes, the 192.168.50.1 router is connected via Ethernet cable to the Spitz, it gets its internet WAN from the Spitz.

And yes, from mobile id like to access 192.168.50.1 and all of its devices….

At the moment using the WG server of the Spitz, I can only access the Spitz from my mobile. I cant access the downstream router or its devices on my home network.

will.qiu · January 5, 2026, 11:01am

Thank you for the clarification.
We'll need some time to set up the test environment and take a look. We'll provide an update later.

will.qiu · January 7, 2026, 8:26am

We have successfully verified this configuration locally using a Spitz AX (GL-X3000) running firmware v4.8.3 as the primary router.

To allow your WireGuard clients to access resources on a downstream router (like a BE9300 at 192.168.50.1), please follow these steps:

1. On the Spitz AX (Primary Router)

Enable Remote Access: Go to VPN > WireGuard Server > Options and turn on "Allow Remote Access to the LAN Subnet."

image1321×767 39.9 KB
Add a Static Route: To tell the Spitz AX how to find the 192.168.50.x network, navigate to LuCI > Network > Routing > Static IPv4 Routes and add a new route:
- Interface: lan
- Target: 192.168.50.0/24
- Gateway: [Enter the IP address that the Spitz AX has assigned to the downstream router].

Pro-Tip: Assign a Static IP to the downstream router (under Network > LAN) to ensure this route remains active if the device reboots.

image1302×865 47.8 KB

2. On the Downstream Router (e.g., BE9300)

Firewall Adjustment: By default, routers block incoming traffic on the WAN port. To allow the WireGuard remote traffic through, go to LuCI > Network > Firewall and modify the WAN zone to allow Forwarding to the LAN zone.

image1157×491 42.8 KB

image951×801 46.4 KB

Verification: Once these steps are complete, your mobile WireGuard clients will be able to reach the downstream router and its connected devices directly.
image773×650 15.2 KB

blancmange · January 7, 2026, 12:11pm

Thank you SO much @will.qiu It works! I’ve been wanting to do this for a few years! Finally!

I asked a few years ago and nobody could help.

I’m very happy! Incidentally the downstream router is an Asus. Thank you again.