WireGuard / wireguard-vyatta-ubnt

WireGuard for Ubiquiti Devices
https://www.wireguard.com/
GNU General Public License v3.0

USG as wireguard server, Client has no internet connection #100

Open sunnysk opened 2 years ago

sunnysk commented 2 years ago

I followed the readme usage steps one by one and successfully installed WireGuard on the USG. Then I can use an Android phone to connect to WireGuard, and I can also use the Android phone to visit my NAS server. At this moment, my Android phone can't connect to the internet; it only has the LAN connection. I'm not familiar with the router OS, so can anyone help me solve this problem? Thx a lot

dc361 commented 2 years ago

Perhaps someone with USG experience can jump in as I do not have one of the units to test - but - I see that the USG example shows peers connecting only to the network 'inside' the USG and not the internet. Perhaps you would need to add 0.0.0.0/0 to the allowed IPs for your android peer.

sunnysk commented 2 years ago

> Perhaps someone with USG experience can jump in as I do not have one of the units to test - but - I see that the USG example shows peers connecting only to the network 'inside' the USG and not the internet. Perhaps you would need to add 0.0.0.0/0 to the allowed IPs for your android peer.

I was using 0.0.0.0/0 for the Android peer. Still can't visit the internet, only has LAN connection.

andreheuer commented 2 years ago

Hi all, I do have the same issue. I can access all local networks (i.e. also VLANs) even though the networks are isolated, but I cannot access any internet (WAN) address / IP. It seems that some routing is missing, but I have no clue where to add it etc. Can someone support please?

peacey commented 2 years ago

I don't have a USG, but this seems like a symptom of not having proper masquerade (SNAT) rules setup for your WAN interface. Either that or there is a firewall rule blocking packets from travelling from WireGuard to WAN.

To really figure out what's happening, I would do a tcpdump on the USG: sudo tcpdump -ni any host 1.1.1.1 then run ping 1.1.1.1 on the WireGuard client. See how the packets travel and if it is being SNATed on the WAN. For a control test, you can do the same tcpdump, but ping from a USG LAN client instead to see what it should look like when it works.

andreheuer commented 2 years ago

Thank you for this hint. It is almost what I had expected. The ping is sent out, but no response is received. This is how it looks from my WireGuard client:

15:57:55.241875 IP 10.0.80.2 > 1.0.0.1: ICMP echo request, id 13479, seq 0, length 64
15:57:55.242096 IP 10.0.80.2 > 1.0.0.1: ICMP echo request, id 13479, seq 0, length 64
15:57:56.247051 IP 10.0.80.2 > 1.0.0.1: ICMP echo request, id 13479, seq 1, length 64
15:57:56.247224 IP 10.0.80.2 > 1.0.0.1: ICMP echo request, id 13479, seq 1, length 64
15:57:57.250794 IP 10.0.80.2 > 1.0.0.1: ICMP echo request, id 13479, seq 2, length 64
15:57:57.250976 IP 10.0.80.2 > 1.0.0.1: ICMP echo request, id 13479, seq 2, length 64

And this is how it looks from a normal client with working internet access:

15:56:41.138409 IP 10.0.10.7 > 1.0.0.1: ICMP echo request, id 2, seq 1, length 64
15:56:41.138662 IP 10.0.10.7 > 1.0.0.1: ICMP echo request, id 2, seq 1, length 64
15:56:41.151375 IP 1.0.0.1 > 10.0.10.7: ICMP echo reply, id 2, seq 1, length 64
15:56:41.151622 IP 1.0.0.1 > 10.0.10.7: ICMP echo reply, id 2, seq 1, length 64
15:56:42.138916 IP 10.0.10.7 > 1.0.0.1: ICMP echo request, id 2, seq 2, length 64
15:56:42.139158 IP 10.0.10.7 > 1.0.0.1: ICMP echo request, id 2, seq 2, length 64
15:56:42.151357 IP 1.0.0.1 > 10.0.10.7: ICMP echo reply, id 2, seq 2, length 64
15:56:42.151553 IP 1.0.0.1 > 10.0.10.7: ICMP echo reply, id 2, seq 2, length 64

However, I cannot differentiate if it is a NAT issue or due to firewall rules blocking the ping reply. Do you have more insights? Your support is really appreciated, thank you!
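The diagnostic peacey suggests (capture on the USG while the client pings, then compare a WireGuard client against a LAN client) can be turned into a small checker. The script below is an added example and is not part of this thread or of wireguard-vyatta-ubnt. It parses tcpdump's ICMP lines, pairs echo requests with echo replies by sequence number, and reports whether the source address was ever rewritten on the way out (the sign of masquerade on the capture). The two captures from the post are embedded as sample input; the third capture, showing what a masqueraded exchange looks like with a WAN address of 203.0.113.5, is constructed for illustration. The verdict strings are this example's own interpretation of the evidence, not wording from the project.

```python
import re

# Sample input: the two captures posted above, one packet per line.
WG_CLIENT_DUMP = """\
15:57:55.241875 IP 10.0.80.2 > 1.0.0.1: ICMP echo request, id 13479, seq 0, length 64
15:57:55.242096 IP 10.0.80.2 > 1.0.0.1: ICMP echo request, id 13479, seq 0, length 64
15:57:56.247051 IP 10.0.80.2 > 1.0.0.1: ICMP echo request, id 13479, seq 1, length 64
15:57:56.247224 IP 10.0.80.2 > 1.0.0.1: ICMP echo request, id 13479, seq 1, length 64
"""
LAN_CLIENT_DUMP = """\
15:56:41.138409 IP 10.0.10.7 > 1.0.0.1: ICMP echo request, id 2, seq 1, length 64
15:56:41.138662 IP 10.0.10.7 > 1.0.0.1: ICMP echo request, id 2, seq 1, length 64
15:56:41.151375 IP 1.0.0.1 > 10.0.10.7: ICMP echo reply, id 2, seq 1, length 64
15:56:41.151622 IP 1.0.0.1 > 10.0.10.7: ICMP echo reply, id 2, seq 1, length 64
"""
# Constructed sample (not from the thread): a capture on "any" that includes the WAN
# side, so the request is seen once with the private source and once after SNAT.
SNAT_DUMP = """\
16:00:01.000100 IP 10.0.80.2 > 1.1.1.1: ICMP echo request, id 7, seq 1, length 64
16:00:01.000200 IP 203.0.113.5 > 1.1.1.1: ICMP echo request, id 7, seq 1, length 64
16:00:01.010000 IP 1.1.1.1 > 203.0.113.5: ICMP echo reply, id 7, seq 1, length 64
16:00:01.010100 IP 1.1.1.1 > 10.0.80.2: ICMP echo reply, id 7, seq 1, length 64
"""

# Matches tcpdump's default one-line rendering of an ICMP echo packet.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse(dump):
    """Return (kind, src, dst, id, seq) tuples for every ICMP echo line."""
    pkts = []
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            pkts.append((d["kind"], d["src"], d["dst"], int(d["id"]), int(d["seq"])))
    return pkts


def analyse(dump, client_ip):
    """Summarise one capture taken on the router while client_ip pings out."""
    pkts = parse(dump)
    requests = [p for p in pkts if p[0] == "request"]
    # Sets collapse the duplicate lines that "-i any" produces (ingress + egress).
    req_seqs = {p[4] for p in requests}
    # A request source other than the client's address means the router rewrote
    # the source before forwarding, i.e. masquerade was applied on this capture.
    snat_seen = any(p[1] != client_ip for p in requests)
    # Only replies addressed back to the client count as delivered.
    reply_seqs = {p[4] for p in pkts if p[0] == "reply" and p[2] == client_ip}
    unanswered = sorted(req_seqs - reply_seqs)

    if not requests:
        verdict = "no echo requests from client seen"
    elif unanswered and not snat_seen:
        verdict = "no SNAT seen and no replies: check masquerade rule and forward firewall"
    elif unanswered:
        verdict = "SNAT seen but no replies reached client: return path or firewall"
    elif snat_seen:
        verdict = "ok: requests masqueraded and replies delivered"
    else:
        verdict = "replies delivered, but no SNAT visible: capture may not include WAN side"
    return {"snat_seen": snat_seen, "unanswered": unanswered, "verdict": verdict}


if __name__ == "__main__":
    for label, dump, ip in (("wireguard", WG_CLIENT_DUMP, "10.0.80.2"),
                            ("lan", LAN_CLIENT_DUMP, "10.0.10.7"),
                            ("snat", SNAT_DUMP, "10.0.80.2")):
        print(label, analyse(dump, ip))
```

Run it against the output of `sudo tcpdump -ni any host 1.1.1.1` (or, as peacey asks, a capture limited to the WAN interface) saved to a file; capturing on `any` shows each packet on every interface it crosses, which is why the sets above de-duplicate by sequence number.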

peacey commented 2 years ago

Hi @andreheuer,

Surprisingly, I don't see the NAT in the output in either case. Did you do a tcpdump on "any" interface or just on your LAN interface? Can you do a tcpdump on your WAN interface and try again? You are doing the tcpdump directly on the USG in SSH, not the clients right? Also, is 10.10.10.0/24 your WAN subnet or LAN subnet?

Also, is there a way to export all your firewall rules and show them? This way we can inspect them to see if they're blocking forwarding packets or not doing masquerade. I think you can export your whole config by running mca-ctrl -t dump-cfg. Copy all of it and paste it in a text file and upload it here.

andreheuer commented 2 years ago

Hi @peacey,

You directly pointed me to my issue. Seemed to be a layer 8 problem ;-) I do have a kind of double NAT, as behind the USG is another router. As I had created a new network for the WireGuard users, I almost forgot to add a static route to this first router. Now I have added the static route and internet routing works like a charm!

Thank you!

sunnysk commented 2 years ago

@andreheuer could you show me your solution config please? Thank you !

andreheuer commented 2 years ago

@sunnysk it is almost the standard config for WireGuard. I have moved the firewall rules into the UI, so they are not in the config JSON:

{
    "service": {
        "nat": {
            "rule": {
                "5999": {
                    "exclude": "''",
                    "outbound-interface": "eth0",
                    "type": "masquerade"
                }
            }
        }
    },
    "interfaces": {
        "wireguard": {
            "wg0": {
                "description": "Wireguard VPN",
                "address": [
                    "10.0.80.1/24"
                ],
                "firewall": {
                    "in": {
                        "name": "LAN_IN"
                    },
                    "local": {
                        "name": "LAN_LOCAL"
                    },
                    "out": {
                        "name": "LAN_OUT"
                    }
                },
                "listen-port": "62133",
                "mtu": "1500",
                "peer": [
                    {
                        "XXXXXXX": {
                            "allowed-ips": [
                                "10.0.80.2/32"
                            ],
                            "persistent-keepalive": 25
                        }
                    },
                    {
                        "XXXXXXX": {
                            "allowed-ips": [
                                "10.0.80.3/32"
                            ],
                            "persistent-keepalive": 25
                        }
                    }
                ],
                "private-key": "XXXXXXXX",
                "route-allowed-ips": "true"
            }
        }
    }
}
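The config above exposes the two things peacey asked to inspect: a masquerade rule on the WAN interface and the firewall rulesets attached to wg0. The checker below is an added example, not code from this thread or from wireguard-vyatta-ubnt; it reads a config dump in the JSON shape shown above (the shape produced by the `mca-ctrl -t dump-cfg` export mentioned earlier is assumed to match) and flags the settings that would leave VPN clients without WAN access: no masquerade rule for the WAN interface, no firewall rulesets bound to the tunnel, and `route-allowed-ips` not enabled. It also warns when the tunnel MTU exceeds WireGuard's default of 1420, which is a general caveat and not something the thread identifies as the cause here. The sample configs are constructed from the posted one, with placeholder keys.

```python
import copy
import json

# Constructed sample: the config posted above, abridged, with placeholder keys.
CONFIG_OK = json.loads("""
{
  "service": {"nat": {"rule": {"5999": {"exclude": "''",
                                         "outbound-interface": "eth0",
                                         "type": "masquerade"}}}},
  "interfaces": {"wireguard": {"wg0": {
      "address": ["10.0.80.1/24"],
      "firewall": {"in": {"name": "LAN_IN"}, "local": {"name": "LAN_LOCAL"},
                   "out": {"name": "LAN_OUT"}},
      "listen-port": "62133",
      "mtu": "1500",
      "peer": [{"PEER_KEY_PLACEHOLDER_1": {"allowed-ips": ["10.0.80.2/32"],
                                           "persistent-keepalive": 25}},
               {"PEER_KEY_PLACEHOLDER_2": {"allowed-ips": ["10.0.80.3/32"],
                                           "persistent-keepalive": 25}}],
      "private-key": "PRIVATE_KEY_PLACEHOLDER",
      "route-allowed-ips": "true"}}}
}
""")

# Constructed weak variant: the masquerade rule and firewall binding are missing
# and route-allowed-ips is off, so peers could reach the USG but not the WAN.
CONFIG_BROKEN = copy.deepcopy(CONFIG_OK)
del CONFIG_BROKEN["service"]["nat"]
wg0_broken = CONFIG_BROKEN["interfaces"]["wireguard"]["wg0"]
del wg0_broken["firewall"]
wg0_broken["route-allowed-ips"] = "false"

WIREGUARD_DEFAULT_MTU = 1420


def masquerade_rules(cfg, wan_if):
    """Rule numbers of masquerade NAT rules whose outbound interface is wan_if."""
    rules = cfg.get("service", {}).get("nat", {}).get("rule", {})
    return sorted(num for num, r in rules.items()
                  if r.get("type") == "masquerade"
                  and r.get("outbound-interface") == wan_if)


def check_wireguard(cfg, wan_if="eth0"):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if not masquerade_rules(cfg, wan_if):
        findings.append(f"no masquerade NAT rule with outbound-interface {wan_if}")
    tunnels = cfg.get("interfaces", {}).get("wireguard", {})
    if not tunnels:
        findings.append("no wireguard interface configured")
    for name, iface in tunnels.items():
        if "firewall" not in iface:
            findings.append(f"{name}: no firewall rulesets attached (in/local/out)")
        if iface.get("route-allowed-ips") != "true":
            findings.append(f"{name}: route-allowed-ips is not true; "
                            "peer allowed-ips are not installed as routes")
        mtu = int(iface.get("mtu", WIREGUARD_DEFAULT_MTU))
        if mtu > WIREGUARD_DEFAULT_MTU:
            findings.append(f"{name}: mtu {mtu} exceeds the WireGuard default of "
                            f"{WIREGUARD_DEFAULT_MTU}; tunnel packets may fragment")
        for entry in iface.get("peer", []):
            for pubkey, peer in entry.items():
                if not peer.get("allowed-ips"):
                    findings.append(f"{name}: peer {pubkey[:8]}... has no allowed-ips")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted config", CONFIG_OK), ("broken variant", CONFIG_BROKEN)):
        print(label)
        for f in check_wireguard(cfg):
            print("  -", f)
```

Against the posted config the only finding is the MTU warning; the broken variant additionally reports the missing masquerade rule, the unbound firewall and the disabled route-allowed-ips. The checker cannot see the upstream router that turned out to be the real cause in this thread (the missing static route for 10.0.80.0/24 behind a double NAT), which is why the tcpdump comparison remains the decisive test.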