runfalk / synology-wireguard

WireGuard support for some Synology NAS drives
MIT License

Local ok but no internet #78

Open Morchipon opened 3 years ago

Morchipon commented 3 years ago

Hello. After a tedious setup, I managed to get WireGuard to work. But to have an internet connection, I have to uncheck the option 'Block all traffic except tunnel (switch)' in the Windows application, and then I am on the net. If this remains checked, I only have access to the local network.

DS920+

wg0.conf

[Interface]
Address = 10.200.200.1/16
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; sleep 5; ip route add 10.200.200.0/24 dev wg0
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = ..........................

[Peer]
PublicKey = ...................................
AllowedIPs = 10.200.200.2/32

[Peer]
PublicKey = ...................................
AllowedIPs = 10.200.200.3/32
Endpoint = 90.39.0.43:47574

[Peer]
PublicKey = ...................................
AllowedIPs = 10.200.200.4/32


lockevod commented 3 years ago

Forwarding is enabled?

Check https://linuxconfig.org/how-to-turn-on-off-ip-forwarding-in-linux

giss69 commented 2 years ago

Hello, I have the same issue. Local is working, but no internet is possible. Forwarding is active and I can see successful requests from WireGuard clients on Pi-hole, but no internet via browser or ping is possible.

HawkinsT commented 2 years ago

I have the exact same issue with a DS220+ (so also geminilake); I've spent several hours trying to get this to work now, but no luck. I'm able to connect to all local addresses except the two associated with my Synology NAS (however, I can connect to it through the WireGuard-assigned IP).

I have forwarding enabled on my NAS and even tried briefly letting all traffic through my router's firewall to check there wasn't some issue there.

If anyone has any ideas I'd love to hear them. I'm guessing it's either a bug with the geminilake build or the nas has to be configured differently somehow.

giss69 commented 2 years ago

I solved it with a DNS entry. Try Google's DNS 8.8.8.8 or your router.

HawkinsT commented 2 years ago

Thanks for responding. That wasn't my issue, but I did manage to finally solve it, and it turns out it was my configuration error. I needed to add POSTROUTING rules for both physical network interfaces on my NAS (eth0 and eth1) instead of just one, as I naively thought. With only one I'd get either LAN but not WAN, or WAN but not LAN.

I also had to enable 'First use IPv4 address to resolve domain names' under my Synology DNS advanced settings to get this working through NordVPN (separate but related issue).

nmespc commented 2 years ago

Hey there,

Just set up my DS920 with WireGuard and I seem to only be able to access the local network through the VPN connection.

Do you mind sharing your POSTROUTING rules for eth0 and eth1? Did you add the second interface even when not using the actual port on the NAS, or are you using both Ethernet ports?

Edit: Nvm... I had AdGuard set up in Docker and forgot to remove my local Unbound DNS settings from when I brought over the configs from my Raspberry Pi. When I set them to 9.9.9.9 it all works!

HawkinsT commented 2 years ago

Glad you got it sorted!

On the off chance it's ever useful to someone else, my rules are:

PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
PostUp = iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

I don't think tun0 is required for anything (this is my NordVPN connection that all outgoing external traffic goes through), but this was so temperamental getting set up initially that I added it in and have just left it since. I use both physical Ethernet ports, so my NAS has two local IP addresses. It was surprising to me that only one worked for WAN and the other for LAN in this context, but that was the case. I'm sure with only one physical connection I'd only need to specify the one associated adapter.

nmespc commented 2 years ago

Hey, thank you for replying. :)

For the sake of dual bandwidth, I have connected the second Ethernet port of my DS920 to the router as well. These are my PostUp and PostDown rules:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; sleep 5 ; ip route add 10.0.0.0/8 dev %i
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

I notice that you don't have this portion in your PostUp; any reason for that? iptables -A FORWARD -o %i -j ACCEPT;

I'm a novice with regard to these rules. I'm thinking I should add eth1 like you for the PostUp. May I ask what your PostDown rules look like? :)

Edit: This is what my rules would end up looking like, I guess, having the additional rule in the 2nd and 6th row that you don't have:

PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE

nmespc commented 2 years ago

Hi again, just wanted to add this update for anyone in a similar situation. I ended up having the following as my setup; not sure if it's 100% correct, but it's working very well for me:

PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
PostUp = iptables -t nat -A POSTROUTING -o bond0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o bond0 -j MASQUERADE

The download speeds are insane with Adaptive Load Balancing!!
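The slips discussed across this thread (a mistyped %i placeholder, a MASQUERADE rule missing for one of the NAS's egress interfaces, and PostUp rules with no PostDown cleanup) can be caught before wg-quick is run. The lint below is an added example written for this page, not code from synology-wireguard or from anyone's posted config; SAMPLE_CONF is a constructed file modelled on the thread's configs, and the caller supplies the egress interface list (eth0, eth1 and bond0 in this thread).

```python
import shlex

# Constructed sample modelled on the configs in this thread (not anyone's real file): it has the
# mistyped placeholder "i%", masquerades eth0 only, and has no PostDown cleanup at all.
SAMPLE_CONF = """[Interface]
Address = 10.200.200.1/24
PostUp = iptables -A FORWARD -i i% -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
"""

def hook_rules(conf_text, key):
    """(table, spec) for each iptables command in hook `key`; -A/-D is dropped so add and delete compare equal."""
    rules = []
    for line in conf_text.splitlines():
        name, _, value = line.partition("=")
        if name.strip() != key:
            continue
        for part in value.split(";"):
            argv = shlex.split(part)
            if not argv or argv[0] != "iptables":
                continue
            table, spec, i = "filter", [], 1
            while i < len(argv):
                if argv[i] == "-t":
                    table, i = argv[i + 1], i + 2
                elif argv[i] in ("-A", "-D"):
                    i += 1  # keep the chain name that follows, drop the action flag
                else:
                    spec.append(argv[i])
                    i += 1
            rules.append((table, tuple(spec)))
    return rules

def audit_wg_conf(conf_text, egress_ifaces):
    """Return a list of findings; an empty list means the hooks look consistent."""
    findings = []
    up = hook_rules(conf_text, "PostUp")
    down = set(hook_rules(conf_text, "PostDown"))
    for table, spec in up:
        for flag in ("-i", "-o"):
            if flag in spec:
                val = spec[spec.index(flag) + 1]
                if "%" in val and val != "%i":  # wg-quick only expands the exact token %i
                    findings.append(f"malformed interface placeholder {val!r}, expected %i")
        if (table, spec) not in down:
            findings.append("no PostDown cleanup for: " + " ".join(spec))
    for iface in egress_ifaces:  # every interface traffic can leave on needs its own MASQUERADE
        if ("nat", ("POSTROUTING", "-o", iface, "-j", "MASQUERADE")) not in up:
            findings.append(f"no MASQUERADE rule for egress interface {iface}")
    return findings
```

Run it as audit_wg_conf(open("/etc/wireguard/wg0.conf").read(), ["eth0", "eth1"]) on the NAS; an empty list means the hooks are symmetric and every listed interface is masqueraded.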