ER7206 - Wireguard "Allowed Address" issue

ER7206 - Wireguard "Allowed Address" issue

37 Reply
Re:ER7206 - Wireguard "Allowed Address" issue
2024-06-12 01:19:17

Hi @Navas1 

Thanks for posting in our business forum.

Navas1 wrote

I am trying to achieve the following

 

a) I have a dedicated wireguard server in a remote datacenter ( configured as 192.168.4.0/24 )

b) I have PC's from multiple locations connecting that wireguard server as clients (peers) 

c) I have an office ROUTER (ER7206) with LAN subnet of 192.168.0.0/24 and I want to access all the peers connected to the wireguard server ( 192.168.4.0/24 )

 

when I set Allowed address as 0.0.0.0/0 then I can access those 192.168.4.0/24 subnets but the issue is all of my internet traffic is routed through wireguard tunnel. I don't want that I only want to access my wireguard peers and not the whole internet. Internet should be routed through my local gateway WAN

 

Please let me know if you need any more info.

I hold a grain of salt about your statement.

First, you whole remote subnet is 192.168.4.0/24. Yep, no problem with that.

Allowed IP address is supposed to be 192.168.4.0/24 and you should be able to ping the remote peer WG int IP. Will you be able to do that? Paste a screenshot here.

 

Second, your config on the 7206, seems to be good.

But what are the devices WG IP addresses?

If you can ping the WG int IP, you are accessible and available in the WG subnet which means you should be able to ping other clients that get a WG IP.

Have you considered that if there is a problem with your clients' firewall?

 

So, here's the thing, our troubleshoot and walkthrough stops when you can access the remote peer WG int IP which reflects that the WG tunnel is up and you are actually connected to the remote peer network. 

Get a computer connected to that if possible. That's the most efficient way to test this if there is a problem with WG or not.

 

But if you cannot ping other devices, that should be a problem you troubleshoot yourself as it's beyond our ability as the WG works and we cannot determine any problems with your remote devices.

From the Omada router to the remote peer, this WG tunnel as long as it is good, the rest of the issues you experience should not result from the Omada router because the tunnel is up and there is nothing we can configure to work around it. The routing tables are created and working already.

 

Navas1 wrote

OK, thanks for the clarifications.

 

It seems I have wasted around ~200 bucks

 

I should have gone with openwrt with cheaper router. big mistake.

 

What a disappointment

 

If you compare us to an open-source router system, that's a wrong track that we never intend to compete with. TBH, we don't take open-source systems as our competitors and we don't intend to complete what they can do.

If you prefer that kind of system, please kindly return this product in time if it is still under the return window. Policy may vary from the vendors you purchase.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  1  
  1  
#12
Options
Re:ER7206 - Wireguard "Allowed Address" issue
2024-06-12 01:49:43

Thank you for your response.

 

I can't ping the WG int. IP from a PC connected to ER7206 through LAN port when I setup "Allowed Address"  as "192.168.4.0/24" Please see here for the screenshot

 

ping response of wg peer from my lan

 

 

 

ping response of wg peer within router. ( I logged in through SSH )

 

 

 

Here is the routing table

 

 

 

However when I set "Allowed Address" as "0.0.0.0/0" I was able to ping WG int. IP from my LAN, but my internet traffic goes through my WG VPN tunnel 

 

Please let me know if you need any more details.

 

  0  
  0  
#13
Options
Re:ER7206 - Wireguard "Allowed Address" issue
2024-06-12 01:52:12

ping from my LAN

 

 

ping within ER7206 router ( I logged in through SSH )

 

 

routing table

 

  0  
  0  
#14
Options
Re:ER7206 - Wireguard "Allowed Address" issue
2024-06-12 01:52:45

Routing table

 

  0  
  0  
#15
Options
Re:ER7206 - Wireguard "Allowed Address" issue
2024-06-12 01:53:38

Sorry I don't know why it is not displaying the routing table image, here is text

 

Routing Table

Entry Count:

 

ID Destination IP Subnet Mask Next Hop Interface Metric

1 0.0.0.0 0.0.0.0 192.168.68.1 WAN2 0
2 192.168.0.0 255.255.255.0 0.0.0.0 LAN 0
3 192.168.4.0 255.255.255.0 0.0.0.0 WG 9999
4 192.168.68.0 255.255.252.0 0.0.0.0 WAN2 0
5 192.168.68.1 255.255.255.255 0.0.0.0 WAN2 0
6 192.168.200.1 255.255.255.255 192.168.68.1 WAN2 0
  0  
  0  
#16
Options
Re:ER7206 - Wireguard "Allowed Address" issue
2024-06-12 01:58:49 - last edited 2024-06-12 02:00:35

Hi @Navas1 

Thanks for posting in our business forum.

Navas1 wrote

ping from my LAN

 

 

ping within ER7206 router ( I logged in through SSH )

 

 

routing table

 

 

SSH and ER7206 can ping it which means it is working.

 

What's the IP of the macOS? The routing table of the macOS?

 

Do you have any static routing? Can you screenshot and paste it here directly?

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#17
Options
Re:ER7206 - Wireguard "Allowed Address" issue
2024-06-12 02:07:58

IP address on MAC

 

 

Routing table

 

  0  
  0  
#18
Options
Re:ER7206 - Wireguard "Allowed Address" issue
2024-06-12 02:08:37

Routing table

 

navas@Navass-MacBook-Pro ~ % netstat -rn           

Routing tables

 

Internet:

Destination        Gateway            Flags           Netif Expire

default            192.168.0.1        UGScg             en5       

13.201.205.86      192.168.8.1        UGHS              en0       

35.186.199.111     192.168.8.1        UGHS              en0       

43.204.135.234     192.168.8.1        UGHS              en0       

100.108/16         utun100            USc           utun100       

100.108.51.9       100.108.51.9       UH            utun100       

127                127.0.0.1          UCS               lo0       

127.0.0.1          127.0.0.1          UH                lo0       

169.254            link#28            UCS               en5      !

192.168.0          link#28            UCS               en5      !

192.168.0.1/32     link#28            UCS               en5      !

192.168.0.1        50:91:e3:80:5f:e8  UHLWIir           en5   1192

192.168.0.100/32   link#28            UCS               en5      !

192.168.0.255      ff:ff:ff:ff:ff:ff  UHLWbI            en5      !

224.0.0/4          link#28            UmCS              en5      !

224.0.0.251        1:0:5e:0:0:fb      UHmLWI            en5       

239.255.255.250    1:0:5e:7f:ff:fa    UHmLWI            en5       

255.255.255.255/32 link#28            UCS               en5      !

  0  
  0  
#19
Options
Re:ER7206 - Wireguard "Allowed Address" issue
2024-06-12 02:34:55

Hi @Navas1 

Thanks for posting in our business forum.

Navas1 wrote

Routing table

 

navas@Navass-MacBook-Pro ~ % netstat -rn           

Routing tables

 

Internet:

Destination        Gateway            Flags           Netif Expire

default            192.168.0.1        UGScg             en5       

13.201.205.86      192.168.8.1        UGHS              en0       

35.186.199.111     192.168.8.1        UGHS              en0       

43.204.135.234     192.168.8.1        UGHS              en0       

100.108/16         utun100            USc           utun100       

100.108.51.9       100.108.51.9       UH            utun100       

127                127.0.0.1          UCS               lo0       

127.0.0.1          127.0.0.1          UH                lo0       

169.254            link#28            UCS               en5      !

192.168.0          link#28            UCS               en5      !

192.168.0.1/32     link#28            UCS               en5      !

192.168.0.1        50:91:e3:80:5f:e8  UHLWIir           en5   1192

192.168.0.100/32   link#28            UCS               en5      !

192.168.0.255      ff:ff:ff:ff:ff:ff  UHLWbI            en5      !

224.0.0/4          link#28            UmCS              en5      !

224.0.0.251        1:0:5e:0:0:fb      UHmLWI            en5       

239.255.255.250    1:0:5e:7f:ff:fa    UHmLWI            en5       

255.255.255.255/32 link#28            UCS               en5      !

There is no 192.168.4.0/24 route on your PC.

Try:

sudo route -n add -net 192.168.4.0/24 192.168.0.1

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#20
Options
Re:ER7206 - Wireguard "Allowed Address" issue
2024-06-12 03:02:52

Hi, thank you for you response,

 

still no luck, 

 

navas@Navass-MacBook-Pro ~ % netstat -rn                                      

Routing tables

 

Internet:

Destination        Gateway            Flags           Netif Expire

default            192.168.0.1        UGScg             en5       

13.201.205.86      192.168.8.1        UGHS              en0       

35.186.199.111     192.168.8.1        UGHS              en0       

43.204.135.234     192.168.8.1        UGHS              en0       

100.108/16         utun100            USc           utun100       

100.108.51.9       100.108.51.9       UH            utun100       

127                127.0.0.1          UCS               lo0       

127.0.0.1          127.0.0.1          UH                lo0       

169.254            link#28            UCS               en5      !

192.168.0          link#28            UCS               en5      !

192.168.0.1/32     link#28            UCS               en5      !

192.168.0.1        50:91:e3:80:5f:e8  UHLWIir           en5   1163

192.168.0.100/32   link#28            UCS               en5      !

192.168.0.255      ff:ff:ff:ff:ff:ff  UHLWbI            en5      !

192.168.4          192.168.0.1        UGSc              en5       

224.0.0/4          link#28            UmCS              en5      !

224.0.0.251        1:0:5e:0:0:fb      UHmLWI            en5       

239.255.255.250    1:0:5e:7f:ff:fa    UHmLWI            en5       

255.255.255.255/32 link#28            UCS               en5      !

  0  
  0  
#21
Options