How to setup wireguard properly on ER605?
Found out the issue is with the allowed IPs in the peer setting: 0.0.0.0/0 doesn't work.
(This is different from other vendors' implementations.)
Given the fact that the peer of the server is the client, the configuration can only be the same; in other vendors' implementations such info is generated using a QR code to avoid typo errors, and they also don't use the allowed IPs as a routing entry.
I guess different teams have different design philosophies, just get used to it (though it took me a lot of time and testing to figure out the reason).
Hi @BruceInSG
Thanks for posting in our business forum.
You don't have a public IP address based on the last picture. Be sure you mosaic the public key when you post something like this.
Hi @BruceInSG
Thanks for posting in our business forum.
BruceInSG wrote
Thanks for pointing this out. But:
Yes, the ER605 has only a private IP, 192.168.1.2, but that's OK, because I do port forwarding from the GPON to it, and the WG connection is up and running.
The issue is really that I cannot access the internet; I cannot even ping 192.168.1.0/24 (which is the same subnet as the ER605's uplink).
1) On the ER605, the default route is pointing to my GPON's 192.168.1.254.
The expected traffic flow should be: wg client -> GPON (public IP), port forwarding -> ER605 wg server -> (back to) GPON -> Internet?
2) On the ER605, I set up an IPsec VPN, and the same topology worked for an iPhone:
iPhone (IKEv2/PSK) -> GPON (public IP), port forwarding -> ER605 IPsec VPN (client-to-site setting) -> (back to) GPON -> Internet
In comparison, I have another 3rd-party vendor's router; I also run a WG server on it, with of course different key pairs/subnets/port forwarding numbers.
The traffic from my PC's wg client -> GPON (public IP) -> that 3rd-party router -> (back to) GPON -> Internet is working.
Though there is an extra setting I did there (I'm not sure if it is relevant): that 3rd-party vendor's router is acting as a side gateway (not because of this WG configuration, but as a general setting for my other devices' static routes), and I was told by that vendor's tech support to add:
# drop-in gateway features: to enable forwarding
iptables -I FORWARD -j ACCEPT
iptables -I INPUT -j ACCEPT
Is that a similar reason/root cause?
Nonetheless, it is still strange that I cannot even ping the p2p interface IP from the WG connection with the ER605.
Take a look at the insight about the VPN tunnel. Is the WG even up on the router? Still the IP thing I think.
It does not connect and that's why you don't have any ping working.
Looking forward to seeing some pictures of the setup and verification of the tunnel.
Hi @BruceInSG
Thanks for posting in our business forum.
BruceInSG wrote
Thanks, I just edited my post while your reply came in at the same time;
I drew a network diagram for you.
The GPON has an external public IP.
From my WG client I can access the web interface of the ER605 (192.168.6.1) and ping 192.168.6.xx/24 on the internal LAN,
but I cannot access the ER605's web interface on 192.168.1.2, nor ping 192.168.1.xx/24.
No internet access (even using an IP directly, to ping 8.8.8.8).
Configuration of the wg client:
[Interface]
Address = 10.0.2.2/32
ListenPort = 56627
PrivateKey = xxxxx
DNS = 8.8.8.8
MTU = 1420
[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = public IP of GPON:51820
PersistentKeepalive = 25
PublicKey = yyyyyy
And the ping result with the wg connection up, to 10.0.2.1 (which is the wg VPN IP) and 192.168.6.1 (ER605 internal downlink LAN IP, not the ER605 uplink IP):
That's no longer an issue with the WG.
If you can ping the router and access its LAN IP to its web, that means the tunnel is up and running.
WAN access to the web requires access authority. You need to allow the WAN access in the Remote Assistance tab. However, if you are using the controller, then you don't have access to the web. Everything you need to view or configure is integrated into the controller.
Ping from WAN is also an option in the firewall settings.
I think you should check every tab of the router and see the Help Center or the User Guide to learn about the system.
On whether you can ping the Internet, or 8.8.8.8: I want to know if you can ping your 192.168.1.254 GPON (LAN IP). If you cannot ping 192.168.1.254, that indicates your WAN or the routing on the GPON LAN is not working as expected.
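The thread's root cause was AllowedIPs = 0.0.0.0/0 on the server-side peer entry, which the ER605 installs as a route. The following added example (not TP-Link's code, nor from any poster) parses a wg-quick style config, tolerating the fused "MTU = 1420[Peer]" line seen above, and lints a peer's AllowedIPs by role; the sample config is a constructed copy of the one posted, with placeholder keys and a documentation endpoint address.

```python
# Added example: lint WireGuard peer configs for the AllowedIPs pitfall in this thread.
# Assumption (from the thread): the ER605 installs each peer's AllowedIPs as routes, so a
# server-side peer entry should cover only the client's tunnel address, never 0.0.0.0/0.
import ipaddress
import re

# Constructed copy of the posted client config (placeholder keys, documentation IP).
# The "MTU = 1420[Peer]" line reproduces the fused header from the post.
CLIENT_CONF = """
[Interface]
Address = 10.0.2.2/32
ListenPort = 56627
PrivateKey = <client-private-key>
DNS = 8.8.8.8
MTU = 1420[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
PublicKey = <server-public-key>
"""

def parse_wg_conf(text):
    """Parse wg-quick style INI text into a list of (section, {key: value}) tuples."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        # A "[Section]" header may be glued onto the end of a value; split it off.
        for part in re.split(r"(\[[A-Za-z]+\])", line):
            part = part.strip()
            if re.fullmatch(r"\[[A-Za-z]+\]", part):
                current = (part[1:-1], {})
                sections.append(current)
            elif part and current is not None and "=" in part:
                key, _, value = part.partition("=")
                current[1][key.strip()] = value.strip()
    return sections

def lint_peer(allowed_ips, role, peer_tunnel_addr):
    """Return findings for one [Peer] AllowedIPs value.
    role: "client" (0.0.0.0/0 is the normal full-tunnel setting) or "server"
    (AllowedIPs becomes a route, so it must only cover the client's tunnel address).
    peer_tunnel_addr: the remote peer's tunnel address, e.g. "10.0.2.2/32"."""
    findings = []
    nets = [ipaddress.ip_network(n.strip()) for n in allowed_ips.split(",") if n.strip()]
    peer_ip = ipaddress.ip_interface(peer_tunnel_addr).ip
    if role == "server" and any(n.prefixlen == 0 for n in nets):
        findings.append("0.0.0.0/0 on a server-side peer becomes a default route on the router")
    if not any(peer_ip in n for n in nets):
        findings.append(f"peer tunnel address {peer_ip} not covered by AllowedIPs")
    return findings
```

Run `lint_peer("0.0.0.0/0", "server", "10.0.2.2/32")` to reproduce the reported misconfiguration, and `lint_peer("10.0.2.2/32", "server", "10.0.2.2/32")` for the corrected server-side entry.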