Passing Traffic - Firewall rules
Nimda11 opened this issue · 7 comments
I have it working (WG 0.0.20190913 on USG3 4.4.44.5213844) but I am unable to pass any traffic (ping, DNS or HTTP/S).
Is there a firewall configuration that I am missing? If so, can I assume that the WG interfaces don't use the native Vyatta firewall configuration and I'll need to modify iptables?
Not sure if this is a bug or a feature.
Best,
- Sam
What do you have for the allowed-ips directive? You will likely need to write firewall/iptables rules to force traffic from specific hosts over the interfaces in question. Vyatta does not typically allow 0.0.0.0/0 rules, as that'd overwrite the entire route table and thus the router could not communicate with the VPN server.
My suggestion is to establish a VLAN that you want to route through your WireGuard interfaces and set up rules to do so.
Thanks for the reply.
My Allowed-IPs directive is True
I'm not trying to route 0.0.0.0/0, just a few subnets on my home lab that I need access to.
Regarding VLANing: are you saying I should create a VLAN interface attached to wg0 and configure it like any other Ethernet interface?
If you are not routing all traffic you do not need to create a separate vlan.
Here's what you need to do:
1. Ensure "route-allowed-ips" is set to "true".
2. Then, under peer, make sure you set the "allowed-ips", which should contain the subnets you want to route to that specific WireGuard (wg) interface.
At that point the subnets should be routing. Try pinging a remote VPN host from the router directly once you confirm that "wg" is showing up.
That's how I am/was set up. No worky, which is why I was asking about firewall rules etc.
Did you create a masquerade for wg0 on the source NAT page? You’ll need that most likely depending on how you have the setup. Are you able to ping from the router to a remote VPN host (using the private IP)?
Sent with GitHawk
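The two suggestions in this thread (route-allowed-ips plus per-peer allowed-ips, and a masquerade rule on wg0) combined into one EdgeOS/Vyatta-style configure session, followed by the checks the comments ask for. This is an added example, not configuration from the thread or from the wireguard-vyatta-ubnt project; the interface address, private-key path, peer key, endpoint, lab subnets and NAT rule number are assumed placeholders.

```text
# Added example (not from the issue): EdgeOS/Vyatta configure session for a
# wireguard-vyatta-ubnt interface. All addresses, keys and names are placeholders.
configure

# The WireGuard interface itself (tunnel address, listen port, key file are assumed)
set interfaces wireguard wg0 address 10.255.0.2/24
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 private-key /config/auth/wg.key

# Install a route for every allowed-ips prefix of every peer on wg0
set interfaces wireguard wg0 route-allowed-ips true

# One peer; list only the lab subnets you actually need, not 0.0.0.0/0
set interfaces wireguard wg0 peer <PEER_PUBLIC_KEY> endpoint vpn.example.net:51820
set interfaces wireguard wg0 peer <PEER_PUBLIC_KEY> allowed-ips 10.255.0.0/24
set interfaces wireguard wg0 peer <PEER_PUBLIC_KEY> allowed-ips 192.168.50.0/24
set interfaces wireguard wg0 peer <PEER_PUBLIC_KEY> persistent-keepalive 25

# Source NAT so LAN clients leave the tunnel with the wg0 address (rule number assumed)
set service nat rule 5000 description "masquerade out wg0"
set service nat rule 5000 outbound-interface wg0
set service nat rule 5000 type masquerade

commit
save
exit

# Checks: the peer shows a recent handshake and transfer counters, and the
# router itself can reach a host on the remote lab subnet
sudo wg show wg0
ping -c 3 192.168.50.1
```

Two points worth keeping in mind when reading the output. First, allowed-ips is not only a route list: WireGuard also uses it as the inbound filter, so a reply whose source address is outside the peer's allowed-ips is silently dropped, which is exactly the symptom of "handshake fine, no traffic". Second, the masquerade means the lab sees every LAN client as the wg0 address; if the lab side needs to tell clients apart, the alternative is to add a return route for the LAN prefix on the remote end and leave NAT off. On a USG, configuration entered this way is overwritten at the next controller provision unless it is also placed in config.gateway.json.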
Following up on this... did the masquerade fix your issue?