I don’t understand either.
Please do a drawing (a handwritten one will do) with all the addresses/netmasks mentioned and post it somewhere.
Where is 10.0.1.0/24 exactly ?
As I said, the two networks (10.0.1.0/24 & 10.0.2.0/24) can communicate wonderfully in both directions.
The network behind the Fritzbox (10.0.1.0/24) also connects wonderfully directly to the Internet via DSL. However, the network behind the RUTC (10.0.2.0/24) does not have direct access to the Internet via mobile (4G/5G) and I have no idea why not.
I think it’s due to some firewall setting that LAN is not allowed into the WAN or something…???
Ok it is clear now. You can’t use 10.0.2.0/24 addresses for the wg tunnel the routes will be trashed the RUTC will not be able to answer to any packet.
Either change the wg addresses, or change the lan address/netmask of the RUTC (easier ? 10.0.3.0/24 will do).
No, not there. Go to Network->Lan, edit it with the pen and set the IPv4 address to 10.0.3.1 netmask to 255.255.255.0, Save and apply.
You’ll have to reload the configuration of all the lan clients.
Okay, it’s working now.
First of all, thank you very much for that.
I don’t understand why though.
I still come from the IPsec world. Each side has entered its local network and its remote network.
What is Wireguard now 10.0.2.0/24 (in my case) when my local network is now 10.0.3.0/24. Where or what is the 10.0.2.0/24 network now?
10.0.2.0/24 is for the two wg enpoints (the FB and the RUTC).
You must change the AllowedIps field on the FB, add 10.0.3.0/24
in order to be able to reach/reply to lan devices on the RUTC side from the FB side.
The logic is the same as in IPSEC. On A set allowedIPs to B’s wg endpoint + B’s lan, and on B set allowedIPs to A’s wg endpoint + A’s lan.
I really don’t understand it, sorry. Then why do I have to change my LAN from 10.0.2.0/24 to 10.0.3.0/24 and yet leave the local IP network on the GW at 10.0.2.0/24?
Got it at the end.
Contrary to Wireguard, IPSEC may or may not have a specific interface.
So if you use IPSEC you can do with only one interface/IP/mask this was the 10.0.2.0/20 in your initial configuration.
You can also have a tun interface for IPSEC, but this appears to be less used.
Wireguard doesn’t give the choice, a tun interface is required, with its own IP address/netmask.
So the local IP network is not 10.0.2.0/24 it is 10.0.3.0/24 as you can see with “ifconfig br-lan”.
10.0.2.0/24 is the network of the wg interface, do a “ifconfig HentHome” you’ll see it.
And of course you have also a wan or mobile interface with yet another IP/mask pair. Do a “ifconfig” you’ll find it.
This topic was automatically closed after 15 days. New replies are no longer allowed.