Help setting up guest wifi outside wireguard connection

I recently bought a Rut950 (latest firmware RUT9_R_00.07.06.16) to run wireguard vpn through the cellular connection. It's been working fine until I tried to run a “proprietary” workplace solution with Teams inside the wireguard vpn. Teams is glitching and not really working, maybe because the Rut950 can not handle the load. So I want to try to set up an additional network zone/guest network outside the wireguard vpn, to see if the glitching is reduced. My problem is the new guest network continues to pass through the wireguard vpn/has no connectivity.

To set up the guest network/wifi I follow this guide: How to set up a guest WiFi network - Teltonika Networks Wiki

The guest network is currently up and running giving me ip-address 10.10.10.103 and internet connection, even before following the guide to configure the firewall. My external ip-address at this point is the VPN external ip-address. Firewall settings BEFORE configuring a guest zone in the firewall:

Firewall settings AFTER following the guide to set up the guest zone:

At this point I have no internet connection when logging into the guest_wifi. I think my problem is not configuring the firewall correctly.

Any help would be great.

Before trying alternatives, try setting the WireGuard MTU to 1280 to see if that makes a difference.

Thanks, MTU was 1420, is now 1280. Still no connectivity from guest wifi.

Anyone?

I've got a functioning wireguard connection, but I can't get connectivity from the guest wifi.

It looks like this may well be your firewall settings. These are very much down to your individual usecase(s) and how you’ve chosen to deal with isolation.

You could try the below to see if it gets you started and then work up / down your particular needs from there.

For your lan zone > inter-zone forwardings …
Allow forward to destination zones = wan, wireguard, guestZone
Allow forward from source zones = wireguard

For your wireguard zone > inter-zone forwardings …
Allow forward to destination zones = lan
Allow forward from source zones = lan

For your guestZone zone > inter-zone forwardings …
Allow forward to destination zones = wan
Allow forward from source zones = lan

As I said, you have to config your firewall to YOUR specification. The above settings for instance would allow the lan to initiate traffic to your guestZone but the guestZone cannot initiate traffic to your lan zone - if your default policies are set to Forward = Reject.

Add/Delete/Amend as required by your needs.

If this is all new to you, then I’d highly recommend understanding firewall zone forwardings and traffic rules, as they are key to creating a secure network, along with the ‘default policies’ specified by Input / Output / Forward.

Once you’re happy that all can connect to the internet and you have your required VLAN isolation, then I believe you can look to PBR (Policy Based Routing) to force one VLAN via the WAN and another via the Wireguard Tunnel - you may find that you need to remove the lan’s ability to forward to the guestZone. Just have a play.
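A small model of the zone forwardings suggested above, added here as an example and not code from the thread or from Teltonika. It checks which zone may initiate traffic to which, and shows why guestZone = wan on its own is not enough when the default route already points into the tunnel (the PBR point). Interface names br-lan, mob1s1a1, wg0 and guest_wifi, and the Forward = Reject default, are assumptions.

```python
"""Model RutOS/OpenWrt firewall zone forwardings from the reply above."""

DEFAULT_FORWARD = "REJECT"  # the 'defaults' forward policy the reply assumes

# zone name -> interfaces attached to it (interface names are assumed)
ZONES = {
    "lan": {"br-lan"},
    "wan": {"mob1s1a1"},      # cellular uplink
    "wireguard": {"wg0"},     # the tunnel interface
    "guestZone": {"guest_wifi"},
}

# (src zone, dest zone) pairs taken from the reply's inter-zone forwardings
FORWARDINGS = {
    ("lan", "wan"), ("lan", "wireguard"), ("lan", "guestZone"),
    ("wireguard", "lan"),
    ("guestZone", "wan"),
}


def can_initiate(src, dst):
    """True if a NEW connection from zone src may be forwarded into zone dst."""
    if src == dst:
        return True  # intra-zone forwarding is governed by the zone itself
    if (src, dst) in FORWARDINGS:
        return True
    return DEFAULT_FORWARD == "ACCEPT"  # no explicit forwarding: defaults apply


def zone_of(iface):
    return next(z for z, ifs in ZONES.items() if iface in ifs)


def internet_reachable(src_zone, default_route_iface):
    """Forwardings do not pick the uplink; the routing table does.
    Traffic leaves via default_route_iface, so src_zone must be allowed
    to forward into THAT interface's zone, whatever 'wan' is allowed."""
    return can_initiate(src_zone, zone_of(default_route_iface))


def matrix():
    names = list(ZONES)
    return {s: {d: can_initiate(s, d) for d in names} for s in names}


if __name__ == "__main__":
    for s, row in matrix().items():
        print(f"{s:>10}: " + "  ".join(f"{d}={'Y' if ok else 'n'}" for d, ok in row.items()))
    print("guest internet, default route via wg0:     ", internet_reachable("guestZone", "wg0"))
    print("guest internet, default route via mob1s1a1:", internet_reachable("guestZone", "mob1s1a1"))
```

With the default route through wg0 the guest zone is blocked, because its only forwarding is to wan; only once the guest network is routed out via the cellular interface (or guestZone is also allowed to forward to wireguard) does it get connectivity.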
