Cannot Connect to 1x Specific Host Through WireGuard
-
Hi all,
I just got PFSense and configured WireGuard. It works perfectly, except I cannot ping or connect to a specific host, a Synology server.
I can connect to everything else on my network from my phone while on cell (no WiFi) through WireGuard except that 1x device.
While Connected with WireGuard from External:
10.1.0.1 - PFSense - can ping and connect
10.1.0.10 - Switch - can ping and connect
10.1.0.20 - Access Point - can ping and connect
10.1.0.40 - Synology - CANNOT ping or connect
10.1.0.80 - Desktop - can ping and connect
While Internal on Network with the Same Device:
can ping and connect to anything
Any ideas?
-
Also, I kept my old OpenVPN server up and that allows me to ping and connect to everything while external as well.
-
@ashkaan Without more info it's hard to tell. But if I was to guess it sounds like an Outbound NAT rule or a firewall rule could be missing or misconfigured.
Screenshots of your Outbound NAT rules, Wireguard interface, and the 10.1.0.40 firewall rules would be very helpful here.
Is the Wireguard tunnel set up as its own interface?
-
@dma_pf You got it! Also, I tried completely disabling the NAT and Firewall rules that relate to the Synology ("Server").
-
@ashkaan How about a picture of your NAT Rules?
Also, I'm correct in assuming that the Main network is 10.1.0.1/24? What is the VPN.net IP range and the Wireguard tunnel IP?
-
@dma_pf Oh, sorry! Yes, 10.1.0.X is MAIN and 10.4.0.X is VPN.
Also, more info: I'm using 443 UDP for WireGuard right now, but using the default port had the same result as well. Again, access to anything on the network except this one device.
-
@ashkaan Thanks for the info... need pic of outbound NAT rules.
-
@dma_pf Oops:
-
@ashkaan said in Cannot Connect to 1x Specific Host Through WireGuard:
Oh, sorry! Yes, 10.1.0.X is MAIN and 10.4.0.X is VPN.
Sorry about my delay, I got sidetracked by a few things. Am I correct that the "VPN" interface that you have is an interface set up for Wireguard (not your Open VPN interface) on 10.4.0.1/24? And the alias "Server" is your Synology at 10.1.0.40? If so, is it your intent to be able to access the Synology from devices that are not on Wireguard from out in the WAN?
-
@dma_pf I love how you apologize for a delay when you're helping a total stranger for free on a forum. Kindness like that gives me faith in humanity.
- Yes, VPN is WireGuard (10.4.0.x) and rules that I set in there mess with WireGuard's capabilities.
- Yes, "Server" is the Synology (10.1.0.40).
- Yes, devices NOT ON WireGuard, from external, can reach 10.1.0.40 via TCP: 443.
- Devices ON WireGuard, from external, can reach literally everything else on the network except the Server IP.
-
@ashkaan Your rules look basically right to me. You do not need the rule in the Wireguard interface as you have it in the VPN interface. And you shouldn't need it in the VPN interface as any traffic initialized on that interface (VPN net) would automatically be allowed into the firewall by default. (Same for the similar rule in Main)
I'm not at all familiar with Synology, but the fact that you're accessing everything but Synology makes me wonder if there is any setting in it that could be restricting traffic from the Wireguard network? Some ACL or something? UDP traffic restricted to certain ports?
-
@dma_pf Ya, I can't think of any reason why I can't connect to it. The interesting thing is that I can connect to it via OpenVPN (coincidentally hosted on my Synology) just fine. I can connect to 100% of my devices through OpenVPN.
You're right about the Wireguard rule. I removed it and it still functions the same (access to 99% of the network, which is nice).
-
@ashkaan Have you tried doing a packet capture on the Synology to see if the packets are getting to it from the client?
Also, I was browsing the web and saw a few references to an "Enable Multiple Gateways" setting in the Synology that helped resolve some connection issues via VPN connections.
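One way to read a packet capture taken on the Synology, as suggested above, is to sort peers into "never arrives" (look at pfSense firewall/NAT) versus "arrives but gets no reply" (look at the host's own routing). This is an added example, not code from anyone in the thread; the tcpdump-style lines and the WireGuard client address 10.4.0.2 are constructed, the host is the Synology at 10.1.0.40.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style capture as it might be taken on the Synology
# (10.1.0.40): a LAN desktop gets replies, a WireGuard client does not.
SAMPLE_CAPTURE = """\
12:00:01.000 IP 10.1.0.80 > 10.1.0.40: ICMP echo request, id 7, seq 1, length 64
12:00:01.001 IP 10.1.0.40 > 10.1.0.80: ICMP echo reply, id 7, seq 1, length 64
12:00:02.000 IP 10.4.0.2 > 10.1.0.40: ICMP echo request, id 9, seq 1, length 64
12:00:03.000 IP 10.4.0.2 > 10.1.0.40: ICMP echo request, id 9, seq 2, length 64
12:00:04.000 IP 10.4.0.2.51234 > 10.1.0.40.443: Flags [S], seq 1, win 64240, length 0
"""

# Matches "<timestamp> IP <src>[.<port>] > <dst>[.<port>]:" for ICMP and TCP/UDP lines.
LINE_RE = re.compile(r"^\S+ IP (\d+(?:\.\d+){3})(?:\.\d+)? > (\d+(?:\.\d+){3})(?:\.\d+)?:")


def parse_capture(text):
    """Return a list of (src_ip, dst_ip) pairs for every parsable line."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def diagnose(text, host, peers):
    """For each expected peer, say whether its packets reach host and whether host answers."""
    inbound, outbound = defaultdict(int), defaultdict(int)
    for src, dst in parse_capture(text):
        if dst == host:
            inbound[src] += 1
        elif src == host:
            outbound[dst] += 1
    verdicts = {}
    for peer in peers:
        if inbound[peer] and outbound[peer]:
            verdicts[peer] = "ok: requests arrive and replies leave the host"
        elif inbound[peer]:
            # Packets got through pfSense; the host itself is not answering this subnet.
            verdicts[peer] = "arrives, no reply: check the host's route/gateway for this subnet"
        else:
            # Nothing reached the host at all; the problem is upstream of it.
            verdicts[peer] = "nothing arrives: check pfSense firewall/NAT and the tunnel allowed IPs"
    return verdicts
```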
-
@dma_pf said in Cannot Connect to 1x Specific Host Through WireGuard:
Also, I was browsing the web and saw a few references to an "Enable Multiple Gateways" setting in the Synology that helped resolve some connection issues via VPN connections.
Omg.. you found it!! Enable Multiple Gateways was the answer! It works. I guess WireGuard handles the different subnet thing differently than OpenVPN.
Thank you so, so much!
I made two variable changes (EdgeRouter to pfSense and OpenVPN to WireGuard) and I kept pushing the wrong path.
-
@ashkaan Awesome!
-
@dma_pf So interesting update: ever since enabling Multiple Gateways, the 10x dockers that I have on my Synology can no longer talk to each other. I disabled the setting and now they're happy again.
It seems like I have to choose between WireGuard allowing me to connect to my Synology, or my dockers allowing each other to connect.
Is there any alternative solution that you can think of to get WireGuard to work without Multiple Gateways? Maybe a static route or something?
-
@ashkaan said in Cannot Connect to 1x Specific Host Through WireGuard:
Is there any alternative solution that you can think of to get WireGuard to work without Multiple Gateways?
As I mentioned before I have zero experience with Synology (or Docker) so I'm afraid I really don't have much to offer here. The Multiple Gateways suggestion was based on a quick Google search where others who were having VPN connection issues were able to solve it by enabling that setting.
My guess, for what it's worth, is that by enabling the Multiple Gateways on the Synology each docker is using a different gateway and you have to configure them to be able to communicate with each other. It seems that there must be some routing/firewall type rules or interface bridging in the Synology that have to be configured. Keep in mind that this is just a guess. Hopefully someone with experience with Synology will chime in here.
Have you tried a Synology forum?
-
@dma_pf Good call! I'll try it. Thank you so much for your help.