LAN access from VPN
-
@ghazel
Indeed, it's as you said before.
Maybe the Netgear is still doing source IP rewriting for sources that are outside the subnet?
Obviously that's the case.
But it must not do this if it's running in AP mode as you mentioned. In AP mode all traffic through the device is on layer 2 only; no routing or NATting / masquerading would be possible.
So there must be something wrong with the settings of the Netgear AP. You should re-check this.
-
@viragomann said in LAN access from VPN:
But it must not do this if it's running in AP mode as you mentioned. In AP mode all traffic through the device is on layer 2 only; no routing or NATting / masquerading would be possible.
So there must be something wrong with the settings of the Netgear AP. You should re-check this.
Unfortunately in AP mode there are zero additional settings.
I could get a standalone switch for the wired devices to connect to LAN, but the wireless devices would still have the same problem.
Would it be practical to force WG_VPN to use a section of the 192.168.1.x range, so that wireguard peers appeared to be on the same subnet as the Netgear?
-
@ghazel said in LAN access from VPN:
Unfortunately in AP mode there are zero additional settings.
But there must be something wrong with it. Did you reboot or better reset the device?
Replacing the source IP with its own only makes sense if the wifi device is in router mode and redirects response packets back to the original source.
Can it operate as a router?
This could be a workaround.
Would it be practical to force WG_VPN to use a section of the 192.168.1.x range, so that wireguard peers appeared to be on the same subnet as the Netgear?
You could masquerade the outgoing traffic on the pfSense LAN interface and get the same. But if the switch replaces the source IP anyway, which I think it does, you gain nothing.
-
@viragomann said in LAN access from VPN:
But there must be something wrong with it. Did you reboot or better reset the device?
Rebooted many times (thanks PG&E!). Have not tried a full reset, but will.
Can it operate as a router?
This could be a workaround.
Yes, with the downside of double-NAT. Services that currently work fine with upnp/nat-pmp would stop working.
You could masquerade the outgoing traffic on the pfSense LAN interface and get the same. But if the switch replaces the source IP anyway, which I think it does, you gain nothing.
It seems like the switch does not replace the source IP if it's in the same subnet range (192.168.1.x). So if the wireguard peer got 192.168.1.114 or something like that (instead of 192.168.2.14), maybe that would work?
-
@ghazel said in LAN access from VPN:
It seems like the switch does not replace the source IP if it's in the same subnet range (192.168.1.x).
Yes, I even had the same idea. So maybe you could try to masquerade the traffic on pfSense.
You can do this with an outbound NAT rule. On the outbound NAT tab enable the hybrid mode first.
Then add a rule with these values:
interface: LAN
source: 192.168.2.0/24
destination: any
translation: interface address
This replaces the source address with the pfSense LAN address, so it's inside the subnet. Maybe this works.
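For reference, the rule described in the post above in pf syntax. This is an added illustration, not text from the thread and not a copy of what pfSense actually writes to its generated ruleset; the LAN interface name em1, the pfSense LAN address 192.168.1.1, the peer address 192.168.2.14 and the LAN host 192.168.1.50 are all assumed for the example.

```pf
# Added example: pf equivalent of the pfSense outbound NAT entry
#   interface: LAN, source: 192.168.2.0/24, destination: any,
#   translation: interface address
# Interface name (em1) and addresses are assumptions for illustration.
#
# Without this rule the automatic outbound NAT only covers WAN, so a packet
# from a WireGuard peer reaches the LAN segment with its original source:
#   192.168.2.14 -> 192.168.1.50
# With the rule, hosts (and the Netgear) on the LAN see:
#   192.168.1.1  -> 192.168.1.50
#
# Hybrid mode keeps the automatic rules and evaluates manual rules first;
# the port range is what a non-static-port translation typically uses.
nat on em1 inet from 192.168.2.0/24 to any -> 192.168.1.1/32 port 1024:65535
```

To confirm the rule is loaded and being used, `pfctl -s nat` lists the active NAT rules and `pfctl -s state` shows the translated states (look for entries whose original source is 192.168.2.x). One caveat worth keeping in mind: after masquerading, every WireGuard peer appears to LAN devices as the pfSense LAN address, so nothing on the LAN side can tell peers apart any more. Per-peer restrictions therefore belong in the firewall rules on the WG_VPN interface, which are evaluated against the untranslated 192.168.2.x source before this NAT applies.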
-
@viragomann said in LAN access from VPN:
This replaces the source address with pfSense LAN address, so it's inside the subnet. Maybe this works.
It does work! Thank you very much!