ER7206 - Wireguard "Allowed Address" issue

2024-06-11 11:31:55
Model: ER7206 (TL-ER7206)  
Hardware Version: V2
Firmware Version: 2.1.2 Build 20240324 Rel.46738

Please refer to the following topic:

https://community.tp-link.com/en/business/forum/topic/636906

I have the exact same problem on my ER7206 router.

When I set "Allowed Address" to "0.0.0.0/0" I have no issues pinging all my WireGuard LAN IPs, but at the same time all of my gateway traffic is routed through the VPN tunnel, which I don't want. If I set "Allowed Address" to "192.168.4.0/24" then I can't ping any WireGuard LAN IPs.

Can anyone help me set this up the right way?

Thanks

#1
Re:ER7206 - Wireguard "Allowed Address" issue
2024-06-11 13:54:30

@Navas1

Try and add the WireGuard VPN IP too.

#2
Re:ER7206 - Wireguard "Allowed Address" issue
2024-06-11 14:42:24

@MR.S

Sorry, I am not sure I quite understand.

Where do you want to add the WireGuard IP? My router's WireGuard IP address is 192.168.4.8.

Here are the configuration images:

https://take.ms/G8SjK

https://take.ms/qAfel

Can you please clarify?

#3
Re:ER7206 - Wireguard "Allowed Address" issue
2024-06-11 14:57:30

@Navas1

What are you trying to achieve? Is it site-to-site with WireGuard, or is it client-to-site?
Anyway, you have to allow the LAN IP and the WireGuard IP. I don't think you can use the same IP on the LAN and in the WireGuard tunnel.

Can you explain a little better what you are configuring?

#4
Re:ER7206 - Wireguard "Allowed Address" issue
2024-06-11 15:02:50

I am trying to achieve the following:

a) I have a dedicated WireGuard server in a remote datacenter (configured as 192.168.4.0/24).

b) I have PCs from multiple locations connecting to that WireGuard server as clients (peers).

c) I have an office router (ER7206) with a LAN subnet of 192.168.0.0/24, and I want to access all the peers connected to the WireGuard server (192.168.4.0/24).

When I set the Allowed Address to 0.0.0.0/0, I can access those 192.168.4.0/24 subnets, but the issue is that all of my internet traffic is routed through the WireGuard tunnel. I don't want that; I only want to access my WireGuard peers and not the whole internet. Internet should be routed through my local gateway WAN.

Please let me know if you need any more info.

#5
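
A simplified model of standard WireGuard AllowedIPs semantics (outbound route selection plus inbound source filter), applied to the addresses in this thread. This is an added example, not code from the posters or from TP-Link, and it does not model the ER7206 firmware; the host addresses 192.168.4.20, 192.168.0.10 and 203.0.113.7 and all function names are constructed for illustration.

```python
import ipaddress

OFFICE_LAN = ["192.168.0.0/24"]  # office LAN subnet from the thread

def parse_allowed(allowed_ips):
    """Parse a comma-separated AllowedIPs value into network objects."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in allowed_ips.split(",") if s.strip()]

def egress(dst, allowed_ips, local_nets=()):
    """Return 'lan', 'tunnel' or 'wan' for an outgoing packet to dst.

    Simplification: longest-prefix match over directly connected networks
    and the peer's AllowedIPs; anything unmatched leaves via the WAN.
    """
    addr = ipaddress.ip_address(dst)
    candidates = [(n.prefixlen, "lan")
                  for n in map(ipaddress.ip_network, local_nets) if addr in n]
    candidates += [(n.prefixlen, "tunnel")
                   for n in parse_allowed(allowed_ips) if addr in n]
    # max() keeps the first maximal element, so a connected LAN wins ties.
    return max(candidates, key=lambda c: c[0])[1] if candidates else "wan"

def ingress_accepted(src, allowed_ips):
    """A decrypted packet is kept only if its source is inside AllowedIPs."""
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in parse_allowed(allowed_ips))

def is_full_tunnel(allowed_ips):
    """True if any entry is a default route (0.0.0.0/0 or ::/0)."""
    return any(n.prefixlen == 0 for n in parse_allowed(allowed_ips))

if __name__ == "__main__":
    # Constructed destinations: a tunnel peer, a LAN host, an internet host.
    for allowed in ("0.0.0.0/0", "192.168.4.0/24"):
        print(f"AllowedIPs = {allowed} (full tunnel: {is_full_tunnel(allowed)})")
        for dst in ("192.168.4.20", "192.168.0.10", "203.0.113.7"):
            print(f"  {dst:<14} -> {egress(dst, allowed, OFFICE_LAN)}")
```

Under these semantics the narrow entry is also the tighter inbound filter: with 192.168.4.0/24 the peer can only deliver packets sourced from the tunnel subnet, whereas 0.0.0.0/0 accepts any source address from it.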
Re:ER7206 - Wireguard "Allowed Address" issue
2024-06-11 15:10:23

@Navas1

OK, then I understand: you want to use the ER706 as a WireGuard client to a remote WireGuard server. Sorry, but it doesn't work; there is no policy route on WireGuard, so what you are trying is useless. I have tried and spent days testing this. I ended up buying a Unifi router that takes care of WireGuard for me.

Your only option is 0.0.0.0/0, with everything routed through the WireGuard tunnel, or find another solution like me.

There are rumors that the policy route will come in Q1 2024; now it's the end of Q2, so maybe a solution is getting closer.

#6
Re:ER7206 - Wireguard "Allowed Address" issue
2024-06-11 15:15:25

OK, thanks for the clarifications.

It seems I have wasted around ~200 bucks.

I should have gone with OpenWrt with a cheaper router. Big mistake.

What a disappointment.

#7
Re:ER7206 - Wireguard "Allowed Address" issue
2024-06-11 15:25:51

@Navas1

We can ping @Clive_A from TP-Link; maybe he has more info about this that I don't know about. It would have been great to disconnect the Unifi router.

#8
Re:ER7206 - Wireguard "Allowed Address" issue
2024-06-11 15:27:12

@MR.S

Can you please let me know the model # of the Unifi router?

#9
Re:ER7206 - Wireguard "Allowed Address" issue
2024-06-11 15:33:57

@Navas1

Now I use a cheap, bad one: the UXG-Lite. I don't need any great speed. I have also used the UXG-Pro, but all the routers have WireGuard policy routing.

I have connected it to a separate WAN port on the ER8411 and use policy route, which is on Omada. Then I run a policy route to the WAN interface to which the Unifi is connected.

#10
Re:ER7206 - Wireguard "Allowed Address" issue
2024-06-11 17:28:40

@Navas1

If you have the option of IPsec site-to-site, then TP-Link routers are absolutely crazy good; if there is an alternative to WireGuard, then you should try it.

In my case I can't use just IPsec. I route 70-80 networks via WireGuard and policy route, and it doesn't work with IPsec s2s.

L2TP is also a possibility; you can use policy route with L2TP as well.

#11