ER7206 - Wireguard "Allowed Address" issue
Please refer to the following topic
https://community.tp-link.com/en/business/forum/topic/636906
I have the same exact problem on my ER7206 router
when I set "Allowed Address" to "0.0.0.0/0" I have no issues pinging all my wireguard LAN IP's but the same time all of my gateway traffic is routed through the VPN tunnel which I don't want that. If I set to "Allowed Address" to "192.168.4.0/24" then I can't ping any Wireguard LAN IPs.
Can any one help me setting up the right way ?
Thanks
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @Navas1
Thanks for posting in our business forum.
Navas1 wrote
I am trying to achieve the following
a) I have a dedicated wireguard server in a remote datacenter ( configured as 192.168.4.0/24 )
b) I have PC's from multiple locations connecting that wireguard server as clients (peers)
c) I have an office ROUTER (ER7206) with LAN subnet of 192.168.0.0/24 and I want to access all the peers connected to the wireguard server ( 192.168.4.0/24 )
when I set Allowed address as 0.0.0.0/0 then I can access those 192.168.4.0/24 subnets but the issue is all of my internet traffic is routed through wireguard tunnel. I don't want that I only want to access my wireguard peers and not the whole internet. Internet should be routed through my local gateway WAN
Please let me know if you need any more info.
I hold a grain of salt about your statement.
First, you whole remote subnet is 192.168.4.0/24. Yep, no problem with that.
Allowed IP address is supposed to be 192.168.4.0/24 and you should be able to ping the remote peer WG int IP. Will you be able to do that? Paste a screenshot here.
Second, your config on the 7206, seems to be good.
But what are the devices WG IP addresses?
If you can ping the WG int IP, you are accessible and available in the WG subnet which means you should be able to ping other clients that get a WG IP.
Have you considered that if there is a problem with your clients' firewall?
So, here's the thing, our troubleshoot and walkthrough stops when you can access the remote peer WG int IP which reflects that the WG tunnel is up and you are actually connected to the remote peer network.
Get a computer connected to that if possible. That's the most efficient way to test this if there is a problem with WG or not.
But if you cannot ping other devices, that should be a problem you troubleshoot yourself as it's beyond our ability as the WG works and we cannot determine any problems with your remote devices.
From the Omada router to the remote peer, this WG tunnel as long as it is good, the rest of the issues you experience should not result from the Omada router because the tunnel is up and there is nothing we can configure to work around it. The routing tables are created and working already.
Navas1 wrote
OK, thanks for the clarifications.
It seems I have wasted around ~200 bucks
I should have gone with openwrt with cheaper router. big mistake.
What a disappointment
If you compare us to an open-source router system, that's a wrong track that we never intend to compete with. TBH, we don't take open-source systems as our competitors and we don't intend to complete what they can do.
If you prefer that kind of system, please kindly return this product in time if it is still under the return window. Policy may vary from the vendors you purchase.
- Copy Link
- Report Inappropriate Content
Thank you for your response.
I can't ping the WG int. IP from a PC connected to ER7206 through LAN port when I setup "Allowed Address" as "192.168.4.0/24" Please see here for the screenshot
ping response of wg peer from my lan
ping response of wg peer within router. ( I logged in through SSH )
Here is the routing table
However when I set "Allowed Address" as "0.0.0.0/0" I was able to ping WG int. IP from my LAN, but my internet traffic goes through my WG VPN tunnel
Please let me know if you need any more details.
- Copy Link
- Report Inappropriate Content
ping from my LAN
ping within ER7206 router ( I logged in through SSH )
routing table
- Copy Link
- Report Inappropriate Content
Routing table
- Copy Link
- Report Inappropriate Content
Sorry I don't know why it is not displaying the routing table image, here is text
Routing Table
Entry Count:
ID | Destination IP | Subnet Mask | Next Hop | Interface | Metric |
---|
1 | 0.0.0.0 | 0.0.0.0 | 192.168.68.1 | WAN2 | 0 |
2 | 192.168.0.0 | 255.255.255.0 | 0.0.0.0 | LAN | 0 |
3 | 192.168.4.0 | 255.255.255.0 | 0.0.0.0 | WG | 9999 |
4 | 192.168.68.0 | 255.255.252.0 | 0.0.0.0 | WAN2 | 0 |
5 | 192.168.68.1 | 255.255.255.255 | 0.0.0.0 | WAN2 | 0 |
6 | 192.168.200.1 | 255.255.255.255 | 192.168.68.1 | WAN2 | 0 |
- Copy Link
- Report Inappropriate Content
Hi @Navas1
Thanks for posting in our business forum.
Navas1 wrote
ping from my LAN
ping within ER7206 router ( I logged in through SSH )
routing table
SSH and ER7206 can ping it which means it is working.
What's the IP of the macOS? The routing table of the macOS?
Do you have any static routing? Can you screenshot and paste it here directly?
- Copy Link
- Report Inappropriate Content
IP address on MAC
Routing table
- Copy Link
- Report Inappropriate Content
Routing table
navas@Navass-MacBook-Pro ~ % netstat -rn
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 192.168.0.1 UGScg en5
13.201.205.86 192.168.8.1 UGHS en0
35.186.199.111 192.168.8.1 UGHS en0
43.204.135.234 192.168.8.1 UGHS en0
100.108/16 utun100 USc utun100
100.108.51.9 100.108.51.9 UH utun100
127 127.0.0.1 UCS lo0
127.0.0.1 127.0.0.1 UH lo0
169.254 link#28 UCS en5 !
192.168.0 link#28 UCS en5 !
192.168.0.1/32 link#28 UCS en5 !
192.168.0.1 50:91:e3:80:5f:e8 UHLWIir en5 1192
192.168.0.100/32 link#28 UCS en5 !
192.168.0.255 ff:ff:ff:ff:ff:ff UHLWbI en5 !
224.0.0/4 link#28 UmCS en5 !
224.0.0.251 1:0:5e:0:0:fb UHmLWI en5
239.255.255.250 1:0:5e:7f:ff:fa UHmLWI en5
255.255.255.255/32 link#28 UCS en5 !
- Copy Link
- Report Inappropriate Content
Hi @Navas1
Thanks for posting in our business forum.
Navas1 wrote
Routing table
navas@Navass-MacBook-Pro ~ % netstat -rn
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 192.168.0.1 UGScg en5
13.201.205.86 192.168.8.1 UGHS en0
35.186.199.111 192.168.8.1 UGHS en0
43.204.135.234 192.168.8.1 UGHS en0
100.108/16 utun100 USc utun100
100.108.51.9 100.108.51.9 UH utun100
127 127.0.0.1 UCS lo0
127.0.0.1 127.0.0.1 UH lo0
169.254 link#28 UCS en5 !
192.168.0 link#28 UCS en5 !
192.168.0.1/32 link#28 UCS en5 !
192.168.0.1 50:91:e3:80:5f:e8 UHLWIir en5 1192
192.168.0.100/32 link#28 UCS en5 !
192.168.0.255 ff:ff:ff:ff:ff:ff UHLWbI en5 !
224.0.0/4 link#28 UmCS en5 !
224.0.0.251 1:0:5e:0:0:fb UHmLWI en5
239.255.255.250 1:0:5e:7f:ff:fa UHmLWI en5
255.255.255.255/32 link#28 UCS en5 !
There is no 192.168.4.0/24 route on your PC.
Try:
sudo route -n add -net 192.168.4.0/24 192.168.0.1
- Copy Link
- Report Inappropriate Content
Hi, thank you for you response,
still no luck,
navas@Navass-MacBook-Pro ~ % netstat -rn
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 192.168.0.1 UGScg en5
13.201.205.86 192.168.8.1 UGHS en0
35.186.199.111 192.168.8.1 UGHS en0
43.204.135.234 192.168.8.1 UGHS en0
100.108/16 utun100 USc utun100
100.108.51.9 100.108.51.9 UH utun100
127 127.0.0.1 UCS lo0
127.0.0.1 127.0.0.1 UH lo0
169.254 link#28 UCS en5 !
192.168.0 link#28 UCS en5 !
192.168.0.1/32 link#28 UCS en5 !
192.168.0.1 50:91:e3:80:5f:e8 UHLWIir en5 1163
192.168.0.100/32 link#28 UCS en5 !
192.168.0.255 ff:ff:ff:ff:ff:ff UHLWbI en5 !
192.168.4 192.168.0.1 UGSc en5
224.0.0/4 link#28 UmCS en5 !
224.0.0.251 1:0:5e:0:0:fb UHmLWI en5
239.255.255.250 1:0:5e:7f:ff:fa UHmLWI en5
255.255.255.255/32 link#28 UCS en5 !
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 3102
Replies: 37
Voters 0
No one has voted for it yet.