Can't use ACL rules to Deny LAN Access to Wireguard Peers
I managed to configure WireGuard on the ER707-M2 as a server to connect from my phone. It works properly: the phone correctly gets assigned the right local IP (192.168.60.2) in the right VLAN and it can reach the internet through the tunnel. The issue is that after creating ACL rules to block traffic between VLAN 60 and the other VLANs, it looks like those rules are just ignored; not sure why. Can I get some guidance on how to do this?
Btw: another issue I detected is that I can't see peers in the devices list.
Hi @mtv890
Thanks for posting in our business forum.
What do you mean by configuring 192.168.60.2/32?
Allowed IP is not used in that way; you can take a look at the Configuration Guide.
@Clive_A The guide says: "Allowed Address: Specify the address segment that allows traffic to pass through. Generally, you can fill in the subnet address of the peer." I don't want that WireGuard client to be able to reach any other user, just reach the internet, but not other IPs in other VLANs, and (ideally) not even in the same VLAN.
Again, I get internet access (all traffic routes through the tunnel, and the phone gets the Omada public IP as its public IP) but I am still able to reach local devices, a thing that I want to prevent from the Omada side.
Btw, even if I set Allowed IPs to 192.168.60.0/29 (the whole VLAN's segment), the peer still ignores the ACL rules.
Added client config for reference:
Hi @mtv890
Thanks for posting in our business forum.
mtv890 wrote
@Clive_A The guide says: "Allowed Address: Specify the address segment that allows traffic to pass through. Generally, you can fill in the subnet address of the peer." I don't want that WireGuard client to be able to reach any other user, just reach the internet, but not other IPs in other VLANs, and (ideally) not even in the same VLAN.
Again, I get internet access (all traffic routes through the tunnel, and the phone gets the Omada public IP as its public IP) but I am still able to reach local devices, a thing that I want to prevent from the Omada side.
Btw, even if I set Allowed IPs to 192.168.60.0/29 (the whole VLAN's segment), the peer still ignores the ACL rules.
Added client config for reference:
Your local IP address on the router is not correct either.
That cannot be zero. You cannot fill it with a 0 or 255, as they are not correct to use.
On the router, the Allowed IP is mainly about how you can access the peer end. What matters is the Allowed IP on your client (the other peer).
The VPN routing is separate from the default NAT and WAN/LAN routings.
I recall that OVPN can do that. I think in your case, consider OVPN, as it provides the tunnel mode. WireGuard is such that you need to specify the routing. Lines like iptables, I don't know if they work on your phone, but that could be tried.
Clive_A wrote
Hi @mtv890
Thanks for posting in our business forum.
mtv890 wrote
@Clive_A The guide says: "Allowed Address: Specify the address segment that allows traffic to pass through. Generally, you can fill in the subnet address of the peer." I don't want that WireGuard client to be able to reach any other user, just reach the internet, but not other IPs in other VLANs, and (ideally) not even in the same VLAN.
Again, I get internet access (all traffic routes through the tunnel, and the phone gets the Omada public IP as its public IP) but I am still able to reach local devices, a thing that I want to prevent from the Omada side.
Btw, even if I set Allowed IPs to 192.168.60.0/29 (the whole VLAN's segment), the peer still ignores the ACL rules.
Added client config for reference:
Your local IP address on the router is not correct either.
That cannot be zero. You cannot fill it with a 0 or 255, as they are not correct to use.
On the router, the Allowed IP is mainly about how you can access the peer end. What matters is the Allowed IP on your client (the other peer).
The VPN routing is separate from the default NAT and WAN/LAN routings.
I recall that OVPN can do that. I think in your case, consider OVPN, as it provides the tunnel mode. WireGuard is such that you need to specify the routing. Lines like iptables, I don't know if they work on your phone, but that could be tried.
@Clive_A Thanks for your reply. Based on your comments I updated the config: the local IP is now 192.168.60.2 and the Allowed Address includes the whole VLAN 60 segment, 192.168.60.1/29 (yes, the segment is /29). I also updated the DHCP range so it doesn't clash with the interface or the peer. (Updated screenshots below.)
Regarding your suggestion of configuring the Allowed IP on the client: it may work, but that's not secure. Reachability limits should be enforced from the Omada side; if the peer (phone) gets compromised, an attacker can change the config and get full access.
What do you mean when you say "The VPN routing is separate from the default NAT and WAN/LAN routings"?
Does that mean that ACL rules don't impact VPN traffic?
I was expecting that forcing the WireGuard interface & peer into a specific subnet range (192.168.60.0/29) associated with a specific VLAN ID (60) would do it, but it doesn't.
I suspect that the Omada router isn't correctly tagging VPN traffic as VLAN 60 but is using the default VLAN (I need to run more tests to prove this though). Since WireGuard is not associated with a specific port, I don't know how to configure a PVID for it.
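An added check, not from this thread or from Omada, that encodes the tunnel-addressing rules raised in the exchange above (no 0 or 255 host part, peers inside the tunnel subnet, DHCP pool not overlapping the interface or any peer, tunnel subnet not colliding with another VLAN). It uses only the Python standard library; the sample values are constructed to mirror the VLAN 60 /29 plan.

```python
# Added example: sanity-check a WireGuard tunnel addressing plan. All addresses
# below are constructed to mirror the VLAN 60 /29 layout discussed in the thread.
import ipaddress
from typing import List, Tuple


def check_plan(tunnel_subnet: str, interface_ip: str, peer_ips: List[str],
               dhcp_range: Tuple[str, str], other_vlans: List[str]) -> List[str]:
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    net = ipaddress.ip_network(tunnel_subnet, strict=True)
    iface = ipaddress.ip_address(interface_ip)
    peers = [ipaddress.ip_address(p) for p in peer_ips]

    def host_ok(addr: ipaddress.IPv4Address, label: str) -> None:
        # A host address must lie inside the tunnel subnet and must not be the
        # network (.0 in a /24) or broadcast address of that subnet.
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address of {net}")

    host_ok(iface, "interface")
    for p in peers:
        host_ok(p, "peer")
        if p == iface:
            problems.append(f"peer {p} collides with the interface address")

    # The VLAN's DHCP pool must not hand out the interface or any static peer address.
    lo, hi = (ipaddress.ip_address(a) for a in dhcp_range)
    if lo > hi:
        problems.append("DHCP range start is after its end")
    for addr, label in [(iface, "interface")] + [(p, "peer") for p in peers]:
        if lo <= addr <= hi:
            problems.append(f"DHCP pool {lo}-{hi} overlaps {label} {addr}")

    # The tunnel subnet must be disjoint from every other VLAN subnet.
    for v in other_vlans:
        vnet = ipaddress.ip_network(v, strict=True)
        if net.overlaps(vnet):
            problems.append(f"tunnel subnet {net} overlaps VLAN subnet {vnet}")
    return problems


if __name__ == "__main__":
    # Constructed plan: interface .1, one peer .2, DHCP .3-.6, a separate VLAN 10.
    for issue in check_plan("192.168.60.0/29", "192.168.60.1", ["192.168.60.2"],
                            ("192.168.60.3", "192.168.60.6"), ["192.168.10.0/24"]):
        print("problem:", issue)
```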
Router ACL will not work on WireGuard traffic; however, you can use switch ACL, which will work against LAN devices. With switch ACL you can use IP and port groups; you cannot do that with router ACL.
@MR.S Thanks a lot for your reply. I tried setting up a switch ACL but it doesn't work for me; not sure if I misconfigured something or maybe it's related to the fact that I'm using the ER707-M2 LAN ports directly (I don't have a dedicated switch; are you running one?).
Can you please share some screenshots of your IP groups in the ACL config and your WG interface/peer config?
Cheers!
The router is not a switch; you need an Omada L2+ switch, so I recommend a small cheap switch such as an SG2008 or SG2008P.
@mtv890 Just for the record, I decided to install a WG Docker container (Docker, NOT the Unraid built-in WG app) on my Unraid server. Using macvlan in the Unraid config, my WG container has a MAC address and I can see it in the Omada Controller with its IP. ACL works over the WG container's traffic, so I got everything I want; too bad I can't get it from Omada.
Thanks a lot for your replies!