Wireguard VPN - allowing access to every VLAN

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Wireguard VPN - allowing access to every VLAN

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Wireguard VPN - allowing access to every VLAN
Wireguard VPN - allowing access to every VLAN
2023-08-05 15:35:45
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.1.2

Has anyone been able to properly setup any ACL's for their omada wireguard vpn config's so it will not route and allow access to all the vlans in your networks?  Documentation is close to meh at best for cloud omada configurations. To get to my current working configuration now I pulled info from various sources and walkthroughs none omada related and it is all running together due to the amount of different information that does and doesn't apply to omada. It seems no matter where or how I try to create an ACL I can get to any and every single one of my vlans.

"Desperate times call for desperate desperateness."
  1      
  1      
#1
Options
6 Reply
Re:Wireguard VPN - allowing access to every VLAN
2023-08-07 06:25:37

Hi @Daggett 

Thanks for posting in our business forum.

Has anyone been able to properly setup any ACL's for their omada wireguard vpn config's so it will not route and allow access to all the vlans in your networks?  Documentation is close to meh at best for cloud omada configurations.

The Omada Controller cloud equals the basic none-cloud one. The only difference was the adoption. Most other features are the same.

 

Daggett wrote

It seems no matter where or how I try to create an ACL I can get to any and every single one of my vlans.

Can you post your configuration here so that I can verify your ACL? Are you using Gateway ACL?

What other devices do you have? Switch?

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#2
Options
Re:Wireguard VPN - allowing access to every VLAN
2023-08-08 21:34:34

  @Clive_A 

I have tried ACL's at every level Gateway, Switch, and EAP. At this point in time it looks to be only wired clients connected to the switch that I am able to access when connected externally with Wireguard. As for the TP Link documentation for setting up wireguard I will have to look at it again but the way it said to set up wireguard did not work for me using the hardware controller at the time which is why I looked elsewhere. Currently the config I have works minus the access accross all vlans on the with the devices plugged into the switch. 

 

 

 

 

 

"Desperate times call for desperate desperateness."
  0  
  0  
#3
Options
Re:Wireguard VPN - allowing access to every VLAN
2023-08-09 01:56:55 - last edited 2023-08-09 01:58:31

Hi @Daggett 

What did you put in here? Your whole LAN network?

 

 

 

 

In your ACL setup, have you tried to include the Local IP Address in your Wireguard to the ACL of "Deny"?

Your goal is to exclude Wireguard clients to access all of your VLANs. But I don't see any of the ACL you created to fit that.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#4
Options
Re:Wireguard VPN - allowing access to every VLAN
2023-08-09 14:07:20

  @Clive_A 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

192.168.0.XXX is the Wireguard

10.100.100.XXX is the LAN

 

I had created ACL rules that didn't work and before the start of this thread were deleted from the Switch and Gateway to save myself from later confusion. It should be noted the wireless clients connected to the AP's as of currently I cannot reach through the vpn on physically connected clients via ethernet to the switch. 

The gateway/switch ACL used the IPGroup (for Wiregaurd) to Network (for local vlans) that blocked all traffic to all internal vlans with the reverse rule checked and it still allowed access to everything. I had manually created the IPGroup with the range Wireguard is using since there is no local LAN/VLAN under the wired networks lan tab since that breaks the vpn for me.

 

"Desperate times call for desperate desperateness."
  0  
  0  
#5
Options
Re:Wireguard VPN - allowing access to every VLAN
2023-08-12 14:58:38

1. I recreated all the ACL policies I originally deleted and the policies still didn't work.

2. I then pulled my v1 er605 off the shelf and put it in place of the v2 and the acl rules worked.

3. Removed the v2 er605 from my tplink account and factory defaulted it.

4. Upon re-adding it back to my account and putting it back as my primary router the acl rules started working properly with it. 

 

The only difference I made to the wireguard group from my original setup was to specify the range using /24 vs /32 so I wouldn't have to individually re-add/specify the clients in the range for wireguard that I use. All the wireguard ACL's I use reference that group for wireguard at the switch and eap level.

"Desperate times call for desperate desperateness."
  0  
  0  
#6
Options
Re:Wireguard VPN - allowing access to every VLAN
2024-01-23 07:52:50

I have same or similar problem. 

On the client side I need to set 0.0.0.0/0 as allowed IP addresses so that all traffic goes through the tunnel. And is hidden to the hotspot infrastructure.

However, on the Server side (Omada gateway) I am not able to create any rule that would block WG Client to access all LANs and VLANs (complete internal network).

I need to have one client have access only to internet and one specific VLAN and nothing else. Is this possible? Or do we need to wait for the ER605 updated firmware?

  4  
  4  
#7
Options

Information

Helpful: 1

Views: 1873

Replies: 6

Related Articles