ER8411 V1 Wireguard stopped working after firmware upgrade to 1.3.1

Re:ER8411 V1 Wireguard stopped working after firmware upgrade to 1.3.1
2025-06-12 15:07:41

  @parhamsan 

 

So good that everything works now :-) You can use switch ACL with WireGuard, but then you must have an Omada switch, SG2000 series or higher.

#22
Re:ER8411 V1 Wireguard stopped working after firmware upgrade to 1.3.1
2025-06-13 00:22:44

  @parhamsan 

parhamsan wrote

Clive_A wrote

 @parhamsan

parhamsan wrote

  @MR.S Hello,

 

So here is what I did. I Forgot the ER8411 from the OC200 (the ER8411 got factory reset), enabled the SSH and SSHed to ER8411.

I then rolled back to the previous firmware, 1.2.3, and adopted the ER8411 again.

I can now confirm that WireGuard is working as before, so it must be a setting on the new firmware that is blocking the traffic.

Maybe someone can explain what is preventing WireGuard from working on the new firmware:

 

To start, I have 2 LANs:

Default 192.168.1.1/24

LAN69 192.168.69.1/24 (LAN69 is only set up to be used in the ACL for WireGuard to block access to LAN1, which I found is useless)

On WireGuard I have 2 servers (both ports 51800 and 51820 are open in NAT):

 

 

 

And below are the Peers:

 

 

 

And the ACL for LAN69 (which is kind of useless, since when I created LAN69 and used it on the WireGuard VPN, I only have access to WAN and no LAN regardless of the ACL being on or off, which is not an issue; I can deal with that by having 2 different addresses for WireGuard).

 

 

 

 

 

With this configuration WireGuard works fine.

But when upgraded to firmware 1.3.1 everything stopped working???

Is there a setting I need to set for WireGuard to work on the new firmware?

 

Any help would be appreciated.

 

Thanks!

I don't understand what you would set up like that. 

Allowed peer should be an existing network. If you allow 192.168.50.0/24, which is non-existent, what's the reason?

 

As for the 192.168.69.0/24, when your phone is connected, and your phone settings are missing from the reply, you should be able to ping the 192.168.69.1, so did you verify that?

As for the phone, WG has to be configured with the DNS. 

 

 

If you ask why, that seems to be a config issue. Not sure if you have read the config guide on the forum. Mr.S is suggesting you remove all the non-related settings to verify the integrity of WireGuard. 

I also don't see a problem with the WG on my test bench. 

  @Clive_A 

 

Hello Clive,

Thanks for your reply!

 

To answer your questions:

I followed this video to create and set up WireGuard on the ER8411 and on my phone:

https://youtu.be/ySovFaq9FV0?si=0t9kMSZ46ytjDroP

I thought the WG server IPs and peers should be on a completely different subnet from my existing LAN subnet (in my case I only have 192.168.1.0/24)!!!

 

As for the 192.168.69.0/24, when I created the LAN on ER8411, the only reason was to be able to control peers' access to WAN only and to deny access to my default LAN.

On my phone I am using 8.8.8.8 as DNS

Seems the ACL will not work for WG and there is no way to control and deny access through the ACL rules, correct?

 

For now I will stick to the 1.2.3 firmware, and will not upgrade to 1.3.1, since after the upgrade my router and internet went completely offline and I have to manually restart and unplug the router a couple of times for it to come back online (it could also be related to my XGS-PON, so I don't want to blame the firmware for this issue!!!)

The only request that I have now is how can I control the way WG peers/clients can have limited access to WAN or LAN (if there is a way).

For example, in the Archer AX55 there is an option to limit client access by a simple rule, correct? Why can't this be implemented in ER8411?

 

 

 

 

Thanks again for your help and reply!!!

I see. You can refer to the guide I created on the Omada router page, where it shows what it means for each parameter in WireGuard to make sure that your config is on the right track.

I know that UI you snipped is from our Archer, but we might be slightly different. 

0.0.0.0/0 in allowed IP is different from the proper subnet you set. It's kind of complicated. 

 

It takes time to examine and find out why. If you want, you can try with the guide and the 1.3.1 firmware. And it indeed could be an environment issue. 

#23
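The AllowedIPs point raised in the post above (a specific subnet versus 0.0.0.0/0), as an added example that is not part of the thread or TP-Link's code. It models upstream WireGuard's rule that AllowedIPs is both the outbound route selector and the inbound source filter, not the ER8411 firmware; the peer name `router` and the sample addresses are constructed, the subnets are the ones named in the thread.

```python
import ipaddress

# The two router LANs named in the thread.
ROUTER_NETWORKS = {
    "Default": ipaddress.ip_network("192.168.1.0/24"),
    "LAN69": ipaddress.ip_network("192.168.69.0/24"),
}

def parse_allowed(allowed_ips):
    """Split a comma-separated AllowedIPs value into network objects."""
    return [ipaddress.ip_network(part.strip(), strict=False)
            for part in allowed_ips.split(",") if part.strip()]

def accepts_source(allowed_ips, src):
    """Inbound: a decrypted packet is kept only if its source is in AllowedIPs."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in parse_allowed(allowed_ips))

def select_peer(peers, dst):
    """Outbound: the peer whose AllowedIPs covers dst with the longest prefix."""
    addr = ipaddress.ip_address(dst)
    best = None
    for name, allowed in peers.items():
        for net in parse_allowed(allowed):
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None

def audit(allowed_ips, networks=ROUTER_NETWORKS):
    """Relate each AllowedIPs entry to the router's own networks."""
    findings = []
    for net in parse_allowed(allowed_ips):
        if net.prefixlen == 0:
            findings.append((str(net), "matches every address"))
            continue
        hits = [name for name, lan in networks.items() if net.overlaps(lan)]
        findings.append((str(net), "overlaps " + ", ".join(hits) if hits
                         else "no matching router network"))
    return findings

if __name__ == "__main__":
    # Constructed phone-side configs: full tunnel versus one subnet.
    for allowed in ("0.0.0.0/0", "192.168.69.0/24"):
        routes = {dst: select_peer({"router": allowed}, dst)
                  for dst in ("192.168.69.1", "192.168.1.10", "8.8.8.8")}
        print(allowed, routes)
    # Router-side peer entry with the subnet questioned in the thread.
    print(audit("192.168.50.0/24"), accepts_source("192.168.50.0/24", "192.168.1.10"))
```

With `0.0.0.0/0` every destination is sent into the tunnel, so any restriction has to be enforced on the router; with a single subnet, traffic to other destinations never enters the tunnel at all.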
Re:ER8411 V1 Wireguard stopped working after firmware upgrade to 1.3.1
2025-06-13 14:57:18

  @Clive_A 

Hey,

Is the guide you are talking about this one:

https://www.tp-link.com/ca/support/faq/3559/

 

If not can you share the link please.

 

Thanks!

#24
Re:ER8411 V1 Wireguard stopped working after firmware upgrade to 1.3.1
3 weeks ago

  @parhamsan 

Yes and no. This was a copy and revision of mine posted on the forum. Use the filter to find out if you are interested in extensive reading. 

#25
Re:ER8411 V1 Wireguard stopped working after firmware upgrade to 1.3.1
3 weeks ago

I have the same issue. And disabling NAT works for me. Just confirming that this issue has an answer.

 

Thanks everyone.

 

graps

#26