Best practice to add wireguard interface to access another internal network

I have a working wg0 interface and I can access my LAN from the Internet. Now I want to add another wireguard instance to access the internal IOT interface so I can access the internal devices from outside. Currently the firewall zone blocks any traffic from IOT to LAN and I would prefer to keep it that way.

How do I do it?

Only permit traffic from LAN to IOT?


OK, I will try that. Thanks. Or, can I just add wg0 => IOT in addition to wg0 => LAN in firewall zones? Is it going to automatically route between the different subnets?

yeah, that should do it.

That is how I have the very same remote access to my IOT zone:

Got it, just curious though, if => depicts one way traffic from wg0 to iot, why reject "input" and "forward"?

Depends on your goals (I'm not saying you should or should not reject, just pointing out that it is goal specific). See below:

INPUT
Input controls the ability for networks on a zone to connect to the router itself. For example, if you want to administer the router via the ssh or web interface from a remote peer, you would set input to ACCEPT. If you don't fully trust the remote peer(s), set this to REJECT to prevent them from accessing the router's admin (and/or other services).

FORWARD
Forward controls the intra-zone connections. This really only applies if you have multiple networks contained within the same zone. If you want the networks to be able to freely communicate with each other, set forward to ACCEPT. If you want them isolated, set it to REJECT.

In both cases, you can write granular firewall rules to allow/deny connections, but the zone controls are the baseline/default in the absence of other rules to govern the networks/hosts within a zone.


Good explanation, but now I am more confused.

I do want to access everything on the LAN including luci access, SMB server on the LAN, WAN and IOT devices through wg0 when connecting from external network and when I am connected directly to the LAN. My current setup is
wg0 => iot, lan, wan - Input Accept, Output Accept, Forward Accept
LAN => iot, lan, wan - Input Accept, Output Accept, Forward Accept

Can traffic flow from wan to lan and iot without invoking wg0, if forward is accepted?
I did not know that forward was for inter-network zone traffic. Could somebody on WAN access IOT directly without using wg0? I thought that the traffic was initiated from the left zone => to the right zone(s). The zone(s) on the right were only targets for the zone on the left. I was under the impression that the zones on the right did not communicate with each other unless there was another explicit zone rule.

I certainly do not want to expose LAN and the router itself to anybody on WAN or IOT without VPN access. In this case what should be in input, output and forward?

So other option I can think of is
wg0=> LAN
&
LAN => WAN, IOT

Once I am connected to LAN on wg0 I should be able to access IOT and WAN.
Is this a cleaner solution? What would input, output, and forward be for this case?

Do I need to drop traffic from WAN => IOT and IOT => LAN explicitly in this case?

Also, how do these zone rules stack up? Does the next rule override the previous rule?
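As an added illustration that is not part of this thread (my own example, not any poster's config), here is an /etc/config/firewall fragment that applies the INPUT/FORWARD explanation above to the layout proposed in the last post (wg0 => LAN, LAN => WAN and IOT). Interface and zone names wg0, lan, iot and wan are assumptions. Because forwardings are evaluated per source zone and are not transitive, wg0 gets its own forwardings to iot and wan instead of relying on the lan zone's. Remote peers are kept out of the router itself by the zone default and let back in only for ssh and LuCI by one granular rule, as the explanation describes.

```uci
# Added example, not from this thread. Zone and network names are assumptions.

config zone
	option name 'wg0'
	list network 'wg0'
	# Remote peers cannot reach the router's own services by default;
	# the granular rule at the bottom re-opens only ssh and LuCI.
	option input 'REJECT'
	option output 'ACCEPT'
	# Forward only governs traffic between networks inside this one zone;
	# wg0 holds a single network, so this setting has no effect here.
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'iot'
	list network 'iot'
	# IoT devices get no access to the router's admin or other services.
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

# Each forwarding is one-way: it permits NEW connections from src to dest only;
# the replies to those connections are allowed by connection tracking.
# Nothing below forwards wan => lan, wan => iot or iot => lan, so those
# directions stay blocked without any explicit drop rule.
config forwarding
	option src 'wg0'
	option dest 'lan'

# Forwardings are not transitive: wg0 => lan plus lan => iot does NOT let a
# VPN peer reach iot, so wg0 gets its own forwardings to iot and wan.
config forwarding
	option src 'wg0'
	option dest 'iot'

config forwarding
	option src 'wg0'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'iot'

# Granular rule that overrides the wg0 zone's input REJECT for specific
# services: VPN peers may reach ssh (22) and LuCI (80/443) on the router.
config rule
	option name 'Allow-wg0-admin'
	option src 'wg0'
	option proto 'tcp'
	option dest_port '22 80 443'
	option target 'ACCEPT'
```

After editing the file, reload with `/etc/init.d/firewall restart`. If wg0 peers should only reach the LAN and nothing else, drop the wg0 => iot and wg0 => wan forwardings; the LAN => iot and LAN => wan forwardings then apply only to hosts that are actually on the lan network, not to VPN peers.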