How to give a remotely connected device the same firewall rules it would have if locally connected

I have a vlan set up for family members, called family, which they connect to via wireless.

There is a series of firewall rules for the family interface that permit what each connected device can access on other vlans.

There is a separate wireguard interface, wg0, which allows devices to connect remotely. This works fine if I set up a firewall rule to allow blanket access to other zones.

How can I set up remote device access via wg0 so that the device has the same permissions it would have if it were locally connected to the family vlan?

Can I set up some type of NAT rule that maps the remote device's ip address on wg0 to its static lease ip address on family?

If so, could you give me a pointer, as I don't have any experience with NAT rules (For example, I don't know the difference between SNAT, Masquerade and Accept).

Thank you.

If you want the exact same permissions, simply put the wg interface into the same firewall zone as the family interface. (be sure to remove wg from the current zone).


The family subnet is different from the wg0 subnet and the firewall rules are ip address based (i.e. each device’s family ip address is added to each firewall rule).

Do I also need to add a NAT rule to map the wg0 ip address to the family ip address?

Thanks for the lightning-fast reply.

If the family rules are IP based, you can add the IP address of each peer to the relevant rules.

I can confirm that this works, but it is less than ideal as I have to add two addresses each time I add a new device rule.

Is there any way to “map” the wireguard peer address to a family interface address (as well as having the family and wg0 interfaces in the same firewall zone)? That way it’s set-and-forget and I don’t have to remember to add the peer ip address each time I add a new rule.

Make the family connect through Wireguard even at home, so the only IP they have home or away is their Wireguard tunnel IP. The LAN that they connect to would block all traffic except to the encrypted Wireguard port.

This is more secure than DHCP reservations as a device can't change its address to circumvent the rules.


That's why a Zone Based Firewall should be used with Zones.

You could use IPSets assuming that you have groups of IPs that should be treated the same in terms of the applied firewall rules. Put all the relevant IP addresses into an IPSet, and then use those sets as the source.

I agree with this, but if your family-based rules differ on a per-family-member basis, you'd supplement the zone rules with specific IP-based ones. Typically the approach is to consider how you would craft the rules for the most efficient implementation. A simplified example would be a zone-level rule that is either allow-all or deny-all, and then one or a few rules doing the opposite (deny or allow) for specific sources/destinations.


This is an interesting suggestion, thanks for mentioning it. I did not try it as I came up with a simpler solution.

I mistakenly thought the ip address of the peer had to be in the subnet of the wg0 interface. If I make the following changes, I am able to get it to work without changing any individual firewall rules; I just have the family and wg0 interfaces share the same zone:

  • Change the ip address in the remote device’s tunnel config to the ip address it would have if it was connected to the family vlan locally;
  • Change the wg0 peer Allowed IPs to the same address;
  • Restart the wg0 interface; and
  • Connect the device to the wireguard tunnel.

The device has the same access as if it were connected locally.

Thanks for the suggestion, I would not have thought of that on my own. I do have groups of users that need the same access, so I'll give it a try.

This is exactly my use case.

Thank you for your help.
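Putting the advice in this thread together (wg0 sharing the family zone, the peer given its family-VLAN address instead of one from the wg0 subnet, and an IPSet for a group of devices that share the same access), the resulting UCI configuration looks like the following. This is an added example, not configuration posted by anyone in the thread: interface names, addresses, MACs, keys and the NAS destination are made up for illustration, and the ipset stanza uses the fw4 (OpenWrt 22.03 and later) syntax.

```uci
# /etc/config/network  (addresses, names and keys are placeholders)
config interface 'family'
	option device 'br-family'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'ROUTER_PRIVATE_KEY'
	option listen_port '51820'
	list addresses '10.0.0.1/24'     # wg0's own subnet; peers need not sit in it

# One peer per remote device. allowed_ips is the address the device has
# on the family VLAN (its static DHCP lease), not an address from 10.0.0.0/24.
config wireguard_wg0
	option description 'alice-phone'
	option public_key 'ALICE_PHONE_PUBLIC_KEY'
	option preshared_key 'ALICE_PHONE_PSK'
	list allowed_ips '192.168.20.50/32'
	option route_allowed_ips '1'     # installs the route 192.168.20.50/32 via wg0
	option persistent_keepalive '25'

# /etc/config/dhcp  (the same address as a static lease when the phone is at home)
config host
	option name 'alice-phone'
	option mac 'AA:BB:CC:DD:EE:FF'
	option ip '192.168.20.50'

# /etc/config/firewall
config zone
	option name 'family'
	list network 'family'
	list network 'wg0'               # same zone, so the same rules apply
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Group of family devices allowed to reach the NAS (fw4 ipset syntax)
config ipset
	option name 'nas_users'
	option family 'ipv4'
	list match 'src_ip'
	list entry '192.168.20.50'
	list entry '192.168.20.51'

# One rule for the whole group; a new device only needs a new ipset entry
config rule
	option name 'Allow-family-to-NAS'
	option src 'family'
	option ipset 'nas_users'
	option dest 'lan'
	option dest_ip '192.168.10.5'
	option proto 'tcp'
	option dest_port '445'
	option target 'ACCEPT'

# Matching tunnel config on the phone (wg-quick format), shown here as comments:
# [Interface]
# PrivateKey = ALICE_PHONE_PRIVATE_KEY
# Address = 192.168.20.50/32
# [Peer]
# PublicKey = ROUTER_PUBLIC_KEY
# PresharedKey = ALICE_PHONE_PSK
# Endpoint = router.example.net:51820
# AllowedIPs = 192.168.0.0/16
# PersistentKeepalive = 25
```

Two checks after applying this: `wg show wg0` should list the peer with allowed ips 192.168.20.50/32, and `ip route` should show `192.168.20.50 dev wg0` next to the connected route `192.168.20.0/24 dev br-family`. One caveat to keep in mind: that /32 host route is more specific than the /24 connected route and is present whether or not the peer has handshaked, so while the peer is configured the router sends any traffic it routes to 192.168.20.50 (for example replies from other VLANs) into the tunnel, even when the phone is sitting on the family VLAN without the tunnel up. Devices that are used both remotely and at home therefore work most predictably with the earlier suggestion in this thread of keeping the WireGuard tunnel up at home as well.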

You're welcome.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!


I just tried out the IPSets; what a time saver! Thanks.
