I have a WireGuard interface at 10.10.10.1/24 on my lan firewall zone. The connection works fine, however from remote devices/wg peers, I am only able to access 3 devices on my LAN.
I can access:
The OpenWRT router (192.168.1.1, 192.168.2.1)
My wireless access point (192.168.1.10)
My modem (192.168.100.1) and WAN
I cannot access anything else on the network, including Windows computers, a Linux server, and my NAS.
I believe the issue is that the majority of devices will reject traffic outside of their local network, but I'm not sure if this is the case. Regardless, enabling masquerading on the lan zone seems to solve all my issues.
As far as I'm aware, masquerading will hurt my router's performance. I also just want to understand what's going on here. Could someone help me understand why most LAN devices are inaccessible to my WireGuard interface?
This is true of Windows, for sure. It is not uncommon for some NAS OSes to have similar restrictions. Most Linux distros don't do this by default, but if you have a local firewall enabled, that could account for it.
This is not an ideal solution, but it works because of the nature of masquerading.
Generally not, but it does depend on how it's applied.
Let's start by reviewing your configuration.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
First, in VLAN 1 I'd recommend that you mark the ports with :u* to explicitly set the untagged+PVID status. However, the bigger issue is that you have port lan3 untagged in both VLANs. That port should be removed from VLAN 1.
Try making that change, then reboot and test again.
Let's take a look at the config of the remote peer's WG interface.
Also, how is this being tested? What network is the remote peer connected to?
I would check the configuration of the devices that cannot be reached. The fact that you can reach at least 3 devices suggests that the routing is working as expected, and it is very likely the local device rules that are preventing access.
All I have to add to @psherman's comprehensive answer is that you basically have two options: either you enable NAT, so those devices perceive only local connections, or you open their firewalls.
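As an added illustration of the NAT option (not from any poster in this thread), this /etc/config/firewall zone fragment masquerades only traffic that originates from the WireGuard subnet, so ordinary LAN-to-LAN traffic is left untouched and the performance concern is limited to tunnel traffic. The zone name 'lan', the interface name 'wg0' and the 10.10.10.0/24 subnet are taken from the question; the remaining policy values are assumptions.

```uci
# Zone covering both the wired LAN and the WireGuard interface,
# as described in the original question (interface name assumed to be wg0).
config zone
	option name 'lan'
	list network 'lan'
	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	# Enable masquerading on the zone ...
	option masq '1'
	# ... but only for packets whose source is the WireGuard subnet.
	# Without masq_src, every packet leaving the zone would be NATed,
	# including normal LAN-to-LAN traffic that never needs it.
	list masq_src '10.10.10.0/24'
```

LAN hosts then see connections from the router's LAN address (192.168.1.1) instead of 10.10.10.x, which is what satisfies host firewalls that only allow their local subnet; the trade-off is that those hosts can no longer distinguish individual WireGuard peers in their own logs.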