Single port device splitting one subnet to Wireguard

Hi,
I would just like to get some opinions on this config I am testing.
Normally I would set the internet router to have the Wireguard interface, but that is not an option right now.

The goal is to get remote access to DEV4 at the bottom right from the roaming laptop at the top right.
DEV5 is planned to facilitate this function, I am only using its ETH port - wifi not required.

There may be a couple of DEV4 like devices added in future on that same subnet 10.1.1.x.

So far the following is working:
-Roaming laptop can ping DEV 5 on Wireguard iface 192.168.55.200 and ping static iface 10.1.1.1.
-Can bring up DEV5 webpage on either iface from roaming laptop (they are both in the LAN section of the firewall).
-DEV5 can ping DEV4 (via diagnostics page)

The following is not working:
-Roaming laptop cannot ping /access DEV4.

I am guessing the next step might be to set the default gateway on DEV4 to 10.1.1.1, but I tried that in a previous config iteration and no luck, but it is worth another try since other config options may have changed.

The allowed IPs in the wireguard config routes the whole 10.1.1.0/24 subnet to DEV5.

In theory I could switch to OpenVPN and attempt a L2 bridge, but that I think is overkill, I would just like to know if I can get this to work in OpenWRT this way.

Thanks!

1 Like
  • Enable masquerading for the zone of iface2 on dev5.
  • Allow forwarding from the zone of iface3 to the zone of iface2.
1 Like

Thanks for the prompt response, it makes good sense. I will try that as soon as I get back to the laptop.

1 Like

Thanks again, this worked.
I did also manage to get it to go by having everything in the same Zone and setting the DG on DEV4 and Iface2.
But I think having multiple Zones with masquerading and forwarding is better overall, so I ended up settling on that.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.