Asking again for your help. I'm having problems accessing my private LAN using WireGuard on macOS.
I've installed the WireGuard server part on a Raspberry Pi and I'm forwarding WireGuard port 500 on my edge router to it.
wg0 interface on raspi has IP: 10.200.200.1
eth0 (LAN) interface on raspi has IP: 192.168.81.19
From the client (macOS) I can ping both 10.200.200.1 and 192.168.81.19 but no other address, like the edge router 192.168.81.1. I've tried two configurations:
- added wg0 to same zone as lan (this seemed to work for a while)
- created new zone for wg0 and set interzone forwarding to lan zone + masquerading
Current route table on raspi:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.81.1    0.0.0.0         UG    0      0        0 eth0
10.200.200.0    *               255.255.255.0   U     0      0        0 wg0
10.200.200.15   *               255.255.255.255 UH    0      0        0 wg0
10.200.200.111  *               255.255.255.255 UH    0      0        0 wg0
10.200.200.123  *               255.255.255.255 UH    0      0        0 wg0
192.168.81.0    *               255.255.255.0   U     0      0        0 eth0
cat /proc/sys/net/ipv4/ip_forward
1
cat /etc/config/firewall
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpn'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option network 'vpntun'

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option name 'Allow-Wireguard-Inbound'
	option dest_port '500'

config zone
	option name 'wireguard'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option network 'wg0'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option dest 'wireguard'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'wireguard'
The current situation is that I can connect from the macOS client but can only access the Raspberry Pi's IPs and no other IPs in my LAN.
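A check worth running against a firewall config like the one posted above, added here as an example (it is not part of the original post and not OpenWrt's own tooling; the function names `parse_uci`, `forwarding_report` and `inbound_udp_rules` and the embedded sample are mine). It parses the UCI file and, for each `config forwarding`, reports which zone's `masq` setting applies. In OpenWrt's fw3/fw4, `masq '1'` on a zone SNATs traffic leaving through that zone's interfaces, so `masq` on the wireguard zone rewrites packets going out over wg0, while packets coming from wg0 and forwarded into the lan zone keep their 10.200.200.x source unless the lan zone itself masquerades:

```python
"""Inspect an OpenWrt UCI firewall config for forwarding and masquerade direction.

Example code added to this page; not OpenWrt's own tooling. The sample config
below is reconstructed from the post above (indentation restored, same values).
"""
import shlex

# Constructed sample input: the /etc/config/firewall from the post.
SAMPLE_CONFIG = """
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config include
    option path '/etc/firewall.user'

config zone
    option name 'vpn'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option input 'REJECT'
    option network 'vpntun'

config rule
    option src '*'
    option target 'ACCEPT'
    option proto 'udp'
    option name 'Allow-Wireguard-Inbound'
    option dest_port '500'

config zone
    option name 'wireguard'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option output 'ACCEPT'
    option network 'wg0'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option dest 'wireguard'
    option src 'lan'

config forwarding
    option dest 'lan'
    option src 'wireguard'
"""


def parse_uci(text):
    """Parse UCI text into a list of dicts, one per 'config' section.

    Each dict carries the section type under '.type', an optional section
    name under '.name', every 'option k v' as k -> v and every 'list k v'
    as k -> [v, ...]. Quoting is handled by shlex, as uci itself allows.
    """
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] == "config":
            current = {".type": parts[1]}
            if len(parts) > 2:
                current[".name"] = parts[2]
            sections.append(current)
        elif current is None:
            continue  # option/list outside any section: ignore
        elif parts[0] == "option" and len(parts) >= 3:
            current[parts[1]] = parts[2]
        elif parts[0] == "list" and len(parts) >= 3:
            current.setdefault(parts[1], []).append(parts[2])
    return sections


def forwarding_report(text):
    """For every forwarding src->dest, say whether packets leaving via the
    dest zone get SNATed. masq belongs to the *egress* zone, so this reads
    the dest zone's 'masq', not the src zone's."""
    sections = parse_uci(text)
    zones = {s["name"]: s for s in sections if s[".type"] == "zone" and "name" in s}
    report = []
    for s in sections:
        if s[".type"] != "forwarding":
            continue
        src, dest = s.get("src"), s.get("dest")
        dzone = zones.get(dest, {})
        report.append({
            "src": src,
            "dest": dest,
            "src_defined": src in zones,
            "dest_defined": dest in zones,
            "dest_networks": dzone.get("network", ""),
            "snat_on_egress": dzone.get("masq") == "1",
        })
    return report


def inbound_udp_rules(text):
    """List (name, src, dest_port) of ACCEPT rules for UDP; the WireGuard
    listen port must appear here and must match the port forwarded by the
    edge router."""
    return [
        (s.get("name"), s.get("src"), s.get("dest_port"))
        for s in parse_uci(text)
        if s[".type"] == "rule" and s.get("proto") == "udp" and s.get("target") == "ACCEPT"
    ]


if __name__ == "__main__":
    for r in forwarding_report(SAMPLE_CONFIG):
        print(f"{r['src']:>10} -> {r['dest']:<10} networks={r['dest_networks']:<8} "
              f"SNAT on egress: {r['snat_on_egress']}")
    print("UDP accept rules:", inbound_udp_rules(SAMPLE_CONFIG))
```

On the sample, `lan -> wireguard` reports `SNAT on egress: True` and `wireguard -> lan` reports `False`: a client packet from 10.200.200.x is forwarded into the LAN unchanged, and the LAN host's reply follows that host's own routing, which for a host using 192.168.81.1 as its default gateway only gets back to wg0 if that host or the router has a route for 10.200.200.0/24 via 192.168.81.19. The `option network` values (`lan`, `vpntun`, `wg0`) are logical interface names from /etc/config/network, so they are also worth confirming there. Run the script with the real file by replacing `SAMPLE_CONFIG` with `open('/etc/config/firewall').read()`.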