I ran into a problem with my current wireguard setup. I have 2 subnets at different locations:
192.168.1.0/24
192.168.5.0/24
They connect to each other with a wireguard interface, wireguard itself is under 192.168.13.0/24.
I put the wireguard interface in the lan firewall zone.
Now most things work flawlessly, but there is a hiccup:
For example, windows PC 1 (192.168.1.100) cannot ping PC 2 (192.168.5.100), because from the point of view of PC 2, the ICMP traffic does not come from 192.168.5.0/24, thus it is denied. This applies to quite a few machines in my setup. I think NAT at the gateway is required, but I have not been able to figure it out.
Can someone please tell me what is the best practice here?
Much appreciated!
Note that masquerading is a last resort workaround.
The proper solution should be adding the remote subnets to the trusted sources in the Windows firewall.
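As an added illustration of what "adding the remote subnets to the trusted sources" looks like on the Windows side (this is not code from the thread or from the OpenWrt project), the following PowerShell creates inbound rules on a host such as PC 2 that are scoped to the remote site subnet and the tunnel subnet from the thread. Rule names are hypothetical; the subnets are the ones given above; it must run in an elevated session. Scoping the rules this way keeps the real source addresses visible end to end, whereas masquerading at the gateway would make all remote traffic appear to come from the router and hide who actually connected.

```powershell
# Added example: trust the remote site subnet on a Windows host instead of NATing at the gateway.
# Assumed from the thread: remote LAN 192.168.1.0/24, WireGuard transfer net 192.168.13.0/24.
# Rule names below are hypothetical. Run in an elevated PowerShell session.

$RemoteSubnets = @('192.168.1.0/24', '192.168.13.0/24')

# Allow ICMPv4 echo requests (ping) only from the listed subnets, on the Domain/Private profiles.
New-NetFirewallRule -DisplayName 'WG site-to-site: ICMPv4 echo' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $RemoteSubnets -Profile Domain,Private -Action Allow

# Same scope for SMB file sharing (TCP 445); add further ports the same way rather than opening
# the host to "Any" remote address.
New-NetFirewallRule -DisplayName 'WG site-to-site: SMB' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $RemoteSubnets -Profile Domain,Private -Action Allow

# Alternative: widen the scope of the built-in rule group instead of adding new rules.
# 'LocalSubnet' keeps the default behaviour for the local LAN; the remote subnets are appended.
Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' `
    -RemoteAddress (@('LocalSubnet') + $RemoteSubnets)

# Verify: list the remote-address scope of the rules just created.
Get-NetFirewallRule -DisplayName 'WG site-to-site*' |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

The same script can be pushed to every host with Group Policy, a remoting session, or your configuration management of choice, which addresses the "one machine at a time" objection while keeping the per-host least-privilege scope.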
I am aware of the solution to manually set each machine that I want to access.
But it is pretty cumbersome.
I did add masquerade subnet restrictions, so I reckon it would be fine.
Thanks for the heads up! However, I did fail to mention that there are a couple of routers with original firmware (no openwrt support) in AP mode which simply do not have the settings for it...
Anyway, still good to know for future reference that setting each machine is the best practice