Wireguard firewall question regarding NAT

Hello fellas,

I ran into a problem with my current wireguard setup. I have 2 subnets at different locations:
192.168.1.0/24
192.168.5.0/24

They connect to each other with a wireguard interface; wireguard itself is under 192.168.13.0/24.
I put the wireguard interface in the lan firewall zone.

Now most things work flawlessly, but there is a hiccup:
For example, Windows PC 1 (192.168.1.100) cannot ping PC 2 (192.168.5.100), because from the point of view of PC 2 the ICMP traffic does not come from 192.168.5.0/24, thus it is denied. This applies to quite a few machines in my setup. I think NAT at the gateway is required, but I have not been able to figure it out.

Can someone please tell me what is the best practice here?
Much appreciated!

So I figured it out. Enabling masquerading on lan makes it work.

Note that masquerading is a last resort workaround.
The proper solution should be adding the remote subnets to the trusted sources in the Windows firewall.


I am aware of the solution to manually set each machine that I want to access.
But it is pretty cumbersome.
I did add masquerade subnet restrictions, so I reckon it would be fine.


Well, you asked about the best practice and that's it. :wink:
In addition, you can automate firewall configuration with GPO or scripts.

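Scripting the best-practice fix described above, as an added example that is not from the thread: a PowerShell script for a Windows host on the 192.168.5.0/24 site that permits inbound ICMPv4 echo requests only from the remote 192.168.1.0/24 site, suitable for a GPO startup script. The rule name and display name are arbitrary choices made here; it must run in an elevated session.

```powershell
# Added example, not from the thread. Scoped inbound ICMPv4 echo rule for a Windows host
# on the 192.168.5.0/24 site: only the remote WireGuard site may ping it. Unlike masquerading
# on the gateway, this keeps the real source address visible in the Windows firewall log.

$RemoteSites = @('192.168.1.0/24')          # peer subnet(s) reached over the WireGuard tunnel
$RuleName    = 'WG-Remote-Site-ICMPv4-Echo-In'   # assumed name, chosen for this script

$existing = Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    New-NetFirewallRule -Name $RuleName `
        -DisplayName 'Allow ICMPv4 echo from remote WireGuard site' `
        -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $RemoteSites -Profile Domain,Private `
        -Action Allow | Out-Null
} else {
    # Idempotent re-run: force the scope back to exactly the listed remote sites
    Set-NetFirewallRule -Name $RuleName -RemoteAddress $RemoteSites -Enabled True
}

# Verify the scope actually applied; -RemoteAddress is stored on the rule's address filter
Get-NetFirewallRule -Name $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

Hosts that must also accept SMB or RDP from the remote site need the same treatment on those rules, with the scope still limited to the peer subnets rather than Any.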

Thanks for the heads up! However, I did fail to mention that there are a couple of routers with original firmware (no openwrt support) in AP mode which simply do not have the settings for it...

Anyway, still good to know for future reference that setting each machine is the best practice :grinning:
