Wireguard handshake

Thanks a lot for your explanation!

As for ping, for now, let's say I'm just at an arbitrary wifi, let's say at my friend's, with no particular VPN or firewall or anything, and I don't turn WireGuard on. Let's say my FB4020 and Raspi are as they are now. If I ping the public IP from my laptop, I can check if my Raspi is online. But if someone pulls the cable between FB4020 and Raspi, I won't be able to tell, because Raspi is still online.

I am wondering if I can set something on Raspi, so that pinging the public IP would tell me the internet connectivity of FB4020 instead of Raspi (i.e. bypassing Raspi).

If that's possible, in the future, when I get my second internet contract and put FB4020 there behind an ISP router, I can set Raspi here to ping it and to email me if FB4020 doesn't react to ping. That would be the easiest.

Ah, that makes sense, 9.0 being the address of the network! I was wondering why it was asking for the 255.255 thing if I had to put /24. Thank you!!
But I didn't get any error message, though.

Regarding the ping, you can forward ICMP to the FB4020 from the RPi; however, fw3 doesn't give options for which ICMP types to forward, so it forwards them all.

You can use the same sections for another device running 'wg-server'. If the device has a static IP, you do not need to implement port forwarding, but just open the port.

Well, but if FB4020 is running behind Raspi, can I really create a WireGuard interface with the same subnet and use the same port on Raspi? Can WireGuard find out which one it has to connect to just because of the keys?

OK, thank you!! I hope forwarding all types of ICMP isn't dangerous??

Any forwarding can be dangerous. It would be better to ping through the WireGuard tunnel. There can be better ways to monitor the health of the FB4020 than forwarding ICMP, like some webpage showing its status and health.
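One way to watch a peer "through the tunnel" without forwarding any ICMP from the WAN: read the latest-handshake timestamp that WireGuard already keeps per peer. The script below is an added example, not code from the thread or from OpenWrt; it parses the tab-separated output of `wg show <iface> dump` (one interface line, then one line per peer with public key, preshared key, endpoint, allowed IPs, latest handshake in Unix seconds, rx, tx, keepalive). The peer names, keys, timestamps and the 180-second threshold are constructed placeholders. The threshold assumes the monitored peer has PersistentKeepalive set, so that handshakes keep being renewed while the link is up; a peer without keepalive simply goes quiet when idle, which the code reports as "idle" rather than "down".

```python
"""Peer liveness from `wg show <iface> dump` output (added example, not from the thread)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class WgPeer:
    public_key: str
    endpoint: Optional[str]       # None when the peer has never been seen
    allowed_ips: List[str]
    latest_handshake: int         # Unix seconds, 0 = never handshaked
    rx_bytes: int
    tx_bytes: int
    keepalive: Optional[int]      # PersistentKeepalive seconds, None = off


def parse_wg_dump(dump: str) -> List[WgPeer]:
    """Parse `wg show <iface> dump`: first line is the interface, the rest are peers."""
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    peers = []
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        pub, _psk, endpoint, allowed, hs, rx, tx, ka = fields
        peers.append(WgPeer(
            public_key=pub,
            endpoint=None if endpoint == "(none)" else endpoint,
            allowed_ips=allowed.split(","),
            latest_handshake=int(hs),
            rx_bytes=int(rx),
            tx_bytes=int(tx),
            keepalive=None if ka == "off" else int(ka),
        ))
    return peers


def peer_status(peer: WgPeer, now: int, max_age: int = 180) -> str:
    """'up' if the last handshake is recent, 'never' if there was none,
    'idle' if stale but the peer has no keepalive (so staleness proves nothing),
    'down' if stale although keepalives should have kept it fresh."""
    if peer.latest_handshake == 0:
        return "never"
    age = now - peer.latest_handshake
    if age <= max_age:
        return "up"
    return "idle" if peer.keepalive is None else "down"


def peer_statuses(dump: str, now: int, max_age: int = 180) -> Dict[str, str]:
    return {p.public_key: peer_status(p, now, max_age) for p in parse_wg_dump(dump)}


def down_peers(dump: str, now: int, max_age: int = 180) -> List[str]:
    """Peers worth an alert: stale despite keepalive, or never connected at all."""
    return [k for k, s in peer_statuses(dump, now, max_age).items() if s in ("down", "never")]


# Constructed sample: what `wg show wg0 dump` could look like on the Raspi.
# Keys and endpoints are placeholders, not real values from the thread.
SAMPLE_DUMP = (
    "SERVER_PRIVATE_KEY_REDACTED=\tSERVER_PUBKEY=\t51821\toff\n"
    "FB4020_PUBKEY=\t(none)\t203.0.113.7:51820\t192.168.9.1/32,192.168.178.0/24"
    "\t1699999900\t1048576\t2097152\t25\n"                    # keepalive 25s, fresh
    "LAPTOP_PUBKEY=\t(none)\t198.51.100.23:41642\t192.168.9.2/32"
    "\t1699990000\t4096\t8192\toff\n"                          # no keepalive, idle
    "NEW_PEER_PUBKEY=\t(none)\t(none)\t192.168.9.3/32\t0\t0\t0\toff\n"   # never seen
)
NOW = 1700000000   # constructed "current time" for the sample


if __name__ == "__main__":
    for key, status in peer_statuses(SAMPLE_DUMP, NOW).items():
        print(f"{key:20s} {status}")
    print("alert for:", down_peers(SAMPLE_DUMP, NOW))
```

In practice the dump would come from `subprocess.run(["wg", "show", "wg0", "dump"], capture_output=True, text=True).stdout` on the Raspi, run from cron, with the alerting done however you already do it for uptimerobot. Keep the ICMP/fw3 alternative in mind: this check only needs the tunnel itself, so nothing extra is opened on the WAN side.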

Hmm... OK. I will then think about what to do once I set up FB4020 elsewhere, where it will be behind another one. Thanks a lot for your tip!

Now I'm done with a lot of things, and it's working fine :) Here is the summary:
First, my topology (the main part in this context)
ISP---Modem---Raspi4-192.168.1.1/24--FB4020 (tentative)
My laptop with win8.1 on VBox: elsewhere

  1. Remote access to FB4020:
    Installed WG server on FB4020, with 192.168.9.1/24, port: 51820
    Installed WG on win8.1 with 192.168.9.2
    (Reference: https://golb.hplar.ch/2019/07/wireguard-windows.html)
    Set the port forwarding on Raspi4 for 51820 UDP to the WAN-side IP of FB4020.
    Static route on Raspi with target 192.168.9.0, gateway IP = WAN-side IP of FB4020.

  2. Remote access to Raspi (because FB4020 will be gone at some point):
    Installed WG server on Raspi, with 192.168.9.1/24, port: 51821 (I figured that it really can't be 51820 as long as that is being forwarded. But the address can be the same, because FB4020 is connected to 192.168.1.1/24 of Raspi.)
    I think "opening the port" is set by the firewall traffic rule "allow wireguard", as given in the wiki.

So far they are both working :slight_smile: Thank you so much for all your help!

Now, what I'm not sure about:

  1.
    I am not sure if it's good or bad. I would like to access everything I can access when I'm there locally, including, for example, the ISP router before FB4020 with 192.168.178.1 (once FB4020 is properly set up at the new site), but when I am browsing a regular internet site or ssh-ing to somewhere else, I don't need to go through FB4020.
    That's why I put 192.168.0.0/16. Is it right that way?

  2. Forwarding/opening:
    When you install OpenWRT, by default "allow ping" is there among the traffic rules, where it accepts ICMP from WAN, so that one can ping the router just by the public IP, or send any type of ICMP, if it is directly connected to a modem.
    Wouldn't it then be the same, if FB4020 is behind another router and I set up forwarding of ICMP to FB4020?
    I use uptimerobot.com for Raspi, because it's pingable. If it fails, I get an email/SMS. It would be nice if I could do something similar for FB4020, once it gets behind an ISP router at the new site. I don't really have to see the health, I just want to know right away if it's down, so that I can go there / remote access to see what's going on.

I would appreciate it if someone could please clarify these for me :)
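The AllowedIPs question above ("is 192.168.0.0/16 right?") is really two questions: which destinations the client pushes into the tunnel, and whether the tunnel prefix collides with the LAN the laptop is physically sitting on. The script below is an added example, not code from the thread or the WireGuard project; it uses only the standard `ipaddress` module. The addresses are the ones from the thread (192.168.9.0/24 tunnel, 192.168.1.0/24 Raspi LAN, 192.168.178.1 ISP router), the "friend's wifi" LAN 192.168.1.0/24 is a constructed example of a clash. It goes slightly beyond the single case in the post: `shadowed_by_local_lan` finds any overlap, and `tight_allowed_ips` collapses a list of remote subnets into the smallest AllowedIPs list, which is the usual alternative to a blanket /16.

```python
"""Split-tunnel checks for a WireGuard AllowedIPs list (added example, not from the thread)."""
import ipaddress
from typing import Iterable, List


def parse_nets(cidrs: Iterable[str]):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def via_tunnel(dest: str, allowed_ips: Iterable[str]) -> bool:
    """True if the WireGuard client would send `dest` into the tunnel.

    The client installs a route for every AllowedIPs prefix and, on the way back in,
    only accepts packets whose source lies inside one of them. 0.0.0.0/0 means
    "everything", i.e. a full tunnel; a list of RFC 1918 prefixes means split tunnel.
    """
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net in parse_nets(allowed_ips))


def shadowed_by_local_lan(allowed_ips: Iterable[str], local_lan: str) -> List[str]:
    """AllowedIPs prefixes that overlap the LAN the laptop is currently attached to.

    The OS picks the most specific route. A directly connected /24 (the wifi you sit
    on) beats a /16 tunnel route, so the remote side's copy of that /24 becomes
    unreachable; with equal prefix lengths the winner depends on route metrics.
    Either way an overlap here is a sign to narrow AllowedIPs or renumber.
    """
    lan = ipaddress.ip_network(local_lan, strict=False)
    return [str(n) for n in parse_nets(allowed_ips) if n.overlaps(lan)]


def tight_allowed_ips(remote_subnets: Iterable[str]) -> List[str]:
    """Smallest AllowedIPs list that still covers the given remote subnets."""
    return [str(n) for n in ipaddress.collapse_addresses(parse_nets(remote_subnets))]


# Constructed scenario built from the thread's numbers.
BLANKET = ["192.168.0.0/16"]                         # what the post currently uses
REMOTE = ["192.168.9.0/24",                          # WireGuard tunnel subnet
          "192.168.1.0/24",                          # Raspi LAN (FB4020 WAN side)
          "192.168.178.0/24",                        # ISP router at the new site
          "192.168.9.2/32"]                          # redundant, already inside /24
FRIENDS_WIFI = "192.168.1.0/24"                      # constructed: a common default LAN


if __name__ == "__main__":
    for dest in ("192.168.178.1", "192.168.9.1", "192.168.1.1", "8.8.8.8"):
        print(f"{dest:16s} via tunnel: {via_tunnel(dest, BLANKET)}")
    print("overlap with local wifi:", shadowed_by_local_lan(BLANKET, FRIENDS_WIFI))
    narrow = tight_allowed_ips(REMOTE)
    print("narrower AllowedIPs:", narrow)
    print("still overlapping:", shadowed_by_local_lan(narrow, FRIENDS_WIFI))
```

Running it shows the two halves of the answer: the /16 does what the post wants for the local destinations (178.1, 9.1) while leaving 8.8.8.8 on the wifi's own uplink, but it also overlaps any 192.168.x.0/24 wifi you happen to use. Narrowing the list removes most of that, and what remains (the Raspi's 192.168.1.0/24 against a friend's 192.168.1.0/24) can only be fixed by renumbering one of the two LANs.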

Sorry, do you want to implement double NAT?

Yes, FB4020 will be double NAT behind an ISP router. (Now it is double NAT behind Raspi.)
Raspi is simple NAT behind a modem. But I don't like it so much this way, because each time I restart the network or reboot the router, the public IP changes. And if the modem gets rebooted (like by accidentally pulling the power supply), the router has to be restarted as well. I might make it double NAT. I heard about some negative effects of it, but now I think it really doesn't matter; it's mostly about gaming.
