WireGuard help (connecting, but nothing working)

Simplicity. But if peers are going to be /32, then I guess /24 will work. Would allow for expandability with other 172.16.x.x networks, though I doubt I'll need them.

From the FIOS router to the WAN port.

Since the FIOS router is connected to the internet, I would consider this the 'main router'.

Here's a key question -- why do you use the FIOS router? Do you have FIOS television services? If not, you probably don't need their router at all.

Yes.

If it wasn't for that, I'd chuck it aside.

I treat the FIOS router more like a modem with regard to accessing the Internet. That's why I consider the OpenWRT router to be the main router. It's the one I configure for the home network and everything goes through it to get to the FIOS router. The FIOS router doesn't control anything on the LAN, and none of the LAN clients can access the FIOS router without being directly connected to the FIOS router.

Ok... let's go back to basics.... way back to the very basic stuff.

  • Is your fios router actually set as a /16? Please verify the address and the subnet mask CIDR that is set there. A screenshot would be good.
  • While you are looking at your FIOS router, please look to see if there is a place to set static routes
  • Other than the FIOS STBs, what is connected to your FIOS router via ethernet and/or wifi?
  • What is connected to your OpenWrt router (via ethernet and/or wifi)?
  • Do the things connected to the fios router need to be able to connect to those on the OpenWrt router and vice versa?
  • What is your intended purpose for the OpenWrt router?
    • obviously you want it to be a VPN endpoint, but what else do you want it to do, if anything?

FWIW, I had at one point put a fios router behind another (better) router, and I was still able to get the STBs to work properly. This was on my dad's network, and he has since dropped FIOS TV services, so I don't remember exactly how I did this, but I can say that it is (or was) possible (as of November 2019, anyway).


From what I recall of the FIOS router settings:

  • 192.168.1.1/16, with the OpenWRT router client being 192.168.254.2.
  • DMZ set to 192.168.254.2
  • Only the STBs. I used to have my TV connected to it wirelessly, but I switched it to wired (OpenWRT)
  • STBs need FIOS and won't work (easily) without it. I would need a special device to provide programming information, and would have to do some trial and error in order to switch them to the WLAN. It's something that I tried one time (just trying an STB on the WLAN), and it felt like it was more trouble than it was worth.
  • The WRT (what I call the main router) is simply the "master" router of the LAN. There are a few other routers on the LAN, but they are mostly just like hubs that offer additional wireless signals, as well as wired connections to other parts of the household. Most devices have static leases.

I do have a few other services installed. WG obviously, but also Dynamic DNS, Terminal, blbwmon, Mount Points, DAWN, and some other things. I know that offering free wifi is a popular add-on, but I don't offer that (I forget the different packages, but where a person has to agree to Terms & Conditions and such before getting access). The WG is so that a couple of us can access the LAN remotely if needed. I generally don't need to, but another family member does, at least when visiting someone in another state (like they are doing now lol).

I prefer to keep the FIOS router first and treated like the ISP. If I'm doing anything with the network, the STBs can continue to function without interruption. If I were to do it the other way, then when doing anything to the network that causes an issue, someone would start raising a fuss to wonder what's going on. Internet going down isn't so bad, so long as the TV doesn't become unavailable as well.

Please don't do this from memory... go to the source and get screen grabs to post here. It matters.

Based on this, the FIOS router should be reset to use a /24 network... there is absolutely no reason for this device to use a /16... literally zero.

From there, your OpenWrt router can use a large subnet if you insist (but again, this is really bad practice, but it is viable)... you'll need to make sure the upstream (FIOS lan) and the OpenWrt lan don't overlap... we can help you with that. But first, we need to know exactly what is configured in the FIOS router. Please get screenshots.


I personally have my OpenWrt as the demarcation and the FiOS router downstream. I only connect devices to the FiOS device that need TV.

Also, my understanding is that in order to eliminate the router altogether, you need a coax/Ethernet bridge (the new models that also carry the WAN frequency as well).

This is a good idea until you're comfortable with OpenWrt and configuring it.

Okay, now I'm confused.

FIOS is 192.168.1.1/16, but the router is showing the WRT as 192.168.1.2.

So FIOS is showing 1.2 as the IP to the router (WAN), but the router is showing 254.2. Shouldn't it NOT be working then? I'm guessing that since it's entered as a static lease in FIOS, it's showing the entry with the 1.2 IP assigned and matching based on MAC vs IP of the actual IP of the client.

DMZ is showing as set to 254.2, and the ARP table is showing 254.2. I removed the static lease entry to eliminate confusion.

Happen to have any links? :grin:


That is probably a DHCP reservation that you're seeing there...

But you've set your OpenWrt router with a static IP:

If you notice, you do have the correct gateway here, which is why it wouldn't work if you changed it to any other value. This means you were mistaken when you said this:

and that is why it was so important for you to actually check.

As I mentioned, the .1.2 address is probably a DHCP reservation. But nothing precludes you from using a different address when set via static (as you have done).

Probably good to reduce confusion... but better would be to change the subnets as we have been urging you to do.

Since you have almost nothing on the FIOS router (just the STBs), the FIOS router should be running a /24.

You will still have a conflict if you try to run a 192.168.0.0/16 subnet on Openwrt's lan behind the 192.168.1.1/24 FIOS router's lan... but let's at least get started with the upstream in a more sensible state.

Set the FIOS router to 192.168.1.1/24.

I would suggest looking at your provider's site for the current model and price (if they offer one for sale/rent), then checking 3rd parties.

Back when I overhauled my dad's network (2019), he had a FIOS G1100.

I recall that I put it behind the primary router (i.e. the router that was directly connected to the FIOS internet connection). It had a connection from the primary router's lan (well, I had actually created an entirely isolated VLAN for this purpose) to the lan port on the FIOS router (I set a compatible static IP and disabled the DHCP server). From there, the G1100 was also connected via coax to a splitter/amplifier to which the STBs were also connected (all via coax). This allowed the STBs to get IP data.

Then, I seem to remember that I needed to do some port forwarding to the STBs in order to get the program guide data working. It wasn't really all that complex, but given that I live 3000 miles away, I got it setup based on the research I had done and I never really experimented to find out what was truly required and what other methods might have worked.

Moral of the story is that the FIOS router that had a coax connection in addition to the ethernet was sufficient to keep everything functional... we didn't need to rent/buy any additional equipment.

Things may have changed since then, and my memory may not be 100% accurate... but I do recall it being less work than I had expected.


To be clear I meant: "to eliminate the ISP's router - and bring your own device."

When I go to 192.168.0.1, I am able to access the router. I'm also able to connect to the home server (RDP, for example), which is 192.168.200.0 (main; VMs are other values in the 200.x range).

In order to access FIOS, I had to enable a second network adapter on the computer, which is connected directly to the FIOS router. With it disabled (as it usually is), I cannot access it at all.

Since FIOS is connecting via the WAN port, and it's not bridged to the LAN ports, then isn't it treated as an independent network? As in, any addresses via the WAN port have nothing to do with the LAN ports, since the router (WRT in this case) handles the communication between the two independent networks?

I just don't want to spend hours trying to get a setup working if it's not absolutely necessary. The only thing not working is WG, and I recall it working previously. I've moved WG to 172.16.0.0/8, but still nothing showing.

Ah... fair enough. I think my dad had purchased the FIOS router, so there was no additional cost. It was better to use it as a MoCA adapter (or whatever standard they are using in that thing) than to buy different equipment.

Honestly, I have no idea why. But your network sounds like it is seriously misconfigured.

Again, these are signs that things are very, very wrong with your network.

Well, it would be, except that you have overlapping subnets, so there is ambiguity when you type in an address. At this point, what you're dealing with is not an issue with "independent networks" and more an issue of the overlap.

There are really good reasons to use smaller subnets. There are very few reasons to use huge ones. You've made a mess of this because your subnets are not properly defined.

Do you want your network to function properly? If so, take what I am saying as the way to achieve that.

The whole purpose of this thread was to get WG working... I would be surprised if it ever actually functioned, but based on what you've shown us, it won't work.

GAAAH!

  1. Stay with RFC1918 ranges. The 172.16.0.0 network space is a /12, not a /8!
  2. Work with smaller subnets. Set WG up with a /24
  3. You must fix the overlap issues with your subnets first or it will never work properly.

I'm going to ask another set of basic questions...
You are insisting on using enormous subnets -- over 65K addresses. You said that you have < 254 devices on your network, so a /24 would be fine. But you also said you want to organize them... fine...

  1. How many devices do you have total?
  2. How many different categories of devices do you have in your organizational scheme?
  3. How many devices in each category? (or the max number you've got in any individual category)
  4. Do they need to be in the same L2 network, or might smaller subnets dedicated to the organizational goals work, too?
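The three points the reply above keeps returning to (172.16.0.0 is a /12, not a /8; two /16s on either side of one router overlap; a /20 is what gives you sixteen /24 "groups") can all be checked mechanically. The following is an added example written for this page, not code from the thread or from OpenWrt. The "current" figures are the ones the poster quoted; the "halfway" layout fixes only the FIOS side; in the "proposed" layout, 192.168.16.0/20 for the OpenWrt LAN is an assumed choice (any block clear of 192.168.1.0/24 would do).

```python
"""Subnet audit for the FIOS / OpenWrt / WireGuard layout in this thread.

Added example, not from the thread or from OpenWrt. 192.168.16.0/20 below is an
assumed placement for the OpenWrt LAN, chosen only because it does not touch
the upstream 192.168.1.0/24.
"""
from ipaddress import IPv4Network, ip_network

# The three RFC 1918 private blocks. Note that 172.16.0.0 is a /12, not a /8.
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def is_rfc1918(net: IPv4Network) -> bool:
    """True only when the whole network sits inside one RFC 1918 block."""
    return any(net.subnet_of(block) for block in RFC1918)


def overlapping_pairs(nets: dict[str, IPv4Network]) -> list[tuple[str, str]]:
    """Every pair of named networks that share at least one address."""
    names = list(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1 :]
        if nets[a].overlaps(nets[b])
    ]


def audit(layout: dict[str, str]) -> dict:
    """Parse 'router-address/prefix' strings and report what the replies in
    this thread keep pointing at: non-private space, overlaps, and size."""
    nets = {name: ip_network(cidr, strict=False) for name, cidr in layout.items()}
    return {
        "not_rfc1918": [n for n, net in nets.items() if not is_rfc1918(net)],
        "overlaps": overlapping_pairs(nets),
        "usable_hosts": {n: net.num_addresses - 2 for n, net in nets.items()},
    }


def groups(net: str, new_prefix: int = 24) -> list[str]:
    """The /24 'groups' a larger block contains (a /20 holds 16 of them)."""
    return [str(s) for s in ip_network(net).subnets(new_prefix=new_prefix)]


# As quoted in the thread: FIOS LAN /16, OpenWrt LAN /16, WireGuard set as "/8".
CURRENT = {"fios_lan": "192.168.1.1/16", "openwrt_lan": "192.168.0.1/16", "wg": "172.16.0.1/8"}
# Only the FIOS side fixed: the OpenWrt /16 still swallows the upstream /24.
HALFWAY = {"fios_lan": "192.168.1.1/24", "openwrt_lan": "192.168.0.1/16", "wg": "172.16.0.1/24"}
# Recommended shape (the /20 placement is an assumption made for this example).
PROPOSED = {"fios_lan": "192.168.1.1/24", "openwrt_lan": "192.168.16.1/20", "wg": "172.16.0.1/24"}

if __name__ == "__main__":
    for label, layout in (("current", CURRENT), ("halfway", HALFWAY), ("proposed", PROPOSED)):
        print(label, audit(layout))
    g = groups("192.168.16.0/20")
    print(len(g), "groups:", g[0], "...", g[-1])
```

Run as-is it reports that 172.16.0.1/8 is really 172.0.0.0/8 (mostly public space, so not RFC 1918), that the two /16s overlap, that the overlap persists as long as the OpenWrt side stays a /16 behind a 192.168.1.0/24 upstream, and that the proposed layout has no overlap at all.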

:man_facepalming: Sorry, that's what I meant. I set it up with /8 as available (0's) not taken (1's).


I promise you, my brain just farts a lot when it comes to that, so don't pull your hair out.

And the two peers are /32, as in, all bits are 1, no 0's. Just to make sure that doesn't get forgotten by me. lol. (Mine is 172.16.0.1/32 for example.)

  1. With assigned static leases? 80. There are some devices that don't have static leases. Honestly, I need to go through as I'm sure I can clear a few out. Many of the addresses are simply reserved but not often used, or at least not used at the same time (like the gaming systems).
  2. Probably about 7 or 8. I don't want to do it, but I could probably move the server and VMs to the 100.x range. (There's almost nothing in the 192.168.1xx.x area, except for 133.x, but I could easily reassign that after the other person has returned from their trip.)
  3. Varies.
  4. This depends. If there's a way to assign them different subnets but have them still talk to one another without any issues, then I suppose other subnets could work. Alexa controls some devices, TV's are either assigned by person or location (person for bedroom, location otherwise). I need to be able to RDP to the server and VM's.

I have it grouped like this (and yes, it's a little bit messy)... (192.168.group.x)

  • 0 = network - a couple of routers really.
  • 1 = My group.
    • I'm #1!!!
    • I keep myself here since some unconfigured network devices use 1.1 as their default IP. So I keep the first few available in case I encounter one.
  • 2 = Wireless repeaters (only 2 of them) to extend range in a couple of spots where wired isn't an option.
  • 4 = Devices (Alexa, automated devices, printer, TV's (room based), etc.)
  • 7 = Guests (dynamic leases).
  • 33 = Another person's group/133 for alternate DNS servers.
  • 47 = Gaming systems (PS/Xbox/etc)
  • 78 = Another person's group
  • 200 = Home server.
  • 666 = The Devil. (Sorry, had to sneak some humor in here.)

Max leased addresses is 64, which I had increased from a lower number (can't remember what, like maybe 40?) when I was noticing issues and realized there weren't enough leases available.

So some questions:

  1. Can multiple subnets be created on one router?
  2. Can those subnets be accessed via different routers?
  3. Can they communicate with one another easily?
  4. How many grains of sand are on the face of the planet (exact number)?

I guess one way to ask all of the above in a simple manner is, is there a way to let them keep the same addresses and communicate with each other while subnetting them in a way to be able to create a single subnet for FIOS so that it's isolated?

How about using contiguous groups if you really feel that the network needs to be organized like this.

For example, a /20 would give you 15 groups based on your scheme.

Yes. Easily.

Depends on the topology of the system and in some cases the capabilities of the router in question, but in general yes it is possible.

This is mostly a factor of the firewall. But yes. The only things that have trouble are auto-discovery or mdns based things like casting or Sonos or AirPrint/airplay.

I'm not sure what you mean here, but all your devices will sit behind the OpenWrt router. Therefore the OpenWrt router will handle all the routing and isolation/allowances/prohibitions for inter-subnet connections. It will also NAT masquerade the entire complex network so that the FIOS router doesn't see anything except the OpenWrt router's WAN port.

Meanwhile, your wireguard network is still invalid. Set the main wg interface address as 172.16.0.1/24 and then a peer to 172.16.0.2/32
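The addressing rule in the post above (interface address 172.16.0.1/24, each peer a /32 inside it) carried through to a wg-quick style configuration, as an added example that is not code from the thread or from OpenWrt. Keys and the endpoint name are placeholders, the 192.168.16.0/20 OpenWrt LAN is an assumed value, and the peer names are made up. The checks it applies follow from how WireGuard routes on AllowedIPs: the router side lists only each peer's /32, while the remote peer's AllowedIPs must also cover the LAN it wants to reach, otherwise the tunnel can come up with nothing behind it reachable.

```python
"""Address plan and wg-quick style config for the WireGuard fix described in
this thread: interface 172.16.0.1/24, peers as /32.

Added example, not from the thread or from OpenWrt. Keys are placeholders
(generate real ones with `wg genkey | tee private | wg pubkey`); the endpoint
hostname and the 192.168.16.0/20 OpenWrt LAN are assumed values.
"""
from ipaddress import ip_interface, ip_network


def plan(server_cidr: str, peers: dict[str, str], lans: list[str]) -> dict:
    """Validate the addressing and return the AllowedIPs each side needs.

    Rules (all consequences of WireGuard routing on AllowedIPs):
      * the interface address carries the tunnel subnet (e.g. /24), never /32;
      * every peer is one host (/32) inside that subnet, not the router's own;
      * the tunnel subnet must not overlap the LANs it is meant to reach.
    """
    server = ip_interface(server_cidr)
    if server.network.prefixlen == 32:
        raise ValueError(f"{server_cidr}: interface needs a subnet (e.g. /24), not /32")
    lan_nets = [ip_network(lan, strict=False) for lan in lans]
    for lan in lan_nets:
        if server.network.overlaps(lan):
            raise ValueError(f"tunnel {server.network} overlaps LAN {lan}")

    peer_allowed = {}
    for name, cidr in peers.items():
        p = ip_interface(cidr)
        if p.network.prefixlen != 32:
            raise ValueError(f"{name}: peer must be a /32, got {cidr}")
        if p.ip not in server.network or p.ip == server.ip:
            raise ValueError(f"{name}: {p.ip} is not a free host in {server.network}")
        peer_allowed[name] = str(p.network)

    return {
        "server": server,
        # On the router: AllowedIPs per peer is just that peer's /32.
        "server_allowed": peer_allowed,
        # On the remote peer: the tunnel subnet plus every LAN it should reach.
        "client_allowed": [str(server.network)] + [str(lan) for lan in lan_nets],
    }


def rejected(*args) -> bool:
    """True if plan() refuses this layout (used to show the failure cases)."""
    try:
        plan(*args)
    except ValueError:
        return True
    return False


def render_server(p: dict, listen_port: int = 51820) -> str:
    """wg-quick style [Interface]/[Peer] text for the OpenWrt router side."""
    lines = ["[Interface]", f"Address = {p['server']}", f"ListenPort = {listen_port}",
             "PrivateKey = <ROUTER_PRIVATE_KEY>"]
    for name, allowed in p["server_allowed"].items():
        lines += ["", f"# {name}", "[Peer]", f"PublicKey = <{name.upper()}_PUBLIC_KEY>",
                  f"AllowedIPs = {allowed}"]
    return "\n".join(lines) + "\n"


def render_client(p: dict, name: str, peer_cidr: str, endpoint: str) -> str:
    """wg-quick style text for one remote peer (laptop, phone, ...)."""
    return "\n".join([
        "[Interface]", f"Address = {peer_cidr}", f"PrivateKey = <{name.upper()}_PRIVATE_KEY>", "",
        "[Peer]", "PublicKey = <ROUTER_PUBLIC_KEY>", f"Endpoint = {endpoint}",
        f"AllowedIPs = {', '.join(p['client_allowed'])}", "PersistentKeepalive = 25",
    ]) + "\n"


# Constructed sample input: two peers and the (assumed) OpenWrt LAN.
PEERS = {"laptop": "172.16.0.2/32", "phone": "172.16.0.3/32"}
LANS = ["192.168.16.1/20"]  # the FIOS /24 is upstream of the router, not a LAN to reach

if __name__ == "__main__":
    p = plan("172.16.0.1/24", PEERS, LANS)
    print(render_server(p))
    print(render_client(p, "laptop", PEERS["laptop"], "your.ddns.example:51820"))
```

On OpenWrt the same values land in /etc/config/network rather than a wg-quick file: `list addresses '172.16.0.1/24'` and `option listen_port` on the `wg0` interface, and `list allowed_ips '172.16.0.2/32'` in each `wireguard_wg0` peer section. The `rejected()` helper shows the layouts the post is warning against: a /32 on the interface, a peer outside the /24, a peer given a /24, or a tunnel subnet that overlaps a LAN.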

You mean 16 groups, right?


FIOS to WRT (WAN, segregated), then LAN to next router (WAN, bridged), repeat 2 more times.

Only the main (WRT) router doesn't have the WAN port treated like a LAN port. So the other routers are like hubs that also provide wireless access.
Simple map: Internet--F--W--1--2--3


Auto-Discovery, like Winders discovering devices on the network? I don't believe we've ever benefited from that.

Sonos? Like media detection? What about Plex? Of course, the Home Server running Plex has all the media contained in it, so not really an issue, but still curious.

AirPrint/AirPlay? You mean Apple? Eww.


42 eh? You do know that with inflation, it's now 47. Just ask Rick Berman.


What you described is what I was asking, I believe. All devices keep existing assigned IP addresses, are able to communicate with one another despite being in different subnets, FIOS connection shielded from seeing the LAN (and vice versa, as far as the FIOS LAN is concerned).

Just shoot me now. (Fixed it, tested it, still not working.)