Mesh Network Help

Comments

5 comments

  • Lee Pelletier

    Also, I'll need some clarity on how DNS is being handled.  With Site-to-site, I can choose to send DNS over the VPN tunnel, which I need as I have Domain controllers on both sides.  I can configure that with Site-to-Site.  But I don't see any configuration options on Mesh, and don't know if DNS is being sent site-to-site or whether the Firewalla boxes are intercepting DNS.

  • Support Team

    This looks like the mesh setup conflicts with site-to-site VPN. You may try to stop the site-to-site VPN first, and try to setup the mesh again.

    For DNS, how do you want to forward the DNS requests? Do you want to forward a specific list of domains or all domains to the other side? The DNS configuration interface is not supported on the Mesh UI yet, but backend already has the functionality.

  • Support Team

    If you still have the issue, you may send email to help@firewalla.com, we can help check what's wrong.

  • Evan Cox

    Did you guys end up figuring this out? I'm having the same problem.

    I had a previously configured S2S VPN between my two boxes when I set up the mesh through MSP. None of the devices connected to one box could communicate with any device on the other box. I figured the previous S2S config may have been an issue, so I decided to start from scratch. I removed the mesh setup on MSP, removed the S2S config, and turned off WireGuard and OpenVPN on both boxes. I then set up the mesh again in MSP. Basically, I figured that I'd let MSP configure everything with a clean slate, hoping that would avoid any conflicts. That didn't work. If I'm connected to the mesh on my Mac from a remote network, I can communicate with any subnet on any box I like. But if I'm connected directly to box #1, I can't communicate with any device or subnet on box #2. If I do a traceroute from Terminal, I see one hop to the Firewalla interface and then nothing. However, if I SSH into Firewalla and traceroute, it works flawlessly. I've paused every block rule in my list just to rule that out as an issue; nothing changes.

    This is the routing table when I run netstat from SSH:

    On this particular box, 10.1.0.0/16 is local, and 10.0.0.0/16 is remote. 10.241.200.195 is the mesh address for the remote box. I can't imagine all the remote subnets being routed to 0.0.0.0 is correct, so maybe that's the problem?

    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         172.20.10.1     0.0.0.0         UG        0 0          0 wlan0
    10.0.1.0        0.0.0.0         255.255.255.0   U         0 0          0 wg1
    10.0.10.0       0.0.0.0         255.255.255.0   U         0 0          0 wg1
    10.0.20.0       0.0.0.0         255.255.255.0   U         0 0          0 wg1
    10.0.30.0       0.0.0.0         255.255.255.0   U         0 0          0 wg1
    10.0.100.0      0.0.0.0         255.255.255.0   U         0 0          0 wg1
    10.1.1.0        0.0.0.0         255.255.255.0   U         0 0          0 br1
    10.1.10.0       0.0.0.0         255.255.255.0   U         0 0          0 br3
    10.1.20.0       0.0.0.0         255.255.255.0   U         0 0          0 br2
    10.1.30.0       0.0.0.0         255.255.255.0   U         0 0          0 br4
    10.1.100.0      0.0.0.0         255.255.255.0   U         0 0          0 br5
    10.1.200.0      0.0.0.0         255.255.255.0   U         0 0          0 br0
    10.189.233.0    0.0.0.0         255.255.255.0   U         0 0          0 wg0
    10.241.200.0    0.0.0.0         255.255.255.0   U         0 0          0 wg1
    10.241.200.19   0.0.0.0         255.255.255.255 UH        0 0          0 wg1
    10.241.200.56   0.0.0.0         255.255.255.255 UH        0 0          0 wg1
    10.241.200.194  0.0.0.0         255.255.255.255 UH        0 0          0 wg1
    10.241.200.195  0.0.0.0         255.255.255.255 UH        0 0          0 wg1
    10.241.200.214  0.0.0.0         255.255.255.255 UH        0 0          0 wg1
    172.20.10.0     0.0.0.0         255.255.255.240 U         0 0          0 wlan0
    172.20.10.1     172.20.10.1     255.255.255.255 UGH       0 0          0 wlan0

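An added example, not code from this thread or from Firewalla: a small Python script that parses the `netstat -rn` table quoted in the post above (copied into the script as its sample input) and performs the same longest-prefix match the kernel uses to pick a route, for a few constructed destination addresses. It shows what the table actually says: a gateway of 0.0.0.0 with no `G` flag is an on-link route, meaning the packet is handed straight to the interface with no next-hop router, which is the normal shape of a WireGuard route, so the remote 10.0.x.0/24 subnets are routed into wg1 by the main table.

```python
"""Longest-prefix lookup over a Linux routing table in `netstat -rn` format.

Added example, not code from the thread or from Firewalla. ROUTING_TABLE is
the table quoted in the post above; the destinations queried in main() are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ROUTING_TABLE = """\
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.20.10.1     0.0.0.0         UG        0 0          0 wlan0
10.0.1.0        0.0.0.0         255.255.255.0   U         0 0          0 wg1
10.0.10.0       0.0.0.0         255.255.255.0   U         0 0          0 wg1
10.0.20.0       0.0.0.0         255.255.255.0   U         0 0          0 wg1
10.0.30.0       0.0.0.0         255.255.255.0   U         0 0          0 wg1
10.0.100.0      0.0.0.0         255.255.255.0   U         0 0          0 wg1
10.1.1.0        0.0.0.0         255.255.255.0   U         0 0          0 br1
10.1.10.0       0.0.0.0         255.255.255.0   U         0 0          0 br3
10.1.20.0       0.0.0.0         255.255.255.0   U         0 0          0 br2
10.1.30.0       0.0.0.0         255.255.255.0   U         0 0          0 br4
10.1.100.0      0.0.0.0         255.255.255.0   U         0 0          0 br5
10.1.200.0      0.0.0.0         255.255.255.0   U         0 0          0 br0
10.189.233.0    0.0.0.0         255.255.255.0   U         0 0          0 wg0
10.241.200.0    0.0.0.0         255.255.255.0   U         0 0          0 wg1
10.241.200.19   0.0.0.0         255.255.255.255 UH        0 0          0 wg1
10.241.200.56   0.0.0.0         255.255.255.255 UH        0 0          0 wg1
10.241.200.194  0.0.0.0         255.255.255.255 UH        0 0          0 wg1
10.241.200.195  0.0.0.0         255.255.255.255 UH        0 0          0 wg1
10.241.200.214  0.0.0.0         255.255.255.255 UH        0 0          0 wg1
172.20.10.0     0.0.0.0         255.255.255.240 U         0 0          0 wlan0
172.20.10.1     172.20.10.1     255.255.255.255 UGH       0 0          0 wlan0
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    flags: str
    iface: str

    @property
    def on_link(self) -> bool:
        """True when the kernel treats the destination as directly reachable
        through `iface` (no 'G' flag; netstat prints the gateway as 0.0.0.0).
        WireGuard and other point-to-point tunnels carry their routes this way."""
        return "G" not in self.flags


def parse_netstat_routes(text: str) -> list[Route]:
    """Parse the output of `netstat -rn` / `route -n` into Route objects."""
    routes: list[Route] = []
    for line in text.splitlines():
        parts = line.split()
        # Skip blank lines, the "Kernel IP routing table" banner and the header row.
        if len(parts) < 8 or parts[0] == "Destination":
            continue
        dest, gateway, mask, flags, iface = parts[0], parts[1], parts[2], parts[3], parts[-1]
        # (address, netmask) tuple form; strict=False tolerates host bits in /32 rows.
        network = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append(Route(network, ipaddress.IPv4Address(gateway), flags, iface))
    return routes


def lookup(routes: list[Route], dst: str) -> Optional[Route]:
    """Kernel-style selection: among matching routes, the longest prefix wins."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


def routes_via(routes: list[Route], iface: str) -> list[str]:
    """All destination networks the main table sends through `iface`."""
    return sorted(str(r.network) for r in routes if r.iface == iface)


def explain(routes: list[Route], dst: str) -> str:
    """Human-readable summary of how `dst` would leave this box."""
    r = lookup(routes, dst)
    if r is None:
        return f"{dst}: no route (would be unreachable)"
    how = "on-link (handed directly to the interface)" if r.on_link else f"via gateway {r.gateway}"
    return f"{dst}: matches {r.network} -> {r.iface}, {how}"


if __name__ == "__main__":
    table = parse_netstat_routes(ROUTING_TABLE)
    print(f"{len(table)} routes; via wg1: {routes_via(table, 'wg1')}")
    for dst in ("10.0.10.5", "10.1.20.7", "10.241.200.195", "8.8.8.8"):  # constructed
        print(explain(table, dst))
```

The main table is only part of the picture on a Linux router. Policy routing (`ip rule` and the other tables shown by `ip route show table all`) and the forwarding firewall rules between the br* bridges and wg1 decide whether a packet arriving from a LAN client is actually forwarded into the tunnel, and those are not visible in `netstat -rn`; a traceroute that works from the box itself but stops at the box when run from a client behind it is the symptom to check there, rather than in the table above.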
  • Lee Pelletier

    No, Evan. I actually spent some time yesterday on it. I, like you, shut off all my VPNs and then let MSP configure the mesh. I initially got site-to-site up and running and could log into my remote NAS. Yay!

    But things went south from there. I then tried connecting with an external device. I had my phone with me and decided to try that. I disabled wireless on it and connected with the VPN profile provided. I was able to get on one network on one side, but could not get to the other network on the other side. The profile is attempting to connect to the nearest box, but it just isn't. It connects to one box only.

    The thing is, before with just site-to-site, when I would connect to either side (and it didn't matter which one), the site-to-site functionality would give me access to the other side. But I'm just getting nothing.

    This may actually be an iOS issue and not a WireGuard or Mesh VPN issue. However, I DO occasionally use my phone for emergency access, so this would be less functionality, not more. I have not tested a computer with a Mesh VPN profile yet. Unfortunately, I had to put the network back together, so I disabled the Mesh VPN and re-enabled the usual Site-to-Site VPN with the app. I'll do some more research on the iOS issue, but if I can't get that addressed, I probably don't need to go any further.
