Mesh Network Help
So I currently have Site-to-Site VPN set up between my small business and my home. It works like a charm, and allows me quick and easy access to work assets when I am at home (as well as off-site backup).
What I like about the MSP Mesh network is it appears to allow me better control over other users' credentials (and decommissioning them if necessary) who may want remote access to work assets. Appears to.
So I went to Mesh Networks in MSP and created a Mesh Network with my two boxes. Unfortunately, as soon as I do, I lose connectivity between devices on the home network and devices on the work network. I tried this when I was at work, but needed to set things back to working status quickly.
I then tried this at home when we were closed so I could spend additional time on this. Unfortunately, there is really not a lot to set here. It either needs to work or not. And it doesn't work for me. I have no connectivity.
I can create users and devices for remote access (untested - but the created profile files look OK). But I'd like to get just the regular box to box communication going and then we can worry about remote access. Any thoughts on what might be going on?
When I delete the Mesh network, the previously configured site-to-site VPN comes right back online immediately. So we are still using that. But I'd love to get the Mesh up and running for the convenience of managing user profiles.
-
Also, I'll need some clarity on how DNS is being handled. With Site-to-site, I can choose to send DNS over the VPN tunnel, which I need as I have Domain controllers on both sides. I can configure that with Site-to-Site. But I don't see any configuration options on Mesh, and don't know if DNS is being sent site-to-site or whether the Firewalla boxes are intercepting DNS.
-
This looks like the mesh setup conflicts with site-to-site VPN. You may try to stop the site-to-site VPN first, and try to set up the mesh again.
For DNS, how do you want to forward the DNS requests? Do you want to forward a specific list of domains or all domains to the other side? The DNS configuration interface is not supported on the Mesh UI yet, but backend already has the functionality.
-
If you still have the issue, you may send email to help@firewalla.com, we can help check what's wrong.
-
Did you guys end up figuring this out? I'm having the same problem.
I had a previously configured S2S VPN between my two boxes when I set up the mesh through MSP. None of the devices connected to one box could communicate with any device on the other box. I figured the previous S2S config may have been an issue, so I decided to start from scratch. I removed the mesh setup on MSP, removed the S2S config, and turned off WireGuard and OpenVPN on both boxes. I then set up the mesh again in MSP. Basically, I figured that I'd let MSP configure everything with a clean slate, hoping that would avoid any conflicts. That didn't work. If I'm connected to the mesh on my Mac from a remote network, I can communicate with any subnet on any box I like. But, if I'm connected directly to box #1, I can't communicate with any device or subnet on box #2. If I do a traceroute from Terminal, I see one hop to the Firewalla interface and then nothing. However, if I SSH into Firewalla and traceroute, it works flawlessly. I've paused every block rule in my list just to rule that out as an issue; nothing changes.
This is the routing table when I run netstat from SSH:
On this particular box, 10.1.0.0/16 is local, and 10.0.0.0/16 is remote. 10.241.200.195 is the mesh address for the remote box. I can't imagine all the remote subnets being routed to 0.0.0.0 is correct, so maybe that's the problem?
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.20.10.1     0.0.0.0         UG        0 0          0 wlan0
10.0.1.0        0.0.0.0         255.255.255.0   U         0 0          0 wg1
10.0.10.0       0.0.0.0         255.255.255.0   U         0 0          0 wg1
10.0.20.0       0.0.0.0         255.255.255.0   U         0 0          0 wg1
10.0.30.0       0.0.0.0         255.255.255.0   U         0 0          0 wg1
10.0.100.0      0.0.0.0         255.255.255.0   U         0 0          0 wg1
10.1.1.0        0.0.0.0         255.255.255.0   U         0 0          0 br1
10.1.10.0       0.0.0.0         255.255.255.0   U         0 0          0 br3
10.1.20.0       0.0.0.0         255.255.255.0   U         0 0          0 br2
10.1.30.0       0.0.0.0         255.255.255.0   U         0 0          0 br4
10.1.100.0      0.0.0.0         255.255.255.0   U         0 0          0 br5
10.1.200.0      0.0.0.0         255.255.255.0   U         0 0          0 br0
10.189.233.0    0.0.0.0         255.255.255.0   U         0 0          0 wg0
10.241.200.0    0.0.0.0         255.255.255.0   U         0 0          0 wg1
10.241.200.19   0.0.0.0         255.255.255.255 UH        0 0          0 wg1
10.241.200.56   0.0.0.0         255.255.255.255 UH        0 0          0 wg1
10.241.200.194  0.0.0.0         255.255.255.255 UH        0 0          0 wg1
10.241.200.195  0.0.0.0         255.255.255.255 UH        0 0          0 wg1
10.241.200.214  0.0.0.0         255.255.255.255 UH        0 0          0 wg1
172.20.10.0     0.0.0.0         255.255.255.240 U         0 0          0 wlan0
172.20.10.1     172.20.10.1     255.255.255.255 UGH       0 0          0 wlan0
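The routing table in the post above is the kernel's main table, and the question it raises is what "gateway 0.0.0.0" means for the remote prefixes. As an added example (this is not Firewalla code and not from anyone in the thread), the script below parses that exact netstat output and replays the kernel's longest-prefix-match route selection for a few destinations. A route whose gateway column is 0.0.0.0 with flag U is an on-link route: the kernel hands the packet straight to that interface with no next-hop router, which is the normal shape of a route over a point-to-point tunnel interface such as wg1. The function and variable names (parse_netstat, lookup, next_hop, prefixes_on, NETSTAT_OUTPUT) are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The routing table as posted in the thread (netstat -rn on the box), embedded
# here so the example runs offline. Everything below is a plain re-implementation
# of longest-prefix-match route selection, not Firewalla's own logic.
NETSTAT_OUTPUT = """\
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 172.20.10.1 0.0.0.0 UG 0 0 0 wlan0
10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 wg1
10.0.10.0 0.0.0.0 255.255.255.0 U 0 0 0 wg1
10.0.20.0 0.0.0.0 255.255.255.0 U 0 0 0 wg1
10.0.30.0 0.0.0.0 255.255.255.0 U 0 0 0 wg1
10.0.100.0 0.0.0.0 255.255.255.0 U 0 0 0 wg1
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br1
10.1.10.0 0.0.0.0 255.255.255.0 U 0 0 0 br3
10.1.20.0 0.0.0.0 255.255.255.0 U 0 0 0 br2
10.1.30.0 0.0.0.0 255.255.255.0 U 0 0 0 br4
10.1.100.0 0.0.0.0 255.255.255.0 U 0 0 0 br5
10.1.200.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
10.189.233.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0
10.241.200.0 0.0.0.0 255.255.255.0 U 0 0 0 wg1
10.241.200.19 0.0.0.0 255.255.255.255 UH 0 0 0 wg1
10.241.200.56 0.0.0.0 255.255.255.255 UH 0 0 0 wg1
10.241.200.194 0.0.0.0 255.255.255.255 UH 0 0 0 wg1
10.241.200.195 0.0.0.0 255.255.255.255 UH 0 0 0 wg1
10.241.200.214 0.0.0.0 255.255.255.255 UH 0 0 0 wg1
172.20.10.0 0.0.0.0 255.255.255.240 U 0 0 0 wlan0
172.20.10.1 172.20.10.1 255.255.255.255 UGH 0 0 0 wlan0
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None: gateway column was 0.0.0.0 (on-link)
    flags: str
    iface: str


def parse_netstat(text: str) -> List[Route]:
    """Parse `netstat -rn` style output into Route objects, skipping the header."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "Destination":
            continue
        dest, gw, mask, flags, _mss, _window, _irtt, iface = parts
        # ipaddress accepts a dotted netmask after the slash; strict=False
        # tolerates host routes and any stray host bits.
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw)
        routes.append(Route(network, gateway, flags, iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: r.network.prefixlen)


def next_hop(routes: List[Route], dst: str) -> Tuple[str, str]:
    """(interface, gateway) the box would use for dst. 'on-link' means the
    route has no gateway: the packet goes directly out that interface."""
    route = lookup(routes, dst)
    if route is None:
        return ("none", "unreachable")
    return (route.iface, "on-link" if route.gateway is None else str(route.gateway))


def prefixes_on(routes: List[Route], iface: str) -> List[str]:
    """Every prefix the table sends out a given interface, most specific first."""
    nets = sorted((r.network for r in routes if r.iface == iface),
                  key=lambda n: (-n.prefixlen, int(n.network_address)))
    return [str(n) for n in nets]


if __name__ == "__main__":
    table = parse_netstat(NETSTAT_OUTPUT)
    for probe in ("10.0.1.50", "10.1.20.7", "10.241.200.195", "8.8.8.8"):
        print(f"{probe:>16} -> {next_hop(table, probe)}")
    print("via wg1:", prefixes_on(table, "wg1"))
```

Running it shows every 10.0.x.0/24 remote prefix selecting wg1 on-link, the local 10.1.x.0/24 prefixes selecting their bridge interfaces, and anything else falling to the default route via 172.20.10.1 on wlan0. Keep in mind that this models only the main table: on Linux, policy routing rules (ip rule) and the firewall's forward chain also decide whether a packet arriving from a LAN bridge is actually forwarded into the tunnel, so a matching route here is necessary for box-to-box traffic but not on its own sufficient.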
-
No, Evan. I actually spent some time yesterday on it. I, like you, shut off all my VPNs and then let MSP configure the mesh. I initially got site-to-site up and running and could log into my remote NAS. Yay!
But things went south from there. I then tried connecting with an external device. I had my phone with me and decided to try that. I disabled Wireless on it, and connected with the VPN profile provided. I was able to get on one network on one side, but could not get to the other network on the other side. The profile is attempting to connect to the nearest box, but it just isn't. It connects to one box only.
The thing is, before with just site-to-site, when I would connect to either side (and it didn't matter which one), the site-to-site functionality would give me access to the other side. But I'm just getting nothing.
This may actually be an iOS issue and not a WireGuard or Mesh VPN issue. However, I DO occasionally use my phone for emergency access so this would be less functionality, not more. I have not tested a computer with a Mesh VPN profile yet. Unfortunately, I had to put the network back together so I disabled the Mesh VPN and re-enabled the usual Site-to-Site VPN with the app. I'll do some more research on the iOS issue, but if I can't get that addressed, I probably don't need to go any further.