VPN Mesh - Rules needed?
I've spent some time today trying to get a VPN mesh going and I've been left scratching my head. I have a Gold and Purple meshed together. The Gold has multiple VLANs, and my NAS is on one and has the mesh domain name of 'nas.casa.net'. I can ping and access nas.casa.net when my laptop is connected directly to the Gold (via Wi-Fi, not as a VPN client) but I can neither ping nor access nas.casa.net when the same laptop is connected to the Purple (via its local Wi-Fi). I've tried setting up various ingress rules on the Gold and egress rules on the Purple but nothing seems to enable the Purple->Gold->NAS access.
Am I misunderstanding the VPN Mesh feature? I'd assumed that making such cross-box device access easy was what the mesh is designed to do.
-
Hey TeamFW,
Nope there's no bespoke DNS, or PiHole, or anything special about the Purple's set up.
Ok, a slight update is that (at least) today the NAS isn't responding to pings, even from a laptop on the same VLAN on the Gold, and so the fact that it's failing to respond to pings is likely a red herring. Despite that I can still get to its login page when connected to the Gold but I cannot when connected to the Purple, and so that still holds true.
Another oddity is my wife's laptop, which is on the same VLAN on the Gold as the NAS. When I'm connected (using my own laptop) to that same VLAN I can ping my wife's laptop using its mesh domain (aaa.laptop.casa.net). If I connect to the Purple then when I try to ping it, its IP address isn't even resolved. If I try to ping the NAS (I now know the ping will fail anyway) then its IP address IS resolved, even though the NAS and my wife's laptop are on the same VLAN on the Gold; the only difference I know of is that the NAS has a static IP and the laptop does not.
I feel like I'm having to reverse engineer the Mesh feature in order to figure out what behaviour to expect and figure out what will and will not work etc: Is there a user guide for it?
Do I need to set any rules to allow devices attached to the Purple to access devices on the Gold?
-
When you reference the same VLAN, you mean you can't ping from laptop to NAS? If they are on the same VLAN, the Firewalla can't see that ping. If they are on different VLANs, then likely you may have firewall rules on the NAS blocking?
(I assume your problem is within the network? or you only have problems across the meshed network?)
-
Ok, the ping issue has become a distraction and let's abandon that and simplify this query into a dead simple use-case:
Scenario:
1. I have a Gold and Purple meshed together
2. I have a NAS on a VLAN on the Gold
3. No VLANS are set on the Purple
Queries:
1. Should I expect a device that's connected to the Purple to be able to access the NAS and Gold?
2. If #1 is possible then do I need to create any rules to allow the Purple access to the Gold's VLAN?
-
In a MSP mesh, you don't need to do anything.
What you need to check is whether your NAS can be accessed by an IP that's not part of the LAN. (You will need to check your NAS firewall or access settings; this is the most common issue we see.)
Next, if you want to test the above, just ping from your Purple to any device on the same VLAN as the NAS and see if they respond (to verify whether there is a firewall or not).
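The check suggested in this answer (does the name resolve, does the host answer, is the port blocked by the NAS's own firewall) can be automated from the client laptop. The script below is an added example, not code from the thread or from Firewalla; the host name nas.casa.net and port 443 are placeholders taken from the discussion, and it uses the OS ping binary, so ICMP results depend on the host allowing echo requests.

```python
"""Reachability triage for a host behind the other mesh box (added example).

Separates the failure modes discussed in the thread:
  unresolved   - the mesh name does not resolve from this client
  no_reply     - it resolves, but neither ICMP nor the TCP port answers
  port_filtered- ICMP answers but the TCP port times out (host firewall)
  refused      - the host is reached but nothing listens on that port
  open         - fully reachable
"""
import platform
import socket
import subprocess
import sys


def resolve(name):
    """Return the first IPv4 address for name, or None if it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def tcp_check(addr, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'unreachable' for a TCP connect."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((addr, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:          # e.g. EHOSTUNREACH / ENETUNREACH: no route via the mesh
        return "unreachable"
    finally:
        s.close()


def ping(addr, timeout_s=2):
    """Return True if a single ICMP echo request gets a reply (uses the OS ping)."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), addr]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), addr]
    try:
        proc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout_s + 3)
        return proc.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def classify(addr, pinged, tcp):
    """Pure decision logic so the verdict can be checked without a network."""
    if addr is None:
        return "unresolved"
    if tcp == "open":
        return "open"
    if tcp == "refused":
        return "refused"
    # tcp is 'timeout' or 'unreachable'
    return "port_filtered" if pinged else "no_reply"


def diagnose(name, port):
    """Run the three checks in order and return a dict with the verdict."""
    addr = resolve(name)
    pinged = ping(addr) if addr else False
    tcp = tcp_check(addr, port) if addr else None
    return {"name": name, "addr": addr, "ping": pinged, "tcp": tcp,
            "verdict": classify(addr, pinged, tcp)}


if __name__ == "__main__":
    # Placeholder target from the thread; override on the command line.
    host = sys.argv[1] if len(sys.argv) > 1 else "nas.casa.net"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(diagnose(host, port))
```

A verdict of `port_filtered` while a neighbour on the NAS's VLAN answers is the case the reply above describes: the mesh is carrying traffic, and the NAS's own access settings are rejecting the non-LAN source address. `unresolved` matches the laptop symptom earlier in the thread and points at name resolution on the client side rather than at routing.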
-
Yay! Got it working :D. The VPN Mesh is now working great: nice work guys.
I have one final question. I previously had the WireGuard VPN server enabled on the Gold and, now that the Mesh is working, I've disabled the feature (so I now just VPN in using my phone's VPN Mesh device). The problem is that I'm left with the network 'Wireguard' that I think was only needed for the old-school VPN server: is that correct? If so then it would be nice to remove it, but there appears to be no way of doing so.