FWG VPN Server - Can Surf from Client But Cannot See/Access Home Network Devices

Comments

23 comments

  • Firewalla

    Firewalla VPN runs on a network that's adjacent to your home network.

    The best way to access your home devices is to use the "local domain name"; you can find that or change it at

    tap on devices->[find your device]-> look for local domain

    Or you can just use their raw IP address.

    -1
  • Gary Ownsby

    Thank you for your reply. Hmm...

    "local domain name"...here's what I see at the device level (a camera I'm trying to remotely view):

    As seen from my iPhone via a cellular connection (not wi-fi) via FWG VPN Server:

    If "local domain name" means "beecam.lan", then I still do not see the login screen (via a browser) to my camera.  I've also tried using the direct IP address 10.0.1.160 without success.

    What am I not understanding about this?  Thank you.

    1
  • Eric Corsi

    I am having the same issue! Can someone please help us?

    1
  • delriostelling

    I am having the same issue, this is my configuration:

    I have a Firewall Gold connected in the following way:

    ISP -> FWG -> Eero

    Eero:

    • DHCP & NAT = Bridge
    • UPnP = On
    • DNS = Default
    • WAN IP Address = -.-.-.
    • Gateway eero IP Address = Not connected
    • IPv6 = Off

    FWG:

    • Networks: LAN1 (192.168.162.1/24) WireGuard (10.189.22.1/24)
    • Source NAT = On
    • Source Networks = 192.168.161.1/24
    • NAT Passthrough = Everything disabled
    • Port Forwarding = (UPnP Disabled)
    • DMZ = Off

    I can connect using WireGuard (Firewalla reports the connection) and I receive IP addresses in the subnet 10.189.22.1/24, which is the VPN network, but I cannot 'see' any of the machines in my LAN1 network, using their local domain name or their IP address.

    In the only response given by a member of the Firewalla team:

    Firewalla VPN runs on a network that's adjacent to your home network.

    The best way to access your home devices is to use the "local domain name"; you can find that or change it at

    tap on devices->[find your device]-> look for local domain

    Or you can just use their raw IP address.

    The answer is super vague, non-technical and lacks any explanation of how to solve the issue, whether the person receiving the information knows or lacks any knowledge of the subject. Could someone in the Firewalla team take responsibility for answering this question?

    0
  • Firewalla

    1. When you connect back to FWG, check your public IP address; make sure it is the same as your home network's.

    2. Triple-check whether you have any policies that block the local network.

    3. Triple-check that the IP address of the device doing the VPN is NOT in the same network as your home or VPN network. For example, if your phone is 192.168.1.1 and your home network is 192.168.1.1, you are unlikely to connect to your home network.

    1
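Items 2 and 3 above, together with the netmask question Firewalla raises further down the thread, can be checked from the client side without touching the Firewalla box. The code below is an added example written for this page; it is not Firewalla code. It uses only Python's standard ipaddress module, the sample addresses are the ones posted in this thread (re-entered as constructed input), and the function names are this example's own. Item 1, comparing the public IP seen from the client with the home WAN IP, needs a live connection and is not covered.

```python
"""Added example: check a VPN client's address plan against the home network.

Not Firewalla code. Sample addresses are the ones posted in this thread;
function names are this example's own.
"""
from ipaddress import ip_address, ip_network


def networks_overlap(a, b):
    """True if two CIDR strings share any address.

    strict=False accepts host-style strings such as 192.168.1.115/24 by
    masking off the host bits, which is how clients usually report them.
    """
    return ip_network(a, strict=False).overlaps(ip_network(b, strict=False))


def vpn_conflicts(client_uplink, vpn_tunnel, home_lans):
    """Return the address conflicts that stop a client reaching the home LAN.

    client_uplink: address/mask the client holds on Wi-Fi, cellular, hotel LAN...
    vpn_tunnel:    address/mask the client gets inside the tunnel
    home_lans:     networks behind Firewalla the client wants to reach
    """
    problems = []
    for lan in home_lans:
        if networks_overlap(client_uplink, lan):
            # The client's own connected route wins over the tunnel for these
            # addresses, so packets leave via Wi-Fi/cellular, not via the VPN.
            problems.append(f"client uplink {client_uplink} overlaps home LAN {lan}")
        if networks_overlap(vpn_tunnel, lan):
            # The VPN gateway cannot route between two subnets that share addresses.
            problems.append(f"VPN subnet {vpn_tunnel} overlaps home LAN {lan}")
    if networks_overlap(client_uplink, vpn_tunnel):
        problems.append(f"client uplink {client_uplink} overlaps VPN subnet {vpn_tunnel}")
    return problems


def next_hop_interface(routes, dest):
    """Longest-prefix match over (cidr, interface) pairs: the interface the
    client's kernel would send a packet for dest out of."""
    best = None
    for cidr, iface in routes:
        net = ip_network(cidr, strict=False)
        if ip_address(dest) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


if __name__ == "__main__":
    # Van Landrum's numbers: no overlap, so addressing is not his problem.
    print(vpn_conflicts("192.168.1.115/24", "10.137.113.6/30", ["192.168.254.0/24"]))
    # Firewalla's warning about carriers handing out 10.x.x.x/8 (constructed
    # cellular address, home LAN taken from the 10.0.1.160 camera above).
    print(vpn_conflicts("10.20.30.40/8", "10.137.113.6/30", ["10.0.1.0/24"]))
    # Full-tunnel client whose hotel/Wi-Fi LAN happens to be the home subnet:
    # the connected /24 beats the default route through wg0.
    routes = [("0.0.0.0/0", "wg0"), ("192.168.254.0/24", "wlan0"), ("10.137.113.4/30", "wg0")]
    print(next_hop_interface(routes, "192.168.254.10"))  # wlan0: never reaches the tunnel
```

The longest-prefix-match helper is why item 3 matters even for a full tunnel: with 0.0.0.0/0 sent through the VPN, a directly connected /24 that matches the home LAN is still the more specific route, so those packets go out the Wi-Fi or cellular interface and never reach Firewalla, which is exactly the "traceroute stops at the VPN gateway or never leaves the client" symptom reported in this thread.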
  • Van Landrum

    I too am having the same type of problem.

    I can connect to my home network from my laptop (on another network away from home) using the OpenVPN client.

    If I go to whatsmyip.com in the browser it shows my public IP address on my home network. All good.

    However I cannot see the other devices on my home network. I try to ping my desktop on the home network at desktop.lan or with the Local IP address and get no response. 

    The local network IP address for my laptop is 192.168.1.115

    The Laptop VPN address is 10.137.113.6

    The home network is 192.168.254.1

    If I tracert to desktop.lan, it routes to the Firewalla at the interface of the VPN network, 10.137.113.1, but goes no further.

    I have rules on Firewalla to filter out traffic from outside the USA to port 3389 and to block gaming sites and the default bundle

    I may be wrong but it seems like Firewalla is not routing the ping (or other network traffic) from the VPN network to the home network

    Also, I cannot see remote devices in File Explorer.

    0
  • Firewalla

    Did you check the network mask on both ends as well? Make sure they are not big enough to overlap each other.

    Beyond that, turn on emergency mode and see if the packets go through. If they do, one of your rules is blocking.

    0
  • Van Landrum

    When I turn on Emergency Access I still cannot see the other computers in my home network.

    Also, the DNS does not resolve the local domain name with Emergency Access on.

    Mask on laptop local IP is 255.255.255.0

    Mask on VPN network is 255.255.255.252

    0
  • Gary Goforth

    I have a similar issue. When I access my home network using the VPN on a WiFi network everything works fine, but if I switch to the cellular network I can no longer access anything local at my house. The only change is my phone is fine on WiFi, but fails on cellular. Very weird.

    0
  • Firewalla

    Check your IP address on the cell side and make sure it is conflicting with your home network (a lot of people use 10.x.x.x/8, which conflicts all over).

    0
  • Gary Goforth

    I had thought it was an IP conflict, and I changed my VPN IP range to a different one and still have the same result. After a lot of testing it appears to be T-Mobile specific. When I connect using the hotspot on my iPhone that is on Verizon it works fine, and it works fine on my iPhone that is on Verizon. I tried a friend's phone on AT&T and it works fine as well, but any phone I try on T-Mobile fails. I can connect to the VPN on T-Mobile just fine, and Internet traffic routes through the VPN and works.

    I downloaded an App called Network Analyzer that is available on both Android and iPhone and the only differences I can see between the carriers is on AT&T and Verizon the phones get a private IPv4 address from the carrier. When I run the same app on T-Mobile it is not giving out a private IPv4 address just an IPv6 address. I am assuming that is what might be causing the issue, as it is the only difference I am seeing between the carriers.

    0
  • Gary Goforth

    Just an update. I ended up getting it working by lowering the MTU to 1452 on the WireGuard client on my phone, and I am able to get to all my home resources on the VPN, and my internet tunnel through the VPN is much faster as well. I verified it works on my iPhone on T-Mobile as well. It appears to be specific to T-Mobile. I even tried creating a VPN using OpenVPN and it had the same issue. I also changed the MTU on it as well and it fixed the issue. Just wanted to share in case others have problems.

    1
  • ape

    I have the same issue. I can connect and surf with my home ISPs IP address, but not access any device in my home network.

    0
  • Firewalla

    @ape, when you connect into Firewalla, try to ping the IP address of any device on the network. Do they reply? If they don't, check your client and make sure it is NOT in the same IP range as your home.

    0
  • Mike

    I'm seeing the same issue. I'm on Mac OS 13.2.1. I tried WireGuard and OpenVPN and both no longer work for me. WireGuard previously worked for me, but it seemed to stop working after upgrading my OS to 13.2.1.

    0
  • Firewalla

    Do you see errors? Do your other devices work with the same profile?

    0
  • Mike

    I tried my iPad and it looks like it's experiencing the same issue. I installed both OpenVPN and WireGuard, but my iPad cannot access my internal network servers. So it seems that perhaps the OS isn't the culprit?

    I am on Firewalla Beta so I'll try downgrading to the stable version and see if that resolves the issue.

    0
  • ape

    In my case, this hint led me to the solution: https://www.reddit.com/r/firewalla/comments/p2pb09/lan_access_through_wireguard_vpn/

    On the client device (iPhone), I had to go into the settings in the WireGuard app and add the local network IP range to the list of allowed IPs. It is now "0.0.0.0/0, 192.168.1.0/24"

    1
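The fix ape describes, turned into a check you can run on a profile before importing it. This is an added example for this page, not code from Firewalla or from the linked Reddit thread: a small parser for the WireGuard profile format that lists which home LANs the [Peer] AllowedIPs does not cover and prints the corrected line. The two profiles are constructed (redacted keys, an .invalid endpoint, Van Landrum's tunnel address from earlier in the thread), and the function names are this example's own. One known way a profile ends up without the LAN is the "Exclude private IPs" switch in the WireGuard mobile apps, which rewrites 0.0.0.0/0 into a list that omits the RFC 1918 ranges; whether that is what happened in ape's case the thread does not say.

```python
"""Added example: check that a WireGuard client profile routes the home LAN
into the tunnel. Not Firewalla code; both sample profiles are constructed."""
from ipaddress import ip_network

# Constructed split-tunnel profile: only the VPN subnet is sent through wg0,
# so home LAN traffic leaves via the phone's own interface and never arrives.
SAMPLE_SPLIT = """\
[Interface]
PrivateKey = <redacted>
Address = 10.137.113.6/30
DNS = 10.137.113.1

[Peer]
PublicKey = <redacted>
AllowedIPs = 10.137.113.0/24
# constructed endpoint
Endpoint = vpn.example.invalid:51820
PersistentKeepalive = 25
"""

# Same profile as a full tunnel: 0.0.0.0/0 already covers every IPv4 home LAN.
SAMPLE_FULL = SAMPLE_SPLIT.replace("AllowedIPs = 10.137.113.0/24", "AllowedIPs = 0.0.0.0/0")


def parse_wg_conf(text):
    """Minimal parser for WireGuard's INI-style profile.

    Returns a list of {"_section": name, "_keys": {key: [values]}} dicts.
    Repeated sections and repeated keys (several AllowedIPs lines) are kept,
    which configparser would reject.
    """
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append({"_section": line[1:-1], "_keys": {}})
            continue
        key, _, value = line.partition("=")
        sections[-1]["_keys"].setdefault(key.strip(), []).append(value.strip())
    return sections


def allowed_ips(text):
    """All AllowedIPs networks across every [Peer] section, as ip_network objects."""
    nets = []
    for sec in parse_wg_conf(text):
        if sec["_section"] != "Peer":
            continue
        for entry in sec["_keys"].get("AllowedIPs", []):
            nets.extend(ip_network(cidr.strip(), strict=False) for cidr in entry.split(","))
    return nets


def lans_not_routed(text, home_lans):
    """Home LANs that no AllowedIPs entry fully covers.

    WireGuard installs one route per AllowedIPs entry, so a LAN outside every
    entry is reached via the client's physical interface, not the tunnel.
    """
    nets = allowed_ips(text)
    missing = []
    for lan in home_lans:
        lan_net = ip_network(lan, strict=False)
        if not any(lan_net.subnet_of(n) for n in nets if n.version == lan_net.version):
            missing.append(str(lan_net))
    return missing


def fixed_allowed_ips(text, home_lans):
    """The AllowedIPs line with every unrouted home LAN appended (ape's fix)."""
    nets = [str(n) for n in allowed_ips(text)] + lans_not_routed(text, home_lans)
    return "AllowedIPs = " + ", ".join(nets)


if __name__ == "__main__":
    home = ["192.168.1.0/24"]
    print("split tunnel, unrouted:", lans_not_routed(SAMPLE_SPLIT, home))
    print("split tunnel, fixed:  ", fixed_allowed_ips(SAMPLE_SPLIT, home))
    print("full tunnel, unrouted: ", lans_not_routed(SAMPLE_FULL, home))
```

If lans_not_routed comes back empty for a full-tunnel profile and the LAN is still unreachable, the problem is not the client's routing table; the overlap and MTU checks elsewhere in this thread are the next things to look at.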
  • Frank Garza

    I'm not sure why it's been 2 years and there's not an actual solution posted here. Here ya go for anyone who needs it.

    Make sure you create a rule that allows access from the VPN to the LAN.
    1. Click on the shield that says Rules.
    2. Add rule
    3. Click allow and then set a target
    4. You're going to want to select local network and choose the VPN you've created
    5. Choose to, from, or both for bidirectional...I choose both
    6. Then go to select a device, where you can choose LAN1, which is more than likely the network you are trying to access, or you can choose individual devices to prevent remote access to certain machines
    7. You can choose a time for the rule to be active or choose always for it to always be active
    8. Make notes for future use or for others to know the purpose of the rules

    BTW, it looks like you'll need to access devices using the IP address. I was able to RDP this way.

    0
  • Firewalla

    @Frank

    Are you using client-to-server VPN? or are you using site-to-site VPN? 

    Site-to-site VPN may require rules if you setup in certain configurations. See https://help.firewalla.com/hc/en-us/articles/5515850433683-Firewalla-Site-to-Site-VPN#h_01GHDFPCBF9GCKSARAB4ZAE41A

    0
  • Kelly Householder

    Just ran into the same issue. My internal device that I was trying to access was in the quarantine group, so even with emergency access or any rule it was still being blocked. It may be something worth checking.

    0
  • Firewalla

    If you are having problems accessing devices while on VPN, try to "ping" the IP address of the device you are accessing directly. If that is successful, you have an issue with the device itself blocking.

    0
  • Jason Beckett

    If the WAN port of your FW has a private IP, then you have a double-NAT situation. The other tell is that in the VPN Setup page of the FW app, the Port Forwarding field says "Manual Setup". Clicking the manual setup provides instructions for the rule to configure on your ISP router. The concept here is that you need to forward the VPN traffic from the ISP router to the NAT'd IP of your FW. Stated another way, the port-forward rule on your ISP router must route traffic to the WAN IP of your Firewalla.

    0
