FWG VPN Server - Can Surf from Client But Cannot See/Access Home Network Devices
Hello All,
I can remotely connect to my FWG VPN Server and surf without any issues; however, I cannot access or view any devices on my home network. I noticed the VPN Server uses a different IP range than my home network but I don't see anywhere I can change it.
The instructions reference something about "Manual Install" but I don't actually see that anywhere. As I recall VPN servers, in general, must assign a compatible IP range to remotely-connecting devices.
Am I missing something in the setup? Thank you.
-
Thank you for your reply. Hmm...
"local domain name"...here's what I see at the device level (a camera I'm trying to remotely view):
As seen from my iPhone via a cellular connection (not wi-fi) via FWG VPN Server:
If "local domain name" means "beecam.lan", then I still do not see the login screen (via a browser) to my camera. I've also tried using the direct IP address 10.0.1.160 without success.
What am I not understanding about this? Thank you.
-
I am having the same issue, this is my configuration:
I have a Firewall Gold connected in the following way:
ISP -> FWG -> Eero
Eero:
- DHCP & NAT = Bridge
- UPnP = On
- DNS = Default
- WAN IP Address = -.-.-.
- Gateway eero IP Address = Not connected
- IPv6 = Off
FWG:
- Networks: LAN1 (192.168.162.1/24) WireGuard (10.189.22.1/24)
- Source NAT = On
- Source Networks = 192.168.161.1/24
- NAT Passthrough = Everything disabled
- Port Forwarding = (UPnP Disabled)
- DMZ = Off
I can connect using WireGuard (Firewalla reports the connection) and I receive IP addresses in the subnet 10.189.22.1/24 which is the VPN network, but I cannot 'see' any of the machines in my LAN1 network, using their localdomain name or their IP address.
In the only response given by a member of the Firewalla team:
Firewalla VPN runs on a network that's adjacent to your home network.
The best way to access your home devices is to use the "local domain name"; you can find that or change it at
tap on devices->[find your device]-> look for local domain
Or you can just use their raw IP address.
The answer is super vague, non-technical, and lacks any explanation of how to solve the issue, whether or not the person receiving the information has any knowledge of the subject. Could someone on the Firewalla team take responsibility for answering this question?
-
1. When you connect back to FWG, check your public IP address, make sure it is the same as your home network.
2. Triple check if you have any policies to block local network
3. Triple check the IP address of the device doing the VPN is NOT the same network as your home or VPN network. <= for example, if your phone is 192.168.1.1 and your home network is 192.168.1.1, you are unlikely to connect to your home network
-
I too am having the same type of problem.
I can connect to my home network from my laptop (on another network away from home) using the OpenVPN client.
If I go to whatsmyip.com in the browser it shows my public IP address on my home network. All good.
However I cannot see the other devices on my home network. I try to ping my desktop on the home network at desktop.lan or with the Local IP address and get no response.
The local network IP address for my laptop is 192.168.1.115
The Laptop VPN address is 10.137.113.6
The home network is 192.168.254.1
If I tracert to desktop.lan it routes to the Firewalla at the interface of the VPN network 10.137.113.1 but goes no further.
I have rules on Firewalla to filter out traffic from outside the USA to port 3389 and to block gaming sites and the default bundle
I may be wrong but it seems like Firewalla is not routing the ping (or other network traffic) from the VPN network to the home network
Also, I cannot see remote devices in File explorer.
-
I have a similar issue. When I access my home network using the VPN on a WiFi network everything works fine, but if I switch to the cellular network I can no longer access anything local at my house. The only change is my phone is fine on WiFi, but fails on cellular. Very weird.
-
I had thought it was an IP conflict, and I changed my VPN IP range to a different one and still have the same result. After a lot of testing it appears to be T-Mobile specific. When I connect using the hotspot on my iPhone that is on Verizon it works fine and it works fine on my iPhone that is on Verizon. I tried a friend's phone on AT&T and it works fine as well, but any phone I try on T-Mobile it fails. I can connect to the VPN on T-Mobile just fine and Internet traffic routes through the VPN and works.
I downloaded an App called Network Analyzer that is available on both Android and iPhone and the only differences I can see between the carriers is on AT&T and Verizon the phones get a private IPv4 address from the carrier. When I run the same app on T-Mobile it is not giving out a private IPv4 address just an IPv6 address. I am assuming that is what might be causing the issue, as it is the only difference I am seeing between the carriers.
-
Just an update. I ended up getting it working by lowering the MTU to 1452 on the WireGuard client on my phone and I am able to get to all my home resources on the VPN and my internet tunnel through the VPN is much faster as well. I verified it works on my iPhone on T-Mobile as well. It appears to be specific to T-Mobile. I even tried creating a VPN using OpenVPN and it had the same issue. I also changed the MTU on it as well and it fixed the issue. Just wanted to share in case others have problems.
-
I tried my iPad and it looks like it's experiencing the same issue. I installed both OpenVPN and WireGuard, but my iPad cannot access my internal network servers. So it seems that perhaps the OS isn't the culprit?
I am on Firewalla Beta so I'll try downgrading to the stable version and see if that resolves the issue.
-
In my case, this hint led me to the solution: https://www.reddit.com/r/firewalla/comments/p2pb09/lan_access_through_wireguard_vpn/
On the client device (iPhone), I had to go into the settings in the Wireguard app and add the local network IP range to the list of allowed IPs. It is now "0.0.0.0/0, 192.168.1.0/24"
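Two of the checks raised in this thread (the earlier reply's warning that the phone's own subnet must not collide with the home or VPN subnet, and the AllowedIPs fix in the post above) can be done on paper before touching the router. The script below is an added illustration written for this page, not Firewalla code or the WireGuard app's logic; the subnet values in it are constructed samples, and the AllowedIPs string is parsed exactly as it appears in a WireGuard client config (comma-separated CIDR entries).

```python
"""Pre-flight checks for a WireGuard road-warrior client that needs to reach
the home LAN behind the VPN server.  Added example for this thread; all
addresses below are constructed, not taken from any real deployment.
"""
import ipaddress


def overlapping_networks(client_local: str, vpn_subnet: str, home_lan: str):
    """Return the pairs of networks (by label) whose address ranges overlap.

    A client sitting on 192.168.1.0/24 cannot reach a home LAN that is also
    192.168.1.0/24: the client's own routing table wins and the packets never
    enter the tunnel.  The same applies if the VPN subnet collides with either.
    strict=False lets a host address such as 192.168.1.115/24 be passed in.
    """
    nets = {
        "client_local": ipaddress.ip_network(client_local, strict=False),
        "vpn": ipaddress.ip_network(vpn_subnet, strict=False),
        "home_lan": ipaddress.ip_network(home_lan, strict=False),
    }
    labels = list(nets)
    conflicts = []
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            if nets[a].overlaps(nets[b]):
                conflicts.append((a, b))
    return conflicts


def allowed_ips_cover(allowed_ips: str, target: str) -> bool:
    """True if some entry of a WireGuard AllowedIPs list contains `target`.

    AllowedIPs is both the peer's permitted source range and the client's
    routing table for the tunnel: an address outside every entry is sent
    out the normal interface, so the LAN host is simply unreachable.
    """
    addr = ipaddress.ip_address(target)
    for entry in allowed_ips.split(","):
        entry = entry.strip()
        if not entry:
            continue
        net = ipaddress.ip_network(entry, strict=False)
        # `in` returns False on an IPv4/IPv6 version mismatch, so mixed
        # lists such as "0.0.0.0/0, ::/0" are handled without special-casing.
        if addr in net:
            return True
    return False


def diagnose(client_local, vpn_subnet, home_lan, allowed_ips, target):
    """Collect human-readable findings; an empty list means nothing obvious."""
    findings = []
    for a, b in overlapping_networks(client_local, vpn_subnet, home_lan):
        findings.append(f"subnet overlap between {a} and {b}")
    if not allowed_ips_cover(allowed_ips, target):
        findings.append(
            f"{target} is not covered by AllowedIPs; LAN traffic will bypass the tunnel"
        )
    return findings


if __name__ == "__main__":
    # Constructed scenario: phone on a hotel /24 that matches the home LAN,
    # and a split-tunnel AllowedIPs list that omits the LAN range.
    for line in diagnose(
        client_local="192.168.1.50/24",
        vpn_subnet="10.137.113.0/24",
        home_lan="192.168.1.0/24",
        allowed_ips="10.137.113.0/24",
        target="192.168.1.160",
    ):
        print("finding:", line)
```

Running it on the poster's final config ("0.0.0.0/0, 192.168.1.0/24") reports no AllowedIPs finding, because the default route entry already covers the LAN; the explicit LAN entry matters when the client app has been told to exclude private ranges from the default route, which is the case the linked Reddit thread is about.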
-
I'm not sure why it's been 2 years and there's not an actual solution posted here. Here ya go for anyone who needs it.
Make sure you create a rule that allows access from the vpn to Lan.
1. Click on the shield that says Rules.
2. Add rule
3. Click allow and then set a target
4. You're going to want to select local network and choose the vpn you've created
5. Choose to, from, or both for bidirectional...I choose both
6. Then go to select a device, where you can choose Lan1 which is more than likely the network you are trying to access or you can choose individual devices to prevent remote access to certain machines
7. You can choose a time for the rule to be active or choose always for it to always be active
8. Make notes for future use or for others to know the purpose of the rules
BTW it looks like you'll need to access devices using the IP address. I was able to RDP this way.
-
@Frank
Are you using client-to-server VPN? or are you using site-to-site VPN?
Site-to-site VPN may require rules if you setup in certain configurations. See https://help.firewalla.com/hc/en-us/articles/5515850433683-Firewalla-Site-to-Site-VPN#h_01GHDFPCBF9GCKSARAB4ZAE41A
-
If the WAN port of your FW has a private IP then you have a double NAT situation. The other tell is that in the VPN Setup page of the FW app, the Port Forwarding field says "Manual Setup". Clicking the manual setup provides instructions for the rule to configure on your ISP router. The concept here is that you need to forward the VPN traffic from the ISP router to the NAT'd IP of your FW. Stated another way, the port forward rule on your ISP router must route traffic to the WAN IP of your Firewalla.