Having Internet when Wireguard is connected

Hi Everyone! I tried looking for this topic so sorry if it’s been asked! I went ahead and upgraded my router to 7.1.1, created a Wireguard interface, peer, all that good stuff, on my phone as well, and got it working! So cool! I can access my NAS from my phone now without the need for “The Cloud”! The only issue is my phone doesn’t have internet when I’m connected to the wireguard vpn and wondered if anybody has any ideas as to why?

0 chain=srcnat action=src-nat to-addresses=x.x.x.x out-interface=ether1-Tower log=no log-prefix=""

This is my main NAT rule. I tried adding one specifically for Wireguard but it wouldn't let me. Also, something that might cause an issue is that the IP address I'm NAT'ing to is the same one my Wireguard is connecting to. Is that a problem? Thanks!

Same symptoms may have tens if not thousands of different causes. So even if you’d found a similar topic, the cause could have easily been different.
The NAT handling for each “connection” (which is a common name used in the context of a stateful firewall for TCP sessions, UDP flows etc., i.e. collections of packets that can be identified to be related to each other by running between the same pair of socket addresses (IP:port) or by some other fields in case of protocols that do not support the notion of port) is determined while handling the very first (initial) packet of each such connection. So the transport connection of the Wireguard is treated separately from the payload connections unpacked from this transport one.

As you talk about your “main” NAT rule, it implies you have more rules in the /ip firewall nat table. So there is still a possibility that some preceding rule shadows the one you have posted under some circumstances. Another possibility is that something in your /ip firewall filter table prevents the payload traffic from the Wireguard tunnel from being sent out via the WAN. Or the Wireguard client on the phone may become a default gateway when activated, but the allowed-address associated to your router as a peer may only cover the LAN subnet(s) of your router so the rest of the traffic doesn’t even get from the phone…

The above are just the three most likely causes. So follow the hint in my automatic signature below (except that in ROS 7, hide-sensitive has been replaced by show-sensitive, so that sensitive information is only shown if you explicitly ask for it). And post also the configuration of the Wireguard client on the phone, without the private key of course.

There is no magic solution we can provide based on selected information provided.
As sindy notes, you need to provide the config:
/export hide-sensitive file=anynameyouwish

You should not require any extra NAT rules for your smartphone to get internet; it's all about the correct setup and IP routes… (and possibly a firewall rule or two, or an interface list issue)

The “typical fool” just copies 0.0.0.0/0 and/or ::/0 into the access list of the client.
This forces the default route of the client to go via the WG interface.
If this is the case in your phone client config, limit the access-list to addresses of your home/NAS and you should be good to go.
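The two replies above describe the same mechanism from both ends: on the phone, WireGuard's cryptokey routing sends a packet into the tunnel only if its destination falls inside the peer's AllowedIPs, so 0.0.0.0/0 turns the tunnel into the phone's default route and every internet-bound packet then has to be NATed and allowed out of the router's WAN; on the router, the peer's allowed-address must contain the phone's tunnel address or inbound packets from the phone are dropped before routing. The script below is an added illustration (not code from the thread or from MikroTik) that parses a constructed phone-side client config, reports whether it is a full or split tunnel, and shows which destinations would enter the tunnel. The addresses, endpoint name and key placeholders are all made up for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample phone-side client configs. Keys and endpoint are placeholders,
# not real values; 192.168.88.0/24 stands in for the home LAN and 192.168.90.0/24
# for the WireGuard transfer subnet.
FULL_TUNNEL_CONF = """
[Interface]
PrivateKey = <phone-private-key-placeholder>
Address = 192.168.90.2/32
DNS = 192.168.88.1

[Peer]
PublicKey = <router-public-key-placeholder>
Endpoint = router.example.invalid:13231
AllowedIPs = 0.0.0.0/0, ::/0
"""

SPLIT_TUNNEL_CONF = """
[Interface]
PrivateKey = <phone-private-key-placeholder>
Address = 192.168.90.2/32

[Peer]
PublicKey = <router-public-key-placeholder>
Endpoint = router.example.invalid:13231
AllowedIPs = 192.168.88.0/24, 192.168.90.1/32
"""


def parse_key(conf: str, wanted: str) -> list:
    """Return the comma-separated values of every 'wanted = ...' line (case-insensitive key)."""
    values = []
    for line in conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == wanted.lower():
            values.extend(v.strip() for v in value.split(",") if v.strip())
    return values


def parse_allowed_ips(conf: str) -> list:
    """AllowedIPs of the (single) peer in the client config, as ip_network objects."""
    return [ip_network(v, strict=False) for v in parse_key(conf, "AllowedIPs")]


def routes_via_tunnel(allowed, dest: str) -> bool:
    """Cryptokey routing on the client: a packet enters the tunnel iff some
    AllowedIPs prefix of the same address family contains its destination."""
    addr = ip_address(dest)
    return any(addr in net for net in allowed if net.version == addr.version)


def is_full_tunnel(allowed) -> bool:
    """A /0 prefix in AllowedIPs makes the tunnel the client's default route."""
    return any(net.prefixlen == 0 for net in allowed)


def router_peer_accepts(router_allowed_address, phone_tunnel_ip: str) -> bool:
    """Router side of the same rule: the peer's allowed-address (as configured in
    /interface wireguard peers) must contain the source address the phone uses
    inside the tunnel, otherwise inbound packets are discarded before routing."""
    src = ip_address(phone_tunnel_ip)
    return any(src in ip_network(n, strict=False) for n in router_allowed_address)


def diagnose(conf: str, probes=("192.168.88.10", "1.1.1.1")) -> dict:
    """Summarise what the client config does with a LAN destination and an
    internet destination. With full_tunnel=True the internet probe reaches the
    router over the WG interface and depends on srcnat/filter there; with a
    split tunnel it leaves the phone over mobile data and never touches the router."""
    allowed = parse_allowed_ips(conf)
    return {
        "allowed_ips": [str(n) for n in allowed],
        "full_tunnel": is_full_tunnel(allowed),
        "via_tunnel": {p: routes_via_tunnel(allowed, p) for p in probes},
        "phone_tunnel_ip": parse_key(conf, "Address")[0].split("/")[0],
    }


if __name__ == "__main__":
    for name, conf in (("full tunnel", FULL_TUNNEL_CONF), ("split tunnel", SPLIT_TUNNEL_CONF)):
        print(name, diagnose(conf))
    # Router-side peer entry must list the phone's tunnel address (here 192.168.90.2/32).
    print("router accepts phone:", router_peer_accepts(["192.168.90.2/32"], "192.168.90.2"))
```

The full-tunnel config routes both probes into the tunnel, which matches the OP's symptom: the phone's internet traffic arrives on the router via the WG interface and only works if a srcnat rule without a restrictive src-address (like the one posted) and the filter table let it out of ether1. The split-tunnel config routes only the home LAN and the router's tunnel address, so the phone keeps using its mobile data for everything else.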

I think it's premature to offer any advice until we see the config; it's almost a "fool's" errand otherwise! ;-PP

In general, and not specific to the OP (not necessarily a blathering idiot),
the client/peer consisting of a smartphone needs a random private IP assigned to it, and this will be the allowed address on the MT server router for the peer settings.
Therefore a clear relationship of the outgoing IP of the smartphone/client is accepted as the incoming peer IP on the server end of the WG connection. This goes along with the
pairing of public keys generated at the respective top-menu Wireguard Interface selections.
Client Wireguard public key gets inserted in the server peer settings.
Server Wireguard public key gets inserted into the client (smartphone) peer settings.

The fun of what happens once the smartphone traffic reaches the Server through the tunnel is where most of your focus will be and our attention on your config settings.

…agreed… just offered that because I've been putting myself on that foolish side, too… been there, done that :wink: … lots of YT videos do show that kind of stuff :wink:.