Can't access LAN from Wireguard VPN on UDM

Samuel · March 9, 2025, 2:23pm

I’ve bought a UDM Pro Max recently, and I’ve got everything setup for the most part.

There’s one thing I don’t understand. I’ve setup some networks
Wireguard VPN Home
Subnet: 10.0.6.0/24
Firewall zone: VPN

SAM_LAN
Subnet: 10.0.0.0/24
Firewall zone: Internal

Home_LAN
Subnet: 10.0.10.0/24
Firewall zone: NSFW

I have a few devices:
Smartphone on 10.0.6.2 (VPN)
Truenas on 10.0.0.6 (SAM_LAN)
Truenas on 10.0.10.6 (Home_LAN)

Thing is, I can access devices on the Home_LAN (10.0.10.6) from my VPN, but not on the SAM_LAN. When I try to access 10.0.0.6, it just times out.
And yes, the UI is also tied to 10.0.0.6. Also other servers on the SAM_LAN are unreachable from the VPN

These are the firewall rules:
allow all: VPN → Internal
allow all: Internal → VPN

I don’t understands whats wrong. I can access the gateway/UDM on 10.0.0.1 from my VPN though.
Any thoughts on this?

LTS_Tom · March 9, 2025, 2:59pm

Have you changed or added any more rules? I have only tested using OpenVPN but by default VPN should be able to access internal.

Samuel · March 9, 2025, 3:21pm

I’ve one extra rule to block some traffic from an other IPSEC VPN network. But even with that rule paused, it doesn’t work.

Yes, that’s what I thought. I’ve setup an OpenVPN server, just now for testing. But that does the same. Not able to get to internal.

I even get the idea that it has nothing to do with the firewall, but that the route is missing or something.

I’ve searched for logs, but logging doesn’t seem to be Unifi’s strongest point.

I’ve created a support ticket at Ubiquiti. Hope they can help.
I will keep you posted, but ideas are still welcome…

Samuel · March 10, 2025, 3:41pm

Alright, got it. I connected to a syslog server to get a better idea what’s wrong. And here it is:

DESCR="[VPN_LAN]Allow All Traffic" IN=wgsrv1 OUT=br0 MAC= SRC=10.0.6.2 DST=10.0.0.6 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=15326 DF PROTO=TCP SPT=58516 DPT=80 SEQ=446096196 ACK=0 WINDOW=65535 SYN URGP=0 MARK=1a0000 
DESCR="[CUSTOM1_VPN]Block All Traff" IN=br110 OUT=wgsrv1 MAC=28:70:4e:2e:fc:cd:12:d9:6b:5f:56:dc:08:00 SRC=10.0.0.6 DST=10.0.6.2 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=58516 SEQ=2469835984 ACK=446096197 WINDOW=65160 ACK SYN URGP=0 MARK=1a0000

The VPN is reaching out to the br0 interface (vlan1), but it is getting the return traffic over the br110 interface (vlan110) from my Truenas. And that network/vlan is in my NSFW zone. Adding an Allow All rule in the NSFW zone to 10.0.6.0/24 fixed the problem.

How can I force Truenas to send the return traffic over the same bridge as the incomming traffic?

LTS_Tom · March 10, 2025, 8:07pm

I am not sure since TrueNAS only officially supports one gateway.

Samuel · March 11, 2025, 4:42pm

Thank you.

I suppose I have 2 workarounds.

NAT the traffic
- source: VPN (10.0.6.0/24)
- destination: Truenas (10.0.0.6)
- translated ip: Gateway internal (10.0.0.1)
Or add a firewall exception
- Allow all
- From source zone NSFW and device TrueNAS
- To destination zone VPN and subnet 10.0.6.0/24

I’ve tested both and both work.
If I go with the firewall solution, it feels wrong to have traffic coming in through one vlan, and getting back through the other, because of the TrueNAS default gateway.
If I go with NAT, i will lose which IP addresses have accessed the server.

I think I go with NAT. I think it’s more elegant.