I’ve got a perplexing problem. I hope someone can help me.
I’ve installed wireguard on my android phone and pfsense on my home network.
It mostly works as expected:
- I can run a terminal emulator on my phone and ping most hosts on my home network.
- I run a Synology Drive app on my phone which connects to a Synology NAS on my home network.
- I run a Reolink app on my phone which connects to a Reolink IP camera on my home network.
But there are some hosts on my home network (e.g. a Reolink NVR) that I cannot ping or connect to.
I know the host is working since I can ping it when my phone is connected to my home network via WiFi.
Does anyone know why some hosts on my home network are unreachable while others are reachable?
You need to provide more details.
- Are the machines on the same network or different network?
- If they are on a different network, what are the firewall rules?
- Aside from your phone, have you tried establishing communication to those problematic devices using another machine or phone? Did it work or not?
- Please provide the firewall rule between networks
Thanks for your response, I’ll do my best to answer your questions to provide more details. I’m not a networking expert so apologies if it still isn’t clear.
1. All the machines are on the same home network. They are all physically connected to the same network switch and receive a static IP address in the same subnet from pfSense DHCP.
2 & 4. I’ve attached screenshots of the firewall rules.
3. No - I haven’t tried another device. I will try that when I get the chance. But the phone can connect to the problematic machines when it’s connected to the home network using WiFi.
Does reolink NVR appear in Status > DHCP leases page of pfsense?
In the DHCP lease page I can see static leases listed for a Reolink IP camera xxx.xxx.xxx.18 (which I can ping) and two Reolink NVRs xxx.xxx.xxx.15 and xxx.xxx.xxx.27 (neither of which I can ping).
Once again, what confuses me is that I can ping all these devices when connected to WiFi, in which case my phone is allocated xxx.xxx.xxx.13.
I’ve done a bit more research, and I believe the issue is with the Reolink NVR devices themselves. They appear to only respond to IP connections on the same network, regardless of subnet or gateway settings.
When my phone is on the home network via WiFi it gets an IP address of 172.19.xxx.13 which can ping the NVR on 172.19.xxx.15
When my phone is on the home network via Wireguard it gets an IP address of 172.16.16.2. The NVR refuses to respond to any connections from my phone since they originate from a different network.
I followed Tom’s YouTube guide to setting up wireguard and I recall him saying the Interface address on the tunnel should not clash with the target network. This is why I chose 172.16.16.1/24. Can anyone see a workaround?
Could I configure wireguard to allocate a specific IP address to my peer that I reserve on pfsense DHCP to avoid a clash?
No reason to mask IPs since this is LAN, private.
I assume WireGuard connects to a tunnel IP and then into your network. Since the tunnel is a different network than your LAN network, you need rules to allow connectivity from 172.16.* to 172.19.*
Thanks pavlos. There is connectivity between 172.16.16.* and 172.19.222.*
When my phone is using wireguard (with IP 172.16.16.2) I can connect to most services on the 172.19.222.* network.
Problem Solved
A workaround actually. I ran an instance of simplyproxy on a server on my home network with IP address 172.19.222.24 and connected to that from my phone. The proxy then connects to the Reolink NVR. This connection is accepted as it is from the same network.
It is ultimately a fault (feature?) of the Reolink NVR network software. It simply refuses to allow connections from networks other than its own LAN.
Interesting that individual Reolink cameras do not have this problem.
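The failure mode and the workaround from this thread, as an added example that is not part of the original posts and is not the simplyproxy software the poster used. It models the NVR as a constructed echo server that answers only peers inside its own LAN (the behaviour the thread reports, not a documented Reolink rule), and a minimal TCP relay standing in for the proxy on the LAN host. Everything runs on loopback with ephemeral ports; the subnets 172.19.222.0/24 and 172.16.16.2 are the ones from the thread and are only used to show which peer addresses the LAN check admits.

```python
import ipaddress
import socket
import threading


def peer_allowed(peer_ip: str, lan: str) -> bool:
    """Model of the NVR's observed behaviour: only peers inside its own LAN get an answer."""
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(lan, strict=False)


def _listen():
    # Ephemeral loopback listener used by both the fake NVR and the relay.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    return srv


def _serve_forever(srv, on_conn):
    # Accept loop on a daemon thread; one handler thread per connection.
    def loop():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return
            threading.Thread(target=on_conn, args=(conn, peer), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()


def start_fake_nvr(lan: str):
    """Constructed stand-in for the NVR: echoes same-LAN peers, silently drops other peers."""
    srv = _listen()

    def on_conn(conn, peer):
        with conn:
            if not peer_allowed(peer[0], lan):
                return  # closed without a reply, as the thread describes
            chunks = []
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                chunks.append(data)
            conn.sendall(b"".join(chunks))
    _serve_forever(srv, on_conn)
    return srv.getsockname()


def _pump(src, dst):
    # Copy src -> dst until EOF, then pass the EOF on as a half-close.
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_relay(target):
    """TCP relay on the LAN host: tunnel clients connect here and the relay re-originates
    the connection toward `target` from its own (LAN) source address."""
    srv = _listen()

    def on_conn(client, _peer):
        upstream = socket.create_connection(target)
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)
        back.join()
        client.close()
        upstream.close()
    _serve_forever(srv, on_conn)
    return srv.getsockname()


def roundtrip(addr, payload: bytes) -> bytes:
    """Send payload, half-close, and return whatever comes back (b"" on reset/no answer)."""
    try:
        chunks = []
        with socket.create_connection(addr) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    except OSError:
        return b""


def direct_from_tunnel(payload: bytes = b"hello") -> bytes:
    # Phone on the tunnel talking straight to the NVR: the loopback client is outside
    # the NVR's LAN (172.19.222.0/24 here), so nothing comes back.
    return roundtrip(start_fake_nvr("172.19.222.0/24"), payload)


def via_lan_relay(payload: bytes = b"hello") -> bytes:
    # The workaround: the relay's source address is inside the NVR's LAN, so the
    # relayed stream is accepted and echoed back to the tunnel client.
    nvr = start_fake_nvr("127.0.0.0/8")
    return roundtrip(start_relay(nvr), payload)


if __name__ == "__main__":
    print("direct from tunnel:", direct_from_tunnel())
    print("via LAN relay:", via_lan_relay())
```

The relay is deliberately dumb: it does no authentication of its own, so on a real network it should listen only on the LAN interface and be reachable only through the tunnel (a pfSense rule limiting the relay port to the WireGuard subnet does that). The same subnet check in `peer_allowed` is also why the earlier suggestion of a firewall rule between 172.16.16.0/24 and 172.19.222.0/24 cannot help on its own: the packets arrive, the NVR simply chooses not to answer them.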