I have the Firewalla device set up as a router and a WireGuard VPN server. I have the profiles installed on the clients.
When a client connects, they are unable to use internet outbound. I was hoping I could use the firewalla as a private VPN server when I am on the road. What did I miss?
Interestingly, the firewalla claims that I need to do manual port forwarding in the app for the VPN UDP port on my router, even though the firewalla is my router.
Edit: update… ISP says this is an unsupported configuration in the new modem they installed at my property, so they want to replace it. Again. Sigh. Thanks for your help everyone, this is not a Firewalla issue.
Edit 2: ISP sent a technician out and we both giggled over the uselessness. Come to find out that the ISP sent out a modem that cannot be remotely administered. So once they gave me the login information, I popped into the modem and put it into bridge mode by myself. This resolved all of my Firewalla issues. VPN works and Verizon Wi-Fi calling is working much better.
Thanks to /u/firewalla and others for patient responses and the help!
Check the VPN server button; if it says port forward needed, you need to port forward. If the FW is the first hop and in router mode, you need to make sure you have a public IP on your WAN side (or Firewalla has a public IPv4).
Did you ever resolve this? I have the same problem. I have a site to site that works great. But single client VPNs block traffic to LAN and WAN (on VPN server side). Verified connection is active as well. I see several other posts on this topic but never see a resolution.
Any rules blocking internet in the VPN Network? Or are the VPN devices in quarantine?
You could check the VPN network for blocked flows to see why they can not access the internet.
What you want to do is absolutely possible.
Do you still have the ISP’s router in your network topology? If so, confirm it is in bridge mode, or passthrough mode so the external IP is forwarded to the Firewalla device. Sounds like you might be running your Firewalla router behind your ISP router’s NAT creating a double NAT.
Not aware of any, but I’ll double check. I keep my setup as simple as possible.
Edit: Nope, literally not a single rule in the VPN group.
I’ve heard this symptom before (in a thread where my Verizon Wi-Fi Calling is spotty, at best). But I have set up the Firewalla in router mode from day one after replacing a gateway Eero with it. I’ll double check again. If it’s running as double-NAT, that was very much unintentional.
I did just get a new router from my ISP. I was wondering if perhaps I’m double-NAT with that by accident, but the Firewalla is showing that it is hosting the external IP. Weird.
Edit: UGH. Yes, the tech set this bloody thing up as a gateway with my Firewalla as a double NAT. Crap.
Another thing to consider is that WireGuard is a connectionless protocol, so there isn’t a connection validation at that level. Even if you were to set up an invalid WireGuard server it would appear to connect on your device, but in actuality it didn’t, and data won’t be negotiated through the VPN tunnel.
In your Firewalla app, does it show your device as connected when VPN is supposedly connected?
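Two checks that cover the diagnoses raised in this thread (the double-NAT question above and the "looks connected but never handshakes" point just made), as an added example that is not from the original thread or from Firewalla: the first flags a WAN address that cannot be public (RFC 1918 or carrier-grade NAT space), the second parses `wg show <iface> dump` output and reports which peers actually completed a recent handshake. The dump text and the placeholder keys are constructed for the example.

```python
import ipaddress

# RFC 1918 ranges are covered by is_private; carrier-grade NAT space (RFC 6598)
# is not, so it is listed explicitly. A WAN address in any of these means the
# router sits behind another NAT and inbound WireGuard packets never reach it.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

def double_nat_suspected(wan_ip: str) -> bool:
    """True when the router's WAN address cannot be a public IPv4 address."""
    addr = ipaddress.ip_address(wan_ip)
    return addr.is_private or addr in CGNAT

def live_peers(dump: str, now: int, max_age: int = 180) -> dict:
    """Parse `wg show <iface> dump` output and report, per peer public key,
    whether a handshake completed within max_age seconds of `now`.
    WireGuard rekeys roughly every two minutes while traffic flows, so a
    handshake older than that (or 0, meaning never) is a tunnel that only
    looks connected on the client side."""
    lines = dump.strip().splitlines()[1:]  # first line describes the interface
    status = {}
    for line in lines:
        fields = line.split("\t")
        # dump columns: pubkey, psk, endpoint, allowed-ips, latest-handshake, rx, tx, keepalive
        peer_key, latest_handshake = fields[0], int(fields[4])
        status[peer_key] = latest_handshake != 0 and now - latest_handshake <= max_age
    return status

# Constructed sample (placeholder keys): one peer that handshook 30 s ago,
# one that never did.
NOW = 1_700_000_000
SAMPLE_DUMP = (
    "PRIV_PLACEHOLDER\tPUB_PLACEHOLDER\t51820\toff\n"
    f"PEER_A_PLACEHOLDER\t(none)\t203.0.113.10:41200\t10.11.12.2/32\t{NOW - 30}\t4096\t8192\t25\n"
    "PEER_B_PLACEHOLDER\t(none)\t(none)\t10.11.12.3/32\t0\t0\t0\t0\n"
)

if __name__ == "__main__":
    # 8.8.8.8 is used only as an example of a routable public address.
    for ip in ("192.168.1.2", "100.70.1.9", "8.8.8.8"):
        print(ip, "double NAT suspected" if double_nat_suspected(ip) else "public WAN address")
    for peer, ok in live_peers(SAMPLE_DUMP, NOW).items():
        print(peer, "recent handshake" if ok else "no recent handshake")
```

On a live box, feed `live_peers` the output of `wg show <iface> dump` together with the current epoch time; a peer that shows as connected in the client app but never moves off handshake 0 is the symptom described above.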