Hi there.
I installed two Firezone instance on two ubuntu 20.04 lts servers.
Firezone-A on 192.168.11.0/24 connected by VPN to 10.0.0.0/20
Firezone-B on 10.0.0.0/20 connected by VPN to 192.168.11.0/24
When connected to A, I can ping all addresses, but only open websites on 10.0.0.0/20
When connected to B, I can ping all addresses, but only open websites on 192.168.11.0/24
So I can never reach websites of the network, where the server is on.
One server has no firewall on, the other has firewall on with basic rules.
forwarding is on.
You have:
Firezone-A on network 192.168.11.0/24, lets say the IP of your FZ-A is 192.168.11.1
Firezone-B on network 10.0.0.0/20, lets say the IP of your FZ-B is 10.0.0.1
Your network connectivity between 192.168.11.0/24 and 10.0.0.0/20 is via FZ-A and FZ-B respectively, is that correct?
What is the wg-firezone interface IP of FZ-A and FZ-B?
Both Firezone-Servers are separate tests.
A-home—VPN—B-Office
This was my first test:
Firezone-A on network 192.168.11.0/24, the IP of FZ-A is 192.168.11.21
IPv4 address for wg-firezone: 10.3.2.1
This was my second test:
Firezone-B on network 10.0.0.0/20, the IP of FZ-B is 10.0.0.182
IPv4 address for wg-firezone: 10.3.2.1
10.0.0.0/20 and 192.168.11.0/24 are connected by a VPN, which is independed of Firezone.
The idea was not to connect the networks.
I want to access the networks from mobile devices/notebooks.
I connected with the wireguard client from my Macbook as well as from my mobile phone to A or B
using mobile network or WLAN, which is not within the two networks.
Ok understood, are you trying to connect to both the VPNs (A-home and B-office) at the same time from a single client (mobile)? if so the client will get IPs in the same range which belong to both the VPNs as per your setup
No, I connect with the client to A or B with 10.0.0.0/20,192.168.11.0/24 allowed.
And I can not reach the netwotk I connect to, but the one further away.
I can ping all IPs, close and far.
I am connected to the correct sever, I can see it in the web interface.
After ping I tried curl and get …
curl -v --max-time 5 blog.xxxxxx.yy
Trying 10.0.5.78…
TCP_NODELAY set
Connected to blog.xxxxxx.yy (10.0.5.78) port 80 (#0)
GET / HTTP/1.1
Host: blog.xxxxxx.yy
User-Agent: curl/7.64.1
Accept: /
Operation timed out after 5001 milliseconds with 0 bytes received
@someHuman If you can ping but HTTP isn’t working, sounds like an MTU issue.
Try reducing the WireGuard MTU in /etc/firezone/firezone/rb for both instances, and setting the same MTU for device configs in /settings/site in the web portal. You’ll need to regenerate configs or manually edit the existing config on your devices.
If that doesn’t fix it, I’m not sure what the issue could be. Most likely a routing issue. We’re working on multisite support which will likely make this easier, but that’s still a ways away.