Wireguard Site-to-Site - unable to ping certain hosts

Started by wagman77, May 14, 2025, 10:12:17 PM

I successfully established a WG Site2Site tunnel between my "homelab opnsense" and my "company opnsense".
A really strange thing is that I can't ping certain hosts although they are in the range of the allowed IPs.
On site A, I have a 10.0.100.0/24 subnet; on site B, a 192.168.1.0/24 subnet.
From site A, I can ping my Windows DC on 192.168.1.10 and access it via RDP, but I can't ping my Windows laptop on 192.168.1.192.
From site B, I can reach everything on the "allowed IPs" subnet, but I can't ping or access my Proxmox cluster on 10.0.100.2 and 10.0.100.3 via the web GUI.
The bad thing is, I don't know how to resolve this issue.

I am happy for any hints.

Have a look at the routing table on the hosts you can't ping. Make sure they have a route back to your homelab.
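
A small checker for the two return-path failures this thread turns on (an added example, not code from the thread or from OPNsense): a host whose own connected prefix overlaps the remote site, so replies never leave its LAN segment, and a host whose route towards the remote site points at a gateway other than the box that terminates the WireGuard tunnel. The site prefixes 10.0.100.0/24 and 192.168.1.0/24 come from the thread; the routing tables, interface names and gateway addresses below are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample routing tables in Linux `ip route show` syntax. The site
# prefixes (10.0.100.0/24 at site A, 192.168.1.0/24 at site B) are from the
# thread; interface names, gateway and host addresses are assumed.
LAPTOP_B_ROUTES = """
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.192
"""

# A Proxmox node with a VLAN interface carrying the *remote* site's prefix:
# a duplicate-subnet collision, so replies to 192.168.1.x are ARPed for on
# the VLAN instead of being routed to the firewall.
PROXMOX_A_ROUTES = """
default via 10.0.100.1 dev vmbr0
10.0.100.0/24 dev vmbr0 proto kernel scope link src 10.0.100.2
192.168.1.0/24 dev vmbr0.50 proto kernel scope link src 192.168.1.2
"""

# A host whose default gateway is a modem/router while the WireGuard endpoint
# is a separate box on the same LAN (assumed at 192.168.1.2).
BEHIND_MODEM_ROUTES = """
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[ipaddress.IPv4Address]  # None = directly connected (scope link)
    dev: str


def parse_ip_route(text: str) -> List[Route]:
    """Parse the subset of Linux `ip route show` output used in this example."""
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        prefix = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0])
        via = ipaddress.ip_address(f[f.index("via") + 1]) if "via" in f else None
        routes.append(Route(prefix, via, f[f.index("dev") + 1]))
    return routes


def best_route(routes: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match, i.e. the route the kernel would pick for dst."""
    hits = [r for r in routes if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None


def return_path_problems(routes: List[Route], remote_subnet: str,
                         tunnel_gateway: str) -> List[str]:
    """Explain why replies to remote_subnet would not reach the tunnel."""
    remote = ipaddress.ip_network(remote_subnet)
    gw = ipaddress.ip_address(tunnel_gateway)
    problems = []
    # 1. A connected prefix overlapping the remote site: the host treats remote
    #    addresses as on-link neighbours and never hands them to a router.
    for r in routes:
        if r.via is None and r.prefix.overlaps(remote):
            problems.append(f"connected route {r.prefix} on {r.dev} overlaps "
                            f"remote subnet {remote}; duplicate subnet")
    # 2. The route actually selected must point at the tunnel endpoint.
    chosen = best_route(routes, remote[1])  # probe with the first host address
    if chosen is None:
        problems.append(f"no route at all for {remote}")
    elif chosen.via is not None and chosen.via != gw:
        problems.append(f"{remote} is routed via {chosen.via}, not the tunnel "
                        f"endpoint {gw}; add a static route '{remote} via {gw}'")
    return problems


if __name__ == "__main__":
    for name, table, remote, gw in [
        ("laptop at site B", LAPTOP_B_ROUTES, "10.0.100.0/24", "192.168.1.1"),
        ("proxmox at site A", PROXMOX_A_ROUTES, "192.168.1.0/24", "10.0.100.1"),
        ("host behind modem", BEHIND_MODEM_ROUTES, "10.0.100.0/24", "192.168.1.2"),
    ]:
        print(name, "->", return_path_problems(parse_ip_route(table), remote, gw) or "ok")
```

Feed it the output of `ip route show` from the host that does not answer; on Windows the same information comes from `route print`, but the parser above only understands the Linux format. A clean result from this check and still no reply usually means a host firewall, which is what the laptop case in this thread turned out to be.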

This was a good hint to check the routing table.
The solution was pretty simple. On my Proxmox cluster, there was a VLAN with the same subnet as my home network.
Twice the same subnet is not a good idea.
And the Windows laptop I was unable to ping was due to Windows Defender firewall settings.
The only challenge I have left is how to get host names resolved from site B when accessing site A.

Generally you would configure an internal authoritative DNS tree with a primary in one site and a secondary in all other sites. https://arstechnica.com/information-technology/2024/02/doing-dns-and-dhcp-for-your-lan-the-old-way-the-way-that-works/

Alternatively, what about running pi-hole on both sides and replicating the settings with nebula? https://technotim.live/posts/pihole-sync-nebula/ Set the internal DNS records in pi-hole under Settings, Local DNS Records.

Both Windows and Proxmox are reasonably well suited to running containers.

Bart...

Setting up Pi-hole was generally a good idea, but in a setup I checked out just for learning purposes.
On site A, I have an OPNsense firewall; on site B, a WireGuard server behind a router/modem.
After setting up Pi-hole on this WireGuard server, I was able to resolve the host name from site A.
Nevertheless, I was not able to connect to Windows AD. I don't know what is blocking the connection.

In my other scenario where I connect two OPNsenses, I think that DNS resolution for both sites can be done in the OPNsenses without installing additional things.
I am not able to find the right firewall or whatever settings so that site A is able to resolve the host names from site B and vice versa.

Quote from: wagman77 on May 17, 2025, 11:13:43 PM
"I was not able to connect to Windows AD."
There are a whole bunch of records required for clients to find a DC: https://www.serverlab.ca/tutorials/linux/network-services/using-linux-bind-dns-servers-for-active-directory-domains/
In the Microsoft ecosystem this is easy - just have at least one DC/DNS per site. I can appreciate that you may not want to pay for a second Windows Server on your home network.
Also make sure 10.0.100.0/24 is recorded in AD: https://theitbros.com/active-directory-sites-and-subnets/

Bart...
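
The two checks the reply above asks for, as an added example that is not code from the thread, from Microsoft or from OPNsense: the DC-locator SRV records a client needs to find a domain controller, emitted as BIND zone-file lines and diffed against a zone, plus the subnet-to-site mapping that decides whether a 10.0.100.0/24 client is associated with a site at all. The domain name corp.example, the DC host name dc1.corp.example and the site names are assumptions; the record set is the core of what Netlogon registers (the GUID-based _msdcs entries are left out).

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Assumed example values (not from the thread): AD domain, DC host name and
# site name. The site subnets below use the two prefixes from the thread.
DOMAIN = "corp.example"
DC_HOST = "dc1.corp.example"
SITE = "Default-First-Site-Name"

# DC-locator services a domain controller registers through Netlogon:
# (service, protocol, port, has a site-specific variant under _sites).
SERVICES: List[Tuple[str, str, int, bool]] = [
    ("_ldap", "_tcp", 389, True),
    ("_kerberos", "_tcp", 88, True),
    ("_gc", "_tcp", 3268, True),
    ("_kerberos", "_udp", 88, False),
    ("_kpasswd", "_tcp", 464, False),
    ("_kpasswd", "_udp", 464, False),
]


def dc_locator_records(domain: str, dc_host: str, site: str) -> List[str]:
    """Return the core DC-locator SRV records for one DC as BIND zone-file lines."""
    def srv(owner: str, port: int) -> str:
        return f"{owner}.{domain}. IN SRV 0 100 {port} {dc_host}."

    recs = []
    for svc, proto, port, per_site in SERVICES:
        recs.append(srv(f"{svc}.{proto}", port))
        if per_site:
            recs.append(srv(f"{svc}.{proto}.{site}._sites", port))
    # The _msdcs subtree: generic DC, site-specific DC, PDC emulator, global catalog.
    recs.append(srv("_ldap._tcp.dc._msdcs", 389))
    recs.append(srv(f"_ldap._tcp.{site}._sites.dc._msdcs", 389))
    recs.append(srv("_kerberos._tcp.dc._msdcs", 88))
    recs.append(srv(f"_kerberos._tcp.{site}._sites.dc._msdcs", 88))
    recs.append(srv("_ldap._tcp.pdc._msdcs", 389))
    recs.append(srv("_ldap._tcp.gc._msdcs", 3268))
    recs.append(srv(f"_ldap._tcp.{site}._sites.gc._msdcs", 3268))
    return recs


def missing_records(zone_text: str, domain: str, dc_host: str, site: str) -> List[str]:
    """Owner names from dc_locator_records() that have no SRV line in zone_text."""
    present = {ln.split()[0].rstrip(".").lower()
               for ln in zone_text.splitlines() if " SRV " in ln}
    wanted = [r.split()[0].rstrip(".") for r in dc_locator_records(domain, dc_host, site)]
    return [owner for owner in wanted if owner.lower() not in present]


def site_for_client(client_ip: str, site_subnets: Dict[str, str]) -> Optional[str]:
    """Map a client address to an AD site by longest-prefix match over the
    configured subnets. None means no subnet covers the client, so the DC
    locator cannot associate it with a site."""
    ip = ipaddress.ip_address(client_ip)
    hits = [(ipaddress.ip_network(n), s) for n, s in site_subnets.items()
            if ip in ipaddress.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


# Constructed partial zone: only two of the required records are present.
PARTIAL_ZONE = """
_ldap._tcp.corp.example. IN SRV 0 100 389 dc1.corp.example.
_kerberos._tcp.corp.example. IN SRV 0 100 88 dc1.corp.example.
"""

# Sites and Services before and after recording the homelab prefix.
SITE_SUBNETS_BEFORE = {"192.168.1.0/24": "Company"}
SITE_SUBNETS_AFTER = {"192.168.1.0/24": "Company", "10.0.100.0/24": "Homelab"}

if __name__ == "__main__":
    for rec in dc_locator_records(DOMAIN, DC_HOST, SITE):
        print(rec)
    print("missing:", missing_records(PARTIAL_ZONE, DOMAIN, DC_HOST, SITE))
    print("site before:", site_for_client("10.0.100.50", SITE_SUBNETS_BEFORE))
    print("site after:", site_for_client("10.0.100.50", SITE_SUBNETS_AFTER))
```

To verify the live setup from the remote site (domain name assumed as above), `nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example` on a client at site A shows whether the locator record resolves through whatever DNS that site uses, and `nltest /dsgetdc:corp.example` on a domain-joined Windows host reports which DC and site the locator actually picked.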