Trying to route all traffic from Client1 through pfSense2 and Client2 through pfSense1, with the setup described further down in this comment, I get the following:

Client1: Can resolve DNS, but traffic seems to get dropped somewhere.

Client2: Has internet, but its WAN IP is WAN2 (it's supposed to be WAN1). Websites will time out, but will actually load partially, and show the WAN2 IP.

Both clients can access hosts on their remote LAN (Client1 -> LAN2 and Client2 -> LAN1). If the LAN-1 rule is disabled on either pfSense, the corresponding client will lose its internet connection.

Apparently, by deleting some previously automatically mapped outbound NAT rules (which, for some reason, were already covered by the automatic rules) and/or removing an inactive WG peer on both the local and remote WG interfaces, I am now getting no WAN connection with the setup described in the original post.

Before setting up the site to site connection, I had been trying to connect a phone as a "client" to the remote WG (one of the inactive peers I deleted) and saw the exact same issue: with 'Allowed IPs' on the phone set to 0.0.0.0/0, I was able to access the remote LAN (10.2.0.0/24), but could not access WAN. Couldn't ping anything outside the local network. I think this is good in the sense that traffic is most likely being routed through the remote gateway, but for some reason isn't getting through; at least I'm not being routed through the local gateway.

With the site to site connection and the manual traffic routing set up, I am seemingly now having the exact same issue on both 10.1.0.2 and the phone, leading me to think the rules are probably correct, and the "issue" described in this post has been resolved. Now I'm stuck at actually getting to access WAN through the remote gateway.

I have had some OpenVPN clients set up previously and have been routing selected traffic through those for some time with no issues, but doing the same for a WG interface just won't work. My WG site to site tunnel is working (two pfSense instances): I can access clients on the remote LAN, but I cannot route traffic through the remote WAN (as intended anyway). In short, I have these rules set up on the local LAN interface:

Action: Pass
Protocol: Any
Source: 10.3.0.2 (a local LAN client)
Destination: Any
Gateway: WireGuard

Action: Block
Protocol: Any
Source: 10.3.0.2
Destination: Any

With both rules enabled, 10.3.0.2 has internet access and the states for rule 1 show packets being captured. If rule 1 is disabled, the client loses internet access, as expected. What I don't understand is that with these rules in place, 10.3.0.2 still has its local WAN IP, not the WG peer WAN IP. Having the following Outbound NAT rules doesn't help:

Interface: WireGuard
Protocol: Any
Source: 10.3.0.0/24
Destination: Any
Address: Interface Address

By creating rule 1 along with the outbound rule, I expected all traffic to get routed through the remote WAN: Local LAN -> WG -> Remote WAN (5.6.7.8). But while remote LAN clients are accessible, the WAN IP stays local (1.2.3.4).

I'm really at a loss getting WireGuard working; everything I thought I knew about networking seems to be wrong. Granted, I was never an expert, but still.
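The rule set described in the post, written out in pf syntax as an added illustration (not the poster's configuration and not what pfSense generates), with the second half showing the outbound NAT the remote site needs so that traffic arriving over the tunnel leaves with the remote WAN address rather than a tunnel or LAN source; interface names and the 10.9.0.0/24 tunnel subnet are assumptions:

```pf
# --- Site A (local pfSense), hypothetical names ---
#   lan0     = local LAN interface, 10.3.0.0/24
#   tun_wg0  = WireGuard site-to-site interface, site A address 10.9.0.1
#   10.9.0.2 = site B's tunnel address, i.e. the "WireGuard" gateway
lan_if = "lan0"
wg_if  = "tun_wg0"
wg_gw  = "10.9.0.2"

# Outbound NAT on the tunnel (the post's NAT rule): source becomes site A's
# tunnel address, which must be inside site B's AllowedIPs for this peer.
nat on $wg_if from 10.3.0.0/24 to any -> ($wg_if)

# Rule 1: policy-route the test client into the tunnel instead of the
# default WAN. "quick" stops rule evaluation on match.
pass in quick on $lan_if route-to ($wg_if $wg_gw) from 10.3.0.2 to any

# Rule 2: anything from that client not handled by rule 1 is dropped, so it
# can never fall back to the local WAN (1.2.3.4). Disabling rule 1 therefore
# cuts the client off entirely, which matches the behaviour in the post.
block in quick on $lan_if from 10.3.0.2 to any

# --- Site B (remote pfSense), hypothetical names ---
#   em0      = site B's WAN interface (5.6.7.8)
#   tun_wg0  = WireGuard interface, site B address 10.9.0.2
wan_if = "em0"
wg_if  = "tun_wg0"

# Tunnelled packets now carry a 10.9.0.0/24 source. They must be translated
# to site B's WAN address on the way out, or the internet host replies to a
# private address and the session times out even though the LAN is reachable.
nat on $wan_if from 10.9.0.0/24 to any -> ($wan_if)

# Allow the tunnelled traffic in on the WireGuard interface and let it be
# forwarded out the WAN.
pass in quick on $wg_if from 10.9.0.0/24 to any
pass out quick on $wan_if from ($wan_if) to any
```

On pfSense the equivalent of the site B NAT rule is a manual Outbound NAT entry on the WAN interface with the tunnel subnet as source; `pfctl -s nat` and `pfctl -s state` show whether translation is actually being applied to the tunnelled flows.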