I've already tried the 100% trick as per the following forum thread, but colums do not scale.

@luckman212 Has this been integrated into a subsequent release or is this patch still valid? I'm having the same issue on 23.05.1-RELEASE.

This looks like it will solve my issue. I'll update after I've had a chance to try it out.

@cburbs

187e2a46-521f-4dc3-ae9e-c8033cff7719-image.png

So if the phone connecting is on the 10.0.2 wireguard tunnel and I only want access to Vlan 3 what's the best way to do that?

While on wireguard:
No access to the pfsense box, Switches, Vlan1, Vlan4, Vlan4
Can't ping anything in the above either

Just access to one docker on Vlan3.

@JustAnotherUser said in Routing Internet Traffic Through A Site-To-Site Wireguard tunnel:

You set your SITE's Default Gateway to your WG interface

...WG interface on MAIN Router.
(to be unambiguous)

@mThirteen

Your WG VPN may be up and running fine and you just don't know it...

From each device: ping the far end WG tunnel IP. If you can ping the tunnel IPs, your VPN is working fine.

If your VPN is working fine but there's still no traffic through it, it's probably because:

You didn't set up the static routes.

You have OpenVPN entries on your pfSense box that are interfering. The Wireguard module is a little bit broken in that OpenVPN entries (even disabled ones), mess up WG.

I fixed this issue by deleting all of my OVPN entries.

Others have fixed this issue by deleting the WG peers and tunnels and re-installing them.

I highly suggest you backup your pfSense before deleting anything.

One other thing you may try is to explicitly add your tunnel's far end IP in the Allowed IPs (/32). With 0.0.0.0, it shouldn't matter but the WG module is a little flaky and this might fix it:

[Peer]
PublicKey = ************************************
AllowedIPs = x.x.x.x/32
AllowedIPs = 0.0.0.0/0

Thank guys,

I have a Wireguard client set up like https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-client.html with a gateway group that prefers routing over Wireguard (tun_wg0) and fails over to normal WAN GW in case of Wireguard failure.

I have found that the best way of disabling Wireguard from GUI is to disable the tun_wg0 interface. In that way traffic fails over to WAN GW.

If I do the same in CLI using ifconfig tun_wg0 down, the interface goes down, but traffic never fails over to WAN GW. What is the CLI equivalence of disabling tun_wg0 in GUI?

@mikebflyer

You bridge the interfaces. I've never done it in pfSense so I can't tell you the details other than:

Interfaces >> Bridges >> Add

When you bridge them, they act as one interface so they have the same IP and are connected to the same subnet.

Here's how to do it to an OVPN interface (it will be the same for a WG interface):
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-bridged.html

@mooncaptain

I had the same problem. HERE was my fix-

https://forum.netgate.com/topic/181857/solved-wireguard-interfaces-ping-but-can-t-get-actual-data-through

@Neosmith20

Lastly, if you look in:

Status >> System Logs >> System >> General

And filter on "ireguard" (and then filter again on "WG0" (or whatever you named your interface)), you will see some of the logs.

(My personal experience has been that those log entries have been pretty useless)

Well i think that i might solved the problem after reboot. If someone can test and see if its working, i did several reboots and now my wg is coming up without the error for unknown gateway.
What i did is check the box Disable Negate rules under System/Advanced/Firewall & NAT.
But i still have the problem if my wan goes offline when it is coming back my wg connection will remain offline until i reboot the box.
This is a clean 2.7 install without restoring backup just to discard any errors.

@tweek negative. I wrote the package and can confirm it has always been kernel driver.

@keyser okidok, thx anyway ;-)

solved at reference...

@viragomann AHA! I figured it out now! So, that client (10.247.1.13) used to have my wireguard server running on it, and I never uninstalled it. So I THINK that ubuntu server had static routes set up for traffic on the 10.66.66.1/24 subnet, and was sending traffic to those subnets into the void. After uninstalling wireguard on the server, pings are now working between my windows machine connected via wireguard and the server at 10.247.1.13. Still can't ping windows to windows, but I'm guessing that's a firewall issue and I can look at that in my own time.

Thanks for the help folks! I think we can consider this resolved now.