• 0 Votes
    4 Posts
    100 Views
    H
    @RNM-0 Thanks for your comment and sharing your fix. Unfortunately I don't want to take down pfsense and downgrade versions. I'm currently fine at the moment since I'm using Tailscale and that works. I also fixed the other crash I was having with pfblocker by changing a line of code that wasn't pushed out under this version. Hopefully the stable release won't take too long to release but it appears there's still some open bugs that need to be fixed before that happens, and ironically, both the pfblocker and wireguard issues aren't on that list of bug fixes.
  • Wireguard Routing help - 1 way working only

    11
    0 Votes
    11 Posts
    91 Views
    A
    Hi again @patient0, Sorry to bother, already added but still the same issue. [image] Laptop can ping the server in the pfsense network but not the Wireguard [image] [image] Also, Server cannot ping the laptop but can ping the wireguard: [image] Any more suggestions? Thank you,
  • 0 Votes
    24 Posts
    10k Views
    S
    @LaUs3r Yeah, I added those IPs, but after restarting pfSense, the WireGuard status says “handshake failed.” Also, when I do nslookup us-bos.prod.surfshark.com, I get two different sets of IPs. For example: • The first time I get 43.225.189.108 and 43.225.189.118 • The next time I get 149.40.50.216 and 149.40.50.290 So I was wondering, can I add both sets of IPs, and put a “0” at the end of each, and use /24 for both IPs? I reached out to Surfshark support, and they sent me their official pfSense WireGuard setup guide (see the guide here). In the guide they mention 10.14.0.2 for static routes
  • Vlans site 2 site access

    1
    0 Votes
    1 Posts
    34 Views
    No one has replied
  • Wireguard help

    3
    0 Votes
    3 Posts
    106 Views
    D
    @chpalmer okay so here is the update. I was able to get all my wireguard servers handshaking, my two personal tunnels and my one nord. I have full access to my lan with my personal tunnels but I now don't have nord routing any traffic through its tunnel. I try to make a lan rule route one ip through nord and make one NAT rule and nothing. I lose internet on my one ip when I try and make a rule to use the nordvpn gateway
  • Dual wireguard server help

    1
    0 Votes
    1 Posts
    44 Views
    No one has replied
  • 0 Votes
    7 Posts
    2k Views
    T
    @chpalmer One of us should post this to redmine as a regression. Just done by me. Ted
  • WireGuard client NAT with alias IP breaks handshake on pfSense 2.8.1

    2
    0 Votes
    2 Posts
    122 Views
    N
    Found a solution: When using the desired outbound address in the outbound nat rule for translation directly, instead of using an alias ip, it seems to work as desired.
  • Weird Wireguard Problem: Some Peers getting blocked

    2
    2
    0 Votes
    2 Posts
    125 Views
    Z
    Yeah, I'm dumb. The tunnel CID was /29. I just read that only 6 IPs are possible with /29. After I changed the tunnel network to /28, everything works as desired. Well, maybe it will help someone else. Gosh, I'm so embarrassed. XD
  • Connecting to pfSense WireGuard server with Android's Rethink DNS app

    1
    0 Votes
    1 Posts
    141 Views
    No one has replied
  • WireGuard Package Preventing Reboots

    1
    0 Votes
    1 Posts
    169 Views
    No one has replied
  • can only reach wg clients from pfsense not from lan

    3
    0 Votes
    3 Posts
    266 Views
    M
    @Bronko Thank you very much. I tried adding a route to the device server - unfortunately it won't let me set static routes on tunnel interfaces - but I contacted the manufacturer here and hope he has a solution. I will keep this thread updated and let you know of the outcome
  • WG Site2Site issues

    3
    1
    0 Votes
    3 Posts
    1k Views
    I
    @Bronko The command output of pfctl -vvsr | grep 100000101 is: @2 block drop in log inet all label "Default deny rule IPv4" ridentifier 1000000101 But as I have a rule above saying allow any, this shouldn't happen!
  • 0 Votes
    3 Posts
    2k Views
    P
    @Bob.Dig I will work on some pics but it's been in a state of evolution as a test network running another scenario at the moment - but when I can switch it back to this I was looking for some things to focus on and try. I used an interface group for NAT rules because one of the tutorials I read showed to do that and said create a group or do rules for every one. Seemed like a group would be best practice then for larger numbers - but do you recommend to just do a NAT entry for each instead?
  • Can’t access LAN from iPhone WG app

    38
    0 Votes
    38 Posts
    8k Views
    TommyMooT
    @hfederau good manual to recheck setup -> https://www.wundertech.net/how-to-set-up-tailscale-on-pfsense/
  • question about file sharing using wireguard remote access

    3
    0 Votes
    3 Posts
    2k Views
    W
    @powerguy42 how?
  • Traffic does not switch to Wireguard from WAN

    4
    0 Votes
    4 Posts
    2k Views
    QuantumParadoxQ
    Resolved! Issue was the following: I corrected a few things on your config: Your Outbound NAT configuration was malformed. I corrected it to utilize Hybrid mode and configured a single Outbound NAT for your Wireguard connection, which should be much cleaner. I updated your routing table to be Automatic and switched to Policy-based routing within the firewall rules under Firewall --> Rules --> LAN. I updated the name of the interface for the Wireguard tunnel to be called TORGUARD and set the MSS clamping to 1350. This can probably be bumped back up to 1400, but I wanted to make sure the clamping was small enough to avoid fragmentation. I cleaned up some redundant firewall rules and a few other "odds and ends".
  • Wireguard Multi VPN Tunnels

    5
    0 Votes
    5 Posts
    2k Views
    Bob.DigB
    @HFADmin If it is no Site2Site-VPN then you don't need any gateways in the first place... If that is true but you want to monitor the connection then you could create dummy-gateways just to ping the remote ip-addresses.
  • 0 Votes
    5 Posts
    2k Views
    S
    @Bob.Dig what's the right place?
  • 0 Votes
    2 Posts
    898 Views
    N
    This is what I observe in the system logs when this event occurs: not letting me post the logs here due to anti-spam filter; you can see it on my post on reddit here in the replies: https://www.reddit.com/r/PFSENSE/comments/1mrqwg3/wireguard_tunnel_disconnectreconnect_events_cause/
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.