@patient0 Thanks for further suggestions. The tunnel is definitely up and so I don't think this is a CGNAT issue after all. WAN firewall rule is in place for UDP on port 51823 (otherwise the tunnel wouldn't work, right?). I can ping from client 1 -> client 2 and visa versa and also ping all points in between like you suggest. I just can't open an HTTPS connection from pfSenseB from Client 1 using a browser. But I can do this the other way round i.e. from Client 2 to pfSenseA

I will try and do some packet capture to see if that reveals anything.

@Bob-Dig thanks
But I cannot understand why the FTP performance is crippled when going via Wireguard and not when going via the WAN.
The same happens for NFS and SMB file sharing protocols. The performance over Wireguard is rather poor, although I haven't tried these over an unencrypted WAN for obvious reasons so can't really compare.

@Jarhead said in WireGuard Site-to-Site VPN: Route for 192.168.2.0/24 Missing in Routing Table:

@tomasenskede Wireguard doesn't add routes automatically. And adding the "allowed IP's" is not the same as routes.
As stated, you need to add routes manually with Wireguard.

THANKS! when I add a gatewate and static routing it started to work fine, thanks @Jarhead

QR code for pfSense WireGuard will be awesome!

@MartynK that's ok, it's a bit odd that a reboot was necessary. Maybe it was the MTU changes?

My eyes are having a hard time getting beyond 250.0.0.0. Just something about it. I say this as a free thinker that regularly uses 172.20.20.0 or 172.21.21.0

I'm putting my money on a DNS entry feeding a public IP address instead of an internal IP address, and therefore not trying to send the 25 out the tunnel, and then the ISP knocking down the port 25 traffic.

@McMurphy exactly.
I started by setting just the MTU (to 1420). This didn't work.
After the reply from @TheNarc I did a test and additionally set the MSS value as well.

Ultimately, you want the real MSS value to be smaller than the MTU (typically 20 bytes for IP header data and 20 bytes for TCP header, so 40 bytes in total).
However, when you read the description field of the MSS value in pfSense it says

If a value is entered in this field, then MSS clamping for TCP connections to the value entered above minus 40 for IPv4 (TCP/IPv4 header size) and minus 60 for IPv6 (TCP/IPv6 header size) will be in effect.

This is why I set the same value as MTU. I actually don't know why this changes things. I would think that implicitly, the MSS should be affected by changing the MTU value. After all, the amount of data that can fit in a TCP segment directly depends on the overall size of the packet minus all headers. I guess that it would probably also work if you only set the MSS (with reverse logic: How should a packet ever get bigger than its payload size plus all headers), but I haven't tested.

I am no network expert however and the finer details of packet delivery are a mystery to me. I am always happy if I can get things to work ;).

@Bob-Dig @keyser
Ahhh, OK. So the wg<#> Wireguard interface will be assigned to a new logical pfsense interface (as WAN, LAN, OPT1, and OPT2 already have things assigned under Interface Assignments), which will be the next in logical sequence, ergo OPT3. OK, thanks, that helps!

@Ryu945 I never figured out how to get it working in self DNS mode like I could with OpenVPN. I had to put the DNS Resolver in forwarding mode to get it to work.

I also figured out that both the client and server need wireguard rules saying both client LAN to server LAN and server LAN to client LAN.

Same issue for me as well. Just came to check if others have the same problem.

I have 3 wireguard interfaces, one is a client VPN, other two are gateways for site to site VPN. When booting up, pfsense says the service is not running, but all tunnels work just fine.

If I click to start the service sometimes it works and it shows up, other times it still fails and shows not running. Either way, all wireguard interfaces work just fine.

@Bob-Dig
Yep, I get it. A bit of reconfiguration and I should have it working the way I had expected it to.

🙏 thanks

@cosmoxl That's makes at least 2 smart people. Well let's keep our fingers crossed.

@viragomann
i did.
i can reach the pfsense LAN's easily but i cant reach the ISP LAN . please look at the image i uploaded.
how do i get "back" to the native LAN ?

thanks

@Bob-Dig
outbound nat is in Hybrid mode now.
dont understand the other questions..

@Bob-Dig Thanks Bob I have it fixed now.