Thank guys,

I have a Wireguard client set up like https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-client.html with a gateway group that prefers routing over Wireguard (tun_wg0) and fails over to normal WAN GW in case of Wireguard failure.

I have found that the best way of disabling Wireguard from GUI is to disable the tun_wg0 interface. In that way traffic fails over to WAN GW.

If I do the same in CLI using ifconfig tun_wg0 down, the interface goes down, but traffic never fails over to WAN GW. What is the CLI equivalence of disabling tun_wg0 in GUI?

@mikebflyer

You bridge the interfaces. I've never done it in pfSense so I can't tell you the details other than:

Interfaces >> Bridges >> Add

When you bridge them, they act as one interface so they have the same IP and are connected to the same subnet.

Here's how to do it to an OVPN interface (it will be the same for a WG interface):
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-bridged.html

@mooncaptain

I had the same problem. HERE was my fix-

https://forum.netgate.com/topic/181857/solved-wireguard-interfaces-ping-but-can-t-get-actual-data-through

@Neosmith20

Lastly, if you look in:

Status >> System Logs >> System >> General

And filter on "ireguard" (and then filter again on "WG0" (or whatever you named your interface)), you will see some of the logs.

(My personal experience has been that those log entries have been pretty useless)

Well i think that i might solved the problem after reboot. If someone can test and see if its working, i did several reboots and now my wg is coming up without the error for unknown gateway.
What i did is check the box Disable Negate rules under System/Advanced/Firewall & NAT.
But i still have the problem if my wan goes offline when it is coming back my wg connection will remain offline until i reboot the box.
This is a clean 2.7 install without restoring backup just to discard any errors.

@tweek negative. I wrote the package and can confirm it has always been kernel driver.

@keyser okidok, thx anyway ;-)

solved at reference...

@viragomann AHA! I figured it out now! So, that client (10.247.1.13) used to have my wireguard server running on it, and I never uninstalled it. So I THINK that ubuntu server had static routes set up for traffic on the 10.66.66.1/24 subnet, and was sending traffic to those subnets into the void. After uninstalling wireguard on the server, pings are now working between my windows machine connected via wireguard and the server at 10.247.1.13. Still can't ping windows to windows, but I'm guessing that's a firewall issue and I can look at that in my own time.

Thanks for the help folks! I think we can consider this resolved now.

@Betahelix WireGuard tunnels only operate at Layer 3. If you need to transport L2 traffic you need to utilize a tap mode (layer 2) VPN driver.

@Bob-Dig So I reverted to manual (did a restore) since hybrid and automatic were not working, and it is broken now.

@tibere86 that doesnt help if they are using DoH which works over 443. Also DoT works over port 853 which is easier to block.

Just here to report that enabling IPsec-MB on 23.05 has reduced the CPU usage quite a bit on my 5100 when using Wireguard.