• 0 Votes
    2 Posts
    422 Views
    johnpozJ
    @tibere86 When you're coming through a vpn and wanting to talk to something on a network attached to pfsense you can run into a few different problems. Prob the most common is just firewall on the host doesn't like whatever the vpn client's IP is, in your case some 172.16 address.. Since it's not local network to who you're talking to.. Another issue is what you're trying to talk to from the vpn is not using pfsense as their gateway.. So if they allow X to talk to them, they send it to some other gateway other than pfsense. Another is the device you're talking to has no gateway at all.. Doing an outbound nat is sure a way to work around those issues. I would validate that pfsense is sending on the traffic.. Do a sniff on your lan interface while you send a ping to your pihole, do you see pfsense send on the traffic? If so then you should check pihole firewall allowing what you want to allow. Or if you can ping, it's maybe just an acl on pihole. There is a setting in pihole. Which is default I do believe.. [image: 1709912400776-pihole.jpg] That would not answer some query from some 172.16 address when its local address is a 10.0.0 because that is not its local network.
  • Wireguard Latest Handshake: -1 year, 11months ago

    0 Votes
    11 Posts
    2k Views
    P
    Just chiming in that this has already been reported https://forum.netgate.com/topic/183141/wireguard-status-shows-last-handshake-1-years-11-months-ago And I think the issue is not because of the leap year, but rather certain end-of-month days. It's happened to my firewalls before (during 2023 and 2024) but not every month. When it happens, it's usually the last few hours of the day.
  • WireGuard routing error

    0 Votes
    3 Posts
    635 Views
    B
    Thank you so much! I created an Interface for the WG tunnel, set a Gateway to WG peer address via this Interface and created a static route to opposite network through this new GW. It is working fine now!
  • Wireguard tunnel as WAN interface?

    0 Votes
    3 Posts
    619 Views
    B
    @Bob-Dig Thanks!!! After some research on policy based routing, I managed to give Internet access to a vm on my LAN using this tutorial as inspiration: https://protonvpn.com/support/pfsense-wireguard/ Now I'll try to configure haproxy to expose the services of the vm on my lan!
  • Wireguard Unbound DNS Access List

    0 Votes
    6 Posts
    906 Views
    Bob.DigB
    @renegade I have both, CE and plus and none is showing this. So get rid of this I guess.
  • pfSense to Ubiquiti WG tunnel

    1 Votes
    5 Posts
    567 Views
    AndyRHA
    @Lace Not sure what you mean exactly. His intrusion detection had gone a little rogue and was blocking allowed traffic. It seems the last Unifi update added a feature he was not aware of. There are complications doing a tunnel. We share a subnet, and it happens to be the one my computer is on at his house. There was some reconfiguring to do beyond the actual tunnel. For now, no tunnel.
  • Wireguard site to site vpn, lan site not accessible.

    0 Votes
    28 Posts
    5k Views
    S
    A big thanks to Jarhead. I have succeeded in my aim today, which I had planned for. I can ping both sides and access via RDP, but I still don't understand a few things. Normally, if you want to access a network, you need to be in the same range as that network. For example, I would like to access "side A" (192.168.10.0/24) from "side B" (192.168.20.0/24). I always kept a PC with an IP setting in the range of 192.168.10.50 on "side B", and actually, this is the issue with my settings, other than the gateway setting in the past. Today, when I changed this IP to the normal 192.168.20.50, it is working fine now.
  • 1 Votes
    6 Posts
    2k Views
    T
    For future travelers, this YouTube video is helpful: https://www.youtube.com/watch?v=ralWaBL98pU
  • 0 Votes
    5 Posts
    441 Views
    L
    @viragomann I got it. The "WireGuard Networks" alias wasn't defined/working... Changed it to the address of my WG network and things are working. Thanks!
  • Site to site WG - 50% ping loss

    0 Votes
    1 Posts
    245 Views
    No one has replied
  • WireGuard status shows last handshake -1 years 11 months ago

    0 Votes
    4 Posts
    1k Views
    P
    @jtressler I wasn't checking the WG status quite often but I now see it's happening again. This time I'm running the latest pfSense Plus 23.09.1 and up-to-date WireGuard 0.2.1 package. [image: 1706756031506-wireguard-datez.png] It's January 31st, and I had a suspicion that being the end of the month would have something to do with this; I'd want to test this theory but haven't been able to set the date to a specific day without the firewall getting auto-synced to the current date. I also recall checking another month's last day (October 31st I think) and it was showing all normal. At least I can document that this happened again on the last day of January, as well as September. I remember others posted on June 30th about this problem. So we now have: Jan 31st, Jun 30th, Sep 30th. I wonder if there is any correlation between the months...
  • WireGuard VPN Client Configuration Example for Remote Access to Host

    0 Votes
    3 Posts
    611 Views
    T
    Risk of necropost, but I found this topic helpful: setup-docs-incomplete-for-wireguard-confused-about-terms-having-a-challenging-time-setting-up-wireguard-read-here
  • Wireguard site to site where one site is behind a double NAT?

    0 Votes
    3 Posts
    3k Views
    S
    @Bob-Dig That fixed it, thank you so much for your help. You are right, I was not thinking about this properly. Steve
  • pfSense automatically creating gateways for wireguard on reboot

    0 Votes
    1 Posts
    310 Views
    No one has replied
  • 0 Votes
    1 Posts
    492 Views
    No one has replied
  • PfSense Wireguard to Fritzbox 7530

    0 Votes
    2 Posts
    724 Views
    planedropP
    @inghaj As long as the Fritzbox does support Wireguard properly, this should be totally possible. In terms of broad brushstrokes, the pfSense docs will be your best bet: https://docs.netgate.com/pfsense/en/latest/vpn/wireguard/index.html https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-s2s.html Second link is an example config of a Site-to-Site tunnel, should help a bit. In terms of configuring the Fritzbox, probably best to consult their manual about that.
  • Can't ping all the devices on my network but can ping some of them

    0 Votes
    3 Posts
    2k Views
    M
    @Gertjan Thanks very much for the ideas & sorry for the late reply...family went on a surprise vacay. So yes the Windows firewall was blocking it but blocking before the "Private or Public" pop up. I only mention in case someone else stumbles upon this thread and needs clarification. The NIC was set to "Private". To resolve I had to go into the Windows firewall rules and add an inbound rule. Under "Scope", "Remote IP Addresses" I added my vpn range. I can now ping & access the file shares - the security pop up box does in fact now pop up asking for the credentials. The WDMybook has a static IP BUT set within the configuration of the WDMybook GUI. It is within PFSense's dynamic IP range so I will change the WDMybook to dynamic (within the WDMybook Settings) and then set a static ip address for it within PFSense. I do have wireguard set to use the dns ip of pfsense. As for the remaining IPs. One device is a debian box that will also need its firewall rules adjusted if I want access to it. The others are Amazon devices and they (Amazon) seem to block VPNs. I think it's a blanket thing to prevent ppl trying to access content outside of their global region but seems to also block incoming connections. Not a big deal as I don't need access to the echo dots from outside. Thanks for the help. Glad it's working
  • 0 Votes
    2 Posts
    311 Views
    jchonigJ
    Ugh, not at all related to Wireguard, but an outage on one of my ISPs. I need to improve my alerting. [I tried to post this the other day, but the forums were having issues]
  • 0 Votes
    11 Posts
    3k Views
    K
    It seems to be an error specific for my setup here and not regarding pfsense/wireguard. I only have this problem at our provider colocation and not at our own locations.
  • Windows client unable to connect

    0 Votes
    1 Posts
    201 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.