@frodet Here. There is something already but it is closed for no good reason in hindsight.
Reading the comments, maybe disabling the keepalive helps...
I have the same problem. I reinstalled pfSense and did it manually, and today I understood that WireGuard was the problem.
I had no other option and I removed that package.
WireGuard was messing with my PPPoE connection going up, dpinger, sometimes one peer would not work, etc. etc... uff
@sensewolf
Okay, found the error:
At the remote end, I allow all IPs through the WireGuard tunnel. But I incorrectly provided this as 0.0.0.0/24 instead of 0.0.0.0/0. After changing this, the tunnel became stable.
Yes, it is possible.
Follow this guide
https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-s2s.html
Then add the configurations that I posted in this thread.
https://forum.netgate.com/topic/175495/wireguard-22-05-4100
Update:
I changed the system tunables parameters to
[image: 1666110268322-65ad22cb-f9a0-4507-8953-2c6ad142c52e-image.png]
and the speed has increased about 2x. 250 down/up. Still not maxing out my full CPU though. Any ideas?
I fixed it, it was my mistake.
For those of you who may come across this, here's what I did wrong:
I set the listen port for both tunnels to be the same, if I had read all of the documentation, I would have known that they need to be unique... :)
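The two mistakes described in this thread (an "allow all" entered as 0.0.0.0/24 instead of 0.0.0.0/0, and two tunnels sharing one listen port) are both easy to catch before a tunnel is brought up. The following is an added example, not code from the original posts or from pfSense; it assumes the tunnels are written in the standard wg(8) INI format, and the two configs are constructed inline.

```python
import ipaddress
from typing import Dict, List

def parse_wg_conf(text: str) -> Dict[str, object]:
    """Minimal wg(8)-style parser: one [Interface] section and any number of [Peer] sections."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            cur = iface
        elif line == "[Peer]":
            cur = {}
            peers.append(cur)
        else:
            key, _, val = line.partition("=")  # keys may have '=' padding (base64)
            cur[key.strip()] = val.strip()
    return {"interface": iface, "peers": peers}

def allowed_ips_cover(allowed: str, dst: str) -> bool:
    """True if the destination address falls inside any AllowedIPs entry of a peer."""
    nets = [ipaddress.ip_network(c.strip(), strict=False) for c in allowed.split(",") if c.strip()]
    return any(ipaddress.ip_address(dst) in n for n in nets)

def lint_tunnels(confs: Dict[str, str]) -> List[str]:
    """Flag a ListenPort reused across tunnels and a 'catch-all' AllowedIPs whose prefix is not /0."""
    findings, ports = [], {}
    for name, text in confs.items():
        cfg = parse_wg_conf(text)
        port = cfg["interface"].get("ListenPort")
        if port in ports:
            findings.append(f"{name}: ListenPort {port} already used by {ports[port]}")
        elif port:
            ports[port] = name
        for i, peer in enumerate(cfg["peers"]):
            for cidr in peer.get("AllowedIPs", "").split(","):
                cidr = cidr.strip()
                if not cidr:
                    continue
                net = ipaddress.ip_network(cidr, strict=False)
                if int(net.network_address) == 0 and net.prefixlen != 0:
                    findings.append(f"{name} peer {i}: AllowedIPs {cidr} is not 'all traffic'; "
                                    f"use {net.network_address}/0")
    return findings

# Constructed sample tunnels reproducing both mistakes (keys are placeholders, not real keys).
SAMPLE_CONFS = {
    "tun_wg0": "[Interface]\nListenPort = 51820\nPrivateKey = PLACEHOLDER=\n"
               "[Peer]\nPublicKey = PLACEHOLDER=\nAllowedIPs = 0.0.0.0/24\n",
    "tun_wg1": "[Interface]\nListenPort = 51820\nPrivateKey = PLACEHOLDER=\n"
               "[Peer]\nPublicKey = PLACEHOLDER=\nAllowedIPs = 10.0.2.0/24\n",
}
```

`allowed_ips_cover("0.0.0.0/24", "10.0.2.1")` is False, which is why traffic to a real remote host never entered the misconfigured tunnel.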
@ddbnj Feel free to fork and modify it. I had a "StateKiller" package that I was working on to do more complex rule-based state killing / failback, but I sadly never finished it. Not sure how much interest there is for that now that they added some more general-purpose state killing options in the recent builds.
@luckman212 It's the same as a non-BGP peer.
Set up the BGP router options
[image: 1664907772561-306a917e-13c2-44c5-8a5a-8cfada76f504-afbeelding.png]
[image: 1664907793482-4f5593a5-9d1c-408b-a111-e3ff89537a9f-afbeelding.png]
Neighbour (target system)
[image: 1664907838085-3b7f143a-26aa-4a7d-a80b-b84b9f133790-afbeelding.png]
[image: 1664907879262-d72ded88-c449-4839-8cd0-86b5dcd303d9-afbeelding.png]
You need to set up FRR
[image: 1664908023563-b943ce1a-0a31-4ebc-a4ac-6cd092f300c9-afbeelding.png]
[image: 1664907980899-565fac11-b6dd-4103-8f12-0e12cd5a75ef-afbeelding.png]
That's the allow-all on the BGP side.
And of course set up the interface and firewall rules.
This is the best I could come up with for now.
It's a pair of floating rules (block/quick), one for each direction (in/out). In the screenshot below, n_coresite_ext is an IP alias of the far-end static IP/subnet, 51828 is the listen port on the far-end tunnel, and WAN2_RUT is my failover WAN interface (the one I do not want any WG traffic to traverse).
It also helps to have wgfix.sh (github) installed.
[image: 1664895848013-dbb94a9c-5fe3-47c5-96d1-cd94ce605a2b-image-resized.png]