@sgc would also love to know the quick details (dont need a super detailed writeup) of how you got your WG remote access tunnel set up with SLAAC or DHCP6

@cmcdonald thank you for the explanation. indeed the problem was my frr configuration, all is working fine now.

After really long try and error I found the cause of all the mess. It is in this case mandatory to enter a MSS into the wireguard interface. I thought its calculated automatic based on MTU so 1420 - 40 = 1380. but it is not! After entering the MSS (1380) the connection is working like charm, also with large packets and hardware offloading.

@JeGr Apropos living on the edge. [image: 1663510391633-screenshot-2022-09-18-161302.png]

Update - Running iperf3 on Windows and setting the "-w" flag to "1m" gets me closer to ~450Mbs. Now I've got to figure out how to get windows to do that by default...

So, after some further digging, I discovered a couple things. You have to actually assign the tunnel to an interface The MacOS Wireguard app doesn't support .ddns.net domains Thank you for your help, once I assigned the interface correctly everything worked like a charm.

@bob-dig It works! Thanks!

@ben9090 Good that it's working but if you want to troubleshoot the pings, do packet captures on all relevant ports to see where they're getting lost.

@brians Thank you so much that exactly what i needed it worked perfectly

@rcoleman-netgate Oh I remember that now how it shares one internal interface for everything.

I have since been able to reproduce the issue, having the same problem but less setup: Install the package Set up the tunnel (Assign interface, configure a peer) Set up a WAN-Rule to allow connections and do a test. Done After the pfsense is rebooted, my WAN-Gateway for ipv4 goes down (Services -> Gateways) and the firewall is not able to do an ipv4 based update-check or ipv4 based ping (using Select Interface automatically). Everything works using ipv6, I tested the ipv4 functionality using the context switch in Advanced setup -> Networking. On the other hand, certain ipv4 services still work, namely: name resolution using ipv4 pinging, if the WAN-interface is explicitly chosen Disabling wireguard does not solve the issue, uninstalling and rebooting does though. Logs give no hint as of why this issue arises. Does anybody have an idea? Or shall I issue a github-issue to the corresponding wireguard-plugin?

@dapersico post a screenshot of your rules please. And do you have any rules in your floating tab? That looks like it was evaluated with that 0/4.. But to be honest, why would the client even try to be connecting to your lan address, that would never work from the internet. So its prob going to your wan address. Which is why I suggested use "this firewall" alias - this would be all your pfsense IPs..

@tommyt619 Update: Nope! I was wrong. Well, I was right about my mistake at least. Thankfully I hadn't deleted the line in wg0.conf because I probably would have assumed that I tried and it failed. Since I'm split tunneling Ive got a million different networks and staring right at me on the next line is #0.0.0.0/24. Facepalm. 0.0.0.0/0 now works. nftables handling NAT from there to all the VLANs so all is well. Thanks again!