• WireGuard doesn't come up at boot

    0 Votes
    11 Posts
    1k Views
    dem
    OK don't blame VirtualBox, blame me. I think the issue was that I didn't have "Hardware Clock in UTC Time" set in VirtualBox so the system clock was jumping when NTP kicked in which disrupted something, perhaps crypto-related. Sorry for my error.
  • Specify outbound interface (priority) for WG

    0 Votes
    13 Posts
    2k Views
    jimp
    @vbman213 said in Specify outbound interface (priority) for WG:
    Would policy routing This Firewall in a floating rule be used to push WG tunnel traffic over a preferred gateway or gateway group? There seems to be some discussion on Reddit suggesting that this is also possible too instead of changing the default gateway.
    Maybe, but that's always been a bit iffy -- It's worth trying, but if you do, carefully check the state table and packet captures to ensure that the traffic is exiting the correct interface with the correct address. A problem you might get into there is that it leaves, say, WAN2 with the source set to WAN1. Outbound NAT could work around that if it happens, but it's kinda ugly.
    The problem is that pf policy routing influences packets that are already fully formed and on an interface, whereas the routing table also influences source address selection for UDP packets. So sure policy routing can change how a packet exits, but it can't change the address from which WireGuard sends the packet.
  • add wireguard bgp route mode

    0 Votes
    8 Posts
    2k Views
    yon 0
    wg interface config ipv4 and ipv6 address, eg: 10.0.0.102/32, 2a0d:2400:12:c::102/128 but the interface only has ipv4.
  • WireGuard Server Behind Home Router

    0 Votes
    9 Posts
    3k Views
    stephenw10
    'Real soon now!' But yeah, it is close. We had to disable the public snapshots while we got all the changes in order and there are still a few things that need to be resolved. Steve
  • Second peer not passing traffic

    0 Votes
    20 Posts
    3k Views
    stephenw10
    Yes. With multiple peers you need to set Allowed-IPs to determine which peer WG routes to. https://www.wireguard.com/#cryptokey-routing But to avoid confusion 'Endpoint' is a WG term that defines the external IP. Steve
  • Invalid interface listen port

    0 Votes
    17 Posts
    2k Views
    S
    Hello! I am testing on:
    2.5.0-DEVELOPMENT (amd64) built on Mon Jan 25 09:13:15 EST 2021 FreeBSD 12.2-STABLE
    Using Firefox 84.0.1 (64-bit)
    I don't see any form field validation happening and the code in wg_validate_post and wg_validate_peer will let you enter just about anything you want. I made a redmine issue with some stopgap code that might help. https://redmine.pfsense.org/issues/11311 John
  • what speeds can you get with WG on a SG-3100

    0 Votes
    4 Posts
    3k Views
    viktor_g
    @griffo said in [what speeds can you get with WG on a On my old Celeron based test router, I always hit a limit of ~110mbits on OpenVPN. So far I've gotten up to 200mbit by switching to Wireguard. see https://redmine.pfsense.org/issues/10311
  • Removing WG interface breaks firewall

    1 Votes
    4 Posts
    840 Views
    G
    @stephenw10 said in Removing WG interface breaks firewall:
    Are you able to reproduce that? What you are seeing there is that the two WireGuard interfaces are still assigned and enabled in the config but do not exist yet in the firewall. However those should not be checked at that point since the interfaces are created after that in the boot. A commit went in to correct that a few days ago: https://github.com/pfsense/pfsense/commit/e564dbd64cc818bd5e751dbeaef8b00f1c0f9ed7 The current snapshot should not hit it. Steve
    Thanks. On recent builds I have not been able to replicate it. I believe the above resolved the issue.
  • If a psk is specified on a peer, it puts the psk in the keepalive field

    0 Votes
    4 Posts
    787 Views
    stephenw10
    https://redmine.pfsense.org/issues/11288
  • WireGuard peer status in dark theme

    0 Votes
    2 Posts
    602 Views
    stephenw10
    Mmm, yeah that's tough on the eyes! https://redmine.pfsense.org/issues/11287 Steve
  • Documentation - default port

    1 Votes
    5 Posts
    994 Views
    jimp
    Those haven't been written yet, some things are still in flux because development is ongoing and we're waiting on a couple more pieces to fall into place yet. Soon!
  • Unable to create a peer

    0 Votes
    4 Posts
    829 Views
    dennis_s
    @skplus This looks to be the same thing our engineers were seeing in testing. The description here isn't the exact same, but the root cause is believed to be the same. This should be fixed in the latest snap.
  • Wireguard is not under VPN tab

    0 Votes
    3 Posts
    946 Views
    P
    @chpalmer Oh, I picked a bad time to look at the documentation. I wasn't sure if I need to do something on my end. Thank you very much, I'll keep an eye on the update.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.