• service not startable

    2
    0 Votes
    2 Posts
    163 Views
    S

    @sensenmann
    damn stupid
    just reinstalled the package, works
    SORRY

  • WireGuard interface has no link local address

    2
    0 Votes
    2 Posts
    390 Views
    karl23546K

    @jimp Thank you. You are awesome. A thread you replied to in 2014 fixed a problem I am facing today hahaha.

  • pfSense+ 24.03 - wireguard works despite dashboard report it stopped

    1
    0 Votes
    1 Posts
    124 Views
    No one has replied
  • No handshake with iPad

    1
    0 Votes
    1 Posts
    177 Views
    No one has replied
  • Wireguard Foreign VPN

    4
    0 Votes
    4 Posts
    580 Views
    the otherT

    @Thrashbang well, in short terms:
    you'd need a (wireguard / vpn) server in a country that provides your wanted IP.
    Then you could set your server and app so that all traffic goes thru the wireguard tunnel.

    Since most ppl do not have access to such a setup, there are some services (that cost money) that do that for you. You can set the country the tunnel comes out (therefore the geo IP).
    BUT: imho such services are mostly bs (sorry). You never really know what those services do with their (your) data, they often have funny locations and overall often seem kinda...well...bs. So, you better look twice and make sure you choose a reliable company. Search for VPN provider, VPN geo lock...you'll find a lot..
    jm2c

  • 0 Votes
    1 Posts
    125 Views
    No one has replied
  • Routing Internet traffic to Internet with Wireguard

    7
    0 Votes
    7 Posts
    406 Views
    P

    @droidus Need to investigate elsewhere in your config I'm afraid.

  • Wireguard Site to Site Multi-WAN Failover Question

    2
    0 Votes
    2 Posts
    446 Views
    Bob.DigB

    @tman222 Good question. Try it!

  • Wireguard SiteToSite VPN DNS problems

    2
    0 Votes
    2 Posts
    397 Views
    H

    @Hangnail6119 Ok few updates that I found out after digging a lot more.

    In the S2S config pfsense uses transit network IP address so if you have a tunnel as in the video 10.100.90.0/31 that means your sites when sending requests to other end will use that tunnel ips: 10.100.90.0 and 10.100.90.1
    Firewall that is asked for a DNS record needs to have Access Lists record for the tunnel. Otherwise it will just refuse those requests.
    You don't need to add other firewall as DNS server you just need to define Domain override.
    With that knowledge how would my example work:

    I have 2 sites connected with a tunnel: 10.100.90.0/31
    SITE_1 with IP: 10.100.90.0
    SITE_2 with IP: 10.100.90.1
    SITE_1 has some servers under domain example.com and SITE_2 wants to access them
    SITE_1 has host overrides for single services under Services > DNS Resolver > Host Overrides for example:
    git.example.com points at some internal IP and SITE_2 will want to access that
    SITE_1 will need to have Access List added for tunnel network Services > DNS Resolver > Access List > +Add and there tunnel network specified 10.100.90.0/31
    SITE_1 will also need a rule that allows it to receive DNS requests from other end of the tunnel, The simple rule ALLOW src:* dst:This Firewall(53) on S2S interface should be enough AFAIK (at least it works for me :P)
    Now the only thing that SITE_2 needs to do is add Domain override. It's located under: Services > DNS Resolver > Domain Overrides and it needs 2 things example.com domain and IP address of SITE_1 that would be 10.100.90.0
    And that was my problem, now everything works.

  • Not able to ping other devices then the pfsense

    11
    0 Votes
    11 Posts
    933 Views
    johnpozJ

    @weyon668 here is what I would suggest you do then.

    Your stuff you're trying to get to is on your lan network? You can ping your pfsense lan IP.. Ok now sniff on your lan interface for icmp and your destination IP.. Do you see the ping go on?

    If so and you get no answer, then the device you're pinging is not answering, or he is sending the answer to something other than pfsense..

    Here I connected to my openvpn on my phone via a cell connection - and pinging my nas..

    That 10.0.8.2 is my phone, you can see it sends on the ping request, and in my setup my nas is answering.. Are you not seeing the echo request go out towards your device's IP you're trying to ping?

  • Setting up Mullvad with WireGuard

    2
    0 Votes
    2 Posts
    456 Views
    P

    @T5Y85DYSsJmA Is the wireguard tunnel itself up and running? What does / Status / Wireguard show, the tunnel should have a green up-arrow and the peer show a recent handshake having taken place.

  • 0 Votes
    10 Posts
    757 Views
    stephenw10S

    No worries, more info is almost always better. 👍

  • Subnets for Wireguard and OpenVPN

    3
    0 Votes
    3 Posts
    241 Views
    D

    So, in the past we did everything right.
    Thank you.

  • Wireguard refusing handshake bug from gui

    2
    1 Votes
    2 Posts
    1k Views
    G

    Thanks, this fix definitely worked and I can confirm this is the problem with my setup, has anyone already tried to implement a patch or a script to run on startup to fix this? New to the PfSense project and a big fan of wireguard, is there a github/ gitlab where we can submit issues/ fixes for this? [EDIT: disregard, it seems that the tunnel reset corrected the issue initially, although follow up attempts have been met with a working handshake but no flowing traffic, Might be easier to move to another VPN protocol at this stage]

  • Wiregard Point to Point?

    3
    0 Votes
    3 Posts
    344 Views
    chpalmerC

    Spent some time on this over the weekend and quite happy with the results. ;)

    Anyone try it from a Starlink fed site yet? I will get the chance to try in the coming weeks.

  • Wireguard VPN clinet -LAN + WiFi(OPT4)

    3
    0 Votes
    3 Posts
    386 Views
    N

    @Jarhead -Thanks for hint.

    Correct-OPT4 is on ....3.100/24 and LAN is on .....1.100/24.
    I went to Firewall-NAT-Outbound, changed Outbound NAT Mode from Manual Outbound NAT to Automatic Outbound NAT. pfsense added 2 rules in which a WireGuard Interface takes OPT4 address space as source. (along with LAN address space).

    Quick and easy. Maybe adding manual rules is a next part of learning curve.

  • Debian 11 as server, pfSense as client.

    2
    0 Votes
    2 Posts
    307 Views
    K

    Debian is radius server, several pfSenses with their captive portals are clients.

  • pfSense and Wireguard. Issues..... GRR

    11
    0 Votes
    11 Posts
    2k Views
    D

    @Jarhead
    Yeah. I get it. I've read some conflicting info while researching this along with some videos that contradicted some of what I saw. I've gone down so many rabbit holes that I lost track of what I had and had not tried.

    That and not noticing my typo (32 vs 24) didn't help.

    But thanks.

  • pfSense with Wireguard. Difficulties getting setup.

    5
    0 Votes
    5 Posts
    1k Views
    D

    This is what the android client looks like when it try to enable split tunnel configuration. It refuses to connect.

  • Client Device says it connected. But pfSense doesn't seem to agree.....

    2
    0 Votes
    2 Posts
    333 Views
    D

    I got it resolved. I have a bit of an unusual situation. The modem provided by my ISP has a built-in router which I don't want to use. I had originally planned to downgrade it to pass-through mode (so it would only function as a modem). I had the ISP make the change for me as they are the only ones who can do so.

    But no matter what I did, pfSense refused to connect to the internet that way. So I had them put it back the way it was. pfSense uses it as the gateway but it sees the ip address assigned to it internally as its "public IP address".

    Dynamic DNS still works because we're making external calls to update the DDNS and the remote DDNS server knows the external IP address.

    It's been running like this for more than a year without a hiccup. Anyway -- I had to login to the ISP router and tell it to forward port 51820 to the pfSense router. As soon as I did that, my phone was able to connect without a hitch and access my home assistant server via the VPN (I turned off WiFi on my phone for the test).

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.