WireGuard works and yet it doesn't.
-
I figured I'd give WireGuard another try, and the most unexpected thing happened.
I made a site-to-site setup, one with a client with a dynamic IP, however with other networks aside from the connecting IP.
On the pfSense router I can ping the WireGuard gateway. However, from any of the clients in the network I can't seem to do that. However, I am able to ping the WireGuard-assigned interface IP.
It boggles my mind; I can't seem to figure out what is going wrong. Anyone?
From the router:
ping 10.44.91.1
PING 10.44.91.1 (10.44.91.1): 56 data bytes
64 bytes from 10.44.91.1: icmp_seq=0 ttl=64 time=18.572 ms
64 bytes from 10.44.91.1: icmp_seq=1 ttl=64 time=20.009 ms
64 bytes from 10.44.91.1: icmp_seq=2 ttl=64 time=22.561 ms
From a client behind the router, pinging the tunnel-assigned IP:
% ping 10.44.91.51
PING 10.44.91.51 (10.44.91.51): 56 data bytes
64 bytes from 10.44.91.51: icmp_seq=0 ttl=64 time=0.201 ms
64 bytes from 10.44.91.51: icmp_seq=1 ttl=64 time=0.162 ms
^C
--- 10.44.91.51 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.162/0.181/0.201/0.019 ms
Now pinging the tunnel's gateway from the client:
ping 10.44.91.1
PING 10.44.91.1 (10.44.91.1): 56 data bytes
^C
--- 10.44.91.1 ping statistics ---
6 packets transmitted, 0 packets received, 100.0% packet loss
The client side of the tunnel has "route all traffic" set.
Edit: and the firewall rules are set to allow any.
-
@ofloo I know what is wrong, only not how to fix it. WireGuard isn't respecting sticky connections.
router1 -------.
               |
               `- router3
router2 -------'
A client behind router3 is requesting a packet. There's a WireGuard tunnel between router2 and router3. There is an OpenVPN connection between router1 and router3.
There is an IPsec between router1 and router2.
The client on router3 is requesting a packet; this is routed to router2 and there it is NATed onto the internet. The traffic coming back doesn't return from router2 to router3. It returns from router2 to router1, where it gets filtered by the default deny rule, however that even has allow all.
All routers run FRR BGP
-
@ofloo Figured it out: the BGP raw configuration was overwriting the configuration. So basically it never got updated and kept running the old config.
Must have updated the configuration and hit save at some point in the past.
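To make the failure mode in the second post concrete, here is an added illustration; it is not from the thread and is not pfSense or FRR code. It models a pf-style stateful firewall in which an allow-all rule still creates TCP state only on the initial SYN (pf's default "flags S/SA"), and runs one TCP handshake twice: once with the reply coming back through router3 (symmetric) and once with the reply coming back through router1, as in the thread. The client address 10.44.90.10, the port numbers and the destination 93.184.216.34 are constructed, and the NAT step at router2 is left out because it does not change which router lacks state.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags: "S" (SYN), "SA" (SYN-ACK), "A" (ACK)

    def reply(self, flags: str) -> "Packet":
        """Build the return packet with endpoints swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport, flags)


class StatefulFirewall:
    """Allow-all policy with pf-like state tracking: a new state is created
    only by a bare SYN, and anything else without a matching state falls
    through to the implicit default deny."""

    def __init__(self, name: str):
        self.name = name
        self.states: set = set()
        self.log: list = []

    @staticmethod
    def _key(p: Packet):
        # Direction-agnostic key so the reply matches the state the SYN made.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def forward(self, p: Packet) -> bool:
        k = self._key(p)
        if k in self.states:
            verdict = "pass (existing state)"
        elif p.flags == "S":
            self.states.add(k)
            verdict = "pass (allow-all rule, new state)"
        else:
            verdict = "drop (default deny: no state and not a SYN)"
        self.log.append(
            f"{self.name}: {p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}] {verdict}"
        )
        return verdict.startswith("pass")


def send(path, p: Packet) -> bool:
    """Push one packet through the firewalls on a path; stop at the first drop."""
    for fw in path:
        if not fw.forward(p):
            return False
    return True


def run_session(outbound, inbound) -> bool:
    """Client SYN out via `outbound`, server SYN-ACK back via `inbound`."""
    syn = Packet("10.44.90.10", 51000, "93.184.216.34", 443, "S")  # constructed
    if not send(outbound, syn):
        return False
    return send(inbound, syn.reply("SA"))


def scenario(symmetric: bool):
    """Return (handshake_completed, combined firewall log) for one topology."""
    r1, r2, r3 = (StatefulFirewall(n) for n in ("router1", "router2", "router3"))
    outbound = [r3, r2]                      # client behind router3, exits via router2
    inbound = [r2, r3] if symmetric else [r2, r1]  # thread's case: reply goes to router1
    ok = run_session(outbound, inbound)
    return ok, r1.log + r2.log + r3.log


if __name__ == "__main__":
    for sym in (True, False):
        ok, logs = scenario(sym)
        print("symmetric" if sym else "asymmetric", "->", "ok" if ok else "FAILED")
        for line in logs:
            print("  ", line)
```

In the asymmetric run the SYN-ACK is passed by router2 (it holds the state) and dropped by router1, which never saw the SYN; an allow-all rule on router1 does not help because that rule only creates state on a SYN. That matches the thread: the fix is to make the return route symmetric again (here, the stale FRR BGP configuration was steering it wrong), or, as a workaround on the affected interface, to relax state tracking so the firewall accepts mid-stream packets.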