Netgate Discussion Forum
    Firewall rules for IPSec affecting Wireguard

    Firewalling

    RadioRobot:

      Hello.
      I have a Wireguard tunnel connected from pfSense to a remote site.
      Windows clients are connected to an IKEv2 server on the pfSense.
      There are three separate tabs for these connections on the Firewall rules page: OPT (the WireGuard assigned interface), WireGuard and IPsec.
      Both OPT and WireGuard are currently set to allow all traffic.
      But the IPsec connection is limited to allow only commonly used ports.
      The problem is that the rules listed on the IPsec tab are affecting my WireGuard connection. For example, if I block ICMP traffic, all ping packets between pfSense and the remote location (connected through WireGuard) become blocked.

      JKnott (replying to RadioRobot):

        @radiorobot

        Where are you placing those rules?

        RadioRobot (replying to JKnott):

          @jknott
          IPsec tab: forbid all but port 80 (for example)
          WireGuard tab: allow all
          OPT tab: allow all

          Result: when I ping a host connected through WireGuard, there is no reply. When I add a rule that allows ICMP on the IPsec tab, the ping goes through.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.