Netgate Discussion Forum

    Block Wireguard site-to-site traffic via a certain WAN?

    • luckman212 (last edited by luckman212)

      x-post from here

      I have a WireGuard site-to-site setup to a datacenter. Works great! The only problem is, when SITE A's primary internet goes down, I want to drop the tunnel because the backup connection is a metered LTE and there are some large data transfers that occur over the tunnel that would absolutely kill the usage.

      Before you say "just block the WAN2 IP on the SITE B end" — both WAN IPs at SITE A are dynamic.

      I tried to set up a floating rule to tag all WG traffic that entered that specific S2S interface and then block it on the WAN2 rule, but that isn't working for some reason. Anyone got a solution for this? Seems like it might be a fairly common situation?

      I'm using pfSense Plus 22.05 on both ends.

      Possibly related Redmine: #13045

      • luckman212 (last edited by luckman212)

        This is the best I could come up with for now.

        It's a pair of floating rules (block/quick), one for each direction (in/out). In the screenshot below, n_coresite_ext is an IP alias of the far-end static IP/subnet, 51828 is the listen port on the far-end tunnel, and WAN2_RUT is my failover WAN interface (the one I do not want any WG traffic to traverse).

        It also helps to have wgfix.sh (GitHub) installed.

        [Screenshot: the two floating block/quick rules on WAN2_RUT]

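For readers who want to see what the two floating rules above amount to at the packet-filter level, here is an added pf.conf rendering of them. It is not from the post or from pfSense's generated ruleset; the interface name `ue0`, the peer address `203.0.113.10` and the `log` keyword are assumptions, while the alias name, the port 51828 and the block/quick-per-direction design come from the post.

```pf
# Added example (not the poster's configuration): pf.conf equivalent of the
# two floating block/quick rules on the failover WAN.
wan2_if = "ue0"                           # placeholder: physical interface behind WAN2_RUT
table <n_coresite_ext> { 203.0.113.10 }   # placeholder: far-end static IP, i.e. the alias
wg_port = "51828"                         # far-end WireGuard listen port, as in the post

# Direction "out": local WireGuard packets (handshakes and data) are dropped
# before they can leave via the metered link. "quick" makes this rule final,
# so no later pass rule on WAN2 can let the tunnel re-establish there.
block out quick log on $wan2_if proto udp from any to <n_coresite_ext> port $wg_port

# Direction "in": anything the far end sends to this link is dropped as well,
# so no state can be created from the peer side during a failover.
block in quick log on $wan2_if proto udp from <n_coresite_ext> port $wg_port to any
```

pfSense writes the rules it generates from the GUI to /tmp/rules.debug, so `grep 51828 /tmp/rules.debug` shows the actual pf text behind the screenshot, and `pfctl -vvsr | grep 51828` lists the loaded rules with their evaluation and match counters, which is the quickest way to confirm during a failover test that the drops are really happening on WAN2_RUT. Floating rules are evaluated before per-interface rules, which is why the match-first `quick` option matters: without it, pf's last-match-wins semantics would let a later pass rule override the block.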
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.