Netgate Discussion Forum
    Wireguard Pfsense gets handshake with ports closed...

    Category: WireGuard | 4 Posts, 2 Posters, 658 Views
    Jeep5798

      This is a copy of my post on Reddit.

      I am hoping that someone here can help me. I am either having the biggest BRUH moment right now trying to work with this, or I have missed something somewhere. I set up a site-to-site with a friend (friend1) and it's working fine. Today I tried to set up another site-to-site with a different friend (friend2) and it won't connect at all. I have a suspicion that it's something to do with blocked ports because of his ISP.

      I wanted to do some tests with my working WG connection with friend1. I disabled the opened ports on their firewall, but somehow it was still able to handshake. Tried disabling the ports on my end. Still got a handshake. Tried disabling anything firewall related and STILL GOT A HANDSHAKE. As a last thing I wanted to check, I used the firewall and BLOCKED the port that my WG is running on. STILL GOT A HANDSHAKE.

      I am now at the biggest WTF moment. How is this thing still getting a handshake when I have blocked the port? One thing I have noticed is that there are never any states on those ports that I open, meaning that somehow they are connecting by another method. Please, someone give me advice on how this is happening. I can send screenshots of how everything is configured. I followed the guide here. In the video he showed the ports needing to be opened and they had states across them...

      jimp (Rebel Alliance Developer, Netgate)

        No matter what rule changes you make, packets can still pass if there is an entry in the state table matching the exact source/destination.

        Sounds like you either didn't reset states or didn't wait for the old states to expire between tests.

        See also:
        https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#check-the-state-table

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        Jeep5798 @jimp
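        The check jimp describes above, as an added example that is not part of this thread or of Netgate's documentation: a POSIX shell script that pulls the WireGuard UDP states out of `pfctl -ss` and prints the `pfctl -k` commands that would kill them. It assumes the firewall itself is the WireGuard endpoint, that the listen port is 51820, and that `pfctl -ss` prints pf's plain state format with no NAT segments; the addresses are from the RFC 5737 documentation ranges and the sample state table is constructed, used only when `pfctl` is not on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): find the pf states that keep a WireGuard
# peer talking after its firewall rule is removed, and emit the pfctl commands
# that kill them. Assumptions: the firewall itself is the WireGuard endpoint,
# the listen port is 51820, and `pfctl -ss` prints pf's plain format
# ("iface proto local <- peer" inbound, "iface proto local -> peer" outbound)
# with no NAT segments.

WG_PORT="${WG_PORT:-51820}"

# Constructed sample of `pfctl -ss` output using documentation addresses;
# used only when pfctl is not on the PATH (e.g. when run off the firewall).
SAMPLE_STATES='all udp 192.0.2.10:51820 <- 198.51.100.7:51820       MULTIPLE:MULTIPLE
all udp 192.0.2.10:51820 -> 203.0.113.22:51820       MULTIPLE:MULTIPLE
all tcp 192.0.2.10:443 <- 203.0.113.9:51234       ESTABLISHED:ESTABLISHED
all udp 192.0.2.10:1194 <- 203.0.113.5:40000       MULTIPLE:MULTIPLE'

# Keep only UDP states whose local or remote side uses the WireGuard port.
# Reads state-table text on stdin; $1 is the port.
wg_states() {
    awk -v port="$1" '
        BEGIN { re = ":" port "$" }
        $2 == "udp" && ($3 ~ re || $5 ~ re)
    '
}

# Extract the peer host from each state line. Field 5 is the peer for both
# "local <- peer" (inbound) and "local -> peer" (outbound) states.
state_peer() {
    awk '{ host = $5; sub(/:[0-9]+$/, "", host); print host }'
}

# pfctl -k semantics: "-k host" kills states originating from host;
# "-k 0.0.0.0/0 -k host" kills states from anywhere to host. Both are needed
# because pf keys each state on the direction in which it was created.
kill_state_cmds() {
    printf 'pfctl -k %s\n' "$1"
    printf 'pfctl -k 0.0.0.0/0 -k %s\n' "$1"
}

main() {
    if command -v pfctl >/dev/null 2>&1; then
        states=$(pfctl -ss)
    else
        states=$SAMPLE_STATES
    fi
    matches=$(printf '%s\n' "$states" | wg_states "$WG_PORT")
    if [ -z "$matches" ]; then
        echo "no states on udp/$WG_PORT; rule changes take effect for the next packet"
        return 0
    fi
    echo "live states on udp/$WG_PORT (a new block rule does not touch these):"
    printf '%s\n' "$matches"
    echo "commands to kill them (review, then pipe into sh):"
    printf '%s\n' "$matches" | state_peer | sort -u | while read -r peer; do
        kill_state_cmds "$peer"
    done
}

main "$@"
```

        The GUI equivalents in pfSense are Diagnostics > States (filter on the port) to see the entries, and Diagnostics > States > Reset States, or `pfctl -F states` from a shell, to flush the whole table. One caveat when "waiting for states to expire" instead: a WireGuard peer with a persistent keepalive configured sends a packet every 25 seconds by the usual recommendation, which refreshes the state before pf's default udp.multiple timeout of 60 seconds, so that state never expires on its own and a block test will keep passing traffic until the state is killed.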

          Each time I modified the firewall rules I would restart the service. Does that not clear out the state? Also, I made a discovery that if I don't manually create the gateway, then the status will forever say "handshake never". I am still trying to figure out why, when I close the ports on my WAN, I am still getting a connection.

          jimp (Rebel Alliance Developer, Netgate)

            The service has nothing to do with the contents of the firewall state table.

            Look over all the links in my previous reply; it's all explained there. It's not a WireGuard issue, it's a fundamental aspect of stateful firewall behavior.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.