Netgate Discussion Forum
    Routing via Site2Site Wireguard for a specific client

    Category: Routing and Multi WAN
    19 Posts, 2 Posters, 1.6k Views

      viragomann @thisisagoodfirewall

      @thisisagoodfirewall
      The NAT rules are useless as long as you have the automatic mode enabled.


        thisisagoodfirewall @viragomann

        @viragomann
        I have the Hybrid Outbound NAT mode enabled as visible in the picture.
        Am I doing this right?


          viragomann @thisisagoodfirewall

          @thisisagoodfirewall
          I see. Seemed it was the automatic mode.

          From the concerned client can you ping 8.8.8.8?


            thisisagoodfirewall @viragomann

            @viragomann

            Nope. Cannot ping 8.8.8.8.

            Can reach the network on Site A; the last hop in the trace is a DNS server.

            I assigned a dns server from Site A.

            DNS is working.

            [screenshot]

            Internet is not. Cannot ping 8.8.8.8.


              viragomann @thisisagoodfirewall

              @thisisagoodfirewall
              So this leads me to suspect that the outbound NAT doesn't work.

              To be sure, did you do the outbound settings at A?


                thisisagoodfirewall @viragomann

                @viragomann
                Site A:
                [screenshot]


                  viragomann @thisisagoodfirewall

                  @thisisagoodfirewall
                  This should work from the point of NAT rules.
                  However, that one on OPT1 should not be needed. It would only impact access from A to B.

                  Do the firewall rules on the VPN interface allow internet access?


                    thisisagoodfirewall @viragomann

                    @viragomann

                    OPT1 is the mapping for my openvpn service. Local LAN of Site A (192.168.1.0/24) to VPN Provider.

                    The Gateway of the Wireguard Site2Site tunnel allows all connections.
                    [screenshot]

                    Still can't figure out why the client on Site B cannot connect via the gateway.


                      viragomann @thisisagoodfirewall

                      @thisisagoodfirewall said in Routing via Site2Site Wireguard for a specific client:

                      OPT1 is the mapping for my openvpn service. Local LAN of Site A (192.168.1.0/24) to VPN Provider.

                      Ah, I see.

                      Could it be that the upstream traffic from the client at B is also routed to this VPN provider due to the site A routing table?


                        thisisagoodfirewall @viragomann

                        @viragomann

                        This could be an issue, lets see.

                        This is the Outbound NAT of Site B.

                        [screenshot]

                        If I create a firewall rule for the client on Site B, I skip the VPN provider and use the WAN instead.
                        [screenshot]

                        I just want my client to not use the WAN Gateway but the Wireguard Tunnel Gateway s2sgw and have the traffic routed via the Site A internet.


                          viragomann @thisisagoodfirewall

                          @thisisagoodfirewall
                          Yes, you can do this with a policy routing rule, but consider that you will have to allow DNS access to the local server with an additional rule above this one, or even forward DNS requests to a public server.


                            thisisagoodfirewall @viragomann
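As an added illustration of the rule-order point in the reply above (this is constructed example code, not code from the thread, from pfSense, or from either poster): pfSense evaluates LAN pass rules top to bottom and the first match wins, so a single "client to any via s2sgw" rule also captures the client's DNS queries to the local resolver and pushes them into the tunnel. The simulator below models that first-match behaviour. The gateway name s2sgw and the Site A LAN 192.168.1.0/24 are taken from the thread; the Site B client, LAN and resolver addresses are assumptions.

```python
"""First-match model of pfSense LAN rules with policy routing (added example).

Not code from the thread or from pfSense. Only the gateway name "s2sgw" and the
Site A LAN 192.168.1.0/24 come from the discussion; every other address below is
a constructed assumption for the Site B side.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed Site B addresses (assumed, not from the thread).
CLIENT = "192.168.2.50"        # the one host that should use the tunnel
LAN_B = "192.168.2.0/24"       # Site B LAN
RESOLVER_B = "192.168.2.1"     # pfSense at Site B, acting as the local DNS resolver
LAN_A = "192.168.1.0/24"       # Site A LAN, as stated in the thread


@dataclass(frozen=True)
class Rule:
    src: str                 # source host/network in CIDR, or "any"
    dst: str                 # destination host/network in CIDR, or "any"
    dport: Optional[int]     # destination port, None = any port
    gateway: Optional[str]   # policy-routing gateway; None = follow the routing table
    description: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def _in(addr: str, spec: str) -> bool:
    """Address membership test with pfSense-style "any"."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_in(pkt.src, rule.src)
            and _in(pkt.dst, rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def egress(rules: List[Rule], pkt: Packet) -> str:
    """The first matching pass rule decides; no match is pfSense's implicit block.

    Returns the gateway name, "routing table" for a plain pass rule, or "blocked".
    """
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.gateway or "routing table"
    return "blocked"


# Rule set 1: only the policy-routing rule for the client (the gotcha).
POLICY_ONLY = [
    Rule(f"{CLIENT}/32", "any", None, "s2sgw", "client -> anywhere via Site A tunnel"),
    Rule(LAN_B, "any", None, None, "default LAN allow"),
]

# Rule set 2: local destinations first, policy-routing rule after them.
DNS_FIRST = [
    Rule(f"{CLIENT}/32", f"{RESOLVER_B}/32", 53, None, "client -> local resolver, port 53"),
    Rule(f"{CLIENT}/32", LAN_B, None, None, "client -> rest of Site B LAN, no policy route"),
    Rule(f"{CLIENT}/32", "any", None, "s2sgw", "client -> anywhere via Site A tunnel"),
    Rule(LAN_B, "any", None, None, "default LAN allow"),
]

# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet(CLIENT, RESOLVER_B, 53),          # client asking the local resolver
    Packet(CLIENT, "8.8.8.8", 443),          # client browsing the internet
    Packet(CLIENT, "192.168.1.10", 22),      # client reaching a Site A host
    Packet("192.168.2.60", "8.8.8.8", 443),  # another LAN host, must stay on WAN
]


if __name__ == "__main__":
    for name, rules in (("policy rule only", POLICY_ONLY), ("DNS rule first", DNS_FIRST)):
        print(f"--- {name} ---")
        for pkt in SAMPLE_PACKETS:
            print(f"{pkt.src} -> {pkt.dst}:{pkt.dport:<4} {egress(rules, pkt)}")
```

With POLICY_ONLY the client's query to 192.168.2.1:53 is sent to s2sgw instead of the local resolver, which is exactly why name resolution breaks; with DNS_FIRST the resolver and the rest of the Site B LAN match earlier plain pass rules and only everything else is policy-routed through the tunnel.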

                            @viragomann

                            Site B gateways:
                            [screenshot]
                            I need to route via site1gw.

                            This is Site A gateways:
                            [screenshot]

                            Site A static route:
                            [screenshot]

                            Site B static route:
                            [screenshot]

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.