Netgate Discussion Forum

    Routing via Site2Site Wireguard for a specific client

Category: Routing and Multi WAN
    19 Posts 2 Posters 1.6k Views
thisisagoodfirewall @viragomann

      @viragomann
      I have the Hybrid Outbound NAT mode enabled as visible in the picture.
      Am I doing this right?

viragomann @thisisagoodfirewall

        @thisisagoodfirewall
I see. It seemed like it was the automatic mode.

        From the concerned client can you ping 8.8.8.8?

thisisagoodfirewall @viragomann

          @viragomann

Nope, cannot ping 8.8.8.8.

Can reach the network on Site A - the last trace hop is a DNS server.

I assigned a DNS server from Site A.

DNS is working.

[screenshot attached: 32a04684-44bc-4595-bf0e-8c081b547ded-image.png]

Internet is not. Cannot ping 8.8.8.8.

viragomann @thisisagoodfirewall

            @thisisagoodfirewall
So this lets me suspect that the outbound NAT doesn't work.

            To be sure, did you do the outbound settings at A?

thisisagoodfirewall @viragomann

              @viragomann
              Site A:
[screenshot attached: a799b163-12f5-401c-9ae4-9cb0954c858b-image.png]

viragomann @thisisagoodfirewall

                @thisisagoodfirewall
                This should work from the point of NAT rules.
                However, that one on OPT1 should not be needed. It would only impact access from A to B.

                Do the firewall rules on the VPN interface allow internet access?

thisisagoodfirewall @viragomann

                  @viragomann

                  OPT1 is the mapping for my openvpn service. Local LAN of Site A (192.168.1.0/24) to VPN Provider.

The gateway of the WireGuard site-to-site tunnel allows all connections.
[screenshot attached: 732c9324-ed37-4c20-aeb2-99f3aa6707f9-image.png]

                  Still can't figure out why Client on Side B can not connect via the Gateway.

viragomann @thisisagoodfirewall

@thisisagoodfirewall said in Routing via Site2Site Wireguard for a specific client:

> OPT1 is the mapping for my openvpn service. Local LAN of Site A (192.168.1.0/24) to VPN Provider.

                    Ah, I see.

                    Could it be that the upstream traffic from the client at B is also routed to this VPN provider due to the site A routing table?

thisisagoodfirewall @viragomann

                      @viragomann

This could be an issue, let's see.

This is the Outbound NAT of Site B.

[screenshot attached: ad879963-5ebb-4fde-8980-60f1386bdea6-image.png]

If I create a firewall rule for the client on Site B, I skip the VPN provider and use the WAN instead.
[screenshot attached: 2d4b60e1-031b-4309-a3cd-269b4ae02596-image.png]

                      I just want my client to not use the WAN Gateway but the Wireguard Tunnel Gateway s2sgw and have the traffic routed via the Site A internet.

viragomann @thisisagoodfirewall

                        @thisisagoodfirewall
Yes, you can do this with a policy routing rule, but consider that you will have to allow DNS access to the local server with an additional rule above this one, or even forward DNS requests to a public server.

thisisagoodfirewall @viragomann
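To make the two points in this exchange concrete (a policy-routing rule that sends one client through the tunnel gateway, and the need for a local-DNS rule above it), here is a small model of pfSense-style first-match rule evaluation, longest-prefix route lookup and outbound NAT. It is an added example, not code from the thread or from pfSense; only the Site A LAN 192.168.1.0/24 and the gateway name s2sgw come from the thread, while the Site B LAN 192.168.2.0/24, the client 192.168.2.50, the gateway and interface names at Site A, and the NAT entries are constructed assumptions. Beyond the DNS case, it also models the suspicion raised earlier in the thread that Site A's routing table could send the client's upstream traffic to the VPN provider interface, where no outbound NAT entry covers the Site B source.

```python
# Added example: toy model of policy routing + outbound NAT for the Site B -> Site A
# -> Internet path discussed in the thread. Addresses other than 192.168.1.0/24
# and the gateway name s2sgw are constructed for this example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Pkt:
    src: str
    dst: str
    proto: str = "any"
    dport: Optional[int] = None


@dataclass
class Rule:
    """A pass rule on an interface; gateway=None means 'use the routing table'."""
    name: str
    src: str
    dst: str = "any"
    proto: str = "any"
    dport: Optional[int] = None
    gateway: Optional[str] = None


def _in(net: str, ip: str) -> bool:
    return net == "any" or ip_address(ip) in ip_network(net)


def rule_matches(r: Rule, p: Pkt) -> bool:
    return (_in(r.src, p.src) and _in(r.dst, p.dst)
            and r.proto in ("any", p.proto)
            and (r.dport is None or r.dport == p.dport))


def route_lookup(routes: dict, dst: str) -> str:
    """Longest-prefix match over {cidr: gateway}; 0.0.0.0/0 is the default route."""
    best = max((n for n in routes if _in(n, dst)),
               key=lambda n: ip_network(n).prefixlen)
    return routes[best]


def pick_gateway(rules: list, routes: dict, p: Pkt) -> str:
    """Rules are evaluated top-down; the first match decides, and a rule carrying
    a gateway policy-routes the packet regardless of the routing table."""
    for r in rules:
        if rule_matches(r, p):
            return r.gateway or route_lookup(routes, p.dst)
    raise PermissionError("no pass rule matched; packet is blocked")


def outbound_nat(nat: list, iface: str, p: Pkt) -> Optional[str]:
    """nat entries are (egress interface, source cidr, translated address);
    returns the translated source, or None when no entry applies."""
    for ifc, src, to in nat:
        if ifc == iface and _in(src, p.src):
            return to
    return None


# --- constructed topology ---
SITE_B_ROUTES = {"0.0.0.0/0": "wan_gw_b", "192.168.1.0/24": "s2sgw", "192.168.2.0/24": "local"}
A_GW_TO_IFACE = {"wan_gw_a": "WAN", "vpnprovider_gw": "OPT1", "siteb_gw": "WG", "local": "LAN"}
# Site A outbound NAT: its own LAN is translated on OPT1 (VPN provider) and on WAN;
# the Site B LAN is translated on WAN only.
SITE_A_NAT = [("OPT1", "192.168.1.0/24", "vpnprovider_ip"),
              ("WAN", "192.168.1.0/24", "a_wan_ip"),
              ("WAN", "192.168.2.0/24", "a_wan_ip")]
A_ROUTES_OK = {"0.0.0.0/0": "wan_gw_a", "192.168.2.0/24": "siteb_gw", "192.168.1.0/24": "local"}
# Variant of the suspicion raised in the thread: Site A's default route points at the VPN provider.
A_ROUTES_VPN_DEFAULT = {**A_ROUTES_OK, "0.0.0.0/0": "vpnprovider_gw"}

CLIENT = "192.168.2.50/32"
B_RULES_NO_DNS_EXCEPTION = [Rule("client via tunnel", CLIENT, gateway="s2sgw")]
B_RULES_WITH_DNS_EXCEPTION = [
    Rule("local DNS first", CLIENT, "192.168.2.1/32", "udp", 53),  # no gateway: stays local
    Rule("client via tunnel", CLIENT, gateway="s2sgw"),
]


def trace_from_b(p: Pkt, b_rules: list, a_routes: dict):
    """Returns (gateway chosen at B, egress interface at A, translated source at A).
    The last two are None when the packet never enters the tunnel."""
    gw = pick_gateway(b_rules, SITE_B_ROUTES, p)
    if gw != "s2sgw":
        return gw, None, None
    # The thread states the tunnel interface rules at A pass everything, so only
    # A's routing table and outbound NAT decide what happens next.
    iface = A_GW_TO_IFACE[route_lookup(a_routes, p.dst)]
    return gw, iface, outbound_nat(SITE_A_NAT, iface, p)


if __name__ == "__main__":
    dns = Pkt("192.168.2.50", "192.168.2.1", "udp", 53)
    ping = Pkt("192.168.2.50", "8.8.8.8", "icmp")
    print(trace_from_b(dns, B_RULES_NO_DNS_EXCEPTION, A_ROUTES_OK))    # DNS query leaves via the tunnel
    print(trace_from_b(dns, B_RULES_WITH_DNS_EXCEPTION, A_ROUTES_OK))  # stays local
    print(trace_from_b(ping, B_RULES_WITH_DNS_EXCEPTION, A_ROUTES_OK))           # egress WAN, NAT applied
    print(trace_from_b(ping, B_RULES_WITH_DNS_EXCEPTION, A_ROUTES_VPN_DEFAULT))  # egress OPT1, no NAT
```

The last call is the diagnostic worth keeping in mind: a packet can be policy-routed correctly at B and still die at A if A's route lookup picks an egress interface that has no outbound NAT entry for the Site B source network, so checking which interface A actually uses for the destination (not only the NAT table) is part of troubleshooting this setup.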

                          @viragomann

Site B gateways:
[screenshot attached: ec567ad8-ab56-434b-8ef3-5b696c41c567-image.png]
I need to route via site1gw.

This is Site A gateways:
[screenshot attached: 3b9632b9-bde1-4093-9e45-a1f45d336b57-image.png]

Site A static route:
[screenshot attached: 56037d33-f0b5-4348-839e-0d24360d5ecb-image.png]

Site B static route:
[screenshot attached: ee1cbffe-7c37-4258-8a18-8141ca19d98c-image.png]

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.