WireGuard on pfSense behind ISP router. Why do I need a static route?
@viragomann said in WireGuard on pfSense behind ISP router. Why do I need a static route?:
Maybe I misunderstood your post and you've it set up this way already?
Yes, that's the current setup: https://imgur.com/a/B1xla5Y
What's confusing, I suppose, is that there are two "LAN"s - one for the ISP router (which includes the WAN address of the pfSense box) and one behind pfSense. -
@viragomann said in WireGuard on pfSense behind ISP router. Why do I need a static route?:
You must not state an IP in the WG interface settings and you must not state a gateway there at all.
Anyway there is no need to assign an interface to the WG instance as long as you don't need to policy route traffic to the remote site or other special purposes.
OK, I've removed the WG interface, moved the 'allow WG traffic' rule to the WireGuard tab, and removed the static route for WG traffic and the dedicated gateway rule for WG. But things are not working. I can establish a handshake, but my phone WG_PEER cannot even ping the WG_HOST interface (10.0.100.1).
Any clues as to what I'm doing wrong? The WireGuard firewall rule is trivial: all IPv4 traffic is allowed from * source to * destination.
-
@dangersheep
Yes, and also LAN devices are missing in the drawing. -
@viragomann
Right, I figured that would confuse things but it might have been good to specify which LAN I was talking about. I'm referring to the LAN behind pfSense. Once I'm established on the wg tunnel with handshake performed, I can't even ping the other end of the wireguard tunnel (the WG_HOST interface) let alone the pfSense LAN interface. -
@dangersheep
Did you remove the interface already or at least the IP and gateway settings?
Did you add a firewall rule to Wireguard or even the specific interface to allow access?
-
@Bob-Dig Thank you. I've followed all your instructions. I've deleted the static route; I've deleted the wireguard gateway (now it defaults to WAN_DHCP); I've deleted the assigned interface for wireguard. However, the most I can do is establish a handshake.
On my phone with wg active, I see a 'healthy' tx volume (23 KiB) after a minute or two, but just 700 B of rx traffic. The connection doesn't seem to be replying 'properly'.
-
@viragomann said in WireGuard on pfSense behind ISP router. Why do I need a static route?:
Did you remove the interface already or at least the IP and gateway settings?
I removed the assigned interface. And I removed the gateway dedicated to WG. Now I only have one gateway (for each IPv4 and v6) and I explicitly made "WAN_DHCP(6)" the default gateway for pfSense.
-
@viragomann said in WireGuard on pfSense behind ISP router. Why do I need a static route?:
Did you add a firewall rule to Wireguard or even the specific interface to allow access?
Yes.
On the WAN interface, there is one rule allowing all IPv4 UDP traffic addressed to the port 51820 on the WAN interface to pass.
On the WireGuard firewall tab (there is no longer a tab for the assigned interface - deleted - so this is just whatever default WireGuard 'interface' exists) there is just one rule that allows all IPv4 traffic to pass from any source/port to any source/port.
-
@dangersheep
So you should be able to ping the WG server IP and the pfSense LAN IP as well at least. Doesn't this work? -
As for how the rules are performing, I log when the WAN -> WG rule is passed, and I see that happening, with UDP traffic addressed to WAN_ADDRESS:51820.
There is lots of blocked UDP traffic on WAN_ADDRESS but it seems to be mainly on port 137 coming from all sorts of ports on the upstream ISP-router LAN address = default gateway.
In passing, why would there be traffic directed to pfSense_WAN:137 from the upstream gateway? I guess that's a response to a filesharing service somewhere behind pfSense - would that make any sense?
-
@viragomann said in WireGuard on pfSense behind ISP router. Why do I need a static route?:
So you should be able to ping the WG server IP and the pfSense LAN IP as well at least. Doesn't this work?
No, that does not work. pfSense is configured to respond to ping and does so from a device on the LAN subnet. But when connected to the wireguard tunnel, it is not possible to ping anything.
-
I can, for example, run wireshark on the wg interface on a device (using my phone data as hotspot). The handshake completes, but when I try to ping I see the ICMP traffic leaving 10.0.100.2 with destination 10.0.100.1 but never any reply.
-
@dangersheep said in WireGuard on pfSense behind ISP router. Why do I need a static route?:
In passing, why would there be traffic directed to pfSense_WAN:137 from the upstream gateway? I guess that's a response to a filesharing service somewhere behind pfSense - would that make any sense?
If you're running the filesharing behind pfSense and didn't expose it, no related packets should be seen on the WAN.
Maybe the router just tries to get NetBIOS information.
Do you see the packets, when sniffing the traffic on pfSense on the WG interface?
-
@viragomann said in WireGuard on pfSense behind ISP router. Why do I need a static route?:
Do you see the packets, when sniffing the traffic on pfSense on the WG interface?
So, I can see the handshake, watching the traffic on the wg interface from my remote device.
And I can see the ICMP arriving on the pfSense WG interface:
HH:53:42.411647 IP 10.0.100.2 > 10.0.100.1: ICMP echo request, id 18, seq 1, length 64 -
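The capture above shows an echo request arriving on the WG interface with nothing going back. When a capture has more than a handful of lines, it helps to let a script pair each ICMP echo request with its reply and report the ones that stay unanswered. The following is an added example, not code from the thread or from pfSense; the capture lines are constructed in tcpdump's default output format (the first line mirrors the shape of the one posted, with a placeholder hour), and a second, answered flow is included for contrast.

```python
import re
from collections import OrderedDict

# Constructed sample capture in tcpdump's default format (not a real capture).
# Flow 1 (10.0.100.2 -> 10.0.100.1) gets requests but no replies, like the thread's case.
# Flow 2 (192.168.1.20 -> 192.168.1.1) gets a reply, as a healthy LAN ping would.
SAMPLE_CAPTURE = """\
10:53:42.411647 IP 10.0.100.2 > 10.0.100.1: ICMP echo request, id 18, seq 1, length 64
10:53:43.420113 IP 10.0.100.2 > 10.0.100.1: ICMP echo request, id 18, seq 2, length 64
10:53:44.101000 IP 192.168.1.20 > 192.168.1.1: ICMP echo request, id 7, seq 1, length 64
10:53:44.101210 IP 192.168.1.1 > 192.168.1.20: ICMP echo reply, id 7, seq 1, length 64
"""

# Matches the ICMP echo request/reply lines tcpdump prints for IPv4 (other lines are ignored).
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)


def parse_icmp_lines(text):
    """Yield one dict per ICMP echo request/reply line; non-matching lines are skipped."""
    for line in text.splitlines():
        m = ICMP_RE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt["id"] = int(pkt["id"])
            pkt["seq"] = int(pkt["seq"])
            yield pkt


def unanswered_echo_requests(text):
    """Return (src, dst, id, seq) for every echo request that never saw a matching reply.

    A reply matches a request when it flows in the reverse direction and carries the
    same identifier and sequence number (the responder copies both from the request).
    """
    pending = OrderedDict()
    for pkt in parse_icmp_lines(text):
        if pkt["kind"] == "request":
            pending[(pkt["src"], pkt["dst"], pkt["id"], pkt["seq"])] = pkt["ts"]
        else:
            # Reverse the direction to find the request this reply answers.
            pending.pop((pkt["dst"], pkt["src"], pkt["id"], pkt["seq"]), None)
    return list(pending.keys())


def summarize(text):
    """Per (src, dst) pair: (requests sent, requests that got no reply)."""
    unanswered = set(unanswered_echo_requests(text))
    counts = {}
    for pkt in parse_icmp_lines(text):
        if pkt["kind"] != "request":
            continue
        key = (pkt["src"], pkt["dst"])
        sent, lost = counts.get(key, (0, 0))
        if (pkt["src"], pkt["dst"], pkt["id"], pkt["seq"]) in unanswered:
            lost += 1
        counts[key] = (sent + 1, lost)
    return counts


if __name__ == "__main__":
    for (src, dst), (sent, lost) in summarize(SAMPLE_CAPTURE).items():
        status = "NO REPLY" if lost == sent else "ok"
        print(f"{src} -> {dst}: {sent} sent, {lost} unanswered [{status}]")
```

Feed it the output of a pfSense packet capture (Diagnostics > Packet Capture, or `tcpdump -ni tun_wg0 icmp` on the shell) instead of `SAMPLE_CAPTURE`; a pair that shows every request unanswered means the reply either is never generated or is leaving through another interface, which is the next thing to capture on.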
@dangersheep
But no response?
To be sure, if you go to Status > Gateways, is there any other gateway shown aside from the WAN?
Does pfSense and the LAN devices even have internet access?
-
@viragomann
No reply, no. I just see that line.
Status > Gateways just shows the ISP router LAN interface address (IPv4 and 6) and both are 'online'. No other gateways.
pfSense and the LAN devices both have internet access.
-
@dangersheep
If I watch the pfSense LAN interface and ping from a device on that subnet, I get a response and I see the full request-reply exchange in the pfSense packet capture, so I think I'm doing it right.
There's really nothing coming back out of the WG interface.
-
What gateway should traffic on the wireguard tunnel use? Surely you want that traffic to go back out the wireguard interface, not out the default gateway?
Aren't the packets being encrypted, at the remote wg interface (we see them hitting that interface), travelling down the tunnel, being decrypted and hitting the pfSense wg interface (we see them arriving), and then sent back out the default gateway? What guarantees that the wg traffic goes back out the tunnel?
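What sends a reply back into the tunnel rather than out the default gateway is ordinary longest-prefix routing plus WireGuard's own per-peer "cryptokey routing" table: the kernel needs a route for the peer's tunnel address that points at the WG interface (more specific than the default route), and WireGuard then needs a peer whose AllowedIPs contain the destination, or it silently drops the packet. The following is an added example, not code from the thread, from pfSense or from the WireGuard project; it models both lookups in a simplified way. The addresses (tunnel 10.0.100.0/24, phone peer 10.0.100.2, a LAN 192.168.1.0/24) follow the thread, the interface names "wan", "lan" and "wg0" are placeholders, and installing a kernel route per AllowedIPs prefix is assumed to be what the host does (as wg-quick does); the exact route handling of the pfSense package is not asserted here.

```python
import ipaddress


class WireGuardNode:
    """Simplified host: one WireGuard interface ("wg0"), a kernel routing table, and
    WireGuard's per-peer AllowedIPs (cryptokey routing) table."""

    def __init__(self, name, default_gw_iface):
        self.name = name
        self.peers = {}  # peer name -> list of AllowedIPs networks
        # Kernel routing table as (network, egress interface); the default route matches last
        # because longest-prefix match prefers more specific entries.
        self.routes = [(ipaddress.ip_network("0.0.0.0/0"), default_gw_iface)]

    def add_route(self, network, iface):
        self.routes.append((ipaddress.ip_network(network), iface))

    def add_peer(self, name, allowed_ips, install_routes=True):
        nets = [ipaddress.ip_network(a) for a in allowed_ips]
        self.peers[name] = nets
        if install_routes:
            # Assumption: one kernel route per AllowedIPs prefix towards the tunnel interface.
            for n in nets:
                self.add_route(n, "wg0")

    def kernel_route(self, dst):
        """Longest-prefix match over the kernel table; returns the egress interface."""
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen)[1]

    def cryptokey_peer(self, dst):
        """WireGuard's lookup: the peer whose AllowedIPs contain dst (most specific wins)."""
        dst = ipaddress.ip_address(dst)
        best, best_len = None, -1
        for name, nets in self.peers.items():
            for n in nets:
                if dst in n and n.prefixlen > best_len:
                    best, best_len = name, n.prefixlen
        return best

    def egress(self, dst):
        """Where a locally generated packet (e.g. an echo reply) ends up:
        (iface, None) for a non-tunnel interface, ("wg0", peer) when it is encrypted to
        a peer, or ("drop", None) when wg0 receives it but no peer's AllowedIPs match."""
        iface = self.kernel_route(dst)
        if iface != "wg0":
            return (iface, None)
        peer = self.cryptokey_peer(dst)
        return ("wg0", peer) if peer else ("drop", None)


def scenarios():
    """Two constructed pfSense-side setups: a correct one and a mis-set AllowedIPs."""
    ok = WireGuardNode("pfSense", "wan")
    ok.add_route("192.168.1.0/24", "lan")
    ok.add_peer("phone", ["10.0.100.2/32"])  # phone's tunnel address is allowed

    bad = WireGuardNode("pfSense", "wan")
    bad.add_route("192.168.1.0/24", "lan")
    bad.add_route("10.0.100.0/24", "wg0")  # connected route from the tunnel's /24 address
    bad.add_peer("phone", ["10.0.100.3/32"])  # wrong host: 10.0.100.2 is not allowed

    return {
        "reply_to_phone_ok": ok.egress("10.0.100.2"),
        "reply_to_internet_ok": ok.egress("203.0.113.10"),
        "reply_to_lan_ok": ok.egress("192.168.1.20"),
        "reply_to_phone_bad": bad.egress("10.0.100.2"),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label}: {result}")
```

The "bad" case is the one that looks exactly like the thread's symptom: the request is decrypted and visible on the WG interface, the reply is routed back towards wg0 because the tunnel network is connected there, and WireGuard drops it because no peer is allowed to receive 10.0.100.2. In that situation a packet capture on wg0 shows only the inbound request, and no gateway or static route on the WAN side changes the outcome; the peer's AllowedIPs on the pfSense side is what to check.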