How do I manage firewall rules for WireGuard
-
@yobyot I don't fully understand your question.
You say that in the second config example, you altered the Allowed IPs of the peer. But you didn't do that, you changed the interface address.
Also, why are you using a bogon prefix? 4000::/3 is not yet assigned. Use ULAs instead.
-
@paoloposo Thanks!
Thanks for helping an IPv6 newbie.
What I mean was that when I change a peer's interface to connect using an IPv6 address, I am able to:
- ping pfSense local IPv4 gateway address
- reach external websites (performance is terrible)
Thanks for the suggestion re: ULAs. I was using a bogon because I didn't understand ULAs. Your pointer helped with that. (And, sheesh... /48s for ULAs. Wow! The more you use IPv6, the more you realize how big the space is.)
Anyway, I think I came close. There's just that one (or two) things I have misconfigured somewhere.
-
Thanks to @paoloposo, I was able to use ULAs to create an IPv6 tunnel.
When that WireGuard tunnel is up the "remote" peer (a MacBook Pro) can ping6 the ULA address in pfSense.
But I'm still all kinds of confused with respect to firewall rules and, esp., DNS.
How would I set the address of the pfSense DNS Resolver in the remote peer's WG settings?
And I'd also appreciate understanding how I could set up the remote peer to permit both IPv4 traffic and IPv6 traffic in the tunnel when the endpoint is a pfSense peer IPv6 endpoint. In this case, even when I remove the remote peer's IPv6 Addresses and Allowed IPs IPv6 settings (that is, they are IPv4 only), I connect but cannot access anything either on the local LAN or via the WAN.
Is there some magic to firewall rules I am missing? Both the interface rule and the WireGuard rule are set to any any for both IPv4 and IPv6.
Thanks in advance.
-
@yobyot said in How do I manage firewall rules for WireGuard:
How would I set the address of the pfSense DNS Resolver in the remote peer's WG settings?
Using the DNS option in the [Interface] section of the WireGuard configuration, like you've done in the provided examples.
Also, in case you haven't yet done this, be sure to lower the MTU on all affected interfaces (both on the WireGuard interface in pfSense and in the remote peer, using the MTU config option under [Interface]). Due to WireGuard overhead, it should be between 1280 and 1412. I use 1280.
@yobyot said in How do I manage firewall rules for WireGuard:
And I'd also appreciate understanding how I could set up the remote peer to permit both IPv4 traffic and IPv6 traffic in the tunnel when the endpoint is a pfSense peer IPv6 endpoint.
WireGuard transports both IPv4 and IPv6 traffic through the tunnel, regardless of which protocol the connection between two peers uses. So you could have an entirely IPv6 tunnel network with two peers connecting over IPv4, vice versa, or any other combination. If something in that regard currently does not work, it's likely due to misconfiguration. Make sure both ends have addresses in the same respective IPv4 or IPv6 subnet (pay special attention that the correct prefix size is selected in the pfSense interface configuration).
-
Thanks.
My question is about what to put in the DNS parameter of the WG settings. For IPv4, it’s obvious: it’s the address of the gateway.
But ::1 is the local peer's interface (and doesn't work), and I don't understand how to determine the IPv6 address that represents pfSense's IPv6 DNS (actually, unbound's) address on the remote pfSense peer.
-
@yobyot said in How do I manage firewall rules for WireGuard:
My question is about what to put in the DNS parameter of the WG settings. For IPv4, it’s obvious: it’s the address of the gateway.
It is the same for both, the address of pfSense in that tunnel...
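The two answers above come down to a handful of consistency conditions: both ends carry addresses from the same tunnel subnet per family, each side's AllowedIPs routes the other side's tunnel address, the remote's DNS entries are pfSense's own tunnel addresses (not ::1), and the MTU is lowered on both ends. The script below is an added example, not code from this thread, from pfSense or from the WireGuard project; it checks those conditions on two constructed wg-quick style configs (placeholder keys, a made-up ULA prefix, and a 2001:db8:: documentation address as the IPv6 endpoint), with a deliberately broken remote config showing how the mistakes discussed in the thread surface.

```python
"""Consistency checks for a pfSense <-> remote WireGuard tunnel (added example)."""
import ipaddress
from collections import defaultdict

MTU_MIN, MTU_MAX = 1280, 1412  # range suggested in the thread; applied to both ends here


def parse_wg(text):
    """Parse wg-quick style text into [(section_name, {key: [values]})].
    Repeated [Peer] sections stay separate; comma-separated lists are split."""
    sections, body = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            body = defaultdict(list)
            sections.append((line[1:-1], body))
            continue
        key, _, value = line.partition("=")
        body[key.strip()].extend(v.strip() for v in value.split(",") if v.strip())
    return sections


def interface(cfg):
    return next(body for name, body in cfg if name == "Interface")


def allowed_ips(cfg):
    return [ipaddress.ip_network(n, strict=False)
            for name, body in cfg if name == "Peer" for n in body["AllowedIPs"]]


def check_tunnel(pfsense_text, remote_text):
    """Return a list of misconfigurations; empty means addressing, routing,
    DNS and MTU agree between the pfSense side and the remote peer."""
    problems = []
    pf, rm = parse_wg(pfsense_text), parse_wg(remote_text)
    pf_if, rm_if = interface(pf), interface(rm)
    pf_addrs = [ipaddress.ip_interface(a) for a in pf_if["Address"]]
    rm_addrs = [ipaddress.ip_interface(a) for a in rm_if["Address"]]

    # 1. MTU lowered on both ends to leave room for the WireGuard/UDP overhead.
    for side, body in (("pfSense", pf_if), ("remote", rm_if)):
        mtu = int(body["MTU"][0]) if body["MTU"] else None
        if mtu is None or not MTU_MIN <= mtu <= MTU_MAX:
            problems.append(f"{side}: MTU {mtu} not in {MTU_MIN}..{MTU_MAX}")

    # 2. Each remote tunnel address lies inside the network pfSense has on its
    #    wg interface for the same family (this is where the prefix size matters).
    for r in rm_addrs:
        nets = [p.network for p in pf_addrs if p.version == r.version]
        if not any(r.ip in n for n in nets):
            problems.append(f"remote: {r} is outside pfSense tunnel network(s) {nets}")

    # 3. Routing both ways: pfSense's AllowedIPs must include the remote address,
    #    and the remote's AllowedIPs must route pfSense's tunnel address.
    pf_allowed, rm_allowed = allowed_ips(pf), allowed_ips(rm)
    for r in rm_addrs:
        if not any(r.ip in n for n in pf_allowed):
            problems.append(f"pfSense: AllowedIPs does not include remote {r.ip}")
    for p in pf_addrs:
        if not any(p.ip in n for n in rm_allowed):
            problems.append(f"remote: AllowedIPs does not route pfSense {p.ip}")

    # 4. The remote's DNS servers are pfSense's own tunnel addresses (v4 and/or v6),
    #    not ::1 or anything else the tunnel cannot reach.
    pf_ips = {p.ip for p in pf_addrs}
    for d in rm_if["DNS"]:
        try:
            ip = ipaddress.ip_address(d)
        except ValueError:
            continue  # a search domain, not an address
        if ip not in pf_ips:
            problems.append(f"remote: DNS {d} is not a pfSense tunnel address")
    return problems


# Constructed sample: pfSense side. ULA prefix and keys are placeholders.
PFSENSE_CONF = """
[Interface]
PrivateKey = PFSENSE_PRIVATE_KEY_PLACEHOLDER
Address = 10.60.0.1/24, fd3e:9b21:c7a0:1::1/64
ListenPort = 51820
MTU = 1280

[Peer]
# MacBook
PublicKey = MACBOOK_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.60.0.2/32, fd3e:9b21:c7a0:1::2/128
"""

# Constructed sample: remote peer using an IPv6 endpoint, tunnelling both
# families, with pfSense's tunnel addresses as its resolvers.
GOOD_REMOTE = """
[Interface]
PrivateKey = MACBOOK_PRIVATE_KEY_PLACEHOLDER
Address = 10.60.0.2/32, fd3e:9b21:c7a0:1::2/128
DNS = 10.60.0.1, fd3e:9b21:c7a0:1::1
MTU = 1280

[Peer]
PublicKey = PFSENSE_PUBLIC_KEY_PLACEHOLDER
Endpoint = [2001:db8::1]:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""

# Same remote with the mistakes from the thread: ::1 as DNS, an IPv6 address
# from the wrong /64, and no MTU override.
BAD_REMOTE = (GOOD_REMOTE
              .replace("fd3e:9b21:c7a0:1::2/128", "fd3e:9b21:c7a0:2::2/128")
              .replace("DNS = 10.60.0.1, fd3e:9b21:c7a0:1::1", "DNS = 10.60.0.1, ::1")
              .replace("MTU = 1280\n", ""))

if __name__ == "__main__":
    for label, conf in (("good", GOOD_REMOTE), ("bad", BAD_REMOTE)):
        print(label, check_tunnel(PFSENSE_CONF, conf) or "OK")
```

The broken config reports four findings (missing MTU, address outside the /64, pfSense not routing that address, and ::1 as DNS); the good one reports none. The check is deliberately about the wg configs only: pfSense firewall rules on the WireGuard interface and the DNS Resolver's listen interfaces are separate things this script cannot see.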
-
@yobyot said in How do I manage firewall rules for WireGuard:
I thought about posting this in the WireGuard topic but I think it's more appropriate here.
First off, I use OpenVPN and not WireGuard. However, VPNs, once connected, all behave the same. That is, you have an IP connection between 2 points and normal routing is used. So, separate your issues into two. Is it a VPN connection problem? Or routing? I see some mention of using ULA, which is fine, but is the remote device given a ULA address or global? If you don't have a global address, you won't be able to get beyond your own network. What size prefix are you getting from your ISP? I get a /56. If you have anything larger than a /64, then you can assign one of your own /64s to the VPN tunnel network. With OpenVPN, the endpoint addresses are automagically assigned.
-
Thanks.
But I’m done hacking at the IPv6 connection and endpoint.
WG is just too premature, esp. compared to OpenVPN which works like a charm.
I've noticed:
- The current macOS peer client works differently with the exact same peer configuration than the current iOS peer (except for the keys, of course). And it's buggy (doesn't actually quit when exited; has to be terminated).
- Netgate needs to document a prototype IPv6 config.
- I have a /56 from FiOS but since that can change, hard-coding addresses is impossible for DNS and there's no apparent way to specify an IPv6 DNS on the LAN network that a tunnel has access to.
The bottom line: WG really is experimental.
I do have an iOS peer working great — it even connects dynamically when leaving a WiFi network.
And the iOS config actually works using my public IPv6 endpoint (tunneling only IPv4) on T-Mobile's cellular network.
So, I (kinda) get it. But the macOS client (on either TMO's or AT&T's mobile network; I have a mobile hotspot for the latter) doesn't work at all, with either IPv4 or IPv6 endpoints and any peer configuration.
-
@yobyot I agree on the lack of documentation. Not necessarily on Netgate's part, but on WireGuard in general. For example, I can't find a clear specification of the WireGuard config file parameters and frequently have to resort to other people's examples.
Everything works great for me, though, and I honestly cannot say that WireGuard in any sense feels experimental. I use it on pfSense, Linux, Windows and Android in remote access and site-to-site scenarios with IPv4 and IPv6.
-
@yobyot said in How do I manage firewall rules for WireGuard:
I have a /56 from FiOS but since that can change, hard-coding addresses is impossible for DNS and there’s no apparent way to specify an IPv6 DNS on the LAN network that a tunnel has access to.
Does it actually change? While I get my prefix with DHCPv6-PD, it's pretty much static and hasn't changed in years.
-
Yup, it can -- and does -- change.
I've had a bunch of /56s given to me as I have (slowly) been implementing IPv6 on 2.7 with FiOS.
Anyway, hardcoding the prefix in an IPv6 DNS entry would be a bad idea, even if you thought it wouldn't change.
My real frustration with PD is that I can never find the DNS IPv6 address on pfSense. It's there -- sometimes a regular nslookup will show it's being used -- but how it got its address is a mystery to me. And I don't see it in the UI anywhere.
-
@yobyot said in How do I manage firewall rules for WireGuard:
Yup, it can -- and does -- change.
Do you have Do not allow PD/Address release selected?
-
Yup. All that does is signal VZ that you don't want it to change. But they don't guarantee that they won't release the prefix for you for whatever reason they choose. It's no more durable than a dynamic IPv4 address is.
-
My IPv4 address is so "durable" it's virtually static. Also, the host name, provided by my ISP, is based on the modem and router MAC addresses, so it never changes, unless I change hardware.