Netgate Discussion Forum

    Pulling my hair out. Accessing Pihole instance on local LAN from remote WG client issue.

    tibere86

      Local LAN = 10.0.0.1/24
      Pihole instance = 10.0.0.100
      WireGuard Subnet = 172.16.0.0/24
      WireGuard Remote client (laptop) = 172.16.0.3

      This issue is nagging me as I am unable to resolve it. Through all the Google searching, I have had no luck. My WireGuard remote client (laptop) is able to connect fine and full-tunnel (0.0.0.0/0) traffic out the WAN without issue (with the necessary WAN NAT rule). Where I get hung up is that said remote client can only access the 172.16.0.0/24 subnet and ONLY the pfSense router's LAN address, 10.0.0.1/24. The remote client is unable to connect to any other addresses on the LAN subnet (10.0.0.0/24).

      I have double-checked all my rules; allow all on the WireGuard interface is there, and the client WireGuard configs have 0.0.0.0/0 as allowed IPs. I am at a loss. This seems to be a routing/NATing issue, I presume.

      Just offhand (I'm guessing here), will an Outbound NAT rule on the LAN interface with my WireGuard subnet (172.16.0.0/24) solve this issue?

      Many thanks in advance.

      johnpoz LAYER 8 Global Moderator @tibere86

        @tibere86 When you're coming through a VPN and wanting to talk to something on a network attached to pfSense, you can run into a few different problems. Probably the most common is just that the firewall on the host doesn't like whatever the VPN client's IP is, in your case some 172.16 address, since it's not a local network to who you're talking to. Another issue is that what you're trying to talk to from the VPN is not using pfSense as its gateway. So if they allow X to talk to them, they send it to some other gateway than pfSense. Another is that the device you're talking to has no gateway at all.

        Doing an outbound NAT is sure a way to work around those issues.

        I would validate that pfSense is sending on the traffic. Do a sniff on your LAN interface while you send a ping to your pihole; do you see pfSense send on the traffic? If so, then you should check that the pihole firewall is allowing what you want to allow. Or if you can ping, it's maybe just an ACL on pihole.

        There is a setting in pihole, which is the default I do believe.

        [image: pihole.jpg]

        That would not answer some query from some 172.16 address when its local address is a 10.0.0 one, because that is not its local network.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11
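The following is an added example, not code from this thread, from pfSense or from Pi-hole. It turns two of the failure modes johnpoz lists into checks you can run against the Pi-hole host's own routing table: whether the WireGuard client (172.16.0.3) lies inside the Pi-hole host's subnet (which is what a "local network only" listener setting tests before answering), and which next hop the host would use for its reply, since a reply that leaves via a gateway other than pfSense never reaches the tunnel. The routing tables are constructed strings in `ip route` output format; the addresses are the ones from the question.

```shell
#!/bin/sh
# Added example (not from the thread, pfSense or Pi-hole). Models why a VPN
# client can reach pfSense but not a LAN host, using the thread's addresses:
#   1. is the client inside the Pi-hole host's own subnet? A listener that
#      only answers its local network drops anything that is not.
#   2. longest-prefix lookup of the client's address in the host's routing
#      table: replies must go to pfSense (10.0.0.1) to get back into WireGuard.
# Routing tables below are constructed strings in `ip route` format.

PIHOLE_IP=10.0.0.100
PIHOLE_PREFIX=24
PFSENSE_IP=10.0.0.1
WG_CLIENT=172.16.0.3

# Dotted-quad -> 32-bit integer, POSIX sh arithmetic only.
ip2int() {
    _ifs2=$IFS; IFS=.
    set -- $1
    IFS=$_ifs2
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length -> netmask as an integer (24 -> 0xffffff00).
prefix2mask() {
    echo $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
}

# same_subnet HOST PREFIX OTHER: succeeds if OTHER lies in HOST's subnet.
same_subnet() {
    _mask=$(prefix2mask "$2")
    [ $(( $(ip2int "$1") & _mask )) -eq $(( $(ip2int "$3") & _mask )) ]
}

# next_hop ROUTES DEST: longest-prefix match over ROUTES (`ip route` text).
# Prints the gateway address, "direct" for an on-link route, or "none" when
# no route (not even a default) covers DEST.
next_hop() {
    _dest=$2
    _best_len=-1; _best_hop=none
    _ifs=$IFS; IFS='
'
    for _line in $1; do
        IFS=$_ifs; set -- $_line; IFS='
'
        case $1 in
            default) _net=0.0.0.0; _len=0 ;;
            */*)     _net=${1%/*}; _len=${1#*/} ;;
            *)       continue ;;
        esac
        if same_subnet "$_net" "$_len" "$_dest" && [ "$_len" -gt "$_best_len" ]; then
            _best_len=$_len
            if [ "$2" = via ]; then _best_hop=$3; else _best_hop=direct; fi
        fi
    done
    IFS=$_ifs
    echo "$_best_hop"
}

# Constructed `ip route` output for three states of the Pi-hole host.
ROUTES_VIA_PFSENSE='default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.100'
ROUTES_OTHER_GW='default via 10.0.0.254 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.100'
ROUTES_NO_GW='10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.100'

# diagnose ROUTES: one-line verdict for WG_CLIENT; returns 0 only when the
# host's reply would go to pfSense, which can then send it down the tunnel.
diagnose() {
    _hop=$(next_hop "$1" "$WG_CLIENT")
    if same_subnet "$PIHOLE_IP" "$PIHOLE_PREFIX" "$WG_CLIENT"; then
        _local="on Pi-hole's subnet"
    else
        _local="NOT on Pi-hole's subnet (a local-network-only listener drops it)"
    fi
    echo "client $WG_CLIENT is $_local; reply next hop: $_hop"
    [ "$_hop" = "$PFSENSE_IP" ]
}

diagnose "$ROUTES_VIA_PFSENSE"
diagnose "$ROUTES_OTHER_GW" || echo "  -> replies leave via a gateway that is not pfSense"
diagnose "$ROUTES_NO_GW"    || echo "  -> no route back toward the VPN subnet at all"
```

On a real Pi-hole host you would feed `next_hop` the actual output of `ip route` instead of the constructed strings; a next hop that is not the pfSense LAN address explains a one-way ping exactly as johnpoz describes, and the subnet check shows why an interface setting limited to the local network cannot answer a 172.16.0.x client even when routing is correct. An outbound NAT on the LAN side, as the question suggests, works around both by making the query appear to come from 10.0.0.1.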

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.