Policy routing out Wireguard interface - asymmetric routing
-
@dpravd
The clue is to remove all pass rules from Wireguard and to have pass rules permitting incoming traffic on the VPN only.
-
@viragomann Hmmmm interesting. I'll give this a go, thanks for the info
-
@viragomann I tried what you said, and can see the traffic is hitting this filter in firewall rules.
However, return traffic will not policy route properly - it's still going out the WAN.
So, traffic originating from the LAN is fine, it policy routes out the VPN. However, traffic coming in on the VPN goes back out the WAN and skips the policy route for some reason.
I tried setting allow all flags on the LAN firewall rules - but it still doesn't work.
Of note, the return traffic gets NATed properly to the VPN address, but from there, instead of going out the VPN, it's going out the WAN.
Here, you can see the SYN-ACKs going out the WAN. The VPN address is 10.11.12.1
Any ideas?
-
@dpravd said in Policy routing out Wireguard interface - asymmetric routing:
Any ideas?
Start over with a fresh install. Don't set your VPN as the default gateway, use policy based routing for that. The default gateway should be WAN. And not "Main()", whatever this is.
-
@Bob-Dig Okay - yeah absolutely, the only reason I was setting the VPN as the default gateway was that that was the only way to get the return traffic.
I'll start again, thanks.
-
@dpravd And, if your server is on LAN or wherever, you don't need to set the gateway there for a webserver. It would be enough to allow incoming traffic from the VPN to it.
-
@dpravd said in Policy routing out Wireguard interface - asymmetric routing:
I tried what you said, and can see the traffic is hitting this filter in firewall rules.
Your screenshot doesn't show any hits on the VPN rule.
Did you reset the states?
-
What do your outbound rules look like?
-
@Popolou said in Policy routing out Wireguard interface - asymmetric routing:
What do your outbound rules look like?
The outbound NAT doesn't have any impact on response packets.
-
I set it up again from scratch. Same thing.
Here is the traffic flow - this works fine, traffic goes out the VPN interface and comes back in the VPN interface:
LAN -> VPN pfSense -> VPN ubuntu -> INTERNET
10.5.0.0/24 -> 10.11.12.1/31 -> 10.11.12.0/31 -> 0.0.0.0/0
Here is the broken traffic - traffic comes in the VPN interface, but then goes out the WAN:
INTERNET (DNAT to 10.11.12.1) -> VPN ubuntu -> pfSense VPN (port forwards on VPN interface) -> LAN
0.0.0.0/0 -> 10.11.12.0/31 -> 10.11.12.1/31 -> 10.5.0.0/24
In the second flow, the traffic gets to the LAN fine, and gets NATed to 10.11.12.1 fine, but then goes out the WAN.
LAN rule has gateway of VPN.
Wireguard interface has no rules.
VPN interface has allow all.
Default gateway of box is WAN.
-
@viragomann Yes - sorry, I reset the states just before I took the screenshot
-
@dpravd
To ensure that the proper rule is applied, enable logging in the rule and check the filter log after initiating traffic from remote.
Note the ID of the logged rule that is passing the traffic, and check whether it's the rule you added on the VPN interface.