Netgate Discussion Forum

    Site-to-Site Route is One-way

    Routing and Multi WAN
    3 Posts 2 Posters 176 Views
    JLP

      Hello,

      I followed the Netgate guide for a Site-to-Site tunnel (https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-s2s.html), and have created a successful connection. This connection is set up the same, just with different network addresses (two pfSense firewalls).

      HQ LAN: 172.16.0.0/22
      Satellite LAN: 10.1.1.0/24

      HQ VPN: 10.100.100.0/31
      Satellite VPN: 10.100.100.1/31

      Static routes are configured in each pfSense, with the gateway being the VPN address of the other. Each WireGuard interface has an any-any rule. LAN firewall rules are also any-any on both sides.
      I have verified that both the HQ and Satellite networks are able to contact the VPN addresses of both firewalls. Standard networking also works perfectly; each LAN is still using the proper default gateway and resolves DNS.
      The HQ LAN is able to perfectly communicate with any device on the Satellite LAN. Tested comms are SSH, ICMP, and HTTP/S; all reply back to the host on the HQ LAN.

      The problem comes in when trying to communicate from the Satellite LAN to the HQ LAN. The Satellite firewall always gives a "Destination Unreachable" reply. I tested pinging from the firewall, and localhost (the satellite firewall) gave the same "Destination Unreachable".
      Signs point to the static route being improperly configured; however, I have re-made and triple-checked this connection:
      [image attachment: 886b6abe-9f95-4547-870e-99c8db8ebd3a-image.png]

      I am at a loss here. Packet captures provide nothing extra, and just show that the Satellite firewall is sending "Resets" because it thinks it can't route the traffic.

      Any help would be appreciated.

      viragomann @JLP

        @JLP
        Did you configure the "allowed networks" in Wireguard on the HQ firewall?

        JLP @viragomann

          @viragomann Thank you so much. I am grateful you pointed it out; this would have killed me with how much it was staring me in the face.
          I had the wrong config on the Satellite. I was allowing access to its own LAN through its VPN.

          Satellite config allowing LAN access to itself:
          [image attachment: 8c144893-fa55-4da5-9136-c988963e2219-image.png]

          HQ config allowing the correct, remote network access:
          [image attachment: 1167428e-4dce-4ade-ab54-45f61836e0ba-image.png]

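Added example, not code from this thread or from pfSense/Netgate: a small Python check that parses a wg-style config for each site and validates the peer's AllowedIPs against the LAN plan described above, flagging the exact mistake found here (the satellite's AllowedIPs listing its own LAN instead of the HQ LAN). It relies on WireGuard's cryptokey routing rule: a packet is only handed to a peer whose AllowedIPs covers the destination, otherwise the kernel reports it unroutable, which is what the "Destination Unreachable" from the satellite firewall reflects. pfSense configures WireGuard through its GUI rather than a text file, so the INI-style text, the placeholder keys and the endpoint below are constructed stand-ins for the values shown in the screenshots.

```python
"""Validate a WireGuard site-to-site peer's AllowedIPs against the LAN plan.

Assumption (not from the thread): each site's WireGuard settings are
expressed as wg-style INI text; the keys and endpoints are placeholders.
"""
import ipaddress


def parse_wg_config(text):
    """Minimal parser for wg-style INI text.

    Returns (interface_dict, [peer_dict, ...]). Written by hand because
    [Peer] sections repeat, which the stdlib configparser rejects.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("["):
            name = line.strip("[]").lower()
            if name == "interface":
                current = interface
            else:
                current = {}
                peers.append(current)
            continue
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return interface, peers


def allowed_networks(peer):
    """AllowedIPs of one peer as ip_network objects (host bits tolerated)."""
    raw = peer.get("allowedips", "")
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in raw.split(",") if p.strip()]


def check_site(config_text, local_lan, remote_lan, remote_tunnel_ip):
    """Return a list of findings; an empty list means the peer looks right.

    local_lan/remote_lan: this site's own LAN and the LAN behind the peer.
    remote_tunnel_ip: the peer's address on the /31 transit network.
    """
    local_lan = ipaddress.ip_network(local_lan)
    remote_lan = ipaddress.ip_network(remote_lan)
    remote_tunnel = ipaddress.ip_address(remote_tunnel_ip)
    _, peers = parse_wg_config(config_text)
    findings = []
    for i, peer in enumerate(peers):
        nets = allowed_networks(peer)
        if not any(remote_tunnel in n for n in nets):
            findings.append(f"peer {i}: AllowedIPs does not cover the remote "
                            f"tunnel address {remote_tunnel}")
        if not any(remote_lan.subnet_of(n) for n in nets):
            findings.append(f"peer {i}: AllowedIPs does not cover the remote "
                            f"LAN {remote_lan}; packets to it are unroutable")
        for n in nets:
            if n.overlaps(local_lan):
                findings.append(f"peer {i}: AllowedIPs {n} overlaps the local "
                                f"LAN {local_lan}; local traffic would be "
                                f"steered into the tunnel")
    return findings


# Constructed configs mirroring the thread's addressing (keys are placeholders).
SATELLITE_WRONG = """
[Interface]
Address = 10.100.100.1/31
ListenPort = 51820
PrivateKey = SATELLITE_PRIVATE_KEY_PLACEHOLDER

[Peer]
# HQ firewall
PublicKey = HQ_PUBLIC_KEY_PLACEHOLDER
Endpoint = hq.example.invalid:51820
AllowedIPs = 10.100.100.0/32, 10.1.1.0/24
"""

SATELLITE_FIXED = SATELLITE_WRONG.replace("10.1.1.0/24", "172.16.0.0/22")

HQ_CONFIG = """
[Interface]
Address = 10.100.100.0/31
ListenPort = 51820
PrivateKey = HQ_PRIVATE_KEY_PLACEHOLDER

[Peer]
# Satellite firewall
PublicKey = SATELLITE_PUBLIC_KEY_PLACEHOLDER
Endpoint = satellite.example.invalid:51820
AllowedIPs = 10.100.100.1/32, 10.1.1.0/24
"""

if __name__ == "__main__":
    for label, cfg in (("satellite (as posted)", SATELLITE_WRONG),
                       ("satellite (fixed)", SATELLITE_FIXED)):
        problems = check_site(cfg, "10.1.1.0/24", "172.16.0.0/22", "10.100.100.0")
        print(label, "->", problems or "OK")
    print("hq ->", check_site(HQ_CONFIG, "172.16.0.0/22", "10.1.1.0/24",
                              "10.100.100.1") or "OK")
```

Run against the satellite config as it was posted, the check reports two findings: the HQ LAN 172.16.0.0/22 is not covered (so the firewall cannot hand those packets to the peer, hence the unreachable replies), and 10.1.1.0/24 overlaps the satellite's own LAN. The corrected satellite config and the HQ config both come back clean, which is the state the last post describes.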
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.