Netgate Discussion Forum

    Publishing a remote WireGuard endpoint through pfSense WAN IP

      enicolau

      I’m trying to make a device on the remote side of a WireGuard VPN (point B) accessible from the Internet using pfSense’s public IP.

      pfSense has a public IP on WAN and a WireGuard tunnel to a MikroTik behind NAT.

      The tunnel works perfectly — I can reach all devices on the remote network (e.g., 172.16.10.1, 172.16.10.2).

      I want to expose the MikroTik’s web service (port 80) via pfSense’s public IP, for example:
      incoming WAN:8080 → 172.16.10.2:80 (through WireGuard).

      The problem:

      The port forward works if the target is a LAN IP.

      It fails when the target is an IP inside the WireGuard tunnel.

      Routes are configured, the WireGuard interface is assigned, and outbound NAT and firewall rules are correct.
      Still, pfSense doesn’t apply the NAT redirect to the WireGuard interface.

      Why does pfSense skip NAT when forwarding to a WireGuard peer, and what’s the correct way to make a remote WireGuard host publicly accessible through pfSense?

      Looking for a technical explanation and possible workarounds (loopback alias, double NAT, pf rules, etc.).

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.