[Solved] Client subnet not accessible (and no internet)
-
@arrmo It should work without the rules in the Wireguard group tab.
https://docs.netgate.com/pfsense/en/latest/vpn/wireguard/rules.html#tunneled-traffic
"Rules on the WireGuard group tab are matched first, so ensure rules on the group tab are removed, disabled, or do not match traffic which requires reply-to."
"Rules on assigned WireGuard interface tabs also get reply-to which ensures that traffic entering a specific assigned WireGuard interface exits back out the same interface. Without that, return traffic will follow the default gateway."
In your case, you need the traffic to not hit the default GW which is WAN_DHCP and therefore you need the 'reply-to' address. So all your rules should be in the WG interface tab and not the Wireguard group tab. If you have rules in the Wireguard group tab, it will not match any in the WG tab (which you need it to).
Now on the reason why WG int rules are not working, could be a NAT issue - do you have a NAT rule in place natting WG int to WAN (for internet breakout)? Use hybrid outbound as a NAT rule and add WG int to WAN selecting the correct subnet. You can start with a clean configuration of Wireguard and try again.
-
@ab5g said in Client subnet not accessible (and no internet):
"Rules on the WireGuard group tab are matched first, so ensure rules on the group tab are removed, disabled, or do not match traffic which requires reply-to."
Thanks! I had seen that, wasn't sure I fully followed it ... LOL! What's odd is that this rule (group tab) works, not the interface - seems reversed, no? Or did I misunderstand your / the point?
@ab5g said in Client subnet not accessible (and no internet):
Now on the reason why WG int rules are not working, could be a NAT issues - do you have a NAT rule in place natting WG int to WAN (for internet breakout). Use hybrid outbound as a NAT rule and add WG int to WAN selecting the correct subnet. You can start with a clean configuration of Wireguard and try again.
I have the rule we discussed above - though I may have it wrong. It's that OpenWrt subnet, NAT'd to WAN, like you say. Will try clean, that makes a lot of sense! To understand ... WG int => NAT the full interface (so both rules there feed it), to WAN. Did I get your point right? Meaning ... not just the OpenWrt subnet, as I have now, but rather the WG int, correct? Actually, looking at the NAT options, I can't select the interface as a NAT source (or does that change when using Hybrid?).
Thanks again for the pointers!!!
-
@arrmo
'seems reversed, no?' - Yep it is reversed. You should only have rules in WG int and not Wireguard Group. For NAT there are 2 options - I don't know which one you are using. Are you NATing all OW LAN to the tunnel IP at the OW side?
Refer to my comment from before -
You should be natting OW LAN to 192.168.253.3/32 on the OpenWrt box. With this your NAT rule of 192.168.253.0/24 will work.
In case you do not want to NAT on the OpenWrt side then on the WG interface (firewall rules) in pf you need to allow 192.168.0.0/24 segment (right now you are only allowing 192.168.253.0/24 segment). Then you'd need a NAT rule for 192.168.0.0/24.
-
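To make the two points above concrete (rules belong on the assigned WG interface tab so they carry reply-to, and outbound NAT is keyed on the interface the traffic leaves on), here is an added pf.conf-style sketch of what the pfSense GUI ends up generating. It is not from this thread, from Netgate's docs or from either poster's configuration. Interface names (em0 for WAN, tun_wg0 for the assigned WireGuard interface) and the reply-to next hop are assumptions; the subnets (tunnel 192.168.253.0/24, far-side tunnel address 192.168.253.3, OpenWrt LAN 192.168.0.0/24) are the ones discussed in the thread.

```pf
# Added example, not the thread's or pfSense's own config.
# Assumed names: em0 = WAN (default gateway WAN_DHCP), tun_wg0 = assigned WireGuard
# interface, 192.168.253.3 = OpenWrt end of the tunnel (used as reply-to next hop).

# --- Outbound NAT (hybrid mode: these sit next to the automatic rules). ---
# "Interface" is the interface the traffic LEAVES on (WAN), not the tunnel.
nat on em0 inet from 192.168.253.0/24 to any -> (em0)   # case A: OpenWrt NATs its LAN to 192.168.253.3/32
nat on em0 inet from 192.168.0.0/24   to any -> (em0)   # case B: OpenWrt LAN arrives un-NATed

# --- What NOT to do: a rule on the WireGuard *group* tab. ---
# Group rules match first and get no reply-to, so replies to tunnel traffic
# follow the default gateway out of WAN instead of back into the tunnel.
# pass in quick on WireGuard inet from 192.168.253.0/24 to any

# --- Rules on the assigned interface tab: pfSense attaches reply-to, which ---
# --- pins return traffic to the interface the packet arrived on.          ---
# Case A: only the tunnel subnet is ever seen as source.
pass in quick on tun_wg0 reply-to (tun_wg0 192.168.253.3) inet from 192.168.253.0/24 to any

# Case B: no NAT on OpenWrt, so the OpenWrt LAN must also be allowed here
# (and the peer's AllowedIPs on pfSense must include 192.168.0.0/24).
pass in quick on tun_wg0 reply-to (tun_wg0 192.168.253.3) inet from 192.168.0.0/24 to any
```

To check what the GUI actually loaded, `pfctl -sr` from a pfSense shell lists the filter rules (the interface-tab rules should show the `reply-to` clause, and nothing should match on the group ahead of them), `pfctl -sn` lists the NAT rules, and `pfctl -ss` shows existing states. Because pf keeps states, a rule change does not affect already-established flows; that is why a reset at both ends, as reported later in this thread, makes a difference after editing rules.
-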
@ab5g Yep, all makes sense. I think part of this may be that it seems restarting WG on pfSense is not enough ... I seem to need to also reset / reboot on OpenWrt, after pfSense changes. Let me try the changes ... will fiddle for a bit, get back to you.
Thanks!!!
-
@ab5g said in Client subnet not accessible (and no internet):
In case you do not want to NAT on the OpenWrt side then on the WG interface (firewall rules) in pf you need to allow 192.168.0.0/24 segment (right now you are only allowing 192.168.253.0/24 segment). Then you'd need a NAT rule for 192.168.0.0/24.
It's working! The issue was after (firewall / rule) changes, really having to reset / reboot both ends. That was fooling me a bit. To your point, NAT on the OpenWrt side is more difficult, only because it's 1800 miles away ... so if I mess something up, I can't really manually reboot it very easily. So NAT on pfSense (which I sit beside) is much easier.
That all said, I did have both rules already in the interface. And I am NAT'ing (manually) from the OpenWrt subnet - which works. The only minor thing is that I noticed (after I created the Outbound NAT), that I have the interface set to WAN. It seems to work, but should that interface be WG instead? Or does it matter / apply?
Thanks again!
-
@arrmo
NAT for OW LAN subnet to WAN means to allow OW LAN to browse internet so that is correct.
-
@ab5g Excellent, thanks! "Interface" in this case was just a bit confusing.
Thanks again for all the help and pointers!!
-
@arrmo FYI, opening a new question - all working well, except one type of traffic. Huh?!?! LOL!
-
@arrmo you can edit the original post and mark this solved
-
@ab5g Will do, thanks!