Just tested it with /31 and it works. For route-based IPsec the gateway is created automatically when you assign the tunnel to an interface. I haven't tried with /32 though. But I tried with a larger subnet like /24. I guess it's like what you said: as long as they are on the same subnet it will work. It's just that for a point-to-point connection with a single transit network it doesn't make sense to use something larger that contains more than 2 IPs.
With two VPN clients running on the same pfSense ?
I didn't really insist when testing (things start to behave very badly).
I'm sure that a first VPN client can be used as the 'gateway' for a second VPN client on the same device, but you probably have to set them up the old way: manual config file creation and all that. That's not possible on pfSense.
I hope to be wrong of course.
What was possible :
Setting up a pfSense VPN client to 'some' VPN-ISP, routing all outgoing traffic over this connection, that's classic and works fine.
Then I activated a VPN client on my NAS, used 'another' VPN-ISP, and that connected also "just fine".
Now, I had a tunnel over a tunnel.
As I was using some https web sites to test, I actually had a tunnel in a tunnel in a tunnel.
Btw: you go beyond what is needed to protect the launch codes of the nukes .... are you sure you need this protection?
@Ratfink Connecting two sites with a WireGuard VPN is absolutely doable, and you don't even need fixed IPs for it to work.
When you say you have 5 fixed IPs from your ISP, I'm kind of assuming you have your office at your house? Meaning they are both connected to the same fibre? Otherwise, if they are at very different locations, is it still the same ISP?
In terms of getting the IPs onto the respective pfSense machines, I assume you know how or have instructions from the ISP to do this. Might be MAC based if DHCP, for example...
Anyway, running pfSense on repurposed HW is very common and can be done "bare metal" or virtualized. So you shouldn't have any problems getting it to work on your rack servers, hopefully.
So step one is of course getting both machines up and running. And since they will be for different sites and connected via VPN you must make sure to use different LAN subnets on them. Like 192.168.1.0/24 on one and 192.168.2.0/24 on the other.
Once you have them up and running you can follow a guide like one of these to set up wireguard.
Even though you have fixed IPs it might be a good idea to get two domains, unless you already have that.
If you want to go over WAN anyway, assign an interface to the wg instance and enable it at site 2. This brings up a new firewall rule tab for it then.
Now go to the "Wireguard" tab, edit the existing rules and change the interface to the new one.
I'm not sure what you mean by your last sentence but, I've done the rest.
You mean, changing the interface in the filter rule?
In Firewall > Rules you will see a tab called "Wireguard". pfSense might have created a rule on this tab automatically, when you set up the Wireguard tunnel.
So go to this tab and edit the existing rule and change the interface from "Wireguard" to the interface, which you have assigned to the Wireguard instance before.
Then the rule disappears from the Wireguard tab and appears on the new interface tab.
Also in the WG settings on router 2 you have to change the "allowed IPs" to 0.0.0.0/0 to accept public forwarded traffic.
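The two WireGuard points made in this thread (use distinct LAN subnets at the two sites, and set a peer's AllowedIPs to the remote tunnel address plus the remote LAN for site-to-site, or to 0.0.0.0/0 when the peer must accept arbitrary forwarded source addresses) as an added example. This is not code from pfSense or from any poster here; the site names, endpoints, placeholder keys and the 10.99.0.0/30 tunnel network are assumptions made up for the example.

```python
"""Added example (not from the original posts): build a WireGuard
site-to-site configuration pair and check the addressing rules the posts
above rely on. Site names, endpoints, keys and the 10.99.0.0/30 tunnel
network are assumptions made up for this example."""
from dataclasses import dataclass
from ipaddress import ip_interface, ip_network


@dataclass(frozen=True)
class Site:
    name: str
    endpoint: str        # public IP or DNS name of this site's WAN (assumed)
    lan: str             # LAN subnet behind this site's pfSense
    tunnel_addr: str     # this site's address on the tunnel, e.g. 10.99.0.1/30
    pubkey: str          # placeholder; real keys come from `wg genkey | wg pubkey`
    listen_port: int = 51820


# Constructed sample sites with distinct LAN subnets, as the post recommends.
SITE_A = Site("siteA", "siteA.example.net", "192.168.1.0/24", "10.99.0.1/30", "<siteA-public-key>")
SITE_B = Site("siteB", "siteB.example.net", "192.168.2.0/24", "10.99.0.2/30", "<siteB-public-key>")


def check_disjoint_lans(sites):
    """Raise if any two sites share or overlap LAN space; otherwise True.
    Overlapping LANs cannot be routed across the tunnel unambiguously."""
    nets = [ip_network(s.lan) for s in sites]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"LAN subnets overlap: {a} and {b}")
    return True


def allowed_ips(remote, full_tunnel=False):
    """AllowedIPs to put in the [Peer] block that describes `remote`.

    In WireGuard AllowedIPs does double duty: it selects which destinations
    are sent to this peer, and it is the source-address allow-list for
    packets that arrive from this peer (cryptokey routing). A packet the
    peer sends with a source outside this list is silently dropped.

    Site-to-site: the peer's tunnel address plus the LAN behind it.
    Full tunnel / accepting forwarded public traffic: 0.0.0.0/0, because
    the source addresses of forwarded Internet traffic are arbitrary.
    """
    if full_tunnel:
        return ["0.0.0.0/0"]
    peer_host = ip_interface(remote.tunnel_addr).ip
    return [f"{peer_host}/32", str(ip_network(remote.lan))]


def render_config(local, remote, full_tunnel=False):
    """wg-quick style config for `local` with `remote` as its only peer."""
    return "\n".join([
        "[Interface]",
        f"Address = {local.tunnel_addr}",
        f"ListenPort = {local.listen_port}",
        f"PrivateKey = <{local.name}-private-key>",
        "",
        "[Peer]",
        f"PublicKey = {remote.pubkey}",
        f"Endpoint = {remote.endpoint}:{remote.listen_port}",
        f"AllowedIPs = {', '.join(allowed_ips(remote, full_tunnel))}",
        "PersistentKeepalive = 25",   # keeps NAT state alive if a site sits behind NAT
    ])


def covers(allowed, address):
    """True if the host `address` falls inside one of the AllowedIPs prefixes,
    i.e. the peer may send packets from it and will receive packets to it."""
    host = ip_interface(address).ip
    return any(host in ip_network(p) for p in allowed)


if __name__ == "__main__":
    check_disjoint_lans([SITE_A, SITE_B])
    print(render_config(SITE_A, SITE_B))
    print()
    print(render_config(SITE_B, SITE_A))
```

The pfSense GUI asks for the same fields (tunnel address, peer public key, endpoint, AllowedIPs) rather than a file, so the rendered text is only a reference for what to type; the point of `covers()` is that a source address outside AllowedIPs is dropped before any firewall rule sees it, which is why forwarded public traffic needs 0.0.0.0/0 on the receiving router.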
The problem was an any/any rule in the Wireguard unassigned tunnel firewall rule list. Even though the AirVPN WG interface was assigned, group rules are evaluated first...
Hope this helps someone else as well.
@FoolCoconut THANK you. I've been trying to figure this out for a very long time.
@dogfight76 could you please post a PROPER graphical network diagram? Unfortunately I don't understand your description.
How exactly do you get onto the Internet? Are you using cable Internet, and is the 6660 your provider's box?
Unfortunately I don't understand why your desktop PC runs pfSense; then you don't have a browser you can surf with, do you?
Yup, those devices are probably not trying to resolve .local addresses using DNS servers at all. They assume they are mDNS and try to find them locally.
I may be interested in knowing more. My ATT router has a 5G port that is unused, but only 1 of the 2 routers has 5G capability, the pfSense. The other router is a MikroTik, but none of its eth ports have 5G.
For clarity, my pfSense router has a 5G wan input, and 2 10G SFP+ ports as potential outputs.
I wanted perfect separation at the WAN connection, but I could use the 5G ethernet port on the ATT machine and go to the pfRouter, then split the connection to a second router via SFP+ and then to a switch for VPN access via the 2nd SFP+.
This would give me 5G all the way to each router, then separate LANs from there.
@moadmin
Hey guys, can I get any suggestions on this? It's still happening even with a split tunnel config.
When the VPN is on and connected, Google Meet calls are choppy and distorted; when we turn it off the video is smooth and in good quality.
This happened after we updated our pfSense to 2.6.
But anyway you don't need NAT reflection on pfSense for this now. It's useless, since nothing points to its WAN IP.
And the port forwarding rule with the WAN IP is useless as well.
@viragomann no, I need both, I tested it. As soon as I remove the reflection from the port forward, the service is not accessible from within the LAN. If I deactivate the WAN port forward rule, I can't access it from the internet. Maybe because of the first main forward "everything" to pfSense rule in Proxmox's network interfaces file. So I will leave it as it is for now. I'm just happy that it finally works.
Yes, got a scheduled job doing VM backups every day.