Netgate Discussion Forum
Force VLAN to WireGuard tunnel

Category: WireGuard
9 Posts 4 Posters 1.7k Views
Gerry26500

Hi there,
I started to use WireGuard (vs OpenVPN) and I am facing an issue.
I am trying to force one specific VLAN to use the WG tunnel.
So first, I configured WG and have my tunnel up
WG.png

I also created an interface for my VLAN 60 (called VPN, 10.10.60.0/24)

WG2.png

I also have my WG interface created with the IP provided by the VPN provider

wg4.png

and last I have the outbound rule that forces 10.10.60.0/24 to the WG interface

wg5.png

Somehow, that doesn't work. I do have connectivity, but not through the tunnel.

I checked the forum and some people are saying I should just change the gateway under VLAN 60:
WG3.png

If I do that, I lose all connectivity on VLAN 60.

What am I missing here?!
Thanks in advance!

Jarhead @Gerry26500

@gerry26500 First thing I notice is you redacted the tunnel assignment, but then you show the WG interface. So there should be no reason to redact the assignment.
It should be the WG interface. Is it?

Second, you have an upstream gateway assigned to that interface; are you sure you want that?

Third, you shouldn't need the outbound NAT at all.

Create a gateway pointing to the other end of the tunnel, then use that gateway for 10.1.60.0.

Gerry26500 @Jarhead

@jarhead Hey, thanks for the reply
Yes, the local address of the tunnel is 10.2.0.2 (I meant to mask the other IP)
So regarding the upstream gateway, to be honest I am not sure. My VPN provider doesn't have a tutorial regarding WG so I grabbed the info from a random post on the internet.
I will remove the outbound NAT, thanks
..OH, so what you mean is, the upstream gateway I created for the interface should be on the VLAN 60 interface? Or do you mean something else?
I can't see any other field where I can choose a gateway for a subnet / VLAN
Let me give it a try
Thanks!

Edit:
If it helps, here is the tutorial I followed:
https://www.ivpn.net/setup/router/pfsense-wireguard/

(but this applies to the entire router and I would like to have only one subnet going through that tunnel)

Jarhead @Gerry26500

No, what I meant was the tunnel assignment should be the interface itself.
Screenshot 2022-06-19 124518.png

You assigned the IP to the interface for a reason; set the interface as the tunnel assignment.

Upstream gateway: not sure what you're doing with the VPN connection, but setting an upstream gateway makes the interface a WAN, essentially. Read the text below that option. Is that what you want?
To force the traffic through the VPN, create a new gateway, then on the allow-all firewall rule for VLAN 60, click Advanced, then set the new gateway as its gateway.
You should also not have "automatic" set for the default gateway when you create the new gateway; set it to your actual gateway instead.

Keep in mind, I haven't tried this with WireGuard, but it's how you would force traffic with OpenVPN.

Although if it doesn't work, try adding the outbound NAT again. Might need that, but I would think that would be handled on the VPN provider's end. WireGuard does need help routing though, it seems.

Gerry26500 @Jarhead

@jarhead
Oh man, you're awesome!!!
I did have a mix-up in the interface assignment. Somehow I was sure that it was assigned to the tunnel, but for some reason it was assigned to an igc interface :|
That said, it works now! And I really appreciate your help.
So just for testing purposes, I tried with and without the outbound rule... and without it, it doesn't work.

Cheers!

sgw @Gerry26500

I am currently trying the same here, and I am scared to set "AllowedIPs" to 0.0.0.0, because I fear that this breaks the whole routing on the pfSense...

Could someone advise here?

The pfSense currently runs the wg tunnel with "AllowedIPs = 10.8.0.0/24", so only the tunnel network is routed through.

The goal is to be able to force one or more VLANs to use that tunnel as default gateway while other (V)LANs should simply use the plain default gateway defined in "Routing".

Maybe I am too scared ;-) but I am far from that box and don't want to lock myself out etc. Thanks.

Bob.Dig @sgw

@sgw Just do it. Routing is done via pfSense, not WireGuard.

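As an added illustration (not posted by anyone in this thread), here is what Jarhead's recipe and Bob.Dig's point look like when written out as pf rules, which is what pfSense generates from the GUI settings: the policy route lives on the VLAN 60 pass rule, the outbound NAT on the tunnel interface rewrites the source (the part Gerry found he could not drop), and AllowedIPs on the WireGuard peer decides nothing about routing. The interface names igc0.60 and tun_wg0, the far-end address 10.2.0.1 and the /0 AllowedIPs are assumptions.

```pf
# Added example, not pfSense's own generated ruleset. Assumed names:
#   igc0.60  = the VLAN 60 interface (10.10.60.0/24)
#   tun_wg0  = the assigned WireGuard interface (local address 10.2.0.2,
#              no upstream gateway set on it, so it is not treated as a WAN)
#   10.2.0.1 = far end of the tunnel = the gateway created under System > Routing
vlan60 = "igc0.60"
wg_if  = "tun_wg0"
wg_gw  = "10.2.0.1"

# Jarhead's "set the new gateway under Advanced on the VLAN 60 pass rule":
# the Gateway field of a rule becomes route-to on that rule, so only traffic
# entering on this VLAN is steered into the tunnel. Every other (V)LAN still
# follows the system default route, which is why the default gateway under
# System > Routing must stay on the real WAN rather than "Automatic".
pass in quick on $vlan60 inet from 10.10.60.0/24 to any \
    route-to ($wg_if $wg_gw) keep state

# What Gerry observed: it does not work without outbound NAT. The provider only
# accepts packets sourced from the tunnel address it handed out, so the VLAN's
# 10.10.60.0/24 sources must be rewritten to tun_wg0's address before they
# enter the tunnel (Firewall > NAT > Outbound, interface = the WG interface).
nat on $wg_if inet from 10.10.60.0/24 to any -> ($wg_if)

# Bob.Dig's point, for sgw's worry: AllowedIPs = 0.0.0.0/0 on the peer is not
# a route. pfSense installs no kernel routes from AllowedIPs (unlike wg-quick);
# it only tells WireGuard that this peer may carry any destination and that
# packets arriving from this peer may have any source. What actually enters the
# tunnel is decided by the route-to rule above, so the box's own default route
# and the other VLANs are untouched.
```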
sgw @Bob.Dig

@bob-dig Will try as soon as I have my next telco with the customer. Thanks...

sgw @sgw

Seems to work ;-) Thanks again @Bob-Dig

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.