Block Wireguard site-to-site traffic via a certain WAN?
-
x-post from here
I have a Wireguard Site-to-site setup to a datacenter. Works great! The only problem is, when SITE A's primary internet goes down, I want to drop the tunnel because the backup connection is a metered LTE and there are some large data transfers that occur over the tunnel that would absolutely kill the usage.
Before you say "just block the WAN2 IP on the SITE B end" — both WAN IPs at SITE A are dynamic.
I tried to set up floating rule to tag all WG traffic that entered that specific S2S interface and then block it on the WAN2 rule, but that isn't working for some reason. Anyone got a solution for this? Seems like it might be a fairly common situation?
I'm using pfSense Plus 22.05 on both ends.
possibly related redmine: #13045
-
This is the best I could come up with for now.
It's a pair of floating rules (block/quick), one for each direction (in/out). In the screenshot below, `n_coresite_ext` is an IP alias of the far end static IP/subnet, `51828` is the listen port on the far-end tunnel, and `WAN2_RUT` is my failover WAN interface (the one I do not want any WG traffic to traverse). It also helps to have `wgfix.sh` (github) installed.
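For readers who want to compare the GUI floating rules above against what pf actually loads, here is the same pair of block/quick rules written in pf syntax. This is an added example, not the poster's rules or pfSense's generated ruleset; it assumes the physical interface behind the WAN2_RUT assignment is ue0, an anchor name of wg_no_lte, and uses 203.0.113.10 as a constructed placeholder for the far-end static IP behind the n_coresite_ext alias.

```pf
# Added example (not from the original post): pf equivalent of the two
# floating block/quick rules that keep WireGuard off the metered LTE link.
# Assumptions: ue0 is the interface behind WAN2_RUT, wg_no_lte is the anchor,
# and 203.0.113.10 is a constructed placeholder for the far-end static IP.

wan2_if = "ue0"
wg_port = "51828"
table <n_coresite_ext> persist { 203.0.113.10 }

# Outbound: "from any" because the local WAN2 address is dynamic (per the
# post). "quick" stops evaluation here, so no later pass rule (including
# pfSense's auto-generated ones) can override it, and no state is created.
block out quick on $wan2_if proto udp from any to <n_coresite_ext> port $wg_port \
    label "wg_block_lte_out"

# Inbound: drop handshakes/data the far end sends toward the LTE address, so
# a stale peer endpoint cannot bring the tunnel up over WAN2 either.
block in quick on $wan2_if proto udp from <n_coresite_ext> port $wg_port to any \
    label "wg_block_lte_in"

# Load and verify from a shell on the firewall:
#   pfctl -a wg_no_lte -f /path/to/this/file   # load into the anchor
#   pfctl -a wg_no_lte -vvsr                   # rules with hit counters
#   pfctl -ss | grep 51828                     # no WG state on ue0 after failover
```

On pfSense the persistent way to get these rules is still the GUI floating rules the post describes; the anchor form is for checking the live ruleset with `pfctl -sr` and confirming the block rules sit ahead of any pass rule for the WireGuard port.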