Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    After Intel quad 1gbe -> Chelsio T422-CR wireguard is not routing traffic.

    Scheduled Pinned Locked Moved
    Hardware
    4
    6
    486
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      kanser_russ
      last edited by

      I recently upgraded my NIC in my pfSense box from an Intel Quad 1gbe PCIe card to a Chelsio T422-CR dual gbe + dual 10gbe sfp+ card. The move went relatively smoothly, with the exception that my wireguard internal routing is broken now.

      Handshake is working perfectly, the traffic from my device is hitting my firewall rules fine. It seems like the traffic gets to the destination and is lost when trying to find a route back to the device.

      The state table for the Wireguard firewall rule "allow all to all" says "SYN_SENT:ESTABLISHED" I have tried running the tunnel with an assigned interface and without, same issue.

      Routing table entries for Wireguard subnet:

      10.10.10.0/24 link#11 U 0 1420 tun_wg0
      10.10.10.1 link#11 UHS 0 16384 lo0

      Running pfSense 2.6 with Wireguard 0.1.6_2

      I feel like I have tried everything, to the point of wondering if the Chelsio itself or my Mikrotik CRS305 isn't passing the return traffic for some reason.

      Any and all help is greatly appreciated, I rely heavily on Wireguard for remote access to my home apps rather than opening up more ports on the firewall and creating more attack vectors .
      Thanks!

      J 1 Reply Last reply Reply Quote 0
      • J
        Jarhead @kanser_russ
        last edited by

        @kanser_russ It's the Chelsio card.
        There's a thread on here from me about the same thing except it was actually crashing my pfSense.
        Once I disabled the Wireguard tunnels, it would work perfectly. Enable Wireguard, crash.
        Never found a reason but for some reason Wireguard does not like Chelsio.
        I ended up buying an Intel card.

        I 1 Reply Last reply Reply Quote 0
        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          Some MTU or hardware offloading difference perhaps?

          I would be running packet captures to see what part of the traffic path is actually failing.

          Steve

          1 Reply Last reply Reply Quote 0
          • I
            italeffect @Jarhead
            last edited by

            @jarhead Just came across your post. I recently updated to a Chelsio T422 card and connecting a wireguard client caused an instant crash of pfsense. After unsuccessful troubleshooting, on a chance I installed the 23.01 beta and it's now working fine.

            J 1 Reply Last reply Reply Quote 1
            • J
              Jarhead @italeffect
              last edited by

              @italeffect That's great news!
              I won't be using mine for a little while, recently sold my house and just renting until the market turns but I would love to go back to my Chelsio since it's 4 ports instead of the 2 I have on the Intel card.
              Looking forward to trying it out now!

              J 1 Reply Last reply Reply Quote 0
              • J
                Jarhead @Jarhead
                last edited by

                Decided to put the Protectli away and go back to my main router with the Chelsio card installed.
                I can also confirm Wireguard is working fine with it and 2.7.
                I only have 2 tunnels up but I can't imagine more would make a difference.
                I even plugged directly into a Frontier ONT and received a DHCP address.
                Looking good!

                1 Reply Last reply Reply Quote 1
                • First post
                  Last post