Wireguard Pfsense gets handshake with ports closed...
-
This is a copy from my post on reddit.
I am hoping that someone here can help me. I am either having the biggest BRUH moment right now trying to work with this or I have missed something somewhere. I setup a Site to Site with me and a friend (friend1) and its working fine. Today I tried to setup another site to site with a different friend (friend2) and it won't connect at all. I have a suspicion that its something to do with blocked ports cause of his ISP. I wanted to do some tests with my working WG connection with friend1. I disabled the opened ports on their firewall but somehow it still was able to handshake. Tried to disable the ports on my end. Still got a handshake. Tried disabling anything firewall related and STILL GOT A HANDSHAKE. As a last thing I wanted to check I used the firewall and BLOCKED the port that my WG is running on. STILL GOT A HANDSHAKE. I am now at the biggest WTF moment. How is this thing still getting a handshake when I have blocked the port? One thing I have noticed is that there is never any states on those ports that I open meaning that somehow they are connecting in another method. Please someone give me advise on how this is happening. I can send screenshots of how everything is configured. I followed the guide here. In the video he showed the ports needing to be opened and they had states across them... -
No matter what rule changes you make, packets can still pass if there is an entry in the state table matching the exact source/destination.
Sounds like you either didn't reset states or didn't wait for the old states to expire between tests.
See also:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#check-the-state-table -
Each time I modified the firewall rules I would restart the service. Does that not clear out the state? Also I made a discovery that if I don't manually create the gateway then the status will forever say handshake never. I am still trying to figure out why when i close the ports on my wan I am still getting a connection.
-
The service has nothing to do with the contents of the firewall state table.
Look over all the links in my previous reply, it's all explained there. It's not a WireGuard issue it's a fundamental aspect of stateful firewall behavior.
