Wireguard Pfsense gets handshake with ports closed...

WireGuard

Jeep5798 last edited by

      This is a copy from my post on reddit.
      I am hoping that someone here can help me. I am either having the biggest BRUH moment right now trying to work with this or I have missed something somewhere. I setup a Site to Site with me and a friend (friend1) and its working fine. Today I tried to setup another site to site with a different friend (friend2) and it won't connect at all. I have a suspicion that its something to do with blocked ports cause of his ISP. I wanted to do some tests with my working WG connection with friend1. I disabled the opened ports on their firewall but somehow it still was able to handshake. Tried to disable the ports on my end. Still got a handshake. Tried disabling anything firewall related and STILL GOT A HANDSHAKE. As a last thing I wanted to check I used the firewall and BLOCKED the port that my WG is running on. STILL GOT A HANDSHAKE. I am now at the biggest WTF moment. How is this thing still getting a handshake when I have blocked the port? One thing I have noticed is that there is never any states on those ports that I open meaning that somehow they are connecting in another method. Please someone give me advise on how this is happening. I can send screenshots of how everything is configured. I followed the guide here. In the video he showed the ports needing to be opened and they had states across them...

jimp (Rebel Alliance Developer, Netgate) last edited by

        No matter what rule changes you make, packets can still pass if there is an entry in the state table matching the exact source/destination.

        Sounds like you either didn't reset states or didn't wait for the old states to expire between tests.

        See also:
        https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#check-the-state-table

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

Jeep5798 @jimp last edited by

Each time I modified the firewall rules I would restart the service. Does that not clear out the state? Also I made a discovery that if I don't manually create the gateway then the status will forever say "handshake never". I am still trying to figure out why, when I close the ports on my WAN, I am still getting a connection.

jimp (Rebel Alliance Developer, Netgate) last edited by

            The service has nothing to do with the contents of the firewall state table.

Look over all the links in my previous reply; it's all explained there. It's not a WireGuard issue, it's a fundamental aspect of stateful firewall behavior.

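The behaviour jimp describes in both replies, modelled as a small simulation (this is an added illustration, not pfSense or pf code, and the peer addresses, port and timeout value are constructed): an allowed packet creates a state entry; once that entry exists, the rule set is never consulted again for the flow, so changing the rule to block, or restarting the VPN daemon, changes nothing. Only resetting the state table or letting the state expire (which WireGuard's keepalives normally prevent) makes the new block rule take effect.

```python
"""Toy stateful-firewall model showing why a flow keeps passing after the
rule that admitted it is removed.  Constructed illustration only."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str   # "pass" or "block"
    proto: str
    dport: int


@dataclass
class StatefulFirewall:
    rules: list = field(default_factory=list)
    states: dict = field(default_factory=dict)   # Flow -> last-seen time
    udp_timeout: float = 60.0                    # constructed; real pf timeouts differ

    def _expire(self, now):
        # Drop states that have seen no traffic for longer than the timeout.
        for flow, last_seen in list(self.states.items()):
            if now - last_seen > self.udp_timeout:
                del self.states[flow]

    def handle_packet(self, flow, now):
        self._expire(now)
        # 1. An existing state entry wins; the rule set is not consulted.
        if flow in self.states:
            self.states[flow] = now
            return "pass (state)"
        # 2. No state: first matching rule decides, default deny.
        for rule in self.rules:
            if rule.proto == flow.proto and rule.dport == flow.dport:
                if rule.action == "pass":
                    self.states[flow] = now   # state created on first pass
                    return "pass (rule)"
                return "block (rule)"
        return "block (default)"

    def restart_service(self):
        """Restarting the VPN daemon does not touch the state table."""
        return len(self.states)

    def reset_states(self):
        """Equivalent of Diagnostics > States > Reset: flush every entry."""
        self.states.clear()


def demo():
    """Replay the thread's experiment; returns the verdict for each step."""
    fw = StatefulFirewall(rules=[Rule("pass", "udp", 51820)])
    # Constructed peer addresses for the WireGuard UDP flow.
    wg = Flow("udp", "203.0.113.10", 51820, "198.51.100.20", 51820)
    verdicts = []
    verdicts.append(fw.handle_packet(wg, now=0))      # rule passes, state created
    fw.rules = [Rule("block", "udp", 51820)]          # admin "closes the port"
    verdicts.append(fw.handle_packet(wg, now=10))     # still passes via state
    fw.restart_service()                              # daemon restart: no effect
    verdicts.append(fw.handle_packet(wg, now=20))     # still passes via state
    fw.reset_states()                                 # flush the state table
    verdicts.append(fw.handle_packet(wg, now=30))     # now the block rule applies
    # Alternative: let the state expire by stopping traffic past the timeout.
    fw.rules = [Rule("pass", "udp", 51820)]
    fw.handle_packet(wg, now=40)                      # re-create the state
    fw.rules = [Rule("block", "udp", 51820)]
    verdicts.append(fw.handle_packet(wg, now=40 + 61))  # expired, block applies
    return verdicts


if __name__ == "__main__":
    for step, verdict in enumerate(demo(), 1):
        print(step, verdict)
```

The same check on a real pfSense box is to look at Diagnostics > States (or the troubleshooting page linked above) for the UDP port while the tunnel is up, and to reset states after changing the rule rather than restarting the WireGuard service.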