Routing via Site2Site Wireguard for a specific client
-
@thisisagoodfirewall
The NAT rules are useless as long as you have the automatic mode enabled.
-
thisisagoodfirewall (last edited Feb 23, 2023, 12:01 AM)
@viragomann
I have the Hybrid Outbound NAT mode enabled as visible in the picture.
Am I doing this right?
-
@thisisagoodfirewall
I see. Seemed it was the automatic mode. From the concerned client, can you ping 8.8.8.8?
-
thisisagoodfirewall (Feb 23, 2023, 12:11 AM, last edited 12:19 AM)
Nope. Cannot ping 8.8.8.8.
Can reach the network on Site A. The last hop in the trace is a DNS server.
I assigned a DNS server from Site A.
DNS is working.
Internet is not. Cannot ping 8.8.8.8.
-
@thisisagoodfirewall
So this lets me suspect that the outbound NAT doesn't work. To be sure, did you do the outbound settings at A?
-
@viragomann
Site A:
-
@thisisagoodfirewall
This should work from the point of NAT rules.
However, that one on OPT1 should not be needed. It would only impact access from A to B. Do the firewall rules on the VPN interface allow internet access?
-
@thisisagoodfirewall said in Routing via Site2Site Wireguard for a specific client:
OPT1 is the mapping for my openvpn service. Local LAN of Site A (192.168.1.0/24) to VPN Provider.
Ah, I see.
Could it be that the upstream traffic from the client at B is also routed to this VPN provider due to the site A routing table?
-
This could be an issue, let's see.
This is the Outbound NAT of Site B.
If I create a firewall rule for the Client on Site B I skip the VPN provider and use the WAN instead.
I just want my client to not use the WAN Gateway but the Wireguard Tunnel Gateway s2sgw and have the traffic routed via the Site A internet.
-
@thisisagoodfirewall
Yes, you can do this with a policy routing rule, but consider that you will have to allow DNS access to the local server with an additional rule above this one, or even forward DNS requests to a public server.
-
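The rule layout that the last reply describes, written out as pf rules so the ordering is visible. This is an added illustration, not configuration from anyone in this thread; pfSense builds rules of this shape from the GUI, and every interface name, address and the tunnel gateway address below is an assumption chosen for the example. The two sections belong to two different firewalls.

```pf
# ===== Site B firewall (the side with the client) =====
lan_if    = "em1"            # Site B LAN interface (assumed)
wg_if     = "tun_wg0"        # Site B WireGuard site-to-site interface (assumed)
client    = "192.168.2.50"   # the one client that should use the tunnel (assumed)
siteb_dns = "192.168.2.1"    # Site B firewall, acting as local DNS resolver (assumed)
s2sgw     = "10.10.10.1"     # Site A's tunnel address, i.e. the "s2sgw" gateway (assumed)

# pfSense evaluates LAN rules first-match ("quick"), so order is the whole point.

# Must sit ABOVE the policy-route rule: DNS to the local resolver stays local.
# If it came after, the route-to rule would also push these queries down the
# tunnel, and name resolution for the client would break.
pass in quick on $lan_if proto { tcp udp } from $client to $siteb_dns port 53

# Everything else from this one client is policy-routed to the WireGuard gateway,
# so it leaves through Site A's internet instead of Site B's WAN gateway.
# Other LAN hosts are not matched and keep using the default gateway.
pass in quick on $lan_if route-to ($wg_if $s2sgw) from $client to any

# ===== Site A firewall (the side whose internet is used) =====
wan_if    = "em0"             # Site A WAN interface (assumed)
siteb_lan = "192.168.2.0/24"  # Site B LAN as seen arriving over the tunnel (assumed)

# Outbound NAT on WAN for traffic that arrived over the tunnel. This is the
# "hybrid outbound NAT" entry for the tunnel source network; without it the
# replies from the internet have no way back to a 192.168.2.x source.
nat on $wan_if from $siteb_lan to any -> ($wan_if)
```

Two things to check alongside this: Site A must have a route for the Site B LAN back through the tunnel (on WireGuard that is the peer's AllowedIPs), and if Site A itself policy-routes its LAN to a VPN provider, as the OPT1 mapping in this thread does, that rule must not also match traffic arriving from the tunnel, otherwise the client's upstream traffic ends up at the VPN provider instead of Site A's WAN.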