Netgate Discussion Forum
    Routing via Site2Site Wireguard for a specific client

    Category: Routing and Multi WAN
    19 Posts 2 Posters 1.6k Views
    viragomann @thisisagoodfirewall

      @thisisagoodfirewall
      I see. Seemed it was the automatic mode.

      From the concerned client can you ping 8.8.8.8?

    thisisagoodfirewall @viragomann

        @viragomann

        Nope. Cannot ping 8.8.8.8.

        Can reach the network on Site A; the last trace hop is a DNS server.

        I assigned a dns server from Site A.

        DNS is working.

        [screenshot attachment]

        Internet is not. Cannot ping 8.8.8.8.

    viragomann @thisisagoodfirewall

          @thisisagoodfirewall
          This makes me suspect that the outbound NAT doesn't work.

          To be sure, did you do the outbound settings at A?

    thisisagoodfirewall @viragomann

            @viragomann
            Site A:
            [screenshot attachment]

    viragomann @thisisagoodfirewall

              @thisisagoodfirewall
              This should work from the point of view of the NAT rules.
              However, that one on OPT1 should not be needed. It would only impact access from A to B.

              Do the firewall rules on the VPN interface allow internet access?

    thisisagoodfirewall @viragomann

                @viragomann

                OPT1 is the mapping for my OpenVPN service: local LAN of Site A (192.168.1.0/24) to the VPN provider.

                The gateway of the WireGuard site-to-site tunnel allows all connections.
                [screenshot attachment]

                Still can't figure out why the client on Site B cannot connect via the gateway.

    viragomann @thisisagoodfirewall

                  @thisisagoodfirewall said in Routing via Site2Site Wireguard for a specific client:

                      OPT1 is the mapping for my OpenVPN service: local LAN of Site A (192.168.1.0/24) to the VPN provider.

                  Ah, I see.

                  Could it be that the upstream traffic from the client at B is also routed to this VPN provider due to the site A routing table?

    thisisagoodfirewall @viragomann

                    @viragomann

                    This could be an issue, let's see.

                    This is the Outbound NAT of Site B.

                    [screenshot attachment]

                    If I create a firewall rule for the client on Site B, I skip the VPN provider and use the WAN instead.
                    [screenshot attachment]

                    I just want my client to use not the WAN gateway but the WireGuard tunnel gateway s2sgw, and have the traffic routed via the Site A internet.

    viragomann @thisisagoodfirewall

                      @thisisagoodfirewall
                      Yes, you can do this with a policy routing rule, but consider that you will have to allow DNS access to the local server with an additional rule above this one, or else forward DNS requests to a public server.

    thisisagoodfirewall @viragomann
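The pf rule equivalent of the policy routing viragomann describes, as an added example that is not part of the thread: the DNS allow rule sits above the route-to rule at Site B, and Site A carries the matching outbound NAT and a pass rule on the WireGuard interface. This is not pfSense's generated ruleset (which adds labels, reply-to and other housekeeping) and it is not taken from the posters' screenshots. The thread only states Site A's LAN (192.168.1.0/24); Site B's LAN 192.168.2.0/24, the client address, the interface names and the tunnel and WAN gateway addresses are assumptions made for the example.

```pf
# --- Site B (assumed LAN 192.168.2.0/24, client 192.168.2.50) ---
lan_if    = "igb1"            # assumed LAN interface name
wg_if     = "tun_wg0"         # assumed WireGuard interface name
client    = "192.168.2.50"    # assumed address of the one client to policy-route
local_dns = "192.168.2.1"     # assumed Site B resolver the client is configured to use
siteA_lan = "192.168.1.0/24"  # from the thread
s2s_gw    = "10.10.10.1"      # assumed Site A tunnel address (the "s2sgw" gateway)

# 1. DNS to the local resolver is matched first. Without this rule the query
#    would hit the route-to rule below and be pushed into the tunnel, so name
#    resolution would break while the tunnel itself looks fine.
pass in quick on $lan_if inet proto { tcp udp } from $client to $local_dns port 53

# 2. Site A's LAN is reached through the existing static route; no route-to.
pass in quick on $lan_if inet from $client to $siteA_lan

# 3. Everything else from this client is policy-routed into the WireGuard tunnel
#    (the GUI equivalent is a LAN rule with Gateway set to s2sgw).
pass in quick on $lan_if inet from $client to any route-to ($wg_if $s2s_gw)

# --- Site A ---
wan_if    = "igb0"            # assumed WAN interface name
wan_gw    = "203.0.113.1"     # assumed WAN gateway (documentation prefix)
siteB_lan = "192.168.2.0/24"  # assumed Site B LAN

# Outbound NAT on WAN for Site B sources (the "outbound settings at A").
# Without this, replies to the client's 192.168.2.x address never come back.
nat on $wan_if inet from $siteB_lan to any -> ($wan_if)

# Traffic arriving from the tunnel: Site A's own LAN first, then the rest.
pass in quick on $wg_if inet from $siteB_lan to $siteA_lan

# route-to the WAN gateway keeps Site B's upstream traffic off the OPT1 / VPN
# provider path even if Site A's routing table would otherwise send it there
# (in the GUI: the WireGuard interface rule with Gateway set to the WAN gateway).
pass in quick on $wg_if inet from $siteB_lan to any route-to ($wan_if $wan_gw)
```

Rule order matters because of `quick`: pf stops at the first matching `quick` rule, which is why the port 53 rule and the Site A LAN rule must precede the catch-all route-to rule. To confirm the NAT side on the Site A box, `pfctl -ss` should show states on the WAN interface with a 192.168.2.x original source translated to the WAN address once the client tries to reach 8.8.8.8.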

                        @viragomann

                        Site B gateways
                        [screenshot attachment]
                        I need to route via site1gw.

                        This is Site A gateways
                        [screenshot attachment]

                        Site A static route
                        [screenshot attachment]

                        Site B static route
                        [screenshot attachment]

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.