Netgate Discussion Forum
    Routing via Site2Site Wireguard for a specific client

    Routing and Multi WAN
thisisagoodfirewall (last edited by thisisagoodfirewall):

Re: Routing questions Site2Site Wireguard

As mentioned in these articles

ipsec-s2s-route-internet-traffic
openvpn-s2s-route-internet-traffic

I would like to create a route via my wireguard tunnel which is connecting Site A pfsense and Site B pfsense.

A client from Site B should be able to use the internet (WAN) of Site A.

Any help is greatly appreciated.
viragomann @thisisagoodfirewall:

Configure a policy routing rule for the source IP. Same as with OpenVPN, but select the Wireguard gateway.
thisisagoodfirewall @viragomann (last edited by thisisagoodfirewall):

This is what I tried.

[image attachment]

Routing all the client traffic via the wireguard site2site gateway.
This does not work. Internet stops at client.

[image attachment]
[image attachment]
viragomann @thisisagoodfirewall:

Two things to consider here:

• The policy routing also forces DNS traffic to the remote site. If the client is configured to use a local DNS server, resolution will fail.
  So you either have to add an additional rule to allow local DNS access (without a gateway) or you configure a remote or public DNS server on the device.
  You can also simply forward DNS requests from the machine to a public or remote server.

• On the remote site you need a masquerading rule on WAN for the traffic from the local client.
thisisagoodfirewall @viragomann:

Okay.
I can configure a DNS for the client on the remote side like this...
[image attachment]

Not sure what you mean with "On the remote site you need a masquerading rule on WAN for the traffic from the local client."
viragomann @thisisagoodfirewall:

If you want to use 8.8.8.8 on the client, simply forward DNS requests from its source IP, as already suggested.

The masquerading is done with an outbound NAT rule on pfSense.
Switch the outbound NAT on the remote box to the hybrid mode.
Then add a rule for the source of 192.168.2.0/24 (or only 192.168.2.73/32) to the WAN.
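As an added illustration (this is not code from the thread and not pfSense's own code), the following Python model of pfSense's first-match interface rules and outbound NAT modes shows the two points raised above: a policy-routing rule with a gateway also captures the client's DNS queries unless a plain pass rule for the local resolver sits above it, and a manual outbound NAT rule on Site A's WAN only takes effect in Hybrid or Manual mode, never in Automatic mode. The addresses 192.168.2.0/24, 192.168.2.73, 192.168.1.0/24 and 8.8.8.8 and the gateway name s2sgw come from the thread; 192.168.2.1 as Site B's local resolver, 203.0.113.10 as Site A's WAN address and the rule names are assumptions made for the example.

```python
"""Model of pfSense rule evaluation and outbound NAT modes (added example).

Assumed values: 192.168.2.1 = Site B local resolver, 203.0.113.10 = Site A WAN
address (documentation range). Everything else is from the forum thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "udp", "tcp" or "icmp"
    dport: Optional[int] = None  # None for ICMP


@dataclass
class Rule:
    """One pass rule on an interface; gateway=None means 'use the routing table'."""
    name: str
    src: str = "any"
    dst: str = "any"
    proto: str = "any"
    dport: Optional[int] = None
    gateway: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        def in_net(addr: str, spec: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)
        return (in_net(pkt.src, self.src) and in_net(pkt.dst, self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def route_decision(rules: List[Rule], pkt: Packet) -> str:
    """Interface rules are 'quick' in pfSense: the first matching rule decides.
    Returns the gateway name, 'routing-table' for a plain pass, or 'blocked'."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.gateway or "routing-table"
    return "blocked"  # default deny when nothing matches


# Site B LAN rules as first tried in the thread: only the policy-routing rule.
SITE_B_ONLY_POLICY = [
    Rule("client via tunnel", src="192.168.2.73", gateway="s2sgw"),
]
# Corrected ordering: DNS to the local resolver passes *above* the policy rule.
SITE_B_WITH_DNS_RULE = [
    Rule("client DNS to local resolver", src="192.168.2.73",
         dst="192.168.2.1", proto="udp", dport=53),
    Rule("client via tunnel", src="192.168.2.73", gateway="s2sgw"),
]


@dataclass
class NatRule:
    iface: str
    src: str
    target: str  # address the packet source is rewritten to


def outbound_nat(mode: str, manual: List[NatRule], automatic: List[NatRule],
                 iface: str, src: str) -> Optional[str]:
    """Translated source address, or None when no rule applies.
    automatic: generated rules only (manual rules are ignored)
    hybrid:    manual rules first, then the generated ones
    manual:    manual rules only; disabled: no translation at all"""
    order = {"automatic": automatic, "hybrid": manual + automatic,
             "manual": manual, "disabled": []}[mode]
    for r in order:
        if r.iface == iface and ip_address(src) in ip_network(r.src, strict=False):
            return r.target
    return None


# Site A: automatic rules only cover networks attached to Site A itself,
# so the Site B source arriving over the tunnel is not translated by them.
SITE_A_AUTOMATIC = [NatRule("WAN", "192.168.1.0/24", "203.0.113.10")]
# The manual WAN rule for the tunnel source, as suggested in the thread.
SITE_A_MANUAL = [NatRule("WAN", "192.168.2.0/24", "203.0.113.10")]


def client_ping_exits_masqueraded(mode: str) -> bool:
    """Does a ping from the Site B client leave Site A's WAN with a public source?"""
    return outbound_nat(mode, SITE_A_MANUAL, SITE_A_AUTOMATIC,
                        "WAN", "192.168.2.73") is not None


if __name__ == "__main__":
    dns = Packet("192.168.2.73", "192.168.2.1", "udp", 53)
    ping = Packet("192.168.2.73", "8.8.8.8", "icmp")
    print("DNS, policy rule only  ->", route_decision(SITE_B_ONLY_POLICY, dns))
    print("DNS, with resolver rule ->", route_decision(SITE_B_WITH_DNS_RULE, dns))
    print("ping, with resolver rule ->", route_decision(SITE_B_WITH_DNS_RULE, ping))
    for mode in ("automatic", "hybrid"):
        print(f"Site A outbound NAT {mode}: masqueraded={client_ping_exits_masqueraded(mode)}")
```

Without the masquerade the ICMP request leaves Site A's WAN with the private source 192.168.2.73 and the reply has no way back, which is exactly the "cannot ping 8.8.8.8 but DNS works" symptom discussed later in the thread.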
thisisagoodfirewall @viragomann:

Just need a proof of concept. Can fiddle with DNS later.
Added 8.8.8.8 as client DNS.

Masq like this?
[image attachment]
I had those settings before and yet the client 192.168.2.73 can't connect to the internet via tunnel.
viragomann @thisisagoodfirewall:

The NAT rules are useless as long as you have the automatic mode enabled.
thisisagoodfirewall @viragomann (last edited by thisisagoodfirewall):

I have the Hybrid Outbound NAT mode enabled as visible in the picture.
Am I doing this right?
viragomann @thisisagoodfirewall:

I see. It seemed it was the automatic mode.

From the concerned client, can you ping 8.8.8.8?
thisisagoodfirewall @viragomann (last edited by thisisagoodfirewall):

Nope. Cannot ping 8.8.8.8.

Can reach the network on Site A; last trace is a DNS server.

I assigned a DNS server from Site A.

DNS is working.

[image attachment]

Internet is not. Cannot ping 8.8.8.8.
viragomann @thisisagoodfirewall:

So this lets me suspect that the outbound NAT doesn't work.

To be sure, did you do the outbound settings at A?
thisisagoodfirewall @viragomann:

Site A:
[image attachment]
viragomann @thisisagoodfirewall:

This should work from the point of view of the NAT rules.
However, that one on OPT1 should not be needed. It would only impact access from A to B.

Do the firewall rules on the VPN interface allow internet access?
thisisagoodfirewall @viragomann:

OPT1 is the mapping for my openvpn service. Local LAN of Site A (192.168.1.0/24) to VPN Provider.

The Gateway of the Wireguard Site2Site tunnel allows all connections.
[image attachment]

Still can't figure out why the client on Site B cannot connect via the Gateway.
viragomann @thisisagoodfirewall:

@thisisagoodfirewall said in Routing via Site2Site Wireguard for a specific client:

    OPT1 is the mapping for my openvpn service. Local LAN of Site A (192.168.1.0/24) to VPN Provider.

Ah, I see.

Could it be that the upstream traffic from the client at B is also routed to this VPN provider due to the site A routing table?
thisisagoodfirewall @viragomann:

This could be an issue, let's see.

This is the Outbound NAT of Site B.

[image attachment]

If I create a firewall rule for the client on Site B, I skip the VPN provider and use the WAN instead.
[image attachment]

I just want my client to not use the WAN Gateway but the Wireguard Tunnel Gateway s2sgw and have the traffic routed via the Site A internet.
viragomann @thisisagoodfirewall:

Yes, you can do this with a policy routing rule, but consider that you will have to allow DNS access to the local server with an additional rule above this, or even forward DNS requests to a public server.
thisisagoodfirewall @viragomann:

Site B Gateways
[image attachment]
I need to route via site1gw.

This is Site A Gateways
[image attachment]

Site A static route
[image attachment]

Site B static route
[image attachment]