Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Can't Route Site To Site

    Scheduled Pinned Locked Moved
    Routing and Multi WAN
    3
    7
    1.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      dma_pf
      last edited by dma_pf

      I need some help getting traffic to route over a Site-to Site wireguard tunnel using 2 pfsense routers. The handshake between the routers is established but I can't ping the transit network or LAN on either side of the tunnel.

      Site 1
      WAN IP is dynamic and uses dyndns for DDNS.
      Transit Network: 10.1.0.0/31
      LAN 192.168.163.0/24
      pfsense CE 2.6

      Site 2
      WAN IP is dynamic and uses dyndns for DDNS.
      Transit Network: 10.1.0.0/31
      LAN 192.168.164.0/24
      pfsense+ 23.01

      I've configured the wireguard tunnels and can confirm that I get a handshake between the devices. Endpoint IP's for each are the FQDN provided for each dynamic address. Both tunnels using port 51827.

      1 WG Status.jpg
      I then created an interface for each router with these inputs:

      Site 1
      3b48508b-d07a-44eb-9076-36977b050e61-image.png

      Site 2: The only difference is the IPv4 Address is set to 10.1.0.1/31
      Note that on both routers the system default gateway = "WAN_DHCP"

      Then I created a gateway for each router with these settings:

      Site 1
      b318c606-6aeb-4024-b45d-5e1c860ca28c-image.png

      Site 2: the only difference is the Gateway is set to 10.1.0.0

      I then added a static route to each router:

      Site1
      6218e077-0c7e-404d-8bdb-ccb08fa771e0-image.png
      Site2: The settings are set to:
      Network: 192.168.163.0/24
      Gateway IP: 10.1.0.0_GW

      On each router I created a rule on the new interfaces. Site1 and Site2 have the following identical rule:
      16e8b911-d8d0-4d77-abca-3e07ce04bfaa-image.png

      Next I created a WAN rule on both routers. Site1 and Site2 have the following identical rule:
      47f28fc9-41e2-44f6-aa44-5c3b13e4cc1f-image.png

      I then created a policy routing rule on the LAN interface of each router:

      Site 1
      cdd29d71-72cb-4f8c-abaf-8d6984679e24-image.png

      Site 2: The rule is identical except the Destination IP is set to 192.168.164.0/24
      Note: I tried the rule with Gateway set to Default and also specifying the transit network gateway.

      NAT Rules are set to Hybrid. I can confirm that the Transit network (10.1.0.0/31) was added to each of the automatic NAT rules for the WAN interface. Site1 and Site 2 show the Outbound NAT like this:
      ae1b734c-d29c-4b80-b51e-904a8141dd65-image.png

      I can't get anything to ping across the tunnel. I can't ping to the far side Transit IP from either router. I also can't ping to anything on the far side LAN from either router. The only way I could get that to happen was to set the gateway in each of the router's Interface tab to the transit network gateway. But in doing that the NAT rules are rewritten and all the traffic is sourced with the transit network IP address. I need it to show the original IP from the LAN as the source address.

      I've watched Christian's ( @cmcdonald ) video multiple times and can't see anything that I missed in getting this Site-to-Site working correctly.

      Any help figuring this out is greatly appreciated!

      1 Reply Last reply Reply Quote 0
      • D
        dma_pf
        last edited by

        Just posting a quick note to say that I have edited my original post from yesterday. It now includes screen shots of my configuration in pfsense. For some reason any attempts to upload the screen shots yesterday where met with a "Not able to parse" error and I could not upload them.

        I hope this helps and would really appreciate any feedback on my issue.

        Bob.DigB L 2 Replies Last reply Reply Quote 0
        • D dma_pf referenced this topic on
        • Bob.DigB
          Bob.Dig LAYER 8 @dma_pf
          last edited by

          @dma_pf Have you seen this video?
          If you only have one LAN at each site, you might not even need a Transit Network but I never tried that.

          D 1 Reply Last reply Reply Quote 0
          • L
            lnguyen @dma_pf
            last edited by

            @dma_pf Make sure you set Interface Group Membership to Only Unassigned Tunnels
            a95207c5-680e-4470-9ca2-50232c5860ed-image.png

            1 Reply Last reply Reply Quote 0
            • D
              dma_pf @Bob.Dig
              last edited by

              @bob-dig said in Can't Route Site To Site:

              @dma_pf Have you seen this video?
              If you only have one LAN at each site, you might not even need a Transit Network but I never tried that.

              That's the same video as I referenced in my post. As far as I can tell I've followed it exactly. I can't see anything that I did differently.

              I do have other networks (physical and vlans) on my main router. But in reality there are only 2 servers that I'm trying to give remote access to the other site. They are both on the 192.168.163.0/24 network.

              @lnguyen said in Can't Route Site To Site:

              @dma_pf Make sure you set Interface Group Membership to Only Unassigned Tunnels
              a95207c5-680e-4470-9ca2-50232c5860ed-image.png

              Great idea.....unfortunately I had forgotten to mention in my post that I had already implemented the "Only Assigned Tunnels" option so any rules (there are none) in the "Wiregurad" wouldn't have any effect.

              I've played around with this some more. The only thing I have been able to accomplish is pinging the far side of the transit network from either router when I use the LAN network as the Source address:
              23ce609a-14ae-4414-a12c-097b73f251d6-image.png

              But I can not ping the router on the other side of the tunnel:

              483ff622-5bd3-4817-a1a4-477c5acf61fa-image.png

              I have tried it with:

              • Only a static route to 192.168.164.0/24 enabled on the tunnel gateway.
              • With a static route as above and a policy route on LAN with the gateway set as Default.
              • With a static route as above and a policy routing rule on LAN with the gateway set as the transit gateway.
              • With no static route and only a policy routing rule with the gateway set as the transit gateway.

              None of those things will route traffic across the tunnel to the other router's IP.

              The only way that I can accomplish that is to create an outbound NAT rule for the transit Gateway. Then everything flows across the tunnel but it is routed with the source address of the transit tunnel. I need to have the original LAN IP address as the source for logging purposes.

              I've spent hours going over this again and again and I just can't see what I did different than in Christian's video that would be preventing traffic to be routed across the tunnel without having to NAT the transit tunnel.

              Thanks to both of you for your feedback. I really appreciate you taking the time to read over my post and share your thoughts with me. Sorry it took me so long to get back to you, I was away all last week.

              L 1 Reply Last reply Reply Quote 0
              • L
                lnguyen @dma_pf
                last edited by

                @dma_pf What are the allowed networks under "Peers" for both sites?

                D 1 Reply Last reply Reply Quote 1
                • D
                  dma_pf @lnguyen
                  last edited by dma_pf

                  @lnguyen said in Can't Route Site To Site:

                  @dma_pf What are the allowed networks under "Peers" for both sites?

                  Thanks for pointing me in this direction...that was it! There was an error in one of the peer IP addresses:

                  00155179-c7b4-4b05-be81-a0a7f79d6e1c-image.png

                  The Site 2 network should have been 192.168.164.0.

                  I made the error of seeing that the Wireguard handshake was completed and made the assumption that by doing so it was confirming that: 1) the cryptographic keys matched and 2) that the peer trying to connect had come from the Allowed IP networks. As a result I never rechecked the peer Allowed IPs because I saw a successful handshake.

                  But now I've got to dig deeper into the Wireguard protocol as it appears that the handshake only requires the keys to match and the Allowed IPs are only used as a routing ACL to allow or reject traffic across the tunnel.

                  Thanks again for your help!

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.