Netgate Discussion Forum

    WireGuard on pfSense behind ISP router. Why do I need a static route?

    Category: Routing and Multi WAN
    34 Posts 3 Posters 4.1k Views
    dangersheep (last edited by dangersheep)

      My network looks like this, with pfSense behind an ISP router. Wireguard clients can handshake but not access LAN or WAN.

      [Network diagram image]

      • Client config:

        [Interface]
        PrivateKey = <redacted>
        Address = 10.0.100.2/32

        [Peer]
        PublicKey = <redacted>
        AllowedIPs = 0.0.0.0/0
        Endpoint = 150.25.45.1:51820

      • Port forwarding: forward UDP 51820 from the ISP router to 192.168.1.100 (the pfSense WAN address)

      • Gateways:
        ◦ Set the default pfSense gateway to WAN_DHCP
        ◦ Add a new WireGuard gateway with IP 10.0.100.1 for interface WG_HOST

      • WireGuard interface: I assigned a new interface (WG_HOST) with address 10.0.100.1 to the WireGuard tunnel and set its upstream gateway to the new WireGuard gateway

      • Firewall: 2 new rules
        ◦ allow UDP traffic from the ISP LAN to the WAN address on port 51820
        ◦ allow all traffic across the WG_HOST interface

      When I initiate a connection from the phone (in the picture below) on the 'client' side I quickly see a successful handshake with rx:400B/min, tx: 10 KiB/min. From the 'host' side, I see the same handshake with similar (but bigger) rx/tx.

      HOWEVER, I'm unable to ping the WG_HOST interface address from the phone (pfSense responds on LAN) or get any DNS from pfSense. I also don't have any access to internet IP addresses or anything on the pfSense LAN network.

      I CAN make it all work by creating a static route with destination network 10.0.100.0/24 and gateway WG_HOST-10.0.100.1.

      1. Have I configured WireGuard (interfaces & gateways) in the simplest way (given that I have to have pfSense behind an ISP router)?

      2. Do I need a static route? I have a feeling it shouldn't be needed just to let the phone access pfSense services and let traffic out to the Internet/pfSense LAN.

      Any tips very gratefully received :)

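      The symptom in the post above (handshake completes, traffic counters move, but not even the far tunnel address answers a ping) has several possible causes on a pfSense box, and the thread below works through the pfSense-side ones (assigned interface, gateway, static route). One check that is independent of pfSense routing is WireGuard's own cryptokey routing: after decryption, a packet is discarded unless its source address is inside the AllowedIPs of the peer it came from, and a packet is only sent to a peer whose AllowedIPs cover its destination. The handshake does not depend on AllowedIPs at all, so a mismatch produces exactly "handshake OK, no data". The following script is an added example written for this edit, not code from the thread or from pfSense: it models that gate for the client config posted above against a hypothetical pfSense peer entry. The peer names, the pfSense tunnel address 10.0.100.1/24 and the LAN host 192.168.2.10 are assumptions for illustration (the thread does not give the pfSense LAN subnet), and nothing here claims this is the cause of the poster's problem.

```python
"""Cryptokey-routing check for a WireGuard tunnel (added example, not from the thread).

WireGuard's data plane is gated per peer by AllowedIPs, independently of the
handshake: a decrypted packet is dropped unless its source address lies in the
sending peer's AllowedIPs, and an outgoing packet is only encrypted to a peer
whose AllowedIPs contain its destination. A handshake can therefore succeed
while every data packet is silently discarded.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Peer:
    name: str
    allowed_ips: list  # ipaddress network objects


@dataclass
class Node:
    name: str
    address: ipaddress.IPv4Interface
    peers: dict = field(default_factory=dict)  # peer name -> Peer

    def peer_for_dest(self, dst):
        """Egress: longest-prefix match of dst over every peer's AllowedIPs."""
        best = None
        for peer in self.peers.values():
            for net in peer.allowed_ips:
                if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (peer, net)
        return best[0] if best else None

    def accepts_from(self, peer_name, src):
        """Ingress: the peer that decrypted the packet must own src in AllowedIPs."""
        return any(src in net for net in self.peers[peer_name].allowed_ips)


def parse_allowed_ips(text):
    """Parse a comma-separated AllowedIPs value as it appears in a wg config."""
    return [ipaddress.ip_network(x.strip(), strict=False) for x in text.split(",") if x.strip()]


def ping_path(client, server, dst_text):
    """Trace an echo request from client to dst and the echo reply back.

    Only the tunnel hops are modelled; when dst is a LAN host behind the server,
    forwarding and the return route on the server side are out of scope here.
    Returns (outcome, detail) where outcome is "reply" or "dropped".
    """
    dst = ipaddress.ip_address(dst_text)
    src = client.address.ip
    # 1. client egress: the packet must map to the server peer
    sent_to = client.peer_for_dest(dst)
    if sent_to is None or sent_to.name != server.name:
        return ("dropped", f"{client.name}: no peer has {dst} in AllowedIPs, packet never sent")
    # 2. server ingress: decrypted source must be inside the client peer's AllowedIPs
    if not server.accepts_from(client.name, src):
        return ("dropped", f"{server.name}: source {src} not in AllowedIPs of peer {client.name}, discarded after decryption")
    # 3. server egress: the reply to src must map back to the client peer
    back = server.peer_for_dest(src)
    if back is None or back.name != client.name:
        return ("dropped", f"{server.name}: reply to {src} matches no peer")
    # 4. client ingress: the reply's source (dst) must be inside the server peer's AllowedIPs
    if not client.accepts_from(server.name, dst):
        return ("dropped", f"{client.name}: reply source {dst} not in AllowedIPs of peer {server.name}")
    return ("reply", "request and reply both pass cryptokey routing")


def build(server_allowed_for_phone, client_allowed="0.0.0.0/0"):
    """Constructed scenario: the posted phone config against a hypothetical pfSense peer entry."""
    phone = Node("phone", ipaddress.ip_interface("10.0.100.2/32"),
                 {"pfsense": Peer("pfsense", parse_allowed_ips(client_allowed))})
    pfsense = Node("pfsense", ipaddress.ip_interface("10.0.100.1/24"),  # assumed tunnel address
                   {"phone": Peer("phone", parse_allowed_ips(server_allowed_for_phone))})
    return phone, pfsense


def check(server_allowed_for_phone, client_allowed="0.0.0.0/0", dst="10.0.100.1"):
    """Outcome of a ping from the phone to dst under the given AllowedIPs on both sides."""
    phone, pfsense = build(server_allowed_for_phone, client_allowed)
    return ping_path(phone, pfsense, dst)[0]


if __name__ == "__main__":
    for allowed in ("10.0.100.2/32", "10.0.100.0/24", "10.0.100.3/32", ""):
        outcome, detail = ping_path(*build(allowed), "10.0.100.1")
        print(f"pfSense peer AllowedIPs={allowed!r:16} -> {outcome}: {detail}")
    # split-tunnel client: a LAN destination outside the client's AllowedIPs is never sent
    print("client AllowedIPs=10.0.100.0/24, ping 192.168.2.10 ->",
          check("10.0.100.2/32", "10.0.100.0/24", "192.168.2.10"))
```

      On a real pfSense box the equivalent check is the AllowedIPs column of the peer entry under VPN > WireGuard > Peers, which must contain the client's tunnel address (10.0.100.2/32 here); `wg show` on the console shows the same value per peer.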
      viragomann @dangersheep

        @dangersheep
        When you're accessing a LAN device from the WG client, it will send response packets to the ISP router, since this is the default gateway.

        So either reconfigure your network and put pfSense in between the router and the LAN or nat the WG traffic on pfSense (masquerading).

      Bob.Dig @dangersheep (last edited by Bob.Dig)

          @dangersheep said in WireGuard on pfSense behind ISP router. Why do I need a static route?:

          Add a new WireGuard gateway with IP 10.0.100.1 for interface WG_HOST
          WireGuard interface: I assigned a new interface (WG_HOST) with address 10.0.100.1 to the wireguard tunnel and set its upstream gateway to the new WireGuard gateway

          Don't do that.

      dangersheep @viragomann

            @viragomann

            reconfigure your network and put pfSense in between the router and the LAN

            I'm sorry, I don't completely understand. Do you mean, put pfSense in front of the ISP router, facing the internet?

            nat the WG traffic on pfSense (masquerading)

      What would this look like? I assume you're talking about outbound NAT on the LAN interface? How does that solve the problem that traffic is wrongly being returned to the ISP router as the default gateway? Wouldn't it make more sense to add a route for traffic from the LAN subnet to the WG subnet?

            Apologies if my questions betray much ignorance. There is lots.

      viragomann @dangersheep

              @dangersheep said in WireGuard on pfSense behind ISP router. Why do I need a static route?:

              reconfigure your network and put pfSense in between the router and the LAN

              I'm sorry, I don't completely understand. Do you mean, put pfSense in front of the ISP router, facing the internet?

      I assume you need the ISP router for your internet connection. Otherwise you could replace it with the pfSense box.
      However, with the ISP router you can set it up this way: Internet > ISP router > pfSense > LAN subnet

      Maybe I misunderstood your post and you've set it up this way already?

              Obey what @Bob-Dig wrote above.
              Obviously I didn't read all your text before.

              You must not state an IP in the WG interface settings and you must not state a gateway there at all.
              Anyway there is no need to assign an interface to the WG instance as long as you don't need to policy route traffic to the remote site or other special purposes.

      dangersheep @viragomann

                  @viragomann said in WireGuard on pfSense behind ISP router. Why do I need a static route?:

      Maybe I misunderstood your post and you've set it up this way already?

                  Yes, that's the current setup: https://imgur.com/a/B1xla5Y
                  What's confusing, I suppose, is that there are two "LAN"s - one for the ISP router (which includes the WAN address of the pfSense box) and one behind pfSense.

      dangersheep @viragomann

                    @viragomann said in WireGuard on pfSense behind ISP router. Why do I need a static route?:

                    You must not state an IP in the WG interface settings and you must not state a gateway there at all.
                    Anyway there is no need to assign an interface to the WG instance as long as you don't need to policy route traffic to the remote site or other special purposes.

                    OK, I've removed the WG interface, moved the 'allow WG traffic' rule to the WireGuard tab, and removed the static route for WG traffic and the dedicated gateway rule for WG. But things are not working. I can establish a handshake, but my phone WG_PEER cannot even ping the WG_HOST interface (10.0.100.1).

                    Any clues as to what I'm doing wrong? The WireGuard firewall rule is trivial: all IPv4 traffic is allowed from * source to * destination.

      viragomann @dangersheep

                      @dangersheep
                      Yes, and also LAN devices are missing in the drawing.

      dangersheep @viragomann

                        @viragomann
      Right, I figured that would confuse things, but it might have been good to specify which LAN I was talking about. I'm referring to the LAN behind pfSense. Once I'm established on the WG tunnel with the handshake performed, I can't even ping the other end of the WireGuard tunnel (the WG_HOST interface), let alone the pfSense LAN interface.

      viragomann @dangersheep

                          @dangersheep
                          Did you remove the interface already or at least the IP and gateway settings?

                          Did you add a firewall rule to Wireguard or even the specific interface to allow access?

      dangersheep @Bob.Dig

                            @Bob-Dig Thank you. I've followed all your instructions. I've deleted the static route; I've deleted the wireguard gateway (now it defaults to WAN_DHCP); I've deleted the assigned interface for wireguard. However, the most I can do is establish a handshake.

      On my phone with WG active, I see a 'healthy' tx volume (23 KiB) after a minute or two, but just 700 B of rx traffic. The connection doesn't seem to be replying 'properly'.

      dangersheep @viragomann

                              @viragomann said in WireGuard on pfSense behind ISP router. Why do I need a static route?:

                              Did you remove the interface already or at least the IP and gateway settings?

      I removed the assigned interface. And I removed the gateway dedicated to WG. Now I only have one gateway (one each for IPv4 and IPv6), and I explicitly made "WAN_DHCP(6)" the default gateway for pfSense.

      dangersheep @viragomann

                                @viragomann said in WireGuard on pfSense behind ISP router. Why do I need a static route?:

                                Did you add a firewall rule to Wireguard or even the specific interface to allow access?

                                Yes.

                                On the WAN interface, there is one rule allowing all IPv4 UDP traffic addressed to the port 51820 on the WAN interface to pass.

                                On the WireGuard firewall tab (there is no longer a tab for the assigned interface - deleted - so this is just whatever default WireGuard 'interface' exists) there is just one rule that allows all IPv4 traffic to pass from any source/port to any source/port.

      viragomann @dangersheep

                                  @dangersheep
                                  So you should be able to ping the WG server IP and the pfSense LAN IP as well at least. Doesn't this work?

      dangersheep @dangersheep

                                    @viragomann

                                    As for how the rules are performing, I log when the WAN -> WG rule is passed, and I see that happening, with UDP traffic addressed to WAN_ADDRESS:51820.

                                    There is lots of blocked UDP traffic on WAN_ADDRESS but it seems to be mainly on port 137 coming from all sorts of ports on the upstream ISP-router LAN address = default gateway.

                                    In passing, why would there be traffic directed to pfSense_WAN:137 from the upstream gateway? I guess that's a response to a filesharing service somewhere behind pfSense - would that make any sense?

      dangersheep @viragomann

                                      @viragomann said in WireGuard on pfSense behind ISP router. Why do I need a static route?:

                                      So you should be able to ping the WG server IP and the pfSense LAN IP as well at least. Doesn't this work?

                                      No, that does not work. pfSense is configured to respond to ping and does so from a device on the LAN subnet. But when connected to the wireguard tunnel, it is not possible to ping anything.

      dangersheep @dangersheep

                                        @viragomann

                                        I can, for example, run wireshark on the wg interface on a device (using my phone data as hotspot). The handshake completes, but when I try to ping I see the ICMP traffic leaving 10.0.100.2 with destination 10.0.100.1 but never any reply.

      viragomann @dangersheep

                                            @dangersheep said in WireGuard on pfSense behind ISP router. Why do I need a static route?:

                                            In passing, why would there be traffic directed to pfSense_WAN:137 from the upstream gateway? I guess that's a response to a filesharing service somewhere behind pfSense - would that make any sense?

      If you're running the file sharing behind pfSense and didn't expose it, no related packets should be seen on the WAN.

      Maybe the router just tries to get NetBIOS information.

      For Kurviger I have a Tourer+ annual subscription, partly to support the project. Let's see,

                                            Do you see the packets, when sniffing the traffic on pfSense on the WG interface?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.