WireGuard on pfSense behind ISP router. Why do I need a static route?
-
My network looks like this, with pfSense behind an ISP router. Wireguard clients can handshake but not access LAN or WAN.
-
Client config:
[Interface]
PrivateKey = <redacted
Address = 10.0.100.2/32
[Peer]
PublicKey = <redacted>
AllowedIPs = 0.0.0.0/0
Endpoint = 150.25.45.1:51820 -
Port forwarding: Forward 51820 from ISP router to 192.168.1.100
-
Gateways:
-
Set the default pfSense gateway to WAN_DHCP
-
Add a new WireGuard gateway with IP 10.0.100.1 for interface WG_HOST
-
WireGuard interface: I assigned a new interface (WG_HOST) with address 10.0.100.1 to the wireguard tunnel and set its upstream gateway to the new WireGuard gateway
-
Firewall: 2 new rules
-
allow UDP traffic from ISP LAN to WAN address on port 51820
-
allow all traffic across WG_HOST interface
When I initiate a connection from the phone (in the picture below) on the 'client' side I quickly see a successful handshake with rx:400B/min, tx: 10 KiB/min. From the 'host' side, I see the same handshake with similar (but bigger) rx/tx.
HOWEVER, I'm unable to ping the WG_HOST interface address from the phone (pfSense responds on LAN) or get any DNS from pfSense. I also don't have any access to internet IP addresses or anything on the pfSense LAN network.
I CAN make it all work by creating a static route with destination network 10.0.100.0/24 and gateway WG_HOST-10.0.100.1.
-
Have I configured wireguard (interfaces & gateways) in the most sipmle way (given that I have to have pfSense behind an ISP router)
-
Do I need a static route? I have a feeling it shouldn't be needed, just to let the phone access pfSense services & let traffic out to Internet/pfSense LAN.
Any tips very gratefully received :)
-
-
@dangersheep
When you're accessing a LAN device from the WG client, it will send response packets to the ISP router, since this is the default gateway.So either reconfigure your network and put pfSense in between the router and the LAN or nat the WG traffic on pfSense (masquerading).
-
@dangersheep said in WireGuard on pfSense behind ISP router. Why do I need a static route?:
Add a new WireGuard gateway with IP 10.0.100.1 for interface WG_HOST
WireGuard interface: I assigned a new interface (WG_HOST) with address 10.0.100.1 to the wireguard tunnel and set its upstream gateway to the new WireGuard gatewayDon't do that.
-
reconfigure your network and put pfSense in between the router and the LAN
I'm sorry, I don't completely understand. Do you mean, put pfSense in front of the ISP router, facing the internet?
nat the WG traffic on pfSense (masquerading)
What would this look like? I assume you're talking about outbound NAT on the LAN interface? How does that solve the problem that traffic is wrongly being returned to the ISP router as the default gateway? Wouldn't it make more sense to add a route for traffic being from the LAN subnet to the WG subnet?
Apologies if my questions betray much ignorance. There is lots.
-
@dangersheep said in WireGuard on pfSense behind ISP router. Why do I need a static route?:
reconfigure your network and put pfSense in between the router and the LAN
I'm sorry, I don't completely understand. Do you mean, put pfSense in front of the ISP router, facing the internet?
I assume, you need the ISP router for your internet connection. Otherwise you could replace it with the pfSense box.
However, with ISP router you can it set up this way: Internet > ISP router > pfSense > LAN subnetMaybe I misunderstood you post and you've it set up this way already?
Obey what @Bob-Dig wrote above.
Obviously I didn't read all your text before.You must not state an IP in the WG interface settings and you must not state a gateway there at all.
Anyway there is no need to assign an interface to the WG instance as long as you don't need to policy route traffic to the remote site or other special purposes. -
This post is deleted! -
@viragomann said in WireGuard on pfSense behind ISP router. Why do I need a static route?:
Maybe I misunderstood you post and you've it set up this way already?
Yes, that's the current setup: https://imgur.com/a/B1xla5Y
What's confusing, I suppose, is that there are two "LAN"s - one for the ISP router (which includes the WAN address of the pfSense box) and one behind pfSense. -
@viragomann said in WireGuard on pfSense behind ISP router. Why do I need a static route?:
You must not state an IP in the WG interface settings and you must not state a gateway there at all.
Anyway there is no need to assign an interface to the WG instance as long as you don't need to policy route traffic to the remote site or other special purposes.OK, I've removed the WG interface, moved the 'allow WG traffic' rule to the WireGuard tab, and removed the static route for WG traffic and the dedicated gateway rule for WG. But things are not working. I can establish a handshake, but my phone WG_PEER cannot even ping the WG_HOST interface (10.0.100.1).
Any clues as to what I'm doing wrong? The WireGuard firewall rule is trivial: all IPv4 traffic is allowed from * source to * destination.
-
@dangersheep
Yes, and also LAN devices are missing in the drawing. -
@viragomann
Right, i figured that would confuse things but it might have been good to specify which LAN I was talking about. I'm referring to the LAN behind pfSense. Once I'm established on the wg tunnel with handshake performed, I can't even ping the other end of the wireguard tunnel (the WG_HOST interface) let alone the pfSense LAN interface. -
@dangersheep
Did you remove the interface already or at least the IP and gateway settings?Did you add a firewall rule to Wireguard or even the specific interface to allow access?
-
@Bob-Dig Thank you. I've followed all your instructions. I've deleted the static route; I've deleted the wireguard gateway (now it defaults to WAN_DHCP); I've deleted the assigned interface for wireguard. However, the most I can do is establish a handshake.
On my phone with wg active, I see a 'healthy' tx volume (23 KiB) after a minute or two, but just 700 B of rx traffic. The connection doesn't seem to be replying 'properly'
-
@viragomann said in WireGuard on pfSense behind ISP router. Why do I need a static route?:
Did you remove the interface already or at least the IP and gateway settings?
I removed the assigned interface. And I removed the gateway dedicated to WG. Now I only have one gateway (for each IPv4 and v6) and I explicitly made "WAN_DHCP(6)" the default gateway for pfSense.
-
@viragomann said in WireGuard on pfSense behind ISP router. Why do I need a static route?:
Did you add a firewall rule to Wireguard or even the specific interface to allow access?
Yes.
On the WAN interface, there is one rule allowing all IPv4 UDP traffic addressed to the port 51820 on the WAN interface to pass.
On the WireGuard firewall tab (there is no longer a tab for the assigned interface - deleted - so this is just whatever default WireGuard 'interface' exists) there is just one rule that allows all IPv4 traffic to pass from any source/port to any source/port.
-
@dangersheep
So you should be able to ping the WG server IP and the pfSense LAN IP as well at least. Doesn't this work? -
As for how the rules are performing, I log when the WAN -> WG rule is passed, and I see that happening, with UDP traffic addressed to WAN_ADDRESS:51820.
There is lots of blocked UDP traffic on WAN_ADDRESS but it seems to be mainly on port 137 coming from all sorts of ports on the upstream ISP-router LAN address = default gateway.
In passing, why would there be traffic directed to pfSense_WAN:137 from the upstream gateway? I guess that's a response to a filesharing service somewhere behind pfSense - would that make any sense?
-
@viragomann said in WireGuard on pfSense behind ISP router. Why do I need a static route?:
So you should be able to ping the WG server IP and the pfSense LAN IP as well at least. Doesn't this work?
No, that does not work. pfSense is configured to respond to ping and does so from a device on the LAN subnet. But when connected to the wireguard tunnel, it is not possible to ping anything.
-
I can, for example, run wireshark on the wg interface on a device (using my phone data as hotspot). The handshake completes, but when I try to ping I see the ICMP traffic leaving 10.0.100.2 with destination 10.0.100.1 but never any reply.
-
This post is deleted! -
@dangersheep said in WireGuard on pfSense behind ISP router. Why do I need a static route?:
In passing, why would there be traffic directed to pfSense_WAN:137 from the upstream gateway? I guess that's a response to a filesharing service somewhere behind pfSense - would that make any sense?
If you're running the filesharing behind pfSense and didn't expose it, there should no related packets be seen on the WAN.
Maybe the router just tries to get NetBIOS informations.
Für Kurviger habe ich ein Tourer+ Jahresabo, eben auch, um das Projekt zu unterstützen. Mal sehen,
Do you see the packets, when sniffing the traffic on pfSense on the WG interface?
