Wireguard Hub and Spoke Configuration
-
Hello All,
Looking for input on why I'm having this issue and a suggested fix.

I am currently in the middle of replacing old custom Linux servers set up as a firewall, DHCP server and IPIP tunnel, with two NICs (eth0=WAN, eth1=LAN); this setup is at five locations.

In our main office (HUB) we have a Linux server and one Palo Alto firewall set up in virtual-wire mode. The ISP router plugs into eth0 of the Linux server, eth1 of the Linux server plugs into PA firewall port 1, and port 2 of the PA firewall plugs into the LAN. Each remote office branch has an IPIP tunnel going back to the main office hub from its Linux server. I would just replace everything at once, but it's a location issue, and the other factor is we have all our remote offices' DNS traffic going back to our main office (HUB) for Active Directory. I'm trying to switch out the custom Linux servers at each branch after hours, one by one, with a pfSense box, using WireGuard for the tunnel back to our main office (HUB).

I have a green handshake on both ends in the pfSense WireGuard status, and from one remote office branch I can access the pfSense box over the tunnel using local IP 10.0.0.2, but from the main office (HUB) I can't access the remote office pfSense box using its IP 10.1.0.1 over the tunnel.

So it seems traffic is only going one way over the tunnel, and the other issue is that I can't access anything on the main office (HUB) local network other than the pfSense box IP of 10.1.0.2.

I see nothing being blocked on the Palo Alto firewall at the main office (HUB). I'm thinking this may be an asymmetric routing issue, but I'm not sure if it's on the pfSense box in the main office (HUB) or the PA firewall at the main office (HUB). Any suggestion would be greatly appreciated.
-
@aero45 Did you create the necessary gateways and routes in pfSense? The WireGuard plugin in pfSense does not automatically add routes for the networks set in "Allowed IPs".
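To make the point above concrete, here is an added example (not from this thread or from pfSense) that models how a LAN-to-LAN packet is checked on each side of a WireGuard hub-and-spoke tunnel: the sender needs an OS route into the tunnel interface and a peer "Allowed IPs" entry covering the destination, and the receiver accepts the packet only if its source falls inside the receiver's "Allowed IPs" for that peer. The subnets (hub LAN 10.0.0.0/24, spoke LAN 10.1.0.0/24, tunnel 10.255.0.0/24) and both configs are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumed, not the thread's real addressing).
SITES = {
    "hub":   {"lan": "10.0.0.0/24", "tun": "10.255.0.1"},
    "spoke": {"lan": "10.1.0.0/24", "tun": "10.255.0.2"},
}

def covers(prefixes, addr):
    """True if addr falls inside any of the CIDR prefixes."""
    a = ip_address(addr)
    return any(a in ip_network(p) for p in prefixes)

def trace(src_site, src_ip, dst_site, dst_ip, allowed, routes):
    """Walk one packet through the tunnel; return the first failing check or 'ok'.

    allowed[site]: the Allowed IPs that site configured for its peer. WireGuard
      uses this list to pick the peer for outbound traffic AND to accept inbound
      traffic only when the source address is inside it.
    routes[site]: destination prefixes the OS routing table sends into the
      WireGuard interface (pfSense does not create these from Allowed IPs).
    """
    if not covers(routes[src_site], dst_ip):
        return f"{src_site}: no route to {dst_ip} via the tunnel interface"
    if not covers(allowed[src_site], dst_ip):
        return f"{src_site}: peer Allowed IPs does not include destination {dst_ip}"
    if not covers(allowed[dst_site], src_ip):
        return f"{dst_site}: inbound packet dropped, source {src_ip} not in Allowed IPs"
    return "ok"

def check_both_ways(allowed, routes):
    """Return (spoke->hub result, hub->spoke result) for LAN-to-LAN traffic."""
    hub_host = str(ip_network(SITES["hub"]["lan"])[10])      # 10.0.0.10
    spoke_host = str(ip_network(SITES["spoke"]["lan"])[10])  # 10.1.0.10
    return (trace("spoke", spoke_host, "hub", hub_host, allowed, routes),
            trace("hub", hub_host, "spoke", spoke_host, allowed, routes))

# Constructed "broken" config: the hub lists only the spoke's tunnel /32 and has
# no static route for the spoke LAN, so traffic works in one direction only.
BROKEN_ALLOWED = {"hub": ["10.255.0.2/32"], "spoke": ["10.255.0.1/32", "10.0.0.0/24"]}
BROKEN_ROUTES = {"hub": ["10.255.0.0/24"], "spoke": ["10.255.0.0/24", "10.0.0.0/24"]}
# Corrected config: the spoke LAN is added to the hub's Allowed IPs and routes.
FIXED_ALLOWED = {"hub": ["10.255.0.2/32", "10.1.0.0/24"], "spoke": BROKEN_ALLOWED["spoke"]}
FIXED_ROUTES = {"hub": ["10.255.0.0/24", "10.1.0.0/24"], "spoke": BROKEN_ROUTES["spoke"]}

if __name__ == "__main__":
    print(check_both_ways(BROKEN_ALLOWED, BROKEN_ROUTES))
    print(check_both_ways(FIXED_ALLOWED, FIXED_ROUTES))
```

Running the broken config reports the spoke's packets being dropped at the hub (source not in Allowed IPs) and the hub having no route toward the spoke LAN, which is the one-way pattern described in the question.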
-
@paoloposo If you are referring to System > Routing and creating a gateway and a static route for the WireGuard network, yes I did.

One piece of information I forgot to mention: when I do an IP scan from the remote office to the main office over the WireGuard tunnel, I am able to see three internal IP addresses on the main office network and that is it. One IP is our GlobalProtect IP that is NATed from internal to external, the second IP is the pfSense box LAN IP address and the third IP is the Dell EqualLogic SAN internal IP.