Struggling to get wireguard working without static routes
-
Hello
In my office I have two pfsense boxes for HA, one of them is in an unraid server, way faster, more powerful, but is restarted often. This one is my main firewall. The other one is in an aging microserver gen8 that has been rock solid for a decade but with VPN requirements it's a bit long in the tooth.
I have them both configured with config sync (which I may as well forget if I can't figure this out, but I enjoy these kind of challenges). I have another site (my home) with another pfsense box, and I have a wireguard VPN configured between both office routers and my home router.
I have CARP configured, so when router 1 goes down internet access is not affected and all is good in the universe.
But keeping the VPN alive just doesn't work.
home:
- network: 192.168.200.0/24
- wireguard1 IP: 10.10.90.2/30
- wireguard2 IP: 10.10.90.6/30
office router 1
- network: 192.168.1.0/24
- wireguard IP: 10.10.90.1/30
office router 2
- network: 192.168.1.0/24
- wireguard IP: 10.10.90.5/30
The first issue I had is config sync, because when using router 1 I want these routes:
- home: 192.168.1.0/24 -> 10.10.90.1
- office: 192.168.200.0/24 -> 10.10.90.2
When router 2 is up I want these:
- home: 192.168.1.0/24 -> 10.10.90.5
- office: 192.168.200.0/24 -> 10.10.90.6
So if I were to use static routes I couldn't possibly create different gateways due to config sync. To solve that I created the tunnel from the other box with another peer that will never go up. That way I have two interfaces with two different IP addresses and two different gateways created.
One gateway shows up as offline on each firewall.
So that's all fine; then I created a gateway group, and then I added rules on the interfaces using the gateway group. I removed the static routes on both sides and expected it to work.
But no, no traffic passes on either side. So am I doing something wrong? Without the static routes it just doesn't work, but shouldn't PBR allow me to bypass this?
The other alternative would be easy: disable config sync for some items and just have a different gateway configuration on the two office routers. But I really want this to work as is, and logic tells me it should be correct. Or set up OSPF. But I'm stubborn.
Why wouldn't traffic pass when the static routes are gone? Traffic entering LAN would be routed correctly with PBR. Right? Even if I were to use just one firewall this would happen nonetheless. I need the routes in place for the VPN to work despite rules being in place for this very purpose.
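As an added diagnostic (not part of the post above, and not pfSense's own tooling), here is a small script that reads `wg show all dump` output from the home-side router and checks the two things the failover depends on for each tunnel: whether the office-side peer's AllowedIPs (WireGuard's cryptokey routing, which decides which peer a packet may leave through regardless of kernel routes or PBR) actually cover 192.168.1.0/24, and whether that peer has handshaken recently enough to count as up. The interface names `tun_wg0`/`tun_wg1`, the endpoints and the keys are constructed placeholders for the topology in the post.

```python
# Added example: parse `wg show all dump` and report, per tunnel, whether the
# office LAN is inside the peer's AllowedIPs and whether the peer is fresh.
import ipaddress
import time

HANDSHAKE_MAX_AGE = 180  # seconds; an active peer re-handshakes roughly every 2 min
REMOTE_LAN = ipaddress.ip_network("192.168.1.0/24")  # office LAN behind both tunnels
# tunnel interface -> office-side tunnel address used as the pfSense gateway
GATEWAYS = {"tun_wg0": "10.10.90.1", "tun_wg1": "10.10.90.5"}

NOW = 1_700_000_000  # constructed "current time" so the sample is deterministic
# Constructed dump: tun_wg0 peer is healthy; tun_wg1 peer is stale and its
# AllowedIPs is missing the office LAN, so it could never carry that traffic.
SAMPLE_DUMP = f"""\
tun_wg0\t(hidden)\tHOME_PUB_PLACEHOLDER\t51820\toff
tun_wg0\tOFFICE1_PUB_PLACEHOLDER\t(none)\t203.0.113.10:51820\t10.10.90.1/32,192.168.1.0/24\t{NOW - 40}\t12345\t6789\t25
tun_wg1\t(hidden)\tHOME_PUB_PLACEHOLDER\t51821\toff
tun_wg1\tOFFICE2_PUB_PLACEHOLDER\t(none)\t203.0.113.11:51820\t10.10.90.5/32\t{NOW - 900}\t100\t200\t25
"""

def parse_dump(text):
    """Return {iface: [peer dicts]} from tab-separated `wg show all dump` output."""
    peers = {}
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) == 5:  # interface line: iface, privkey, pubkey, listen-port, fwmark
            peers.setdefault(f[0], [])
            continue
        # peer line: iface, pubkey, psk, endpoint, allowed-ips, last-handshake, rx, tx, keepalive
        peers.setdefault(f[0], []).append({
            "pubkey": f[1],
            "allowed": [ipaddress.ip_network(a) for a in f[4].split(",") if a and a != "(none)"],
            "handshake": int(f[5]),
        })
    return peers

def tunnel_status(dump_text, now=None):
    """Per tunnel: does AllowedIPs cover the office LAN, and is the peer fresh?"""
    now = time.time() if now is None else now
    status = {}
    for iface, plist in parse_dump(dump_text).items():
        for p in plist:
            covers = any(REMOTE_LAN.subnet_of(n) for n in p["allowed"])
            fresh = p["handshake"] > 0 and (now - p["handshake"]) <= HANDSHAKE_MAX_AGE
            status[iface] = {"covers_remote_lan": covers, "up": fresh, "gateway": GATEWAYS.get(iface)}
    return status

def usable_gateway(dump_text, now=None):
    """First tunnel that is both up and has correct AllowedIPs, or None."""
    for s in tunnel_status(dump_text, now).values():
        if s["up"] and s["covers_remote_lan"]:
            return s["gateway"]
    return None
```

On a live box, feed it `wg show all dump` instead of `SAMPLE_DUMP`; a tunnel whose peer reports `covers_remote_lan: False` will drop packets for the office LAN no matter which gateway PBR picks.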