Roadwarrior working locally but being blocked by pfblockerng coming into the WAN address
-
I have 3 sites with 6100s. WG site to site working great for many years already. Need to be able to access from time to time from my phone.. got Road Warrior up and running on 2 sites (that do not have pfblockerng), the 3rd site has pfblockerng and I think it's blocking my phone. Is there something I need to do to pfblockerng to make it work with Wireguard? Tried NAT rule, pored over google, turned pfBlockerNG off.. hoping you guys have an answer or suggestion. Thank you guys!
-
@a-dresner
Is there any other incoming access possible on the problematic site? If so enable logging in pfBlockerNG and in WAN firewall rules and also logging of the default block rule. Then try to access and check the logs after.
-
@viragomann thank you for taking time to suggest that. I have 2 IPSEC connections and 2 site to site Wireguard working fine. The Wireguard ports are managed via an Alias so I just need to add the new port to the Alias and it should be enough for the rules.
Many other incoming connections working fine... RDP Gateway, Active Sync, and more.
It's been a minute since I had to troubleshoot my PFSense, I will figure out how to turn on those logs and check what you suggest.
-
@viragomann RESOLVED, thank you
I followed your recommendations and found this issue in the logs:
Mar 23 12:50:30 WAN1 Default deny rule IPv4 (1000000103)
I added a new rule (separate from my alias based port allow rule) and boom, I'm working. I also found that my WG port allow alias rule was set to TCP (the other 2 6100 are UDP), I wonder how long that has been like that and why my tunnels were working so well all this time lol
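As an added illustration of the log check suggested in this thread (example code, not from any poster or from pfSense itself): scan pfSense filterlog entries for packets dropped by the default deny rule on the WireGuard port and compare them with the protocol the WAN allow rule is configured for. The listen port 51820, the CSV field layout and the sample log lines are assumptions constructed for the example; the tracker id 1000000103 is the one in the log line above.

```python
# Added example (not from the thread): find WireGuard traffic hitting the
# default deny rule and report protocols the WAN allow rule does not cover.
from collections import Counter

DEFAULT_DENY_TRACKER = "1000000103"   # tracker id in the log line quoted above
WG_PORT = 51820                       # assumed listen port; the thread does not state it

# Constructed sample lines. Assumed layout: syslog prefix, then the pfSense
# filterlog CSV: rule,sub-rule,anchor,tracker,iface,reason,action,direction,
# ip-version, then (IPv4) tos,ecn,ttl,id,offset,flags,proto-id,proto,length,
# src,dst,src-port,dst-port,... or (IPv6) class,flow,hop,proto,proto-id,
# length,src,dst,src-port,dst-port,...
SAMPLE_LOG = """\
Mar 23 12:50:30 fw filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,17,udp,180,203.0.113.25,198.51.100.10,51820,51820,160
Mar 23 12:50:31 fw filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,17,udp,180,203.0.113.25,198.51.100.10,51820,51820,160
Mar 23 12:50:40 fw filterlog[1234]: 7,,,1770000001,igb0,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.40,198.51.100.10,54000,443,0,S,1:1,,
Mar 23 12:50:42 fw filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,none,1,icmp,84,203.0.113.50,198.51.100.10,request,1,2
"""

def parse_filterlog_line(line):
    """Return the fields a rule check needs, or None if not a filterlog entry."""
    if "filterlog" not in line:
        return None
    f = line.split(": ", 1)[1].split(",")
    entry = {"tracker": f[3], "iface": f[4], "action": f[6], "dir": f[7]}
    if f[8] == "4":
        proto, dport_idx = f[16], 21
    elif f[8] == "6":
        proto, dport_idx = f[12], 18
    else:
        return None
    entry["proto"] = proto.lower()
    # Only TCP/UDP carry a destination port; ICMP and others get None.
    entry["dport"] = int(f[dport_idx]) if entry["proto"] in ("tcp", "udp") else None
    return entry

def default_deny_hits(log_text, port):
    """Count inbound packets to `port` dropped by the default deny rule, keyed by protocol."""
    hits = Counter()
    for line in log_text.splitlines():
        e = parse_filterlog_line(line)
        if (e and e["action"] == "block" and e["dir"] == "in"
                and e["tracker"] == DEFAULT_DENY_TRACKER and e["dport"] == port):
            hits[e["proto"]] += 1
    return hits

def uncovered_protocols(log_text, port, allow_rule_proto):
    """Protocols reaching the default deny on `port` that the WAN allow rule
    (configured as 'tcp', 'udp' or 'tcp/udp') does not cover."""
    allowed = set(allow_rule_proto.lower().split("/"))
    return {p: n for p, n in default_deny_hits(log_text, port).items() if p not in allowed}

if __name__ == "__main__":
    print(uncovered_protocols(SAMPLE_LOG, WG_PORT, "tcp"))   # {'udp': 2}
```

A non-empty result means the allow rule's protocol does not match what the peer actually sends; for WireGuard that must be UDP.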