pfSense port forwarding across WireGuard VPN - asymmetric routing issue
-
Trying to set up a VPS so that when my router fails over to 5G with CG-NAT, my Exchange servers can still receive on port 25.
I want the VPS to forward SMTP traffic across the WireGuard VPN and the server to respond via the correct gateway.
VPS site - pfSense with static public IP WAN, WireGuard network 10.8.0.0/30, gateway is 10.8.0.2
Home site - pfSense with dynamic cable WAN, failover to 5G, home network IP address range 192.168.1.0/24, WireGuard gateway is 10.8.0.1, Exchange server DAG address 192.168.1.31
Port forwarding is set up on the VPS site to 192.168.1.31.
Packets arrive OK at the Exchange DAG, however replies are being sent out the local gateway. I have tried setting up a rule on the home site LAN to send anything from the Exchange DAG port 25 to the VPN gateway. Still goes out the local WAN.
I have tried setting outbound NAT rules; doesn't work.
Messed around with the reply-to settings and tried tagging traffic; nothing works.
The only way it works is if I set up a static route on the home site to the public IP (I'm testing from) with the VPN as the gateway.
Surely there is a way to get this working?
-
@Tom5051
On the home pfSense, assign an interface to the WireGuard instance in Interfaces > Assignments.
Select the proper wg instance, e.g. wg01, at "Available network ports" and hit Add. Go into the new interface settings, enable it and enter a friendly name if desired. Then go to Firewall > Rules > WireGuard, which is in fact an interface group for wg instances, edit the pass rule and change the interface to the one you added before.
Note that there must be no pass rule on an interface group or on the floating tab matching the forwarded traffic from the remote site, for proper routing back of the response packets.
-
I figured it out in the end.
The guide I followed to set up the site-to-site WireGuard tunnel specified not setting the upstream gateways on the tunnels and using static routes to avoid double NAT.
It also stops reply-to from working correctly.
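Added illustration, not from any post in this thread, of the mechanism behind the reply above and the final resolution, written as the pf rules pfSense generates from the GUI. Interface names and the VPS public address are assumptions: tun_wg0 is the home WireGuard instance, WG_VPS is the interface assigned to it, em0/WAN is the home cable WAN, and 203.0.113.10 stands in for the VPS public IP. Addresses follow the thread: the VPS end of the tunnel is 10.8.0.1, the home end is 10.8.0.2, and the Exchange DAG is 192.168.1.31.

```pf
# --- VPS pfSense (tunnel address 10.8.0.1) ---
# The port forward rewrites only the destination (no double NAT, per the
# guide the OP followed), so the packet arrives at the home site with the
# real sender's public address still in the source field. The home box
# therefore has to make a routing decision for the reply.
rdr on $WAN inet proto tcp from any to 203.0.113.10 port 25 -> 192.168.1.31 port 25
pass in quick on $WAN inet proto tcp from any to 192.168.1.31 port 25 flags S/SA keep state

# --- home pfSense (tunnel address 10.8.0.2), pass rule on the interface GROUP ---
# This is the broken case. "WireGuard" is the pf interface group pfSense
# creates for all wg instances. A group has no gateway, so no reply-to is
# attached: the state is created, but the SYN-ACK from 192.168.1.31 is
# routed by the main routing table and leaves via the cable WAN default
# route (or the 5G WAN after failover), where the sender never sees it.
pass in quick on WireGuard inet proto tcp from any to 192.168.1.31 port 25 flags S/SA keep state

# --- home pfSense, pass rule on the ASSIGNED interface that has a gateway ---
# This is the working case. pfSense adds reply-to to rules on interfaces
# with a gateway; assigning the wg instance and giving it a gateway of
# 10.8.0.1 is what makes that happen. reply-to pins every reply packet of
# this state to tun_wg0 via 10.8.0.1, so the SYN-ACK goes back into the
# tunnel regardless of which WAN currently holds the default route.
pass in quick on $WG_VPS reply-to ( tun_wg0 10.8.0.1 ) inet proto tcp from any to 192.168.1.31 port 25 flags S/SA keep state
```

Two checks on the home box confirm which case you are in: `pfctl -sr | grep reply-to` must list the port 25 rule with `reply-to ( tun_wg0 10.8.0.1 )`, and `pfctl -ss | grep 192.168.1.31:25` should show the state on the assigned interface rather than on the group. Because rules are `quick`, any earlier match on the floating tab or on the WireGuard group wins and creates a state without reply-to, which is why the reply insists there be no such rule for this traffic.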