Netgate Discussion Forum

    Traffic between WG interfaces is blocked...

    WireGuard
    3 Posts 3 Posters 346 Views
    • JustAnotherUser
      last edited by JustAnotherUser

      WireGuardIssue2.png
      Computer 1 & 3 can reach everything.
      Computer 2 can only reach the local LANs (and the WANs).

      Computer 2 can reach (ping) WG1's interface IP
      Computer 2 can NOT reach (ping) WG0's interface IP
      Computer 2 can NOT reach the Router 2.

      WireGuard, WG0, and WG1's firewall rules are ALLOW ALL (all protocols)

      WG0's gateways and routing are set correctly because Computer 1 & 3 reach everything.

      The issue is that WG1 traffic is not being routed to the WG0 interface on Router 1.

      I CAN NOT find what is preventing this.

      AllowedIPs are:

      Router 1
      WG0:192.168.253.2/32, 192.168.2.0/24
      WG1: 192.168.254.11/32

      Router 2
      WG0:192.168.253.1/32, 192.168.1.0/24

      Computer 2
      WG1: 0.0.0.0/0

      Gateway and static routes are set up and working because Computer 1 & 3 can reach everything.

      NOTE: WG1 is a dynamic IP (the ISP is blocking incoming connections) so Computer 2 is 'client only'. This is important. In every configuration that I have tried, machines on ISP NAT'd connections can't connect between WG tunnels.
      This is the common factor because I set up a 'site to site' router on an ISP NAT'd (client only) connection and it behaved the same way.

      @Jarhead said in Wireguard - Traffic between WG interfaces is blocked...:

      @JustAnotherUser Also, you would have to allow computer 2 & 4's subnets across the WG0 tunnel.

      I did. I removed Router 2's WG1 (to take it out of the equation) and I added Computer 2's subnet to the Allowed IPs on router 2. No effect. Still broken.

      The ONE commonality of this issue is that ONLY machines on Dynamic IPs (Computer 2) are affected. They are 'client only' and do not have the 'server part' set up (because they are on connections that are NAT'd by the ISP and can't accept incoming connections).

      The issue is that Router 1 is not passing data between WG1 and WG0 (WG1's IP is pingable, WG0's IP is not from Computer 2).

      I feel as though this is a NAT issue (though I don't know why NAT is even involved since these are all local subnets) because the gateways and static routes are all setup and work fine on the SITE2SITE connections.

      AND the NAT outbound rules are all automatic and work fine for the SITE2SITE (WG0) connections.

    • Bob.Dig LAYER 8 @JustAnotherUser
        last edited by Bob.Dig

        @JustAnotherUser said in Traffic between WG interfaces is blocked...:

        Computer 2 can NOT reach (ping) WG0's interface IP

        What IP do you mean exactly?

        @JustAnotherUser said in Traffic between WG interfaces is blocked...:

        WG1 is a dynamic IP (the ISP is blocking incoming connections) so Computer 2 is 'client only'. This is important.

        This is nothing special. So Site1 has an open port for WireGuard for Computer 2 to reach. Don't forget to set persistent-keepalive on Computer 2 towards Site 1.

        • Jarhead @JustAnotherUser

          @JustAnotherUser I guess I'll say it again, you would have to allow computer 2 across the WG0 tunnel.

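The AllowedIPs lists in the first post and Jarhead's point about allowing Computer 2 across the WG0 tunnel both come down to WireGuard's cryptokey routing: a peer's AllowedIPs is at once the outbound route (which peer receives a packet for a given destination) and the inbound filter (a decrypted packet is kept only if its source address lies in the sending peer's AllowedIPs), and a packet failing the inbound check is dropped silently, before any firewall rule sees it. The Python model below is an added example, not code from the thread, from pfSense or from WireGuard. It uses the WG0 AllowedIPs exactly as listed in the first post; the LAN host addresses 192.168.1.10 and 192.168.2.10 and the subnet 192.168.254.0/24 are assumptions (only 192.168.254.11/32 appears in the post), and WG1 itself is not modelled.

```python
"""Model of WireGuard cryptokey routing across the WG0 tunnel from the thread.

Added illustration, not project code: it mimics how the kernel/pfSense
WireGuard implementation consults a peer's AllowedIPs in both directions.
"""
import ipaddress
from dataclasses import dataclass, field


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


@dataclass
class WgInterface:
    owner: str                  # host owning this interface, e.g. "Router 1"
    name: str                   # e.g. "WG0"
    # remote host name -> AllowedIPs configured for that peer on this interface
    peers: dict = field(default_factory=dict)


def select_peer(iface, dst):
    """Outbound side: longest-prefix match of dst over every peer's AllowedIPs."""
    best, best_len = None, -1
    for remote, allowed in iface.peers.items():
        for net in allowed:
            if dst in net and net.prefixlen > best_len:
                best, best_len = remote, net.prefixlen
    return best


def accepts_source(iface, remote, src):
    """Inbound side: src must fall inside the AllowedIPs configured for `remote`."""
    return any(src in net for net in iface.peers.get(remote, []))


def forward(src, dst, sender, receiver):
    """Trace one packet over the tunnel from `sender` to `receiver`.

    Returns "delivered", "dropped-no-route" (no AllowedIPs covers dst),
    "dropped-other-peer" (dst routes to a different peer) or
    "dropped-inbound" (receiver discards it because src is not allowed)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    chosen = select_peer(sender, dst)
    if chosen is None:
        return "dropped-no-route"
    if chosen != receiver.owner:
        return "dropped-other-peer"
    if not accepts_source(receiver, sender.owner, src):
        return "dropped-inbound"          # silent: no firewall log entry
    return "delivered"


def page_config():
    """WG0 on both routers, AllowedIPs exactly as listed in the first post."""
    r1 = WgInterface("Router 1", "WG0",
                     {"Router 2": nets("192.168.253.2/32", "192.168.2.0/24")})
    r2 = WgInterface("Router 2", "WG0",
                     {"Router 1": nets("192.168.253.1/32", "192.168.1.0/24")})
    return r1, r2


def fixed_config():
    """Same, with Computer 2's tunnel subnet (assumed 192.168.254.0/24) added to
    Router 2's AllowedIPs for Router 1: Router 2 then accepts packets sourced
    from it and routes replies to it back into the tunnel."""
    r1, r2 = page_config()
    r2.peers["Router 1"] += nets("192.168.254.0/24")
    return r1, r2


# Sample addresses: the LAN hosts are constructed; COMPUTER_2 is the WG1
# AllowedIPs entry from the post.
COMPUTER_1 = "192.168.1.10"     # constructed, on Router 1's LAN
LAN2_HOST = "192.168.2.10"      # constructed, on Router 2's LAN
COMPUTER_2 = "192.168.254.11"   # from the thread


def round_trip(src, dst, r1, r2):
    """Outcome of the request over WG0 and of the reply coming back."""
    return forward(src, dst, r1, r2), forward(dst, src, r2, r1)


if __name__ == "__main__":
    for label, cfg in (("as posted", page_config()),
                       ("with 192.168.254.0/24 on Router 2", fixed_config())):
        print(label)
        print("  Computer 1 -> LAN2:", round_trip(COMPUTER_1, LAN2_HOST, *cfg))
        print("  Computer 2 -> LAN2:", round_trip(COMPUTER_2, LAN2_HOST, *cfg))
```

With the AllowedIPs as posted, Computer 1's traffic crosses WG0 in both directions, while a packet from 192.168.254.11 is routed into the tunnel by Router 1 (its destination matches 192.168.2.0/24) and then discarded by Router 2 on arrival, and a reply would not even find a route back. Adding the subnet on Router 2's peer entry is enough in this model for both directions, because Router 1 already allows 192.168.2.0/24 as a source. The drop happens inside WireGuard, so a pcap on the WG0 interface of the receiving router never shows the packet and the firewall logs stay empty; that is the check to make before suspecting NAT.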
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.