Netgate Discussion Forum

    Firewall State Policy Floating States needed but why

    • Bob.DigB
      Bob.Dig LAYER 8
      last edited by Bob.Dig

      I have two VPS, both with pfSense CE. They are connected via WireGuard. I have a port forward from one WAN to a host on the other VPS, via the WireGuard tunnel. But this works if both CEs have Firewall State Policy: Floating States. I have no clue why Interface Bound States doesn't work.

      • V
        viragomann @Bob.Dig
        last edited by

        @Bob-Dig
        On the destination site you have to move over the pass rule for incoming traffic from remote from the WireGuard interface group to the dedicated WG instance interface.

        Best to remove any pass rules from the WireGuard group tab.

        • Bob.DigB
          Bob.Dig LAYER 8 @viragomann
          last edited by Bob.Dig

          @viragomann I got none. And gave up on it. But if you have further advice, I will take it. Kinda looks to me, it could be CE related.

          • Bob.DigB
            Bob.Dig LAYER 8
            last edited by Bob.Dig

            Maybe someone is willing to help me understand this.

            This is the rule in question at the destination pfSense. If I set only its State Policy to Floating States, it will work.
            [Image: Screenshot 2024-10-29 221531.png]
            Interestingly the screen doesn't show that an advanced setting is changed/set.

            This Interface is configured as a WAN-type interface (gateway set), SNAT is manually disabled.

            • Bob.DigB
              Bob.Dig LAYER 8
              last edited by Bob.Dig

              I tested this with pfSense Plus and CE and only CE is affected. My guess is that the new Firewall State Policy is not fully implemented in CE right now. Or it is a difference in the WireGuard Package.
              Edit: I created a report on redmine.

              Working: [Image: Working.png]

              Not working: [Image: NotWorking.png]

              Edit: Fixed it by upgrading to plus. 😉

              • Bob.DigB
                Bob.Dig LAYER 8 @Bob.Dig
                last edited by Bob.Dig

                @jimp According to this poster, the problem with the Firewall State Policy still exists in CE 2.8. He is using a DSL-Connection as secondary WAN. So the problem is with Port Forwards on WANs which are not the default gateway.
