Wireguard Site to Site Internet Passthrough
-
I have a site to site working between two pfSense servers. One is the main site and the other is the remote site that connects into the main site. How do I set up internet passthrough so the remote site goes through the main site? I am looking for what additional steps I need to set up over the basic site to site.
-
@Ryu945 You define the S2S GW as the default gateway in your LAN rules for the remote site.
-
@lnguyen I did that but it still doesn't work. I even tried pinging an ip address and nothing could be reached. I need every change that needs to be added to both the servers.
I can find guides on how to setup a wireguard S2S but I can't find the additional steps needed to enable internet passthrough.
-
@Ryu945 said in Wireguard Site to Site Internet Passthrough:
@lnguyen I did that but it still doesn't work. I even tried pinging an ip address and nothing could be reached. I need every change that needs to be added to both the servers.
I can find guides on how to setup a wireguard S2S but I can't find the additional steps needed to enable internet passthrough.
What is in AllowedIP on remote site?
-
The mainsitelan/24, Tunneladdressip/32 and 0.0.0.0/0
I also have NAT rules on the main site saying
Interface: WAN
Source IP: Tunnel address ip on that side /24
Destination: Any
Gateway: WAN
I also have a firewall rule on the remote side saying
Interface: LAN
Source: LAN Subnet
Destination: any
Gateway: Wireguard Connection
On the Main Site, I have a firewall rule on the Wireguard Connection Interface allowing any connection. I also tried putting a rule saying to use WAN.
-
Hard to tell - I've never had access to Internet done this way - i.e. via the "main" site.
I would suggest enabling and configuring the Squid package on the main site's pfSenses, making it listen on a CARP IP, and then
- route all remote site's TCP 80/443 traffic to the proxy using a floating rule.
OR - enforce all remote site hosts using the proxy server by Puppet, Ansible and/or GPO.
That will let you control users' access to the internet at the remote (and main?) site(s).
-
@CapitanBlack I tried a traceroute to an IP address on the internet from the remote server and it says that it can't reach the LAN Router IP. This only happens when I have the internet setup to go through Wireguard. It can reach it fine when it is setup to go through WAN.
-
Did you go to Firewall | NAT | Outbound and change the Outbound NAT Mode to Hybrid Outbound NAT? You also need to add a Mapping for the remote subnet. pfSense automatically generates the entries for all subnets local to the firewall. Since you are wanting to NAT out from the main site you need to add the subnets to the main site.
-
@lnguyen I already added this on the main site since that is the only one going to the outside internet. It shouldn't be needed on the remote site since that traffic should be going over wireguard.
-
@Ryu945 The source IP address is not the tunnel but the remote LAN subnet.
-
@lnguyen Thank you for this. I forgot that since wireguard did not rewrite the outgoing packet (which is an option) then the source is the remote LAN network. I'll try this and see how it works.
-
@lnguyen I am getting internet through wireguard now but I have another issue with internet. I can ping any external site but I can't get DNS resolution. I have rules in place that allow anything to the server on the wireguard firewall rules. I also have DNS redirect rules to server.
-
@Ryu945 Did you add the remote subnet to the main site @ Services | DNS Resolver | Access Lists?
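As an added illustration (not from any poster), a small checklist validator for the three points raised in this thread: the remote peer's AllowedIPs must contain 0.0.0.0/0, the main site's Hybrid/Manual outbound NAT mapping must use the remote LAN subnet as its source (not the tunnel subnet, the mistake above), and the main site's DNS Resolver access list must cover the remote LAN. All addresses and config keys are constructed for the example.

```python
import ipaddress

# Constructed example: a checklist validator for the pfSense WireGuard S2S
# internet-passthrough setup discussed in the thread. All addresses are made up.

def covers(rule_sources, subnet):
    """True if any rule source network contains the whole subnet."""
    net = ipaddress.ip_network(subnet)
    return any(
        r.supernet_of(net)
        for r in map(ipaddress.ip_network, rule_sources)
        if r.version == net.version
    )

def check_passthrough(cfg):
    """Return a list of problems; an empty list means the checklist passes."""
    problems = []
    remote_lan = ipaddress.ip_network(cfg["remote_lan"])
    # 1. Remote peer must send all traffic into the tunnel: AllowedIPs needs 0.0.0.0/0.
    if not covers(cfg["remote_allowed_ips"], "0.0.0.0/0"):
        problems.append("remote AllowedIPs lacks 0.0.0.0/0")
    # 2. Main site: Hybrid/Manual outbound NAT with a mapping whose source is the
    #    remote LAN subnet. WireGuard does not rewrite the source address, so the
    #    packets leaving the main WAN carry remote LAN sources, not tunnel ones.
    if cfg["main_outbound_nat_mode"] not in ("hybrid", "manual"):
        problems.append("main outbound NAT mode must be Hybrid or Manual")
    if not covers(cfg["main_outbound_nat_sources"], remote_lan):
        problems.append(f"main outbound NAT has no mapping covering {remote_lan}")
    # 3. Main site DNS Resolver access list must accept queries from the remote LAN.
    if not covers(cfg["main_dns_acl"], remote_lan):
        problems.append(f"main DNS Resolver ACL does not allow {remote_lan}")
    return problems

# Constructed configs: BROKEN mirrors the thread's mistake (NAT source = tunnel /24).
BROKEN = {
    "remote_lan": "192.168.2.0/24",
    "remote_allowed_ips": ["192.168.1.0/24", "10.0.100.1/32", "0.0.0.0/0"],
    "main_outbound_nat_mode": "hybrid",
    "main_outbound_nat_sources": ["10.0.100.0/24"],
    "main_dns_acl": ["10.0.100.0/24"],
}
FIXED = dict(BROKEN, main_outbound_nat_sources=["192.168.2.0/24"],
             main_dns_acl=["10.0.100.0/24", "192.168.2.0/24"])

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_passthrough(cfg) or "ok")
```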
-
@lnguyen I added both the wireguard interface and LAN address of the remote site to the main router's access list. I added the wireguard interface to the access list of the remote server. I still do not get DNS.
-
I tried
nslookup website.com DNSIP
command to see where the DNS is failing. When I specify the router on the remote LAN network, it resolves correctly. When I specify the wireguard address, it fails instantly. When I specify the other server's router on the main LAN site, it fails instantly.
edit: It is strange that I can ping the servers over port 53 with a traceroute but I can't get the DNS to work.