Netgate Discussion Forum

    Wireguard Site to Site Internet Passthrough

    WireGuard
    15 Posts 3 Posters 818 Views
      CapitanBlack @Ryu945
      last edited by CapitanBlack

      @Ryu945

      Hard to tell - I've never had Internet access done this way - i.e. via the "main" site.

      I would suggest enabling and configuring the Squid package on the main site's pfSenses, making it listen on a CARP IP, and then

      1. route all remote site's TCP 80/443 traffic to the proxy using a floating rule,
        OR
      2. enforce the proxy server on all remote site hosts by Puppet, Ansible or/and GPO.

      That will let you control users' access to the internet at the remote (and main?) site(s).

        Ryu945 @CapitanBlack
        last edited by

        @CapitanBlack I tried a traceroute to an IP address on the internet from the remote server and it says that it can't reach the LAN Router IP. This only happens when I have the internet set up to go through Wireguard. It can reach it fine when it is set up to go through WAN.

          lnguyen
          last edited by

          Did you go to Firewall | NAT | Outbound and change the Outbound NAT Mode to Hybrid Outbound NAT? You also need to add a Mapping for the remote subnet. pfSense automatically generates the entries for all subnets local to the firewall. Since you want to NAT out from the main site, you need to add the subnets to the main site.

            Ryu945 @lnguyen
            last edited by

            @lnguyen I already added this on the main site since that is the only one going to the outside internet. It shouldn't be needed on the remote site since that traffic should be going over wireguard.

              lnguyen @Ryu945
              last edited by

              @Ryu945 The source IP address is not the tunnel but the remote LAN subnet.

                Ryu945 @lnguyen
                last edited by Ryu945

                @lnguyen Thank you for this. I forgot that since wireguard did not rewrite the outgoing packet (which is an option), the source is the remote LAN network. I'll try this and see how it works.

                  Ryu945 @lnguyen
                  last edited by

                  @lnguyen I am getting internet through wireguard now, but I have another issue with the internet. I can ping any external site but I can't get DNS resolution. I have rules in place that allow anything to the server in the wireguard firewall rules. I also have DNS redirect rules to the server.

                    lnguyen @Ryu945
                    last edited by

                    @Ryu945 Did you add the remote subnet to the main site @ Services | DNS Resolver | Access Lists?

                      Ryu945 @lnguyen
                      last edited by

                      @lnguyen I added both the wireguard interface and LAN address of the remote site to the main router's access list. I added the wireguard interface to the access list of the remote server. I still do not get DNS.

                        Ryu945
                        last edited by Ryu945

                        I tried

                        nslookup website.com DNSIP

                        to see where the DNS is failing. When I specify the router on the remote LAN network, it resolves correctly. When I specify the wireguard address, it fails instantly. When I specify the other server's router on the main LAN site, it fails instantly.

                        edit: It is strange that I can ping the servers over port 53 with a traceroute but I can't get the DNS to work.

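The nslookup results above distinguish two very different failure modes: a query that fails instantly usually means the resolver did answer, but with an error code, whereas a routing, NAT or firewall problem shows up as a timeout with no reply at all. The script below is an added example for this thread, not code from any of the posters or from pfSense. It sends a raw DNS query over UDP to each candidate server and reports the response code, so that a REFUSED reply can be told apart from a timeout. It assumes that Unbound (the pfSense DNS Resolver) answers REFUSED to a source address outside its access lists rather than silently dropping the query, which is Unbound's default "refuse" action; the server addresses and the hostname are placeholders.

```python
"""Probe DNS servers directly and classify how they fail.

Added example for this thread (not from the original posts). Assumptions:
the server addresses and hostname below are placeholders, and Unbound is
assumed to answer REFUSED to clients outside its access lists (its default
"refuse" action) rather than dropping the query silently.
"""
import random
import socket
import struct

# Response codes from RFC 1035 section 4.1.1 (low four bits of the flags word).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

# What each outcome usually means when clients at a remote site cannot resolve
# through a resolver on the far side of a tunnel.
HINTS = {
    "NOERROR": "resolver answered; DNS itself works from this source address",
    "REFUSED": "resolver reached but it declined the query: check that this client's "
               "source subnet is in the resolver's access lists (assumed Unbound behaviour)",
    "SERVFAIL": "resolver reached but upstream resolution failed: check the resolver's own outbound path",
    "TIMEOUT": "no reply at all: the query or the reply is dropped by routing, NAT or firewall rules",
    "PORT_UNREACHABLE": "host reached but nothing is listening on UDP/53 there",
}


def build_query(name: str, qid: int, qtype: int = 1) -> bytes:
    """Build a minimal DNS query (default: A record) with the recursion-desired bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def parse_response(data: bytes, expected_id: int) -> dict:
    """Parse the 12-byte header of a DNS reply: id match, response code name, answer count."""
    if len(data) < 12:
        raise ValueError("DNS message shorter than a header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("message is a query, not a response")
    rcode = flags & 0x000F
    return {
        "id_ok": qid == expected_id,
        "rcode": RCODES.get(rcode, f"RCODE{rcode}"),
        "answers": an,
    }


def probe(server: str, name: str, timeout: float = 2.0) -> str:
    """Send one UDP query to `server` and return an outcome key from HINTS."""
    qid = random.randrange(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, qid), (server, 53))
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "TIMEOUT"
        except ConnectionRefusedError:
            # Linux surfaces an ICMP port-unreachable on a UDP socket this way.
            return "PORT_UNREACHABLE"
    parsed = parse_response(data, qid)
    if not parsed["id_ok"]:
        return "TIMEOUT"  # a stray reply with the wrong id is not a valid answer
    return parsed["rcode"]


def explain(outcome: str) -> str:
    """Map an outcome key to a one-line troubleshooting hint."""
    return HINTS.get(outcome, f"unexpected outcome {outcome}")


if __name__ == "__main__":
    # Placeholder addresses standing in for the remote-site router, the tunnel
    # address of the main-site router and the main-site LAN address.
    for server in ("192.0.2.1", "10.0.0.1", "198.51.100.1"):
        outcome = probe(server, "website.com")
        print(f"{server:>15}: {outcome:<16} {explain(outcome)}")
```

Run it from a host on the remote LAN and compare the three servers: a REFUSED from the tunnel or main-site LAN address while the remote router answers NOERROR points at the resolver's access lists on the main site, while a TIMEOUT on the same addresses points back at the outbound NAT mapping or firewall rules discussed earlier in the thread.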
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.