Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Wireguard S2S and pfSense HA connecttion issue

    Scheduled Pinned Locked Moved
    WireGuard
    3
    6
    63
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      CapitanBlack
      last edited by CapitanBlack

      Have two sites connected by Wireguard via WAN - everything works great but can't figure out one thing:

      HQ_LAN <===> pfSense1 <=> WAN <==[ WG_tunnel ]==> WAN <==> pfSense 3 <===> BRANCH_LAN  
                |                                            |
             HA_LAN                                       HA_LAN  
                |                                            | 
HQ_LAN <===> pfSense2                                      pfSense4  <===> BRANCH_LAN

      I can't connect to pfSense4 from HQ_LAN and can't connect to pfSense2 from BRANCH_LAN. I can ping these hosts but no TCP connection. Tcpdump shows incoming SYNs but no answer is sent. The rest of communication between sites works just fine.

      R 1 Reply Last reply Reply Quote 0
      • R
        Ryu945 @CapitanBlack
        last edited by

        @CapitanBlack Can you give some details on how you set up the LAN and how you setup the Wireguard Tunnel. Also, what is in the allowed IPs of your Wireguard Peer? I don't know what HA LAN is so I can't comment on that.

        C 1 Reply Last reply Reply Quote 0
        • C
          CapitanBlack @Ryu945
          last edited by CapitanBlack

          @Ryu945 said in Wireguard S2S and pfSense HA connecttion issue:

          @CapitanBlack Can you give some details on how you set up the LAN and how you setup the Wireguard Tunnel. Also, what is in the allowed IPs of your Wireguard Peer? I don't know what HA LAN is so I can't comment on that.

          HQ_LAN = 192.168.1.0/24
          BRANCH_LAN = 192.168.2.0/24
          wg_tunnel = 192.168.10.0/24

          pfSense1 LAN IP 192.168.1.1
          pfSense2 LAN IP 192.168.1.2

          pfSense3 LAN IP 192.168.2.1
          pfSense4 LAN IP 192.168.2.2

          pfSense1 WG tunnel IP = 192.168.10.1/24
          pfSense3 WG tunnle IP = 192.168.10.2/24

          pfSense1 peer AllowedIPs = 192.168.10.0/24, 192.168.2.0/24
          pfSense3 peer AllowedIPs = 192.168.10.0/24, 192.168.1.0/24

          I can access any IPs on both sides without any problem but NOT:

          • 192.168.2.2 from 192.168.1.0/24
          • 192.168.1.2 from 192.168.2.0/24

          The HA_LAN is an isolated LAN for pfSense High Availability (HA) and sync and doesn't play any role here. Shown for info purposes.

          N 1 Reply Last reply Reply Quote 0
          • N
            Neverstopdreaming @CapitanBlack
            last edited by

            @CapitanBlack
            If I undestood correctly your setup, you need an outbound NAT rule for the HQ_LAN on the pfsense3 and BRANCH_LAN on pfsense1

            https://docs.netgate.com/pfsense/en/latest/troubleshooting/ha-vpn-secondary.html

            C 2 Replies Last reply Reply Quote 1
            • C
              CapitanBlack @Neverstopdreaming
              last edited by

              @Neverstopdreaming said in Wireguard S2S and pfSense HA connecttion issue:

              @CapitanBlack
              If I undestood correctly your setup, you need an outbound NAT rule for the HQ_LAN on the pfsense3 and BRANCH_LAN on pfsense1

              https://docs.netgate.com/pfsense/en/latest/troubleshooting/ha-vpn-secondary.html

              Thanks a lot - looks like what I need! I remebr I did it once six years ago but forgotten details.

              1 Reply Last reply Reply Quote 0
              • C
                CapitanBlack @Neverstopdreaming
                last edited by

                @Neverstopdreaming said in Wireguard S2S and pfSense HA connecttion issue:

                @CapitanBlack
                If I undestood correctly your setup, you need an outbound NAT rule for the HQ_LAN on the pfsense3 and BRANCH_LAN on pfsense1

                https://docs.netgate.com/pfsense/en/latest/troubleshooting/ha-vpn-secondary.html

                It worked great! Thanks again!

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post