Netgate Discussion Forum
    Wireguard S2S and pfSense HA connection issue

    6 Posts 3 Posters 290 Views
    CapitanBlack

      Have two sites connected by Wireguard via WAN - everything works great but can't figure out one thing:

      HQ_LAN <===> pfSense1 <=> WAN <==[ WG_tunnel ]==> WAN <==> pfSense 3 <===> BRANCH_LAN  
                      |                                            |
                   HA_LAN                                       HA_LAN  
                      |                                            | 
      HQ_LAN <===> pfSense2                                      pfSense4  <===> BRANCH_LAN  
      

      I can't connect to pfSense4 from HQ_LAN and can't connect to pfSense2 from BRANCH_LAN. I can ping these hosts but no TCP connection. Tcpdump shows incoming SYNs but no answer is sent. The rest of the communication between sites works just fine.

      Ryu945 @CapitanBlack
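      The symptom described above (SYNs arriving at the secondary node, no SYN-ACK ever leaving) can be pulled out of a capture mechanically. The following is an added example, not code from the thread or from Netgate: it parses constructed `tcpdump -n` lines (the addresses match the thread's topology, the flows and timestamps are made up) and reports every TCP flow whose SYNs were never answered with a SYN-ACK, while ICMP lines are ignored, which is why the ping pair in the sample does not show up.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n` output (not from the thread): one flow to the
# HA secondary that only ever shows retransmitted SYNs, one healthy handshake to the
# primary, and a ping pair that shows ICMP works while TCP does not.
CAPTURE = """\
12:00:01.000100 IP 192.168.1.10.51000 > 192.168.2.2.443: Flags [S], seq 100, win 64240, length 0
12:00:02.000200 IP 192.168.1.10.51000 > 192.168.2.2.443: Flags [S], seq 100, win 64240, length 0
12:00:04.000300 IP 192.168.1.10.51000 > 192.168.2.2.443: Flags [S], seq 100, win 64240, length 0
12:00:05.000400 IP 192.168.1.10.51001 > 192.168.2.1.443: Flags [S], seq 200, win 64240, length 0
12:00:05.000500 IP 192.168.2.1.443 > 192.168.1.10.51001: Flags [S.], seq 300, ack 201, win 65535, length 0
12:00:05.000600 IP 192.168.1.10.51001 > 192.168.2.1.443: Flags [.], ack 301, win 64240, length 0
12:00:06.000700 IP 192.168.1.10 > 192.168.2.2: ICMP echo request, id 7, seq 1, length 64
12:00:06.000800 IP 192.168.2.2 > 192.168.1.10: ICMP echo reply, id 7, seq 1, length 64
"""

# Matches the IPv4 TCP summary line tcpdump prints with -n:
# "IP a.b.c.d.port > e.f.g.h.port: Flags [..]"
TCP_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)


def find_half_open(capture):
    """Return {(src, sport, dst, dport): syn_count} for flows whose SYNs never got a SYN-ACK."""
    syn_counts = defaultdict(int)
    answered = set()
    for line in capture.splitlines():
        m = TCP_RE.search(line)
        if not m:
            continue  # ICMP, ARP, etc. carry no TCP flags
        src, sport, dst, dport, flags = m.groups()
        flow = (src, int(sport), dst, int(dport))
        if flags == "S":
            syn_counts[flow] += 1
        elif "S" in flags and "." in flags:
            # A SYN-ACK travels server -> client; store it under the client's flow key
            answered.add((dst, int(dport), src, int(sport)))
    return {flow: n for flow, n in syn_counts.items() if flow not in answered}


def unanswered_destinations(capture):
    """Collapse half-open flows to the hosts that never answer, sorted for stable output."""
    per_host = defaultdict(int)
    for (_, _, dst, _), n in find_half_open(capture).items():
        per_host[dst] += n
    return sorted(per_host.items())


if __name__ == "__main__":
    for flow, n in find_half_open(CAPTURE).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: {n} SYN(s), no SYN-ACK")
    print("hosts that never answer:", unanswered_destinations(CAPTURE))
```

      Run against a real capture taken on the tunnel interface of the primary node, a host that shows up only in the half-open list while its neighbour on the same subnet completes handshakes is the asymmetric-return signature this thread is about.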

        @CapitanBlack Can you give some details on how you set up the LAN and how you set up the Wireguard Tunnel. Also, what is in the allowed IPs of your Wireguard Peer? I don't know what HA LAN is so I can't comment on that.

        CapitanBlack @Ryu945

          @Ryu945 said in Wireguard S2S and pfSense HA connection issue:

          @CapitanBlack Can you give some details on how you set up the LAN and how you set up the Wireguard Tunnel. Also, what is in the allowed IPs of your Wireguard Peer? I don't know what HA LAN is so I can't comment on that.

          HQ_LAN = 192.168.1.0/24
          BRANCH_LAN = 192.168.2.0/24
          wg_tunnel = 192.168.10.0/24

          pfSense1 LAN IP 192.168.1.1
          pfSense2 LAN IP 192.168.1.2

          pfSense3 LAN IP 192.168.2.1
          pfSense4 LAN IP 192.168.2.2

          pfSense1 WG tunnel IP = 192.168.10.1/24
          pfSense3 WG tunnel IP = 192.168.10.2/24

          pfSense1 peer AllowedIPs = 192.168.10.0/24, 192.168.2.0/24
          pfSense3 peer AllowedIPs = 192.168.10.0/24, 192.168.1.0/24

          I can access any IPs on both sides without any problem but NOT:

          • 192.168.2.2 from 192.168.1.0/24
          • 192.168.1.2 from 192.168.2.0/24

          The HA_LAN is an isolated LAN for pfSense High Availability (HA) and sync and doesn't play any role here. Shown for info purposes.

          Neverstopdreaming @CapitanBlack

            @CapitanBlack
            If I understood your setup correctly, you need an outbound NAT rule for the HQ_LAN on the pfsense3 and BRANCH_LAN on pfsense1

            https://docs.netgate.com/pfsense/en/latest/troubleshooting/ha-vpn-secondary.html

            CapitanBlack @Neverstopdreaming
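            To see why an outbound NAT rule on the primary node fixes the one-way TCP problem, here is an added example that is not part of the thread or of Netgate's documentation. It models the branch side of the thread's topology in plain Python: pfSense4 is given a routing table with only its directly connected LAN and a default route out its own WAN (an assumption about the HA secondary, not something the thread states), and pfSense3 optionally carries the outbound NAT rule the linked article describes, translating HQ_LAN sources destined for the secondary's LAN IP to pfSense3's own LAN address. The interface names (`tun_wg0`, `lan`, `wan`) are labels chosen for the model.

```python
import ipaddress

# Constructed model of the thread's branch side. Assumptions not stated in the thread:
# the WireGuard tunnel terminates only on the primary (pfSense3), and the secondary
# (pfSense4) has no route for HQ_LAN other than its default route out its own WAN.
HQ_LAN = ipaddress.ip_network("192.168.1.0/24")
BRANCH_LAN = ipaddress.ip_network("192.168.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

PFSENSE3_LAN_IP = "192.168.2.1"   # primary, as given in the thread
PFSENSE4_LAN_IP = "192.168.2.2"   # secondary, as given in the thread

# Routing table of pfSense4: (prefix, egress interface label).
PFSENSE4_ROUTES = [(BRANCH_LAN, "lan"), (ANY, "wan")]

# Outbound NAT rule on pfSense3's LAN interface: HQ_LAN -> secondary's LAN IP,
# source translated to pfSense3's LAN address (the shape the linked article suggests).
NAT_RULE = {"iface": "lan", "src": HQ_LAN, "dst": PFSENSE4_LAN_IP, "to": PFSENSE3_LAN_IP}


def next_hop(routes, dst):
    """Longest-prefix match over a routing table; returns the egress interface label."""
    dst = ipaddress.ip_address(dst)
    matches = [(prefix, iface) for prefix, iface in routes if dst in prefix]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(src, nat_rules):
    """Follow a TCP SYN from src (an HQ_LAN host) to pfSense4 and its SYN-ACK back.

    Returns (hops, reply_delivered). Each hop is (node, egress interface, source
    address as seen on that hop)."""
    hops = [("pfSense1", "tun_wg0", src), ("pfSense3", "lan", src)]
    nat_state = {}  # pfSense3's NAT state: translated address -> original address
    seen_src = src
    for rule in nat_rules:
        if (rule["iface"] == "lan"
                and ipaddress.ip_address(src) in rule["src"]
                and rule["dst"] == PFSENSE4_LAN_IP):
            seen_src = rule["to"]
            nat_state[seen_src] = src
            hops[-1] = ("pfSense3", "lan", f"{src} -> {seen_src} (outbound NAT)")
    # pfSense4 answers whatever source address it saw in the SYN
    egress = next_hop(PFSENSE4_ROUTES, seen_src)
    hops.append(("pfSense4", egress, seen_src))
    if egress != "lan":
        # The SYN-ACK leaves via the secondary's WAN and never re-enters the tunnel
        return hops, False
    # The reply lands on pfSense3, which reverses the translation and sends it home
    original = nat_state.get(seen_src, seen_src)
    hops.append(("pfSense3", "tun_wg0", original))
    hops.append(("pfSense1", "lan", original))
    return hops, True


if __name__ == "__main__":
    for label, rules in (("without NAT", []), ("with NAT on pfSense3", [NAT_RULE])):
        hops, ok = trace("192.168.1.10", rules)
        print(f"{label}: reply delivered = {ok}")
        for node, iface, addr in hops:
            print(f"  {node:9s} out {iface:8s} src {addr}")
```

            Without the rule, pfSense4 sees a source in 192.168.1.0/24, has no route for it except its default, and the SYN-ACK leaves on its WAN; with the rule, the SYN appears to come from pfSense3's LAN address, the reply stays on the LAN, and pfSense3's NAT state puts the original address back before forwarding into the tunnel. The same reasoning applies mirrored at HQ, which is why the thread's fix needs a rule on pfSense1 for BRANCH_LAN as well.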

              @Neverstopdreaming said in Wireguard S2S and pfSense HA connection issue:

              @CapitanBlack
              If I understood your setup correctly, you need an outbound NAT rule for the HQ_LAN on the pfsense3 and BRANCH_LAN on pfsense1

              https://docs.netgate.com/pfsense/en/latest/troubleshooting/ha-vpn-secondary.html

              Thanks a lot - looks like what I need! I remember I did it once six years ago but had forgotten the details.

              CapitanBlack @Neverstopdreaming

                @Neverstopdreaming said in Wireguard S2S and pfSense HA connection issue:

                @CapitanBlack
                If I understood your setup correctly, you need an outbound NAT rule for the HQ_LAN on the pfsense3 and BRANCH_LAN on pfsense1

                https://docs.netgate.com/pfsense/en/latest/troubleshooting/ha-vpn-secondary.html

                It worked great! Thanks again!

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.