Netgate Discussion Forum

Firewall Rules for Wireguard S2S VPN in a Multi-WAN Environment with Multiple LAN

4 Posts 2 Posters 493 Views
algo7, Feb 10, 2025, 3:03 AM (last edited by algo7 Feb 10, 2025, 3:04 AM)

    I have had an S2S WG VPN running for a while, but recently I got another ISP connection for some redundancy in terms of general connectivity.

    I only have a single LAN, so I set up a load-balanced GW Group with both WAN1 and WAN2 on Tier 1. In the firewall rules of the LAN, I changed the "Default Allow Any Rule" on LAN from using "default (follows the system routing table)" to using the load-balanced GW Group.

    Everything worked fine, but the S2S VPN stopped working. After some googling, I managed to get it to work by setting up another firewall rule, above the "Default Allow Any Rule", that routes everything destined to the remote site's LAN using "default (follows the system routing table)" in the rule's gateway setting.

    My question is: if I have multiple LAN interfaces, do I have to create such a rule for each interface, or do a floating rule, in order for clients connected to those interfaces to be able to reach the remote site via the S2S VPN?

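A small model of the rule evaluation behind this thread, added here as an illustration (it is not code from the thread or from pfSense): first-match rules per interface, a gateway of "default" meaning a routing-table lookup, and any other gateway meaning policy routing that bypasses the routing table. The subnet 10.20.0.0/24, the gateway names and the "wg0" next hop are assumed.

```python
import ipaddress

# Assumed remote-site subnet and a simplified system routing table:
# the tunnel carries the remote LAN, WAN1 holds the default route.
REMOTE_LAN = ipaddress.ip_network("10.20.0.0/24")
ROUTING_TABLE = [  # (destination, next hop)
    (REMOTE_LAN, "wg0"),                          # remote site via the WireGuard tunnel
    (ipaddress.ip_network("0.0.0.0/0"), "WAN1"),  # default route
]

def route_lookup(dst):
    """Longest-prefix match; this is what a rule gateway of 'default' uses."""
    best = max((n for n, _ in ROUTING_TABLE if dst in n), key=lambda n: n.prefixlen)
    return dict(ROUTING_TABLE)[best]

def rule(ifaces, dst="0.0.0.0/0", gateway="default", floating=False):
    """One pass rule. Floating rules are modelled as 'quick' (evaluated first)."""
    ifaces = (ifaces,) if isinstance(ifaces, str) else tuple(ifaces)
    return {"ifaces": ifaces, "dst": ipaddress.ip_network(dst),
            "gateway": gateway, "floating": floating}

def egress(rules, in_iface, dst_ip):
    """Gateway chosen for a packet entering on in_iface, or 'blocked' (default deny).

    A matching rule whose gateway is not 'default' policy-routes the packet to that
    gateway regardless of the routing table; that is what broke the S2S tunnel.
    """
    dst = ipaddress.ip_address(dst_ip)
    ordered = [r for r in rules if r["floating"]] + [r for r in rules if not r["floating"]]
    for r in ordered:
        if in_iface in r["ifaces"] and dst in r["dst"]:
            return route_lookup(dst) if r["gateway"] == "default" else r["gateway"]
    return "blocked"

# The LAN "allow any" rule pinned to the load-balanced gateway group.
BROKEN = [rule("LAN", gateway="WANGROUP")]
# The thread's fix: a rule above it that keeps remote-LAN traffic on the routing table.
FIXED_LAN = [rule("LAN", dst=str(REMOTE_LAN)), rule("LAN", gateway="WANGROUP")]
# A second LAN interface that only got its own "allow any -> group" rule.
SECOND_LAN = FIXED_LAN + [rule("LAN2", gateway="WANGROUP")]
# Alternative: one floating (quick) rule covering every LAN interface.
FLOATING = [rule(("LAN", "LAN2"), dst=str(REMOTE_LAN), floating=True),
            rule("LAN", gateway="WANGROUP"), rule("LAN2", gateway="WANGROUP")]

if __name__ == "__main__":
    for name, rules, iface in [("broken", BROKEN, "LAN"), ("fixed", FIXED_LAN, "LAN"),
                               ("second LAN", SECOND_LAN, "LAN2"), ("floating", FLOATING, "LAN2")]:
        print(f"{name:10s} {iface} -> 10.20.0.5 exits via {egress(rules, iface, '10.20.0.5')}")
```

The second-LAN case shows the per-interface nature of the problem: a LAN2 rule set that only pins everything to the gateway group sends remote-site traffic out the WAN group again, so either LAN2 gets its own "default" gateway rule above it or a floating rule covers both interfaces.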
    Bob.Dig (LAYER 8), replying to algo7, Feb 10, 2025, 1:32 PM (last edited by Bob.Dig Feb 10, 2025, 2:15 PM)

      @algo7 said in Firewall Rules for Wireguard S2S VPN in a Multi-WAN Environment with Multiple LAN:

      My question

      With your changed rule you forced everything through the gateway group. But your S2S is not reachable via WAN; it is reachable differently. So you need more rules, or do it differently. One suggestion: keep "default" as the gateway in your LAN rule and change the Default Gateway in System > Routing > Gateways to your new gateway group.

      algo7, replying to Bob.Dig, Feb 10, 2025, 5:56 PM

        @Bob-Dig I see. So setting the default gateway to the gateway group should do the trick in general?

        I was just a bit confused when watching this video from Lawrence Systems:

        https://youtu.be/acDvlzmsnaE?t=317&si=8e8gKj_7g9BsbEQh

        From 5:23 (the link is already set to start there) to around 6:30, he changed the default LAN-to-Any rule to use the gateway group instead of changing the default gateway in the "Routing" tab.

        algo7, replying to Bob.Dig, Feb 11, 2025, 2:28 AM

          @Bob-Dig

          EDIT:

          Changing the default gateway under the "Routing" tab again caused the remote site to be inaccessible via the S2S VPN.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.