Netgate Discussion Forum

Unable to set up matching rules for traffic with Wireguard

    Rockojfonzo (last edited Mar 7, 2025, 9:28 AM)

    Hi there,
    I already tried to get answers in the "Firewalling" section but we're out of ideas there.

    I have a perfectly working WG tunnel that connects remote network 192.168.100.0/24 with local 192.168.11.0/24.

    Now I want to just limit the traffic somehow. And for that I need a matching FW rule.

    First attempt: The whole tunnel, running on port 50450:

    [2.7.2-RELEASE][admin@fw]/root: tcpdump -ni igc2 port 50454
    tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
    listening on igc2, link-type EN10MB (Ethernet), snapshot length 262144 bytes
    20:21:17.215574 IP6 2abc:1234:1234:30::2ac4.50454 > 2abd:11:5678:5678::e228:6dff:feb9:4ae8.50454: UDP, length 96
    20:21:17.215589 IP6 2abc:1234:1234:30::2ac4.50454 > 2abd:11:5678:5678::e228:6dff:feb9:4ae8.50454: UDP, length 96
    20:21:17.233468 IP6 2abd:11:5678:5678::e228:6dff:feb9:4ae8.50454 > 2abc:1234:1234:30::2ac4.50454: UDP, length 96
    20:21:17.233699 IP6 2abd:11:5678:5678::e228:6dff:feb9:4ae8.50454 > 2abc:1234:1234:30::2ac4.50454: UDP, length 96
    

    Rule: no match, no logging:
    [screenshot: Bildschirmfoto 2025-03-05 um 13.52.45.png]

    Next: Trying to match i.e. SMB 445 or 139 on LAN:

    [2.7.2-RELEASE][admin@fw]/root: tcpdump -ni igc1 port 445 or port 139
    tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
    listening on igc1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
    21:06:49.795443 IP 192.168.11.6.43750 > 192.168.100.100.445: Flags [F.], seq 3855556357, ack 853146708, win 229, options [nop,nop,TS val 1399014346 ecr 112590208], length 0
    21:06:49.795459 IP 192.168.11.6.43752 > 192.168.100.100.445: Flags [S], seq 334166509, win 29200, options [mss 1460,sackOK,TS val 1399014346 ecr 0,nop,wscale 7], length 0
    21:06:49.814822 IP 192.168.100.100.445 > 192.168.11.6.43752: Flags [S.], seq 3542171948, ack 334166510, win 28960, options [mss 1460,sackOK,TS val 112593711 ecr 1399014346,nop,wscale 7], length 0
    21:06:49.814986 IP 192.168.11.6.43752 > 192.168.100.100.445: Flags [.], ack 1, win 229, options [nop,nop,TS val 1399014365 ecr 112593711], length 0
    21:06:49.833525 IP 192.168.100.100.445 > 192.168.11.6.43750: Flags [F.], seq 1, ack 1, win 227, options [nop,nop,TS val 112593711 ecr 1399014346], length 0
    21:06:49.833684 IP 192.168.11.6.43750 > 192.168.100.100.445: Flags [.], ack 2, win 229, options [nop,nop,TS val 1399014384 ecr 112593711], length 0
    

    Floating Rules (direction any, I tried "in" and "out" also): no match, no logging
    [screenshot: Bildschirmfoto 2025-03-06 um 22.08.36.png]
    I also tried this as an interface "Pass" rule.

    Are there any ideas you fine people have? Or is this impossible due to the nature of wireguard?

    Thanks a lot!

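When a rule silently matches nothing, the quickest sanity check is to derive the rule's address family, protocol and port from the capture itself rather than from memory. The following script is an added example (not part of the post, and not Netgate or pfSense code): it parses the `tcpdump -n` lines quoted above, embedded here verbatim, and reports which packets a candidate rule (pf address family `inet`/`inet6`, protocol, port on either side) would see. Run on the post's captures it shows that the tunnel packets on igc2 are IPv6 UDP on port 50454 and the SMB packets on igc1 are IPv4 TCP on port 445, so a rule for the tunnel written with an IPv4 address family or for a different port matches none of them; that is worth comparing against the rule screenshots before looking anywhere else. The rule-matching helper is a deliberately simplified model of pf (no interface, direction or state handling) and the field names `af`, `proto` and `port` are this example's own.

```python
import re
from dataclasses import dataclass

# Captures quoted from the forum post above: WireGuard tunnel on igc2, SMB on igc1.
TUNNEL_CAPTURE = """\
20:21:17.215574 IP6 2abc:1234:1234:30::2ac4.50454 > 2abd:11:5678:5678::e228:6dff:feb9:4ae8.50454: UDP, length 96
20:21:17.215589 IP6 2abc:1234:1234:30::2ac4.50454 > 2abd:11:5678:5678::e228:6dff:feb9:4ae8.50454: UDP, length 96
20:21:17.233468 IP6 2abd:11:5678:5678::e228:6dff:feb9:4ae8.50454 > 2abc:1234:1234:30::2ac4.50454: UDP, length 96
20:21:17.233699 IP6 2abd:11:5678:5678::e228:6dff:feb9:4ae8.50454 > 2abc:1234:1234:30::2ac4.50454: UDP, length 96
"""

SMB_CAPTURE = """\
21:06:49.795443 IP 192.168.11.6.43750 > 192.168.100.100.445: Flags [F.], seq 3855556357, ack 853146708, win 229, options [nop,nop,TS val 1399014346 ecr 112590208], length 0
21:06:49.795459 IP 192.168.11.6.43752 > 192.168.100.100.445: Flags [S], seq 334166509, win 29200, options [mss 1460,sackOK,TS val 1399014346 ecr 0,nop,wscale 7], length 0
21:06:49.814822 IP 192.168.100.100.445 > 192.168.11.6.43752: Flags [S.], seq 3542171948, ack 334166510, win 28960, options [mss 1460,sackOK,TS val 112593711 ecr 1399014346,nop,wscale 7], length 0
21:06:49.814986 IP 192.168.11.6.43752 > 192.168.100.100.445: Flags [.], ack 1, win 229, options [nop,nop,TS val 1399014365 ecr 112593711], length 0
21:06:49.833525 IP 192.168.100.100.445 > 192.168.11.6.43750: Flags [F.], seq 1, ack 1, win 227, options [nop,nop,TS val 112593711 ecr 1399014346], length 0
21:06:49.833684 IP 192.168.11.6.43750 > 192.168.100.100.445: Flags [.], ack 2, win 229, options [nop,nop,TS val 1399014384 ecr 112593711], length 0
"""


@dataclass(frozen=True)
class Flow:
    af: str      # "inet" (IPv4) or "inet6" (IPv6), pf's address-family names
    proto: str   # "udp", "tcp" or "other"
    src: str
    sport: int
    dst: str
    dport: int


# Start of a "tcpdump -n" packet line: timestamp, IP or IP6, src, dst, then a protocol hint
# ("UDP," for UDP, "Flags" for TCP). Header lines such as "listening on igc2 ..." do not match.
LINE_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ (IP6?) (\S+) > (\S+): (\S+)")


def parse_tcpdump(text: str) -> list[Flow]:
    """Turn tcpdump -n output into Flow records; non-packet lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fam, src, dst, hint = m.groups()
        # tcpdump prints "host.port"; the port follows the last dot for both IPv4 and IPv6.
        src_host, sport = src.rsplit(".", 1)
        dst_host, dport = dst.rsplit(".", 1)
        proto = "udp" if hint.startswith("UDP") else "tcp" if hint.startswith("Flags") else "other"
        af = "inet6" if fam == "IP6" else "inet"
        flows.append(Flow(af, proto, src_host, int(sport), dst_host, int(dport)))
    return flows


def rule_matches(flows: list[Flow], af: str, proto: str, port: int) -> list[Flow]:
    """Simplified rule model: the flows a rule for (address family, protocol, port on either side) would see."""
    return [f for f in flows if f.af == af and f.proto == proto and port in (f.sport, f.dport)]


def summarize(flows: list[Flow]) -> dict:
    """Packet counts per (address family, protocol, service port), i.e. the facts a rule must agree with."""
    counts: dict = {}
    for f in flows:
        key = (f.af, f.proto, min(f.sport, f.dport))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    tunnel = parse_tcpdump(TUNNEL_CAPTURE)
    print("igc2 packets by (af, proto, port):", summarize(tunnel))
    print("rule inet/udp/50454 would match:", len(rule_matches(tunnel, "inet", "udp", 50454)))
    print("rule inet6/udp/50454 would match:", len(rule_matches(tunnel, "inet6", "udp", 50454)))
    smb = parse_tcpdump(SMB_CAPTURE)
    print("igc1 packets by (af, proto, port):", summarize(smb))
    print("rule inet/tcp/139 would match:", len(rule_matches(smb, "inet", "tcp", 139)))
```

Paste any fresh `tcpdump -n` output into the two string constants to reuse the check on another interface; the summary printed for each capture is exactly the set of (address family, protocol, port) triples a matching rule has to be written for.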
    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.