wireguard s2s firewall rule logs all have same source ip?
-
Hi,
I am pretty new to VPNs so please excuse my ignorance. I used the pfSense WireGuard info (https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-s2s.html) and a Lawrence Systems YouTube tutorial (https://www.youtube.com/watch?v=WXkWP-JZOd8) to set up a site-to-site WireGuard VPN with 2 SG-2100s (latest updates applied).
I have connectivity and now I am trying to restrict what each site can access with firewall rules on the WireGuard interface (called VPN_SATELLITE or VPN_HQ in the pfSense doco).
The unexpected thing I see when I log the current allow-all rule is that the source address is always the address of the remote SG-2100's WireGuard tunnel interface, not the network behind the tunnel. Note, I have multiple local networks behind the tunnel.
Do I need to create multiple tunnels if I want to restrict each of the local networks independently?
-
@tyn
OR
Do I need to do some NAT configuration? I haven't touched the NAT settings, they are the default automatic outbound NAT setting.
-
@tyn
Solved!
I changed the NAT configuration to Hybrid NAT, and for the WireGuard interface I disabled NAT.
Now I get the remote site's local IP addresses in the firewall log and I assume I will be able to create some firewall rules to restrict which hosts can communicate.
-
@tyn said in wireguard s2s firewall rule logs all have same source ip?:
I will be able to create some firewall rules to restrict which hosts can communicate.
True. Although you wouldn't have had to do any of the other stuff if you had made your WireGuard interface a LAN-type interface, instead of a WAN-type interface (gateway set in the interface config).
-
@Bob-Dig
Thanks for the advice. I guess I must have done something in the wrong order because I do have the gateway set in the WireGuard interface. If I remember correctly, I created the gateway at the same time as creating the interface. If I get a spare moment I will do some tests on my spare SG-1100 to see where I went wrong.
-
@tyn said in wireguard s2s firewall rule logs all have same source ip?:
I do have the gateway set in the wireguard interface.
Yes and with that it is a WAN-type interface.
-
@Bob-Dig
Yep, I get it. A bit of reconfiguration and I should have it working the way I had expected it to. Thanks
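A small check for the symptom described in this thread, added here as an example (not code from the thread or from Netgate): it parses pfSense filterlog lines and flags when every passed packet on the WireGuard interface is sourced from the peer's tunnel address, which is what outbound NAT still applied to the tunnel looks like, and what makes per-host rules on that interface impossible until NAT is disabled there. The filterlog field layout is assumed, and the interface name tun_wg0 and all addresses are constructed sample values.

```python
"""Spot NAT-masked sources on a pfSense WireGuard interface from filterlog lines.
Added example, not code from the thread or from Netgate/pfSense. Assumes the
pfSense filterlog CSV layout (rule,subrule,anchor,tracker,interface,reason,
action,direction,ipver, then for IPv4 tos,ecn,ttl,id,offset,flags,proto_id,
proto,length,src,dst,sport,dport); tun_wg0 and all addresses are constructed."""
from collections import Counter

# Constructed logs: the same flows from hosts behind the remote SG-2100, first
# with automatic outbound NAT still applied to the tunnel, then with it disabled.
PEER_TUNNEL_IP = "10.200.0.2"
LOG_NAT_ON = [
    "5,,,1000000103,tun_wg0,match,pass,in,4,0x0,,64,1,0,DF,6,tcp,60,10.200.0.2,192.168.1.10,50010,445",
    "5,,,1000000103,tun_wg0,match,pass,in,4,0x0,,64,2,0,DF,6,tcp,60,10.200.0.2,192.168.1.20,50011,22",
    "5,,,1000000103,tun_wg0,match,pass,in,4,0x0,,64,3,0,DF,6,tcp,60,10.200.0.2,192.168.1.10,50012,3389",
    "7,,,1000000201,mvneta1,match,pass,in,4,0x0,,64,4,0,DF,6,tcp,60,192.168.1.10,10.200.0.2,445,50010",
]
LOG_NAT_OFF = [
    "5,,,1000000103,tun_wg0,match,pass,in,4,0x0,,64,5,0,DF,6,tcp,60,192.168.20.15,192.168.1.10,50010,445",
    "5,,,1000000103,tun_wg0,match,pass,in,4,0x0,,64,6,0,DF,6,tcp,60,192.168.20.33,192.168.1.20,50011,22",
    "5,,,1000000103,tun_wg0,match,pass,in,4,0x0,,64,7,0,DF,6,tcp,60,10.200.0.2,192.168.1.1,50012,443",
    "9,,,1000000105,tun_wg0,match,block,in,4,0x0,,64,8,0,DF,6,tcp,60,192.168.20.99,192.168.1.10,50013,3389",
]


def parse_filterlog(line):
    """Return interface/action/src/dst of an IPv4 filterlog line, or None."""
    f = line.split(",")
    if len(f) < 20 or f[8] != "4":
        return None
    return {"iface": f[4], "action": f[6], "src": f[18], "dst": f[19]}


def source_profile(lines, iface):
    """Count source addresses of passed traffic logged on `iface`."""
    srcs = Counter()
    for line in lines:
        rec = parse_filterlog(line)
        if rec and rec["iface"] == iface and rec["action"] == "pass":
            srcs[rec["src"]] += 1
    return srcs


def is_nat_masked(lines, iface, peer_tunnel_ip, threshold=0.9):
    """True when nearly every passed packet on the VPN interface is sourced from
    the peer's tunnel address: outbound NAT is still rewriting the remote LAN
    hosts, so per-host firewall rules on this interface cannot work yet."""
    srcs = source_profile(lines, iface)
    total = sum(srcs.values())
    return total > 0 and srcs[peer_tunnel_ip] / total >= threshold
```

Once NAT is disabled on the tunnel interface, the profile shows the individual remote LAN hosts and the peer address only for traffic the remote firewall itself originates.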