Netgate Discussion Forum

wireguard s2s firewall rule logs all have same source ip?

7 Posts 2 Posters 442 Views
tyn, last edited 21 days ago

Hi,
I am pretty new to VPNs, so please excuse my ignorance. I used the pfSense WireGuard info (https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-s2s.html) and a Lawrence Systems YouTube tutorial (https://www.youtube.com/watch?v=WXkWP-JZOd8) to set up a site-to-site WireGuard VPN with two SG-2100s (latest updates applied).
I have connectivity, and now I am trying to restrict what each site can access with firewall rules on the WireGuard interface (called VPN_SATELLITE or VPN_HQ in the pfSense doco).
The unexpected thing I see when I log the current allow-all rule is that the source address is always the address of the remote SG-2100's WireGuard tunnel interface, not the network behind the tunnel. Note that I have multiple local networks behind the tunnel.
Do I need to create multiple tunnels if I want to restrict each of the local networks independently?

tyn @tyn, last edited 21 days ago

@tyn
Or, do I need to do some NAT configuration? I haven't touched the NAT settings; they are at the default automatic outbound NAT setting.

tyn @tyn, last edited 21 days ago

@tyn
Solved!
I changed the NAT configuration to Hybrid NAT, and for the WireGuard interface I disabled NAT.
Now I get the remote site's local IP addresses in the firewall log, and I assume I will be able to create some firewall rules to restrict which hosts can communicate.

Bob.Dig @tyn, last edited 21 days ago

@tyn said in "wireguard s2s firewall rule logs all have same source ip?":

"I will be able to create some firewall rules to restrict which hosts can communicate."

True. Although you wouldn't have had to do any of the other stuff if you had made your WireGuard interface a LAN-type interface instead of a WAN-type interface (gateway set in the interface config).

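The symptom tyn logged and the cause Bob.Dig points at fit together: pfSense's automatic outbound NAT generates a masquerade rule for every WAN-type interface (any interface with a gateway selected), so the sending firewall rewrites its LAN hosts' source addresses to its own tunnel address before the packet enters WireGuard, and the receiving firewall's rules only ever see that one address. The following is an added example, not code from this thread or from pfSense: it parses raw filterlog entries (field order per pfSense's documented raw filter log format, IPv4 and IPv6, TCP/UDP) and reports whether inbound traffic on the WireGuard interface carries the peer's tunnel address or the remote LAN addresses, and how many entries a per-subnet firewall rule would actually match. The interface names tun_wg0 and mvneta1, the tracker ID, the site addressing and every log line are constructed assumptions. Because the masquerading happens on the sending side, the "do not NAT" rule (or a LAN-type interface) has to be in place at each site whose hosts should appear with their real addresses.

```python
"""Audit pfSense filterlog lines on a WireGuard interface: are sources the
remote site's LAN addresses, or only the peer's tunnel address (masqueraded)?

Added example; not code from the forum thread or from pfSense. Field
positions follow the documented raw filter log format. Interface names,
tracker IDs, addresses and all sample lines below are assumed/constructed.
"""
import ipaddress
from collections import Counter

# Assumed site layout (not from the thread): one tunnel address per SG-2100,
# two LANs behind HQ (192.168.10/24, 192.168.20/24), one LAN (v4 + ULA v6)
# behind the satellite.
TUNNEL_ADDRS = {"10.200.0.1", "10.200.0.2"}
REMOTE_LANS = [ipaddress.ip_network(n) for n in ("192.168.100.0/24", "fd00:100::/64")]
WG_IFACE = "tun_wg0"  # assumed real interface name of the WireGuard tunnel


def parse_filterlog(line):
    """Return the fields a firewall rule decides on from one filterlog entry.

    Accepts either the bare CSV or a syslog line ending in 'filterlog[pid]: '.
    """
    f = line.split("]: ", 1)[-1].strip().split(",")
    entry = {"tracker": f[3], "iface": f[4], "action": f[6], "dir": f[7], "ipver": f[8]}
    if f[8] == "4":   # tos, ecn, ttl, id, offset, flags, proto-id, proto-text, length
        proto, base = f[16], 17
    elif f[8] == "6": # class, flow-label, hop-limit, proto-text, proto-id, length
        proto, base = f[12], 14
    else:
        raise ValueError("unknown ip-version field: %r" % f[8])
    entry["proto"], entry["src"], entry["dst"] = proto, f[base + 1], f[base + 2]
    if proto in ("tcp", "udp"):
        entry["sport"], entry["dport"] = int(f[base + 3]), int(f[base + 4])
    return entry


def classify_source(src):
    """'tunnel-address' means the peer masqueraded; 'remote-lan' is what we want."""
    if src in TUNNEL_ADDRS:
        return "tunnel-address"
    addr = ipaddress.ip_address(src)
    return "remote-lan" if any(addr in net for net in REMOTE_LANS) else "other"


def audit(lines, iface=WG_IFACE):
    """Count source classes for inbound entries on the tunnel interface only."""
    counts = Counter()
    for line in lines:
        e = parse_filterlog(line)
        if e["iface"] == iface and e["dir"] == "in":
            counts[classify_source(e["src"])] += 1
    return counts


def nat_still_masquerading(lines, iface=WG_IFACE):
    """True when every inbound tunnel entry carries a peer tunnel address."""
    c = audit(lines, iface)
    return c["tunnel-address"] > 0 and c["remote-lan"] == 0


def per_subnet_rule_hits(lines, src_net, iface=WG_IFACE):
    """How many inbound tunnel entries a rule 'pass from <src_net>' would match."""
    net = ipaddress.ip_network(src_net)
    return sum(
        1 for line in lines
        for e in [parse_filterlog(line)]
        if e["iface"] == iface and e["dir"] == "in"
        and ipaddress.ip_address(e["src"]) in net
    )


# Constructed entries: remote firewall still auto-NATs onto its tunnel address.
BEFORE_FIX = [
    "30,,,1000000103,tun_wg0,match,pass,in,4,0x0,,63,41822,0,DF,6,tcp,60,10.200.0.2,192.168.10.5,53761,22,0,S,1234567890,,65228,,mss;sackOK;TS;nop;wscale",
    "30,,,1000000103,tun_wg0,match,pass,in,4,0x0,,63,0,0,none,17,udp,61,10.200.0.2,192.168.10.53,54011,53,41",
    "30,,,1000000103,tun_wg0,match,pass,in,4,0x0,,63,9121,0,DF,6,tcp,60,10.200.0.2,192.168.20.8,53762,445,0,S,1122334455,,65228,,mss;sackOK;TS;nop;wscale",
]
# Constructed entries after the remote side stops NATing the tunnel; the first
# carries a syslog prefix, the last is a LAN-side entry that must be ignored.
AFTER_FIX = [
    "Sep 12 10:14:02 hq-fw filterlog[12345]: 30,,,1000000103,tun_wg0,match,pass,in,4,0x0,,63,41822,0,DF,6,tcp,60,192.168.100.21,192.168.10.5,51234,22,0,S,1234567890,,65228,,mss;sackOK;TS;nop;wscale",
    "30,,,1000000103,tun_wg0,match,pass,in,4,0x0,,63,0,0,none,17,udp,61,192.168.100.44,192.168.10.53,40211,53,41",
    "30,,,1000000103,tun_wg0,match,pass,in,4,0x0,,63,9121,0,DF,6,tcp,60,192.168.100.21,192.168.20.8,51235,445,0,S,1122334455,,65228,,mss;sackOK;TS;nop;wscale",
    "30,,,1000000103,tun_wg0,match,pass,in,6,0x00,0x00000,63,tcp,6,40,fd00:100::21,fd00:10::5,53770,22,0,S,987654321,,65228,,mss;sackOK;TS;nop;wscale",
    "20,,,1000000102,mvneta1,match,pass,in,4,0x0,,64,5551,0,DF,6,tcp,60,192.168.10.5,192.168.100.21,60001,443,0,S,5566778899,,65228,,mss;sackOK;TS;nop;wscale",
]

if __name__ == "__main__":
    for label, lines in (("before: auto outbound NAT on tunnel", BEFORE_FIX),
                         ("after: no NAT on tunnel", AFTER_FIX)):
        print(label, dict(audit(lines)), "masquerading:", nat_still_masquerading(lines),
              "rule-from-192.168.100.0/24 hits:", per_subnet_rule_hits(lines, "192.168.100.0/24"))
```

Run it against a copy of /var/log/filter.log (or `clog` output on older releases) filtered to the tunnel interface; while `nat_still_masquerading` is true, no per-subnet rule on the WireGuard interface can distinguish the remote site's hosts, whatever you put in the source field.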
tyn @Bob.Dig, last edited 20 days ago

            @Bob-Dig
            Thanks for the advice. I guess I must have done something in the wrong order because I do have the gateway set in the wireguard interface. If I remember correctly, I created the gateway at the same time as creating the interface.

            If I get a spare moment I will do some tests on my spare SG-1100 to see where I went wrong.

Bob.Dig @tyn, last edited 20 days ago

@tyn said in "wireguard s2s firewall rule logs all have same source ip?":

"I do have the gateway set in the wireguard interface."

Yes, and with that it is a WAN-type interface.

tyn @Bob.Dig, last edited 19 days ago

                @Bob-Dig
                Yep, I get it. A bit of reconfiguration and I should have it working the way I had expected it to.

                🙏 thanks

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.