Netgate Discussion Forum

Asymmetric routing with a wireguard vpn

Routing and Multi WAN
8 Posts 3 Posters 1.0k Views 2 Watching
  • D Offline
    digitalgimpus
    last edited by May 19, 2025, 4:45 PM

    Topology is as such:

    I've got a pfsense instance with a WAN connection and a WireGuard VPN tunnel (tunnelling over the WAN connection).

    I've got a few VLANs including 1 that's named PRIVACY which has a firewall rule with the gateway set to the WireGuard VPN tunnel which basically mirrors this Lawrence Systems video down to the kill switch.

    Cool, that all works. IP when I curl ip.me or any other ip address echo service is the VPN IP. The only interface that exists has an IP for the PRIVACY VLAN.

    Now I tried using port forwarding from the VPN to a device on my PRIVACY VLAN.
    [image: bc4b0366-2833-4a97-b281-3dfd12383960-image.png]

    Seems pretty straightforward, creates the appropriate firewall rule in the interface (the only rule there). Testing however doesn't indicate the port actually working. Testing the device itself from my primary LAN, I can telnet to the port, so the device itself isn't in question, this is something firewall or above.

    Digging through my firewall logs and searching for where dest port equals the port I forwarded I see a ton of:
    [image: 36fd7a6d-6a0c-4367-8df5-130ac7329aa8-image.png]

    Interestingly the destination IP is the IP of the WAN.

    Any clues as to how to diagnose what's going on here?

    V 1 Reply Last reply May 19, 2025, 5:01 PM Reply Quote 0
    • V Offline
      viragomann @digitalgimpus
      last edited by May 19, 2025, 5:01 PM

      @digitalgimpus said in Asymmetric routing with a wireguard vpn:

      Seems pretty straightforward, creates the appropriate firewall rule in the interface (the only rule there).

      You have to ensure that this rule matches the forwarded traffic.

      If there is any matching pass rule on the WireGuard tab (interface group), this one is applied and the reply-to doesn't work.

      D 1 Reply Last reply May 19, 2025, 5:21 PM Reply Quote 0
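A way to check viragomann's point at the pfSense shell, as an added example that is not taken from the thread or from pfSense itself: feed the output of `pfctl -sr` to the parser below and it reports which pass rule wins for the forwarded port and whether that rule carries reply-to. The rule lines, interface names and addresses in the sample are constructed.

```python
"""Added example (not from the thread or pfSense): find the pf rule that catches
traffic to a forwarded port and report whether it carries reply-to."""
import re
from typing import Optional

# Constructed sample shaped like `pfctl -sr` output. The rule on the WireGuard
# interface-group tab has no reply-to, so replies follow the default route (WAN).
SAMPLE_RULES = """\
pass in quick on WireGuard inet proto tcp from any to 192.168.50.10 port = 32400 flags S/SA keep state label "USER_RULE: group tab"
pass in quick on tun_wg0 reply-to (tun_wg0 10.7.0.1) inet proto tcp from any to 192.168.50.10 port = 32400 flags S/SA keep state label "USER_RULE: NAT forward"
pass in quick on igb1.20 inet from 192.168.50.0/24 to any flags S/SA keep state label "USER_RULE: PRIVACY out"
"""

RULE_RE = re.compile(
    r"^pass\s+in(?P<quick>\s+quick)?\s+on\s+(?P<iface>\S+)"
    r"(?:\s+reply-to\s+\((?P<rt_if>\S+)\s+(?P<rt_gw>\S+)\))?"
    r".*?\bport\s*=\s*(?P<port>\d+)"
)

def winning_rule(rules_text: str, port: int) -> Optional[dict]:
    """Return the inbound pass rule that wins for `port`: the first matching
    `quick` rule, otherwise the last matching non-quick rule (pf semantics)."""
    last = None
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m or int(m.group("port")) != port:
            continue
        hit = {"iface": m.group("iface"), "reply_to": m.group("rt_gw"), "rule": line}
        if m.group("quick"):
            return hit
        last = hit
    return last

def diagnose(rules_text: str, port: int) -> str:
    """Verdict for the forwarded port, in the terms the thread uses."""
    hit = winning_rule(rules_text, port)
    if hit is None:
        return f"no pass rule matches dst port {port}: check the NAT rule's filter rule"
    if hit["reply_to"] is None:
        return (f"port {port} is caught by a rule on '{hit['iface']}' without reply-to; "
                "replies leave via the default gateway (WAN)")
    return f"port {port} hits rule on '{hit['iface']}' with reply-to via {hit['reply_to']}: OK"

if __name__ == "__main__":
    print(diagnose(SAMPLE_RULES, 32400))
```

On a live box, replace SAMPLE_RULES with the text of `pfctl -sr` run as root.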
      • D Offline
        digitalgimpus @viragomann
        last edited by May 19, 2025, 5:21 PM

        @viragomann said in Asymmetric routing with a wireguard vpn:

        You have to ensure that this rule matches the forwarded traffic.

        It does. A single port.

        If there is any matching pass rule on the WireGuard tab (interface group), this one is applied and the reply-to doesn't work.

        I don't see anything of that nature.

        B 1 Reply Last reply May 19, 2025, 5:24 PM Reply Quote 0
        • B Offline
          Bob.Dig LAYER 8 @digitalgimpus
          last edited by May 19, 2025, 5:24 PM

          @digitalgimpus Why do you think that it is not a problem of your VPN? What VPN is it?

          D 1 Reply Last reply May 19, 2025, 5:25 PM Reply Quote 0
          • D Offline
            digitalgimpus @Bob.Dig
            last edited by May 19, 2025, 5:25 PM

            @Bob-Dig The only thing I've ruled out is the client device, because I can telnet into the port. So it's clearly not an application issue, the port is open and responding to commands.

            V 1 Reply Last reply May 19, 2025, 7:10 PM Reply Quote 0
            • V Offline
              viragomann @digitalgimpus
              last edited by May 19, 2025, 7:10 PM

              @digitalgimpus
              So show all your firewall rules, please.

              D 1 Reply Last reply May 21, 2025, 5:59 PM Reply Quote 0
              • D Offline
                digitalgimpus @viragomann
                last edited by May 21, 2025, 5:59 PM

                @viragomann
                [image: 2497855a-50b5-4604-ae73-26729e94ffa9-image.png]

                D 1 Reply Last reply May 22, 2025, 2:50 AM Reply Quote 0
                • D Offline
                  digitalgimpus @digitalgimpus
                  last edited by May 22, 2025, 2:50 AM

                  [image: eabc93a8-57d3-42a7-a238-9dc201c9bca6-image.png]

                  VPN Only is essentially just the rule up above.

                  NAT wise I've added this rule:
                  [image: 68d71407-e473-4694-b9ec-6679e6575c41-image.png]

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.