Policy Routing over WG
-
Need some routing help. Trying to route subnet 172.16.31.0/24 from FW1 over two WG tunnels and out the public interface of FW3 using outside NAT. These are peer to peer tunnels so I can't set the 2 WG interfaces on FW2 on the same subnet so I can do policy based routing on FW1. I tried to change up the tunnels to a site to multisite so all will be on the same subnet, but when I set a policy gateway for FW3 it still routes outside NAT at FW2 and not FW3. I have added the allowed IPs of 0.0.0.0/0 and still the same thing.
How can I accomplish this with pfSense? All the documentation I've seen online shows that peer config for IP forwarding on FW3 would be needed to send traffic to FW1 in a site to multisite setup.
I'd rather route the traffic with a peer to peer and not multisite. iBGP is used for internal routing.
-
@hardlivinlow
You just need to policy-route the traffic on FW2 as well. On FW2 you have to assign interfaces to both WG1 and WG2 instances.
Then on the WG1 interface add a policy-routing rule for the source 172.16.31.0/24 and state the WG2 gateway. Remember that no pass rule on the WireGuard tab must match this traffic, because these rules would have precedence and the policy routing wouldn't take effect.
If you need common pass rules there, add a block rule for the source 172.16.31.0/24 to the top of the rule set. On FW3 WAN you need an outbound NAT rule for 172.16.31.0/24, you know.
According to the drawing, the return route is managed with static routes.
Then it should work, I think.
-
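For readers who want to see what the reply's advice amounts to underneath the pfSense GUI, here is an added illustration in pf rule syntax, written for this thread and not taken from the forum posts or from pfSense's own generated ruleset. It covers the two uncontested pieces: the policy route on FW2's assigned WG1 interface (a `pass` with `route-to` pointing at the WG2 gateway) and the outbound NAT on FW3's WAN. Interface names, the WG2 gateway address and the WAN interface are assumptions; the WireGuard tab's group rules and the static return routes are only noted in comments.

```pf
# Added example (not from the thread, not pfSense's generated config).
# Assumed names: tun_wg0 = WG1 on FW2, tun_wg1 = WG2 on FW2,
# 10.0.2.2 = assumed WG2 peer address on FW3 (the "WG2 gateway" in the reply),
# em0 = assumed WAN interface on FW3.

wg1    = "tun_wg0"
wg2    = "tun_wg1"
wg2_gw = "10.0.2.2"
wan    = "em0"

# ---- FW2 ----
# pfSense evaluates the WireGuard tab (interface group) rules before the
# per-interface rules, and tab rules are "quick". That is the reply's caveat:
# nothing on the WireGuard tab may pass traffic from 172.16.31.0/24, or this
# per-interface rule is never reached and the policy route does not apply.

# WG1 interface rule: policy-route the subnet toward FW3 via the WG2 gateway.
pass in quick on $wg1 route-to ($wg2 $wg2_gw) inet from 172.16.31.0/24 to any keep state

# ---- FW3 ----
# Outbound NAT on WAN so the routed subnet leaves with FW3's public address
# and replies return to FW3 rather than to FW2.
nat on $wan inet from 172.16.31.0/24 to any -> ($wan)

# Return path: as the reply notes, the route back to 172.16.31.0/24 on FW3
# (and on FW2 toward FW1) is a static route through the respective tunnel,
# configured under System > Routing in the GUI rather than in pf rules.
```

When checking the result on FW2, the relevant view is Diagnostics > States: a state for a 172.16.31.0/24 source on the WG1 interface should show the WG2 gateway as its route-to target; if it shows no gateway, a WireGuard tab rule matched first.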
@viragomann Thanks for the info! I'll give that a go and see if I can get it working, knew it was probably something small I'm missing.