Netgate Discussion Forum
    Wireguard Routing help - 1 way working only

    • andresbraga

      Hi everyone,
      This is a noob question, but I have already tried multiple things and I hope someone can help with this.
      I have a Wireguard tunnel configured; the handshake is successfully performed and I can ping the server from the laptop, but it doesn't work the other way around. I already deactivated the NAT feature and all the rules, and no luck.
      pfSense and this server are located on a Proxmox server; the laptop is local.

      Any ideas? Thank you.

      • patient0 @andresbraga

        @andresbraga can you show a diagram of your network layout (hand-drawn is ok)?

        What was the reason to deactivate NAT? Did you deactivate it in general or only for the WG connection?

        Do you have firewall rule(s) for the WG connection that allows clients to access the firewall?

        Relevant pfSense documentation:

        Remote Access VPN:

        https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-ra.html

        Wireguard help overview:

        https://docs.netgate.com/pfsense/en/latest/vpn/wireguard/index.html

        • andresbraga @patient0

          @patient0 said in Wireguard Routing help - 1 way working only:

          What was the reason to deactivate NAT? Did you deactivate it in general or only for the WG connection?
          General but still doesn't work.
          Wireguard has any-any, None in the WAN and LAN has Any-any
          Just tried everything to make this work and still no luck.

          Here is the schema of the network:
          [screenshot: network diagram]

          • andresbraga @andresbraga

            Also, I can ping 10.10.1.1 (pfSense) with Wireguard connected, but not 10.10.6.1 (Wireguard).

            • patient0 @andresbraga

              @andresbraga do you have firewall rules on LAN to allow access to the Wireguard subnet, and on WIREGUARD or WG0 rules to allow access to the LAN subnet?

              Can you post a screenshot of the rule sets?

              • andresbraga @patient0

                Hi @patient0,
                Thank you for the patience.
                The only rule that I have in LAN is this one:
                [screenshot: LAN rule]

                But now that you say it makes sense.

                • patient0 @andresbraga

                  @andresbraga yep, the rules (except floating rules) work for traffic coming into an interface. 'Into' LAN means traffic originating from LAN, for example. 'Into' WIREGUARD would refer to traffic originating from the Wireguard interface.

                  Therefore you would need a rule or rules on the WIREGUARD interface for traffic originating from it.

                  Btw: have you cropped the LAN rules? There should be an 'Allow All' rule on the LAN interface (that is created by the installer).

                  • andresbraga @patient0
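The per-interface, stateful behaviour patient0 describes, as an added Python model that is not from the thread or from pfSense itself. Interface names, subnets and the host addresses 10.10.1.50 / 10.10.6.2 are constructed for the example; a rule only matches packets entering the interface it sits on, and replies to a passed flow are allowed by state.

```python
import itertools
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    iface: str   # interface the packet ENTERS pfSense on (LAN, WIREGUARD, ...)
    src: str     # source network, e.g. "10.10.1.0/24", or "any"
    dst: str     # destination network, or "any"
    action: str = "pass"

_match = lambda net, addr: net == "any" or ip_address(addr) in ip_network(net)

@dataclass
class Firewall:
    ifaces: dict                      # interface name -> subnet behind it
    rules: list                       # Rule objects, first match wins
    states: set = field(default_factory=set)

    def ingress_iface(self, src: str) -> str:
        for name, net in self.ifaces.items():
            if ip_address(src) in ip_network(net):
                return name
        raise ValueError(f"no interface for {src}")

    def packet(self, src: str, dst: str, flow: int) -> str:
        # A reply to an already-passed flow is allowed by state, no rule needed.
        if (dst, src, flow) in self.states:
            return "pass (state)"
        iface = self.ingress_iface(src)
        for r in self.rules:
            if r.iface == iface and _match(r.src, src) and _match(r.dst, dst):
                if r.action == "pass":
                    self.states.add((src, dst, flow))
                return r.action
        return "block (default deny)"

_flow_ids = itertools.count(1)

def ping(fw: Firewall, src: str, dst: str) -> bool:
    # Echo request src->dst, then echo reply dst->src; True only if both pass.
    flow = next(_flow_ids)          # stands in for the ICMP id pf tracks per state
    if not fw.packet(src, dst, flow).startswith("pass"):
        return False
    return fw.packet(dst, src, flow).startswith("pass")

# Constructed topology matching the thread: LAN 10.10.1.0/24, WG tunnel 10.10.6.0/24.
IFACES = {"LAN": "10.10.1.0/24", "WIREGUARD": "10.10.6.0/24"}
SERVER, LAPTOP = "10.10.1.50", "10.10.6.2"   # constructed host addresses

def one_way(rules):
    # Returns (server->laptop works, laptop->server works) for a given rule set.
    fw = Firewall(IFACES, rules)
    return ping(fw, SERVER, LAPTOP), ping(fw, LAPTOP, SERVER)
```

With only a LAN rule the model reproduces "1 way working only": the server reaches the laptop and the reply returns by state, but a ping started on the tunnel side is dropped by the default deny on WIREGUARD.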

                    Hi again @patient0,
                    No, I didn't. And yeah, I deleted all the rules here for these Wireguard tests.

                    • andresbraga @andresbraga

                      Also, on Wireguard only this rule:
                      [screenshot: WIREGUARD rule]

                      • patient0 @andresbraga

                        @andresbraga that looks good, the same is needed for LAN.

                        • andresbraga @patient0

                          Hi again @patient0,
                          Sorry to bother, I already added it but still have the same issue.
                          [screenshot: LAN rule added]

                          The laptop can ping the server in the pfSense network but not the Wireguard address:
                          [screenshot: ping from laptop to server]

                          [screenshot: ping from laptop to Wireguard address]

                          Also, the server cannot ping the laptop but can ping the Wireguard address:
                          [screenshot: ping from server]

                          Any more suggestions? Thank you.
