Asymmetric routing with a wireguard vpn
-
Topology is as such:
I've got a pfsense instance with a WAN connection and a WireGuard VPN tunnel (tunnelling over the WAN connection).
I've got a few VLANs including 1 that's named PRIVACY which has a firewall rule with the gateway set to the WireGuard VPN tunnel which basically mirrors this Lawrence Systems video down to the kill switch.
Cool, that all works. IP when I curl ip.me or any other ip address echo service is the VPN IP. The only interface that exists has an IP for the PRIVACY VLAN.
Now I tried using port forwarding from the VPN to a device on my PRIVACY VLAN.
Seems pretty straightforward, creates the appropriate firewall rule in the interface (the only rule there). Testing however doesn't indicate the port actually working. Testing the device itself from my primary LAN, I can telnet to the port, so the device itself isn't at question, this is something firewall or above.
Digging through my firewall logs and searching for where dest port equals the port I forwarded I see a ton of:
Interestingly the destination IP is the IP of the WAN.
Any clues as to how to diagnose what's going on here?
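Added example, not part of the thread: a small Python script that performs the log search described above (filter pfSense filterlog entries by destination port, then group them by interface, action and destination address) so the "destination is the WAN IP on the tunnel interface" pattern can be counted instead of eyeballed. The log lines, interface names (wg0, igb0) and addresses are constructed for the example; the field layout is the pfSense filterlog CSV format.

```python
from collections import Counter

# Constructed sample in pfSense filterlog CSV layout (documentation address ranges,
# hypothetical interface names). Fields after the "filterlog[pid]: " prefix:
#   rulenr,subrulenr,anchor,tracker,iface,reason,action,direction,ipver, then
#   IPv4: tos,ecn,ttl,id,offset,flags,protoid,proto,len,src,dst,srcport,dstport,...
#   IPv6: class,flowlabel,hlim,proto,protoid,len,src,dst,srcport,dstport,...
SAMPLE_LOG = """\
filterlog[12345]: 5,,,1000000103,wg0,match,block,in,4,0x0,,53,0,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,51515,32400,0,S,1111,,65535,,mss;sackOK
filterlog[12345]: 5,,,1000000103,wg0,match,block,in,4,0x0,,53,0,0,DF,6,tcp,60,203.0.113.6,198.51.100.10,51516,32400,0,S,2222,,65535,,mss;sackOK
filterlog[12345]: 70,,,1770001234,wg0,match,pass,in,4,0x0,,53,0,0,DF,6,tcp,60,203.0.113.7,10.8.0.2,51517,32400,0,S,3333,,65535,,mss;sackOK
filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,53,0,0,DF,6,tcp,60,203.0.113.8,198.51.100.10,51518,22,0,S,4444,,65535,,mss;sackOK
filterlog[12345]: 5,,,1000000103,wg0,match,block,in,4,0x0,,53,0,0,,17,udp,78,203.0.113.9,198.51.100.10,51519,32400,58
"""


def parse_filterlog(line):
    """Return (iface, action, direction, proto, src, dst, dstport) or None for
    lines that are not TCP/UDP filterlog records."""
    line = line.strip()
    if "filterlog[" in line:
        line = line.split("]: ", 1)[1]
    f = line.split(",")
    if len(f) < 10:
        return None
    iface, action, direction, ipver = f[4], f[6], f[7], f[8]
    if ipver == "4":
        proto, src, dst, ports = f[16], f[18], f[19], f[20:22]
    elif ipver == "6":
        proto, src, dst, ports = f[12], f[15], f[16], f[17:19]
    else:
        return None
    if proto not in ("tcp", "udp") or len(ports) < 2:
        return None
    return iface, action, direction, proto, src, dst, int(ports[1])


def summarize_port(log_text, port):
    """Count entries to the given destination port, keyed by
    (interface, action, destination address)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec and rec[6] == port:
            iface, action, _direction, _proto, _src, dst, _ = rec
            counts[(iface, action, dst)] += 1
    return counts


def wan_address_on_other_iface(summary, wan_ip, wan_iface):
    """Flag entries whose destination is the WAN address but which arrived on a
    different interface (the symptom reported in the thread)."""
    return {
        (iface, action): n
        for (iface, action, dst), n in summary.items()
        if dst == wan_ip and iface != wan_iface
    }


if __name__ == "__main__":
    s = summarize_port(SAMPLE_LOG, 32400)
    for key, n in sorted(s.items()):
        print(key, n)
    print(wan_address_on_other_iface(s, "198.51.100.10", "igb0"))
```

Run it against `clog /var/log/filter.log` output (or an exported copy) with the forwarded port; if the blocked entries for that port all carry the WAN address as destination while arriving on the tunnel interface, the port forward is being matched against the wrong interface or address.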
-
@digitalgimpus said in Asymmetric routing with a wireguard vpn:
Seems pretty straightforward, creates the appropriate firewall rule in the interface (the only rule there).
You have to ensure that this rule matches the forwarded traffic.
If there is any matching pass rule on the Wireguard tab (interface group) this one is applied and the reply-to doesn't work.
-
@viragomann said in Asymmetric routing with a wireguard vpn:
You have to ensure that this rule matches the forwarded traffic.
It does. A single port.
If there is any matching pass rule on the Wireguard tab (interface group) this one is applied and the reply-to doesn't work.
I don't see anything of that nature.
-
@digitalgimpus Why do you think that it is not a problem of your VPN? What VPN is it?
-
@Bob-Dig The only thing I've ruled out is the client device, because I can telnet into the port. So it's clearly not an application issue, the port is open and responding to commands.
-
@digitalgimpus
So show all your firewall rules, please.
-
VPN Only is essentially just the rule up above.
NAT wise I've added this rule: