Hi,
I started with this setup
PC A: Dual WAN failover + WireGuard setup
PC B: One simple gateway (no failover) + WireGuard setup
Everything worked as expected. PC A and PC B could access each other's resources via Samba, and PC B could even connect to PC A via RDP.
I set up dual WAN failover on PC B too (same setup as PC A), and the WireGuard tunnel stopped working.
I mean, the handshake seems to be up, but devices on one OPNsense's LAN side can't reach devices on the other OPNsense's LAN anymore; they can't even ping one another.
I haven't yet understood what may have been wrong.
Could you please give me a hint as a starting point, just so I know where to look for the possible misconfiguration? Thanks
For the record, here are the two tutorials I followed to set up dual WAN failover and WireGuard on both machines:
https://www.youtube.com/watch?v=CcXYiFj9mBA -> dual WAN failover
https://www.youtube.com/watch?v=ah0Kkkqqfcg -> WireGuard site-to-site setup
Thanks
I noticed that if I set the LAN pass rule's gateway to "default" instead of the failover group, the WireGuard connection starts working again. But I don't think that is how it is supposed to be.
Make an RFC1918 alias and use that as the destination of the higher rule, with gateway "default". Then make another rule with destination any and gateway your failover group.
Quote from: Bob.Dig on November 26, 2023, 05:33:59 PM
Make an RFC1918 alias and use that as the destination of the higher rule, with gateway "default". Then make another rule with destination any and gateway your failover group.
That is pretty much what I did. I set a pass rule from LAN to any on the default gateway above the "failover_group" one.
Now the WireGuard tunnel to PC_B works. However, if WAN1 on PC A goes down, it switches to WAN2 and I still have an internet connection, but the WireGuard tunnel to PC_B doesn't work anymore. I think I tried everything I could think of, but there was no way to make it work on the second/backup WAN2.
Quote from: ricksense on November 26, 2023, 06:54:43 PM
Quote from: Bob.Dig on November 26, 2023, 05:33:59 PM
Make an RFC1918 alias and use that as the destination of the higher rule, with gateway "default". Then make another rule with destination any and gateway your failover group.
That is pretty much what I did.
No.
Quote from: Bob.Dig on November 26, 2023, 09:00:53 PM
No.
Then, like this?
Screenshot of the rule set: https://imgbox.com/FCM25f1X (image: https://images2.imgbox.com/be/14/FCM25f1X_o.jpg)
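The exchange above turns on how OPNsense evaluates LAN rules: rules match first-hit from the top, a rule with a gateway (or gateway group) set policy-routes matching traffic out that gateway regardless of the routing table, and a rule with gateway "default" hands the packet to the normal routing table, which is where the WireGuard route to the remote LAN lives. The following Python model, added here as an illustration and not code from the thread or from OPNsense, replays three rule orderings against a constructed routing table: the original single failover rule (tunnel traffic forced out the WAN), Bob.Dig's RFC1918-above-failover layout, and the "LAN to any, gateway default" rule that ricksense placed on top (which shadows the failover rule, so it never fires). Addresses, interface and gateway names, rule names and the routing table are all assumptions; the later question of the tunnel surviving a switch to WAN2 is outside what this model covers.

```python
"""Model of OPNsense-style first-match policy routing on LAN rules.

Added example, not from the forum thread or the OPNsense project.
Routing table, addresses, gateway names and rule names are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The "RFC1918" alias one would define under Firewall > Aliases.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

# Constructed routing table of PC A: PC B's LAN is reachable through the
# WireGuard interface (its AllowedIPs), everything else via the primary WAN.
ROUTING_TABLE: Dict[ipaddress.IPv4Network, str] = {
    ipaddress.ip_network("192.168.1.0/24"): "lan",       # PC A's own LAN
    ipaddress.ip_network("192.168.2.0/24"): "wg0",       # PC B's LAN via tunnel
    ipaddress.ip_network("0.0.0.0/0"): "WAN1_GW",        # system default route
}


@dataclass
class Rule:
    name: str
    destinations: List[ipaddress.IPv4Network]
    gateway: str  # "default" = use routing table; anything else = policy-route


def route_lookup(dst: str) -> str:
    """Longest-prefix match against the routing table (what 'default' does)."""
    ip = ipaddress.ip_address(dst)
    best = max((net for net in ROUTING_TABLE if ip in net),
               key=lambda n: n.prefixlen)
    return ROUTING_TABLE[best]


def egress(rules: List[Rule], dst: str) -> Tuple[str, str]:
    """First matching rule wins (OPNsense rules are 'quick' by default).

    Returns (name of the rule that matched, interface/gateway the packet leaves on).
    A rule with a gateway set bypasses the routing table entirely, which is
    why a blanket failover rule sends tunnel-bound traffic out the WAN.
    """
    ip = ipaddress.ip_address(dst)
    for rule in rules:
        if any(ip in net for net in rule.destinations):
            if rule.gateway == "default":
                return rule.name, route_lookup(dst)
            return rule.name, rule.gateway
    return "no match", "blocked"


def unused_rules(rules: List[Rule], probes: List[str]) -> List[str]:
    """Names of rules that never match any probe address (i.e. are shadowed)."""
    hit = {egress(rules, p)[0] for p in probes}
    return [r.name for r in rules if r.name not in hit]


# 1. Original setup: a single LAN rule policy-routed to the failover group.
RULES_FAILOVER_ONLY = [
    Rule("LAN to any (failover group)", ANY, "WAN_FAILOVER"),
]

# 2. Bob.Dig's layout: private destinations use the routing table first.
RULES_RFC1918_FIRST = [
    Rule("LAN to RFC1918 (default gateway)", RFC1918, "default"),
    Rule("LAN to any (failover group)", ANY, "WAN_FAILOVER"),
]

# 3. ricksense's reading: "LAN to any, gateway default" above the failover rule.
RULES_ANY_DEFAULT_FIRST = [
    Rule("LAN to any (default gateway)", ANY, "default"),
    Rule("LAN to any (failover group)", ANY, "WAN_FAILOVER"),
]

PROBES = ["192.168.2.10",   # host on PC B's LAN, should go through the tunnel
          "1.1.1.1"]        # internet host, should use the failover group

if __name__ == "__main__":
    for label, rules in (("failover only", RULES_FAILOVER_ONLY),
                         ("RFC1918 first", RULES_RFC1918_FIRST),
                         ("any/default first", RULES_ANY_DEFAULT_FIRST)):
        print(f"== {label} ==")
        for dst in PROBES:
            print(f"  {dst:>14} -> {egress(rules, dst)}")
        print(f"  shadowed: {unused_rules(rules, PROBES)}")
```

Run stand-alone, the script shows the tunnel-bound probe leaving on WAN_FAILOVER in the first layout, on wg0 in the second, and the failover rule listed as shadowed in the third, where every packet is already consumed by the destination-any default rule above it. The only layout in which private destinations reach the tunnel while internet traffic still uses the failover group is the second one.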