Hi
I created a lab with two OPNsense virtual machines in Pnetlab.
I set up Wireguard as a site-to-site VPN on both of them. The Wireguard itself seems to be working fine, as you can see from the images below:
(https://images2.imgbox.com/c4/a2/lJcEu0II_o.jpg) (https://imgbox.com/lJcEu0II) (https://images2.imgbox.com/80/16/4MiriALg_o.jpg) (https://imgbox.com/4MiriALg)
On both OPnsense VMs, I set VLANs with a few VPCs, and I tried to reach them through the Wireguard tunnel, but they can't even ping each other.
However, I can ping the VPCs from the diagnostic tools in the OPNsense VMs
I think I have already tried just about everything (set firewall rules etc) to get everything working, but I still find myself banging my head against this problem for about a week.
Could you please help figure it out? Thanks
My LAB topology
(https://thumbs2.imgbox.com/38/1a/qQE28Es2_t.jpg) (https://imgbox.com/qQE28Es2)
There are only five steps to take and each can be verified seperately:
1. You must have a working Wireguard connection (it looks like you do)
2. The allowed networks must contain the remote networks (could be that it is a problem, because if you sub-divide the 10/8 network into several /24 networks for each VLAN, then 10.0.0.0/24 is only one of them)
3. The routing on both sides must know where to direct the packets to
4. The firewall rules must allow the packets to pass
5. The VPCs must answer to routed ping requests (Windows firewall by default only allows requests on the same local subnet)
Quote from: meyergru on September 22, 2024, 01:38:42 PM
There are only five steps to take and each can be verified seperately:
1. You must have a working Wireguard connection (it looks like you do) // Yes, I have
2. The allowed networks must contain the remote networks (could be that it is a problem, because if you sub-divide the 10/8 network into several /24 networks for each VLAN, then 10.0.0.0/24 is only one of them)// the
10.0.0.0/24 is about the wireguard network [site A 10.0.0.1 and site B 10.0.0.2]
3. The routing on both sides must know where to direct the packets to // I suspect that it may be the problem about. As far as I know when you create a wireguard interface it should also manage the routing too
4. The firewall rules must allow the packets to pass //No block entry in the firewall logs
5. The VPCs must answer to routed ping requests (Windows firewall by default only allows requests on the same local subnet)// I know but the ping fail via VPCs [192.168.10.52 icmp_seq=1 timeout]
Thanks
10.0.0.0/24 looks suspicious to me. If this is your tunnel network, it should look like 10.0.0.*/32 in the widget.
Quote from: Bob.Dig on September 22, 2024, 06:14:18 PM
10.0.0.0/24 looks suspicious to me. If this is your tunnel network, it should look like 10.0.0.*/32 in the widget.
I tried it too. Nothing changed
Thanks anyway
It's a firewall issue apparently
If I set a pass floating rule any to any for each VLAN interface on both Firewall, it works.
However, as soon as I make them more more restrictive, even the ping stops working.
This one on VLAN on both side
(https://images2.imgbox.com/f3/a2/hhX5ZBV2_o.jpg) (https://imgbox.com/hhX5ZBV2)
"More restrictive" - how so, exactly? There's something too restrictive in your rules, obviously. Post the rules, please.
Quote from: Patrick M. Hausen on September 23, 2024, 10:16:31 AM
"More restrictive" - how so, exactly? There's something too restrictive in your rules, obviously. Post the rules, please.
How can I print all the rules from command line? Thanks
If I set the two floating rules on both side this way, the VLANs can't reach one another anymore:
(https://images2.imgbox.com/e5/d1/oD8Vos7R_o.jpg) (https://imgbox.com/oD8Vos7R) (https://images2.imgbox.com/3f/d9/olkDzs2k_o.jpg) (https://imgbox.com/olkDzs2k)
Any idea about that?
Why are you using floating rules? The ones for 51820/UDP should definitely go on WAN.
Second, assuming you have an "allow all" rule on the respective VLAN interfaces you only need to allow the traffic in through the wireguard interface on the corresponding remote. Did you assign the WG interfaces so you can actually apply rules to them? I suspect the floating rules get evaluated before the WG interfaces are up so they are never applied.
Better assign the interfaces, then put a rule on each:
source: remote LAN + tunnel network, destination: my VLAN, action: allow.
Since they're VLAN interfaces, they probably wouldn't have the "Default allow LAN to any rule", so those would have to be created too. I haven't actually followed this guide myself, but it appears to cover creation of the proper rules.... https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html
Quote from: Patrick M. Hausen on September 24, 2024, 10:48:22 AM
Why are you using floating rules? The ones for 51820/UDP should definitely go on WAN.
It's actually on the WAN.
Quote
Second, assuming you have an "allow all" rule on the respective VLAN interfaces you only need to allow the traffic in through the wireguard interface on the corresponding remote. Did you assign the WG interfaces so you can actually apply rules to them? I suspect the floating rules get evaluated before the WG interfaces are up so they are never applied.
Better assign the interfaces, then put a rule on each:
source: remote LAN + tunnel network, destination: my VLAN, action: allow.
The floating rules already allow all" on the VLANs:
(https://thumbs2.imgbox.com/66/4c/Hxo3J3tB_t.jpg) (https://imgbox.com/Hxo3J3tB)
I also set an "allow any" on the wireguard interface:
(https://thumbs2.imgbox.com/39/58/ZamXE4Rx_t.jpg) (https://imgbox.com/ZamXE4Rx)
For the record, I set Wireguard S2S tunnels more than once, even on different devices such as Mikrotik, Linux machines and other OPNsense VMS, and I have never gone through this problem. Very strange. Thanks
Quote from: dseven on September 24, 2024, 10:58:30 AM
Since they're VLAN interfaces, they probably wouldn't have the "Default allow LAN to any rule", so those would have to be created too. I haven't actually followed this guide myself, but it appears to cover creation of the proper rules.... https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html
I followed this very guide myself too. Thanks
Quote from: ricksense on September 24, 2024, 08:10:31 PM
I followed this very guide myself too. Thanks
Then why are you creating floating rules? Nothing in that guide tells you to do that......
Quote from: dseven on September 24, 2024, 08:35:56 PM
Quote from: ricksense on September 24, 2024, 08:10:31 PM
I followed this very guide myself too. Thanks
Then why are you creating floating rules? Nothing in that guide tells you to do that......
Again, without the floating rules the VLANs can't reach one another, so that guide is useless in my case.
You need to put the rules on the interfaces, not in "floating"!
Quote from: Patrick M. Hausen on September 24, 2024, 09:29:01 PM
You need to put the rules on the interfaces, not in "floating"!
I already did it, tried everything. Nothing seems to work but the floating rules.
Quote from: ricksense on September 24, 2024, 09:37:46 PM
I already did it, tried everything.
In other words: You don't know, what you are doing but you want to stick with it.
Quote from: Bob.Dig on September 25, 2024, 09:51:24 AM
In other words: You don't know, what you are doing but you want to stick with it.
Just the opposite!
What I know for sure is that I first followed the official guide here:
https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html (https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html)
and it didn't work. So, what would you have done in this case? Tinkering with the setup, right?
It is exactly what I did until I got the job done. Does that mean that I am happy with it? Of course not, because I want to find out what is wrong with it. As I already said, it is not the first time I set a wireguard tunnel on very different devices; never had any problem before.
Thanks