Hi all,
I have installed a site-to-site WireGuard with this tutorial:
https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html
Site A: public fixed IP
Site B: shared IP from ISP
Opnsense B connects to Opnsense A well.
LAN B accesses LAN A well. LAN A doesn't access LAN B; Opnsense A doesn't send the packets for LAN B through WireGuard.
I don't understand why. Do you know why?
Best regards,
Joseph
Quote from: jaj1105 on February 04, 2025, 07:02:44 PM
Opnsense B connects to Opnsense B well.
Small but important mistake during translation (from the French forum): Opnsense B connects to Opnsense *A* well.
The fact that Site A doesn't route through Wireguard was established with tracert.
I asked whether default routing was left alone (in instance advanced mode).
I imagine one can check in System > Routes > Status when the connection is established but I've never set this up so...
Thanks a lot Eric, I checked the route status and I don't see this route.
I just added the route in the configuration manually and it's working now!!!
What route did you add? I have the same problem. OPNsense A can connect to OPNsense B via WG, and can see devices behind OPNsense B. OPNsense B cannot see OPNsense A via WG. I tried pinging OPNsense A from the Ping tool on OPNsense B and got nothing.
Do you have both LAN networks and the tunnel network addresses in the respective AllowedIPs settings?
Yes Patrick, it's working now with the help of EricPerl.
Thanks 🙏
Quote from: Patrick M. Hausen on February 05, 2025, 07:07:52 PM
Do you have both LAN networks and the tunnel network addresses in the respective AllowedIPs settings?
I believe I do. Here are screenshots of the peers from each firewall. The initial tunnel is up but now I cannot get to devices from either side. I have just rebooted both firewalls, just to ensure everything was clean. What could I be missing?
If AllowedIPs looks good, then probably firewall rules. Without any rules applied to either the assigned WG interface (in case you did that) or the "WireGuard" group, the default applies which is "deny all".
Quote from: Patrick M. Hausen on February 06, 2025, 05:16:47 PM
If AllowedIPs looks good, then probably firewall rules. Without any rules applied to either the assigned WG interface (in case you did that) or the "WireGuard" group, the default applies which is "deny all".
I thought that could be it but I checked. I have firewall rules in place for WAN (FIOS) and the interface (WG). Do I need rules on the LAN interfaces? I have the default allow rule for each LAN interface.
In the rule on WG the source is not "WG net" but the LAN of the opposite site. "WG net" is the tunnel net only. All "X net" aliases are just the network directly connected to that particular interface not "anything reachable via that IF".
That was the 2nd rule for each site in step 6 of the guide...
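The two failure modes discussed in this thread (a peer's AllowedIPs not covering the remote LAN, so the packet never enters the tunnel, and a WG-interface rule whose source is "WG net" instead of the opposite site's LAN) can be checked offline with a small script. This is an added example written for this thread, not code from OPNsense or from the guide; the addresses are constructed (tunnel 10.10.10.0/24, LAN A 192.168.1.0/24, LAN B 192.168.2.0/24), and site A's peer entry deliberately lacks LAN B to reproduce the original asymmetry.

```python
import ipaddress

TUNNEL_NET = "10.10.10.0/24"  # constructed tunnel network ("WG net")

# Constructed site definitions: each site's own LAN plus the AllowedIPs it
# configured for the *other* site's peer entry. Site A forgot LAN B.
SITES = {
    "A": {"lan": "192.168.1.0/24",
          "peer_allowed_ips": ["10.10.10.0/24"]},                   # missing LAN B
    "B": {"lan": "192.168.2.0/24",
          "peer_allowed_ips": ["10.10.10.0/24", "192.168.1.0/24"]},  # tunnel + LAN A
}


def check_allowed_ips(sites, tunnel_net=TUNNEL_NET):
    """Report every site whose peer AllowedIPs does not cover the tunnel net
    or the remote LAN; WireGuard only routes destinations listed there."""
    problems = []
    for name, cfg in sites.items():
        other = next(n for n in sites if n != name)
        allowed = [ipaddress.ip_network(a) for a in cfg["peer_allowed_ips"]]
        required = (("tunnel net", tunnel_net), (f"LAN {other}", sites[other]["lan"]))
        for label, net in required:
            n = ipaddress.ip_network(net)
            if not any(n.subnet_of(a) for a in allowed):
                problems.append(f"site {name}: peer AllowedIPs does not cover {label} {net}")
    return problems


def routed_via_tunnel(sites, src_site, dst_ip):
    """True if src_site's WireGuard cryptokey routing steers dst_ip into the
    tunnel, i.e. dst_ip falls inside one of the peer's AllowedIPs."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in ipaddress.ip_network(a) for a in sites[src_site]["peer_allowed_ips"])


def wg_rule_matches(src_ip, rule_source_net):
    """True if a pass rule on the WG interface with this source network matches a
    packet arriving from src_ip. "WG net" is only the tunnel network, so a rule
    using it never matches traffic that originates on the opposite site's LAN."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_source_net)


if __name__ == "__main__":
    for p in check_allowed_ips(SITES):
        print(p)
    print("B -> LAN A routed:", routed_via_tunnel(SITES, "B", "192.168.1.10"))
    print("A -> LAN B routed:", routed_via_tunnel(SITES, "A", "192.168.2.10"))
    print("rule src WG net matches LAN B host:", wg_rule_matches("192.168.2.10", TUNNEL_NET))
    print("rule src LAN B matches LAN B host:", wg_rule_matches("192.168.2.10", SITES["B"]["lan"]))
```

Running it reports that site A's peer entry lacks LAN B, that B can reach LAN A but A cannot reach LAN B, and that a WG rule with source "WG net" does not match hosts from the opposite LAN.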