Team,
I'm looking for the correct routing and ruleset for accessing an internal WG server.
The structure is as follows:
Modem[Internet](192.168.y.1) <-> [WAN](192.168.y.2)OPNsense[LAN](192.168.x.1) <-> Router(192.168.x.11) <-> WG-Server(10.xyz.1)[PORT:ppp]
Pass rule for the WAN interface to allow connections to the Wireguard port
Firewall: Rules: WAN
Action: Pass
Interface: WAN / Internet?
Direction: in
TCP/IP version: IPv4
Protocol: UDP
Source: any
Destination: Internet address
Destination port: ppp
Port Forward rule to forward incoming connections from WAN port to the Wireguard server port
Firewall: NAT: Port Forward
Interface: WAN / Internet?
TCP/IP: IPv4
Protocol: UDP
Destination: WAN address / Internet address?
Destination port range: ppp
Redirect target IP: 192.168.x.11[Router]
Redirect target port: ppp
Firewall: NAT: Outbound
Interface = Internet
TCP/IP Version = IPv4
Protocol = UDP
Source address = 192.168.x.11
Source Port: ppp
Destination: any
Translation/target = Interface address
Where is the error or is a routing still missing?
Thank you.
Quote from: Neurothiker on April 03, 2025, 04:22:03 PM
Pass rule for the WAN interface to allow connections to the Wireguard port
Firewall: Rules: WAN
Action: Pass
Interface: WAN / Internet?
Direction: in
TCP/IP version: IPv4
Protocol: UDP
Source: any
Destination: Internet address
Destination port: ppp
The destination has to be the secondary router's IP 192.168.x.11, since this is what pfSense forwards the traffic to.
Why don't you just use "add associated filter rule" in Port Forwarding? Then OPNsense would create the correct rule automatically.
Quote from: Neurothiker on April 03, 2025, 04:22:03 PM
Firewall: NAT: Outbound
Interface = Internet
TCP/IP Version = IPv4
Protocol = UDP
Source address = 192.168.x.11
If using automatic outbound NAT mode OPNsense should have added a rule for the source of the LAN subnet automatically. This should include 192.168.x.11.
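As an added illustration of the point about the pass rule's destination (this is example code, not from the thread and not OPNsense's own code), the following Python model reproduces the order pf, the packet filter OPNsense uses, applies on the WAN interface: a matching port forward rewrites the destination first, and the filter rules are then evaluated against the translated packet. That is why a WAN pass rule with destination "WAN address" never matches the forwarded WireGuard packets while the "associated filter rule" pointing at the redirect target does. The addresses 192.168.2.2 (for 192.168.y.2), 192.168.1.11 (for 192.168.x.11), 203.0.113.7 (a remote client) and the port 51820 (for "ppp") are constructed stand-ins for the thread's placeholders.

```python
"""Added example, not code from the thread or from OPNsense.

pf applies a matching port forward (rdr) to an inbound WAN packet before it
evaluates the filter rules, so the filter sees the *translated* destination.

Constructed stand-ins for the thread's placeholders:
  192.168.2.2   -> OPNsense WAN address (192.168.y.2)
  192.168.1.11  -> internal router, the redirect target (192.168.x.11)
  51820         -> the WireGuard port written as "ppp"
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address

WAN_ADDRESS = ip_address("192.168.2.2")   # constructed stand-in for 192.168.y.2
ROUTER = ip_address("192.168.1.11")       # constructed stand-in for 192.168.x.11
WG_PORT = 51820                           # constructed stand-in for "ppp"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class PortForward:
    """Firewall: NAT: Port Forward entry (an rdr rule in pf terms)."""
    proto: str
    dst: IPv4Address        # destination the packet arrives with (WAN address)
    dport: int
    target: IPv4Address     # redirect target IP
    target_port: int        # redirect target port


@dataclass(frozen=True)
class PassRule:
    """Firewall: Rules: WAN pass entry, direction in."""
    proto: str
    dst: IPv4Address
    dport: int


def apply_port_forward(pkt: Packet, forwards: list) -> Packet:
    """Step 1: rewrite the destination if a port forward matches (first match wins)."""
    for fwd in forwards:
        if pkt.proto == fwd.proto and pkt.dst == fwd.dst and pkt.dport == fwd.dport:
            return replace(pkt, dst=fwd.target, dport=fwd.target_port)
    return pkt


def rule_matches(rule: PassRule, pkt: Packet) -> bool:
    return rule.proto == pkt.proto and rule.dst == pkt.dst and rule.dport == pkt.dport


def wan_inbound(pkt: Packet, forwards: list, pass_rules: list):
    """Step 2: evaluate the pass rules against the already translated packet.

    Returns (passed, translated_packet). A packet that matches no pass rule
    falls through to the implicit default deny on WAN."""
    translated = apply_port_forward(pkt, forwards)
    passed = any(rule_matches(r, translated) for r in pass_rules)
    return passed, translated


FORWARD = PortForward("udp", WAN_ADDRESS, WG_PORT, ROUTER, WG_PORT)
RULE_WAN_ADDRESS = PassRule("udp", WAN_ADDRESS, WG_PORT)  # destination as in the first post
RULE_ROUTER = PassRule("udp", ROUTER, WG_PORT)            # what "associated filter rule" creates


def demo() -> dict:
    """Run one WireGuard handshake packet from a constructed remote client through both variants."""
    pkt = Packet("udp", ip_address("203.0.113.7"), WAN_ADDRESS, WG_PORT)
    wan_rule_passes, translated = wan_inbound(pkt, [FORWARD], [RULE_WAN_ADDRESS])
    router_rule_passes, _ = wan_inbound(pkt, [FORWARD], [RULE_ROUTER])
    return {
        "translated_dst": str(translated.dst),
        "wan_address_rule_passes": wan_rule_passes,
        "router_rule_passes": router_rule_passes,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the packet leaving the redirect step with destination 192.168.1.11; only the rule whose destination is the redirect target passes it, which is exactly what OPNsense generates when "add associated filter rule" is selected.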
Quote from: viragomann on April 03, 2025, 05:29:08 PM
Why don't you just use "add associated filter rule" in Port Forwarding? Then OPNsense would create the correct rule automatically.
If using automatic outbound NAT mode OPNsense should have added a rule for the source of the LAN subnet automatically. This should include 192.168.x.11.
Thanks for responding.
I have now set up the Port Forwarding rule again and OPNsense created the FW rule on WAN automatically! - Are the rules correct?
Modem[Internet](192.168.y.1) <-> [WAN](192.168.y.2)OPNsense[LAN](192.168.x.1) <-> Router(192.168.x.11) <-> WG-Server(10.xyz.1)[PORT:ppp]
Firewall: NAT: Port Forward
Interface: WAN / Internet?
TCP/IP: IPv4
Protocol: UDP
Destination: Internet address
Destination port range: ppp
Redirect target IP: 192.168.x.11[Router]
Redirect target port: ppp
Firewall: Rules: WAN
Action: Pass
Interface: WAN / Internet?
Direction: in
TCP/IP version: IPv4
Protocol: UDP
Source: any
Destination: 192.168.x.11[Router]
Destination port: ppp
I activated the Hybrid mode for Firewall: NAT: Outbound and can't see an automatically generated rule...
1. Why not?
2. If manually generated is it correct?
Firewall: NAT: Outbound
Interface = Internet
TCP/IP Version = IPv4
Protocol = UDP
Source address = 192.168.x.11
Source Port: ppp
Destination: any
Translation/target = Interface address
Thanks
Are you really trying to VPN in through 3 layers of NAT? Modem + OPN + Router?
You shouldn't have to create explicit rules for outbound NAT for this scenario.
That was the 2nd part of the first reply.
I ran a simpler form of this as a test a few weeks back (edge-OPN - internal-OPN-Wireguard-Server) and I did NOT have to mess with outbound NAT on either.
Quote from: EricPerl on April 03, 2025, 08:35:38 PM
Are you really trying to VPN in through 3 layers of NAT? Modem + OPN + Router?
You shouldn't have to create explicit rules for outbound NAT for this scenario.
That was the 2nd part of the first reply.
I ran a simpler form of this as a test a few weeks back (edge-OPN - internal-OPN-Wireguard-Server) and I did NOT have to mess with outbound NAT on either.
Thank you for your dedicated feedback.
Since your "solution support" is rather limited to accusations and "I solved it differently" maybe you can kindly give me specific hints on my architecture to solve my problem...I can NOT rebuild the architecture right now and I know that OPNsense provides a WG on its own.
Since I am neither a product owner of OPNsense nor a network architect, I have come to the forum in the expectation of a support with "my" problem.
Thank you
There is no "team" here. This is a community forum. Users helping but also discussing things with users. So while Eric is not offering much help, it is also his prerogative to question your general approach. If that is not changeable for reasons outside your control, just say so. I did not read his reply as particularly condescending or lecturing or some such.
I can get to writing a more helpful answer tomorrow latest, possibly tonight even, but for now I still have some work to do so please have patience.
Quote from: Patrick M. Hausen on April 03, 2025, 09:23:55 PM
I can get to writing a more helpful answer tomorrow latest, possibly tonight even, but for now I still have some work to do so please have patience.
Thank you for your reply.
Please take your time, I have not questioned this either!
OK, that went faster than expected. So let's do some community work ;-)
Modem[Internet](192.168.y.1) <-> [WAN](192.168.y.2)OPNsense[LAN](192.168.x.1) <-> Router(192.168.x.11) <-> WG-Server(10.xyz.1)[PORT:ppp]
1. Get the network structure and routing right - you probably did that already?
- add 192.168.x.11 as a gateway in OPNsense
- add a static route for 10.xyz.0/24 (?) via that gateway
Can you ping the WG server from OPNsense? Before that works, no use doing anything else. The WG server needs a default route to that internal router. The internal router needs a default route to OPNsense.
2. Inbound port forwarding
The rules you outlined in your first post look correct - "ppp" is 51820 or similar I suppose? And make sure it's UDP!
3. Outbound NAT
OPNsense only automatically does NAT for connected networks, not for ones reached via static routes. Minor drawback.
I prefer full control and set NAT > Outbound as "manual". Hybrid is also possible, but I'll go with manual for now.
- create a firewall alias named "internal networks" or similar. Type "network(s)", add all internal networks you want NATed - that's at least 192.168.x.0/24 and 10.xyz.0/24 (?)
- create a rule: interface WAN, source "internal networks", NAT to "interface address"
4. Depending on what you want to do add your WG network
If the network inside the WG tunnel should be using OPNsense for outbound Internet access etc.
- create another static route on OPNsense for the WG tunnel network via the internal router
- create a static route on the internal router for that same tunnel network pointing to the WG gateway
- add the WG tunnel network to the "internal networks" alias for NAT
That should do it.
Quote from: Patrick M. Hausen on April 03, 2025, 09:43:57 PM
OK, that went faster than expected. So let's do some community work ;-)
Modem[Internet](192.168.y.1) <-> [WAN](192.168.y.2)OPNsense[LAN](192.168.x.1) <-> Router(192.168.x.11) <-> WG-Server(10.xyz.1)[PORT:ppp]
1. Get the network structure and routing right - you probably did that already?
- add 192.168.x.11 as a gateway in OPNsense
- add a static route for 10.xyz.0/24 (?) via that gateway
Can you ping the WG server from OPNsense?
Currently not because OPNsense Gateway can not find the WG-Server.
PING 10.xyz.1 (10.0.49.1) 56(84) bytes of data.
From OPNsense Gateway(Internet (opt3) pppoe0) icmp_seq=1 Destination Net Unreachable
This is the situation before I will start to follow your instructions above.
Update_1:
Setup Gateway and routing --> ping works!
Quote from: Patrick M. Hausen on April 03, 2025, 09:43:57 PM
If the network inside the WG tunnel should be using OPNsense for outbound Internet access etc.
- create another static route on OPNsense for the WG tunnel network via the internal router
- create a static route on the internal router for that same tunnel network pointing to the WG gateway
- add the WG tunnel network to the "internal networks" alias for NAT
That should do it.
Please excuse another question of understanding:
The WG server has already had 7 clients set up from the past.
What exactly may I understand by your instructions, please:
- create another static route on OPNsense for the WG tunnel network via the internal router
- add 192.168.x.11 as a gateway in OPNsense
- add a static route for 10.xyz.0/24 (?) via that gateway
--> isn't it the same???
- create a static route on the internal router for that same tunnel network pointing to the WG gateway - I should set up WG-Server (49.xyz) as Gateway as well???
- add the WG tunnel network to the "internal networks" alias for NAT
Thank you
Those clients have IP addresses in WireGuard that are probably not mentioned in your first diagram. OPNsense needs to know about that network, too. Unless the WG server performs NAT for the clients dialling in.
Quote from: Patrick M. Hausen on April 03, 2025, 10:32:31 PM
Those clients have IP addresses in WireGuard that are probably not mentioned in your first diagram. OPNsense needs to know about that network, too. Unless the WG server performs NAT for the clients dialling in.
OK, of course there are the client-IPs...for each client-IP a route?!
Quote from: Patrick M. Hausen on April 03, 2025, 10:32:31 PM
Those clients have IP addresses in WireGuard that are probably not mentioned in your first diagram. OPNsense needs to know about that network, too. Unless the WG server performs NAT for the clients dialling in.
The old setup of WG server and client still established.
WG-Server: 10.xyz.1/24, DNS is the current internal router.
Did it. All client-IPs have now routes to internal router(192.xyz.11)
"- create a static route on the internal router for that same tunnel network pointing to the WG gateway"
I didn't set up a WG gateway in OPNsense, or does it mean to set up the internal router to WG 10.xyz.1/24?
Quote from: Neurothiker on April 03, 2025, 10:35:35 PM
Quote from: Patrick M. Hausen on April 03, 2025, 10:32:31 PM
Those clients have IP addresses in WireGuard that are probably not mentioned in your first diagram. OPNsense needs to know about that network, too. Unless the WG server performs NAT for the clients dialling in.
OK, of course there are the client-IPs...for each client-IP a route?!
Just one route for the entire /24. Not each client individually.
Quote from: Neurothiker on April 03, 2025, 10:54:34 PM
Quote from: Patrick M. Hausen on April 03, 2025, 10:32:31 PM
Those clients have IP addresses in WireGuard that are probably not mentioned in your first diagram. OPNsense needs to know about that network, too. Unless the WG server performs NAT for the clients dialling in.
Did it. All client-IPs have now routes to internal router(192.xyz.11)
"- create a static route on the internal router for that same tunnel network pointing to the WG gateway"
I didn't set up a WG gateway in OPNsense, or does it mean to set up the internal router to WG 10.xyz.1/24?
Gateways are always locally connected. OPNsense needs routes to the WG gateway network (10.something) and the WG tunnel network with the clients. Both routes pointing to that .11 router connected to OPNsense.
That router in turn needs to know about the tunnel/client network.
Dear Mr. Hausen,
first of all I thank you for your extremely detailed support - phenomenal!
Unfortunately, it also clearly showed me that the OPNsense system is far beyond my horizon - and perhaps not my solution after all.
I'm switching from Fritzbox DSL to OPNsense fiber and yes, the network architecture is still from that time, but I can't change it directly due to various dependencies - hence my requests for support here in the forum.
Ok, back to my biggest issue at all:
Quote from: Patrick M. Hausen on April 03, 2025, 09:43:57 PM
1. Get the network structure and routing right - you probably did that already?
- add 192.168.x.11 as a gateway in OPNsense
- add a static route for 10.xyz.0/24 (?) via that gateway
Accomplished - ping WG-IP works.
Quote from: Patrick M. Hausen on April 03, 2025, 09:43:57 PM
2. Inbound port forwarding
The rules you outlined in your first post look correct - "ppp" is 51820 or similar I suppose? And make sure it's UDP!
Accomplished
Firewall: NAT: Port Forward
Interface: WAN
TCP/IP: IPv4
Protocol: UDP
Destination: Internet address
Destination port range: ppp
Redirect target IP: 192.168.x.11[Router]
Redirect target port: ppp
Quote from: Patrick M. Hausen on April 03, 2025, 09:43:57 PM
3. Outbound NAT
- create a firewall alias named "internal networks" or similar. Type "network(s)", add all internal networks you want NATed - that's at least 192.168.x.0/24 and 10.xyz.0/24 (?)
- create a rule: interface WAN, source "internal networks", NAT to "interface address"
Accomplished
- Firewall: Aliases
Name: interne Netzwerke
Host(s)
Content: 192.168.x.0/24 10.xyz.0/24
Description: Anbindung an WG
- Firewall: NAT: Outbound
Interface = WAN
TCP/IP Version = IPv4
Protocol = UDP
Source address = interne Netzwerke
Source Port: 47362
Destination: any
Translation/target = Interface address
Quote from: Patrick M. Hausen on April 03, 2025, 09:43:57 PM
4. Depending on what you want to do add your WG network
If the network inside the WG tunnel should be using OPNsense for outbound Internet access etc.
- create another static route on OPNsense for the WG tunnel network via the internal router
- create a static route on the internal router for that same tunnel network pointing to the WG gateway
- add the WG tunnel network to the "internal networks" alias for NAT
Accomplished
- System: Routes: Configuration
Network Address: WG-Clients IP
Gateway: internal router(192.168.x.1)
As I setup the WG-Server in the past I pointed to the WG gateway(internal router[192.168.x.1])
Quote from: Patrick M. Hausen on April 03, 2025, 09:43:57 PM
- add the WG tunnel network to the "internal networks" alias for NAT
Does it mean to add all WG-client IP to "internal network"?
Thank you
Quote from: Neurothiker on April 04, 2025, 10:48:35 AM
Does it mean to add all WG-client IP to "internal network"?
If the WG clients are supposed to go to the Internet through the tunnel and back out through OPNsense again, then yes. You need to NAT them. Easiest way is to add them to that alias. But a single entry with the entire network (/24?) is enough, no need to add each client separately.
If the WG clients only access the local networks while connecting to the Internet wherever they are located, then no.
At the risk of not being helpful again...
You may feel a bit discouraged right now but your setup is not exactly for beginners.
I'm no expert either. Patrick is one though.
The inbound PF rule does not look correct to me.
It should likely point to the WG-server (xyz.1).
The outbound NAT rule also seems weird. Why is a source port specified? * is likely more appropriate.
FWIW, if you'd kept hybrid mode, you would only need rules for the downstream networks and could replicate the default rules.
Have you tested any of the configuration changes you made?
Testing the outbound NAT rules is "easy". Connect a machine in that network (eg 10.xyz) and verify connectivity.
Testing the inbound PF is a bit more difficult. You need a WG client in the y network configured to use y.2 as a server.
But you might also need to disable reply-to in OPN (in Firewall > Settings > Advanced). Some OPN weirdness here.
Then you can use the same WG client on the Internet (pointing to your public IP).
I assume you have some inbound port forward on that "modem" too, pointing to y.2.
Unless there's a terminology issue, you've never indicated the WG tunnel network.
WG-server is listening to WG UDP traffic on xyz.1:ppp, then decapsulated traffic is generated on that WG tunnel network.
Each peer of the WG-server instance is getting an IP in that network, likely with access to some networks behind the internal router.
Going back to your setup, you have "modem" - OPN - router - WG.
Given the y network subnet, I assume there's some NAT on the "modem".
We know there's some NAT on OPN.
You don't seem to have any NAT on router (my bad for assuming this in my initial question, but it was my way of asking for clarification).
BECAUSE you don't have NAT there, for each network downstream of OPN (behind router), you need:
* GW pointing to router + static route for the network pointing to the GW (so packets going through OPN targeting that network make it to the next hop to their destination).
* outbound NAT for the downstream network on OPN. Otherwise, I believe packets are "just" routed on OPN WAN and I suspect it will go downhill from there.
So, if your WG clients (once connected to WG-server) need to get back out through OPN, you need to do the above for the WG tunnel.
The terminology issue would arise from WG-server listening on x.11:ppp (explaining the PF destination IP) and using xyz.1/24 as WG tunnel address.
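As an added example (not from the thread and not OPNsense code), a small Python planner that applies the two requirements Eric lists above, together with Patrick's earlier points that automatic outbound NAT only covers connected networks and that a gateway must always be locally connected. For each network behind the internal router it reports whether OPNsense has a route back to it and whether it will be NATed on WAN, and it flags a static route whose gateway is not on a connected network (the question raised about using the WG server itself as the gateway). The values 192.168.2.0/24 (for 192.168.y.0/24), 192.168.1.0/24 (for 192.168.x.0/24), 192.168.1.11 (for 192.168.x.11) and 10.200.0.0/24 (for the WG tunnel network the thread never names) are constructed stand-ins; 10.0.49.0/24 is the WG server network that the ping output earlier in the thread shows.

```python
"""Added example, not code from the thread or from OPNsense.

For every network behind the internal router (i.e. not directly connected
to an OPNsense interface) two things are needed, as stated in the thread:
  1. a gateway on a connected network plus a static route for the network
     via that gateway, otherwise reply traffic has no way back;
  2. an outbound NAT entry on WAN, because automatic outbound NAT only
     covers connected networks.

Constructed stand-ins: 192.168.2.0/24 (192.168.y.0/24), 192.168.1.0/24
(192.168.x.0/24), 192.168.1.11 (192.168.x.11), 10.200.0.0/24 (WG tunnel
network, unnamed in the thread). 10.0.49.0/24 is from the ping output.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Interface:
    name: str
    network: IPv4Network
    address: IPv4Address
    is_wan: bool = False


@dataclass(frozen=True)
class StaticRoute:
    network: IPv4Network
    gateway: IPv4Address


@dataclass
class Firewall:
    interfaces: List[Interface]
    routes: List[StaticRoute] = field(default_factory=list)
    nat_mode: str = "automatic"                                           # "automatic" or "manual"
    manual_nat_sources: List[IPv4Network] = field(default_factory=list)  # "internal networks" alias


def connected_interface(fw: Firewall, addr: IPv4Address) -> Optional[Interface]:
    """Interface whose subnet contains addr, or None (a gateway must be connected)."""
    return next((i for i in fw.interfaces if addr in i.network), None)


def has_route_to(fw: Firewall, net: IPv4Network) -> bool:
    """Connected networks are implicitly routed; anything else needs a static route."""
    if any(net.subnet_of(i.network) for i in fw.interfaces):
        return True
    return any(net.subnet_of(r.network) for r in fw.routes)


def is_natted_on_wan(fw: Firewall, net: IPv4Network) -> bool:
    if fw.nat_mode == "automatic":
        # As the thread states: automatic mode covers connected (non-WAN) networks only.
        return any(net.subnet_of(i.network) for i in fw.interfaces if not i.is_wan)
    return any(net.subnet_of(s) for s in fw.manual_nat_sources)


def check_plan(fw: Firewall, internal_networks: List[IPv4Network]) -> Dict[str, List[str]]:
    """Map each network (and each unusable gateway) to the list of problems found."""
    problems: Dict[str, List[str]] = {}
    for net in internal_networks:
        issues = []
        if not has_route_to(fw, net):
            issues.append("no route back to this network")
        if not is_natted_on_wan(fw, net):
            issues.append("not NATed on WAN, leaves with private source")
        problems[str(net)] = issues
    for r in fw.routes:
        if connected_interface(fw, r.gateway) is None:
            problems.setdefault(f"gateway {r.gateway}", []).append(
                "not on a connected network, cannot be used as a gateway")
    return problems


# Constructed topology matching the thread's diagram
WAN = Interface("wan", ip_network("192.168.2.0/24"), ip_address("192.168.2.2"), is_wan=True)
LAN = Interface("lan", ip_network("192.168.1.0/24"), ip_address("192.168.1.1"))
INTERNAL_ROUTER = ip_address("192.168.1.11")
WG_SERVER_NET = ip_network("10.0.49.0/24")
WG_TUNNEL_NET = ip_network("10.200.0.0/24")
INTERNAL_NETWORKS = [LAN.network, WG_SERVER_NET, WG_TUNNEL_NET]


def before_scenario() -> Firewall:
    """Fresh OPNsense: only LAN connected, automatic outbound NAT, no static routes."""
    return Firewall(interfaces=[WAN, LAN])


def after_scenario() -> Firewall:
    """Routes for both downstream networks via the internal router, manual NAT alias."""
    return Firewall(
        interfaces=[WAN, LAN],
        routes=[StaticRoute(WG_SERVER_NET, INTERNAL_ROUTER),
                StaticRoute(WG_TUNNEL_NET, INTERNAL_ROUTER)],
        nat_mode="manual",
        manual_nat_sources=INTERNAL_NETWORKS,
    )


def wrong_gateway_scenario() -> Firewall:
    """Tunnel route pointed at the WG server itself, which OPNsense cannot reach directly."""
    fw = after_scenario()
    fw.routes = [StaticRoute(WG_SERVER_NET, INTERNAL_ROUTER),
                 StaticRoute(WG_TUNNEL_NET, ip_address("10.0.49.1"))]
    return fw


if __name__ == "__main__":
    for label, fw in (("before", before_scenario()), ("after", after_scenario()),
                      ("wrong gateway", wrong_gateway_scenario())):
        print(label, check_plan(fw, INTERNAL_NETWORKS))
```

In the "before" state the LAN is fine but both downstream networks lack a route and NAT; the "after" state clears every entry; the "wrong gateway" state shows why the gateway has to be the .11 router and not the WG server.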