OPNsense Forum

English Forums => Virtual private networks => Topic started by: JamieR007 on August 28, 2025, 05:16:53 PM

Title: Applying VLAN firewall rules to a WireGuard client
Post by: JamieR007 on August 28, 2025, 05:16:53 PM
Hi,

I'm trying to make a WireGuard client behave like a device on an existing VLAN, i.e. subject to the same existing VLAN firewall rules (including inter-VLAN restrictions) without duplicating policy.

What I've tried:

WireGuard interface rules — pf only sees the outer UDP tunnel, so rules targeting specific inner IP/port combinations never match.

SNAT to a VLAN IP — makes the client appear as a VLAN host, but the firewall still evaluates rules on the WireGuard interface instead of the VLAN, so it doesn't defer to the VLAN rules.

Bridging WireGuard into the VLAN — technically difficult and unreliable, because WireGuard is L3-only and doesn't support true bridging.

Workaround options:

Enforce policy on each destination VLAN, using SNAT so the client looks like VLAN traffic.

Move the VLAN firewall policy into Floating rules with Quick mode, applying to both the VLAN and WireGuard interface — eliminating duplication.

Question:
Is there a cleaner, recommended approach in OPNsense to have WireGuard clients inherit VLAN firewall rules without rule duplication?

Thanks!
Title: Re: Applying VLAN firewall rules to a WireGuard client
Post by: JamieR007 on September 02, 2025, 12:02:22 PM
Any comments or suggestions greatly appreciated. Do others just create separate VLAN access rules for WireGuard clients? I'm trying to avoid duplication of these rules.

Thanks
Title: Re: Applying VLAN firewall rules to a WireGuard client
Post by: Patrick M. Hausen on September 02, 2025, 12:40:42 PM
Quote from: JamieR007 on August 28, 2025, 05:16:53 PM
> WireGuard interface rules — pf only sees the outer UDP tunnel, so rules targeting specific inner IP/port combinations never match.

Rules on the Wireguard interface group or a Wireguard interface if assigned operate on the traffic inside the tunnel.
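The pf equivalent of the "floating rules with Quick, applied to both interfaces" workaround from the first post, given that (as the reply notes) rules on the WireGuard interface already match the decrypted inner packets. This is a constructed example, not the thread's or OPNsense's generated configuration; the interface names, subnets and the shared-policy macro are assumptions.

```pf
# Constructed pf.conf fragment (assumed names: vlan10 carries the VLAN,
# wg0 is the assigned WireGuard interface; subnets are made up).
vlan_if    = "vlan10"
wg_if      = "wg0"
vlan_net   = "10.10.0.0/24"     # hosts on the VLAN
wg_clients = "10.99.0.0/24"     # WireGuard tunnel address pool (inner IPs)
server_net = "10.20.0.0/24"     # a restricted destination VLAN

# One policy block, evaluated on both interfaces with "quick" so it is
# decided here and not re-evaluated by per-interface rules further down.
# The inner source IP of a tunnel client is what pf sees on $wg_if.
pass  in quick on { $vlan_if $wg_if } inet proto tcp \
      from { $vlan_net $wg_clients } to $server_net port 443 \
      keep state
block in quick on { $vlan_if $wg_if } inet \
      from { $vlan_net $wg_clients } to $server_net
```

Because the policy is expressed once with an interface list and `quick`, the VLAN hosts and the tunnel clients are held to the same restrictions without a duplicated rule set.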