I have two OPNsense firewalls, both are version 25.7.7.
I set up WireGuard according to the official documentation, without creating an interface for WireGuard.
WireGuard itself works fine - the tunnel is established.
Topology is like this:
Site A: 192.168.1.0/24 - Tunnel IP 172.16.0.1
Site B: 192.168.10.0/24 - Tunnel IP 172.16.0.10
I have an allow-all rule on the LAN and wg group firewall rule set.
I can ping from site B to the tunnel IP from the firewall on site A, and the other way around.
But I cannot, for Christ's sake, ping any IP address from one network to the other. -> I see in the logs that the packet is allowed, but the ping, for example, never comes back.
But I can ping the tunneled network directly from the firewall itself. So I also tried to disable outbound NAT for WireGuard, still does not work. So I am clueless.
I would appreciate any help.
What are the AllowedIPs settings in the WireGuard peer on each side?
Quote from: austrian-firewaller on December 01, 2025, 02:46:42 PM
without creating an interface for WireGuard
Create one on both sides.
Thank you for your reply.
The allowed IPs in Site A:
172.16.0.10/32, 192.168.10.0/24
Site B:
172.16.0.1/32, 192.168.1.0/24
So in each instance it is the FW tunnel IP and the network from the opposite site.
That should be correct, right?
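To make the AllowedIPs check above concrete, here is an added example (not from the thread or from OPNsense) that models WireGuard's cryptokey routing for the two peer entries quoted in this post: outbound, a packet is only sent to the peer whose AllowedIPs covers its destination; inbound, a decrypted packet is dropped unless its inner source is inside that peer's AllowedIPs. It covers only WireGuard's own decision, not the pf rules or kernel routing on either firewall; the addresses are the thread's, the failing variant is constructed.

```python
import ipaddress

# Constructed from the thread's own addresses, not a capture from either firewall.
SITE_A = {"allowed_ips": ["172.16.0.10/32", "192.168.10.0/24"]}
SITE_B = {"allowed_ips": ["172.16.0.1/32", "192.168.1.0/24"]}


def peer_for(dst, allowed_ips):
    """Outbound cryptokey routing: the packet goes to the peer whose AllowedIPs
    covers dst (longest prefix wins). None means wg has no peer for it and drops it."""
    dst = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(n) for n in allowed_ips if dst in ipaddress.ip_network(n)]
    return max(matches, key=lambda n: n.prefixlen) if matches else None


def accepted_from(src, allowed_ips):
    """Inbound cryptokey routing: after decryption the inner source address must
    fall inside the sending peer's AllowedIPs, otherwise wg drops it silently."""
    return any(ipaddress.ip_address(src) in ipaddress.ip_network(n) for n in allowed_ips)


def trace_ping(src, dst, sender, receiver):
    """Walk one ICMP request and its reply through both wg instances; each side's
    dict holds the AllowedIPs it has configured for the *other* site as its peer."""
    return {
        "request_routed_to_peer": peer_for(dst, sender["allowed_ips"]) is not None,
        "request_accepted": accepted_from(src, receiver["allowed_ips"]),
        "reply_routed_to_peer": peer_for(src, receiver["allowed_ips"]) is not None,
        "reply_accepted": accepted_from(dst, sender["allowed_ips"]),
    }


def cryptokey_routing_ok(src, dst, sender, receiver):
    return all(trace_ping(src, dst, sender, receiver).values())


if __name__ == "__main__":
    # The failing case from the thread: Site B host -> Site A host.
    print(trace_ping("192.168.10.190", "192.168.1.10", SITE_B, SITE_A))
    # Constructed mistake: Site A's peer entry lists only B's tunnel IP. B still
    # shows "wg OUT" for the request, A drops it after decryption and logs nothing.
    bad_a = dict(SITE_A, allowed_ips=["172.16.0.10/32"])
    print(trace_ping("192.168.10.190", "192.168.1.10", SITE_B, bad_a))
```

With the AllowedIPs as posted, all four decisions pass for a LAN-to-LAN ping in both directions, so a packet that leaves "wg OUT" on one firewall and never appears on the other is not being dropped by cryptokey routing with this configuration.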
Quote from: Bob.Dig on December 01, 2025, 07:00:06 PM
Quote from: austrian-firewaller on December 01, 2025, 02:46:42 PM
without creating an interface for WireGuard
Create one on both sides.
Why? It should not be necessary? And I think I did that as well, nothing changed. I found other sources telling not to do so.
If both firewalls can ping one another (BTW: on which address? The tunnel IP or their LAN IP?), then it seems obvious that your firewall rules created in step 6 of the official instructions are wrong. You should not have to use NAT on the WireGuard interfaces. Just follow the docs.
From both firewalls I can ping the tunnel IP and all hosts from the other network.
But it is not possible from a host inside a LAN network to get to the other network. Only to the other tunnel IP address.
So for example, I ping from a host on Site B to firewall Site A:
192.168.10.190 -> 192.168.1.10
I see in the firewall Live View (FW B):
LAN IN from 192.168.10.190 to Dest 192.168.1.10
wg OUT from 192.168.10.190 to Dest 192.168.1.10
And on FW Site A I see nothing.
I have allow "all in" traffic on the LAN and WireGuard interface on both OPNsense, still nothing...
Now I have created interfaces for the WireGuard tunnels, still no change.
The WG tunnel itself is stable, because from my PC (192.168.10.190) I can ping Firewall Site A with 65000 bytes of load with no dropped packets over a longer time.