OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: christianw on December 27, 2019, 09:52:26 am

Title: No ruleset for wireguard + mtu question
Post by: christianw on December 27, 2019, 09:52:26 am
Hi,

I can't believe that I'm the first one with this issue, so it's probably rather a problem between my keyboard and my chair...

After I installed WireGuard, there is no ruleset (Firewall --> Rules) for the WireGuard interface. When I manually add a new interface "WireGuard", there are two rulesets "WireGuard". After removing the just-added WireGuard interface, everything seems okay, so there is only one ruleset left.

Is that the intended workflow? :-)

And...

We have some UDP traffic from collectd through the WireGuard tunnel. Unfortunately about 50% of those packets will not pass the tunnel, because the WireGuard MTU is 1392 and those packets are > 1392.
Code:
    IP 10.10.0.1.51518 > 172.16.200.6.2003: UDP, bad length 1393 > 1392
Does anybody have an idea for a best practice? I'm thinking of UDP fragmentation, adjusting the collectd packet size (possible?) or changing the WireGuard MTU.

Best regards...
Title: Re: No ruleset for wireguard + mtu question
Post by: mimugmail on December 27, 2019, 04:27:18 pm
The WireGuard MTU can be changed in the local instance configuration. Normally the firewall should fragment those packets when they aren't set with the DF bit. If DF is set, change your local clients.

Don't assign an interface and label it WireGuard .. use something like WG0.
If the firewall tab doesn't appear after enabling WireGuard, go to a firewall rule (no matter which one), edit and save without changes, then it's there.
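The MTU arithmetic behind the two posts above, as an added example that is not part of this thread and not OPNsense or WireGuard project code. It derives the WireGuard interface MTU from the outer path MTU (1500 minus IPv6 or IPv4 header, UDP header and WireGuard's 32-byte data-message framing, which is where wg-quick's default of 1420 comes from), computes the largest UDP payload that crosses a 1392-byte tunnel without fragmentation (the number to give the sender if collectd's packet size is adjusted; the option name is not stated in the thread and must be checked in the collectd network plugin docs), and decides what a router does with an oversized inner packet depending on the DF bit. The tcpdump line is parsed following the poster's reading of it (first number is the packet that was too large, second the limit it was compared with); the capture text is constructed here and the header sizes assume no IPv4 options.

```python
"""WireGuard MTU and inner-UDP fragmentation planner (added example, not from the thread)."""
import math
import re
from dataclasses import dataclass

IPV4_HDR = 20          # IPv4 header without options (assumption: no options)
IPV6_HDR = 40          # IPv6 fixed header
UDP_HDR = 8
WG_DATA_OVERHEAD = 32  # WireGuard data message: type 4 + receiver index 4 + counter 8 + Poly1305 tag 16


def wireguard_mtu(outer_mtu=1500, outer_family=6):
    """Largest inner packet that fits one outer UDP datagram without outer fragmentation.
    With a 1500-byte IPv6 outer path this gives 1420, wg-quick's default."""
    outer_ip = IPV6_HDR if outer_family == 6 else IPV4_HDR
    return outer_mtu - outer_ip - UDP_HDR - WG_DATA_OVERHEAD


def max_udp_payload(tunnel_mtu, inner_family=4):
    """Largest UDP application payload that crosses the tunnel without inner fragmentation."""
    inner_ip = IPV4_HDR if inner_family == 4 else IPV6_HDR
    return tunnel_mtu - inner_ip - UDP_HDR


@dataclass
class Verdict:
    fits: bool
    fragments: int     # inner fragments emitted; 1 = forwarded as-is, 0 = dropped
    outcome: str


def plan_inner_packet(datagram_len, tunnel_mtu, df, inner_family=4):
    """What a router does with an inner IP packet of datagram_len bytes
    that has to leave through a tunnel interface with tunnel_mtu."""
    inner_ip = IPV4_HDR if inner_family == 4 else IPV6_HDR
    if datagram_len <= tunnel_mtu:
        return Verdict(True, 1, "forwarded unfragmented")
    if inner_family == 6 or df:
        # IPv6 is never fragmented in transit; IPv4 with DF set is dropped and the
        # sender gets ICMP type 3 code 4 (Fragmentation Needed) carrying tunnel_mtu.
        return Verdict(False, 0, f"dropped, ICMP fragmentation needed, mtu {tunnel_mtu}")
    # IPv4 without DF: fragment offsets count 8-byte units, so every fragment
    # except the last carries a multiple of 8 payload bytes.
    per_fragment = (tunnel_mtu - inner_ip) // 8 * 8
    n = math.ceil((datagram_len - inner_ip) / per_fragment)
    return Verdict(False, n, f"fragmented into {n} IPv4 fragments of <= {per_fragment + inner_ip} bytes")


BAD_LENGTH_RE = re.compile(r"UDP, bad length (\d+) > (\d+)")


def parse_bad_length(line):
    """Extract the two numbers from a tcpdump 'bad length X > Y' line.
    Following the thread's reading, X is the oversized packet and Y the limit
    it was compared against. Returns None for any other line."""
    m = BAD_LENGTH_RE.search(line)
    return (int(m.group(1)), int(m.group(2))) if m else None


# Constructed sample capture: the line quoted in the first post plus one normal line.
SAMPLE_CAPTURE = """\
IP 10.10.0.1.51518 > 172.16.200.6.2003: UDP, bad length 1393 > 1392
IP 10.10.0.1.51518 > 172.16.200.6.2003: UDP, length 1200
"""


def triage_capture(text, df=False):
    """Return (size, limit, verdict) for every 'bad length' line in a capture."""
    results = []
    for line in text.splitlines():
        parsed = parse_bad_length(line)
        if parsed:
            size, limit = parsed
            results.append((size, limit, plan_inner_packet(size, limit, df)))
    return results


if __name__ == "__main__":
    print("wg MTU for a 1500-byte IPv6 outer path:", wireguard_mtu())
    print("wg MTU for a 1500-byte IPv4 outer path:", wireguard_mtu(outer_family=4))
    print("largest UDP payload through a 1392-byte tunnel:", max_udp_payload(1392))
    for size, limit, v in triage_capture(SAMPLE_CAPTURE, df=False):
        print(f"{size} > {limit}, DF clear: {v.outcome}")
    for size, limit, v in triage_capture(SAMPLE_CAPTURE, df=True):
        print(f"{size} > {limit}, DF set: {v.outcome}")
```

Run it as a script to see the three numbers and both verdicts for the quoted capture line. The practical takeaway matches the reply: with DF clear the firewall splits the 1393-byte packet into two IPv4 fragments and it gets through; with DF set it is dropped with an ICMP "fragmentation needed", so either the sender honours that ICMP and lowers its packet size, or the tunnel MTU is raised (only up to what the outer path allows, 1420 or 1440 for a 1500-byte path).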
Title: Re: No ruleset for wireguard + mtu question
Post by: christianw on January 02, 2020, 05:28:16 am
Hi mimugmail,

thank you. I'll try turning UDP fragmentation on at the client side.
The hint with saving some rules is what I was looking for. :-)