Messages

Tottaly I switched back to site2site configuration.
To enable port forwarding on OPNsense via WireGuard, you just need to adjust the source IP, it should go through WG tunnel as local. This can be done under Firewall → NAT → Outbound.


P.S. with the selective routing all source IPs from the remote site appear as the gateway IP — which isn't suitable for my setup.

Thanks, I`m done with it!)

On both sides, I've configured custom routing lan => other side local networks with allowed IPs 0.0.0.0/0 in WG peers.
and this rule with reply-to wg gateway on OpnsenseB.

For that you will most likely need policy based routing, and unchecking that the wireguard itself installs system routes.

I apologize for asking so many questions — I'm still new to OPNsense, coming from Kerio Control.

Yes, the source is a public IP, which is why "port forwarding" only works from the local networks of opnsenseA — because in that case, the source IP is local.

What you can do is selecting if routes should be installed to the system routing table, or not, via an advanced option in the wireguard endpoint.

I have access from local nets of OpnsenseA to local nets of opnsenseB and vice versa. So is it means that the routing table is configured correct?

Also you might discover assymtric paths, if client A has a public IP address as source and gets port forwarded and routed through the wireguard tunnel, on the VPS the return packet will be sent via the default gateway, not returning back through the tunnel, as the target is a public IP. You have to use source NAT as well so the source looks like its an IP that can be routed back through the wireguard tunnel.

as I understand the issue is here but I added reply-to option with wgB gateway to the Wan rule which "associated" with port forwarding. If there anything else what I am missing?

Thank you for your help!)

Does your wireguard cryptokey routing (Allowed IPs) allow any IP address to get routed into the tunnel?

sorry for delay with reply)

Can you please correct me if I am wrong. "Allowed IPs" refers to the subnets or IP addresses that should be routed through the tunnel.

So if I uderstant you correct, No, its configured to route only local nets. What exactly I need Wan=>wg=>local ip.

P.S.
I added a rule to the WG interface on opnsenseB, which seems logical, but it didn't help. Anyway I don`t see any firewall logs on opnB that match or correspond to the redirect logs on opnA."

Hi,

I'm struggling with port forwarding through WireGuard.
Totally i have 3 conected to each other opnsense and all subnets are fully accessible from each other.
Each office is connected via a separate instance-peer setup, so each WG instance has its own interface.

I am trying to port forward from wan opnsenseA to lan opnsenseB but it only works from the OpnsenseA local networks.

I tried adding a reply-to gateway of the WG interface for Wan rule, but that didn't help either. Maybe I misconfigured the gateway for WireGuard?
( ip of WG instance of opnsenseA (tried B also), monitor ip is lan ip of opnsenseB) opnsenseB has a dynamic Wan ip.


OpnsenseA logs show that everything is working as expected.


Meanwhile, OpnsenseB shows nothing at all...

However, if I try accessing the WAN from the LAN network of OpnsenseA, both OpnsenseA and OpnsenseB logs show activity.
The logs of opnsenseB


Any ideas what I might be missing?

And second question how to debug it? How to check traffic flow to understand what is going wrong?

Добрый день,

Мучаюсь с пробросом портов через wireguard.
Внутри сетей opnsenseA проброс работает как часы но вот через WG тунель победить не могу)

Естественно все 3 opnsense подсети из каждой подсети доступны)

OpnsenseA:
port forwarding from static ip wan to opnsenseB local ip.
Reflection for port forwards and Automatic outbound NAT for Reflection are enabled.
wireguard intarface assigned. Rules - (pass, opnsenseB local nets to opnsenseA local nets).

OpnsenseB:
Reflection for port forwards and Automatic outbound NAT for Reflection are enabled.
wireguard intarface assigned. Rules - (pass, opnsenseA local nets to opnsenseB local nets).

Каждый офис соединен отдельными инстанс - пиир, чтобы для каждой подсети был свой интерфейс.
Итого такой проброс работает только из подсети opnsenseA.
читал что нужно в правиле для данного проброса указать reply-to интерфейс WG. Ок для этого в интерфейсе указываем Dynamic gateway policy, geteway создается указал его reply-to и тоже не фига))) Больше всего раздражает что хрен знает как отловить) в логах opnsesense идет проброс, в логах opnsenseb как будто нихрена не((( при этом если обратится к ван внутри подсети opnsesea то оба лога срабатывают) Надеюсь смог обьяснить! на всех последняя версия Opnsense.

Good day to Everyone)
Sorry if I'm being slow,
I have a similar situation.

<sup>OpnsenseA:
port forwarding from static ip wan to opnsenseB local ip.
Reflection for port forwards and Automatic outbound NAT for Reflection are enabled.
wireguard intarface assigned. Rules - (pass, opnsenseB local nets to opnsenseA local nets).

OpnsenseB:
Reflection for port forwards and Automatic outbound NAT for Reflection are enabled.
wireguard intarface assigned. Rules - (pass, opnsenseA local nets to opnsenseB local nets).</sup>
 

So port forwards works only from opnsenseA network. Can you please explain what i do wrong?
All networks are accessible from both opnsense networks.

There is a 3rd opnsenseC conected to opnsenseA and B, so each instance of WG Opnsense has 2 conections, can it be issue?

Hi,

Can you please help what I did wrong.
local network 10.0
remote 7.0
WireGuard Site-to-Site
Aftter that i have connected tunnel but I have access only to opnsense Ip from both sides.
As I understand something wrong with wireguard firewall rule? Or what screen do you need more?

Both rules mopstly are the same.  1st rule made just for checking
Ping from 10.0 to remote opnsense succes but for other remote machines not.