[SOLVED] Wireguard site to site works, but firewalls cannot ping each other
« on: February 22, 2024, 05:07:58 pm »
Hello,
I've set up a Wireguard site to site tunnel between two OPNSense 24.1.2_1 instances.
So far so good, tunnel is up, firewall rules allow any IPv4 traffic on "Wireguard (Group)" interfaces.
From any computer on site A (10.0.0.0/24) I can ping any computer on site B (10.0.1.0/24) and from B to A, so everything looks good.
But, ping (and other protocols) doesn't work from the firewall itself, e.g. OPNSense A (10.0.0.1) to OPNSense B (10.0.1.1), neither does it work from OPNSense B to OPNSense A.
Now the strange part is, if I happen to add the OPNSense source IP to the ping, e.g. `ping -S 10.0.0.1 10.0.1.1`, the ping works.
I'm a bit puzzled here.
The routing tables look good (10.0.1.0/24 via wg0 on OPNSense A and 10.0.0.0/24 via wg0 on OPNSense B).
It looks like the originating IP isn't good when running ping from OPNSense.
So basically, from OPNSense A:
`ping 10.0.1.1` does not work
`ping -S 10.0.0.1 10.0.1.1` works
Why do I need to specify the source IP when trying to ping the other firewall?
I need the firewalls to be able to speak with each other (for DNS resolution), how can I achieve this?
Looks like a bug to me.
Best regards.
PS: I've verified (multiple times) my config according to the docs.
Any idea is welcome ^^
PS2: Shall I configure an outgoing NAT rule? Doesn't ring right to me.