Ping Across Wireguard Tunnel

[spetrillo]

Hello all,

I have a working Wireguard S2S tunnel running between two sites. I can access devices on one side, from the other side, and so on. What I cannot seem to do is the simple stuff, like pinging a device at Site A, from a device at Site B. Another example is doing a port probe from my OPNsense firewall at Site A to my OPNsense firewall at Site B. A simple test for port 8443, which is open for the OPNsense GUI to be accessed, is failing.

What am I missing?

Steve

[bmt]

For the port probe - check your port forwards perhaps.

As for the pinging - I found that sometimes I need to explicitly allow icmp on the LAN interface to be able to ping devices.

[spetrillo]

That's just it...why should I have to port forward? For example I can access the OPNsense GUI at site B, from a PC at site A. The URL contains a port of 8443. Since I can access that GUI I am assuming that port 8443 is flowing thru the WG tunnel?

[spetrillo]

Ok more info...

Site A can ping to devices at site B. Site B cannot ping to devices at site A. So here is my network setup.

Site A is an OPNsense firewall with direct connectivity to Internet ISP. Site B is an OPNsense firewall that is setup to be a DMZ host, behind an ISP router. On site A's firewall WAN interface I have Block Private Networks checked, whereas on the site B side this is unchecked.

There is a WG tunnel setup between the sites, so I am wondering if the block private networks option on site A is not allowing site B private IPs to be able to communicate with site A devices. My subnets on site B are 10.0.1.0/24 and 10.0.10.0/24, which are RFC1918 addresses.

Thoughts??