[SOLVED] Wireguard site to site works, but firewalls cannot ping each other

Started by deajan, February 22, 2024, 05:07:58 PM

Hello,

I've setup a Wireguard site to site tunnel between two OPNSense 24.1.2_1 instances.
So far so good, tunnel is up, firewall rules allow any IPv4 traffic on "Wireguard (Group)" interfaces.

From any computer on site A (10.0.0.0/24) I can ping any computer on site B (10.0.1.0/24) and from B to A, so everything looks good.

But ping (and other protocols) doesn't work from the firewall itself, e.g. OPNSense A (10.0.0.1) to OPNSense B (10.0.1.1), nor does it work from OPNSense B to OPNSense A.

Now the strange part is, if I happen to add the OPNSense source IP to the ping, eg `ping -S 10.0.0.1 10.0.1.1`, the ping works.

I'm a bit puzzled here.
The routing tables look good (10.0.1.0/24 via wg0 on OPNSense A and 10.0.0.0/24 via wg0 on OPNSense B).
It looks like the originating IP isn't good when running ping from OPNSense.

So basically, from OPNSense A:
`ping 10.0.1.1` does not work
`ping -S 10.0.0.1 10.0.1.1` works

Why do I need to specify the source IP when trying to ping the other firewall?
I need the firewalls to be able to speak with each other (for DNS resolution); how can I achieve this?

Looks like a bug to me.

Best regards.

PS: I've verified (multiple times) my config according to the docs.
Any idea is welcome ^^

PS2: Shall I configure an outgoing NAT rule? Doesn't ring right to me.
The world has 6 strings, and I got a pick ;)

What did you specify for the tunnel network? The two subnets are disjoint, so there must be a separate network between them. When you use a ping to reach the other side, it is probably the tunnel IP that is the default for the ping. Be careful to have that subnet not overlap one of the others.

Wireguard also wants you to specify which IP ranges are allowed to pass the tunnel: on either side you have to specify the tunnel IP of the other OpnSense plus the network behind it. Otherwise, packets will be blocked, but you cannot see that in the firewall logs. So "firewall rules allow any IPv4 traffic" will not suffice.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Tunnel network is outside of the site networks, e.g. the addresses are 192.168.100.1/24 and 192.168.100.2/24.
Allowed networks are 10.0.0.0/24 on site B and 10.0.1.0/24 on site A.

I don't have any blocked traffic, and every "non firewall" IP can happily communicate with every remote IP.

It's only both firewalls that cannot ping each other.

If I happen to setup an outgoing NAT "this firewall" to "remote" translate to LAN address, the firewalls can ping each other, but this just doesn't seem right.

As a side note, I cannot ping the remote tunnel IPs, e.g. side A cannot ping the tunnel IP of side B and vice versa.



The source address selection algorithm will pick the address assigned to the interface that will be used to send the traffic.
In your case it will pick your WG interface address (192.168.100.1). So it works as intended, not a bug.
Do a packet capture to verify.

No need to add a NAT, just add a pass firewall rule on the other side for 192.168.100.x network.

I've got a any any firewall rule on both sides on the wireguard (group) interface.
What broader firewall rule am I supposed to create ?

Are 192.168.100.1/32 and 192.168.100.2/32, respectively, in the respective peer configuration under "Allowed IPs"?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Nope, the transfer net isn't in the allowed IPs, and of course this makes perfect sense, since WireGuard would just deny the tunnel IPs themselves.
I'll check that once I am onsite and report back.
Thanks.

I've added the transfer tunnel network into the allowed IPs on each peer, and voilà, everything works as expected.
Sorry for the noise, should have found that myself.

Thanks for your help @chemlud
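To make the two mechanisms behind this thread concrete (kernel source address selection picking the wg0 address, and WireGuard's cryptokey routing silently dropping a decrypted packet whose source is not in the sending peer's AllowedIPs), here is an added simulation. It is example code written for this page, not OPNsense or WireGuard code, and the topology (site A 10.0.0.0/24 with firewall 10.0.0.1 and tunnel address 192.168.100.1, site B 10.0.1.0/24 with firewall 10.0.1.1 and tunnel address 192.168.100.2) is constructed to mirror the posts above. The routing-table entries and the `make_site`, `ping` and other helper names are assumptions made for the example.

```python
import ipaddress

# Constructed topology mirroring the thread (example code, not OPNsense/WireGuard).
# Each site carries a small routing table of (prefix, interface, interface address)
# and the AllowedIPs list configured for the *other* site's peer entry.


def make_site(name, lan, fw_addr, wg_addr, remote_lan, allowed):
    return {
        "name": name,
        "routes": [
            (lan, "lan", fw_addr),
            ("192.168.100.0/24", "wg0", wg_addr),  # transfer net, directly connected
            (remote_lan, "wg0", wg_addr),          # route to the LAN behind the peer
        ],
        "allowed": [ipaddress.ip_network(n) for n in allowed],
    }


def lookup_route(site, dst):
    """Longest-prefix match over the site's routing table -> (interface, address)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, addr in site["routes"]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, addr)
    if best is None:
        raise ValueError(f"{site['name']}: no route to {dst}")
    return best[1], best[2]


def select_source(site, dst, explicit_src=None):
    """Default source selection: the egress interface's own address,
    unless the caller pins one (the equivalent of `ping -S`)."""
    if explicit_src is not None:
        return explicit_src
    _, addr = lookup_route(site, dst)
    return addr


def in_allowed(site, ip):
    """Cryptokey routing check: is this address covered by the peer's AllowedIPs?"""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in site["allowed"])


def ping(sender, receiver, dst, explicit_src=None):
    """Simulate an ICMP echo request from `sender` to `dst` over the tunnel.
    Returns (success, explanation)."""
    src = select_source(sender, dst, explicit_src)
    iface, _ = lookup_route(sender, dst)
    if iface != "wg0":
        return False, f"{dst} is not routed via wg0 on {sender['name']}"
    # Outbound: WireGuard only encrypts to a peer whose AllowedIPs cover dst.
    if not in_allowed(sender, dst):
        return False, f"dropped on {sender['name']}: dst {dst} not in peer AllowedIPs"
    # Inbound: after decryption the receiver discards any packet whose source is
    # outside the sending peer's AllowedIPs. This happens before the firewall
    # sees it, so nothing shows up in the firewall log.
    if not in_allowed(receiver, src):
        return False, f"dropped on {receiver['name']}: src {src} not in peer AllowedIPs"
    # The echo reply swaps src and dst, so the same two checks hold on the way back.
    return True, f"{src} -> {dst} ok"


# The configuration from the original post: only the remote LAN in AllowedIPs.
SITE_A = make_site("A", "10.0.0.0/24", "10.0.0.1", "192.168.100.1",
                   "10.0.1.0/24", ["10.0.1.0/24"])
SITE_B = make_site("B", "10.0.1.0/24", "10.0.1.1", "192.168.100.2",
                   "10.0.0.0/24", ["10.0.0.0/24"])

# The fix from the thread: add the peer's tunnel address to AllowedIPs on each side.
SITE_A_FIXED = make_site("A", "10.0.0.0/24", "10.0.0.1", "192.168.100.1",
                         "10.0.1.0/24", ["10.0.1.0/24", "192.168.100.2/32"])
SITE_B_FIXED = make_site("B", "10.0.1.0/24", "10.0.1.1", "192.168.100.2",
                         "10.0.0.0/24", ["10.0.0.0/24", "192.168.100.1/32"])

if __name__ == "__main__":
    print("ping 10.0.1.1            :", ping(SITE_A, SITE_B, "10.0.1.1"))
    print("ping -S 10.0.0.1 10.0.1.1:", ping(SITE_A, SITE_B, "10.0.1.1", "10.0.0.1"))
    print("ping 192.168.100.2       :", ping(SITE_A, SITE_B, "192.168.100.2"))
    print("after fix, ping 10.0.1.1 :", ping(SITE_A_FIXED, SITE_B_FIXED, "10.0.1.1"))
    print("after fix, ping tunnel IP:", ping(SITE_A_FIXED, SITE_B_FIXED, "192.168.100.2"))
```

Running it reproduces the thread: the plain `ping 10.0.1.1` is sourced from 192.168.100.1 and dropped on B, `-S 10.0.0.1` passes because 10.0.0.1 is inside 10.0.0.0/24, the remote tunnel IP is unreachable until it is in AllowedIPs, and adding the /32 transfer addresses on both peers makes every case pass without any outbound NAT.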