WireGuard keeps wrecking my IPv4 routing

Started by dmho, December 19, 2024, 08:44:42 PM

Hi, I have a rather weird issue. I first thought I might have messed up some config or there was some kind of issue with the storage device—but now that it has happened a second time, I got curious what could be up here.

The problem: "Suddenly" (I'll get to that) all IPv4 routing inside the LAN network, and the LAN network only, stops working. Other networks (Guest and IoT in this case) are unaffected and can still communicate inside the network and outside to the internet via NAT. If I send packages from outside into the LAN network, the firewall logs them as PASS and they are subsequently nowhere to be found. If I send packages from one LAN client to another, they also get lost in the OPNsense.
IPv6, however, continues to work just fine.

Regarding the "suddenly": The first time, I did some config changes to a Wireguard site-to-site connection (allowing another subnet through the tunnel) and, after that, also installed the pending updates (iirc, 24.7.9 -> 24.7.10). After the reboot from the update, I noticed that my IPv4 connectivity was down. I blamed the update, because I reverted the WG config changes right after I realized that the v4 routing was broken, and my first thought was that I had somehow created some kind of routing black hole with my WG config.

After lots of troubleshooting, numerous pcaps, really verbose firewall inspection and a downgrade back to 24.7.9, I gave up for the night. On the next morning, I flashed a USB flash drive with a live image of OPNsense 24.7.9, booted it and selected the config importer. After importing the config, my firewall came right up, with full working v4 connectivity. Then, I restored the changes I made to the WG config earlier, with no effects to the routing this time, and came to the conclusion that it must have been some kind of corruption in the base system. So I reflashed the router, imported the config and went along fine for a few weeks.

Today, "suddenly", the issue came right back up. As you might have guessed, I did another WG config change (adding another site-to-site WG connection). After applying it, I was back with the exact same issue—no v4 routing possible for the LAN subnet. So I started the live system from a few weeks ago, imported the current config, and the v4 routing was right back working.


I am completely clueless about what the underlying reason could be; my only guess right now is that it must be connected to something in the Wireguard setup process (possibly the part that generates and registers the routes from the allowed IPs section). I would really appreciate any tips or approaches for further investigation!


Thanks, Karl

Would you mind posting your configs without the keys?

Quote from: Aerowinder on December 19, 2024, 09:36:58 PM
Would you mind posting your configs without the keys?

Hi! Is there a way to do this easily? Like Mikrotik's /export hide-sensitive

Copy and paste the configuration, replace the keys with e.g. ***** - done.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: dmho on December 19, 2024, 08:44:42 PM

Have you set the WireGuard interface address to the same as the LAN's? I found out that this breaks IPv4 routing on the new kernel but not on the old ones.
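Both hypotheses raised in this thread (a WireGuard interface address that sits inside the LAN subnet, and an AllowedIPs entry that generates a tunnel route covering the LAN) are easy to check before applying a config. The following is an added example, not code from the thread or from OPNsense: it parses a wg-quick style [Interface]/[Peer] text and flags either kind of overlap for IPv4 and IPv6. The sample config and the LAN prefixes are constructed for illustration.

```python
import ipaddress

# Constructed sample: the tunnel reuses the LAN gateway address (192.168.1.1)
# and the first peer's AllowedIPs covers the whole LAN, which would route LAN
# traffic into the tunnel. The IPv6 address is deliberately outside the LAN.
SAMPLE_WG_CONF = """
[Interface]
Address = 192.168.1.1/24, fd00:2::1/64
ListenPort = 51820

[Peer]
# site-to-site
AllowedIPs = 10.20.0.0/24, 192.168.1.0/24
Endpoint = remote.example:51820

[Peer]
AllowedIPs = 10.30.0.0/24
"""

LAN_PREFIXES = ["192.168.1.0/24", "fd00:1::/64"]  # assumed LAN subnets (constructed)


def _nets(value):
    """Split a comma-separated Address/AllowedIPs value into ip_interface objects."""
    return [ipaddress.ip_interface(v.strip()) for v in value.split(",") if v.strip()]


def parse_wg_conf(text):
    """Return (interface addresses, [AllowedIPs networks per peer]) from wg-quick text."""
    addrs, peers, section = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            if section == "peer":
                peers.append([])
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if section == "interface" and key == "address":
            addrs.extend(_nets(value))
        elif section == "peer" and key == "allowedips":
            peers[-1].extend(n.network for n in _nets(value))
    return addrs, peers


def find_conflicts(conf_text, lan_prefixes):
    """Flag interface addresses inside a LAN prefix and AllowedIPs overlapping it."""
    findings = []
    addrs, peers = parse_wg_conf(conf_text)
    for lan in (ipaddress.ip_network(p) for p in lan_prefixes):
        for a in addrs:
            if a.version == lan.version and a.ip in lan:
                findings.append(("interface-address-in-lan", str(a), str(lan)))
        for idx, nets in enumerate(peers):
            for n in nets:
                if n.version == lan.version and n.overlaps(lan):
                    findings.append(("allowedips-overlaps-lan", f"peer{idx}:{n}", str(lan)))
    return findings
```

Run `find_conflicts(open("wg0.conf").read(), ["<your LAN prefix>"])` against an exported tunnel config; an empty list means neither overlap is present.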