Is WireGuard blocking LAN NTP requests?

[ks]

Hello there.

I setup a bare metal OPNsense firewall/router for my home lab LAN, and is running fine with no particular issues.
The box is acting also as NTP server for the whole LAN, until the dedicated NTP+PTP and DHCP IPv4+IPv6 Kea servers will be operational.


All my outbound traffic, no exceptions, need to be routed through my VPN provider, so I enabled WireGuard and configured with Mullvad. It seems working correctly, according the Mullvad check leaks website.

And here the fun starts: after implementing WG the LAN clients cannot access anymore the OPNsense NTP server.
I wish all LAN clients NTP requests remain in the local LAN, no NTP requests should go outside, but I do not understand why this behaviour from WG.

All other LAN service are functional, just NTP is having issues.

Probably is a matter to set a rule in the firewall, but it shouldn't be done by WG?

Any help would be greatly appreciated.

[Patrick M. Hausen]

You have a firewall rule on LAN with WG as gateway, right? Please show that rule.

[ks]

There is one floating rule

[Patrick M. Hausen]

Change destination to "LAN net" with "destination invert" activated.

[ks]

Change destination to "LAN net" with "destination invert" activated.

It worked.

Thanks a lot Patrick for the quick and fast resolution.

[Patrick M. Hausen]

If you tell OPNsense to route destination "any" to the WG gateway it will do exactly as told. Including NTP queries or *anything*. Nothing WG specific here. How should WG know you want something different if you specifically tell the packet filter to do what it did?