English Forums > Virtual private networks
Wireguard connections bound to specific WAN interface
zemsten:
I'm having a bit of trouble setting up two WireGuard client connections with two different WAN interfaces.
I have WAN1 and WAN2, two independent connections to the internet. WAN2 generally has higher bandwidth and is the preferred connection in my gateway group for WAN_FAILOVER.
I have two WireGuard clients configured, WG_WAN1 and WG_WAN2. These connect to two separate endpoints. I want WG_WAN1 to only connect via WAN1 and WG_WAN2 to only connect via WAN2. So far I've achieved this by adding static routes to their endpoint IPs, defining which interface I want to route the traffic on.
Now normally this works great and everything functions as expected. The trouble I run into is when WAN2 goes down for any appreciable time and things failover to WAN1. Initially I see WG_WAN2 go down as expected, but if WAN2 stays down for a while, eventually WG_WAN2 will come back up, routed through WAN1. This is the part that I do not want to happen.
I do have default gateway switching turned on in the firewall, as I want traffic originated from it to handle a single WAN failure (for DNS). Everything else is policy routed through my gateway groups and works great. I believe that a static route should have precedence over discovered routes, but I may be wrong there.
I should also add that I'm running these WireGuard clients with their own assigned interfaces, if that wasn't obvious from context.
Am I missing a crucial element in how to bind a WG client to a particular WAN interface in a failover setup?
mimugmail:
Can you install the kmod pkg? Usually WireGuard uses the routing table to send packets, not pf. Maybe kmod helps here.
zemsten:
Sorry, I definitely should have mentioned that in my initial post as well. I am using the kmod implementation. That slipped my mind, as I've been using it basically the entire time I've been using WireGuard. 8)
mimugmail:
Can you try floating rules: source WAN address, source port WG, gateway WAN, outbound direction? Same for WAN2. I think the validation was removed some time ago.
zemsten:
This is a novel idea! I just got it setup and it hasn't broken anything, so I'll rock it for a while and see what happens. Thanks much, I appreciate all you do around here!
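As an added illustration of what the floating rules suggested above amount to once OPNsense renders them for pf (this is example configuration written for this page, not output from the thread or from the OPNsense project), assume WAN1 is em0 with address 203.0.113.10 and gateway 203.0.113.1, WAN2 is em1 with address 198.51.100.10 and gateway 198.51.100.1, and the two WireGuard instances listen on UDP 51820 (WG_WAN1) and 51821 (WG_WAN2). All interface names, addresses, ports and labels are placeholders. The rules have no "on" clause so that they match outbound packets on any interface, which is what lets route-to redirect a packet the kernel would otherwise have sent via the current default gateway:

```pf
# Added example, not OPNsense-generated ruleset. Placeholder addresses/ports.
# Packets that WG_WAN1 emits (source = WAN1 address, source port = its
# listen port) are policy-routed out WAN1 regardless of the kernel route.
pass out quick route-to (em0 203.0.113.1) inet proto udp \
    from 203.0.113.10 port 51820 to any keep state label "WG_WAN1 via WAN1"

# Same for WG_WAN2: pin it to WAN2 and its gateway.
pass out quick route-to (em1 198.51.100.1) inet proto udp \
    from 198.51.100.10 port 51821 to any keep state label "WG_WAN2 via WAN2"
```

To confirm the rules are active, `pfctl -sr | grep route-to` should list both entries with their labels. To check the behaviour the original post is worried about, take WAN2 down and watch `tcpdump -ni em0 udp port 51821`: no WG_WAN2 handshake packets should appear on em0. If packets do show up there with 203.0.113.10 as their source, the kernel has re-sourced the tunnel from the WAN1 address after the route change, and a rule keyed on the WAN2 source address will not match them; matching on the source port alone (dropping the source-address condition) is the variant to try in that case.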