I don't understand Step 9 of 'WireGuard Selective Routing to external provider'

Started by 134, June 23, 2023, 01:51:36 PM

Hello,

I've got my selective routing up and running for a while with just 2 tunnels to Mullvad. I followed this official documentation:

https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

What I don't understand is the purpose of Step 9 with that Floating rule. My setup doesn't seem to be affected with or without that rule. Can somebody explain to me what it does? I consider myself pretty familiar with firewall rules, but with a Floating rule not selecting any interface I don't understand. Besides that, the pfSense guide does not have that step, which is even weirder to me.

Also, I have 2 tunnels, each with both IPv4 and IPv6 gateways. Does that mean I need a total of 4 of those floating rules for 4 gateways?

Thanks!

Quote: What I don't understand is the purpose of Step 9 with that Floating rule.
Looks to me that step 9 is for routing traffic from WG address to WG network via WG gateway. IMO it's unnecessary because such a route will be auto-created when we configure a tunnel gateway nowadays.
For example, this is an excerpt from my routing table:
10.2.1.0/31        link#21            U           wg4
10.2.1.1           link#21            UHS         lo0

The route to my WG network (10.2.1.0/31) was auto-created correctly using a -net route on the wg iface.
My guess is that step 9 is from an old guide from when we still needed to manually create such a rule. It's not needed anymore.

Quote: but with a Floating rule not selecting any interface I don't understand
When we don't select any interface in floating rule it means the rule applies to all interfaces.


Quote from: zan on June 23, 2023, 04:00:53 PM
Looks to me that step 9 is for routing traffic from WG address to WG network via WG gateway. IMO it's unnecessary because such a route will be auto-created when we configure a tunnel gateway nowadays.
For example, this is an excerpt from my routing table:

That's not what I'm seeing, this is all WireGuard routing info when following the guide, including disabling routes and adding a gateway instead, which is needed for selective routing:

10.64.0.1          10.66.165.1        UGHS        wg1
10.66.165.1        link#19            UHS         wg1
10.66.165.89       link#19            UH          lo0


10.66.165.89/32 = interface address as supplied by external VPN provider
10.66.165.1 = IP of VPN gateway created through System - Gateways - Single, for selective routing purposes
10.64.0.1 = next hop for VPN connections for gateway monitoring purposes (the Monitor IP set on the above gateway)

What did you do that caused the /31 route to appear?

I guess this route gets added when setting an IP on the VPN interface itself, which is not what the guide tells you to do (both IPv4 and IPv6 on None).
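The disagreement above comes down to which entry the kernel actually picks for a given WireGuard address, so here is an added example (my own code, not from this thread, the OPNsense docs or the project) that does a longest-prefix-match lookup over the two routing-table excerpts quoted in this thread. The table text, interface names and addresses are copied from the posts and embedded as constructed sample input; the function names are my own. It shows that in zan's table the /31 interface route carries the whole WG network on wg4, while in Sfynx's table only the explicit host routes exist, so an address like the guide's "tunnel address minus 1" has no route at all unless something (the gateway entry or a rule) supplies one.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample input: the routing-table excerpts quoted in this thread,
# in the FreeBSD "netstat -rn" column layout (destination, gateway, flags, iface).
ZAN_TABLE = """\
10.2.1.0/31        link#21            U           wg4
10.2.1.1           link#21            UHS         lo0
"""

SFYNX_TABLE = """\
10.64.0.1          10.66.165.1        UGHS        wg1
10.66.165.1        link#19            UHS         wg1
10.66.165.89       link#19            UH          lo0
"""


@dataclass
class Route:
    dest: ipaddress._BaseNetwork  # a bare address becomes a /32 (or /128) host route
    gateway: str                  # next-hop IP, or "link#N" for a directly attached route
    flags: str                    # e.g. U, UH, UGHS
    iface: str


def parse_routes(text: str) -> list[Route]:
    """Parse netstat -rn style lines into Route objects; skips malformed lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, gateway, flags, iface = parts[:4]
        if dest == "default":
            dest = "0.0.0.0/0"
        # strict=False tolerates host bits set in a prefix; an address without a
        # prefix length is treated as a host route, exactly as the kernel does.
        routes.append(Route(ipaddress.ip_network(dest, strict=False), gateway, flags, iface))
    return routes


def lookup(routes: list[Route], ip: str):
    """Longest-prefix match: the most specific entry containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for r in routes:
        # 'in' returns False across IPv4/IPv6 versions, so mixed tables are fine.
        if addr in r.dest and (best is None or r.dest.prefixlen > best.dest.prefixlen):
            best = r
    return best


def leaves_via(routes: list[Route], ip: str, wg_iface: str) -> bool:
    """True if traffic to ip is sent out wg_iface (directly or via a gateway on it)."""
    r = lookup(routes, ip)
    return r is not None and r.iface == wg_iface


if __name__ == "__main__":
    for name, table, probes in (
        ("zan", ZAN_TABLE, ["10.2.1.0", "10.2.1.1"]),
        ("Sfynx", SFYNX_TABLE, ["10.64.0.1", "10.66.165.1", "10.66.165.88"]),
    ):
        routes = parse_routes(table)
        for ip in probes:
            r = lookup(routes, ip)
            print(f"{name}: {ip} -> {r.dest} via {r.gateway} on {r.iface}" if r else f"{name}: {ip} -> no route")
```

Run it against the output of `netstat -rn` on your own box to see which entry a WG peer or gateway address resolves to; if the lookup returns None for the gateway IP you configured in System > Gateways, the selective-routing policy has nothing to hand the packet to, which is the situation a route or rule such as step 9 would have been covering.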

Quote from: Sfynx on July 11, 2023, 11:01:25 PM
Quote from: zan on June 23, 2023, 04:00:53 PM
Looks to me that step 9 is for routing traffic from WG address to WG network via WG gateway. IMO it's unnecessary because such a route will be auto-created when we configure a tunnel gateway nowadays.
For example, this is an excerpt from my routing table:

That's not what I'm seeing, this is all WireGuard routing info when following the guide, including disabling routes and adding a gateway instead, which is needed for selective routing:

10.64.0.1          10.66.165.1        UGHS        wg1
10.66.165.1        link#19            UHS         wg1
10.66.165.89       link#19            UH          lo0


10.66.165.89/32 = interface address as supplied by external VPN provider
10.66.165.1 = IP of VPN gateway created through System - Gateways - Single, for selective routing purposes
10.64.0.1 = next hop for VPN connections for gateway monitoring purposes (the Monitor IP set on the above gateway)

What did you do that caused the /31 route to appear?

If I stick to the guide in the documentation, the gateway IP would be 10.66.165.88 in your case (tunnel address minus 1). Also, the Far gateway checkbox must be ticked, otherwise that gateway IP cannot be set because it's out of range. It appears that this Gateway IP can be pretty much anything and the OPNsense guide chose the minus 1 tip for convenience.

I don't have 10.66.165.1 or 10.64.0.1 in the route table of OPNsense, but I have 10.66.165.88 because I followed that minus 1 tip.

I don't have that step 9 and selective routing is working; that's why I created this post for more information. I suspected that step was actually useful.

Have you tried 10.64.0.1 as Gateway IP and tunnel address as 10.66.165.89/10? This allows us to untick the Far gateway option.