[SOLVED] Wireguard site to site works, but firewalls cannot ping eachother
deajan, February 22, 2024, 05:07:58 pm:
Hello,
I've set up a WireGuard site-to-site tunnel between two OPNsense 24.1.2_1 instances.
So far so good: the tunnel is up, and firewall rules allow any IPv4 traffic on the "Wireguard (Group)" interfaces.
From any computer on site A (10.0.0.0/24) I can ping any computer on site B (10.0.1.0/24) and from B to A, so everything looks good.
But ping (and other protocols) doesn't work from the firewall itself, e.g. OPNsense A (10.0.0.1) to OPNsense B (10.0.1.1), nor does it work from OPNsense B to OPNsense A.
Now the strange part is, if I happen to add the OPNsense source IP to the ping, e.g. `ping -S 10.0.0.1 10.0.1.1`, the ping works.
I'm a bit puzzled here.
The routing tables look good (10.0.1.0/24 via wg0 on OPNsense A and 10.0.0.0/24 via wg0 on OPNsense B).
It looks like the originating IP isn't good when running ping from OPNsense.
So basically, from OPNsense A:
`ping 10.0.1.1` does not work
`ping -S 10.0.0.1 10.0.1.1` works
Why do I need to specify the source IP when trying to ping the other firewall?
I need the firewalls to be able to speak with each other (for DNS resolution); how can I achieve this?
Looks like a bug to me.
Best regards.
PS: I've verified (multiple times) my config according to the docs.
Any idea is welcome ^^
PS2: Shall I configure an outgoing NAT rule? Doesn't ring right to me.
meyergru, Reply #1, February 22, 2024, 05:20:01 pm:
What did you specify for the tunnel network? The two subnets are disjoint, so there must be a separate network between them. When you use a ping to reach the other side, it is probably the tunnel IP that is the default for the ping. Be careful to have that subnet not overlap one of the others.
WireGuard also wants you to specify which IP ranges are allowed to pass the tunnel; on either side you have to specify the tunnel IP of the other OPNsense plus the network behind it. Otherwise, packets will be blocked, but you cannot see that in the firewall logs. So "firewall rules allow any IPv4 traffic" will not suffice.
deajan, Reply #2, February 22, 2024, 05:33:26 pm:
The tunnel network is outside of the site networks, e.g. the addresses are 192.168.100.1/24 and 192.168.100.2/24.
Allowed networks are 10.0.0.0/24 on site B and 10.0.1.0/24 on site A.
I don't have any blocked traffic, and every "non-firewall" IP can happily communicate with every remote IP.
It's only the two firewalls that cannot ping each other.
If I happen to set up an outgoing NAT rule "this firewall" to "remote", translated to the LAN address, the firewalls can ping each other, but this just doesn't seem right.
As a side note, I cannot ping the remote tunnel IPs, e.g. side A cannot ping the tunnel IP of side B and vice versa.
zan, Reply #3, February 23, 2024, 03:09:25 pm:
The source address selection algorithm will pick the address assigned to the interface that will be used to send the traffic.
In your case it will pick your WG interface address (192.168.100.1). So it works as intended, not a bug.
Do a packet capture to verify.
No need to add a NAT; just add a pass firewall rule on the other side for the 192.168.100.x network.
deajan, Reply #4, February 23, 2024, 03:13:04 pm:
I've got an any/any firewall rule on both sides on the WireGuard (group) interface.
What broader firewall rule am I supposed to create?
chemlud, Reply #5, February 23, 2024, 03:18:29 pm:
Are 192.168.100.1/32 and 192.168.100.2/32, respectively, in the respective peer configuration under "Allowed IPs"?
deajan, Reply #6, February 23, 2024, 03:24:38 pm:
Nope, the transfer net isn't in the allowed IPs, and of course this makes perfect sense, since WireGuard would just deny the tunnel IPs themselves.
I'll check that once I am on site and report back.
Thanks.
deajan, Reply #7, February 27, 2024, 10:58:26 am:
I've added the transfer tunnel network to the allowed IPs on each peer, and voilà, everything works as expected.
Sorry for the noise; I should have found that myself.
Thanks for your help @chemlud
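The mechanism behind zan's and chemlud's replies, and behind the fix in the last post, is WireGuard's cryptokey routing: a peer's Allowed IPs is not only a route table for outbound packets but also the filter applied to the inner source address of every decrypted packet, and a miss in either direction is a silent drop that never reaches the pf rules on the WireGuard interface. The following is an added example, not OPNsense or WireGuard code, that models the thread's two-site setup with the addresses given above (10.0.0.0/24, 10.0.1.0/24, transfer net 192.168.100.0/24) and traces an echo request and reply through both checks. It assumes FreeBSD-style source address selection (the egress interface's own address unless `ping -S` overrides it); the class and function names are hypothetical.

```python
"""WireGuard cryptokey routing, modelled on the thread's two-site setup.

Added example, not OPNsense or WireGuard code. Addresses are those given in
the thread; Firewall, build_sites and trace_ping are hypothetical names.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass
class Firewall:
    name: str
    lan_addr: IPv4Address           # address on the LAN interface
    lan_net: IPv4Network
    wg_addr: IPv4Address            # address on wg0 (transfer network)
    wg_net: IPv4Network
    remote_lan: IPv4Network         # static route: remote LAN via wg0
    allowed_ips: list[IPv4Network]  # "Allowed IPs" configured for the single remote peer

    def lookup(self, dst: IPv4Address) -> Optional[tuple[str, IPv4Address]]:
        """Longest-prefix match over the routing table. Returns (egress interface,
        source address): the kernel uses the egress interface's own address unless
        the sender overrides it (ping -S)."""
        table = [
            (self.lan_net, "lan", self.lan_addr),
            (self.wg_net, "wg0", self.wg_addr),
            (self.remote_lan, "wg0", self.wg_addr),
        ]
        hits = [r for r in table if dst in r[0]]
        if not hits:
            return None
        _, iface, src = max(hits, key=lambda r: r[0].prefixlen)
        return iface, src

    def allowed(self, addr: IPv4Address) -> bool:
        """WireGuard consults AllowedIPs twice: outbound, a packet is encrypted for
        the peer only if its destination is covered; inbound, a decrypted packet is
        accepted only if its inner source is covered. Either miss is a silent drop."""
        return any(addr in net for net in self.allowed_ips)


def build_sites(transfer_net_allowed: bool) -> tuple[Firewall, Firewall]:
    """Both firewalls as described in the thread. With transfer_net_allowed=True the
    other side's tunnel address is added to AllowedIPs, which is the fix found."""
    a_allowed = [ip_network("10.0.1.0/24")]
    b_allowed = [ip_network("10.0.0.0/24")]
    if transfer_net_allowed:
        a_allowed.append(ip_network("192.168.100.2/32"))
        b_allowed.append(ip_network("192.168.100.1/32"))
    a = Firewall("OPNsense A", ip_address("10.0.0.1"), ip_network("10.0.0.0/24"),
                 ip_address("192.168.100.1"), ip_network("192.168.100.0/24"),
                 ip_network("10.0.1.0/24"), a_allowed)
    b = Firewall("OPNsense B", ip_address("10.0.1.1"), ip_network("10.0.1.0/24"),
                 ip_address("192.168.100.2"), ip_network("192.168.100.0/24"),
                 ip_network("10.0.0.0/24"), b_allowed)
    return a, b


def trace_ping(a: Firewall, b: Firewall, dst: str, src: Optional[str] = None) -> str:
    """Follow an echo request from a to dst (an address of b or a host behind it)
    and the echo reply back. Returns "ok" or the point where the packet is lost."""
    dst_ip = ip_address(dst)
    route = a.lookup(dst_ip)
    if route is None or route[0] != "wg0":
        return f"{a.name}: {dst_ip} is not routed over wg0"
    src_ip = ip_address(src) if src else route[1]   # ping -S vs. automatic selection
    if not a.allowed(dst_ip):
        return f"{a.name}: outbound dst {dst_ip} not in AllowedIPs, dropped"
    if not b.allowed(src_ip):
        return f"{b.name}: inbound src {src_ip} not in AllowedIPs, dropped"
    # Echo reply: its destination is src_ip and its inner source is dst_ip, so the
    # reply's AllowedIPs checks on b and a are the mirror of the two just passed;
    # only the return route can still fail.
    back = b.lookup(src_ip)
    if back is None or back[0] != "wg0":
        return f"{b.name}: no wg0 route back to {src_ip}"
    return "ok"


if __name__ == "__main__":
    for fixed in (False, True):
        a, b = build_sites(fixed)
        print("transfer net in AllowedIPs:", fixed)
        print("  ping 10.0.1.1              ->", trace_ping(a, b, "10.0.1.1"))
        print("  ping -S 10.0.0.1 10.0.1.1  ->", trace_ping(a, b, "10.0.1.1", "10.0.0.1"))
        print("  ping 192.168.100.2         ->", trace_ping(a, b, "192.168.100.2"))
        print("  10.0.0.50 -> 10.0.1.50     ->", trace_ping(a, b, "10.0.1.50", "10.0.0.50"))
```

Without the transfer net in Allowed IPs the model reproduces every symptom reported above: a plain `ping 10.0.1.1` from A leaves with source 192.168.100.1 and is discarded by B after decryption, `ping -S 10.0.0.1` passes because 10.0.0.1 is inside 10.0.0.0/24, pinging the remote tunnel address is dropped on A before it is even encrypted (the side note in Reply #2), and LAN hosts are unaffected. Adding the peer's /32 tunnel address on each side makes all four cases succeed. On a real OPNsense box the equivalent check is the peer's "Allowed IPs" field, or `wg show wg0 allowed-ips` from a shell; the outgoing NAT workaround only masks the problem by rewriting the source to an address that happens to be covered.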