Applying VLAN firewall rules to a WireGuard client

Started by JamieR007, August 28, 2025, 05:16:53 PM

August 28, 2025, 05:16:53 PM Last Edit: August 28, 2025, 05:23:39 PM by JamieR007
Hi,

I'm trying to make a WireGuard client behave like a device on an existing VLAN, i.e. subject to the same existing VLAN firewall rules (including inter-VLAN restrictions) without duplicating policy.

What I've tried:

WireGuard interface rules — pf only sees the outer UDP tunnel, so rules targeting specific inner IP/port combinations never match.

SNAT to a VLAN IP — makes the client appear as a VLAN host, but the firewall still evaluates rules on the WireGuard interface instead of the VLAN, so it doesn't defer to the VLAN rules.

Bridging WireGuard into the VLAN — technically difficult and unreliable, because WireGuard is L3-only and doesn't support true bridging.

Workaround options:

Enforce policy on each destination VLAN, using SNAT so the client looks like VLAN traffic.

Move the VLAN firewall policy into Floating rules with Quick mode, applying to both the VLAN and WireGuard interface — eliminating duplication.

Question:
Is there a cleaner, recommended approach in OPNsense to have WireGuard clients inherit VLAN firewall rules without rule duplication?

Thanks!

Any comments or suggestions greatly appreciated. Do others just create separate VLAN access rules for WireGuard clients? I'm trying to avoid duplication of these rules.

Thanks

Quote from: JamieR007 on August 28, 2025, 05:16:53 PM
"WireGuard interface rules — pf only sees the outer UDP tunnel, so rules targeting specific inner IP/port combinations never match."

Rules on the WireGuard interface group, or on a WireGuard interface if one is assigned, operate on the traffic inside the tunnel.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
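As an added illustration of the "Floating rules with Quick" option from the original post (this is hand-written pf rule syntax, not config generated by OPNsense and not code from either poster), the fragment below writes the VLAN policy once and applies it to both the VLAN interface and the WireGuard interface through a pf interface list. The interface names (vlan10, wg0) and the subnets are assumptions chosen for the example; on a real OPNsense box the VLAN and WireGuard interfaces, or the WireGuard interface group, would be substituted.

```pf
# Added example: one rule set shared by a VLAN and a WireGuard interface.
# Interface names and networks below are assumptions, not values from the thread.

vlan_if  = "vlan10"          # assumed VLAN interface
wg_if    = "wg0"             # assumed WireGuard tunnel interface
iot_net  = "192.168.20.0/24" # assumed IoT segment that clients must not reach
srv_net  = "192.168.30.0/24" # assumed server segment, HTTPS only

# "on { a b }" matches packets arriving on either interface, so the policy is
# written once instead of being duplicated per interface. The wg0 interface
# hands pf the decrypted packet, so the inner client IP/port is what the rules
# evaluate. "quick" stops evaluation at the first match, which is what the
# Quick option on an OPNsense floating rule does.

# Neither VLAN hosts nor WireGuard clients may reach the IoT segment
block in quick on { $vlan_if $wg_if } from any to $iot_net

# Only HTTPS is allowed into the server segment
pass in quick on { $vlan_if $wg_if } inet proto tcp from any to $srv_net port 443

# Everything else entering from these two interfaces is dropped
block in quick on { $vlan_if $wg_if }
```

Because the rules filter on the inner (decrypted) packet, no SNAT is needed for this variant; a WireGuard client and a VLAN host hitting the same rule are distinguished only by the interface they arrive on, which the interface list deliberately ignores.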