Having Difficulty Routing within WG Network

I have the following setup – which is basically a site-to-site WG VPN defined between two remote sites using pfSense on both sides of the tunnel.

I’m not even sure it’s possible, but I’m trying to route a connection (ICMP) from a Remote Client (10.1.0.200/23) to the ATT Modem at 192.168.50.254.32.

I’m not sure how exactly to do this. My Remote Client (10.1.0.200/23) can reach every other LAN device at 10.0.0.0/23, including both pfSense instances (10.1.0.1/23 and 10.0.1.1/23).

I’ve tried to further debug the problem by SSHing into the pfSense router at 10.1.0.1 and then trying to ping 192.168.50.254; however, I get “network unreachable”.

I have a static route defined on pfSense (10.1.0.1/23) for 192.168.50.0/24 to go across the WG tunnel. On the remote pfSense (10.0.1.1/23) I have another static route defined for 192.168.50.0/24 to leave the WAN interface.

In terms of firewall rules, there are open rules (default) IPv4+6 * * * * on the WG tunnel on both sides of the tunnel. I’m not sure if I need another rule somewhere else. It’s really confusing me how to debug this. I’ve tried traceroute, but that isn’t really getting me anywhere.

I did discover the mtr tool (ping plus traceroute) – here is what I’m getting from a Remote Client on the 10.1.0.0/23 network:

(10.1.0.113) -> 192.168.50.254 (192.168.50.254)                   2025-03-08T08:19:31-0600
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                                                        Packets               Pings
 Host                                                                 Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 10.1.0.1                                                           0.0%    83    5.7   4.9   2.8  11.2   1.6
 2. 10.99.210.1                                                        0.0%    83   41.6  40.6  36.9  45.6   1.8
 3. (waiting for reply)

So it’s hitting the WG tunnel and then isn’t going anywhere.

As a comparison, if I run a similar test with a local client trying to reach 10.0.5.0/24, which is the network on the other end of the WG tunnel, I get the following:

(10.1.0.113) -> 10.0.5.99 (10.0.5.99)                             2025-03-08T08:29:39-0600
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                                                        Packets               Pings
 Host                                                                 Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 10.1.0.1                                                           0.0%     6    3.7   3.6   2.9   4.2   0.5
 2. 10.99.210.1                                                        0.0%     5   37.9  39.1  37.9  42.9   2.1
 3. 10.0.5.99                                                          0.0%     5   39.5  41.6  39.5  44.5   2.1

Sounds like you have the static route, but also make sure you follow how I set up the interfaces for WireGuard in pfSense.

In my example I’ve tried to set up split DNS routing, but with one of the destination routes sitting on the other side of the remote WAN interface. If the routes (untagged, tagged VLANs) are on the LAN side of the remote peer, everything routes appropriately. I’ve read in the documentation that pfSense treats WAN-defined interfaces differently than LAN interfaces as there is NAT involved. Do you think I need policy-based routing set up on the remote client in order to make this work? I’m really stuck on where to start with this one. I’ve watched your video and it’s very helpful, but it only covers connected peers and split DNS reaching peer-defined LANs, not a network on the other side of the WAN.
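The two things the thread keeps circling back to are the static routes across the tunnel (the original post) and the NAT on the remote WAN side (the follow-up above). The script below is an added example, not code from the thread, from pfSense or from the video mentioned; it models the forwarding decisions a packet meets on the path in the post so that each check can be tested offline: longest-prefix route lookup on each pfSense box, WireGuard's cryptokey routing (a destination must be inside the peer's AllowedIPs on the sending side, and the source inside the peer's AllowedIPs on the receiving side, regardless of what the static route table says), and the reply path from the target. The client, LAN, tunnel and modem addresses come from the post; the AllowedIPs lists, interface names, site B's WAN address (192.168.50.10) and the modem's route table are assumptions chosen to show each case, and which of these checks actually fails on the real boxes is something only the poster can confirm there.

```python
# Added example (not from the thread, pfSense or WireGuard): a small model of the
# forwarding decisions along the path in the post, so that each check a
# practitioner would make can be tested offline.  Client, LAN, tunnel and modem
# addresses are taken from the post; the AllowedIPs lists, interface names,
# site B's WAN address (192.168.50.10) and the modem's routes are ASSUMPTIONS.
import ipaddress

TOWARD_PFSENSE_B = "to_pfsense_b"  # label for a reply path that leads back to site B


def net(prefix):
    return ipaddress.ip_network(prefix)


class Node:
    """One router (pfSense box, modem or LAN host): a static route table, plus for
    a pfSense box the WireGuard peer's AllowedIPs and its WAN outbound-NAT state."""

    def __init__(self, name, routes, wg_peer_allowed=(), nat_on_wan=False, wan_addr=None):
        self.name = name
        self.routes = [(net(p), iface) for p, iface in routes]
        self.wg_peer_allowed = [net(p) for p in wg_peer_allowed]
        self.nat_on_wan = nat_on_wan
        self.wan_addr = wan_addr

    def lookup(self, addr):
        """Longest-prefix match like the kernel FIB; None means no route at all."""
        a = ipaddress.ip_address(addr)
        matches = [(p, i) for p, i in self.routes if a in p]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

    def wg_allows(self, addr):
        """WireGuard cryptokey routing: a packet is sent to a peer only if its
        destination is in that peer's AllowedIPs, and a packet from a peer is
        accepted only if its source is.  A static route alone is not enough."""
        a = ipaddress.ip_address(addr)
        return any(a in p for p in self.wg_peer_allowed)


def trace(src, dst, site_a, site_b, target):
    """Forward a packet src->dst through site A, the tunnel and site B, then check
    that the target can route its reply back.  Returns (status, hop notes)."""
    hops = []
    out_a = site_a.lookup(dst)
    hops.append(f"{site_a.name}: {dst} via {out_a}")
    if out_a != "wg0":
        return "not routed into the tunnel at site A", hops
    if not site_a.wg_allows(dst):
        return "dropped at site A: dst outside peer B AllowedIPs", hops
    if not site_b.wg_allows(src):
        return "dropped at site B: src outside peer A AllowedIPs", hops
    out_b = site_b.lookup(dst)
    hops.append(f"{site_b.name}: {dst} via {out_b}")
    if out_b is None:
        return "dropped at site B: no route", hops
    # Reply path: without outbound NAT on site B's WAN the modem sees a 10.x source
    # it has no specific route for, so its echo reply follows its default route.
    reply_to = site_b.wan_addr if (out_b == "wan" and site_b.nat_on_wan) else src
    back = target.lookup(reply_to)
    hops.append(f"{target.name}: reply to {reply_to} via {back}")
    if back != TOWARD_PFSENSE_B:
        return "reply lost: target has no path back to the source", hops
    return "reachable", hops


def run(dst, allowed_at_a, nat_on_wan, src="10.1.0.200"):
    """Build the two-site topology from the post under the given assumptions
    and trace one ICMP echo from the remote client to dst."""
    site_a = Node("pfSense-A 10.1.0.1",
                  [("10.1.0.0/23", "lan"), ("10.0.0.0/23", "wg0"),
                   ("10.0.5.0/24", "wg0"), ("192.168.50.0/24", "wg0")],
                  wg_peer_allowed=allowed_at_a)
    site_b = Node("pfSense-B 10.0.1.1",
                  [("10.0.0.0/23", "lan"), ("10.0.5.0/24", "lan"),
                   ("10.1.0.0/23", "wg0"), ("192.168.50.0/24", "wan")],
                  wg_peer_allowed=["10.1.0.0/23"],   # assumption: peer A's AllowedIPs at B
                  nat_on_wan=nat_on_wan, wan_addr="192.168.50.10")  # assumed WAN address
    modem = Node("ATT modem 192.168.50.254",   # assumed routes: its LAN, then the ISP
                 [("192.168.50.0/24", TOWARD_PFSENSE_B), ("0.0.0.0/0", "isp_upstream")])
    lan_host = Node("host 10.0.5.99",          # assumed: default gateway is pfSense-B
                    [("10.0.5.0/24", "local"), ("0.0.0.0/0", TOWARD_PFSENSE_B)])
    target = modem if ipaddress.ip_address(dst) in net("192.168.50.0/24") else lan_host
    return trace(src, dst, site_a, site_b, target)


if __name__ == "__main__":
    full = ["10.0.0.0/23", "10.0.5.0/24", "192.168.50.0/24"]
    partial = ["10.0.0.0/23", "10.0.5.0/24"]
    for label, dst, allowed, nat in [
        ("AllowedIPs missing the modem subnet", "192.168.50.254", partial, False),
        ("AllowedIPs complete, no outbound NAT on WAN", "192.168.50.254", full, False),
        ("AllowedIPs complete, outbound NAT on WAN", "192.168.50.254", full, True),
        ("working comparison from the post", "10.0.5.99", partial, False),
    ]:
        status, hops = run(dst, allowed, nat)
        print(f"{label}: {status}")
        for h in hops:
            print("   ", h)
```

Running it prints one line per scenario: the first stops at site A because the modem subnet is missing from the peer's AllowedIPs, the second gets through both boxes but the modem's reply follows its default route away from pfSense, the third succeeds because outbound NAT rewrites the source to an address on the modem's own LAN, and the fourth reproduces the three-hop working comparison in the post. On a real pfSense box the same three checks correspond to `netstat -rn` (route table), the peer's AllowedIPs in the WireGuard status page, and the outbound NAT rules for the WAN interface.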