No static IP devices visible on Wireguard site to site VPN

pwm802 · November 30, 2024, 11:46pm

Hi,
Noob question, I just setup a Wireguard site to site VPN tunnel following the Netgate example and I can see all remote devices that are using static DHCP but I cannot see 3 devices that have static IPs on the remote LAN. The remote pfSense VM has a static IP of 192.168.x.1 and it is visible.

Is that unusual or is there something else I need to add to routes or rules?

xMAXIMUSx · December 1, 2024, 2:01am

When you setup your static routes did you include the entire subnet of your LAN? Also, double check firewall rules. Screenshots would help.

pwm802 · December 1, 2024, 8:44pm

I’ll post the configurations of the both sites.

pwm802 · December 1, 2024, 8:53pm

Here are screen captures of the wireguard configuration of two sites. I could only upload 1 image at a time.

pwm802 · December 1, 2024, 8:54pm

pwm802 · December 1, 2024, 8:55pm

pwm802 · December 1, 2024, 8:56pm

pwm802 · December 1, 2024, 8:56pm

pwm802 · December 1, 2024, 8:57pm

pwm802 · December 1, 2024, 8:58pm

pwm802 · December 1, 2024, 8:58pm

pwm802 · December 1, 2024, 8:59pm

pwm802 · December 3, 2024, 10:28pm

@xMAXIMUSx I think the static route covers the entire subnet. Do you see anything wrong with the configuration that would exclude the static IPs? If I could set my ICX6450 to use DHCP for the GUI, this would be just a curiosity.

xMAXIMUSx · December 3, 2024, 11:51pm

What did you set for the firewall rules on the wireguard interface on both sides?

pwm802 · December 4, 2024, 1:08am

There are no rules defined for the wireguard interfaces.

xMAXIMUSx · December 4, 2024, 1:17am

You might want to look at the documentation for site to site configuration example. But look at the firewall rules section here.

https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-s2s.html#firewall-rules

pwm802 · December 4, 2024, 2:50am

I misspoke, I do have pass rules at both sites for their respective interfaces. I do not have any rules for the Wireguard tab.

pwm802 · December 5, 2024, 6:09pm

@xMAXIMUSx sorry for misunderstanding the question. The VPN tunnel was previously functioning. Network shares, SSH and ICMP work fine for the most clients between both LAN networks (192.168.1.0/24, 192.16815.0/24).

This remote client responds as expected:

pwm@WX-debian12-vm:~$ ping 192.168.15.31
PING 192.168.15.31 (192.168.15.31) 56(84) bytes of data.
64 bytes from 192.168.15.31: icmp_seq=1 ttl=253 time=40.1 ms
64 bytes from 192.168.15.31: icmp_seq=2 ttl=253 time=66.2 ms
64 bytes from 192.168.15.31: icmp_seq=3 ttl=253 time=89.1 ms
64 bytes from 192.168.15.31: icmp_seq=4 ttl=253 time=110 ms

pwm@WX-debian12-vm:~$ traceroute 192.168.15.31
traceroute to 192.168.15.31 (192.168.15.31), 30 hops max, 60 byte packets
 1  pfSense.home.arpa (192.168.1.1)  0.316 ms  0.304 ms  0.288 ms
 2  10.100.90.1 (10.100.90.1)  5.048 ms  5.031 ms  5.014 ms
 3  192.168.15.31 (192.168.15.31)  200.205 ms  201.840 ms  203.672 ms

pwm@WX-debian12-vm:~$ nmap -p80,8080 192.168.15.31
Starting Nmap 7.93 ( https://nmap.org ) at 2024-12-05 09:38 PST
Nmap scan report for 192.168.15.31
Host is up (0.063s latency).

PORT     STATE  SERVICE
80/tcp   open   http
8080/tcp closed http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

But this client does not respond to trace route but I can access it’s configuration webpage:

pwm@WX-debian12-vm:~$ ping 192.168.15.22
PING 192.168.15.22 (192.168.15.22) 56(84) bytes of data.
64 bytes from 192.168.15.22: icmp_seq=1 ttl=62 time=5.78 ms
64 bytes from 192.168.15.22: icmp_seq=2 ttl=62 time=7.84 ms
64 bytes from 192.168.15.22: icmp_seq=3 ttl=62 time=7.08 ms

pwm@WX-debian12-vm:~$ traceroute 192.168.15.22
traceroute to 192.168.15.22 (192.168.15.22), 30 hops max, 60 byte packets
 1  pfSense.home.arpa (192.168.1.1)  0.336 ms  0.321 ms  0.306 ms
 2  10.100.90.1 (10.100.90.1)  5.243 ms  5.230 ms  5.218 ms
 3  * * *
 4  * * *
 5  * * *
...
29  * * *
30  * * *

pwm@WX-debian12-vm:~$ nmap -p80,8080 192.168.15.22
Starting Nmap 7.93 ( https://nmap.org ) at 2024-12-05 09:37 PST
Nmap scan report for 192.168.15.22
Host is up (0.0072s latency).

PORT     STATE    SERVICE
80/tcp   open     http
8080/tcp filtered http-proxy

Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds

This ICX6450 has a static IP for the configuration GUI at 192.168.15.21 but it does not respond at all from the remote LAN:

pwm@WX-debian12-vm:~$ ping 192.168.15.21
PING 192.168.15.21 (192.168.15.21) 56(84) bytes of data.
^C
--- 192.168.15.21 ping statistics ---
23 packets transmitted, 0 received, 100% packet loss, time 22523ms

pwm@WX-debian12-vm:~$ traceroute 192.168.15.21
traceroute to 192.168.15.21 (192.168.15.21), 30 hops max, 60 byte packets
 1  pfSense.home.arpa (192.168.1.1)  0.304 ms  0.299 ms  0.285 ms
 2  10.100.90.1 (10.100.90.1)  4.893 ms  4.878 ms  4.891 ms
 3  * * *
 4  * * *
 5  * * *
...
30 * * *

pwm@WX-debian12-vm:~$ nmap -p80,8080 192.168.15.21
Starting Nmap 7.93 ( https://nmap.org ) at 2024-12-05 09:49 PST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.02 seconds

pwm@WX-debian12-vm:~$ nmap -Pn80,8080 192.168.15.21
Starting Nmap 7.93 ( https://nmap.org ) at 2024-12-05 09:49 PST
^C
pwm@WX-debian12-vm:~$

It appears that the remote network devices with static IP addresses do not respond through the Wireguard VPN. Device (192.168.15.22) responds to web access, SSH and ICMP but does not respond to trace route.

pwm802 · December 7, 2024, 4:58pm

@xMAXIMUSx Do you have any ideas?