I’ve viewed Tom’s and Christian McDonalds Youtube videos on setting up ‘roadwarrior’ (not LAN to LAN) connections to remote networks and found it great for remote support.
However, the demonstrated connections bring the user into the network on VLAN 1. At a site that I support, I need staff to be able to log in, using Wireguard, to view security cameras. These cameras are on VLAN 60. How do I set up Wireguard to do this? (I’m using ‘full tunnel’ remote access.)
I don’t know the videos you’re referencing, but I can make some general comments.
When you connect from a remote peer with a Wireguard peer running on pfSense, your remote peer is not automatically part of (or bridged to) any existing network the pfSense is connected to. Wireguard is purely a layer 3 VPN. Every connection between the virtual Wireguard network and any other (physical) network happens through routing/forwarding, not through switching. Therefore, in order to access any network, regardless of which VLAN tag (if any) pfSense happens to use for that network, you simply have to create the respective Allow rules on the firewall, i.e. set the destination according to the network you want to allow access to.
Do you mean in /Firewall/Rules/Wireguard (edit the rule or add a rule?)
Wireguard is using 192.168.2.0/24 and the Vlan 60 uses 10.6.0.0/16.
Wouldn’t this be a routing issue rather than a firewall issue?
pfSense does routing, forwarding and firewall. Routing is the process of discovering or establishing routes to networks and building a routing table. Forwarding is taking packets that come in on one interface and sending them out another interface based on the routing table. To regulate the forwarding process, you create firewall rules that determine which packets are allowed to be forwarded and which aren’t.
So, yes, you would create a firewall rule on the appropriate interface with
10.6.0.0/16 as the destination.
Under Firewall → Rules, “Wireguard” is not an interface, but an interface group. Which interfaces are part of that group can be set via VPN → Wireguard → Settings → Interface Group Membership. If you created a dedicated interface for that tunnel, your rules should go there, otherwise in the “Wireguard” group.