Two Layer pfSense (homelab) and Wireguard


I have a pfSense virtual lab running WireGuard behind my REAL pfSense. I can connect from a local machine outside the lab using WireGuard, but I want to connect to WireGuard from OUTSIDE (i.e. the internet). I set up a port forward from the WAN to my lab pfSense IP on the correct port, but no joy.

I have tried to look about and I feel like I did all the steps mentioned. Probably missed something dead obvious… The lab pfSense does not register any attempt to handshake.

Anyone got any idea of where to look? I can share more details if it helps.

Can you please post a screenshot of the port forward rule.

And this is the WAN IP of my lab pfSense.

Can you please verify the following:

  • the filter rule associated with the port forward rule is enabled and set to pass
  • on the lab firewall’s WAN interface, block private networks and block bogon networks are both unchecked
  • on the lab firewall’s WAN interface, the gateway is set correctly to the address of the main firewall

In the associated filter rule on the main firewall, enable logging and verify in the logs that traffic does indeed reach the main firewall when attempting to connect from the internet.

Have you actually attempted to send traffic through the tunnel? AFAIK, by default, WireGuard will not handshake unless it needs to.
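The point above matters when reading `wg show` output: a peer with no handshake and zero bytes sent has simply never been asked to handshake, while a peer with bytes sent and nothing received points at packets not arriving (port forward, WAN rule, or endpoint address). The following is an added example, not code from the thread or from pfSense or WireGuard; it parses the machine-readable `wg show <iface> dump` format (tab-separated: one interface line, then one line per peer with public key, preshared key, endpoint, allowed IPs, latest handshake epoch, rx bytes, tx bytes, keepalive) and classifies each peer. The sample dump is constructed and its keys are placeholders.

```python
"""Classify WireGuard peers from `wg show <iface> dump` output.

Added example for the thread above; the sample dump below is constructed and
the keys are placeholders, not real key material.
"""
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Reject-After-Time in the WireGuard protocol: a session older than this is
# no longer usable, so a handshake older than 180 s means the tunnel is down.
REJECT_AFTER_TIME = 180


@dataclass
class PeerStatus:
    public_key: str
    endpoint: str
    latest_handshake: int   # unix epoch seconds, 0 = never
    rx_bytes: int
    tx_bytes: int
    state: str
    hint: str


def parse_wg_dump(dump: str) -> List[dict]:
    """Parse the text printed by `wg show <iface> dump`.

    The first line describes the interface (private key, public key, listen
    port, fwmark); each following line is a peer with eight tab-separated
    fields: public key, preshared key, endpoint, allowed IPs, latest
    handshake (epoch seconds, 0 if none), rx bytes, tx bytes, keepalive.
    """
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    peers = []
    for ln in lines[1:]:            # skip the interface line
        f = ln.split("\t")
        if len(f) != 8:
            raise ValueError(f"unexpected peer line: {ln!r}")
        peers.append({
            "public_key": f[0],
            "endpoint": f[2],
            "allowed_ips": f[3],
            "latest_handshake": int(f[4]),
            "rx_bytes": int(f[5]),
            "tx_bytes": int(f[6]),
        })
    return peers


def classify_peer(peer: dict, now: int) -> PeerStatus:
    """Turn raw counters into a state plus a troubleshooting hint."""
    hs, rx, tx = peer["latest_handshake"], peer["rx_bytes"], peer["tx_bytes"]
    if hs == 0 and tx == 0 and rx == 0:
        state = "no-traffic"
        hint = ("nothing sent or received; WireGuard only handshakes when it has "
                "traffic to carry, so generate some from the initiating side "
                "(if this side is the responder, no initiation has arrived yet)")
    elif hs == 0:
        state = "unanswered"
        hint = ("initiations sent but nothing received: packets are not reaching "
                "the far side or its replies are dropped; check the port forward, "
                "the WAN filter rule and the endpoint address")
    elif now - hs > REJECT_AFTER_TIME:
        state = "stale"
        hint = f"last handshake {now - hs}s ago; the session has expired"
    else:
        state = "active"
        hint = f"handshake {now - hs}s ago, {rx} B in / {tx} B out"
    return PeerStatus(peer["public_key"], peer["endpoint"], hs, rx, tx, state, hint)


def report(dump: str, now: Optional[int] = None) -> Dict[str, str]:
    """Map each peer's public key to its state, for a quick yes/no check."""
    now = int(time.time()) if now is None else now
    return {p["public_key"]: classify_peer(p, now).state for p in parse_wg_dump(dump)}


# Constructed sample of `wg show wg0 dump` output; keys are placeholders.
NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join([
    "PRIVATE_KEY_PLACEHOLDER\tPUBLIC_KEY_PLACEHOLDER\t51820\toff",
    # peer used from the LAN-side test box: fresh handshake, traffic both ways
    f"PEER_LAN_PLACEHOLDER\t(none)\t192.168.1.50:41641\t10.0.0.2/32\t{NOW - 30}\t148920\t131044\t25",
    # peer as seen from a cloud VPS client: initiations sent, never answered
    "PEER_VPS_PLACEHOLDER\t(none)\t203.0.113.7:51820\t10.0.0.3/32\t0\t0\t2220\t25",
    # peer never exercised: nothing sent, so no handshake is expected yet
    "PEER_IDLE_PLACEHOLDER\t(none)\t(none)\t10.0.0.4/32\t0\t0\t0\toff",
])

if __name__ == "__main__":
    for p in parse_wg_dump(SAMPLE_DUMP):
        s = classify_peer(p, NOW)
        print(f"{s.public_key:<24} {s.state:<11} {s.hint}")
```

On a live box, feed it `subprocess.run(["wg", "show", "wg0", "dump"], capture_output=True, text=True).stdout` instead of the constructed sample. An "unanswered" peer on the VPS together with no log entries on the lab pfSense is the combination the thread describes, and it says the problem is upstream of WireGuard.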

Filter rule:

The block private/bogon settings are fine.
The gateway looks correct (LAN IP of my main firewall).

Yes, I tried to ping/ssh to my box behind the firewall.
This worked fine from my local box but not from my VPS in the cloud that I am testing the outside access from.

WireGuard on the VPS does not show a successful connection, which is different from when I run it locally.

EDIT: I added logging and can’t see anything. Digging into that now. Makes me think I have my external IP wrong in some way…