Weird WireGuard behavior

I've set up a site-to-site VPN between a pfSense box and a Ubiquiti EdgeRouter. I believe the tunnel and the allowed IPs are OK, because from the EdgeRouter I can ping the gateway of the subnet I'm trying to reach, and from the pfSense I can ping the LAN side of the EdgeRouter's network just fine. The problem is getting from my network to the other network, just from the pfSense side.

Any ideas on where I can begin looking?

Firewall rules on the WireGuard interface are allowing all.
I even created a static route using the WireGuard interface as the gateway interface and still nothing.

Can you post both firewall rules, on pfSense and on the EdgeRouter? Because as I remember, the EdgeRouter is not a stateful firewall, so you need to declare that you are allowing return traffic. You may have missed that bit.

I'm going to do that now... but I thought it was odd that the tunnel is formed... and from the pfSense Diagnostics ping tab I can ping all the way to the device on the other network (src=192.168.2.3 (the router); it can ping all the way to the end device 192.168.253.5), but from my computer on the LAN side of the pfSense (src=192.168.2.7) I can not even ping the other side of the tunnel (10.1.2.2). I didn't know if that meant something along the lines of maybe it's because my gateway is 192.168.2.3 vs 192.168.2.1. Feels like it shouldn't matter, but I dunno. On the EdgeRouter, though, basically everything is allowed unless you drop it.

How about using the interface where 192.168.2.x is located as the source when you are doing the ping test, and see if you get the same result?

That works as well... I'm driving, but I'll screenshot that when I get to the office. It only doesn't work from the actual LAN... not reaching the other end of the tunnel gets me... the computer can get to 10.1.2.1 but not 10.1.2.2.

Yet the router on 192.168.2.3 can reach all the way to the LAN.

About to hire Tom lol

If that is the case, if you run traceroute from any machine on 192.168.2.x, up to what point does the packet reach?

So weird... following the EXACT same approach but on a different pfSense box that I had lying around... the tunnel is working perfectly. I believe that it might be something with my computer or the network that I'm working on that is preventing this from working. I did not try anything new on the different box and it is great... but I am concerned about making the original router work, so if you can work with me I'd really appreciate it...
Messing with the tunnel, I did change the addresses, but the rest of the settings are still the same:
10.1.2.1 = 172.16.3.1 = local tun_wg0 IP
10.1.2.2 = 172.16.3.2 = remote wg0 of the EdgeRouter


Even though the PC connects directly to 172.16.3.1, when trying to go to 172.16.3.2 it chooses to go out 192.168.2.3.

Here is the route as well...

How about a pfSense device on each end? Would that make it easier to manage?

It's actually been hard to get Netgate products lately; I've been just building... and this network is running really well with the EdgeRouter and all the services it has. Feels like something bizarre that I'd like to solve; even using the other pfSense box I'm using, it's working just fine. The network the problematic pfSense is on also has another router at 192.168.2.1/24... don't know if that could be making things weird. But my computer statically has the pfSense 192.168.2.3 as its gateway.
I'll try creating another network later.

In a perfect world, I'd have pfSense everywhere.

So weird... following the EXACT same approach but on a different pfSense box that I had lying around... the tunnel is working perfectly

Why not keep the working pfSense in place instead of putting back the non-working pfSense? If that is not possible, just checking on the non-working pfSense: on the interface for the WireGuard VPN, did you configure a gateway on it? If yes, have you tried removing the gateway?

One is a server blade that I have running the office (the problematic one) and the other is a tiny Dell that I'm just playing around with. I can't really swap them. I just wish I understood what the issue was... Do I regret not paying 700 dollars for a year of support? Only a litttttle bit... this should be something I can figure out. Been WireGuarding for like two years already and felt comfortable with how to do it... UNTIL NOW. lol

Well, check if TAC Lite support is applicable to you, because it is free for now and by next year it will be $129 for a year, which is still cheap instead of having a headache and your boss screaming at you.

Back up the configuration on both pfSense instances and compare them; you should be able to transfer the working parts of the config to the non-working config and import the edited file. Or, if they are similar enough, edit the interfaces of the working config to reflect the interfaces on the other unit and upload this edited file.

That said, I have not worked with WireGuard, so I may be wrong here.

I was beginning to question the interfaces being Chelsio or something with the kernel, because it just doesn't make sense. I might do a complete fresh install... I've been comparing configs for two days and really, it's a WireGuard tunnel; there aren't too many places to look.

Most often Intel interfaces are recommended. I haven't worked with Chelsio, but I think I remember Tom having an issue with them on an XCP-ng test system. Not sure if that matters for pfSense.

Not being able to ping the tunnel interface on the other side from LAN devices... but sourcing from the LAN network on pfSense I make it all the way across to devices on the opposite LAN... and from the opposite LAN I can ping the gateway interface of the pfSense LAN... too weird... traceroute to the tunnel interface of the EdgeRouter goes out the gateway interface, not the WireGuard interface... it's a directly connected route... makes no sense... I wouldn't think you need a rule or a route to go to an endpoint that is directly connected... TOMMMMM helppp... lol...
Thank you to everyone engaging in this with me... really appreciate it.

What I discovered was that when gateway monitoring was enabled and the interface was set to dynamic, the tunnel would shut down. But when I disabled monitoring, it began to work!
@reymond070605
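For reference, this is what both ends of a site-to-site tunnel like the one discussed in this thread look like in plain WireGuard configuration syntax. It is an added example, not the poster's configuration and not anything shipped by Netgate or Ubiquiti. It reuses the addresses the thread mentions (172.16.3.1 and 172.16.3.2 for the tunnel, 192.168.2.0/24 behind pfSense, 192.168.253.0/24 behind the EdgeRouter) and assumes a /30 tunnel subnet, UDP port 51820 and the endpoint hostnames; the key values are placeholders. The pfSense WireGuard package and the EdgeRouter WireGuard package present the same fields under their own labels, so the part worth checking against a GUI is the AllowedIPs line on each peer: it must list the other side's LAN, not only its tunnel address, otherwise pings between the two tunnel addresses succeed while LAN-to-LAN packets are dropped by WireGuard's cryptokey routing before any firewall rule sees them.

```ini
# --- pfSense end: tunnel address 172.16.3.1/30, LAN 192.168.2.0/24 ---
# Added example with assumed addresses and hostnames; keys are placeholders.
[Interface]
Address = 172.16.3.1/30
ListenPort = 51820
PrivateKey = <pfsense-private-key>

[Peer]
# The EdgeRouter. The endpoint hostname is an assumption.
PublicKey = <edgerouter-public-key>
Endpoint = edgerouter.example.net:51820
# Remote tunnel address AND the remote LAN. With only 172.16.3.2/32 here,
# 172.16.3.1 <-> 172.16.3.2 pings work, but anything to or from
# 192.168.253.0/24 is discarded by WireGuard itself.
AllowedIPs = 172.16.3.2/32, 192.168.253.0/24
PersistentKeepalive = 25

# --- EdgeRouter end: tunnel address 172.16.3.2/30, LAN 192.168.253.0/24 ---
[Interface]
Address = 172.16.3.2/30
ListenPort = 51820
PrivateKey = <edgerouter-private-key>

[Peer]
# The pfSense box. The endpoint hostname is an assumption.
PublicKey = <pfsense-public-key>
Endpoint = pfsense.example.net:51820
# Mirror image: the pfSense tunnel address plus the LAN behind it.
AllowedIPs = 172.16.3.1/32, 192.168.2.0/24
PersistentKeepalive = 25
```

On either end, `wg show` prints the peer's `allowed ips` as the kernel actually holds them, which is a quicker check than re-reading a GUI form. The gateway monitoring the final post turned off is a pfSense-side setting on a gateway defined over the tunnel interface and has no equivalent in this file; this example only covers what the two peers need to agree on.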