Wireguard Site to Site Firewall Rules

I’ve got a pfSense based Site to Site Wireguard VPN running between my house and my off-site workshop, and it works great.

With that said though, I am struggling to understand how applying firewall rules on each side of the tunnel works. When I first built this out, I set it up with “Allow All” rules on each side, and as expected it worked perfectly fine. Now that I want to lock traffic down a bit more, I’m struggling to understand what I’m seeing via firewall rules.

For example, I have a self-hosted Bitwarden server on my home network. I don’t want every machine on my Workshop side to have access to the Bitwarden server, but my laptop and workstations certainly should have access to it.

So, I replaced the “Allow All” rule on my Home side with rules to limit Workshop networks’ and hosts’ access to services on my Home network (Bitwarden, DNS, Unifi Protect, etc.)

All of these rules, for the most part, work just fine, though there is a caveat that I don’t understand.

The alias “VPN_Remote_Networks” contains a list of my Workshop networks, and I use it as the Source to limit which networks on the Workshop side can connect to which services on the Home side. The various destination aliases work the same way. Pretty basic stuff here.

What I’m struggling with is that none of this actually works unless I put my Wireguard peer network (10.50.1.0/30) in that “VPN_Remote_Networks” alias. Additionally, that “BitwardenClients” alias (FQDNs of machines that should have Bitwarden access) doesn’t work at all.

So I manually added a “Block Everything” rule at the bottom to log requests and found that when a host on the Workshop side attempts to connect to, say, Bitwarden, I don’t get a log entry with the source as the IP address of the connecting host; instead it is the Workshop’s Wireguard peer address of 10.50.1.2.

All of this said, I know my firewall rules are probably not the best thought through and I’ll happily take some advice on that front. However, I think more importantly, I feel like I’m missing a fundamental aspect of how Wireguard and Firewalls are meant to work together in a situation like this.

Maybe I am naive in thinking I can just make a network- or host-based rule (as the source) WITHOUT the Wireguard peer network and that it would be more transparent than what I’m seeing. It doesn’t seem terribly helpful to try to make a rule if everything on one side of the tunnel shows up as a single IP on the other side, no?

What am I missing?

I would allow or deny by specific IP addresses instead of certain networks

In the “BitwardenClients” alias I’ve listed each of the specific machines that need access to Bitwarden by FQDN and the rule never hits. Reviewing my firewall log, even in this case, shows the Tunnel Network IP of my Workshop as the source rather than the IP of the machine attempting access to Bitwarden.

I just don’t really understand why it does that :frowning:

Ok, I figured out what my issue was. Originally I had followed the video @LTS_Tom posted on this topic:

https://www.youtube.com/watch?v=WXkWP-JZOd8

After a LOT of reading, however, it turns out that what I really needed was to navigate to Interfaces > WG_VPN (my Wireguard interface) and set “IPv4 Upstream gateway” from the Wireguard gateway I created per the video and other tutorials to “None”. Per the Netgate documentation, this “causes the firewall to treat the interface as a LAN type interface rather than a WAN type interface.”

I made this change on both of my firewalls and everything works as expected now; the source of traffic is no longer my tunnel endpoint IP and instead is the IP of the host, as I was originally hoping / expecting.

So yeah, not a firewall rule thing or even a Wireguard thing when you really boil it down; it was just that the gateway setting of the Wireguard interface made it behave differently than I had intended. Unless I’m missing something obvious, if you want to see the remote networks as local, you have to set the Upstream Gateway to “None”.

I’m not sure of the use case where you wouldn’t want this behavior.

I hope this thread helps someone else confused by this issue.
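What the gateway setting changes under the hood is pfSense's automatic outbound NAT: an interface with an upstream gateway is treated as WAN-type and gets outbound NAT rules generated for it, so packets leaving through the tunnel are rewritten to the tunnel address before the far side ever sees them. The following is an added example, not the poster's configuration or any pfSense code: it parses a constructed `pfctl -sn` dump (the active NAT rule set) and works out which source address the far end will log for a given client. The interface name `tun_wg0`, the tunnel address 10.50.1.2, the LAN 192.168.10.0/24, the client and server addresses, and the exact wording of the rule lines are all assumptions; pfSense's real output may differ slightly, in which case `NAT_RULE` needs adjusting.

```python
import ipaddress
import re

# Constructed sample of `pfctl -sn` from a pfSense box whose WireGuard
# interface (assumed name tun_wg0, tunnel address 10.50.1.2) still has an
# IPv4 upstream gateway assigned, so automatic outbound NAT includes it.
# The rule text approximates pfSense's real output.
PFCTL_SN_WITH_GATEWAY = """\
nat on em0 inet from 127.0.0.0/8 to any -> (em0) port 1024:65535
nat on em0 inet from 192.168.10.0/24 to any -> (em0) port 1024:65535
nat on tun_wg0 inet from 127.0.0.0/8 to any -> (tun_wg0) port 1024:65535
nat on tun_wg0 inet from 192.168.10.0/24 to any -> (tun_wg0) port 1024:65535
"""

# The same box after the upstream gateway on tun_wg0 was set to "None":
# the interface is LAN-type now and no outbound NAT rules exist for it.
PFCTL_SN_NO_GATEWAY = """\
nat on em0 inet from 127.0.0.0/8 to any -> (em0) port 1024:65535
nat on em0 inet from 192.168.10.0/24 to any -> (em0) port 1024:65535
"""

NAT_RULE = re.compile(
    r"^nat on (?P<iface>\S+) inet from (?P<src>\S+) to (?P<dst>\S+)"
    r" -> \((?P<out>\S+)\)"
)


def parse_nat_rules(pfctl_sn):
    """Parse `pfctl -sn` output into dicts with iface, src, dst and out."""
    rules = []
    for line in pfctl_sn.splitlines():
        m = NAT_RULE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def nat_rules_for(pfctl_sn, iface):
    """Outbound NAT rules that apply to traffic leaving via iface."""
    return [r for r in parse_nat_rules(pfctl_sn) if r["iface"] == iface]


def _covers(spec, addr):
    """True if a pf address spec ('any', a host or a CIDR) includes addr."""
    if spec == "any":
        return True
    try:
        return addr in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False


def source_seen_by_peer(pfctl_sn, egress_iface, iface_addr, client_ip, dst_ip):
    """Source address the far end of the tunnel logs for a packet from
    client_ip to dst_ip that leaves via egress_iface.

    pf checks the outbound NAT rules on the egress interface in order and
    the first match wins; a match rewrites the source to the interface's
    own address (iface_addr). No match leaves the real client source in
    place, which is what per-host and per-network rules on the far side
    need in order to match anything.
    """
    client = ipaddress.ip_address(client_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in nat_rules_for(pfctl_sn, egress_iface):
        if _covers(r["src"], client) and _covers(r["dst"], dst):
            return iface_addr
    return client_ip


if __name__ == "__main__":
    # Workshop laptop 192.168.10.25 talking to a Bitwarden host 192.168.1.40
    # on the home side (both addresses constructed for the example).
    for label, dump in (("gateway set", PFCTL_SN_WITH_GATEWAY),
                        ("gateway None", PFCTL_SN_NO_GATEWAY)):
        seen = source_seen_by_peer(dump, "tun_wg0", "10.50.1.2",
                                   "192.168.10.25", "192.168.1.40")
        print(f"{label:12}: 192.168.10.25 -> Bitwarden appears as {seen}")
```

To check a live box, run `pfctl -sn` from the pfSense shell on the side that originates the traffic (the Workshop firewall in this thread) and look for `nat on <wg interface>` lines; if any are present, the tunnel address is what the other firewall's rules and logs will see, and an FQDN or host alias for the real client can never match.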

When I set up a Wireguard connection to my VPN provider, I set it to their IP instead of None; I believe that would be the use case.