WireGuard Site to Site - issue with internet access via remote pfSense - Solved :)

So first up - absolutely amazing videos! Over the last few weeks I have discovered pfSense Plus, pfBlocker and WireGuard. I had hardly touched my firewalls in years.

Now for my slight issue!

Following both yours and Christian's videos, I now have a shiny WireGuard site to site installed between my home in England and my holiday home in France. It replaced an old OpenVPN site to site and speed has gone from circa 50 meg to closer to 500 meg - which is great considering all the streaming shows the kids do!

I have fibre both in England and France, and pfSense running on the latest pfSense Plus.

I had a little firewall rule that routed the IP from my TV in France to my home (England) network and out the pfSense firewall there (so I could watch UK IP TV like Discovery, Disney etc).

I thought it would be simple to just point the existing rule at the new gateway and it would work…

Alas it is not the case. I turned on firewall logging for the rule and I can see the firewall in France passes traffic out - so I checked out the states and I get lots of CLOSED:SYN_SENT.

Reading up - seems it could be asynch routing? So I checked that NAT was set correctly going out from my pfSense in England and it seems to be.

Would be grateful for any advice?

Thanks

Stuart

It might be easier and more flexible to use the pfSense Tailscale package. Tailscale is a layer built on top of WireGuard. I set up a site to site MESH VPN between two pfSense locations in less than 30 minutes. It works automagically! Tailscale has a free tier, which is more than suitable for most personal needs. I simply watched the video on the blog post and followed along while setting it up.

Hi Elvis,

Thanks for the feedback - I actually do have Tailscale installed as a backup, but the throughput is less than I get with OpenVPN, circa 30 meg. I am keen to work out what the issue is with WireGuard site to site, as it works perfectly when I use IP addresses for Dockers / virtual machines in the other locations.

30 meg just wouldn't be enough to stream multiple TVs in 4K / YouTube etc - you know what kids are like!

I have till the summer hols to figure it out :)
Cheers

Stuart

mbroute is an alias - basically some IPs I want to route - and WraysburyGW is my gateway to England, which works great.

I have my static route set up along with my gateway under Routing, and that all works perfectly when I use an IP address in England from France.

No joy with Internet though.

If I try to ping a site I get:

```text
C:\Users\schfo>ping news

Pinging news.bbc.co.uk.pri.bbc.co.uk [212.58.249.144] with 32 bytes of data:
Reply from 192.168.100.1: Destination host unreachable.
Reply from 192.168.100.1: Destination host unreachable.
Reply from 192.168.100.1: Destination host unreachable.
Reply from 192.168.100.1: Destination host unreachable.

Ping statistics for 212.58.249.144:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
```

192.168.100.1 is the IP address of my French pfSense that I am connected to (I just popped my PC in the alias group to route via England for all Internet).

So if I try a couple of trace routes…

```text
C:\Users\schfo>tracert yahoo

Tracing route to yahoo.co.uk [74.6.143.18]
over a maximum of 30 hops:

  1  cmfw01.local.lan [192.168.100.1]  reports: Destination host unreachable.

Trace complete.

C:\Users\schfo>tracert 192.168.0.21

Tracing route to MBNUC1 [192.168.0.21]
over a maximum of 30 hops:

  1    31 ms    31 ms    31 ms  10.100.90.0
  2    31 ms    31 ms    31 ms  MBNUC1 [192.168.0.21]

Trace complete.
```

It is like it thinks I cannot access the internet over the WireGuard VPN, but for an internal IP it routes OK?

So frustrating!

Cheers

Stuart

For anyone else who is stuck - you have to add 0.0.0.0/0 to the Allowed IPs on the client-side peer for the WireGuard tunnel - in my case the French side.

For security reasons wouldn’t you want to only allow the French LAN? Because 0.0.0.0/0 is all interfaces.

I believe that if I wish to send internet traffic from France to the UK to then exit from the UK, I must allow 0.0.0.0/0, e.g. everything, to pass over the WireGuard tunnel to be able to exit the UK (and look as if it is coming from the UK).

Previously it was just the tunnel and access to the UK LAN that was allowed; certainly making that change has it all working.

Cheers

Stuart
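The fix above (0.0.0.0/0 in the England peer's Allowed IPs on the French side) and the follow-up question about what that setting opens up both come down to how WireGuard's cryptokey routing table treats AllowedIPs. The Python below is an added illustration written for this thread, not pfSense or WireGuard project code: it models the longest-prefix lookup WireGuard performs on every packet, in both directions, using constructed peer tables. The tunnel network 10.100.90.0/24 and the UK LAN 192.168.0.0/24 are assumptions (the thread only shows the single hosts 10.100.90.0 and 192.168.0.21), and the peer names are invented labels.

```python
"""Toy model of WireGuard's cryptokey routing table (added example for this thread,
not pfSense or WireGuard code).  Outbound, a packet is encrypted to the peer whose
AllowedIPs entry is the longest prefix matching the destination; with no match the
packet never enters the tunnel.  Inbound, a decrypted packet is kept only if its
inner source address maps back to the peer it arrived from."""
import ipaddress
from typing import Dict, List, Optional


def parse_allowed_ips(allowed: str) -> List[ipaddress.IPv4Network]:
    """Split a comma-separated AllowedIPs string into network objects."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in allowed.split(",") if p.strip()]


def select_peer(peers: Dict[str, str], addr: str) -> Optional[str]:
    """Longest-prefix match of addr over every peer's AllowedIPs.

    Returns the peer name, or None when no entry covers the address (for an
    outbound packet that means WireGuard has nowhere to send it)."""
    ip = ipaddress.ip_address(addr)
    best, best_len = None, -1
    for name, allowed in peers.items():
        for net in parse_allowed_ips(allowed):
            if ip in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def accept_inbound(peers: Dict[str, str], from_peer: str, src: str) -> bool:
    """Inbound source check: the inner source address must route back to the
    peer that sent the packet, otherwise WireGuard drops it."""
    return select_peer(peers, src) == from_peer


# Constructed peer tables for the French pfSense's England peer.
# Assumption: tunnel 10.100.90.0/24, UK LAN 192.168.0.0/24 (hypothetical prefixes).
BEFORE = {"england": "10.100.90.0/24, 192.168.0.0/24"}
AFTER = {"england": "10.100.90.0/24, 192.168.0.0/24, 0.0.0.0/0"}

# A second, hypothetical peer shows that a more specific entry still wins over
# 0.0.0.0/0 in both directions.
WITH_SECOND_PEER = {"england": "0.0.0.0/0", "site_c": "192.168.50.0/24"}


if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        for dst in ("192.168.0.21", "212.58.249.144"):
            print(f"{label}: {dst} -> {select_peer(table, dst)}")
        # Same table decides which decrypted source addresses France accepts.
        print(f"{label}: accept src 212.58.249.144 from england -> "
              f"{accept_inbound(table, 'england', '212.58.249.144')}")
```

With the BEFORE table, 192.168.0.21 (the UK NUC) resolves to the England peer while 212.58.249.144 (the BBC address from the ping) matches nothing, which is the "works for internal IPs, not for the internet" symptom in the thread; with 0.0.0.0/0 added, every destination resolves to England. The same table answers the security question: after the change, the French WireGuard interface will also accept decrypted packets from the England peer carrying any source address, so the firewall rules on the WireGuard interface, not AllowedIPs, are what limit what comes back across the tunnel.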