Bug #11679

Policy-based Routing (outbound) and port forwarding (inbound) "selectively" working through WG tunnel

Added by Kevin Mychal Ong 8 months ago. Updated 3 months ago.

Status: Feedback
Priority: Normal
Category: WireGuard
Target version: -
Start date: 03/15/2021
% Done: 0%
Release Notes: Default

Description

This is my main thread about this issue: https://forum.netgate.com/topic/161293/policy-based-routing-outbound-and-port-forwarding-inbound-through-wg-tunnel

To sum it all up:

1. PBR issue

I have PBR rules on one side (Site B) to route traffic from specific source IPs on the LAN on that site to the Internet through the WG tunnel. I have the necessary outbound NAT rule on the other side (Site A). I did a packet capture on Site B's WG interface and saw the packets reaching that interface, so that means that the packets are being routed correctly. However, when I do a packet capture on site B's WG interface with the same source IP, I don't see any results. The interesting part here is that it works for the "first" source IP that I did a PBR on but not for the rest.

2. Port forwarding issue

I have port forwarding rules on Site A's WAN interface to forward traffic to clients in Site B's LAN. I tested first using my usual external open port test site (https://www.yougetsignal.com/tools/open-ports/). Everything works as expected! I can reach the site B clients through Site A's WAN interface. So I thought everything was working properly.

I then tested with another external open port test site (https://www.canyouseeme.org/) and now it's not working. The same exact behavior happens as in the PBR issue above: the inbound packets reach Site A's WG0 interface but stop there. Site B's WG0 interface never sees these packets.

So these point to the same exact issue, just the reverse of each other. It's happening on two pfSense 2.5 boxes, so that can't be a coincidence. At first, I thought it was an issue with reply-to, so I created outbound NAT rules that SNAT traffic from the local end traversing the WG tunnel to the WG interface's IP, but this did not fix it. I also set the MSS field to 1420 (max MSS 1380) on the WG interface on both sides, but it didn't really help. At this point, I'm totally out of ideas and I'm considering this a bug.

#1 Updated by Jim Pingle 7 months ago

  • Target version set to Future

#2 Updated by Tigger 2014 3 months ago

#3 Updated by Christian McDonald 3 months ago

  • Status changed from New to Feedback
  • Assignee set to Christian McDonald
  • Target version deleted (Future)
  • Affected Version deleted (2.5.0)