Policy-based Routing (outbound) and port forwarding (inbound) "selectively" working through WG tunnel
This is my main thread about this issue: https://forum.netgate.com/topic/161293/policy-based-routing-outbound-and-port-forwarding-inbound-through-wg-tunnel
To sum it all up:
1. PBR issue
I have PBR rules on one side (Site B) to route traffic from specific source IPs on that site's LAN to the Internet through the WG tunnel. I have the necessary outbound NAT rule on the other side (Site A). I did a packet capture on Site B's WG interface and saw the packets reaching that interface, so that means the packets are being routed correctly. However, when I do a packet capture on Site B's WG interface with the same source IP, I don't see any results. The interesting part here is that it works for the "first" source IP that I did a PBR on, but not for the rest.
2. Port forwarding issue
I have port forwarding rules on Site A's WAN interface to forward traffic to clients in Site B's LAN. I tested first using my usual external open port test site (https://www.yougetsignal.com/tools/open-ports/). Everything works as expected! I can reach the Site B clients through Site A's WAN interface. So I thought everything was working properly.
I then tested with another external open port test site (https://www.canyouseeme.org/), and now it's not working. The same exact behavior as in the PBR issue above happens: the inbound packets reach Site A's WG0 interface but stop there. Site B's WG0 interface never sees these packets.
So these point to the same exact issue, just the reverse of each other. It's happening on two pfSense 2.5 boxes, so that can't be a coincidence. At first, I thought it was an issue with reply-to, so I created outbound NAT rules that SNAT traffic from the local end traversing the WG tunnel to the WG interface's IP, but this did not fix it. I also set the MSS field to 1420 (max MSS 1380) on the WG interface on both sides, but it didn't really help. At this point, I'm totally out of ideas and I'm considering this a bug.
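The diagnostic described in the post (capture on the sending side's WG interface, capture on the receiving side's WG interface, and see which traffic never arrives) is easy to do by eye for one source IP and tedious for several. The script below, an added example that is not part of the original post or of pfSense, diffs two text captures in the style of `tcpdump -n -i wg0` and reports, per source IP, how many flows were seen entering the tunnel and how many never showed up at the far end, which makes the "first source IP works, the rest do not" pattern visible at a glance. The two captures, the 192.168.20.0/24 LAN and the 203.0.113.x / 198.51.100.x destinations are constructed sample data, not addresses from the post; the same parser also works on captures taken in the inbound direction (Site A's WG0 versus Site B's WG0) for the port-forwarding case.

```python
import re
from collections import defaultdict

# Constructed sample captures (hypothetical addresses, not from the original
# post) in the style of `tcpdump -n -i wg0` taken on each end of the tunnel.
# Site B is the side applying the policy-based routing; Site A is the far end.
SITE_B_WG0 = """\
10:00:01.000001 IP 192.168.20.10.51234 > 203.0.113.5.443: Flags [S], seq 1, win 64240, length 0
10:00:01.000500 IP 192.168.20.11.51235 > 203.0.113.5.443: Flags [S], seq 2, win 64240, length 0
10:00:01.001000 IP 192.168.20.12.40000 > 198.51.100.7.53: 1234+ A? example.com. (29)
10:00:02.000000 IP 192.168.20.10.51236 > 203.0.113.9.80: Flags [S], seq 3, win 64240, length 0
"""
SITE_A_WG0 = """\
10:00:01.000200 IP 192.168.20.10.51234 > 203.0.113.5.443: Flags [S], seq 1, win 64240, length 0
10:00:02.000100 IP 192.168.20.10.51236 > 203.0.113.9.80: Flags [S], seq 3, win 64240, length 0
"""

# Matches the "IP src.sport > dst.dport:" part of a tcpdump line (TCP and UDP).
FLOW_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_flows(capture_text):
    """Return the set of (src_ip, src_port, dst_ip, dst_port) tuples in a capture."""
    flows = set()
    for line in capture_text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            flows.add((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return flows


def missing_flows(sender_capture, receiver_capture):
    """Flows present on the sending end's WG interface but absent on the receiving end."""
    return parse_flows(sender_capture) - parse_flows(receiver_capture)


def missing_by_source(sender_capture, receiver_capture):
    """Group the flows that never arrived by source IP."""
    grouped = defaultdict(list)
    for flow in sorted(missing_flows(sender_capture, receiver_capture)):
        grouped[flow[0]].append(flow)
    return dict(grouped)


def source_ip_summary(sender_capture, receiver_capture):
    """Per source IP: (flows seen entering the tunnel, flows never seen at the far end)."""
    sent = parse_flows(sender_capture)
    lost = missing_flows(sender_capture, receiver_capture)
    summary = {}
    for ip in sorted({f[0] for f in sent}):
        summary[ip] = (
            sum(1 for f in sent if f[0] == ip),
            sum(1 for f in lost if f[0] == ip),
        )
    return summary


if __name__ == "__main__":
    for ip, (sent, lost) in source_ip_summary(SITE_B_WG0, SITE_A_WG0).items():
        status = "OK" if lost == 0 else "NEVER SEEN AT FAR END"
        print(f"{ip}: {sent} flow(s) entered the tunnel, {lost} missing on the other side -> {status}")
```

To use it on real boxes, run the capture on each side with the same filter (for example `tcpdump -n -i wg0 host <client-ip>`) for the same test, paste each output into the corresponding string or read it from a file, and compare. A source IP whose flows all appear on the far end has a routing/NAT path that works; one whose flows enter the tunnel but are never seen on the far side narrows the problem to what happens between the two WG interfaces rather than to the PBR or port-forward rules themselves.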