Bug #12924

open

DNS Resolver WireGuard ACL Inconsistency

Added by Kevin Mychal Ong 4 months ago. Updated 3 months ago.

Status:
New
Priority:
Normal
Category:
WireGuard
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
2.6.0
Affected Plus Version:
Affected Architecture:

Description

Initially, I had two pfSense nodes connected via the WireGuard package. My tunnel network was 10.0.3.0/30 for p2p. I then added another pfSense node to make the topology hub and spoke. Naturally, I had to make my tunnel network larger, so I changed the WG interface subnets to /29 instead and proceeded with adding the third node. Everything is working properly except for the fact that the Unbound ACL that's created by WireGuard on the first two nodes did not change from /30 to /29. It says in the description not to touch those, but I manually changed them to /29 instead just to make things consistent. However, after restarting the pfSense box, it just goes back to /30.

Actions #1

Updated by Christian McDonald 4 months ago

  • Assignee set to Christian McDonald

Actions #2

Updated by Christian McDonald 4 months ago

Hi Kevin,

I am having a hard time replicating this based on your initial issue description. Can you please outline an exact sequence of steps necessary to replicate so that I can investigate more thoroughly? Thanks

Actions #3

Updated by Kevin Mychal Ong 4 months ago

Christian McDonald wrote in #note-2:

Hi Kevin,

I am having a hard time replicating this based on your initial issue description. Can you please outline an exact sequence of steps necessary to replicate so that I can investigate more thoroughly? Thanks

Hey Christian,

Here's exactly what I did:

1. Two pfSense boxes connected via WG S2S in the 10.0.3.0/30 tunnel network. WG interfaces are used and IPs assigned to them.
2. Added a third pfSense box and changed the tunnel network to 10.0.3.0/29. Since the third pfSense box is a new spoke, it doesn't exhibit the same issue. It has /29 in its DNS Resolver WG ACL.
3. The two original pfSense boxes' DNS Resolver WG ACLs stayed at /30.
4. Manually changed the wrong ACLs to /29.
5. Restarted the WG service and both ACLs are back to /30 again.
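
The mismatch in the steps above can be checked mechanically. The following is an added example, not code from this thread or from pfSense: it parses `access-control:` lines in Unbound's own syntax and lists the tunnel addresses that no allow entry covers. The sample config text and the function names are constructed for illustration, and only allow-type entries are considered.

```python
import ipaddress

# Constructed sample: the resolver ACL as it stays after the tunnel grew to /29.
SAMPLE_UNBOUND_ACL = """\
# constructed example, Unbound access-control syntax
access-control: 127.0.0.0/8 allow
access-control: 10.0.3.0/30 allow
"""


def parse_allowed(conf_text):
    """Return the networks named in 'access-control: <net> allow*' lines."""
    nets = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line.startswith("access-control:"):
            continue
        fields = line.split(":", 1)[1].split()   # [netblock, action]
        # allow, allow_snoop, allow_setrd and allow_cookie all permit queries
        if len(fields) == 2 and fields[1].startswith("allow"):
            nets.append(ipaddress.ip_network(fields[0], strict=False))
    return nets


def uncovered_hosts(tunnel_cidr, allowed):
    """List usable tunnel addresses that fall outside every allow entry.

    Assumption: deny/refuse entries are ignored, so this only answers
    'is the allow list at least as wide as the interface subnet?'.
    """
    tunnel = ipaddress.ip_network(tunnel_cidr, strict=False)
    same_family = [n for n in allowed if n.version == tunnel.version]
    return [str(h) for h in tunnel.hosts()
            if not any(h in n for n in same_family)]


if __name__ == "__main__":
    allowed = parse_allowed(SAMPLE_UNBOUND_ACL)
    for cidr in ("10.0.3.0/30", "10.0.3.0/29"):
        missing = uncovered_hosts(cidr, allowed)
        status = "consistent" if not missing else "stale ACL, uncovered: " + ", ".join(missing)
        print(f"{cidr}: {status}")
```

Run against the resolver's actual access-control lines after any change to the tunnel subnet, a non-empty result shows the ACL no longer matches the interface.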

Actions #4

Updated by Kevin Mychal Ong 3 months ago

Hey Christian. Were you able to recreate this problem already?
