DNS Resolver WireGuard ACL Inconsistency
Initially, I had two pfSense nodes connected via the WireGuard package. My tunnel network was 10.0.3.0/30 for p2p. I then added another pfSense node to make the topology hub and spoke. Naturally, I had to make my tunnel network larger, so I changed the WG interface subnets to /29 instead and proceeded with adding the third node. Everything is working properly except for the fact that the Unbound ACL that's created by WireGuard on the first two nodes did not change from /30 to /29. It says in the description not to touch those, but I manually changed them to /29 instead just to make things consistent. However, after restarting the pfSense box, it just goes back to /30.
Updated by Kevin Mychal Ong almost 2 years ago
Christian McDonald wrote in #note-2:
I am having a hard time replicating this based on your initial issue description. Can you please outline an exact sequence of steps necessary to replicate so that I can investigate more thoroughly? Thanks
Here's exactly what I did:
1. Two pfSense boxes connected via WG S2S in the 10.0.3.0/30 tunnel network. WG interfaces are used and IPs assigned to them.
2. Added a third pfSense box and changed the tunnel network to 10.0.3.0/29. Since the third pfSense box is a new spoke, it doesn't exhibit the same issue. It has /29 in its DNS Resolver WG ACL.
3. The two original pfSense boxes' DNS Resolver WG ACLs stayed at /30.
4. Manually changed the wrong ACLs to /29.
5. Restarted the WG service and both ACLs are back to /30 again.
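The practical consequence of the steps above is that a stale /30 ACL silently leaves part of the widened /29 tunnel network without resolver access. The following is an added example, not code from the thread or from the pfSense WireGuard package, that checks auto-generated Unbound ACLs against the current WireGuard interface subnets and reports which tunnel peers a stale ACL no longer covers. It assumes (constructed for the example) that each generated ACL description ends with the interface name it was created for; the sample data mirrors the /30 to /29 change described in the report.

```python
import ipaddress

# Constructed sample data mirroring the thread: the WG interface was widened
# from /30 to /29, but the Unbound ACL generated for it still says /30.
WG_INTERFACES = [
    {"name": "tun_wg0", "address": "10.0.3.1/29"},
]
UNBOUND_ACLS = [
    # assumption: generated ACL descriptions end with the interface name
    {"description": "WireGuard tun_wg0", "network": "10.0.3.0/30", "action": "allow"},
    {"description": "LAN", "network": "192.168.1.0/24", "action": "allow"},
]


def tunnel_network(address):
    """Return the tunnel network an interface address (e.g. 10.0.3.1/29) belongs to."""
    return ipaddress.ip_interface(address).network


def find_stale_acls(interfaces, acls):
    """Compare each WG interface's tunnel network with the ACL generated for it.

    Returns a list of findings; an empty list means every interface has a
    matching ACL.  Each finding names the interface, the expected and actual
    ACL networks, and the tunnel hosts the stale ACL fails to cover.
    """
    findings = []
    for iface in interfaces:
        expected = tunnel_network(iface["address"])
        # assumption: the package names the ACL after the interface
        matches = [a for a in acls if a["description"].endswith(iface["name"])]
        if not matches:
            findings.append({"interface": iface["name"], "problem": "missing ACL",
                             "expected": str(expected), "actual": None,
                             "uncovered_hosts": [str(h) for h in expected.hosts()]})
            continue
        for acl in matches:
            actual = ipaddress.ip_network(acl["network"])
            if actual == expected:
                continue
            # Tunnel hosts that exist in the new subnet but fall outside the ACL:
            # these peers get no answers from the resolver until the ACL is fixed.
            uncovered = [str(h) for h in expected.hosts() if h not in actual]
            findings.append({"interface": iface["name"], "problem": "stale ACL",
                             "expected": str(expected), "actual": str(actual),
                             "uncovered_hosts": uncovered})
    return findings


if __name__ == "__main__":
    for f in find_stale_acls(WG_INTERFACES, UNBOUND_ACLS):
        print(f"{f['interface']}: {f['problem']} (expected {f['expected']}, "
              f"got {f['actual']}); uncovered peers: {', '.join(f['uncovered_hosts'])}")
```

Run against a live box, the two lists would come from the WireGuard interface assignments and the DNS Resolver access list configuration; the comparison itself is what matters, since a /30 ACL on a /29 tunnel accepts only the first three peer addresses and rejects the rest.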