Trouble replicating routed /29 WireGuard setup from pfSense to VyOS

What is your topology? Is it like this?:

Internet --> VyOS --> pfSense?

If you’re going to have both VyOS and pfSense running, you won’t want both devices to have a LAN address of 192.168.5.1/24.

I’m assuming the IP address you’re receiving from your internet is in the 192.168.1.0/24 range (also assuming you’re on something with CG-NAT like Starlink or 5G). You’ll want to modify your static routes, since right now they’re load balancing. You want to prefer the paths over WireGuard. You can do something like this:

delete protocols static route 0.0.0.0/0 next-hop x.108

set protocols static route 0.0.0.0/1 next-hop x.108
set protocols static route 128.0.0.0/1 next-hop x.108

set protocols static route 134.199.56.1/32 next-hop 192.168.1.1

You can see that the pfSense connected to VyOS is receiving traffic, but it’s unable to send outbound traffic. I think I might be missing a firewall rule on VyOS.

You’re not running the firewall right now on VyOS; it doesn’t run by default, you’ll need to configure it.

With that said, if you’re not sending from pfSense to VyOS, then the issue would be on pfSense. You can verify if the traffic is reaching VyOS by running this on VyOS and generating traffic from pfSense:

sudo tcpdump -ni eth2 src x.114

If traffic isn’t reaching VyOS, then your issue is on pfSense; likely routing or firewall. If traffic is reaching VyOS, then it may just be that:

  • The asymmetric routing is causing issues with your traffic.
    • Traffic came from CoreTransit, but returned via your normal internet connection due to the same-cost static defaults.
    • My suggested updates to your static routing should help fix that.
  • You were trying to return traffic to 134.199.56.1 via the WireGuard tunnel itself, causing tunnel recursion (e.g. trying to send to the tunnel endpoint via the tunnel itself, which is obviously not possible).
    • My suggested updates to your static routing should also help fix that.

Once you get this working, you’ll definitely want to configure the firewall in VyOS since it has a public IP address. And of course make sure you replace and delete the default vyos user account.
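As an added illustration (not part of the thread above), the routing logic the reply describes can be checked offline with a small longest-prefix-match model: it shows why two equal-cost defaults load-balance, why the two /1 routes win over 0.0.0.0/0, and why the /32 to the endpoint is needed to avoid tunnel recursion. The WireGuard peer address 192.0.2.108 is a constructed stand-in for the "x.108" next-hop in the post.

```python
import ipaddress

# Constructed placeholder for the WireGuard peer next-hop the post writes as "x.108".
WG_PEER = "192.0.2.108"
# Upstream (CG-NAT side) gateway and the WireGuard endpoint, both from the post.
UPSTREAM_GW = "192.168.1.1"
ENDPOINT = "134.199.56.1"

# "Before": two same-cost default routes, i.e. what the post says is load balancing.
BEFORE = [("0.0.0.0/0", UPSTREAM_GW), ("0.0.0.0/0", WG_PEER)]

# "After": the static routes the reply suggests.
AFTER = [
    ("0.0.0.0/0", UPSTREAM_GW),      # remaining default via the upstream gateway
    ("0.0.0.0/1", WG_PEER),          # lower half of IPv4 space via the tunnel
    ("128.0.0.0/1", WG_PEER),        # upper half of IPv4 space via the tunnel
    (ENDPOINT + "/32", UPSTREAM_GW), # tunnel endpoint must NOT go via the tunnel
]


def lookup(routes, dst):
    """Longest-prefix match like a FIB: return every next-hop tied at the most
    specific prefix (more than one entry means equal-cost multipath)."""
    dst = ipaddress.ip_address(dst)
    best_len, hops = -1, []
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if dst not in net:
            continue
        if net.prefixlen > best_len:
            best_len, hops = net.prefixlen, [nexthop]
        elif net.prefixlen == best_len:
            hops.append(nexthop)
    return sorted(hops)


def tunnel_recursion(routes, endpoint=ENDPOINT, wg_peer=WG_PEER):
    """True if the tunnel endpoint itself could be sent into the tunnel, which is
    the recursion the reply describes (the tunnel can never carry its own outer packets)."""
    return wg_peer in lookup(routes, endpoint)


if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        print(name, "8.8.8.8 ->", lookup(table, "8.8.8.8"),
              "| endpoint ->", lookup(table, ENDPOINT),
              "| recursion:", tunnel_recursion(table))
```

Note that 134.199.56.1 falls inside 128.0.0.0/1, so without the /32 the endpoint would be routed into the tunnel even with the corrected /1 routes.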