Incoming traffic on WG interface behind ISP modem

My setup is as follows:

[pfSense] ---- [internet] ---- [ISP modem] ---- [OpenWrt]

I have a Wireguard connection between the pfSense and OpenWrt devices. On OpenWrt I have created two LAN zones/subnets/SSIDs, with one going out to the internet directly, and the other via the Wireguard tunnel. This works as expected.

My issue is, that from the pfSense network, I can not connect to the OpenWrt device (ping, Luci, SSH, etc). I'm not trying to connect to the devices behind OpenWrt, but the OpenWrt device itself.

Unfortunately, I'm bound to use an ISP provided modem. It does not support bridge mode, and I can't change the subnet. I expect my issue has to do with the ISP modem's subnet being similar to the pfSense WG subnet:

  • pfSense WG subnet: 192.168.80.0/24
  • ISP modem subnet: 192.168.2.0/24

I assume the routing table will route all traffic to 192.168.80.0/24 over the WAN gateway, instead of replying over the WG interface. I've been tinkering with routing tables etc, but I can't get it to work.

From the pfSense network I can connect to other WG clients in the 192.168.80.0 subnet, so it's not a routing issue on the pfSense side.

Details of my OpenWrt configuration:

/etc/network

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.3'
	list dns '1.0.0.3'
	option delegate '0'

config interface 'wgwan'
	option proto 'wireguard'
	option private_key 'redacted'
	list addresses '192.168.80.10/32'
	option peerdns '0'
	list dns '192.168.80.1'
	option delegate '0'

config wireguard_wgwan
	option description 'pfSense'
	option public_key 'redacted'
	option preshared_key 'redacted'
	list allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'
	option endpoint_host 'redacted'
	option endpoint_port 'redacted'

config interface 'lan'
	option proto 'static'
	option ipaddr '172.16.11.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'wglan'
	option proto 'static'
	option ipaddr '172.16.12.1'
	option netmask '255.255.255.0'
	option delegate '0'

config rule
	option in 'wglan'
	option lookup '300'

config route
	option interface 'wgwan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '300'

/etc/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'
	option flow_offloading '1'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'wgwan'
	option network 'wgwan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'wglan'
	option network 'wglan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'wglan'
	option dest 'wgwan'

config rule
	option name 'Allow-Ping'
	list proto 'icmp'
	option src 'wgwan'
	option target 'ACCEPT'
	
config rule
	option name 'Allow-Luci'
	list proto 'tcp'
	option src 'wgwan'
	option dest_port '443'
	option target 'ACCEPT'

If the pfsense endpoint (and the associated hosts on that network) are fully trusted, simply change the input rule for the wgwan zone to ACCEPT and you should be able to reach the OpenWrt router itself from the pfsense device/network.

I have tried this, but it does not resolve the issue.

To determine the correct firewall and zone settings, I have connected an OpenWrt device with Wireguard client directly to the internet (so no ISP modem with NAT in between). It actually works with the settings from my first post, leading me to suspect the routing table / ISP modem subnet as the cause.

How are you trying to access the OpenWrt device? I was assuming that the WG tunnel is already established and the pfsense side attempts to connect through the tunnel using the address 192.168.80.10 or 172.16.11.1 (172.16.12.1 would work, too).

A route would need to exist on the pfsense router for 172.16.11.0/24 or 172.16.12.0/24 via 192.168.50.10.

Indeed, the tunnel is already up and working correctly. On the pfSense side I'm trying to ping/HTTPS to 192.168.80.10.

Is this coming from the pfsense device itself (such as an ssh session into this router), or a host behind the pfsense?

Both don't work.

In the setup with the second OpenWrt WG client I mentioned, I can successfully ping to it from both the pfSense device as well as from any host in the pfSense network.

hmmm... what's strange to me is that the OpenWrt device is the endpoint on that end, so it should be reachable via the tunnel directly.

I wonder if the issue is related to your custom routing tables.

What happens if you remove these two items:

Removing the custom routing makes no change.

Could it not be I actually need to add something to the routing? Because of the ISP modem subnet?

The ISP modem+router lan is connected to the OpenWrt's wan port, right? If so, the tunnel doesn't know about or care about the modem's subnet.

That said, is there any overlap of any of the networks on either side, or are they all unique subnets?

Correct, OpenWrt's WAN into ISP modem LAN.

There is no overlap of /24s.

  • pfSense WG subnet: 192.168.80.0/24
  • ISP modem subnet: 192.168.2.0/24
  • OpenWrt WAN IP: 192.168.2.1

wgwan should be 192.168.80.10/24 (not 32) so that a route to anywhere in the tunnel (in particular 192.168.80.1) is automatically set up via wgwan. Also you should install a route to the pfsense site's LAN via wgwan with gateway 192.168.80.1. The remote pfsense site's LAN must not overlap other IPs such as the OpenWrt router's WAN or LAN.

The Wireguard tunnel is working correctly, in the sense that any host in the wglan zone can connect to any host in the pfSense network. So there actually is a route to anywhere in the tunnel already (because of the list allowed_ips '0.0.0.0/0'). Or am I not understanding your point correctly?

This is the routing table:

My thinking is, OpenWrt actually receives the ping over wgwan, but the reply is sent via the main routing table to the 192.168.2.254 gateway. Although that wouldn't explain why it works in my second setup.

What other subnets exist on the pfsense router (i.e. lan(s) on that side)? Is the pfsense router's wan a public IP or is it behind another router?

pfSense has a public IP. There are a few more subnets, all 192.168.x0.0. There is no 192.168.2.0 at the pfSense side.

Why do you have a separate wglan interface?

Is your goal to only allow traffic from pfSense and route all other traffic via your WAN?

If so I would do away with wglan and table 300 and set allowed IPs to only allow traffic from pfSense and enable route allowed IPs.

Under Allowed IPs use:

        list allowed_ips '192.168.80.0/24'
        list allowed_ips '<LAN subnet of PFSENSE>'

Make sure you have Enabled Route Allowed IPs:

       option route_allowed_ips '1'

As pfSense can be trusted you can set option input to ACCEPT in the wgwan zone as @psherman already noted.
(If you want you can also ACCEPT forward and add a forward rule)

I use a separate wglan zone/subnet/SSID because I want all traffic in wglan to be routed via wireguard to pfSense.

But that seems a bit besides the point, as I described I have another OpenWrt WG client with the same zone/subnet/SSID setup where I can connect to the OpenWrt device from pfSense. Only difference: this device is connected directly to the internet.

I have tried this, but it does not resolve the issue.

Ok I understand your need for a separate interface, but do you have the same setup including wglan etc on another router and that is working without the ISP router?

Because as you have it now your LAN has no way to know how and where to send traffic to your pfSense.
Traffic from the pfSense will not use table 300, so you have to add return routing both for WireGuard (192.168.80.0/24) and the pfSense subnet via the WG interface.

Did you follow @mk24 advice?

Yes, 100% similar. Down to the same OpenWrt image (same device) and configuration backup being used (just different keys and endpoint IP for the WG interface).

lan indeed doesn't (wglan does), but how's that relevant for the OpenWrt device itself not replying to ping/HTTPS/SSH over the Wireguard connection?

Devices in wglan can access all devices on the pfSense side perfectly. I assume you're saying I need to add a route for traffic specifically from the OpenWrt device itself? Because that has been my assumption all along, I just can't get the settings working.

Yes and I've replied to his post.

Yes that is what I am thinking also.

You should have a route to route the WG subnet via the WG interface.
That should be taken care of automatically by setting wgwan's address to 192.168.80.10/24.
Please do so, reboot or restart network and check with (from command line):
ip route show

This should already let you ping the WG interface on the other side (192.168.80.1 ?) from the OpenWrt router itself.
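The routing behaviour discussed in this thread (mk24's point about the /32 vs /24 address on wgwan, and egc's point about return routes for the pfSense side), shown as an added route-lookup simulation. This is example code, not part of the thread or of OpenWrt; the route tables are constructed from the posted configuration, the modem gateway 192.168.2.254 is the one the poster named, and the pfSense LAN 192.168.10.0/24 is an assumed placeholder for one of the "192.168.x0.0" subnets mentioned.

```python
"""Simulate why the OpenWrt router's own replies leave via the ISP modem
when wgwan carries a /32 address, and what the /24 and a LAN route change.
Constructed example; tables mirror the thread's posted config, not a live box."""
import ipaddress

# Routes as (prefix, device, gateway). Constructed from the thread's config.
# With 'list addresses 192.168.80.10/32' the main table has NO route for
# 192.168.80.0/24, so 192.168.80.1 only matches the default via the modem.
MAIN_32 = [
    ("0.0.0.0/0", "wan", "192.168.2.254"),      # default via ISP modem
    ("192.168.2.0/24", "wan", None),            # modem LAN (OpenWrt WAN side)
    ("172.16.11.0/24", "br-lan", None),
    ("172.16.12.0/24", "br-wglan", None),
]
# /24 on wgwan adds the connected route mk24 describes.
MAIN_24 = MAIN_32 + [("192.168.80.0/24", "wgwan", None)]
# Plus the return route to the pfSense LAN that egc and mk24 call for.
# 192.168.10.0/24 is an ASSUMED placeholder for the remote pfSense LAN.
MAIN_24_LAN = MAIN_24 + [("192.168.10.0/24", "wgwan", "192.168.80.1")]
# 'config route ... option table 300' from the posted config.
TABLE_300 = [("0.0.0.0/0", "wgwan", None)]


def lookup(table, dst):
    """Longest-prefix match, as the kernel FIB does; returns (device, gateway)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, gw in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return None if best is None else (best[1], best[2])


def egress(dst, iif, main_table):
    """Policy routing as the posted 'config rule' sets it up: packets that
    entered on wglan consult table 300 first; anything else, including
    packets the router itself originates (iif=None), uses the main table."""
    if iif == "wglan":
        hit = lookup(TABLE_300, dst)
        if hit is not None:
            return hit
    return lookup(main_table, dst)


if __name__ == "__main__":
    # Reply from the router itself to the pfSense tunnel address 192.168.80.1:
    print("/32, router reply :", egress("192.168.80.1", None, MAIN_32))   # wan
    print("/24, router reply :", egress("192.168.80.1", None, MAIN_24))   # wgwan
    # A wglan host was always fine, because its packets hit table 300:
    print("/32, wglan host   :", egress("192.168.80.1", "wglan", MAIN_32))
    # Replies to a pfSense LAN host still need the extra route:
    print("/24, to pfSense LAN:", egress("192.168.10.5", None, MAIN_24))
    print("/24+LAN route      :", egress("192.168.10.5", None, MAIN_24_LAN))
```

Run it to see the router's own reply flip from the modem gateway to wgwan once the /24 is in place, while traffic to a pfSense LAN host only turns around correctly after the gateway route via 192.168.80.1 is added.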