Couldn't get to which router? I think we need to put internet access to one side for a moment and get a good working site to site config in place. That gives a starting point and somewhere to fall back to if/when things don't work when trying to get the internet working.
Can you get your configs on each end set up so the peer has Allowed IPs for the opposing WG interface and subnet? That should give devices at each site access to resources at the other site. If that's working then we can build on that to get internet access from the OpenWrt end via the pfSense end.
Sorry! Should have been more clear - meant OpenWrt. Will be more careful to identify.
You are right, 100% agree!
That makes sense! I think I have that, but let me explain - I may be wrong! On the pfSense side, I have (the OpenWrt WG IP, and DHCP subnet),
192.168.253.3/32, 192.168.0.0/24
And on OpenWrt, setting is (WG subnet, internet test address, .1.x and .2.x subnets on pfSense side, and OpenWrt subnet ... seems to be required for ping FROM OpenWrt to work),
Change 192.168.253.0/24 to the actual IP address for the WG interface on pfSense (192.168.253.1/32?)
Get rid of 216.115.184.69/32, and 192.168.0.0/24. And also remove 192.168.1.0/24 unless you have any need to access that subnet from the OpenWrt end.
Restart the WG interface after making changes.
Can you post the output of uci export network; uci export firewall; ip ro from the OpenWrt router. Remove any sensitive info like public IPs or encryption keys.
FYI, a bit more digging / debugging, to me it's looking like this is on the OpenWrt side (but I may be wrong!). Let me explain why I say this - by all means correct me!
And to clarify up front - I added 216.115.184.69/32 to the Allowed IPs list on OpenWrt, just so I can get to a single (internet) IP, for testing. What I tried,
On OpenWrt, ping -I wg0 ip4.me, and on pfSense, tcpdump -i wg0 host ip4.me => try to ping the internet from OpenWrt, watch for traffic over the WG tunnel. The output,
17:45:04.158322 IP 192.168.253.3 > 216.115.184.69: ICMP echo request, id 21456, seq 0, length 64
17:45:04.196934 IP 216.115.184.69 > 192.168.253.3: ICMP echo reply, id 21456, seq 0, length 64
17:45:05.160106 IP 192.168.253.3 > 216.115.184.69: ICMP echo request, id 21456, seq 1, length 64
17:45:05.199040 IP 216.115.184.69 > 192.168.253.3: ICMP echo reply, id 21456, seq 1, length 64
Great! And I do get a ping reply. This is from the 192.168.253.3 address (OpenWrt WG IP).
Same thing (tcpdump), but from the OpenWrt subnet (.0.x), so ping -I br-lan ip4.me => no traffic at all arriving at pfSense.
Make sense? Do I need to somehow forward the .0.x sourced traffic to the WG tunnel (on OpenWrt)? Or did I just do something stupid here (entirely possible)?
Yep! Just can't get from the OpenWrt .0.x subnet to the internet (even to the IP specified in Allowed IPs on the OpenWrt side). It seems that traffic initiated from .0.x (OpenWrt, to pfSense) is not getting in to the WG tunnel.
If that were the case then you wouldn't be able to access devices in the pfSense subnet from devices in the OpenWrt subnet. So it could be that internet traffic at the OpenWrt end isn't being routed properly through the WG tunnel, but internet access wasn't working when you had 0.0.0.0/0 as the Allowed IP and the WG tunnel set as the default route. Or there's a misconfiguration at the pfSense end.
Everything seems to be working as it should be from an OpenWrt perspective. Unless you can replace the pfSense end with an OpenWrt device (if only temporarily) I'm not sure there's much further that can be done to assist you.
Sorry! I misspoke earlier - I can't get from the OpenWrt subnet to pfSense. I checked ping, but I need to be careful to use -I br-lan ... or it comes from WG directly. Apologies!
No, nothing gets to pfSense, from OpenWrt .0.x. It does get there from .253.3 (WG direct).
And I don't need anything like this, right?
Trying to figure out how to get traffic to pfSense, from .0.x.
Thanks!!!
EDIT: So your comment above is correct ... "OpenWrt end isn't being routed properly through the WG tunnel".
Yep! I actually have 3 other WG clients - 2 iPhones, and a laptop. All work, going through pfSense, and can get to the pfSense subnet, also the internet (redirecting all traffic, using 0.0.0.0/0). I also checked (on all 3) my public IP, and it's correct (shows my pfSense public IP). So I know it's going through the box.
And even from OpenWrt, if I use the wg0 interface (e.g. ping -I wg0 ip4.me) .. I see the traffic in tcpdump on pfSense, and I do get ping replies (from the internet). It only fails when I use the OpenWrt .0.x subnet (i.e. ping -I br-lan ip4.me), and in that case no traffic seen at pfSense (tcpdump left running).
So it really seems like traffic from .0.x is not getting on to the WG tunnel (on the OpenWrt end), agreed?
Are any of those other devices behind the OpenWrt router? You really need to be using a client device within the subnet to be doing this testing and not trying to fudge it with pings from router interfaces.
And, if I'm reading your previous thread correctly, when you did test with devices in the OpenWrt subnet they could access devices within the pfSense subnet. Is that correct? I'm not concerned with internet access at the moment, just access between local devices (not the routers) at each end.
OK, to get back on this, keep others informed as well - seems the key issue is that NAT needs to be done ... either in OpenWrt (all traffic to pfSense using the WG IP address), or on pfSense, with multiple IP addresses (WG IP, OpenWrt DHCP subnet) across the link. As the OpenWrt box is remote (for me), pfSense is local ... I'll mess with pfSense. Easier to undo breakage locally ... LOL!
But just to understand, it seems like I could potentially do this using the Firewall > NAT Rules on OpenWrt, right?
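As an added illustration (not code from anyone in this thread) of the Allowed IPs behaviour discussed in the replies above and the two NAT options in the last post: a small Python model of WireGuard's cryptokey routing, using the thread's addresses plus a constructed LAN host 192.168.0.50 and the assumption that both peers' lists look as quoted.

```python
import ipaddress

# Constructed from the addresses quoted in the thread (assumptions, not anyone's real config).
# WireGuard "cryptokey routing": the sender only encrypts a packet to a peer when the
# destination matches that peer's AllowedIPs, and the receiver only accepts a decrypted
# packet when its source matches the peer's AllowedIPs. Anything else is silently dropped.
OPENWRT_ALLOWED_FOR_PFSENSE = ["192.168.253.1/32", "192.168.2.0/24", "216.115.184.69/32"]
PFSENSE_ALLOWED_FOR_OPENWRT = ["192.168.253.3/32", "192.168.0.0/24"]
OPENWRT_WG_IP = "192.168.253.3"


def in_allowed(ip, allowed):
    """True if ip falls inside any prefix of an AllowedIPs list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in allowed)


def tunnel_verdict(src, dst, sender_allowed, receiver_allowed, masquerade_to=None):
    """Return (sent, accepted) for a packet src->dst going OpenWrt -> pfSense.
    masquerade_to: if set, OpenWrt SNATs the source to this address before encrypting."""
    if not in_allowed(dst, sender_allowed):
        return False, False            # no peer owns dst, so it never enters the tunnel
    wire_src = masquerade_to or src    # what pfSense sees after decryption
    return True, in_allowed(wire_src, receiver_allowed)


def thread_cases():
    """The ping tests from the thread plus the two NAT options from the last post."""
    full = PFSENSE_ALLOWED_FOR_OPENWRT
    wg_only = ["192.168.253.3/32"]     # pfSense peer lists only the OpenWrt WG address
    cases = {
        "wg0 source, pfSense has /24":       ("192.168.253.3", "216.115.184.69", full, None),
        "br-lan source, pfSense has /24":    ("192.168.0.50", "216.115.184.69", full, None),
        "br-lan source, pfSense /32 only":   ("192.168.0.50", "216.115.184.69", wg_only, None),
        "br-lan source, masq, pfSense /32":  ("192.168.0.50", "216.115.184.69", wg_only, OPENWRT_WG_IP),
        "br-lan source to unlisted 1.1.1.1": ("192.168.0.50", "1.1.1.1", full, None),
    }
    return {name: tunnel_verdict(s, d, OPENWRT_ALLOWED_FOR_PFSENSE, r, m)
            for name, (s, d, r, m) in cases.items()}


if __name__ == "__main__":
    for name, (sent, accepted) in thread_cases().items():
        print(f"{name:36} sent={sent!s:5} accepted_by_pfsense={accepted}")
```

The second case passes both checks, so when tcpdump on pfSense sees nothing for br-lan-sourced pings the packets are not reaching wg0 on OpenWrt at all (route or firewall zone), which is what the replies above conclude; the third and fourth cases show why masquerading to the WG address lets pfSense keep a bare /32 for the peer.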