# Wireguard (not on router) connecting two LANs - pf rules?



## wxppro (Aug 16, 2021)

Hello folks,

I have been fooling with wireguard on FreeBSD and succeeded for the most part.  But I cannot get the part of connecting two LANs to work.  I need some help.

I have no problem installing and configuring wireguard on FreeBSD. A mobile device can connect to my LAN through wireguard without any problem. I did the same for my other LAN and it also worked fine.

The problem is connecting the two LANs. I would like my mobile device to be able to access both LANs, but there is only partial success.

Here is a diagram of the network topology, and what happened:

A mobile device can connect to LAN A’s wireguard server.  It then can access LAN A without any problem.
The mobile device can also do the same on LAN B.
I set up a wireguard tunnel between the two wireguard servers.  On the wireguard server, it is possible to ping all devices on the other LAN.  But the mobile device cannot.  If it is connected to LAN A, it cannot ping any device on LAN B.  The error message is "Redirect Host (New nexthop: ..."





My guess is that it is related to routing configuration on the two wireguard servers?  Something to do with pf?  

For your information, the goal is actually achieved with wireguard on Debian 11, with the PostUp and PostDown lines in the wireguard configuration file.  But I just cannot figure out the equivalent in FreeBSD due to my limited knowledge of FreeBSD.  Any help will be greatly appreciated.


Configuration details of LAN A’s wireguard server (192.168.1.10, FreeBSD 13):

/usr/local/etc/wireguard/lana_wg.conf

```
[Interface]
### Wireguard on LAN A FreeBSD server
PrivateKey = [Private Key]
Address = 10.0.1.10/24
ListenPort = 51111

[Peer]
### Wireguard on LAN B FreeBSD server
PublicKey = [Public Key]
Endpoint = lanb.example.com:52222
AllowedIPs = 10.0.1.20/32, 172.16.1.0/24

[Peer]
# Mobile device
PublicKey = [Public Key]
AllowedIPs = 10.0.1.30/32
```

/etc/pf.rules

```
# Interfaces
ext_if = "re0"
wireguard_if = "lana_wg"

# Wireguard Settings
wireguard_net_v4 = "10.0.1.0/24"

# Options
set skip on lo

# Nat all wireguard to non-wireguard traffic
nat on $ext_if inet from $wireguard_net_v4 to { any, !$wireguard_net_v4 } -> ($ext_if)

# Filtering
pass inet all
```

And in /etc/rc.conf, wireguard, pf, and gateway are enabled.  I also checked to make sure net.inet.ip.forwarding=1.


Configuration on LAN B is the same, except for some port numbers and IP addresses.


----------



## Deleted member 30996 (Aug 17, 2021)

Do you have inetd enabled in /etc/rc.conf?


```
inetd_enable="YES"
```

Take a look at the CUPS version of the pf ruleset I have in my tutorial, down towards the bottom of the page. It may serve as an example to help you get things straightened out. 

Beginners Guide - How To Set Up A FreeBSD Desktop From Scratch (forums.freebsd.org)

----------



## Jose (Aug 17, 2021)

Is pf running on the Wireguard server? What does traceroute(8) from the mobile device to the LANs say?


----------



## wxppro (Aug 18, 2021)

Trihexagonal said:


> Do you have inetd enabled in /etc/rc.conf?
> 
> 
> ```
> ...


No.  Not yet.  Will test the effect of having inetd enabled.  And thanks for sharing the tutorial.


----------



## wxppro (Aug 18, 2021)

Jose said:


> Is pf running on the Wireguard server? What does traceroute(8) from the mobile device to the LANs say?


Yes, pf is running on both wireguard servers.

On LAN A's wireguard server, a traceroute to LAN B's device shows no problem.  10.0.1.10 --> 10.0.1.20 --> 172.16.1.50

```
traceroute to 172.16.1.50 (172.16.1.50), 64 hops max, 40 byte packets
 1  10.0.1.20 (10.0.1.20)  19.785 ms  19.538 ms  19.459 ms
 2  172.16.1.50 (172.16.1.50)  23.352 ms  21.197 ms  19.405 ms
```

On the mobile device (Windows) that is connected to LAN A through wireguard, tracert shows a broken link: 10.0.1.30 --> 10.0.1.10  *--X-->* 10.0.1.20 --> 172.16.1.50

```
Tracing route to 172.16.1.50  over a maximum of 30 hops
  1   129 ms   105 ms   104 ms  Wireguard_A [10.0.1.10]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
```

There is no route from 10.0.1.10 to 10.0.1.20.
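One cause that produces exactly this pattern (the server reaches the far LAN, a client behind it times out at the tunnel hop) is WireGuard's cryptokey routing: the receiving server drops a tunnel packet whose source address is not inside the AllowedIPs of the peer it arrived from, and the posted pf rule only NATs on $ext_if, so a packet from 10.0.1.30 enters the tunnel with its own source address and LAN B's server only accepts it if 10.0.1.30 is listed under its LAN A peer. The checker below is an added example, not code from the thread or from FreeBSD/WireGuard; it assumes LAN B's config mirrors LAN A's (lana.example.com and the mobile address 10.0.1.40 are constructed) and treats any peer without an Endpoint as a road-warrior client.

```python
import ipaddress

def parse_wg_conf(text):
    """Parse a wg-quick style config into (interface_dict, [peer_dict, ...])."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments and whitespace
        if line == "[Interface]":
            cur = iface
        elif line == "[Peer]":
            peers.append(cur := {})
        elif line:                                   # "Key = value" inside a section
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return iface, peers

def to_nets(csv):
    return [ipaddress.ip_network(a.strip(), strict=False) for a in csv.split(",") if a.strip()]

def uncovered_sources(local_text, remote_text, local_lans=()):
    """Prefixes the local side may forward into the tunnel that the remote's AllowedIPs omit."""
    iface, peers = parse_wg_conf(local_text)
    sources = [ipaddress.ip_network(ipaddress.ip_interface(a.strip()).ip)
               for a in iface["Address"].split(",")]   # the server's own tunnel address
    sources += [ipaddress.ip_network(lan) for lan in local_lans]   # LAN behind the server
    for p in peers:
        if "Endpoint" not in p:        # assumption: no Endpoint == road-warrior client
            sources += to_nets(p["AllowedIPs"])
    _, remote_peers = parse_wg_conf(remote_text)
    allowed = [n for p in remote_peers if "Endpoint" in p    # remote's entry for this site
               for n in to_nets(p["AllowedIPs"])]
    return [str(s) for s in sources if not any(s.subnet_of(n) for n in allowed)]

# Constructed inputs: LAN A as posted (keys omitted); LAN B is an ASSUMED mirror image.
LAN_A_CONF = """[Interface]
Address = 10.0.1.10/24
[Peer]
Endpoint = lanb.example.com:52222
AllowedIPs = 10.0.1.20/32, 172.16.1.0/24
[Peer]
AllowedIPs = 10.0.1.30/32"""
LAN_B_CONF = """[Interface]
Address = 10.0.1.20/24
[Peer]
Endpoint = lana.example.com:51111
AllowedIPs = 10.0.1.10/32, 192.168.1.0/24
[Peer]
AllowedIPs = 10.0.1.40/32"""
if __name__ == "__main__":
    print("sources LAN B will drop:", uncovered_sources(LAN_A_CONF, LAN_B_CONF, ["192.168.1.0/24"]))
```

Adding each reported prefix to the far side's AllowedIPs (or NATing tunnel-bound traffic to the server's own tunnel address) clears the list; run it in both directions, since the mobile peer attached to LAN B has the same problem reaching LAN A.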


----------



## Deleted member 30996 (Aug 18, 2021)

wxppro said:


> No. Not yet. Will test the effect of having inetd enabled.


You've already tested it without it being enabled:

```
# Filtering
pass inet all
```


----------

