N2N connection "connected" but no remote connectivity

Dear forum,
I am reaching out because of an essentially nonfunctional net-to-net connection between two IPFires.
Ipfire1 (green subnet is 192.168.111.0/24) is behind a normal IPv4 Telekom DSL connection with a dynamic DNS domain and is the “server” of the WireGuard connection. I have created the net-to-net connection on this box.
The WireGuard server has no roadwarrior connections, just the net-to-net connection. If it is relevant, the client pool is 172.22.111.0/24 and the DNS setting is the IP of the green interface of Ipfire1.

Ipfire2 is behind a mobile LTE connection with a public IP in the 10.x.x.x range. I have imported the connection config file and activated the WireGuard daemon. The connection shows green in both IPFires, however I cannot ping the remote green IPs of the respective IPFires. I have set up firewall rules on both machines to allow all protocol traffic from the WireGuard IP to the green interfaces (and in the reverse direction as well).
Strangely, the connection IP of the remote end in Ipfire1 is not the 10.x.x.x address but rather a 176.x.x.x address.

I would appreciate any hints about what I am doing incorrectly.
Best regards, Jonas

Welcome to the IPFire community.
Have you read the WireGuard documentation on IPFire?

Edit:

Have you changed the ‘Default firewall behaviour’?

Regards

Dear Tom,

I did read the docs regarding the net-to-net configuration.
Specifically:

The networks that are routed between the two peers are defined as local and remote subnets, and multiple networks can be defined by using commas.

which I used to enter the green and blue networks of the respective IPFires.
Best regards, Jonas

You don’t need to do this, as all required firewall rules to enable a WireGuard connection are automatically created when WireGuard is enabled on its WUI page.


Dear Adolf and Tom,
thank you for the replies.
I have not changed the default firewall policy (drop) and default firewall behaviour (forwarding and outgoing allowed).
I have also removed the redundant traffic allow rules from the WireGuard net to green (and reverse). The connectivity issue remains unchanged.
Could my issue be due to Carrier-grade NAT on the LTE side? Is that why there is a “gap” in the chain?
Best regards, Jonas

That will mean that trying to initiate the connection from the other IPFire, the one that is not behind CGNAT, will not work, because there is no port forward on the CGNAT system for it to connect to.

However, it should work if you try and enable the connection from the CGNAT system first, as that will connect through to the other system. Enabling the second system after that should then work, because once a connection in one direction has been made, all return traffic is associated with that first connection.

There have been some other posts in this forum related to setting up n2n systems with CGNAT at one end. Most were related to OpenVPN but the principle should work also for WireGuard.

I have never had to deal with CGNAT so it is not something I have any experience of.

Hopefully there are other users who have been able to get WireGuard or OpenVPN working with CGNAT at one end so you can use their experience as a starting point for your setup.

Sorry I can’t be more help than that.
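A sketch of what Tom describes at the WireGuard configuration level, as an added example that is not from this thread and not a config generated by IPFire's WUI: the peer behind CGNAT (Ipfire2) holds the Endpoint and initiates, while the reachable peer (Ipfire1) lists no Endpoint for it. Keys, port, tunnel addresses, the ddns hostname and Ipfire2's green subnet are placeholders, and PersistentKeepalive is an assumed addition so the carrier's NAT mapping stays open between real packets.

```ini
# ---- Ipfire1 (behind DSL, reachable via dynamic DNS) ----
# Constructed example; every value in <angle brackets> is a placeholder.
[Interface]
PrivateKey = <ipfire1-private-key>
# Tunnel address is assumed, not taken from the thread.
Address    = 10.250.0.1/24
ListenPort = 51820

[Peer]
# Ipfire2 sits behind CGNAT, so there is deliberately NO Endpoint line here.
# Its 10.x.x.x LTE address is the carrier's private range and cannot be
# reached from the internet; the 176.x.x.x address seen in the WUI is the
# carrier NAT's public address, learned from Ipfire2's incoming handshake.
PublicKey  = <ipfire2-public-key>
AllowedIPs = <ipfire2-green-subnet>, 10.250.0.2/32

# ---- Ipfire2 (behind LTE / CGNAT) ----
[Interface]
PrivateKey = <ipfire2-private-key>
Address    = 10.250.0.2/24
# No ListenPort is needed: nothing can reach this side unsolicited anyway.

[Peer]
PublicKey  = <ipfire1-public-key>
# This side must be the initiator: it knows where Ipfire1 is.
Endpoint   = <ipfire1-ddns-hostname>:51820
# Ipfire1's green subnet (from the thread) plus its tunnel address.
AllowedIPs = 192.168.111.0/24, 10.250.0.1/32
# Send an empty packet every 25 s so the CGNAT mapping does not expire;
# otherwise packets Ipfire1 sends later have no open mapping to pass through
# until Ipfire2 happens to send something first.
PersistentKeepalive = 25
```

If Ipfire1 is configured with an Endpoint pointing at the 10.x.x.x LTE address, it will try to initiate towards an unreachable address, which is the failure mode Tom describes.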

I have now rebooted both IPFires (1 & 2). Now I have connectivity, including into the remote blue subnet.
I have redone the steps with a third IPFire and again had no connectivity between Ipfire2 and Ipfire3 until I rebooted both of them.
Therefore I will mark this issue as solved.

If someone has a more elegant solution for bridging all three IPFires together with fewer than three VPN net-to-net connections, please feel free to leave it here or write a direct message.
Best regards, Jonas