I have 2 sites R1 (router mode) and R2 (switch mode) peered using wireguard. The tunnel IP addresses are 192.168.32.1 and 192.168.32.2 resp. The LAN subnets are 172.16.165.0/24 and 192.168.40.0/24 resp.
On each router I check ping from tunnel source IP like so:
ping 172.16.165.104 src-address=192.168.32.1
SEQ HOST SIZE TTL TIME STATUS
0 172.16.165.104 56 64 815us
1 172.16.165.104 56 64 594us
As you can see R1 is able to route pings locally but R2 doesn’t.
192.168.32.0/24 Routing is the same for both and uses the wireguard interface as a gateway.
R1 172.16.165.0/24 route is bound to vlan interface gateway (that’s the ping that works)
R2 192.168.40.0/24 route is bound to LocalBridge interface gateway.
I am sure it’s something basic but can’t figure it out…
What is the device you ping? By default, Windows firewall only accepts ping requests coming from local subnets.
/tool/sniffer is very helpful when debugging this kind of issue, as it shows you how far the request got and thus where to look for the reason why it did not get further.
The device I am pinging on R2 is the ISP router, which works fine if I don’t specify the Wireguard interface as a source address.
I’ve been over the route/firewall/NAT settings a number of times but I’m still missing something… It’s R2 pinging a local device from the local wireguard interface (not even going over the tunnel), so routing should be the only thing needed. The firewall on R2 doesn’t even have any drop rules, just accept.
Should the Wireguard interface be added to the LAN interface list or have its own list like S2S?
Since you ask this kind of question, I’d say post anonymized exports of both R1 and R2 and a topology diagram where all the subnets taking part in the charade are depicted.
As they wrote above, either you must have the network allowed in the WG peers or you must SNAT the local network with a WG address. Naturally, you must also have a route for the network in the corresponding router via WG!
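The two options from the reply above, written out as RouterOS configuration. This is an added example, not an export from either router in the thread; it assumes the WireGuard interface is called wireguard1 on both sides, that the peers listen on UDP 13231, and uses placeholders for the public keys and WAN addresses.

```routeros
# Added example (not from the thread). Assumptions: interface name wireguard1,
# listen port 13231, placeholder keys/endpoints. Tunnel IPs and LAN subnets are
# the ones given in the first post.

# ---- R1: LAN 172.16.165.0/24, tunnel 192.168.32.1 ----
# Option 1: list the remote tunnel /32 AND the remote LAN in allowed-address.
# WireGuard drops packets whose inner src (inbound) or dst (outbound) is not
# covered by a peer's allowed-address, so a missing LAN here silently breaks
# site-to-site traffic even when the route exists.
/interface/wireguard/peers
add interface=wireguard1 public-key="<R2-PUBLIC-KEY>" \
    endpoint-address=<R2-WAN-IP> endpoint-port=13231 \
    allowed-address=192.168.32.2/32,192.168.40.0/24 persistent-keepalive=25s
/ip/route
add dst-address=192.168.40.0/24 gateway=wireguard1 comment="R2 LAN via WG"

# ---- R2: LAN 192.168.40.0/24, tunnel 192.168.32.2 ----
/interface/wireguard/peers
add interface=wireguard1 public-key="<R1-PUBLIC-KEY>" \
    endpoint-address=<R1-WAN-IP> endpoint-port=13231 \
    allowed-address=192.168.32.1/32,172.16.165.0/24 persistent-keepalive=25s
/ip/route
add dst-address=172.16.165.0/24 gateway=wireguard1 comment="R1 LAN via WG"

# Option 2 (on R2): hide the local LAN behind the tunnel address instead of
# asking R1 to list 192.168.40.0/24 in its allowed-address. R1 then only needs
# 192.168.32.2/32 for this peer. R2's own peer entry still needs the remote
# LAN (172.16.165.0/24) in allowed-address, otherwise WireGuard will not
# forward packets destined there.
/ip/firewall/nat
add chain=srcnat out-interface=wireguard1 src-address=192.168.40.0/24 \
    action=src-nat to-addresses=192.168.32.2 comment="R2: SNAT LAN to WG IP"

# Verification: ping with the tunnel IP as source, then watch the tunnel
# interface to see whether the echo request or only the reply is missing.
/ping 172.16.165.104 src-address=192.168.32.2 count=3
/tool/sniffer quick interface=wireguard1 ip-address=192.168.32.2
```

With Option 1 on both routers, a ping sourced from the tunnel IP to the remote LAN should answer; if it does not, the sniffer output shows whether the request ever entered wireguard1.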