reference: Pfsense - Wireguard Tunnel - Route traffic from a specific host via the remote sites WAN : r/PFSENSE
Re-map the traffic of one or more devices on Site A so that their source IP appears to come from Site B's WAN IP, which sits on the far side of a site-to-site WireGuard tunnel.
This solution makes use of several pfSense technologies and techniques:
- Static Routing
- Policy-based Routing
- Manual Outbound NAT
- IP Aliases
- WireGuard
For reference, in the screenshots below, here are what the depicted networks represent:
| Net | Description |
|---|---|
| 192.168.20.0/24 | Site A LAN |
| 192.168.100.0/23 | Site B LAN |
| 172.16.40.200/31 | WG Transit Network |
| 192.168.20.44 | Laptop that we want to reroute the traffic of |
Wherever "CORESITE" appears in the screenshots, it refers to "SITE B".
Create a site-to-site WireGuard tunnel between Site A and Site B
Follow the general guidelines on setting up the tunnel, especially setting the correct MTU (e.g. 1420).
On the Site A side, put 0.0.0.0/0 in the Allowed IPs section, because we'll be using Static & Policy Based Routing to control which packets flow across the tunnel.
Give the tunnel an Assigned Interface, which allows the VPN to work with NAT rules and helps with return routing.
In the Site B WireGuard peer configuration, enter the transit network and the LAN subnet of Site A:
On the Site A router, create a Network Alias to contain the IPs/network ranges that you want to get re-routed to the far end of the tunnel. In the example below I just put a single LAN IP:
Create another Network Alias defining the LAN subnets at the far-end (Site B) site:
Make sure that you have an "allow all" type rule on the assigned WireGuard tunnel interfaces on both Site A and Site B:
You can tighten it later if you want, once you confirm everything is working.
Add a Firewall Rule to Site A's LAN interface
Source should be set to the first Alias you defined above:
Click Advanced Options
Set the Gateway to the WireGuard Tunnel:
Should look like this when saved:
In System → Routing → Static Routes, configure a route as follows:
- Destination network: (2nd alias you created in the Aliases section above)
- Gateway: (WireGuard tunnel)
Enter the LAN subnet of Site A and set the gateway to the WireGuard tunnel:
BOTH Sites A and B should be configured in either Hybrid or Manual Outbound NAT mode:
Add manual outbound NAT rules according to the screenshots below:
On the device you defined at Site A, try navigating to http://ipquail.com or https://myip.addr.tools/pfsense and hopefully you will see the IP of the WAN at Site B displayed.
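As an added illustration (not from the original post, and not the rules pfSense itself generates), here is a hand-written pf.conf equivalent of the GUI steps above for both routers, using the addresses from the table at the top. Interface names, the assigned WireGuard interface name, and which end of the 172.16.40.200/31 transit network holds which address are assumptions.

```pf
# ===== Site A (192.168.20.0/24) =====
lan_if  = "em0"            # Site A LAN (assumed name)
wg_if   = "tun_wg0"        # assigned WireGuard interface (assumed name)
wg_peer = "172.16.40.201"  # Site B end of the /31 transit net (assumed split)

table <reroute_hosts> { 192.168.20.44 }     # alias 1: hosts to send via Site B
table <siteb_lans>    { 192.168.100.0/23 }  # alias 2: Site B LAN subnets

# WireGuard peer on this side: AllowedIPs = 0.0.0.0/0, so the kernel will
# accept any destination on the tunnel; pf decides what actually goes in.
# Static route equivalent: route add -net 192.168.100.0/23 172.16.40.201

# "allow all" on the tunnel interface; tighten once the setup is confirmed
pass quick on $wg_if all

# Policy-based routing: the alias hosts leave via the tunnel for ANY destination,
# overriding the default route out Site A's WAN.
pass in quick on $lan_if route-to ($wg_if $wg_peer) inet \
    from <reroute_hosts> to any

# Everyone else on the LAN follows the routing table (Site B LAN via the
# static route, everything else via Site A's WAN).
pass in quick on $lan_if inet from $lan_if:network to any

# Manual outbound NAT at Site A: deliberately NO nat rule on $wg_if, so Site B
# sees the real 192.168.20.44 source and its static route can carry replies back.

# ===== Site B (192.168.100.0/23) =====
wan_if = "em1"             # Site B WAN (assumed name)
wg_if  = "tun_wg0"         # assigned WireGuard interface (assumed name)

table <sitea_lan> { 192.168.20.0/24 }       # Site A LAN, as in the peer's AllowedIPs

# WireGuard peer on this side: AllowedIPs = 172.16.40.200/31, 192.168.20.0/24
# Static route equivalent: route add -net 192.168.20.0/24 172.16.40.200

# Manual outbound NAT: traffic that arrived over the tunnel from Site A leaves
# Site B's WAN with Site B's WAN address, which is what the laptop will observe.
nat on $wan_if inet from <sitea_lan> to any -> ($wan_if)

pass quick on $wg_if all
```

If the laptop still shows Site A's WAN IP, the usual culprits are an automatic NAT rule on the tunnel interface at Site A masking the source, or a missing return route at Site B.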
