I have an XE3000 router here which I want to connect via S2S VPN to my pfSense. I have done this with two pfSense devices several times. I added the tunnel and peer settings on the pfSense side. I also added the upstream GW and the static routes which are necessary for the connection. I am pretty sure this is correct on this side.
On the XE3000 side I am not sure and think I missed an option here. I added the WireGuard client settings and also activated the "Remote Access LAN" option. I can start the service and it connects to the pfSense side; I see the handshake and everything looks good.
I can also ping the XE3000, but when I try to open the web interface of the XE3000 through the VPN it does not respond. My guess is that I have to add an "Upstream GW" on the XE3000 side, but I am not sure where to do this. I found a few other topics describing adding a static route on the XE3000, but no idea where and how to do that. Can someone help? Here is the config I have on the XE3000:
On the pfSense side I created an interface with the static IP, gateway and route:
IP: 10.254.251.29/30
Upstream GW: 10.254.251.30/30 (Which is the Virtual IP of the XE3000)
Route: Destination: 192.168.8.0 (Which is the LAN Net of the XE3000) and the GW: 10.254.251.30/30
If I were using a second pfSense I would also create a WG interface with 10.254.251.30/30 and set up a GW referring to the first pfSense, but the options on the XE3000 are different and I am not sure how to handle this correctly on the XE3000 side.
When you mention that you can ping the XE3000 from pfSense, could you clarify:
Whether you're pinging the virtual IP (10.254.251.30) or the LAN IP (192.168.8.1)?
Where you execute the ping: from a PC connected to pfSense, or from pfSense itself?
Is this the same IP address you use to access the XE3000 admin panel?
If you are pinging the XE3000's LAN IP from a PC and pfSense does not have SNAT/masquerade enabled for the VPN interface, please try SSHing into the XE3000 and adding a static route using the following command to see if it helps.
# ip r add [VPN server router LAN subnet] via [VPN client WG tunnel IP] dev [WG client ifname]
ip r add 192.168.6.0/24 via 10.254.251.29 dev wgclient1
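To make the routing requirement behind that command explicit, here is an added example (written for this thread; it is not GL.iNet's tooling or anything posted above) that takes the addresses quoted in the thread and derives, for either side, the two things a WireGuard site-to-site link needs to carry LAN-to-LAN traffic: the peer's AllowedIPs (WireGuard's cryptokey routing table, which silently drops packets whose destination or source is not covered) and the kernel route into the tunnel interface. It also classifies a candidate route destination, since routing one's own LAN through the tunnel is refused by the kernel with "File exists" because a connected route for that prefix is already present. The pfSense LAN 192.168.6.0/24 is taken from the support reply's example command; the interface names `tun_wg0` (pfSense) and `wgclient` (XE3000) are assumptions.

```python
"""Consistency checker for a two-site WireGuard S2S topology (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str
    wg_ifname: str   # WireGuard interface name on this site (assumed names below)
    tunnel_ip: str   # this site's tunnel address with prefix, e.g. "10.254.251.29/30"
    lan: str         # this site's LAN network, e.g. "192.168.6.0/24"


# Values quoted in the thread; 192.168.6.0/24 comes from the support reply's
# example command. The interface names are assumptions, not from the page.
PFSENSE = Site("pfSense", "tun_wg0", "10.254.251.29/30", "192.168.6.0/24")
XE3000 = Site("GL-XE3000", "wgclient", "10.254.251.30/30", "192.168.8.0/24")


def validate_topology(a: Site, b: Site) -> list[str]:
    """Return a list of problems with the pair of sites (empty list = consistent)."""
    a_if, b_if = ipaddress.ip_interface(a.tunnel_ip), ipaddress.ip_interface(b.tunnel_ip)
    a_lan, b_lan = ipaddress.ip_network(a.lan), ipaddress.ip_network(b.lan)
    problems = []
    if a_if.network != b_if.network:
        problems.append(f"tunnel addresses {a_if} and {b_if} are not in one transfer network")
    if a_if.ip == b_if.ip:
        problems.append("both sides use the same tunnel address")
    if a_lan.overlaps(b_lan):
        problems.append(f"LAN subnets {a_lan} and {b_lan} overlap; routing is ambiguous")
    for site, lan in ((a, a_lan), (b, b_lan)):
        if ipaddress.ip_interface(site.tunnel_ip).network.overlaps(lan):
            problems.append(f"{site.name}: transfer network overlaps its own LAN")
    return problems


def required_peer_config(local: Site, remote: Site) -> dict:
    """What `local` needs so that hosts behind it can reach hosts behind `remote`.

    AllowedIPs must cover the remote tunnel address and the remote LAN: a packet
    whose destination is not covered is never sent into the tunnel, and an inbound
    packet whose source is not covered is dropped. The kernel route then sends
    remote-LAN traffic to the WireGuard interface via the remote tunnel address.
    """
    remote_if = ipaddress.ip_interface(remote.tunnel_ip)
    remote_lan = ipaddress.ip_network(remote.lan)
    return {
        "allowed_ips": [f"{remote_if.ip}/32", str(remote_lan)],
        "route": f"ip route add {remote_lan} via {remote_if.ip} dev {local.wg_ifname}",
    }


def classify_route(local: Site, remote: Site, destination: str) -> str:
    """Explain what `ip route add <destination> ... dev <wg>` on `local` would do."""
    dest = ipaddress.ip_network(destination)
    local_lan = ipaddress.ip_network(local.lan)
    remote_lan = ipaddress.ip_network(remote.lan)
    if dest == local_lan:
        return ("own LAN: a connected route for this prefix already exists, so "
                "'ip route add' fails with 'File exists'; nothing to add here")
    if dest.subnet_of(remote_lan):
        return "remote LAN: correct destination for the tunnel route"
    if dest.overlaps(local_lan):
        return "overlaps own LAN: would pull local traffic into the tunnel"
    return "not a LAN of either site: check the prefix"


if __name__ == "__main__":
    for site, other in ((XE3000, PFSENSE), (PFSENSE, XE3000)):
        cfg = required_peer_config(site, other)
        print(f"{site.name}: AllowedIPs = {', '.join(cfg['allowed_ips'])}")
        print(f"{site.name}: {cfg['route']}")
    print(classify_route(XE3000, PFSENSE, "192.168.8.0/24"))
```

Run as-is it prints the AllowedIPs and route command for both sides; the pfSense side is the mirror image (AllowedIPs 10.254.251.30/32 and 192.168.8.0/24, route to 192.168.8.0/24 via 10.254.251.30), which matches the static route described in the first post.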
Thank you very much for the quick response. Very good support.
Whether you're pinging the virtual IP (10.254.251.30) or the LAN IP (192.168.8.1)?
Where you execute the ping: from a PC connected to pfSense, or from pfSense itself?
I can ping both. Both answer the ping, from either the pfSense firewall or a connected PC on the pfSense side:
Results
PING 10.254.251.30 (10.254.251.30): 56 data bytes
64 bytes from 10.254.251.30: icmp_seq=0 ttl=64 time=25.776 ms
64 bytes from 10.254.251.30: icmp_seq=1 ttl=64 time=25.662 ms
64 bytes from 10.254.251.30: icmp_seq=2 ttl=64 time=36.705 ms
--- 10.254.251.30 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 25.662/29.381/36.705/5.179 ms
Results
PING 192.168.8.1 (192.168.8.1): 56 data bytes
64 bytes from 192.168.8.1: icmp_seq=0 ttl=64 time=49.271 ms
64 bytes from 192.168.8.1: icmp_seq=1 ttl=64 time=72.117 ms
64 bytes from 192.168.8.1: icmp_seq=2 ttl=64 time=49.952 ms
--- 192.168.8.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 49.271/57.113/72.117/10.613 ms
C:\Windows\System32>ping 10.254.251.30
Pinging 10.254.251.30 with 32 bytes of data:
Reply from 10.254.251.30: bytes=32 time=62ms TTL=63
Reply from 10.254.251.30: bytes=32 time=40ms TTL=63
Reply from 10.254.251.30: bytes=32 time=44ms TTL=63
Reply from 10.254.251.30: bytes=32 time=39ms TTL=63
C:\Windows\System32>ping 192.168.8.1
Pinging 192.168.8.1 with 32 bytes of data:
Reply from 192.168.8.1: bytes=32 time=1ms TTL=64
Reply from 192.168.8.1: bytes=32 time=1ms TTL=64
Reply from 192.168.8.1: bytes=32 time=2ms TTL=64
Reply from 192.168.8.1: bytes=32 time=3ms TTL=64
root@GL-XE3000:~# ip r add 192.168.8.0/24 via 10.254.251.29 dev wgclient
RTNETLINK answers: File exists
I am not sure about the SSH answer. I logged in to LuCI at Network/Interfaces and see this:
When I try to open the web interface (from a connected PC) it does not open
(it constantly tries, but there is only a spinning circle showing).
Thanks again for your support. Yes, really strange, as SSH works but the web interface does not. As soon as I connect directly (via WLAN) to the router it instantly opens the web interface. I tried with Chrome and Firefox, also in private mode. No chance. But what do you think about the error in SSH? I cannot add the route as mentioned above. Maybe we are in a kind of asymmetric routing?
Based on the provided screenshots, it appears that the VPN connection is functioning correctly, though the speeds are relatively slow.
Please open your browser’s developer tools (press F12), navigate to the Network tab, and check whether any responses are coming from the XE3000.
Regarding the inability to ping the XE3000 via VPN after SSHing into it — this is expected behavior, as the router does not route its own traffic through the VPN.
To verify VPN connectivity, please run the following commands:
Sorry for the late response. I did not have the time to test. Unfortunately, no, it does not work. So please help to get this done. Here is the information you requested: