On Mon, Jul 15, 2024 at 6:17 PM Stuart Henderson <[email protected]> wrote:
> Your main options are to use PF route-to (config for this is reasonably
> obvious, but make sure that wgaip is set to allow the relevant addresses),
>
> route-to is reasonably obvious.
The problem I'm having with route-to is that the packets go out the wg interface but the replies are lost. For instance, either:

pass in quick on $int_if from <vlanhosts> to !$int_if:0 route-to wg4

or

pass in quick on $int_if from <vlanhosts> to !$int_if:0 route-to wg4 nat-to wg4

works to get the packets to the wg interface, but they don't get back to the host on the VLAN. A tcpdump on the wg interface while pinging yahoo.com from the host gives:

15:05:23.348778 192.168.77.182 > 74.6.143.25: icmp: echo request (DF)
15:05:23.397312 74.6.143.25 > 10.2.0.2: icmp: echo reply (DF)
15:05:24.348037 192.168.77.182 > 74.6.143.25: icmp: echo request (DF)
15:05:24.395843 74.6.143.25 > 10.2.0.2: icmp: echo reply (DF)

The wg interface address is 10.2.0.2 and the wgaip is 0.0.0.0/0.

I also do not see the reply hitting $int_if, which it would need to do to get to the switch so the switch can route it to the VLAN. I must be missing something.
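The capture above shows the symptom in a form that is easy to check mechanically: the echo requests leave with one source address (the VLAN host, 192.168.77.182) while the echo replies come back addressed to a different one (the wg tunnel address, 10.2.0.2). The script below is an added example, not part of this thread or of OpenBSD; it parses tcpdump ICMP echo lines in the format printed in the post, pairs each reply with the requests seen for the same remote target, and flags replies whose destination is not an address that actually sent a request. The four lines from the post are embedded as sample input, plus a constructed "healthy" pair (assumed values, not from the thread) where the addresses line up.

```python
import re
from collections import defaultdict

# Matches tcpdump ICMP echo lines of the shape shown in the post, e.g.
# "15:05:23.348778 192.168.77.182 > 74.6.143.25: icmp: echo request (DF)"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\s+icmp:\s+echo\s+(?P<kind>request|reply)"
)

# The four lines quoted in the post (wg interface capture while pinging yahoo.com).
CAPTURE_FROM_THREAD = """\
15:05:23.348778 192.168.77.182 > 74.6.143.25: icmp: echo request (DF)
15:05:23.397312 74.6.143.25 > 10.2.0.2: icmp: echo reply (DF)
15:05:24.348037 192.168.77.182 > 74.6.143.25: icmp: echo request (DF)
15:05:24.395843 74.6.143.25 > 10.2.0.2: icmp: echo reply (DF)
"""

# Constructed sample (not from the thread): request and reply use the same
# local address, which is what a correctly translated/routed exchange looks like.
CONSTRUCTED_HEALTHY = """\
15:06:00.000000 10.2.0.2 > 74.6.143.25: icmp: echo request (DF)
15:06:00.050000 74.6.143.25 > 10.2.0.2: icmp: echo reply (DF)
"""


def parse_line(line):
    """Return a dict with ts/src/dst/kind for an ICMP echo line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def check_echo_symmetry(lines):
    """Pair echo replies with the requests seen earlier in the same capture.

    Returns (matched, mismatched). Each matched entry is (reply_src, reply_dst).
    Each mismatched entry is (reply_src, reply_dst, sorted list of the local
    addresses that actually sent requests to reply_src), i.e. the reply came
    back to an address other than the one the request left with.
    """
    # remote target -> set of local source addresses that pinged it
    requesters = defaultdict(set)
    matched, mismatched = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not an ICMP echo line; ignore
        if rec["kind"] == "request":
            requesters[rec["dst"]].add(rec["src"])
        else:
            expected = requesters.get(rec["src"], set())
            if rec["dst"] in expected:
                matched.append((rec["src"], rec["dst"]))
            else:
                mismatched.append((rec["src"], rec["dst"], sorted(expected)))
    return matched, mismatched


def report(capture_text):
    """Human-readable summary for one capture; returns the lines printed."""
    matched, mismatched = check_echo_symmetry(capture_text.splitlines())
    out = [f"{len(matched)} reply/request pair(s) consistent"]
    for src, dst, expected in mismatched:
        out.append(
            f"reply {src} -> {dst} does not match any request source "
            f"(requests to {src} came from: {', '.join(expected) or 'none seen'})"
        )
    return out


if __name__ == "__main__":
    for name, cap in (("thread capture", CAPTURE_FROM_THREAD),
                      ("constructed healthy capture", CONSTRUCTED_HEALTHY)):
        print(f"== {name} ==")
        for line in report(cap):
            print(line)
```

Run it against a saved tcpdump transcript and any line reported as a mismatch is a reply that the firewall would have to translate or route back to a different address than it was received for; on the post's capture both replies are reported, on the constructed pair none.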

