Snaky In this case, there are two pfSense in two sites. Both sites connected with Wireguard.
Site A
WG IP = 10.1.0.1
pfSense WAN = 10.2.1.2
pfSense LAN1 = 192.168.10.2
Site B
WG IP = 10.1.0.2
pfSense WAN = 10.2.2.2
pfSense LAN1 = 192.168.11.2
Both sites are runing Proxmox, pfSense is VM Guest inside PVE. WG is directly configured on PVE.
In PVE, both nodes are having vmbr0 (public ip), vmbr101 (wg ip), vmbr102 (pfSense WAN), vmbr192 (pfSense LAN1).
I have a vm guest (192.168.11.52) with RDP open. If I set the default gateway as 192.168.11.1 (vmbr192 ip address), this is okay to connect in and out. However, if I set default gateway as 192.168.11.2 (pfSense LAN1 ip address), suppose it LAN1 will NAT to WAN, so connect to public internet is no issue, but while I connect from other wg client to it via RDP, it will failed. pfSense show it blocked by “Default deny rule IPv4 (1000000103)”. I made search in google, and tried many method, this is still not able to resolve.
I ended up made it connected.
First, create a gateway in pfSense -> System -> Routing. Add a new Gateway with 192.168.11.1.
Then, create firewall rule in LAN1.
Protocol = TCP
Source = internal ip
Destination = internal ip
TCP Flag = Set SYN and ACK; out of SYN and ACK.
State type = Sloopy
Gateway = the gateway just added on above which is 192.168.11.1
Save it.
Then, create one more firewall rule in Floating.
Action = Pass
Interface = LAN1
Direction = out
Protocol = TCP
Source = internal ip
Destination = internal ip
TCP Flag = Set SYN and ACK; out of SYN and ACK.
State type = Sloopy
Gateway = the gateway just added on above which is 192.168.11.1
Save it.
That’s it.