Hi,
I've set up WireGuard on my home router running -current.
The tunnel works and I have access to my LAN resources ONLY when pf is
disabled. When I enable pf, WireGuard connects and does handshakes, however
I cannot even ping the router, nor access anything in the network.
So it seems my pf rules are the reason. I admit I am a novice with
respect to pf. Therefore I'd like to ask you to help or direct me to
a solution.
My pf rules are pretty easy, basically taken from the FAQ - Building a
Router. Here they are:
wan="em0"
lan="em1"
localnet=$lan:network
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
203.0.113.0/24 }
set skip on lo0
set block-policy drop
set loginterface egress
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
antispoof quick for { egress $lan }
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block all
pass out quick inet keep state
pass in on { $lan } inet keep state
pass in proto udp from any to any port XXX keep state
match out on egress from (wg0:network) to any nat-to (egress:0)
The last two lines are WireGuard related. Being a noob, I suspect the last
NAT line may be the problem.
Thank you in advance for any comments.
Regards
Jan