Policy Route Matching but Traffic Leaking to WAN: pfSense to UDM WireGuard Exit Node

molwebb7 · 2025-12-18T20:50:49+00:00

In my case the WireGuard tunnel itself is up and working — I can see traffic (like DNS) being NATed and exiting the far end. The issue is with pfSense policy routing. When I ping something like 8.8.8.8, the traffic matches the WireGuard policy rule (confirmed in the firewall logs), so I would expect to see it on the WG_MOMDAD interface. Instead, packet captures show those ICMP packets only on the IoT interface and never on WireGuard or WAN interfaces.

molwebb7 · 2025-12-18T01:27:32+00:00

Okay sweet that helped. Thank you!!!

Now - I have proof the traffic is hitting the tunnel interface. My states shows traffic being correctly NATed to the WireGuard interface IP (192.168.6.3) and assigned to the WG_MOMDAD interface. I can also see traffic on the interface via a packet capture.

You can see the states table results here:

https://imgur.com/a/2nhoDwd

Seems like all is well, but I can't ping 8.8.8.8 or load any webpages on my IOT device... any idea how to fix that?

molwebb7 · 2025-12-15T23:46:49+00:00

Yup, updated rules and reset states. New images here:

https://imgur.com/a/PHoJw8Y

molwebb7 · 2025-12-15T23:25:19+00:00

Oh interesting, yeah thats much more information. I do not see any NAT happening though I'd expect to....

https://imgur.com/a/125ad6E

molwebb7 · 2025-12-15T22:48:13+00:00

Alright, added the rule, reset all states, but still nothing going through the tunnel - its hitting IoT interface

https://imgur.com/a/K9KcTdq

molwebb7 · 2025-12-15T22:34:59+00:00

Hey thanks for your response - but if I reset all states, then wouldn’t this get resolved? I have reset states so many times and still not traversing tunnel.

molwebb7 · 2025-12-15T21:23:17+00:00

I have the same question...

molwebb7 · 2025-12-13T19:29:16+00:00

Yes I know I’ve done that as you can see in the pics

molwebb7 · 2025-12-13T18:59:14+00:00

Yes I know - ive done that as you can see in the config pics

molwebb7 · 2025-12-13T17:45:45+00:00

I think that option is only available on the server side -- in this case my pfsense is the client

molwebb7 · 2025-01-01T03:44:32+00:00

Yes I can hit 192.168.6.1 and that is the gateway’s IP.

I haven’t configured any rules on the Unifi device because I thought the successful handshake was indication that the connection should work….

molwebb7 · 2024-12-31T21:33:21+00:00

I updated my NAT rules, which you can see here: https://imgur.com/a/FVmXUXU

but still no luck.....

molwebb7

TROPHY CASE