Concurrent Wireguard peers

Just poking around to see if anyone has managed to run concurrent Wireguard peers with routing tables and AllowedIPs set to 0.0.0.0/0, ::/0?

On Debian this is possible with the 'ip rule' command. Is there an equivalent on FreeBSD?
 
AllowedIP '0.0.0.0/0' simply means allow everything, here it acts as an ACL or filter. But in a routing table '0.0.0.0/0' is the 'default' gateway. There can only ever be 1 (one) default gateway per routing table. That's what 'default' means. Cisco calls this "gateway of last resort", which is a much better description of it. If the destination doesn't match with anything else in the routing table it will use the "gateway of last resort", i.e. the default gateway.

Code:
     A destination of default is a synonym for the default route.  For IPv4 it
     is -net -inet 0.0.0.0, and for IPv6 it is -net -inet6 ::.
 
I was thinking it could be done with FIBs or something. In short, it is basically a single FreeBSD host using multiple Wireguard peers as external gateways. If anyone has done it, please share, thank you.
 
I was thinking it could be done with FIBs or something.
That could be a solution, as I said, there's one default gateway per routing table. Multiple FIBs basically means multiple routing tables and each individual routing table can have its own 'default' gateway.
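The two points made in this thread so far, AllowedIPs acting as a filter rather than a route, and each FIB carrying its own single default gateway, can be modelled in a few dozen lines. The following is an added illustration written for this post; it is not FreeBSD, WireGuard or route(8) code. It assumes a host with two FIBs (the net.fibs analogue), a hypothetical source-based selector standing in for setfib(1)/'ip rule', interface names wg0, wg1, vtnet0 and vtnet1, and the constructed addresses shown in build_demo().

```python
"""Toy model of multiple FIBs on one host, added to illustrate this thread.

Hypothetical code, not FreeBSD's or WireGuard's. Each FIB is an independent
routing table that can hold one route per prefix, so one gateway of last
resort per address family; a selector in the spirit of setfib(1) / 'ip rule'
decides which table a flow consults; a WireGuard-style AllowedIPs list is a
per-peer filter applied after the route lookup, not a route itself.
"""
import ipaddress


class Fib:
    """One routing table: longest-prefix match, one entry per exact prefix."""

    def __init__(self):
        self.routes = {}  # ip_network -> gateway (next hop or interface name)

    def add(self, prefix, gateway):
        net = ipaddress.ip_network(prefix, strict=False)
        # Mirrors 'route add' on an existing entry: the table already has a
        # route for this prefix, so a second 'default' is rejected, not added.
        if net in self.routes:
            raise ValueError(f"route {net} already in table (one gateway of last resort)")
        self.routes[net] = gateway

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        candidates = [n for n in self.routes if n.version == addr.version and addr in n]
        if not candidates:
            return None
        # Longest prefix wins; 0.0.0.0/0 or ::/0 only matches when nothing else does
        return self.routes[max(candidates, key=lambda n: n.prefixlen)]


class Peer:
    """A WireGuard peer behind one interface; AllowedIPs is its ACL."""

    def __init__(self, allowed_ips):
        self.allowed = [ipaddress.ip_network(p) for p in allowed_ips]

    def accepts(self, dst):
        a = ipaddress.ip_address(dst)
        return any(a.version == n.version and a in n for n in self.allowed)


class Host:
    def __init__(self, nfibs):
        self.fibs = [Fib() for _ in range(nfibs)]  # net.fibs analogue
        self.peers = {}                            # interface name -> Peer
        self.rules = []                            # (source network, fib index)

    def select_fib(self, src):
        # Policy step (hypothetical): first matching source rule wins, else FIB 0
        a = ipaddress.ip_address(src)
        for net, fib in self.rules:
            if a.version == net.version and a in net:
                return fib
        return 0

    def egress(self, src, dst):
        """Return (fib used, gateway, outcome) for a packet from src to dst."""
        fib = self.select_fib(src)
        gw = self.fibs[fib].lookup(dst)
        if gw is None:
            return (fib, None, "no route")
        peer = self.peers.get(gw)
        if peer is not None and not peer.accepts(dst):
            return (fib, gw, "dropped by AllowedIPs")
        return (fib, gw, "sent")


def build_demo():
    """Constructed scenario: two wg interfaces, each the default of its own FIB."""
    h = Host(nfibs=2)
    h.peers["wg0"] = Peer(["0.0.0.0/0", "::/0"])  # full-tunnel peer A
    h.peers["wg1"] = Peer(["0.0.0.0/0"])          # full-tunnel peer B, IPv4 only
    h.fibs[0].add("10.0.0.0/24", "vtnet0")        # directly attached subnet
    h.fibs[0].add("0.0.0.0/0", "wg0")             # FIB 0: default via peer A
    h.fibs[1].add("10.0.1.0/24", "vtnet1")
    h.fibs[1].add("0.0.0.0/0", "wg1")             # FIB 1: default via peer B
    h.fibs[1].add("::/0", "wg1")
    h.rules.append((ipaddress.ip_network("10.0.1.0/24"), 1))  # 'ip rule'-style selector
    return h


def add_second_default(h):
    """Try to give FIB 0 a second IPv4 default; return the error text, or None."""
    try:
        h.fibs[0].add("0.0.0.0/0", "wg1")
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    h = build_demo()
    print(h.egress("10.0.0.5", "1.1.1.1"))       # (0, 'wg0', 'sent')
    print(h.egress("10.0.1.5", "1.1.1.1"))       # (1, 'wg1', 'sent')
    print(h.egress("10.0.1.5", "2001:db8::1"))   # (1, 'wg1', 'dropped by AllowedIPs')
    print(add_second_default(h))
```

The model separates the three decisions that the thread conflates: which table a flow consults (policy), which gateway that table selects (longest-prefix match, with the default route only as last resort), and whether the chosen peer's AllowedIPs admit the destination (filter). Two peers can both carry 0.0.0.0/0 as AllowedIPs because that is an ACL, while two default routes cannot share one FIB; they need one table each.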
 
Multiple FIBs basically means multiple routing tables and each individual routing table can have its own 'default' gateway.

In the not so distant past, I tried that on a VM + HE.NET tunnel. The VM had IPv6 from the provider and HE.NET as a second provider. The second fib (fib 2) somehow seems to reference fib 0 and pings/traceroutes would fail. I had at that time come to the conclusion that FreeBSD FIBs only work with physical interfaces.
 