androx
just joined
Topic Author
Posts: 6
Joined: Tue Oct 24, 2023 6:39 pm

wireguard connection restricted to a single internal IP

Tue Oct 24, 2023 6:42 pm

Hi,
I have successfully enabled a WireGuard VPN connection.
I would like to restrict it to a single internal IP (at the moment, after connecting, I can freely access anything inside the LAN).
How should I proceed?

Thank you
 
anav
Forum Guru
Posts: 19404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard connection restricted to a single internal IP

Tue Oct 24, 2023 7:00 pm

Get your story straight for starters.
Is this the case where the MT has the WireGuard server and you are accessing the router remotely (to configure the router or to access local services)?
 
androx
just joined
Topic Author
Posts: 6
Joined: Tue Oct 24, 2023 6:39 pm

Re: wireguard connection restricted to a single internal IP

Tue Oct 24, 2023 9:30 pm

The MT is fully configured for a PPPoE connection and there is an internal LAN.
I have already configured one WireGuard interface correctly for remote access to the LAN and even for the MT configuration.
I created an additional WireGuard interface (working) that I would like to restrict to reaching only a specific IP/port in the LAN from a remote connection.

Should I work on the IP/Firewall filter rules, not only for forwarding the port but also for restricting the destination?
Last edited by androx on Tue Oct 24, 2023 9:37 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard connection restricted to a single internal IP  [SOLVED]

Wed Oct 25, 2023 12:30 am

It's best to put the restriction on the incoming (server) side, and there is no forwarding and no dst-nat required............. you are directly accessing the LAN through the tunnel!

You have two options.....
one: create a second WireGuard interface on the MT router
two: create a second IP address for WireGuard on the MT router

for example
add address=192.168.55.1/24 interface=wg1 network=192.168.55.0
add address=192.168.65.1/24 interface=wg1 network=192.168.65.0


typical firewall rules.
{forward chain}
(default rules to keep)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(admin rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
************
add action=drop chain=forward comment="drop all else"


Before the "drop all else" rule, add any additional allow rules for traffic ******* ........

add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat

add action=accept chain=forward comment="wg trusted users to LAN" in-interface=wg1 src-address=192.168.55.0/24 out-interface-list=LAN
add action=accept chain=forward comment="wg other user to Server" in-interface=wg1 src-address=192.168.65.0/24 dst-address=singleLANIP protocol=tcp dst-port=xxxx
add action=drop chain=forward comment="drop all else"


OR
if you have two interfaces..........
add address=192.168.55.1/24 interface=wg1 network=192.168.55.0
add address=192.168.65.1/24 interface=wg2 network=192.168.65.0

add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat

add action=accept chain=forward comment="wg trusted users to LAN" in-interface=wg1 out-interface-list=LAN
add action=accept chain=forward comment="wg other user to Server" in-interface=wg2 dst-address=singleLANIP protocol=tcp dst-port=xxxx
add action=drop chain=forward comment="drop all else"
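A complete two-interface version of the above, added here as a worked example (it is not anav's or MikroTik's own configuration). It assumes RouterOS 7, interface names wg1/wg2, listen ports 13231/13232, a server at 192.168.88.10 on TCP 443 and the two tunnel subnets from the post; every peer key is a placeholder. The point the post leaves implicit is why the src-address match on the forward chain can be trusted at all: WireGuard's cryptokey routing drops any packet that arrives from a peer whose inner source IP is outside that peer's allowed-address, so giving each peer a /32 is what makes the firewall's source match meaningful. RouterOS also requires protocol= whenever dst-port= is used.

```routeros
# Added example: names, ports, addresses and keys are assumptions, not from the thread.
/interface wireguard
add name=wg1 listen-port=13231 mtu=1420 comment="trusted admins: full LAN"
add name=wg2 listen-port=13232 mtu=1420 comment="restricted users: one server/port"

# One peer per user. allowed-address is cryptokey routing: a packet from this key
# with any other inner source IP is dropped before the firewall sees it, so the
# src-address matches on the forward chain below cannot be spoofed by a peer.
/interface wireguard peers
add interface=wg1 public-key="<ADMIN_LAPTOP_PUBKEY>" allowed-address=192.168.55.2/32 comment="admin laptop"
add interface=wg2 public-key="<CONTRACTOR_PUBKEY>" allowed-address=192.168.65.2/32 comment="contractor"
add interface=wg2 public-key="<VENDOR_PUBKEY>" allowed-address=192.168.65.3/32 comment="vendor"

/ip address
add address=192.168.55.1/24 interface=wg1 network=192.168.55.0
add address=192.168.65.1/24 interface=wg2 network=192.168.65.0

# wg1 joins the LAN list so admins can reach WinBox/SSH on the router under the
# default "drop all not coming from LAN" input rule. wg2 deliberately does not.
/interface list member
add interface=wg1 list=LAN

/ip firewall filter
# input chain, in order: from the WAN side the router only answers handshakes
add chain=input action=accept comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add chain=input action=drop comment="defconf: drop invalid" connection-state=invalid
add chain=input action=accept comment="defconf: accept ICMP" protocol=icmp
add chain=input action=accept comment="wireguard handshakes" in-interface-list=WAN protocol=udp dst-port=13231,13232
add chain=input action=drop comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

# forward chain, in the order it must evaluate
add chain=forward action=fasttrack-connection comment="defconf: fasttrack" connection-state=established,related
add chain=forward action=accept comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add chain=forward action=drop comment="defconf: drop invalid" connection-state=invalid
add chain=forward action=accept comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add chain=forward action=accept comment="allow port forwarding" connection-nat-state=dstnat
add chain=forward action=accept comment="wg trusted users to LAN" in-interface=wg1 src-address=192.168.55.0/24 out-interface-list=LAN
add chain=forward action=accept comment="wg other users to server" in-interface=wg2 src-address=192.168.65.0/24 dst-address=192.168.88.10 protocol=tcp dst-port=443
add chain=forward action=drop comment="drop all else"
```

Check the result with /ip firewall filter print and watch the counters while a wg2 peer tries another LAN host or another port on the server: those packets should land on "drop all else", not on the wg2 accept rule. Two side effects of the choices above are worth knowing: because wg1 is in the LAN list, admins also get internet through the router via the "allow internet traffic" rule (drop wg1 from the list and add an explicit input accept for wg1 if that is not wanted), and because wg2 is not in the list, restricted peers cannot talk to the router itself at all, including its DNS.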
 
androx
just joined
Topic Author
Posts: 6
Joined: Tue Oct 24, 2023 6:39 pm

Re: wireguard connection restricted to a single internal IP

Thu Oct 26, 2023 2:09 pm

Following your indication, I created two different WGs with two different internal subnets assigned, and then I created the two firewall forward-chain rules.
An additional question: as the source address and destination address, can I use a /xx to define a sub-range of IPs, so I do not need to duplicate the rule for other peers?
The result is great.
Many thanks
 
anav
Forum Guru
Posts: 19404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard connection restricted to a single internal IP

Thu Oct 26, 2023 4:57 pm

Correct, you can use src-address or dst-address with the subnet to cover off a single subnet.
This is actually the best way.

For two or more subnets that may have a common firewall purpose, use interface lists.
For a group of users smaller than a subnet, or a group of users from different subnets, that may have a common firewall purpose, use a FIREWALL ADDRESS LIST. You can add subnets to the address list as well if they are also part of this common purpose.
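An example of the address-list approach anav describes, added here and not taken from the thread: two individual wg2 peers plus the whole admin subnet are granted the server through one rule, and a wg2 peer that is not on the list falls through to "drop all else". The list name, peer addresses, server address and port are assumptions; the /32 allowed-address per peer from the WireGuard peer configuration is what makes the listed addresses bind to specific keys.

```routeros
# Added example; list name, peer addresses, server and port are assumptions.
/ip firewall address-list
add list=WG_SERVER_USERS address=192.168.65.2 comment="contractor (wg2 peer)"
add list=WG_SERVER_USERS address=192.168.65.3 comment="vendor (wg2 peer)"
add list=WG_SERVER_USERS address=192.168.55.0/24 comment="whole admin subnet (wg1)"

# Both tunnel interfaces in one interface list, so the rule needs no per-interface copy.
/interface list
add name=WG
/interface list member
add interface=wg1 list=WG
add interface=wg2 list=WG

# One accept rule for the whole group, inserted ahead of the final drop.
# A wg2 peer not on the list (say 192.168.65.4) still hits "drop all else".
/ip firewall filter
add chain=forward action=accept comment="wg listed users to server" in-interface-list=WG src-address-list=WG_SERVER_USERS dst-address=192.168.88.10 protocol=tcp dst-port=443 place-before=[find comment="drop all else"]
```

Granting a new peer is now one address-list line rather than a firewall rule, and an entry can carry timeout= when the access is meant to be temporary; /ip firewall address-list print shows who currently has it.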
 
enricosm60
just joined
Posts: 6
Joined: Tue Nov 14, 2023 11:22 pm

Re: wireguard connection restricted to a single internal IP

Sat Nov 18, 2023 3:54 am

Hi Anav,
I did follow your instructions and successfully set up on my MK hEX S router a WG access limited to one of my Synology NAS DSM VMs. Thanks very much for this firewall configuration.

Because I'm a newbie and in the process of learning the complex MK, I would like to know if the firewall configuration you provided is enough to secure the MK or if it is recommended to add more rules. On my hEX I started with the default rules, but after configuring the ones in your article I disabled the defaults and wonder if some or all of the disabled rules should be activated.

Attached is a file with the rules I have.
Sincerely,
Enrico
 
anav
Forum Guru
Posts: 19404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard connection restricted to a single internal IP

Sat Nov 18, 2023 5:49 am

Nope, the rules are not in order and you have mixed things up...
Cleaned up
...
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment=\
    "WG DS02 Administracion - trusted users to LAN" in-interface=WG_ADMIN \
    out-interface-list=LAN
add action=accept chain=forward comment="WG DS02_VM2 - other user to Server" \
    dst-address=192.168.88.12 in-interface=WG_VM02
add action=drop chain=forward comment="drop all else"
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    in-interface="ether1[WAN]" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="DS02 - Ofidata1" dst-address=\
    190.141.32.176 dst-port=443 protocol=tcp to-addresses=192.168.88.2 \
    to-ports=443
add action=dst-nat chain=dstnat comment="DS02 - Ofidata1" dst-address=\
    190.141.32.176 dst-port=80 protocol=tcp to-addresses=\
    192.168.88.2 to-ports=80
add action=masquerade chain=srcnat comment=\
    "DS02 - Ofidata1 (para accesar local)" dst-address=192.168.88.2
Since you didn't provide the entire config I don't know how many subnets you have.
If there are users in the same subnet as the server and they are using the WAN IP to access the server, you will need a hairpin NAT rule.
add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24
 
enricosm60
just joined
Posts: 6
Joined: Tue Nov 14, 2023 11:22 pm

Re: wireguard connection restricted to a single internal IP

Mon Mar 11, 2024 1:56 am

Hello Anav,
Thanks very much for the firewall / NAT configuration. I set up the MK as you described and I can access my Synology server using the WG tunnel.

I have another question and would like to know if it is possible to set up.

On this Synology I also have a Docker app, so once connected to WG I can access this app by typing its address in my browser (e.g. 192.168.88.2:12101).

I also have on this Synology a package called Web Station, and there I configured a hostname (fs24a01) for another Docker app.
- Synology Web Portal: https://kb.synology.com/en-id/DSM/help/ ... ?version=7

So when local, I just type this hostname in my browser and this Docker app starts. This is very convenient because I don't have to remember any IP/port, just the app's given hostname.
See the screen captures of how this is set up on the Synology:
(attached: Synology web portal fs24a01 hostname.png, fs24a01 hostname on local.png)
What I would like to do is configure the MK to accomplish the same when I'm connected through the WireGuard tunnel; so when I type the hostname fs24a01 in my remote laptop's browser, this app would start as if I were local.

Please let me know any comments; it would be much appreciated.

Enrico
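Enrico's last question is not answered in the thread. What follows is an added example (not from anav or MikroTik) of one way to do it, under the assumption that the remote laptop resolves names through the router: the hostname is published as a RouterOS static DNS entry, the restricted WireGuard interface is allowed to query the router's resolver, and the peer's client config points DNS at the router's tunnel address (assumed here to be 192.168.65.1 on WG_VM02). Web Station selects the site by the HTTP Host header, so the name only needs to resolve to 192.168.88.2, which the existing WG_VM02 forward rule already permits.

```routeros
# Added example; assumes WG_VM02 carries 192.168.65.0/24 with the router at 192.168.65.1.
/ip dns
set allow-remote-requests=yes
/ip dns static
add name=fs24a01 address=192.168.88.2 comment="Web Station vhost on the NAS"

# The restricted peers may ask this router for names and nothing else on the input chain.
# Both rules are placed ahead of the default input drop, which must be enabled for this to be safe.
/ip firewall filter
add chain=input action=accept comment="DNS (udp) from WG_VM02 peers" in-interface=WG_VM02 protocol=udp dst-port=53 place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=accept comment="DNS (tcp) from WG_VM02 peers" in-interface=WG_VM02 protocol=tcp dst-port=53 place-before=[find comment="defconf: drop all not coming from LAN"]
```

On the laptop's WireGuard client, set DNS = 192.168.65.1 in the tunnel config and make sure AllowedIPs covers 192.168.65.1/32 as well as 192.168.88.0/24; then http://fs24a01/ (with the trailing slash, so the browser does not treat a single-label name as a search) reaches the vhost. One caveat is visible in the config posted earlier in this thread: allow-remote-requests=yes makes the router answer any DNS client that gets past the input chain, so the "defconf: drop all not coming from LAN" input rule, which that export shows as disabled=yes, has to be re-enabled; otherwise the PPPoE side of the hEX becomes an open resolver.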
