suszi
just joined
Topic Author
Posts: 13
Joined: Mon Apr 10, 2017 2:08 pm

Disable WIREGUARD clients from local LAN

Thu Apr 18, 2024 1:23 pm

Hi
I have WireGuard set up on an AX2; it works well.

How do I prevent LAN users from connecting locally to the WG service on the gateway router?
Users forget to deactivate the tunnel while being in the office, which leads to problems.

Filtering on the firewall seems to have no effect. Part of the config:
/ip firewall filter
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid

add action=accept chain=input dst-port=443 in-interface-list=WAN protocol=udp
add action=drop chain=input dst-port=443 protocol=udp

add action=accept chain=input dst-port=53 in-interface=wireguard1 protocol=udp
add action=drop chain=input

add action=drop chain=forward dst-address=xxx.xxx.xxx.xxx dst-port=443 protocol=udp src-address=192.168.11.0/24


/ip firewall raw
add action=drop chain=prerouting dst-port=443 in-interface-list=LAN protocol=udp
add action=drop chain=prerouting dst-address=xxx.xxx.xxx.xxx dst-port=443 protocol=udp src-address=192.168.11.0/24
xxx.xxx.xxx.xxx - public IP
192.168.11.0/24 - LAN subnet

I don't see any other working way to filter LAN traffic to the WireGuard server on port 443/UDP.
Last edited by suszi on Thu Apr 18, 2024 2:00 pm, edited 5 times in total.
 
normis
MikroTik Support
Posts: 26390
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Disable WIREGUARD connecting by LAN users

Thu Apr 18, 2024 1:39 pm

The issue is that people who use this WG while away from the office return to the office and their tunnel is still enabled?
I think it should pose no issue; maybe just fix whatever routing or IP address conflict you have, and they can keep their WG active all the time.
 
suszi
just joined
Topic Author
Posts: 13
Joined: Mon Apr 10, 2017 2:08 pm

Re: Disable WIREGUARD clients from local LAN

Thu Apr 18, 2024 2:08 pm

Thanks for quick reply.

Yes, exactly, they don't turn off the tunnel.

But leaving this ON while in the office has performance issues: the network speed is 1Gbps, and WG performance is around 300Mbps (or is the AX2 capable of doing 1Gbps encryption?).

Downloading anything from servers will take 3x longer, CPU usage on the gateway will be higher than needed, etc.

I'm seeking to block WG connections from the LAN, or to bind the WG server to the WAN interface only...
 
llamajaja
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: Disable WIREGUARD clients from local LAN

Thu Apr 18, 2024 3:34 pm

You are mistaken; the only traffic that is really slowed down by WireGuard is WireGuard traffic, as the CPU handles this functionality.
The tunnels are supposed to maintain 'touch' at both ends, hence the keep alive function.
This activity will not harm the ax3 or have any effect on other normal traffic. In other words, this issue is a nothing burger.

What would be cool but unlikely is if somehow MT could move the encryption from the CPU to hardware encryption, but I don't think this is physically possible.
 
normis
MikroTik Support
Posts: 26390
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Disable WIREGUARD clients from local LAN

Thu Apr 18, 2024 4:08 pm

In my opinion, if this particular user is really worried about 300Mbit vs 1000Mbit as a problem, he can turn off the tunnel himself.
 
ips
Frequent Visitor
Posts: 82
Joined: Mon Oct 09, 2023 6:48 pm
Location: Italy

Re: Disable WIREGUARD clients from local LAN

Thu Apr 18, 2024 4:41 pm

Users usually forget to disable the tunnel, then they experience a slowdown and they loudly complain to the IT guys even before checking if the VPN is still active. That's my experience, yours can be different, but I understand the point.
 
llamajaja
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: Disable WIREGUARD clients from local LAN

Thu Apr 18, 2024 6:22 pm

The traffic that will appear slower to the user on the router will be the traffic going out Wireguard.
Other traffic going out the local WAN should not be affected.
 
pajapatak
just joined
Posts: 8
Joined: Thu Oct 19, 2023 11:21 am

Re: Disable WIREGUARD clients from local LAN

Fri Apr 19, 2024 10:23 am

edit: just tested the rule mentioned above
add action=drop chain=forward dst-address=xxx.xxx.xxx.xxx dst-port=443 protocol=udp src-address=192.168.11.0/24
and it does work...
Is the order of the rules in your firewall correct?
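The rule-order question raised above can be checked without touching a router. The Python model below is an added example, not code from this thread and not MikroTik's own: it replays the ruleset posted in the first message through a first-match walk, evaluating /ip firewall raw prerouting before connection tracking and then sending the packet to the filter input chain (addressed to the router) or forward chain (transit). The public IP (203.0.113.10, standing in for xxx.xxx.xxx.xxx), interface names (ether1, bridge1), interface-list membership and the sample packets are all constructed assumptions.

```python
"""First-match walk through the RouterOS rule order posted in this thread.

Added, constructed model (not RouterOS code): it reproduces just enough of how
RouterOS walks /ip firewall raw (prerouting, before connection tracking) and
/ip firewall filter (input for packets addressed to the router, forward for
transit) to show which rule a packet hits. Addresses, interface names and
interface-list membership are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"                              # placeholder for xxx.xxx.xxx.xxx
IFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge1"}}   # assumed list membership


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_iface: str
    conn_state: str = "new"   # new | established | related | untracked | invalid


@dataclass
class Rule:
    chain: str
    action: str
    match: dict = field(default_factory=dict)


def _in_net(addr: str, spec: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher present on the rule must hold (AND semantics, as in RouterOS)."""
    m = rule.match
    checks = [
        ("dst-address", lambda v: _in_net(pkt.dst, v)),
        ("src-address", lambda v: _in_net(pkt.src, v)),
        ("protocol", lambda v: pkt.proto == v),
        ("dst-port", lambda v: pkt.dport == v),
        ("in-interface", lambda v: pkt.in_iface == v),
        ("in-interface-list", lambda v: pkt.in_iface in IFACE_LISTS[v]),
        ("connection-state", lambda v: pkt.conn_state in v.split(",")),
    ]
    return all(fn(m[key]) for key, fn in checks if key in m)


def walk(rules, chain, pkt):
    """(action, rule index) of the first match; RouterOS chains default to accept."""
    for i, r in enumerate(rules):
        if r.chain == chain and matches(r, pkt):
            return r.action, i
    return "accept", None


# The thread's rules, in the order they were posted.
RAW = [
    Rule("prerouting", "drop", {"dst-port": 443, "in-interface-list": "LAN", "protocol": "udp"}),
    Rule("prerouting", "drop", {"dst-address": PUBLIC_IP, "dst-port": 443, "protocol": "udp",
                               "src-address": "192.168.11.0/24"}),
]
FILTER = [
    Rule("input", "accept", {"dst-address": "127.0.0.1"}),
    Rule("input", "accept", {"dst-port": 8291, "protocol": "tcp"}),
    Rule("input", "accept", {"connection-state": "established,related,untracked"}),
    Rule("input", "drop", {"connection-state": "invalid"}),
    Rule("input", "accept", {"dst-port": 443, "in-interface-list": "WAN", "protocol": "udp"}),
    Rule("input", "drop", {"dst-port": 443, "protocol": "udp"}),
    Rule("input", "accept", {"dst-port": 53, "in-interface": "wireguard1", "protocol": "udp"}),
    Rule("input", "drop", {}),
    Rule("forward", "drop", {"dst-address": PUBLIC_IP, "dst-port": 443, "protocol": "udp",
                             "src-address": "192.168.11.0/24"}),
]


def verdict(pkt: Packet, use_raw: bool = True):
    """Raw prerouting sees every packet regardless of tracked state; afterwards the
    packet goes to input (addressed to the router) or forward (transit)."""
    if use_raw:
        action, idx = walk(RAW, "prerouting", pkt)
        if action == "drop":
            return ("raw", action, idx)
    chain = "input" if pkt.dst == PUBLIC_IP else "forward"
    action, idx = walk(FILTER, chain, pkt)
    return (chain, action, idx)


# Constructed sample packets.
lan_new = Packet("192.168.11.50", PUBLIC_IP, "udp", 443, "bridge1")
lan_established = Packet("192.168.11.50", PUBLIC_IP, "udp", 443, "bridge1", "established")
wan_new = Packet("198.51.100.7", PUBLIC_IP, "udp", 443, "ether1")
lan_transit = Packet("192.168.11.50", "198.51.100.9", "udp", 443, "bridge1")

if __name__ == "__main__":
    for name, p in [("lan_new", lan_new), ("lan_established", lan_established),
                    ("wan_new", wan_new), ("lan_transit", lan_transit)]:
        print(name, "raw on:", verdict(p), " raw off:", verdict(p, use_raw=False))
```

Two things the walk makes visible. A filter-chain drop placed after the `connection-state=established,related,untracked` accept never sees a WireGuard session that was already tracked, so a tunnel that was up before the rule was added keeps passing the input chain until its entry ages out of /ip firewall connection; a raw prerouting drop is applied per packet before tracking and does not have that gap. Separately, the first raw rule carries no dst-address, so it drops every UDP/443 packet arriving from an interface in the LAN list, including ordinary QUIC traffic to the internet, not only packets aimed at the router's own WireGuard port; the second raw rule, scoped to the public IP, is the narrower of the two.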
