How to prevent LAN users from connecting locally to the WG service on the gateway router?
Users forget to deactivate the tunnel while being in the office, which leads to problems.
Filtering on the firewall seems to have no effect. Some part of the config:
The issue is that people who use this WG while away from the office return to the office and their tunnel is still enabled?
I think it should pose no issue; maybe just fix whatever routing or IP address conflict you have and they can keep their WG active all the time.
But leaving this on while in the office has performance issues: the network speed is 1Gbps, and WG performance is around 300Mbps (or is the AX2 capable of 1Gbps encryption?).
Downloading anything from servers will take 3x longer, CPU usage on the gateway will be higher than needed, etc.
I'm seeking to block WG connections from the LAN or to stick the WG server to the WAN interface only…
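One way to do what the post asks for on RouterOS, as an added example that is not part of the thread or anyone's posted config. It assumes the WireGuard interface listens on UDP 13231 (placeholder, take the real value from the router) and that the LAN ports are members of the default interface list named LAN; RouterOS WireGuard has a listen port but no option to bind the listener to the WAN only, so the LAN side is closed on the input chain instead.

```routeros
# Added example, not from the thread. Assumptions: WireGuard listens on
# UDP 13231 (placeholder) and LAN ports are in the interface list "LAN".

# 1. Check which port the WireGuard server actually listens on.
/interface/wireguard print

# 2. Drop WireGuard handshakes that arrive from the LAN side. Filter rules
#    are evaluated top to bottom, so place-before=0 puts this rule ahead of
#    any broad accept rule in the input chain (including the default
#    "accept established,related,untracked" and any "accept udp 13231").
/ip/firewall/filter add chain=input action=drop protocol=udp dst-port=13231 \
    in-interface-list=LAN comment="Block WG handshake from LAN" place-before=0

# 3. Confirm the rule sits first and watch its counters rise when an office
#    client with the tunnel still enabled tries to reconnect.
/ip/firewall/filter print stats where comment="Block WG handshake from LAN"
```

A client whose AllowedIPs is 0.0.0.0/0 will lose all connectivity while its handshake is blocked, which at least makes the forgotten tunnel obvious instead of just slow.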
You are mistaken; the only traffic that is really slowed down by WireGuard is WireGuard traffic, as the CPU handles this functionality.
The tunnels are supposed to maintain 'touch' at both ends, hence the keepalive function.
This activity will not harm the AX3 or have any effect on other normal traffic. In other words, this issue is a nothing burger.
What would be cool but unlikely is if somehow MT could move the encryption from CPU to hardware encryption, but I don't think this is physically possible.
Users usually forget to disable the tunnel, then they experience a slowdown and loudly complain to the IT guys even before checking whether the VPN is still active. That's my experience; yours can be different, but I understand the point.
The traffic that will appear slower to the user on the router will be the traffic going out Wireguard.
Other traffic going out the local WAN should not be affected.