Okay,
- Modify allowed IPs from:
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 endpoint-address= endpoint-port= interface=wg-nordvpn name=peer1 public-key=""
TO:
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address="as provided" endpoint-port=51820 interface=wg-nordvpn name=peer1 public-key="as provided" persistent-keep-alive=25s
- From:
add address=10.5.0.2/16 interface=wg-nordvpn network=10.5.0.0
TO:
add address=10.5.0.2/24 interface=wg-nordvpn network=10.5.0.0
- From:
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat out-interface=wg-nordvpn
TO:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=lte1
add action=masquerade chain=srcnat out-interface=wg-nordvpn
- From:
/ip route
add blackhole distance=5 routing-table=private_route
add distance=2 gateway=wg-nordvpn@main routing-table=private_route
/routing rule
add action=lookup-only-in-table src-address=192.168.1.100/32 table=private_route
TO:
/ip route
add dst-address=0.0.0.0/0 gateway=wg-nordvpn routing-table=private_route
/routing rule
add action=lookup-only-in-table dst-address=50.50.50.0/24 table=main
add action=lookup-only-in-table src-address=50.50.50.0/24 table=private_route
- From:
/ip dhcp-server network
add address=50.50.50.0/24 dns-server=1.1.1.1,1.0.0.1,9.9.9.9 gateway=
TO:
/ip dhcp-server network
add address=50.50.50.0/24 dns-server=103.86.96.100 gateway=50.50.50.1
- To ensure the router knows about this address…
/ip route
add dst-address=103.86.96.100 gateway=wg-nordvpn routing-table=main
- From:
add action=accept chain=forward comment="Allow VPN Traffic" out-interface=wg-nordvpn src-address-list=access_vpn
TO:
add action=accept chain=forward comment="Allow VPN Traffic" out-interface=wg-nordvpn src-address=50.50.50.0/24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
What is not clear to me, never having configured LTE, is whether or not there is an option for a default route and default DNS in the LTE settings etc., as there is no IP DHCP client etc.
You should let us know what you have done here (but no public IP information or passwords etc.).
- Add:
/ip dns
set server=1.1.1.1,9.9.9.9
Finally, a discussion about the blackhole. My assessment is that you don't need one. I get the sense that you don't want the users on 50.50 to use the regular internet for traffic to the WWW.
a. Because the subnet is directed to the wireguard table via the routing rule, it will never go out the main table. Normally one uses the action lookup-only-in-table to ensure this fact.
However, it is actually not necessary, as the router has no way with the wireguard protocol to know if the interface has gone down and is not available, so it will never have to ask or answer the action question in the routing rule.
To feel a bit more confident about that, firewall rules help to ensure there is no local WAN traffic.
So I would do something like:
{FORWARD CHAIN}
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="Subnet to wireguard" out-interface=wg-nordvpn src-address=50.50.50.0/24
add action=drop chain=forward comment="drop all else"
In this way the subnet has no access to the WAN out the LTE1.
You will note that we also have setup the users to use the provided DNS through the Tunnel and thus no leakage out LTE for dns requests by users.
To make this a little stronger one can
/ip firewall nat
add chain=dstnat action=dst-nat src-address=50.50.50.0/24 dst-port=53 protocol=udp to-address=103.86.96.100
add chain=dstnat action=dst-nat src-address=50.50.50.0/24 dst-port=53 protocol=tcp to-address=103.86.96.100
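As an added example (not from this thread or from MikroTik): a small Python checker that parses a RouterOS export in the shape pasted above and verifies the three things the reply relies on to keep the 50.50.50.0/24 users inside the tunnel: a main-table route to the advertised DNS server via wg-nordvpn, the port-53 dst-nat redirects, and a forward chain that ends in a drop. The export text is constructed from the reply's own lines, with the peer keys and endpoint omitted.

```python
import shlex
from ipaddress import ip_address, ip_network

# Constructed RouterOS export modelled on the reply's final config (peer keys/endpoints omitted).
EXPORT = """\
/ip dhcp-server network
add address=50.50.50.0/24 dns-server=103.86.96.100 gateway=50.50.50.1
/ip route
add dst-address=0.0.0.0/0 gateway=wg-nordvpn routing-table=private_route
add dst-address=103.86.96.100 gateway=wg-nordvpn routing-table=main
/ip firewall nat
add action=masquerade chain=srcnat out-interface=lte1
add action=masquerade chain=srcnat out-interface=wg-nordvpn
add chain=dstnat action=dst-nat src-address=50.50.50.0/24 dst-port=53 protocol=udp to-address=103.86.96.100
add chain=dstnat action=dst-nat src-address=50.50.50.0/24 dst-port=53 protocol=tcp to-address=103.86.96.100
/ip firewall filter
add action=accept chain=forward comment="Subnet to wireguard" out-interface=wg-nordvpn src-address=50.50.50.0/24
add action=drop chain=forward comment="drop all else"
"""

def parse_export(text):
    """Group each 'add key=value ...' line under its '/section' heading (shlex handles quoted comments)."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            sections[current].append(dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t))
    return sections

def dns_leak_findings(text, tunnel="wg-nordvpn", lan="50.50.50.0/24"):
    """Return the invariants from the reply that this export violates (empty list = all satisfied)."""
    cfg = parse_export(text)
    findings = []
    dns = {s for n in cfg.get("/ip dhcp-server network", []) for s in n.get("dns-server", "").split(",") if s}
    routes = cfg.get("/ip route", [])
    for server in dns:  # the router itself must reach the tunnel DNS via the tunnel, not out lte1
        if not any(r.get("routing-table", "main") == "main" and r.get("gateway") == tunnel
                   and ip_address(server) in ip_network(r.get("dst-address", "0.0.0.0/0"), strict=False)
                   for r in routes):
            findings.append(f"no main-table route to DNS {server} via {tunnel}")
    nat = cfg.get("/ip firewall nat", [])
    for proto in ("udp", "tcp"):  # clients that hard-code another resolver get redirected to the tunnel DNS
        if not any(r.get("chain") == "dstnat" and r.get("protocol") == proto and r.get("dst-port") == "53"
                   and r.get("src-address") == lan and r.get("to-address") in dns for r in nat):
            findings.append(f"no dstnat redirect of {proto}/53 from {lan} to the tunnel DNS")
    fwd = [r for r in cfg.get("/ip firewall filter", []) if r.get("chain") == "forward"]
    if not fwd or fwd[-1].get("action") != "drop":  # anything not explicitly accepted must be dropped
        findings.append("forward chain does not end with a drop-all rule")
    return findings
```

Running `dns_leak_findings(EXPORT)` on the constructed export returns an empty list; deleting the main-table route to 103.86.96.100 or the final drop rule makes the corresponding finding appear.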