Input firewall filter prioritization

I have a setup where my main router has a DNS server accessible to clients on LAN. On the outside, there will be a Wireguard tunnel on port 53, the same port as DNS. If I add an input rule for port 53 from WAN, which router service will come first? Is there a way to disallow DNS from WAN and only allow WG?

If you want to block it, do it in RAW on TCP/UDP(53) traffic coming from the WAN.

This won’t work because then I won’t be able to use Wireguard with a listen port of 53.

Sincerely, it is a very bad idea to use WireGuard on port 53.

As a WISP, I block all “53” traffic from my clients if it is not directed directly to the CPE.

All Italian ISPs are forced to do this because of idiotic laws written by someone who totally ignores how the internet works.

We do not inject or intercept unfound results; we simply block all “blacklisted” sites per Italian law.

Using port 53 just causes some warnings at the ISP, because they see some anomalous traffic on that port and will probably close it.

I have to use port 53 to bypass firewalls which block everything except ICMP, TCP port 80/443, and DNS. My ISP doesn’t care that much about “weird” traffic.

Not now, not today, but sooner or later the ISP notices…


Your provider locks all UDP??? (also UDP on 53…)

Not my provider, but at some places like a coffee shop, they have those restrictions.

Ah, now with some other details I understand.

Move local WireGuard to another port and change, in dst-nat, the incoming UDP port 53 from WAN to the local WireGuard port.
dst-nat is applied before routing, and routing is applied before the input chain,
so the packet changes destination port and can reach the internal service on another port.
https://help.mikrotik.com/docs/display/ROS/Packet+Flow+in+RouterOS#PacketFlowinRouterOS-Chains
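The dst-nat approach above, written out as a RouterOS configuration. This is an added example, not configuration from the thread; it assumes the WireGuard interface is named wg0, that the default WAN interface list exists, and that 13231 is the new local listen port.

```routeros
# Added example (not from the thread): WireGuard on the router moves to UDP/13231
# (assumed value) while peers keep connecting to UDP/53 from the outside.
# Assumes the default "WAN" interface list exists and the WireGuard interface is wg0.

# 1. WireGuard listens on its own port; peers keep endpoint port 53 in their config.
/interface wireguard set [find name=wg0] listen-port=13231

# 2. dstnat runs before the routing decision, so rewriting the port here means the
#    packet arrives in the input chain already addressed to 13231. Placed first so
#    no earlier dstnat rule catches it. Only UDP is rewritten: WireGuard is UDP-only.
/ip firewall nat add chain=dstnat in-interface-list=WAN protocol=udp dst-port=53 \
    action=dst-nat to-ports=13231 place-before=0 comment="WAN udp/53 -> WireGuard"

# 3. Input chain: accept the rewritten WireGuard traffic, then drop anything that
#    still targets port 53 from WAN. TCP/53 is not rewritten, so the router's DNS
#    server would otherwise answer it; UDP/53 is dropped too as a safety net.
#    The accept rule is placed first so the default "drop from WAN" rule does not win.
/ip firewall filter add chain=input in-interface-list=WAN protocol=udp dst-port=13231 \
    action=accept place-before=0 comment="WireGuard"
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp dst-port=53 \
    action=drop comment="no DNS from WAN"
/ip firewall filter add chain=input in-interface-list=WAN protocol=udp dst-port=53 \
    action=drop comment="no DNS from WAN"

# 4. Check: the nat rule counters increase when a peer handshakes from outside,
#    while the DNS drop rules should only count unsolicited WAN queries.
/ip firewall nat print stats where comment~"WireGuard"
/ip firewall filter print stats where comment~"no DNS"
```

With this in place, LAN clients still reach the DNS server on port 53 because the rules only match in-interface-list=WAN.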

If WG is running on the router itself, then you might have a problem … normally only one service can use a protocol/port number (e.g. TCP/53). When another service tries to acquire access to an already used port, it’s denied. In Linux it is possible to attach a service to one of the configured IP addresses and another one to the same combo of protocol/port number but on another IP address.
ROS UI OTOH provides an address property which might actually be used in a manner similar to how the src-address property is used by e.g. DST-NAT: if the packet’s src address doesn’t match, then the packet is queued to the input chain. I guess you’ll have to try yourself.

If you’re port forwarding WG somewhere else, then it’s possible. From the packet flow diagram: part of pre-routing is DST-NAT, which provides information to the routing decision, and that one affects the choice of different firewall chains (input versus forward).


BTW, never mind @rextended, he seems quite strong-minded and likes to troll whenever somebody tries to do something he doesn’t approve.

What are you writing? I already suggested the same thing you suggested 13 minutes before…

I have already helped @Cablenut9 other times; if I don’t remember correctly he can tell you too. I don’t seem to have ever bothered him.

@Cablenut9 you make it clear, please…

You gave me the dst-nat solution before mkx did, but mkx explained how my original setup might actually work.

Okay, I wasn’t clear, I was asking you if I bothered you, like mkx wants to say…

Maybe, but I can see why the ISP would want to block DNS.

When I start to write a reply, sometimes it takes some time to formulate it so that it fits the question as much as possible (trying to verify things on the go). It seems like you are much faster at writing your posts. But then, when I finished the answer and tried to post it, the forum informed me that there were other posts. I reviewed them and I thought they didn't cover everything I wrote, so I decided to post it anyway.

I see you are trolling again, this time about a post (later than yours) essentially saying the same as you did. But then, if this bothers you so much, why do you do the same occasionally? I could complain about your posts being later than mine and saying the same a few times already. But I don't bother.

+1 for mkx

@cablenut9
Sorry, I did not notice that you used port 53 also for WG. It is really strange, and your ISP is keeping an eye on that port because of DDoS attacks.

I try to explain better: it is about the "troll part". I want to point out to you that I already wrote a possibly helpful solution, not a "troll post".
Also @msatter says "It is really strange and your ISP is keeping an eye on that port because of DDoS attacks",
and that is the same thing I wanted to say to @Cablenut9, not to bother him...

Try not to always think badly, I understand that sometimes I deserve a kick in the balls, but really this time there was nothing wrong...

Hehehe, since Cable is in this thread I would have used a different word..... " I deserve a kick in the "nuts"! ;-))

Your first post in this thread (the #4) was all about why OP should not do something and nothing about how OP could achieve what he wanted to do. Even if your goal was sincere (based on your own policy as ISP) it was still unhelpful because OP's background is unknown to you. At the time I was writing my post it was your only post in this thread.
Since you have a habit of strongly expressing your views on posters' problems (generally on this forum), I feel you're trolling occasionally. Don't get me wrong, most of your posts are very useful and some even informative (your posts tend to be terse in providing a solution without explanation why the solution is good/the best). It's just they are a bit rude sometimes (I attribute that to the fact you're not a native English speaker and I understand that sometimes it's hard to find the appropriate word).

Thanks @mkx for the courtesy of explaining :wink:
@anav, but how do they come to your mind? :)))