Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Dears,

first message in this forum, so I introduce myself. I currently have one hAP AC2 as router (running ROS 7.8), behind a fiber ONT in Spain.
I've successfully set up Surfshark WireGuard VPN, and now I'm looking to implement a kill switch (if the VPN connection is lost, VPN traffic is blackholed). I only have one device in my LAN going through the VPN, the rest is non-VPN.

I've already gone through http://forum.mikrotik.com/t/nordlynx-server-wireguard-setup/156064/22 but I'm not getting it.
See my configuration below for Mangle - NAT, as well as routing - rules - tables.

I guess I'm missing something with the rules?

Mangle
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=Surfshark_blackhole passthrough=yes src-address-list=Under_VPN
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=WG-Surfshark passthrough=yes protocol=tcp tcp-flags=syn
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan3 passthrough=yes
add action=set-priority chain=postrouting new-priority=1 out-interface=pppoe-out1

NAT
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=masquerade-ovpn src-address=192.168.76.0/24
add action=masquerade chain=srcnat comment="default configuration" out-interface-list=Vlan2&3
add action=masquerade chain=srcnat comment=masq-surfshark out-interface=WG-Surfshark

ROUTE
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=WG-Surfshark pref-src="" routing-table=Surfshark scope=30 suppress-hw-offload=no target-scope=10

TABLE
/routing table
add disabled=no fib name=Surfshark

RULES
/routing rule
add action=lookup-only-in-table disabled=no interface=bridge src-address=192.168.87.241/32 table=Surfshark

Thanks in advance for your support!

Regards,

There is no requirement for a kill switch when using wireguard.
Wireguard does not leak.

It looks like you only have one IP address using surfshark wireguard.
If the surfshark connection is down, the router does not route traffic anywhere already.

Kill switch is not needed.

Thanks @anav for your answer, much appreciated.

De Nada, Go Barca!! jajajajaja

Hello Anav. Thank you for the answer!!!
Is it safe to use wireguard without any kind of “protection”?
What about the DNS query and package leak?
I'm routing all the traffic to the tunnel; if for some reason the connection is down...

Thanks in advance!!
Dan

Could you please post your settings? I'm trying to migrate from IKEv2 to WireGuard, but I can't manage it :frowning:

Thank You so much

@dgalizi.

I am more familiar with using routing rules...
In this case let's say I have three subnets: 192.168.0.0/24, 192.168.30.0/24, 192.168.50.0/24
and assume there is some need for inter-VLAN traffic, a shared printer even...

Then I would do
add fib table=use-WG
add dst-address=0.0.0.0/0 gateway=wg-interface-name table=use-WG

Routing rules
add dst-address=192.168.0.0/18 action=lookup-only-in-table table=main comment="keeps local traffic possible"
add src-address=192.168.0.0/24 action=lookup-only-in-table table=use-WG
add src-address=192.168.30.0/24 action=lookup-only-in-table table=use-WG
add src-address=192.168.50.0/24 action=lookup-only-in-table table=use-WG

The function of the action means: if there is no connection, DO NOT LOOK for an alternate.
If we had used solely 'lookup', then the router is instructed, if there is no connection at the designated table, to see if there is an available route in the main table.
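An added example (not code from the thread or from anav) that simulates how RouterOS 7 evaluates the routing rules above: lookup-only-in-table drops the packet when the use-WG table has no route, while a plain lookup falls back to the main table and the ISP. It goes beyond the three-subnet case by adding a constructed 192.168.100.0/24 subnet that sits outside the 192.168.0.0/18 aggregate; the gateway names and the "tunnel down means no active route in use-WG" model are assumptions.

```python
"""Simulate RouterOS 7 routing-rule evaluation (added example, not the project's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str            # "lookup-only-in-table" or "lookup"
    table: str
    src: Optional[str] = None
    dst: Optional[str] = None


def _matches(prefix, addr):
    """A missing src/dst matcher matches everything, as in RouterOS."""
    return prefix is None or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def route_lookup(table, dst, tables):
    """Longest-prefix match inside one table; None when the table has no usable route."""
    best = None
    for prefix, gateway in tables.get(table, []):
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


def resolve(src, dst, rules, tables):
    """Return (gateway, table); gateway None means the packet is dropped (blackholed)."""
    for rule in rules:
        if not (_matches(rule.src, src) and _matches(rule.dst, dst)):
            continue
        gateway = route_lookup(rule.table, dst, tables)
        if gateway is not None:
            return gateway, rule.table
        if rule.action == "lookup-only-in-table":
            return None, rule.table          # no fallback: this is the kill switch
        # plain "lookup": route not found, so keep evaluating the remaining rules
    return route_lookup("main", dst, tables), "main"   # main table is the final fallback


# anav's three subnets plus a constructed fourth one (192.168.100.0/24) that lies
# outside the 192.168.0.0/18 aggregate used by the "keeps local traffic possible" rule
LOCAL_SUBNETS = ["192.168.0.0/24", "192.168.30.0/24", "192.168.50.0/24", "192.168.100.0/24"]


def build_tables(wg_up):
    """Assumption: a tunnel that is down leaves the use-WG table without an active route."""
    main = [(net, "connected") for net in LOCAL_SUBNETS] + [("0.0.0.0/0", "isp-gateway")]
    use_wg = [("0.0.0.0/0", "wg-interface-name")] if wg_up else []
    return {"main": main, "use-WG": use_wg}


def anav_rules(action="lookup-only-in-table"):
    """The rule set from the post above; pass action="lookup" to see the fallback leak."""
    return [Rule("lookup-only-in-table", "main", dst="192.168.0.0/18"),
            Rule(action, "use-WG", src="192.168.0.0/24"),
            Rule(action, "use-WG", src="192.168.30.0/24"),
            Rule(action, "use-WG", src="192.168.50.0/24")]


if __name__ == "__main__":
    for wg_up in (True, False):
        for action in ("lookup-only-in-table", "lookup"):
            print(wg_up, action, resolve("192.168.30.10", "1.1.1.1", anav_rules(action), build_tables(wg_up)))
    print("inter-VLAN:", resolve("192.168.30.10", "192.168.50.20", anav_rules(), build_tables(False)))
    print("outside /18:", resolve("192.168.30.10", "192.168.100.5", anav_rules(), build_tables(True)))
```

The last line shows the coverage check a practitioner wants: any local subnet the first rule's aggregate does not cover gets sent into the tunnel instead of being routed locally.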

I think I need this solution too. My question: in this case I need to disable mangle, right?

Well I would have to see the context of the entire config, why are you mangling now?

Here is my config:

# RouterOS 7.10.2
# model = RB5009UG+S+

/interface bridge
add ingress-filtering=no name=LAN-BRIDGE vlan-filtering=yes

/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard-surfshark

/interface vlan
add interface=LAN-BRIDGE name=GEUST_VLAN vlan-id=30
add interface=LAN-BRIDGE name=TEST_VLAN vlan-id=20

/interface list
add name=WAN
add name=VLAN
add name=GUEST_VLAN

/interface wifiwave2 channel
add disabled=no frequency=2300-7300 name=5GHz width=20/40/80mhz
add disabled=no frequency=2300-7300 name=2GHz width=20/40mhz

/interface wifiwave2 datapath
add bridge=LAN-BRIDGE disabled=no name=GUEST vlan-id=30

/interface wifiwave2 security
add authentication-types=wpa3-psk disabled=no name=WPA3 wps=disable
add authentication-types=wpa2-psk disabled=no name=WPA2 wps=disable
add authentication-types=wpa2-psk disabled=no name=GUEST wps=disable

/interface wifiwave2 configuration
add country="United States" disabled=no name=HOME-5GHz security=WPA3 ssid=\
    HOME-5GHz
add country="United States" disabled=no name=HOME-2GHz security=WPA2 ssid=\
    HOME-2GHz
add country="United States" datapath=GUEST disabled=no name=GUEST security=\
    GUEST ssid=GUEST

/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254

/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN-BRIDGE name=dhcp1
add address-pool=dhcp_pool1 interface=TEST_VLAN name=dhcp2
add address-pool=dhcp_pool2 interface=GEUST_VLAN name=dhcp3

/routing table
add disabled=no fib name=surfshark

/interface bridge port
add bridge=LAN-BRIDGE interface=sfp-sfpplus1
add bridge=LAN-BRIDGE interface=ether2
add bridge=LAN-BRIDGE interface=ether3
add bridge=LAN-BRIDGE interface=ether4
add bridge=LAN-BRIDGE interface=ether5
add bridge=LAN-BRIDGE interface=ether6
add bridge=LAN-BRIDGE interface=ether7
add bridge=LAN-BRIDGE interface=ether8

/interface bridge vlan
add bridge=LAN-BRIDGE tagged=LAN-BRIDGE,ether3 vlan-ids=20
add bridge=LAN-BRIDGE tagged=LAN-BRIDGE,ether3,ether8 vlan-ids=30

/interface list member
add interface=ether1 list=WAN
add interface=GEUST_VLAN list=VLAN
add interface=LAN-BRIDGE list=VLAN
add interface=TEST_VLAN list=VLAN

/interface wifiwave2 capsman
set ca-certificate=auto enabled=yes package-path="" require-peer-certificate=\
    no upgrade-policy=none

/interface wifiwave2 provisioning
add action=create-dynamic-enabled disabled=no master-configuration=HOME-5GHz \
    supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=HOME-2GHz \
    slave-configurations=GUEST supported-bands=2ghz-n

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=us-chi.prod.surfshark.com \
    endpoint-port=51820 interface=wireguard-surfshark public-key=\
    "DpMfulanF/MVHmt3AX4dqLqcyE0dpPqYBjDlWMaUI00="

/ip address
add address=192.168.1.1/24 interface=LAN-BRIDGE network=192.168.1.0
add address=192.168.20.1/24 interface=TEST_VLAN network=192.168.20.0
add address=192.168.30.1/24 interface=GEUST_VLAN network=192.168.30.0
add address=10.14.0.2/16 interface=wireguard-surfshark network=10.14.0.0

/ip dhcp-client
add interface=ether1

/ip dhcp-server lease
add address=192.168.1.2 client-id=1:48:a9:8a:8b:48:ef comment=AX-AP mac-address=\
    48:A9:8A:8B:48:EF server=dhcp1
add address=192.168.30.11 client-id=1:0:c:29:f8:91:1b comment=TEST-CLIENT \
    mac-address=00:0C:29:F8:91:1B server=dhcp3


/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=162.252.172.57 gateway=192.168.30.1

/ip dns
set allow-remote-requests=yes

/ip firewall address-list
add address=192.168.30.11 list=GUEST-DEVICE1

/ip firewall filter
add action=accept chain=input comment="ALLOW ESTABLISHED AND RELATED" \
    connection-state=established,related
add action=accept chain=input comment="ALLOW VLAN ACCESS ROUTER SERVICES" \
    in-interface-list=VLAN
add action=drop chain=input comment=DROP
add action=accept chain=forward comment="ALLOW ESTABLISHED AND RELATED" \
    connection-state=established,related
add action=accept chain=forward comment="ALL VLANS INTERNET ACCESS ONLY" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="ALLOW GUEST VLAN TO WIRESHARK ACCESS" \
    connection-state=new in-interface-list=VLAN out-interface=\
    wireguard-surfshark
add action=drop chain=forward comment=DROP

/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
add action=mark-routing chain=prerouting new-routing-mark=surfshark \
    passthrough=no src-address-list=GUEST-DEVICE1

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=wireguard-surfshark

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard-surfshark \
    routing-table=surfshark suppress-hw-offload=no

So I use mangle to force traffic into the WG tunnel, but if the WireGuard interface becomes disabled, it switches to the ISP internet. So isn't it a leak, or is this scenario only possible if I disable the WireGuard interface manually?
Additional problem: I cannot add a subnet (only specific machines, i.e. 192.168.30.11).

Thank You so much

@anav

Is my config that bad? :smiley:

Hahah, no I just have a life LOL.
I am not qualified to comment on any config that contains non-wifi settings in wifi settings, aka datapath, capsman etc...
I prefer the simpleton approach with wifi settings that just deal in wifi.

If datapath and capsman meant no changes to the current bridge/vlan construct as described by pcunite, then my tune would be different.
The only reason I ever fathomed to use capsman is that one needs to isolate wifi users from landline users in the same subnet, which is rare.

Ok then I won't show your comment to my wife, it would ruin my excuses :smiley: :smiley: :smiley:

But if you need to manage 20+ APs, how do you do that without capsman?

Ok I turned off wifi settings, so here is my basic setup:

# RouterOS 7.10.2
# model = RB5009UG+S+

/interface bridge
add ingress-filtering=no name=LAN-BRIDGE vlan-filtering=yes

/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard-surfshark

/interface vlan
add interface=LAN-BRIDGE name=GEUST_VLAN vlan-id=30
add interface=LAN-BRIDGE name=TEST_VLAN vlan-id=20

/interface list
add name=WAN
add name=VLAN
add name=GUEST_VLAN

/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254

/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN-BRIDGE name=dhcp1
add address-pool=dhcp_pool1 interface=TEST_VLAN name=dhcp2
add address-pool=dhcp_pool2 interface=GEUST_VLAN name=dhcp3

/routing table
add disabled=no fib name=surfshark

/interface bridge port
add bridge=LAN-BRIDGE interface=sfp-sfpplus1
add bridge=LAN-BRIDGE interface=ether2
add bridge=LAN-BRIDGE interface=ether3
add bridge=LAN-BRIDGE interface=ether4
add bridge=LAN-BRIDGE interface=ether5
add bridge=LAN-BRIDGE interface=ether6
add bridge=LAN-BRIDGE interface=ether7
add bridge=LAN-BRIDGE interface=ether8

/interface bridge vlan
add bridge=LAN-BRIDGE tagged=LAN-BRIDGE,ether3 vlan-ids=20
add bridge=LAN-BRIDGE tagged=LAN-BRIDGE,ether3,ether8 vlan-ids=30

/interface list member
add interface=ether1 list=WAN
add interface=GEUST_VLAN list=VLAN
add interface=LAN-BRIDGE list=VLAN
add interface=TEST_VLAN list=VLAN

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=us-chi.prod.surfshark.com \
    endpoint-port=51820 interface=wireguard-surfshark public-key=\
    "DpMfulanF/MVHmt3AX4dqLqcyE0dpPqYBjDlWMaUI00="

/ip address
add address=192.168.1.1/24 interface=LAN-BRIDGE network=192.168.1.0
add address=192.168.20.1/24 interface=TEST_VLAN network=192.168.20.0
add address=192.168.30.1/24 interface=GEUST_VLAN network=192.168.30.0
add address=10.14.0.2/16 interface=wireguard-surfshark network=10.14.0.0

/ip dhcp-client
add interface=ether1

/ip dhcp-server lease
add address=192.168.30.11 client-id=1:0:c:29:f8:91:1b comment=TEST-CLIENT \
    mac-address=00:0C:29:F8:91:1B server=dhcp3

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=162.252.172.57 gateway=192.168.30.1

/ip dns
set allow-remote-requests=yes

/ip firewall address-list
add address=192.168.30.11 list=GUEST-DEVICE1

/ip firewall filter
add action=accept chain=input comment="ALLOW ESTABLISHED AND RELATED" \
    connection-state=established,related
add action=accept chain=input comment="ALLOW VLAN ACCESS ROUTER SERVICES" \
    in-interface-list=VLAN
add action=drop chain=input comment=DROP
add action=accept chain=forward comment="ALLOW ESTABLISHED AND RELATED" \
    connection-state=established,related
add action=accept chain=forward comment="ALL VLANS INTERNET ACCESS ONLY" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="ALLOW GUEST VLAN TO WIRESHARK ACCESS" \
    connection-state=new in-interface-list=VLAN out-interface=\
    wireguard-surfshark
add action=drop chain=forward comment=DROP

/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
add action=mark-routing chain=prerouting new-routing-mark=surfshark \
    passthrough=no src-address-list=GUEST-DEVICE1

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=wireguard-surfshark

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard-surfshark \
    routing-table=surfshark suppress-hw-offload=no

If I had to manage 20, one by one LOL. It takes me at most 5 minutes to set up a capac.
It's pretty much set and forget. It's not like one is going to be changing anything frequently.
One typically has 2-3-4 WIFI LANs and that's it.
The DHCP and all else is handled by the router.
The only reason to touch the capac is to upgrade the software.
Also, I highly doubt 20 capacs would be configured the same, maybe in some fiction book.

@anav

If we use this method, will communication between VLANs be possible? In this case the traffic from 192.168.30.0/24 to 192.168.50.0/24 will be forced to WireGuard, right?
Isn't mangle better in this case?

Thank You

If you look carefully at the first routing rule… what does it say?

Any traffic heading for a local subnet shall be routed using the main table aka it will flow!!
Then after that traffic has been taken care of, the rules deal with wireguard traffic.

So no need for mangling and local traffic will be respected.

Ok, in this case something is wrong on my side :frowning:
(I have that rule but cross traffic is not working. I keep trying, then I'll come back if I can't solve it.)

Do you have a forward chain rule allowing access to the server??
Typically if you have VLANs you need a rule.


add chain=forward action=accept in-interface-list=VLAN dst-address=server_IP

You could narrow this down to just one subnet to the server or a list of allowed LANIPs to the server.

Ok I give up :frowning:

If I add these rules it works perfectly (ping and I can reach 192.168.10.2 from 192.168.9.0/24); without it, it stops working:

/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.10.0/24 src-address=192.168.9.0/24 table=main
add action=lookup-only-in-table disabled=no dst-address=192.168.9.0/24 src-address=192.168.10.0/24 table=main

Here are my settings:

/interface bridge
add name=BRIDGE-LAN vlan-filtering=yes

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=ISP user=username533

/interface wireguard
add listen-port=51820 mtu=1420 name=WG-NORDVPN

/interface vlan
add interface=BRIDGE-LAN name=VLAN-LAN_VPN vlan-id=9
add interface=BRIDGE-LAN name=VLAN-TEST vlan-id=10
add interface=BRIDGE-LAN name=VLAN-GUEST vlan-id=100

/interface list
add name=WAN
add name=VLAN

/ip pool
add name=POOL-LAN ranges=192.168.1.2-192.168.1.254
add name=POOL-LAN_VPN ranges=192.168.9.2-192.168.9.254
add name=POOL-TEST ranges=192.168.10.2-192.168.10.254
add name=POOL-GUEST ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=POOL-LAN interface=BRIDGE-LAN name=DHCP-LAN
add address-pool=POOL-LAN_VPN interface=VLAN-LAN_VPN name=DHCP-LAN_VPN
add address-pool=POOL-TEST interface=VLAN-TEST name=DHCP-TEST
add address-pool=POOL-GUEST interface=VLAN-GUEST name=DHCP-GUEST

/routing table
add disabled=no fib name=NORDVPN

/interface bridge port
add bridge=BRIDGE-LAN interface=sfp-sfpplus1
add bridge=BRIDGE-LAN interface=ether2
add bridge=BRIDGE-LAN interface=ether3 pvid=9
add bridge=BRIDGE-LAN interface=ether4 pvid=10
add bridge=BRIDGE-LAN interface=ether5
add bridge=BRIDGE-LAN interface=ether6
add bridge=BRIDGE-LAN interface=ether7 pvid=30
add bridge=BRIDGE-LAN interface=ether8

/interface bridge vlan
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether2,ether6 vlan-ids=9
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether2 vlan-ids=10
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN vlan-ids=20
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether6 vlan-ids=30
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether2,ether6 vlan-ids=100

/interface list member
add interface=ISP list=WAN
add interface=VLAN-LAN_VPN list=VLAN
add interface=VLAN-TEST list=VLAN
add interface=VLAN-TEST_SECURE list=VLAN
add interface=VLAN-GUEST list=VLAN

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=217.138.192.35 endpoint-port=51820 interface=WG-NORDVPN public-key="ksadnck34wrbwfjh34b"

/ip address
add address=192.168.1.1/24 interface=sfp-sfpplus1 network=192.168.1.0
add address=192.168.10.1/24 interface=VLAN-TEST network=192.168.10.0
add address=192.168.9.1/24 interface=VLAN-LAN_VPN network=192.168.9.0
add address=192.168.100.1/24 interface=VLAN-GUEST network=192.168.100.0
add address=10.5.0.2/24 interface=WG-NORDVPN network=10.5.0.0

/ip cloud
set ddns-enabled=yes

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.9.0/24 dns-server=192.168.9.1 gateway=192.168.9.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1

/ip dns
set allow-remote-requests=yes servers=103.86.96.100

/ip firewall filter
add action=drop chain=input comment="BLOCK WAN SIDE DNS REQUEST" dst-port=53 in-interface=ISP protocol=tcp
add action=accept chain=input comment="ALLOW LAN ACCESS ROUTER SERVICES" src-address=192.168.1.0/24
add action=accept chain=input comment="ALLOW ESTABLISHED AND RELATED CONNECTIONS" connection-state=established,related
add action=accept chain=input comment="ALLOW VLANS ACCESS ROUTER SERVICES" in-interface-list=VLAN
add action=drop chain=input comment="DROP ANYTHING ELSE" disabled=yes
add action=accept chain=forward comment="ALLOW LAN TRAFFIC TO EVERYWHERE" src-address=192.168.1.0/24
add action=accept chain=forward comment="ALLOW TRAFFIC FROM LAN_VPN TO LAN" dst-address=192.168.1.0/24 src-address=192.168.9.0/24
add action=accept chain=forward comment="ALLOW TRAFFIC FROM LAN_VPN TO LAN_VPN" dst-address=192.168.10.0/24 src-address=192.168.9.0/24
add action=accept chain=forward comment="ALLOW ESTABLISHED AND RELATED CONNECTIONS" connection-state=established,related
add action=accept chain=forward comment="ALLOW VLANS NORDVPN ACCESS" connection-state=new in-interface-list=VLAN out-interface=WG-NORDVPN
add action=drop chain=forward comment="DROP ANYTHING ELSE" disabled=yes

/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn

/ip firewall nat
add action=masquerade chain=srcnat comment=NAT-ISP out-interface=ISP
add action=masquerade chain=srcnat comment=NAT-VPN out-interface=WG-NORDVPN

/ip route
add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=WG-NORDVPN pref-src="" routing-table=NORDVPN scope=30 suppress-hw-offload=no target-scope=10

/routing rule
add action=lookup-only-in-table comment="KEEPS LOCAL TRAFFIC POSSIBLE" disabled=no dst-address=192.168.0.0/16 table=main
add action=lookup-only-in-table comment="REDIRECT VLAN-LAN_VPN TRAFFIC VIA NORDVPN" disabled=no src-address=192.168.9.0/24 table=NORDVPN
add action=lookup-only-in-table comment="REDIRECT VLAN-TEST TRAFFIC VIA NORDVPN" disabled=no src-address=192.168.10.0/24 table=NORDVPN
add action=lookup-only-in-table comment="REDIRECT VLAN-GUEST TRAFFIC TO NORDVPN" disabled=no src-address=192.168.100.0/24 table=NORDVPN

No need to give up, let's follow the logic.

The two rules you state are required to ensure that the subnets going out wireguard get routed FIRST to any other local subnets, for both traffic originating to other local subnets or returning traffic to the other local subnets. ALL GOOD!! you are on the right track.

I just simplified matters as you have multiple subnets. Also, you don't need to add a source address to these rules...

A subnet mask /18 goes from 192.168.1.0 - 192.168.64.254 so that covers all your subnets except 192.168.100.0 but that is your guest one and assuming there is no traffic for guest except out internet etc…

If you want to include the ability to contact the guest pool etc, then either lower the guest pool to 192.168.64.0 or below or change the rule to /17

In your case it's easier as you only want to cover 192.168.1 to 192.168.10 and thus simply use:
add dst-address=192.168.1.0/20 which covers 192.168.1.1 to 192.168.17.254

SO YES,
either OR are good
/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.10.0/24 table=main
add action=lookup-only-in-table disabled=no dst-address=192.168.9.0/24 table=main
OR
add action=lookup-only-in-table disabled=no dst-address=192.168.1.0/20 table=main

++++++++++++++++++++++++++++++++++++++++++++++++

Now that we have clarity, the other part of my previous response is that we still need to ensure firewall rules allow traffic to flow between subnets or devices.
Firewall rules don't route, they just give permission for traffic flows...

You seem to have that, but your firewall rules are sparse and wonky in their order, so I will look at that later today.