Only 1 LAN device via wireguard

Hi,

I want a single device to access the internet via wireguard, but I want this device to still be accessible from my LAN.

/ip/firewall/mangle
add action=mark-routing chain=prerouting new-routing-mark=iptv passthrough=yes src-address-list=iptv

/ip/firewall/nat
add action=masquerade chain=srcnat out-interface=wg_protonvpn

/routing/table
add fib name=iptv

/ip/route
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=10.2.0.1 routing-table=iptv scope=30 suppress-hw-offload=no target-scope=10

As soon as I enable the route, everything works as expected, but I lose the connection to my device from my local network.

What am I missing?

Have you added the wireguard interface to the LAN interface list?
Made any changes to the firewall (forward chain)?

I don't have any interface lists, so no, I guess.
No, I have made no changes to my firewall yet.

I have a couple of wireguard connections already running, but always with networks behind them that I need to access, so I have made changes in my firewall for those.

When trying to access my IPTV device from my local network I have no block entries in my log, so I don't think I need firewall changes.

Conceptually I understand you have a third-party VPN provider (Proton) and you want to send ONE IP address out the WireGuard tunnel for external internet.

This is easily accomplished without any Mangling. Instead use Routing Rules.

  1. Table
    add fib name=useProton

  2. Route
    add dst-address=0.0.0.0/0 gateway=wireguardP routing-table=useProton

  3. Routing Rules (order is critical, as the first rule allows LAN users to communicate locally with the device before all its traffic is routed out the tunnel)
    add action=lookup-only-in-table min-prefix=0 table=main
    add src-address=singleDevice action=lookup-only-in-table table=useProton
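The three steps above as one complete RouterOS v7 configuration, added here as an example and not code from either poster; the device address 192.168.88.50, the interface name wg_protonvpn and the table name useProton are assumed placeholders, and the first rule uses action=lookup so that, once the default route is suppressed, evaluation continues to the second rule.

```routeros
# Added example (not from the thread): route ONE LAN device out a WireGuard
# tunnel while keeping it reachable from the LAN. All names/addresses assumed.

# 1. Separate routing table (needs a FIB so it can actually forward packets).
/routing/table
add name=useProton fib

# 2. Default route for that table via the tunnel interface only.
/ip/route
add dst-address=0.0.0.0/0 gateway=wg_protonvpn routing-table=useProton \
    comment="device default via VPN"

# Source NAT on the tunnel, so replies come back through it.
/ip/firewall/nat
add chain=srcnat out-interface=wg_protonvpn action=masquerade \
    comment="masquerade VPN egress"

# 3. Routing rules, evaluated top to bottom.
/routing/rule
# Rule 1: look up in main but suppress the default route (min-prefix=0 is the
# RouterOS equivalent of Linux "suppress_prefixlength 0"). Connected LAN routes
# still match, so the device's replies to LAN hosts stay local instead of being
# pushed into the tunnel (the failure the mangle-based setup showed).
add action=lookup min-prefix=0 table=main comment="LAN stays local"
# Rule 2: anything from the device that did not match above (internet) is
# resolved only in the VPN table, so it cannot fall back to the WAN default.
add src-address=192.168.88.50/32 action=lookup-only-in-table table=useProton \
    comment="device internet via VPN"

# Checks: rule order, and that the VPN table holds only the tunnel default.
/routing/rule/print
/ip/route/print where routing-table=useProton
```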