I’ve set up WireGuard on my MikroTik to pass all the traffic from my LAN to this interface and it works well.
I’ve used this doc: http://littlefool.de/posts/mullvad-wireguard-with-routeros-7/
However, my NAT rules (port forwarding) are not working properly anymore. I mean, the traffic on the WAN interface (not WireGuard) is coming in fine; however, as I’ve got a masquerade rule telling the whole traffic to go through the WireGuard interface, I do think something is wrong here.
Therefore, how can I “mark” the traffic that comes in on my WAN interface and has to go back out through my WAN interface and not the WireGuard one?
Why is mangling required at all??
Can you explain more clearly how external traffic entering your router (presumably for some purpose, let’s say to reach a server on a LAN subnet) is not able to then go out the same WAN in response.
How the heck does this have anything to do with traffic originating from the LAN going out the WireGuard tunnel?
Nothing makes sense…
A diagram would be helpful, but is it fair to assume you have an MT device at home and want to use Mullvad VPN for either one of the LAN subnets behind your router, or some specific IPs on subnets behind the router, FOR INTERNET TRAFFIC?
If this is the case mangling is NOT required.
There should be no interference from external users coming into the router to access servers and your use of the VPN for internet traffic.
Also, is there a reason that the MT router could not also be a server (to allow you to connect to the router remotely and securely, for example)?
When you use the same ether port and/or source address, then you need to split traffic again.
When you have your internal network in the same subnet as the gateway of the WG tunnel, then you would not need NAT. I explained before that the internet does not know which internal network sits behind which router.
I have a router on a stick, and then I can cheat by NATting on the inner router to the WG subnet and get away with a routing rule. Works great and no double NAT needed… however, the WG provider does double NAT to hide my public address.
If I simply deactivate the mangle rule, I just cannot browse the Internet at all. I’m not a networking expert, therefore I found this guide very helpful in my case: http://littlefool.de/posts/mullvad-wireguard-with-routeros-7/ ; I guess the mangle rule is correlated with the routing rules added, which are required to route the traffic through the WireGuard interface, as Mullvad/ProtonVPN gives an IP address to use on the interface created previously.
If there is another way to do the same without a mangle rule, why not; in my case it’s now working well. I just want to pass my Internet traffic from my LAN through a WireGuard interface. However, I still want to have my server hosted on the LAN reachable from the Internet using the dedicated IP my ISP gave to me. That’s it.
There is no need to be “rude” or anything like this. Thank you.
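The setup the original poster describes in the two posts above (all LAN internet traffic through the WireGuard tunnel, while WAN-originated port-forwards are still answered back out the WAN) can be written as a short RouterOS 7 configuration. The block below is an added illustration, not taken from the thread or from the linked guide. It assumes the WAN is ether1, the LAN is 192.168.88.0/24 on a bridge, the tunnel interface is called wg-mullvad, the provider assigned 10.64.0.2/32 to this peer, and the forwarded service is HTTPS on 192.168.88.10; the key and endpoint placeholders are not real values.

```routeros
# Added example (not from the thread). Assumptions: WAN = ether1, LAN = 192.168.88.0/24,
# tunnel = wg-mullvad with provider-assigned 10.64.0.2/32, internal server = 192.168.88.10.
# Keys and endpoint are placeholders, not real credentials.

/interface wireguard
add name=wg-mullvad listen-port=51820 private-key="<your-private-key>"

/interface wireguard peers
add interface=wg-mullvad public-key="<provider-peer-public-key>" \
    endpoint-address=<provider-endpoint> endpoint-port=51820 \
    allowed-address=0.0.0.0/0 persistent-keepalive=25s

/ip address
add address=10.64.0.2/32 interface=wg-mullvad

# A second routing table whose only route is the tunnel.
/routing table
add name=via-wg fib

/ip route
add dst-address=0.0.0.0/0 gateway=wg-mullvad routing-table=via-wg

/ip firewall mangle
# 1. Remember every connection that was opened from the WAN side (port-forwards,
#    remote access to the router). Conntrack keeps the mark on the reply packets too.
add chain=prerouting in-interface=ether1 connection-state=new \
    action=mark-connection new-connection-mark=from-wan passthrough=yes \
    comment="connections initiated from the internet"
# 2. Steer LAN-originated traffic into the tunnel table, but only for connections
#    that were NOT opened from the WAN and are not addressed to the router itself.
#    Replies from the port-forwarded server therefore stay in main -> ether1.
add chain=prerouting src-address=192.168.88.0/24 connection-mark=!from-wan \
    dst-address-type=!local action=mark-routing new-routing-mark=via-wg \
    passthrough=no comment="LAN internet traffic via WireGuard"

/ip firewall nat
# Source NAT for both exits: traffic leaving through the tunnel gets the tunnel
# address, anything still leaving through ether1 gets the ISP address.
add chain=srcnat out-interface=wg-mullvad action=masquerade
add chain=srcnat out-interface=ether1 action=masquerade
# The port-forward itself (example: HTTPS to the internal server).
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=443 \
    comment="public HTTPS -> internal server"
```

The order of the two mangle rules matters: the connection must be marked before the routing decision is made for the server's reply, and the routing-mark rule must exclude that mark. To check it, open a connection to the public IP on port 443 from outside and confirm it appears in `/ip firewall connection print where connection-mark=from-wan`, then run a traceroute from a LAN host and confirm the first hop is inside the tunnel rather than the ISP gateway. Note that with only the tunnel route in via-wg there is no automatic fallback to the ISP when the tunnel is down, which is the question raised later in the thread.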
Hi Saphir,
Yes, this can be done without mangling, and the “tone” is not towards you, LOL; it’s for msatter… but he is used to it.
Post your config
/export hide-sensitive file=anynameyouwish
Just be sure NOT to post actual public IPs or gateway IPs.
++++++++++++++++++++++++++++++++++++++++++++++++
It’s quite simple actually, but to be clear, do you want to pass ALL your LAN traffic to Mullvad for internet access, or just one subnet out of ???
If you have just one subnet, that’s fine.
Also, what happens if the WireGuard tunnel is not available for some reason? Do you want the option of allowing your LAN users to go out the regular ISP for internet?
Absolutely! And how astute of you! Cookie for Sob.
Because I am clairvoyant, I know that the OP wants to
a. have a clean config
b. have an efficient config
c. have a fast config
Conclusion: if mangling can be removed, requirements a, b and c can be met.
But since you and msatter think otherwise.
I will leave this thread, buh bye…