I followed the help page for WireGuard setup and encountered an issue where my VPN connection ended up in the default drop rule for dstnat. It happened because the default rule checks for the WAN list, and the wireguard interface becomes a dynamic member of the WAN list in addition to my static assignment of it to the LAN list. I updated the drop rule to use my physical WAN interface instead and everything works. Does the help page need an update?
Nope, you need to better understand how wireguard works and what the interfaces on MT RoS are used for.
So firstly are you connecting to a third party VPN server?
If so, then generally speaking you will need to SOURCENAT all your LAN traffic heading in the direction of the server to have ONE source IP address:
the address the 3rd party VPN provider gave you. Any other addresses arriving at the other end, if not the assigned address, will be dropped.
To do this we must either:
a. manually add the rule
add chain=srcnat action=masquerade out-interface=wireguard1
OR
b. include wireguard interface in interface list as a member of the WAN list.
add interface=wireguard1 list=WAN
Then the standard default sourcenat rule will include automatically the functionality provided by the manual rule.
Assuming the existing rule looks like so:
add chain=srcnat action=masquerade out-interface-list=WAN
IF your router is actually a host, a peer Server at handshake, then typically the wireguard interface is added to the LAN list for firewall rule purposes.
++++++++++++++++++++++++++++++++++++++
Without seeing the context of the rest of the config, one can only guess at what you are doing.
Thanks for the reply! But I’m not sure this explains my problem and what I’m seeing in the help documentation. Let me try to explain it better.
The help page of interest is the following
The guide suggests that the wireguard interface be added to the LAN list:
/interface list member
add interface=wireguard1 list=LAN
The default router configuration from MikroTik has the following ip firewall filter rule:
12 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""
But the problem now becomes that it will cause frames from the wireguard interface to be dropped, as the wireguard interface is a static member of the LAN list and a dynamic member of the WAN list:
2 LAN wireguard1
4 D WAN wireguard1
And the MikroTik default config already has a NAT rule for the WAN interface:
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
The documentation is not HOW to set up your router for all situations; it's simply, for a given scenario, this is an option.
So I tried to elicit the scenario you are dealing with to apply applicable rules…
Suggest you ignore the documentation and understand each line on the config and what it does and then the answers will come clearly.
So, are you connecting to a third party server or not?
The config currently is not the important thing; what is important is to describe your requirements:
a. identify all the users
b. identify what traffic they need.
If you insist on being obtuse, I will move on.
Setup is the simplest possible: a road warrior setup where one user on a cell phone needs to connect with WireGuard VPN to reach the LAN on the MikroTik router.
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys)
I have resolved my problem, so my VPN works. I changed the following line
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""
to this:
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 log=no log-prefix=""
I’m wondering though about the wireguard interface being a member of both the WAN and LAN interface lists if configured as in the MikroTik manual.
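As an added example (not code from this thread, from the poster, or from MikroTik's help page), here is a minimal road-warrior WireGuard server configuration on RouterOS, together with the checks that expose the dual LAN/WAN list membership discussed above, and the poster's workaround applied by looking the rule up by its defconf comment. The interface name ether1 as the physical WAN port, the tunnel subnet 10.10.10.0/24, listen port 13231 and the key placeholders are assumptions; the mention of /interface detect-internet as a possible source of the dynamic membership is a thing to check, not something the thread confirms.

```routeros
# Added example: road-warrior WireGuard "server" on RouterOS.
# Everything below (names, addresses, port, keys) is assumed/placeholder.

# 1. WireGuard interface the phone will connect to.
/interface wireguard
add name=wireguard1 listen-port=13231 private-key="REPLACE-WITH-SERVER-PRIVATE-KEY"

# 2. Router-side tunnel address.
/ip address
add address=10.10.10.1/24 interface=wireguard1

# 3. The road-warrior peer (the phone): only its public key and tunnel IP.
/interface wireguard peers
add interface=wireguard1 public-key="REPLACE-WITH-PHONE-PUBLIC-KEY" allowed-address=10.10.10.2/32

# 4. Let the handshake in from the internet, ahead of the default input drop.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=13231 in-interface-list=WAN comment="wireguard handshake" place-before=0

# 5. Treat the tunnel as LAN for firewall purposes, as the help page suggests.
/interface list member
add interface=wireguard1 list=LAN

# 6. Check: is wireguard1 ALSO a dynamic (flag D) member of WAN?
#    If it is, "in-interface-list=WAN" rules match tunnel traffic too,
#    which is exactly what puts it into the "drop all from WAN not DSTNATed" rule.
/interface list member print where interface=wireguard1

# 7. One possible source of a dynamic list membership to inspect (assumption):
#    detect-internet can add interfaces to its wan-interface-list by itself.
/interface detect-internet print

# 8. The poster's workaround: match the physical WAN port instead of the
#    WAN list in the defconf drop rule, so tunnel traffic no longer hits it.
#    Located by its default comment; ether1 assumed to be the WAN port.
/ip firewall filter
set [ find comment="defconf: drop all from WAN not DSTNATed" ] !in-interface-list in-interface=ether1
```

Step 6 is the check worth running before changing any rule: a line flagged D for wireguard1 under WAN confirms the double membership, and step 7 is one place to look for where that dynamic entry is being generated; removing the cause of the dynamic WAN membership would be the alternative to rewriting the drop rule.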
I suspect your config is sub-optimal, as those config lines have nothing to do with VPN.