Adding my wireguard interface to the LAN list resolved the DNS access issue for me, however it doesn’t work with just the input chain firewall rule for my wireguard subnet. My wireguard server subnet is 192.168.222.0/24, the client has 192.168.222.1 (router wireguard interface IP) for DNS and my firewall filter rule is as below:
/ip firewall filter add action=accept chain=input comment=“vpn server” src-address-list=192.168.222.0/24
Shouldn’t this still work without adding the wireguard interface to the LAN list because the firewall rule is accepting traffic from the source subnet without any restriction on ports or destination address?
In addition, which is preferrable for security implications? I only have the defconf drop all not coming from LAN rule using the LAN list at the moment.