That is the better way, yes: you can do an entire subnet or three individual users. All good.
By the way, if they also need to access a different subnet on the LAN, just put another routing rule BEFORE the WG ones, so that they can access local devices, like a printer.
/routing rule
add dst-address=IPofPrinter action=lookup-only-in-table table=main
Hi anav,
I'm promoting this post as I have a very similar situation to the one described. Let me know if I need to open a new post.
See my network diagram below:
My problem is: when I access my local network via Wireguard - Road Warrior from outside (laptop with IP 192.168.50.2), I have access to my router and all LAN devices (I added the Wireguard interface to the LAN interface list),
except for the Raspberry Pi, which is routed to Surfshark VPN (via Wireguard), since I need all traffic from this device to go out via the VPN.
My question is:
how can I keep this Raspberry Pi routed to Surfshark VPN, and at the same time be able to access it from outside my local network?
Here's the routing code:
/routing rule
add action=lookup-only-in-table comment="Orange Pi" disabled=no interface=\
bridge src-address=192.168.87.241/32 table=Surfshark
I've already tried changing the action to "lookup", but it doesn't work.
Firewall address lists and filters:
/ip firewall address-list
add address=192.168.87.241 list=Under_VPN
add address=192.168.87.247 disabled=yes list=Under_VPN
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="Allow OpenVPN" dst-port=1194 protocol=\
tcp
add action=accept chain=input comment="Allow Wireguard - Road Warrior" \
dst-port=22134 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow IPSec" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="accept vpn encrypted input traffic" \
ipsec-policy=in,ipsec src-address=192.168.67.0/24
add action=accept chain=input comment=\
"Allow Wireguard - Road Warrior reach LAN" disabled=yes src-address=\
192.168.50.0/24
add action=accept chain=input comment=\
"Accept vlan2 & 3 (IPTV & VoIP) multicast & broadcast traffic" \
dst-address-type=!unicast in-interface-list=Vlan2&3
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment=\
"drop communication from LAN to GUEST network" dst-address=\
192.168.77.0/24 src-address=192.168.87.0/24
add action=drop chain=forward comment=\
"drop communication from GUEST network to LAN" dst-address=\
192.168.87.0/24 src-address=192.168.77.0/24
add action=drop chain=forward comment="Block Brother printer to Internet" \
out-interface-list=WAN src-address=192.168.87.249
add action=drop chain=forward comment=\
"Drop all new unicast traffic from vlan3 & 2 (Voip & Iptv) not DSTNATed" \
connection-nat-state=!dstnat connection-state=new dst-address-type=\
unicast in-interface-list=Vlan2&3
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
IP addresses:
/ip address
add address=192.168.87.1/24 comment=defconf interface=bridge network=\
192.168.87.0
add address=192.168.77.1/24 interface=bridge-guests network=192.168.77.0
add address=10.14.0.2/16 interface=WG-Surfshark network=10.14.0.0
add address=192.168.50.1/24 interface=Wireguard-rw network=192.168.50.0
Thanks in advance,
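Editor's note: the following is an added example, not configuration from either post, that applies anav's ordering advice ("put another routing rule BEFORE the wg ones") to the exported config above. RouterOS evaluates /routing rule entries top to bottom and the first match wins, so a rule that sends the Pi's traffic destined for the road-warrior subnet (192.168.50.0/24, from the poster's /ip address list) to the main table must sit above the catch-all Surfshark rule; the printer rule reuses anav's pattern with the Brother printer address taken from the poster's filter rules. It assumes the routing table Surfshark already exists with a default route via WG-Surfshark (it is referenced but not shown in the thread).

```routeros
# Added example (not from the thread). Rule order matters: first match wins.
# Assumed already present on the router, as the thread references it but
# does not show it:
# /routing table add name=Surfshark fib

/routing rule
# 1. Replies from the Pi to road-warrior clients are looked up in main,
#    which holds the connected route for 192.168.50.0/24 on Wireguard-rw.
add comment="Pi -> WG road warriors via main" src-address=192.168.87.241/32 \
    dst-address=192.168.50.0/24 action=lookup-only-in-table table=main
# 2. Pi -> local printer (anav's pattern; address from the
#    "Block Brother printer to Internet" filter rule)
add comment="Pi -> printer via main" src-address=192.168.87.241/32 \
    dst-address=192.168.87.249/32 action=lookup-only-in-table table=main
# 3. Everything else from the Pi stays in the Surfshark table
#    (this is the poster's original rule, now last)
add comment="Orange Pi" interface=bridge src-address=192.168.87.241/32 \
    action=lookup-only-in-table table=Surfshark

# Check: the two main-table rules must print ABOVE the Surfshark rule.
/routing rule print
# If the Surfshark rule already existed, move the new rules above it, e.g.:
# /routing rule move [find comment="Pi -> WG road warriors via main"] \
#     [find comment="Orange Pi"]
```

Why changing the action to "lookup" alone does not help: "lookup" only falls through to the next rule when the named table has no route for the destination, and a VPN table with a 0.0.0.0/0 route always has one, so a packet from the Pi to 192.168.50.2 still leaves via Surfshark. A more specific dst-address rule placed before it is what pulls that traffic back into main.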