Today I noticed that when my Windows machine connects via IKE2 with a self-signed SSL certificate to my hAP ac3, it cannot access the router's Winbox for management.
The router is listening for the IKE2 connection as a dynamic peer.
The rule that disallows my management via the IKE2 tunnel is:
Drop input from interface list !LAN. (The WAN interface does not belong to the LAN interface list.)
This is a good rule, since I do not want to allow management from WAN.
However, my IKE2 traffic originates from WAN, and that rule creates a problem.
Is it possible to mark my connection from the dynamic peer and simply create a filter rule above the interface rule for the marked connection?
If so, how do I do it?
What other ways do you suggest without disabling the rule mentioned above?
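One way to do what the post asks, as an added example rather than the poster's own configuration: RouterOS can match packets that were decapsulated from an IPsec SA with the `ipsec-policy=in,ipsec` matcher, so the accept rule can be tied to the tunnel instead of the WAN interface. The rule comment `drop-not-lan` on the existing drop rule, the connection-mark name and the remote address pool `192.168.77.0/24` are assumptions for this example.

```routeros
# Option A: accept Winbox straight from IPsec-decapsulated input, no marking needed.
# Restricting to the tunnel's address pool and TCP/8291 keeps the exception narrow;
# plain WAN traffic never carries ipsec-policy=in,ipsec, so the !LAN drop still applies to it.
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=8291 \
    src-address=192.168.77.0/24 ipsec-policy=in,ipsec \
    comment="winbox from IKE2 clients" \
    place-before=[find comment="drop-not-lan"]

# Option B: the connection-mark variant from the question.
# Mangle input runs before filter input, so the mark is already set when the filter is consulted.
/ip firewall mangle
add chain=input action=mark-connection new-connection-mark=ike2-mgmt \
    connection-state=new ipsec-policy=in,ipsec passthrough=yes \
    comment="mark management connections arriving through IPsec"

/ip firewall filter
add chain=input action=accept connection-mark=ike2-mgmt \
    protocol=tcp dst-port=8291 \
    comment="winbox for marked IKE2 connections" \
    place-before=[find comment="drop-not-lan"]

# Check that the accept rule sits above the !LAN drop and is actually being hit:
/ip firewall filter print stats where chain=input
```

Use only one of the two options; with both present the mangle rule is redundant. If the drop rule has no comment, add the accept rule normally and then use `/ip firewall filter move` to place it above the drop rule.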