Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Separate Wireguard and QUIC in firewall rules

Sat Jul 03, 2021 4:07 pm

I have a setup where I have a webserver that supports QUIC (UDP port 443) and Wireguard which can be any port. To bypass restrictive firewalls, I want it so that both WG and QUIC can work with my NAT but I need some way to differentiate between them. Could L7 filters work or is there a simpler way?
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Separate Wireguard and QUIC in firewall rules

Sat Jul 03, 2021 5:30 pm

Encrypted traffic for both, so no. Connection tracking is handling this; look at the source port on the client side to differentiate.

Example: WG using 443-->443 and QUIC 1000-65000-->443
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: Separate Wireguard and QUIC in firewall rules

Sat Jul 03, 2021 5:50 pm

So, all I need to do to do QUIC NAT is to add a rule where dst-port=443 and src-port=1000-65000? Then I add a firewall input accept rule for src-port=443 and dst-port=443.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Separate Wireguard and QUIC in firewall rules

Sat Jul 03, 2021 6:02 pm

QUIC will never connect from source port 443 to your server providing the QUIC connection. No need to put any extra lines into NAT.

So if your WG is accepting other source addresses than 443, then only connection tracking or internal tracking by the router (which provides the WG) is possible. I don't use WG, and if I remember it well, you have a separate port to connect to to set up the connection. Then a new port is used for the WG connection.

If your WG server is not the router but another device in your network, then internal tracking by the router is not possible and only connection tracking is possible.

You have to view this as a stateful firewall: all connections are unique, and if a connection is made that is not known, then the firewall will block that connection attempt.
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: Separate Wireguard and QUIC in firewall rules

Sat Jul 03, 2021 6:41 pm

I'm setting the source port in my WG client to 4430 and I excluded source port 4430 from the NAT, but it's still not working. Is there another way to differentiate them? The WG is hosted on the router.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Separate Wireguard and QUIC in firewall rules

Sat Jul 03, 2021 7:02 pm

Do you have WG working when you disable Quic access to your server?

This is a topic about WG on a Mikrotik router: viewtopic.php?f=23&t=174417&p=865133&hi ... rd#p865133
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: Separate Wireguard and QUIC in firewall rules

Sat Jul 03, 2021 7:18 pm

WG actually used to work before my RB4011 "bricked" and had to be rebooted, but now it doesn't. :( I can't find any differences between then and now, including the keys.
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: Separate Wireguard and QUIC in firewall rules

Sat Jul 03, 2021 8:38 pm

The Fix: I just changed the WG port to 80 so it uses the same one as HTTP and this will work for now.
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: Separate Wireguard and QUIC in firewall rules

Sat Jul 10, 2021 9:53 pm

I just realized that I can use port knocking to add myself to an address list that gets redirected to Wireguard, and addresses that don't use port knocking get redirected to QUIC. Solved!
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Separate Wireguard and QUIC in firewall rules

Sat Jul 10, 2021 10:32 pm

Nice solution. :-)
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: Separate Wireguard and QUIC in firewall rules  [SOLVED]

Fri Jul 16, 2021 2:26 am

Another solution: My webserver which uses QUIC is protected by Buttflare. Since Buttflare has a set list of IPs that they request from, I can specify the NAT rule for QUIC (and also TCP 443) for only these IPs, and have the VPNs available for all other addresses. This also has a bonus feature of blocking bots from knowing where my real webserver is located. Actually, this is the solution I'm going to use.
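The pattern behind both of the poster's solutions (the port-knock list and the CDN-only list) is the same: an address list, not the port, decides whether UDP 443 is dst-NATed to the QUIC web server or left for the router's own WireGuard listener. Below is an added RouterOS example of the final, CDN-based variant; it is not from the thread or from MikroTik, and the WAN interface name, the web server address and the CDN ranges are constructed placeholders.

```routeros
# Added example (not from the thread). Assumed: WAN is ether1, web server is
# 192.168.88.10 on the LAN, WireGuard on the router listens on UDP/443.
# Replace the placeholder ranges with the CDN's published egress list and keep
# it current; anything not on the list never reaches the web server.
/ip firewall address-list
add list=cdn-edges address=198.51.100.0/24 comment="placeholder CDN range 1"
add list=cdn-edges address=203.0.113.0/24 comment="placeholder CDN range 2"

# dstnat is evaluated top-down: only CDN edges are forwarded to the web server,
# for both QUIC (UDP/443) and HTTPS (TCP/443).
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=udp dst-port=443 src-address-list=cdn-edges action=dst-nat to-addresses=192.168.88.10 to-ports=443 comment="QUIC to web server, CDN edges only"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 src-address-list=cdn-edges action=dst-nat to-addresses=192.168.88.10 to-ports=443 comment="HTTPS to web server, CDN edges only"

# Non-CDN sources are not NATed, so their UDP/443 packets hit the input chain and
# are handed to WireGuard, which silently discards anything that is not a valid
# handshake. These rules must sit above the default "drop all from WAN" rules.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=443 src-address-list=!cdn-edges action=accept comment="WireGuard from anywhere except CDN edges"
add chain=forward in-interface=ether1 connection-state=new connection-nat-state=dstnat dst-address=192.168.88.10 action=accept comment="allow the NATed web flows"

# Port-knock variant from the earlier post: populate a list with
# action=add-src-to-address-list from a knock rule, then use that list (negated)
# in the QUIC dstnat rule instead of cdn-edges.
```

Check with `/ip firewall connection print where dst-port=443` that QUIC flows show the web server as their reply address while WireGuard flows terminate on the router.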
