I would like to get the following setup running:
- There is a WireGuard tunnel through which all internet traffic from a certain local network (guest = bridge1-vlan60) should be routed.
-> All other internet traffic should be routed via the regular WAN gateway as before.
- There is an IPv6 prefix available from the tunnel to be advertised in the guest network but only a few IPv4 addresses are available. This is why IPv4 should use NAT.
The setup HAD been working already but I cannot figure out why it stopped working.
(How did I verify that it had worked? On a device connected to the guest network I visited ipv6-test.com. Both IPv4 and IPv6 addresses shown were definitely correct.)
The setup still works for IPv6 traffic.
The problem just seems to be related to NAT for IPv4.
I can see packets leaving via the wireguard1 interface being NATted:
prerouting: in:bridge1-vlan60 out:(unknown 0), src-mac 5a:a9:5b:x:x:x, proto TCP (SYN), 192.168.60.195:51213->17.57.146.173:5223, NAT (192.168.60.195:51213->100.x.x.177:51213)->17.57.146.173:5223, len 64
prerouting: in:wireguard1 out:(unknown 0), proto TCP (SYN,ACK), 17.57.146.173:5223->100.x.x.177:51213, NAT 17.57.146.173:5223->(100.x.x.177:51213->192.168.60.195:51213), len 60
And even in the firewall connection list the connections are displayed with TCP state "syn received" without changes.
You can find my configuration below. I hope I've included all relevant settings.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 endpoint-address=xxx endpoint-port=xxx interface=wireguard1 public-key="xxx"
/interface list
add name=public
add name=admin
add name=private
add name=non-admin
add include=private,public name=private-and-public
add include=admin,private name=admin-and-private
add name=guest
add name=vpn
/interface list member
add interface=bridge1-vlan29 list=public
add interface=bridge1-vlan92 list=admin
add interface=bridge1-vlan92 list=private
add interface=bridge1-vlan21 list=private
add interface=bridge1-vlan21 list=non-admin
add interface=bridge1-vlan29 list=non-admin
add interface=ether10 list=admin
add interface=bridge1-vlan60 list=guest
add interface=wireguard1 list=vpn
/ip address
add address=10.20.18.1/24 interface=ether10 network=10.20.18.0
add address=192.168.92.1/24 interface=bridge1-vlan92 network=192.168.92.0
add address=192.168.21.1/24 interface=bridge1-vlan21 network=192.168.21.0
add address=192.168.29.53/24 interface=bridge1-vlan29 network=192.168.29.0
add address=100.x.x.177/19 interface=wireguard1 network=100.x.x.0
add address=192.168.60.1/24 interface=bridge1-vlan60 network=192.168.60.0
/ip dhcp-client
add interface=bridge1-vlan29 use-peer-dns=no
/ip dhcp-server
add address-pool=dhcp-pool92 interface=bridge1-vlan92 lease-time=30m name=dhcp-server92
add address-pool=dhcp-pool21 interface=bridge1-vlan21 lease-time=30m name=dhcp-server21
add address-pool=dhcp-pool60 interface=bridge1-vlan60 lease-time=30m name=dhcp-server60
/ip dhcp-server network
add address=192.168.21.0/24 dns-server=192.168.21.1 gateway=192.168.21.1
add address=192.168.60.0/24 dns-server=100.x.x.1 gateway=192.168.60.1
add address=192.168.92.0/24 dns-server=192.168.92.1 gateway=192.168.92.1
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="Drop Invalid Connections" connection-state=invalid log=yes log-prefix=Invalid
add action=accept chain=forward comment="Accept Established,Related Connections" connection-state=established,related
add action=accept chain=forward comment="Accept from guest interfaces to vpn interfaces" in-interface-list=guest out-interface-list=vpn
add action=accept chain=forward comment="Accept from private interfaces to public interfaces" in-interface-list=private out-interface-list=public
add action=accept chain=forward comment="Accept from admin interfaces to admin and private interfaces" in-interface-list=admin out-interface-list=admin-and-private
add action=accept chain=forward comment="Accept incoming packets that are NATted" connection-nat-state=dstnat connection-state=new in-interface-list=public
add action=drop chain=forward comment="Drop everything else"
add action=drop chain=input comment="Drop Invalid Connections" connection-state=invalid log-prefix=Invalid
add action=accept chain=input comment="Accept Established,Related Connections" connection-state=established,related
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept DNS requests from private and public interfaces" dst-port=53 in-interface-list=private-and-public protocol=udp
add action=accept chain=input comment="Accept from admin interfaces" in-interface-list=admin
add action=drop chain=input comment="Drop everything else"
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp to pmtu for outgoing" disabled=yes new-mss=clamp-to-pmtu out-interface-list=public passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward comment="Clamp to pmtu for incoming" disabled=yes in-interface-list=public new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=mark-connection chain=prerouting comment="special routing for guest network" connection-mark=no-mark in-interface-list=guest new-connection-mark=usevpn passthrough=yes
add action=mark-routing chain=prerouting comment="special routing for guest network" connection-mark=usevpn connection-nat-state=!dstnat in-interface-list=guest new-routing-mark=useVPN passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=vpn
add action=masquerade chain=srcnat comment="Default masquerade rule" out-interface-list=public
/ip firewall raw
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=guest protocol=udp src-address=0.0.0.0 src-port=68
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=private protocol=udp src-address=0.0.0.0 src-port=68
/ip route
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=100.x.x.1 pref-src=0.0.0.0 routing-table=useVPN scope=30 suppress-hw-offload=no target-scope=10
/routing table
add disabled=no fib name=useVPN
/routing rule
add action=lookup-only-in-table disabled=no routing-mark=useVPN table=useVPN
Any help is greatly appreciated.
Best wishes,
Tobi
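The two firewall log lines in the post carry everything needed to check whether the src-NAT on the way out and the dst-NAT on the way back actually mirror each other, and how far the connection tracker got with the TCP handshake (a connection shown as "syn received" has had its SYN-ACK seen but never the client's final ACK). The following parser and checks are an added example, not code from the post or from MikroTik; the log format assumptions are those of the RouterOS firewall log lines quoted above, and the sample lines are constructed from them with the masked values replaced by documentation addresses (100.64.0.177 for 100.x.x.177, a made-up MAC). A third, constructed ACK line shows what a completed handshake would look like in the same log.

```python
"""Parse RouterOS firewall log lines (prerouting/forward chain, with NAT field)
and run two checks over them: does the reply's dst-NAT undo the outbound
src-NAT, and which TCP state would connection tracking report afterwards.
Added example; format assumptions are encoded in the regexes below."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: an endpoint is "addr:port"; letters are allowed so masked
# addresses such as 100.x.x.177 still parse.
ENDPOINT = r"[0-9A-Za-z.]+:\d+"

LINE_RE = re.compile(
    r"^(?P<chain>\w+): in:(?P<in_if>\S+) out:(?P<out_if>\(unknown \d+\)|\S+), "
    r"(?:src-mac (?P<mac>\S+), )?"
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    rf"(?P<src>{ENDPOINT})->(?P<dst>{ENDPOINT}), "
    r"(?:NAT (?P<nat>[^,]+), )?"
    r"len (?P<length>\d+)$"
)
# srcnat is logged as "(orig_src->new_src)->dst", dstnat as "src->(orig_dst->new_dst)"
NAT_SRC_RE = re.compile(rf"^\((?P<orig>{ENDPOINT})->(?P<new>{ENDPOINT})\)->{ENDPOINT}$")
NAT_DST_RE = re.compile(rf"^{ENDPOINT}->\((?P<orig>{ENDPOINT})->(?P<new>{ENDPOINT})\)$")


@dataclass
class LogRecord:
    chain: str
    in_if: str
    proto: str
    flags: tuple                 # e.g. ("SYN", "ACK"); empty for non-TCP
    src: str                     # endpoints as seen before NAT, "addr:port"
    dst: str
    nat_kind: Optional[str]      # "srcnat", "dstnat" or None
    nat_from: Optional[str]      # endpoint that was rewritten
    nat_to: Optional[str]        # what it was rewritten to
    length: int


def parse_line(line: str) -> LogRecord:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    flags = tuple(f.strip() for f in (m["flags"] or "").split(",") if f.strip())
    nat_kind = nat_from = nat_to = None
    if m["nat"]:
        s, d = NAT_SRC_RE.match(m["nat"]), NAT_DST_RE.match(m["nat"])
        if s:
            nat_kind, nat_from, nat_to = "srcnat", s["orig"], s["new"]
        elif d:
            nat_kind, nat_from, nat_to = "dstnat", d["orig"], d["new"]
        else:
            raise ValueError(f"unrecognised NAT field: {m['nat']!r}")
    return LogRecord(m["chain"], m["in_if"], m["proto"], flags, m["src"], m["dst"],
                     nat_kind, nat_from, nat_to, int(m["length"]))


def reply_undoes_nat(outbound: LogRecord, reply: LogRecord) -> bool:
    """True if the reply's dst-NAT is the exact inverse of the outbound src-NAT."""
    return (outbound.nat_kind == "srcnat" and reply.nat_kind == "dstnat"
            and reply.src == outbound.dst           # reply comes from the server we sent to
            and reply.nat_from == outbound.nat_to   # addressed to our translated endpoint
            and reply.nat_to == outbound.src)       # and mapped back to the client


def handshake_state(records: List[LogRecord]) -> str:
    """TCP state the tracker would report after seeing these packets in order.
    The first record's src is taken as the connection originator."""
    if not records:
        return "none"
    client, server = records[0].src, records[0].dst
    state = "none"
    for r in records:
        f = set(r.flags)
        if r.src == client and f == {"SYN"}:
            state = "syn sent"
        elif r.src == server and f == {"SYN", "ACK"} and state == "syn sent":
            state = "syn received"
        elif r.src == client and f == {"ACK"} and state == "syn received":
            state = "established"
    return state


# Constructed sample lines, modelled on the two lines quoted in the post.
SAMPLE_LINES = [
    "prerouting: in:bridge1-vlan60 out:(unknown 0), src-mac 5a:a9:5b:00:00:01, proto TCP (SYN), "
    "192.168.60.195:51213->17.57.146.173:5223, NAT (192.168.60.195:51213->100.64.0.177:51213)->17.57.146.173:5223, len 64",
    "prerouting: in:wireguard1 out:(unknown 0), proto TCP (SYN,ACK), "
    "17.57.146.173:5223->100.64.0.177:51213, NAT 17.57.146.173:5223->(100.64.0.177:51213->192.168.60.195:51213), len 60",
]
# Constructed: the client's final ACK that a healthy log would also show.
CLIENT_ACK_LINE = (
    "prerouting: in:bridge1-vlan60 out:(unknown 0), src-mac 5a:a9:5b:00:00:01, proto TCP (ACK), "
    "192.168.60.195:51213->17.57.146.173:5223, NAT (192.168.60.195:51213->100.64.0.177:51213)->17.57.146.173:5223, len 52"
)


def analyse(lines: List[str]) -> dict:
    recs = [parse_line(l) for l in lines]
    return {
        "nat_consistent": reply_undoes_nat(recs[0], recs[1]) if len(recs) >= 2 else None,
        "state": handshake_state(recs),
    }


if __name__ == "__main__":
    print("as posted:", analyse(SAMPLE_LINES))
    print("with client ACK:", analyse(SAMPLE_LINES + [CLIENT_ACK_LINE]))
```

Run over the two posted lines the NAT check passes and the derived state is "syn received", i.e. the router translated the SYN-ACK back correctly but never saw the client's ACK; appending the constructed ACK line moves the state to "established". That narrows the search to what happens to the SYN-ACK between prerouting and the client (forward-chain drop counters with logging on the final drop rule, and the route the reply takes back towards bridge1-vlan60), rather than to the NAT rules themselves.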