abracadabricx
just joined
Topic Author
Posts: 4
Joined: Sun Mar 06, 2022 9:41 pm

Wireguard VPN Peer setup: avoid dst local network from routing through VPN?

Sun Nov 20, 2022 5:54 pm

I have a MT hAP ac3 behind an internet router (supplied by the ISP).

The network therefore looks like this:

WAN/Internet - (some dynamic IP)-ISP Router-(xxx.yyy.zzz.1/24) --- (xxx.yyy.zzz.30/24)-MT AC3-(xxx.yyy.bb.10/24) --- LAN(xxx.yyy.bb.0/24)

I want to route all internet directed traffic through a VPN connection.
WAN/Internet --- VPN End point-(k.l.m.23) --- (Wireguard tunnel) --- (10.2.0.1)-MT AC3-(xxx.yyy.bb.10/24) --- LAN(xxx.yyy.bb.0/24)

With the configuration below the connection works for the LAN IP addresses listed explicitly in wg-pvpn.
If, however, I want to route all IP addresses with: /routing rule add action=lookup-only-in-table disabled=no src-address=xxx.yyy.bb.0/24 table=wg-pvpn,
then I lose access to the router. Otherwise this works. I suppose that with this rule all (..) traffic is directed through the tunnel, including what is destined for the router itself.

How could I allow the full LAN to access the internet via the VPN, and exclude traffic originating from and destined for the LAN, including access to the router, from being routed through the VPN?

Configuration:

# LAN bridge, the WireGuard interface and the extra routing table used for policy routing
/interface bridge add name=bridge_lan
/interface wireguard add listen-port=51820 mtu=1420 name=PVPN
/routing table add comment="some comment" disabled=no fib name=wg-pvpn
/interface bridge port add bridge=bridge_lan ingress-filtering=no interface=ether2
/interface bridge port add bridge=bridge_lan ingress-filtering=no interface=ether3
/interface bridge port add bridge=bridge_lan ingress-filtering=no interface=ether4
/interface bridge port add bridge=bridge_lan ingress-filtering=no interface=ether5
# Single peer (the VPN endpoint); allowed-address=0.0.0.0/0 lets any destination be sent into the tunnel
/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=k.l.m.23 endpoint-port=51820 interface=PVPN persistent-keepalive=40m public-key="somekey"
# Addresses: LAN side, ISP-router side (ether1) and tunnel side
/ip address add address=xxx.yyy.bb.10/24 interface=bridge_lan network=xxx.yyy.bb.0
/ip address add address=xxx.yyy.zzz.30/24 interface=ether1 network=xxx.yyy.zzz.0
/ip address add address=10.2.0.2/24 interface=PVPN network=10.2.0.0
# Router resolves via the tunnel endpoint and answers DNS queries from clients
/ip dns set allow-remote-requests=yes servers=10.2.0.1
# Source NAT for everything leaving through the tunnel
/ip firewall nat add action=masquerade chain=srcnat out-interface=PVPN
# Default route in main (via the ISP router) and in wg-pvpn (via the tunnel)
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=xxx.yyy.zzz.1 pref-src="" routing-table=main suppress-hw-offload=no
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PVPN pref-src="" routing-table=wg-pvpn suppress-hw-offload=no
# Policy routing: only these two LAN hosts are resolved in wg-pvpn
/routing rule add action=lookup-only-in-table disabled=no src-address=xxx.yyy.bb.99/32 table=wg-pvpn
/routing rule add action=lookup-only-in-table disabled=no src-address=xxx.yyy.bb.81/32 table=wg-pvpn
 
abracadabricx
just joined
Topic Author
Posts: 4
Joined: Sun Mar 06, 2022 9:41 pm

Re: Wireguard VPN Peer setup: avoid dst local network from routing through VPN?

Sun Nov 20, 2022 6:18 pm

And I think I may have solved it, from another post:

    If you want it to be able to reach a local subnet, simply put another routing rule BEFORE the existing one.
    /routing rule
    add action=lookup disabled=no dst-address=other_local_subnet table=main
    add action=lookup disabled=no src-address=192.168.7.0/24 table=tablWG

I adapted the network and table name, and now it seems to have been solved.

Not sure why/how though, could anyone maybe explain?

Anyway, thanks Anav, Marisusz
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN Peer setup: avoid dst local network from routing through VPN?

Sun Nov 20, 2022 6:35 pm

The router looks at the traffic requested and applies the rules in order.
Therefore, if it sees a local user in a subnet wants to visit another local subnet address and YOU DON'T HAVE the new routing rule in place,
the router will send it out the VPN regardless, as that is what you have instructed the router to do...
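Worked configuration, added here as an example and not taken from any of the posts above: it applies the rule order from the second post to the address plan of the first post and spells out why the single src-address rule cut the router off. The placeholders xxx.yyy.bb.0/24 (LAN), xxx.yyy.bb.10 (router), xxx.yyy.zzz.0/24 (link to the ISP router) and the table name wg-pvpn come from the original configuration; the comments, the optional second rule and the choice of actions are assumptions of this example. The mechanism is in the route tables: the connected routes for the LAN and for the ISP-router link exist only in main, while wg-pvpn contains nothing but 0.0.0.0/0 via PVPN. A rule with action=lookup-only-in-table therefore resolves even a packet addressed to the router's own xxx.yyy.bb.10 in wg-pvpn, finds only the default route, and sends it into the tunnel. Rules are evaluated top to bottom and the first match decides the table, so a dst-address rule that hands local destinations to main must come before the catch-all.

```routeros
# Added example (not from the original posts). Names follow the thread's placeholders:
#   xxx.yyy.bb.0/24  = LAN behind bridge_lan, router address xxx.yyy.bb.10
#   xxx.yyy.zzz.0/24 = link to the ISP router on ether1 (assumption: you still want to reach it directly)
#   wg-pvpn          = routing table whose only route is 0.0.0.0/0 via PVPN

# What the first post tried: every LAN packet, including those for the router itself,
# is resolved only in wg-pvpn, which holds no route for the LAN, so it goes into the tunnel.
# /routing rule add action=lookup-only-in-table src-address=xxx.yyy.bb.0/24 table=wg-pvpn

# Corrected order. Rules are evaluated top to bottom; the first match picks the table.
/routing rule
# 1. Anything addressed to the LAN (other hosts or the router's own xxx.yyy.bb.10) is looked up
#    in main, where the connected route lives. Must sit above the catch-all below.
add action=lookup dst-address=xxx.yyy.bb.0/24 table=main comment="LAN-to-LAN and router access stay local"
# 2. Optional: keep the ISP router's subnet reachable outside the tunnel. Delete this rule if
#    that traffic must also go through the VPN.
add action=lookup dst-address=xxx.yyy.zzz.0/24 table=main comment="ISP router subnet stays local"
# 3. Everything else from the LAN is resolved only in wg-pvpn. With lookup-only-in-table a packet
#    for which the table has no route is dropped instead of falling back to main and leaving
#    unencrypted via the ISP router; plain action=lookup (as in the second post) would fall through.
add action=lookup-only-in-table src-address=xxx.yyy.bb.0/24 table=wg-pvpn comment="rest of LAN via VPN, fail closed"

# Checks: confirm the rule order and what each table actually contains.
/routing rule print
/ip route print where routing-table=main
/ip route print where routing-table=wg-pvpn
```

From a LAN host, the router's xxx.yyy.bb.10 and other LAN hosts should then answer directly, while a traceroute to an internet address should show 10.2.0.1 as the first hop. One related point worth checking in the posted configuration: allow-remote-requests=yes makes the router answer DNS on every interface, so the firewall input chain should limit port 53 to bridge_lan; that filter rule is outside the scope of this example.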
