Hello,
I've setup wireguard on my Mikrotik to pass all the traffic from my LAN to this interface and it works well.
I've used this doc : http://littlefool.de/posts/mullvad-wire ... outeros-7/
However, my NAT rules (port forwarding) are not working properly anymore. I mean, the traffic on the WAN interface (not wireguard) is incoming well, however as I've got a masquerade rule telling the whole traffic have to go through the wireguard interface, I do think something is wrong here.
Therefore, how can I "mark" the traffic that is incoming on my WAN interface and have to go out still through my WAN interface and not the wireguard one.
Hope it's clear enough! Thanks for your help.
Re: Setup Wireguard but NAT does not work with outgoing packet through WAN [SOLVED]
Where you mark traffic for WireGuard exclude dst-nat traffic.
add connection-nat-state=!dstnat in section 3 of the manual
add connection-nat-state=!dstnat in section 3 of the manual
Code: Select all
/ip/firewall/mangle/add chain=prerouting in-interface=ether2 action=mark-routing new-routing-mark=mullvad passthrough=no connection-nat-state=!dstnatRe: Setup Wireguard but NAT does not work with outgoing packet through WAN
I've tried so many "complicated" things before and your answer solves it simply. Thank you very much!
Re: Setup Wireguard but NAT does not work with outgoing packet through WAN
Why is mangling required at all??
Can you explain more clearly how external traffic is entering your router (for presumably some work, lets say to reach a server on a lan subnet) is not able to then go out the same WAN in response.
How the heck does this have anything to do with traffic originating from the LAN going out the wireguard tunnel.
Nothing makes sense...
A diagram would be helpful but is it fair to assume you have a MT device at home and want to use mullvad VPN for either
one of the lan subnets behind your router, or some specific IPs on subnets behind the router FOR INTERNET TRAFFIC.
If this is the case mangling is NOT required.
There should be no interference from external users coming into the router to access servers and your use of the VPN for internet traffic.
Also is there a reason that the MT router could not also be a server (to allow you to connect to the router remotely and securely for example)?
Can you explain more clearly how external traffic is entering your router (for presumably some work, lets say to reach a server on a lan subnet) is not able to then go out the same WAN in response.
How the heck does this have anything to do with traffic originating from the LAN going out the wireguard tunnel.
Nothing makes sense...
A diagram would be helpful but is it fair to assume you have a MT device at home and want to use mullvad VPN for either
one of the lan subnets behind your router, or some specific IPs on subnets behind the router FOR INTERNET TRAFFIC.
If this is the case mangling is NOT required.
There should be no interference from external users coming into the router to access servers and your use of the VPN for internet traffic.
Also is there a reason that the MT router could not also be a server (to allow you to connect to the router remotely and securely for example)?
Re: Setup Wireguard but NAT does not work with outgoing packet through WAN
When you use the same ether port or/and source address then you need to split traffic again.
When you have your internal network in the same subnet as the gateway of the WG tunnel then you would not need NAT. I explained that before that the internet does not know which internal network sits behind which router.
I have a router on a stick and then I can cheat by NATting on the inner router to the WG subnet and get away with a routing rule. Works great an not needing double NAT...however the WG provider does double NAT to hide my public addres.
When you have your internal network in the same subnet as the gateway of the WG tunnel then you would not need NAT. I explained that before that the internet does not know which internal network sits behind which router.
I have a router on a stick and then I can cheat by NATting on the inner router to the WG subnet and get away with a routing rule. Works great an not needing double NAT...however the WG provider does double NAT to hide my public addres.
Re: Setup Wireguard but NAT does not work with outgoing packet through WAN
you answering OP or me. its his config, I want his responses so I can understand his network. your input just confuses me further.
Re: Setup Wireguard but NAT does not work with outgoing packet through WAN
Diagrams please.........
Re: Setup Wireguard but NAT does not work with outgoing packet through WAN
Hello,Why is mangling required at all??
Can you explain more clearly how external traffic is entering your router (for presumably some work, lets say to reach a server on a lan subnet) is not able to then go out the same WAN in response.
How the heck does this have anything to do with traffic originating from the LAN going out the wireguard tunnel.
Nothing makes sense...
A diagram would be helpful but is it fair to assume you have a MT device at home and want to use mullvad VPN for either
one of the lan subnets behind your router, or some specific IPs on subnets behind the router FOR INTERNET TRAFFIC.
If this is the case mangling is NOT required.
There should be no interference from external users coming into the router to access servers and your use of the VPN for internet traffic.
Also is there a reason that the MT router could not also be a server (to allow you to connect to the router remotely and securely for example)?
If I simply deactivate the mangle rule, I just cannot browse the Internet at all.
I'm not a networking expert, therefore I found this guide very helpful in my case http://littlefool.de/posts/mullvad-wire ... outeros-7/ ; I guess, the mangle rule is correlated to the routing rules added which are required to route the traffic through the Wireguard Interface as Mullvad/ProtonVPN is giving some IP address to use on the interface created previously.
If there is another way to do the same, without mangle rule, why not, in my case it's now working well. I just want to pass my Internet traffic from my LAN through a wireguard Interface. However I still want to have my server hosted on the LAN reachable from the Internet using the dedicated IP my ISP gave to me. That's it
There is no need to be "rude" or anything like this. Thank you.
Re: Setup Wireguard but NAT does not work with outgoing packet through WAN
Hi Saphir,
Yes this can be done without mangling and the "tone" is not towards you LOL, its for msatter.....but he is used to it.
Post your config
/export hide-sensitive file=anynameyouwish
Just be sure NOT to post actual public IPs or gateway IPs.
++++++++++++++++++++++++++++++++++++++++++++++++
Its quite simple actually, but to be clear do you want to pass ALL your LAN traffic to mulvad for internet access or just one subnet out of ?????
If you have just one subnet thats fine.
Also, what happens if the wireguard tunnel is not available for some reason, do you want the option of allowing your LAN users to go out the regular ISP for internet??
Yes this can be done without mangling and the "tone" is not towards you LOL, its for msatter.....but he is used to it.
Post your config
/export hide-sensitive file=anynameyouwish
Just be sure NOT to post actual public IPs or gateway IPs.
++++++++++++++++++++++++++++++++++++++++++++++++
Its quite simple actually, but to be clear do you want to pass ALL your LAN traffic to mulvad for internet access or just one subnet out of ?????
If you have just one subnet thats fine.
Also, what happens if the wireguard tunnel is not available for some reason, do you want the option of allowing your LAN users to go out the regular ISP for internet??
Re: Setup Wireguard but NAT does not work with outgoing packet through WAN
The hars tone was not directed at me! It is your trade to be rude.Hi Saphir,
Yes this can be done without mangling and the "tone" is not towards you LOL, its for msatter.....but he is used to it.
Post your config
/export hide-sensitive file=anynameyouwish
Just be sure NOT to post actual public IPs or gateway IPs.
Re: Setup Wireguard but NAT does not work with outgoing packet through WAN
Once again, either have something useful to assist the OP or bug off.The hars tone was not directed at me! It is your trade to be rude.Hi Saphir,
Yes this can be done without mangling and the "tone" is not towards you LOL, its for msatter.....but he is used to it.
Post your config
/export hide-sensitive file=anynameyouwish
Just be sure NOT to post actual public IPs or gateway IPs.
Re: Setup Wireguard but NAT does not work with outgoing packet through WAN
Good luck. It's sort of useful post, right?Yes this can be done without mangling ...
Re: Setup Wireguard but NAT does not work with outgoing packet through WAN
Absolutely! and how astute of you! Cookie for Sob.
Because I am clairvoyant, I know that the OP wants to
a. have a clean config
b. have an efficient config
c. have a fast config
Conclusion, if mangling can be removed requirements of a, b, c can be met.
But since you and msatter think otherwise.
I will leave this thread, buh bye........
Because I am clairvoyant, I know that the OP wants to
a. have a clean config
b. have an efficient config
c. have a fast config
Conclusion, if mangling can be removed requirements of a, b, c can be met.
But since you and msatter think otherwise.
I will leave this thread, buh bye........
Re: Setup Wireguard but NAT does not work with outgoing packet through WAN
Don't give up so easily, if you invent some solution I didn't think about, you can then be extra proud of it.