I have a MT HAPAC3 behind an internet router (supplied by ISP).
The network therefore looks like this:
WAN/Internet - (some dynamic IP)-ISP Router-(xxx.yyy.zzz.1/24) --- (xxx.yyy.zzz.30/24)-MT AC3-(xxx.yyy.bb.10/24) --- LAN(xxx.yyy.bb.0/24)
I want to route all internet directed traffic through a VPN connection.
WAN/Internet --- VPN End point-(k.l.m.23) --- (Wireguard tunnel) --- (10.2.0.1)-MT AC3-(xxx.yyy.bb.10/24) --- LAN(xxx.yyy.bb.0/24)
With the configuration below the connection works for LAN ip addresses listed explicitly in wg-pvpn.
If I however want to route all IP addresses with: /routing rule add action=lookup-only-in-table disabled=no src-address=xxx.yyy.bb.0/24 table=wg-pvpn,
then I lose access to the router. Otherwise this works. I suppose that with this rule all (..) traffic is directed through the tunnel, including what is destined for the router itself.
How could I allow the full LAN to access the internet via the VPN, and exclude traffic originating from and destined for the LAN, including access to the router, from being routed through the VPN?
Configuration:
/interface bridge add name=bridge_lan
/interface wireguard add listen-port=51820 mtu=1420 name=PVPN
/routing table add comment="some comment" disabled=no fib name=wg-pvpn
/interface bridge port add bridge=bridge_lan ingress-filtering=no interface=ether2
/interface bridge port add bridge=bridge_lan ingress-filtering=no interface=ether3
/interface bridge port add bridge=bridge_lan ingress-filtering=no interface=ether4
/interface bridge port add bridge=bridge_lan ingress-filtering=no interface=ether5
/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=k.l.m.23 endpoint-port=51820 interface=PVPN persistent-keepalive=40m public-key="somekey"
/ip address add address=xxx.yyy.bb.10/24 interface=bridge_lan network=xxx.yyy.bb.0
/ip address add address=xxx.yyy.zzz.30/24 interface=ether1 network=xxx.yyy.zzz.0
/ip address add address=10.2.0.2/24 interface=PVPN network=10.2.0.0
/ip dns set allow-remote-requests=yes servers=10.2.0.1
/ip firewall nat add action=masquerade chain=srcnat out-interface=PVPN
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=xxx.yyy.zzz.1 pref-src="" routing-table=main suppress-hw-offload=no
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PVPN pref-src="" routing-table=wg-pvpn suppress-hw-offload=no
/routing rule add action=lookup-only-in-table disabled=no src-address=xxx.yyy.bb.99/32 table=wg-pvpn
/routing rule add action=lookup-only-in-table disabled=no src-address=xxx.yyy.bb.81/32 table=wg-pvpn
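One way to get the behaviour asked for above, as an added example that is not part of the original post and not the poster's own configuration: RouterOS evaluates routing rules top-down and the first matching rule with a terminal action decides the lookup, so a rule that sends LAN-to-LAN traffic (which includes traffic to the router's own LAN address xxx.yyy.bb.10) to the main table must come before the catch-all rule that forces the LAN subnet into the wg-pvpn table. The two /32 rules from the original configuration become redundant once the subnet-wide rule exists. Addresses and table names are taken from the post; the rule ordering and the comments are assumptions added here.

```routeros
# Rule 1: anything going from the LAN to the LAN (other hosts, or the
# router's own LAN address xxx.yyy.bb.10) is resolved in the main table,
# which holds the connected route for xxx.yyy.bb.0/24 and the local route
# for the router's address. lookup-only-in-table makes this rule terminal,
# so rule 2 is never consulted for this traffic.
/routing rule add action=lookup-only-in-table disabled=no \
    src-address=xxx.yyy.bb.0/24 dst-address=xxx.yyy.bb.0/24 table=main \
    comment="LAN<->LAN and LAN->router stay local"

# Rule 2: everything else sourced from the LAN is resolved only in wg-pvpn,
# whose single route is 0.0.0.0/0 via the PVPN WireGuard interface.
# Because the table has no connected routes, a packet that is not caught by
# rule 1 can only leave through the tunnel, never to the ISP router.
/routing rule add action=lookup-only-in-table disabled=no \
    src-address=xxx.yyy.bb.0/24 table=wg-pvpn \
    comment="LAN->Internet via VPN only"

# The existing per-host /32 rules are covered by rule 2 and can be removed:
/routing rule remove [find src-address=xxx.yyy.bb.99/32]
/routing rule remove [find src-address=xxx.yyy.bb.81/32]
```

Check the order with `/routing rule print`; if rule 2 ends up above rule 1, move it with `/routing rule move`. The WireGuard peer endpoint k.l.m.23 is reached from ether1 (xxx.yyy.zzz.30), which is outside the LAN subnet, so the tunnel's own packets keep using the main table and the ISP default route. Rule 2 is deliberately lookup-only-in-table rather than lookup: with plain lookup a miss in wg-pvpn (for example while the tunnel is down) would fall through to main and leak LAN traffic directly out via the ISP.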