Chasteaux
just joined
Topic Author
Posts: 2
Joined: Sat Nov 26, 2022 7:29 am

Route specific source connections through WG

Sat Nov 26, 2022 7:43 am

I am sure I am missing something basic.
I am trying to route traffic from a specific list of hosts through a WireGuard VPN.
# nov/25/2022 21:36:20 by RouterOS 7.6
# software id = 18FZ-89CU
#
# model = RB3011UiAS
/ip firewall address-list
add address=192.168.88.253 list=wireguard
I set up WireGuard on my router:
# nov/25/2022 23:41:45 by RouterOS 7.6
# software id = 18FZ-89CU
#
# model = RB3011UiAS

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireguard peers
add endpoint-address=us9690.nordvpn.com endpoint-port=51820 interface=wireguard1 persistent-keepalive=25s public-key=\
    "<pub>"
Now, how do I tell it to route everything from that list through the WireGuard VPN, but still allow LAN connections (192.168.88.0/24)?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route specific source connections through WG

Sun Nov 27, 2022 3:34 am

Need full config please, if I am to be of assistance.
/export hide-sensitive file=anynameyouwish ( minus router serial number and any public WANIP information )
 
wuhoatu
just joined
Posts: 8
Joined: Tue Nov 15, 2022 4:22 am

Re: Route specific source connections through WG  [SOLVED]

Sun Nov 27, 2022 8:17 am

Put this at the top of the mangle tab, so it will accept all your local connections without routing them to any other interface.
/ip firewall mangle
add action=accept chain=prerouting disabled=no src-address=192.168.88.0/24 dst-address=192.168.88.0/24 in-interface=BridgeLAN
Then you can route an IP-list connection via the VPN routing table with dst-address-type not local:
/ip firewall mangle
add action=mark-routing chain=prerouting src-address-list=ListA dst-address-list=ListB dst-address-type=!local new-routing-mark=VPN_routing_table passthrough=no
 
Chasteaux
just joined
Topic Author
Posts: 2
Joined: Sat Nov 26, 2022 7:29 am

Re: Route specific source connections through WG

Mon Nov 28, 2022 11:42 pm

Put this at the top of the mangle tab, so it will accept all your local connections without routing them to any other interface.
/ip firewall mangle
add action=accept chain=prerouting disabled=no src-address=192.168.88.0/24 dst-address=192.168.88.0/24 in-interface=BridgeLAN
Then you can route an IP-list connection via the VPN routing table with dst-address-type not local:
/ip firewall mangle
add action=mark-routing chain=prerouting src-address-list=ListA dst-address-list=ListB dst-address-type=!local new-routing-mark=VPN_routing_table passthrough=no
I got it to work by adding a new routing table with the wireguard as the default gateway, and creating a routing rule to use this table for the specific clients that I want to go through vpn.
Is that basically what this mangle rule is doing?
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.2.1
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=usWG1 suppress-hw-offload=no
/routing table
add fib name=usWG1
/routing rule
add action=lookup disabled=no src-address=192.168.88.254/32 table=usWG1
add action=lookup disabled=no src-address=192.168.88.250/32 table=usWG1
add action=lookup disabled=no src-address=192.168.88.251/32 table=usWG1
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route specific source connections through WG

Tue Nov 29, 2022 1:31 am

That is the better way, yes; you can do an entire subnet or 3 individual users. All good.

By the way, if they also need to access a different subnet on the LAN, just put another routing rule BEFORE the WG ones, so that they can access local devices such as a printer.
add dst-address=IPofPrinter action=lookup-only-in-table table=main
 
malabar
just joined
Posts: 9
Joined: Sat Apr 01, 2023 10:56 pm
Location: Barcelona

Re: Route specific source connections through WG

Wed Apr 05, 2023 4:01 pm

That is the better way, yes; you can do an entire subnet or 3 individual users. All good.

By the way, if they also need to access a different subnet on the LAN, just put another routing rule BEFORE the WG ones, so that they can access local devices such as a printer.
add dst-address=IPofPrinter action=lookup-only-in-table table=main
Hi anav,

I'm promoting this post as I have a very similar situation described. Let me know if I need to open a new post.
See below my network diagram:

[Image: network diagram]

My problem is, when I access my local network via Wireguard - Road Warrior from outside (laptop with IP 192.168.50.2), I have access to my router and all LAN devices (I added Wireguard interface to LAN interface list), except access to the Raspberry Pi which is routed to Surfshark VPN (via Wireguard), since I need all traffic from this device to go out via VPN.

My question is, how can I keep this Raspberry routed to Surfshark VPN, and at the same time be able to access it from outside my local network?

Here's routing code:
/routing rule
add action=lookup-only-in-table comment="Orange Pi" disabled=no interface=\
    bridge src-address=192.168.87.241/32 table=Surfshark
I've already tried changing the action to "lookup", but it doesn't work.

Firewall address lists and filters:
/ip firewall address-list
add address=192.168.87.241 list=Under_VPN
add address=192.168.87.247 disabled=yes list=Under_VPN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Allow OpenVPN" dst-port=1194 protocol=\
    tcp
add action=accept chain=input comment="Allow Wireguard - Road Warrior" \
    dst-port=22134 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow IPSec" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="accept vpn encrypted input traffic" \
    ipsec-policy=in,ipsec src-address=192.168.67.0/24
add action=accept chain=input comment=\
    "Allow Wireguard - Road Warrior reach LAN" disabled=yes src-address=\
    192.168.50.0/24
add action=accept chain=input comment=\
    "Accept vlan2 & 3  (IPTV & VoIP) multicast & broadcast traffic" \
    dst-address-type=!unicast in-interface-list=Vlan2&3
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment=\
    "drop communication from LAN to GUEST network" dst-address=\
    192.168.77.0/24 src-address=192.168.87.0/24
add action=drop chain=forward comment=\
    "drop communication from GUEST network to LAN" dst-address=\
    192.168.87.0/24 src-address=192.168.77.0/24
add action=drop chain=forward comment="Block Brother printer to Internet" \
    out-interface-list=WAN src-address=192.168.87.249
add action=drop chain=forward comment=\
    "Drop all new unicast traffic from vlan3 & 2 (Voip & Iptv) not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new dst-address-type=\
    unicast in-interface-list=Vlan2&3
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

IP addresses:
/ip address
add address=192.168.87.1/24 comment=defconf interface=bridge network=\
    192.168.87.0
add address=192.168.77.1/24 interface=bridge-guests network=192.168.77.0
add address=10.14.0.2/16 interface=WG-Surfshark network=10.14.0.0
add address=192.168.50.1/24 interface=Wireguard-rw network=192.168.50.0

Thanks in advance,
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route specific source connections through WG

Wed Apr 05, 2023 4:40 pm

First try this....

/routing rule
add action=lookup-only-in-table dst-address=192.168.50.2 table=main { has to be first rule }
add action=lookup-only-in-table comment="Orange Pi" src-address=192.168.87.241/32 table=Surfshark { note dont need bridge interface in there }
 
malabar
just joined
Posts: 9
Joined: Sat Apr 01, 2023 10:56 pm
Location: Barcelona

Re: Route specific source connections through WG

Wed Apr 05, 2023 5:36 pm

First try this....

/routing rule
add action=lookup-only-in-table dst-address=192.168.50.2 table=main { has to be first rule }
add action=lookup-only-in-table comment="Orange Pi" src-address=192.168.87.241/32 table=Surfshark { note dont need bridge interface in there }

Ah yes! It works:

- I removed "bridge" interface as mentioned.
- Added in first position the rule you said. As I have several devices going through WireGuard, I specified the whole range of IPs (192.168.50.0/24); I guess it's OK?

[Image]

Thanks anav,
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route specific source connections through WG

Wed Apr 05, 2023 6:02 pm

Yup, if you need LAN-to-LAN traffic from the users going out WireGuard, "THIS IS THE WAY".
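As an added illustration (not part of any post in this thread, and not RouterOS code), here is a small Python model of the policy-routing behaviour discussed above: ordered routing rules pick a table, the table does a longest-prefix match, and the rule order decides whether the Pi's replies to the road-warrior client (malabar's case) or to another local subnet (anav's printer example) go back out the right interface instead of into the commercial VPN tunnel. The addresses and table names come from the thread; the ISP next-hop name "isp", the function names, and the fallback semantics of lookup versus lookup-only-in-table (modelled on the RouterOS documentation: lookup falls back to main when the chosen table has no route, lookup-only-in-table does not) are this example's own assumptions.

```python
"""Model of RouterOS policy routing: ordered /routing rule entries choose a
routing table, then the table is searched by longest-prefix match.
Added example; the semantics below are assumptions based on RouterOS docs."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IPv4 = ipaddress.IPv4Address


@dataclass
class Route:
    dst: str       # CIDR, e.g. "0.0.0.0/0"
    gateway: str   # interface or next-hop name, e.g. "WG-Surfshark"


@dataclass
class Table:
    routes: List[Route] = field(default_factory=list)

    def lookup(self, dst: IPv4) -> Optional[str]:
        """Longest-prefix match; None if the table has no matching route."""
        best = None
        for r in self.routes:
            net = ipaddress.ip_network(r.dst)
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, r.gateway)
        return None if best is None else best[1]


@dataclass
class Rule:
    action: str                        # "lookup" or "lookup-only-in-table"
    table: str
    src_address: Optional[str] = None  # like src-address=192.168.87.241/32
    dst_address: Optional[str] = None  # like dst-address=192.168.50.0/24

    def matches(self, src: IPv4, dst: IPv4) -> bool:
        if self.src_address and src not in ipaddress.ip_network(self.src_address, strict=False):
            return False
        if self.dst_address and dst not in ipaddress.ip_network(self.dst_address, strict=False):
            return False
        return True


def resolve(rules: List[Rule], tables: Dict[str, Table], src: str, dst: str) -> Optional[str]:
    """Gateway a packet src->dst would use, or None if it is unroutable.

    Assumed semantics: rules are tried top-down and the first match wins;
    'lookup' falls back to the main table when the chosen table has no route;
    'lookup-only-in-table' never falls back, so the packet is dropped instead
    of leaving through the main table.
    """
    s, d = IPv4(src), IPv4(dst)
    for rule in rules:
        if not rule.matches(s, d):
            continue
        gw = tables[rule.table].lookup(d)
        if gw is not None or rule.action == "lookup-only-in-table":
            return gw
        break  # 'lookup' found nothing: fall back to main
    return tables["main"].lookup(d)


# Constructed from the thread: LAN 192.168.87.0/24 on the bridge, road-warrior
# clients 192.168.50.0/24 on Wireguard-rw, the VPN tunnel WG-Surfshark, and an
# ISP next-hop simply called "isp" here (assumed name).
MAIN = Table([Route("192.168.87.0/24", "bridge"),
              Route("192.168.50.0/24", "Wireguard-rw"),
              Route("0.0.0.0/0", "isp")])
SURFSHARK = Table([Route("0.0.0.0/0", "WG-Surfshark")])
TABLES = {"main": MAIN, "Surfshark": SURFSHARK}

PI = "192.168.87.241"      # the device that must use the VPN
LAPTOP = "192.168.50.2"    # road-warrior client

PI_RULE = Rule("lookup-only-in-table", "Surfshark", src_address=PI + "/32")
LAN_FIRST = Rule("lookup-only-in-table", "main", dst_address="192.168.50.0/24")


def reply_path(rules: List[Rule], tables: Dict[str, Table] = TABLES) -> Optional[str]:
    """Interface the Pi's reply to the road-warrior laptop leaves on."""
    return resolve(rules, tables, PI, LAPTOP)


def internet_path(rules: List[Rule], src: str = PI, tables: Dict[str, Table] = TABLES) -> Optional[str]:
    """Interface a host's Internet-bound packet leaves on."""
    return resolve(rules, tables, src, "1.1.1.1")


def tunnel_down_path(action: str) -> Optional[str]:
    """Where the Pi's Internet traffic goes once the VPN table has lost its route."""
    tables = {"main": MAIN, "Surfshark": Table()}
    return resolve([Rule(action, "Surfshark", src_address=PI + "/32")], tables, PI, "1.1.1.1")


if __name__ == "__main__":
    print("Pi rule only, reply to laptop    :", reply_path([PI_RULE]))
    print("LAN rule first, reply to laptop  :", reply_path([LAN_FIRST, PI_RULE]))
    print("LAN rule first, Pi to Internet   :", internet_path([LAN_FIRST, PI_RULE]))
    print("Tunnel route gone, lookup-only   :", tunnel_down_path("lookup-only-in-table"))
    print("Tunnel route gone, plain lookup  :", tunnel_down_path("lookup"))
```

With only the Pi rule, the reply to 192.168.50.2 is sent into WG-Surfshark because the VPN table's 0.0.0.0/0 matches everything, which is why switching the action to "lookup" changed nothing for malabar; a dst-address rule ahead of it sends that traffic back through Wireguard-rw. The last function shows why lookup-only-in-table is the safer choice for a host that must never bypass the VPN: if the VPN table ever loses its default route, that host's traffic is dropped rather than silently leaving via the ISP.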
