Disable WIREGUARD clients from local LAN

Posted: Thu Apr 18, 2024 1:23 pm
by suszi
Hi
I have Wireguard set up on AX2, works well.

How to prevent LAN users from connecting locally to the WG service on the Gateway Router?
Users forget to deactivate the tunnel while being in the office, and it leads to problems

Filtering on the firewall seems to have no effect - part of the config:
/ip firewall filter
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid

add action=accept chain=input dst-port=443 in-interface-list=WAN protocol=udp
add action=drop chain=input dst-port=443 protocol=udp

add action=accept chain=input dst-port=53 in-interface=wireguard1 protocol=udp
add action=drop chain=input 

add action=drop chain=forward dst-address=xxx.xxx.xxx.xxx dst-port=443 protocol=udp src-address=192.168.11.0/24


/ip firewall raw
add action=drop chain=prerouting dst-port=443 in-interface-list=LAN protocol=udp
add action=drop chain=prerouting dst-address=xxx.xxx.xxx.xxx dst-port=443 protocol=udp src-address=192.168.11.0/24
xxx.xxx.xxx.xxx - public IP
192.168.11.0/24 - LAN subnet

I don't see any other working way to filter LAN traffic to the WireGuard server on port 443/UDP

Re: Disable WIREGUARD connecting by LAN users

Posted: Thu Apr 18, 2024 1:39 pm
by normis
The issue is that people that use this WG while away from the office, return to office and their tunnel is still enabled?
I think it should pose no issue, maybe just fix whatever routing or IP address conflict you have and they can keep their WG active all the time

Re: Disable WIREGUARD clients from local LAN

Posted: Thu Apr 18, 2024 2:08 pm
by suszi
Thanks for quick reply.

Yes, exactly, they don't turn off the tunnel.

But leaving this ON while in the office has performance issues - the network speed is 1Gbps, and WG performance is around 300Mbps (or is the AX2 capable of doing 1Gbps encryption?)

Downloading anything from servers will take 3x longer, CPU usage on the gateway will be higher than needed, etc.

I'm seeking to block WG connecting from the LAN or stick the WG server to the WAN interface only...

Re: Disable WIREGUARD clients from local LAN

Posted: Thu Apr 18, 2024 3:34 pm
by llamajaja
You are mistaken, the only traffic that is really slowed down by wireguard is wireguard traffic, as the CPU handles this functionality.
The tunnels are supposed to maintain 'touch' at both ends, hence the keep alive function.
This activity will not harm the ax3 or have any effects on other normal traffic. In other words this issue is a nothing burger.

What would be cool but unlikely is if somehow MT could move the encryption from CPU to hardware encryption, but I don't think this is physically possible.

Re: Disable WIREGUARD clients from local LAN

Posted: Thu Apr 18, 2024 4:08 pm
by normis
In my opinion, if this particular user is really worried about 300Mbit vs 1000Mbit as a problem, he can turn off the tunnel himself.

Re: Disable WIREGUARD clients from local LAN

Posted: Thu Apr 18, 2024 4:41 pm
by ips
Users usually forget to disable the tunnel, then they experience a slowdown and they loudly complain to the IT guys even before checking if the VPN is still active. That's my experience, yours can be different, but I understand the point.

Re: Disable WIREGUARD clients from local LAN

Posted: Thu Apr 18, 2024 6:22 pm
by llamajaja
The traffic that will appear slower to the user on the router will be the traffic going out Wireguard.
Other traffic going out the local WAN should not be affected.

Re: Disable WIREGUARD clients from local LAN

Posted: Fri Apr 19, 2024 10:23 am
by pajapatak
edit: just tested the rule mentioned above
add action=drop chain=forward dst-address=xxx.xxx.xxx.xxx dst-port=443 protocol=udp src-address=192.168.11.0/24
and it does work...
Is the order of the rules in your firewall correct?
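The rule-order question above, and the config in the first post, come down to which chain a packet actually traverses and which rule matches first. The following is an added example, not code from the thread or from MikroTik: a small first-match model of the RouterOS raw/filter chains that replays the original poster's rules against constructed packets. It assumes the public IP (a placeholder here, 203.0.113.10, standing in for xxx.xxx.xxx.xxx) is configured on the router itself, so packets from the LAN to that address are handled in the input chain rather than forward; if the public address lived on an upstream device instead, the same packets would be forwarded and the forward rule would apply. It also assumes the interface lists WAN = {ether1} and LAN = {bridge}, and that the LAN uses 192.168.11.1 as gateway; none of these values are from the thread.

```python
# Added example (not from the forum thread): a first-match model of RouterOS
# raw/filter chains, used to trace which rule a packet hits and in which chain.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PUBLIC_IP = "203.0.113.10"                       # constructed stand-in for xxx.xxx.xxx.xxx
ROUTER_IPS = {ip_address(PUBLIC_IP), ip_address("192.168.11.1"), ip_address("127.0.0.1")}
IFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge"}}   # assumed interface-list membership


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_iface: str
    conn_state: str = "new"   # what connection tracking reports for this packet


@dataclass
class Rule:
    chain: str
    action: str
    name: str                 # label used only for tracing
    match: dict


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher listed on the rule must hold, as on a RouterOS rule."""
    for key, want in rule.match.items():
        if key == "dst-address" and ip_address(pkt.dst) not in ip_network(want, strict=False):
            return False
        if key == "src-address" and ip_address(pkt.src) not in ip_network(want, strict=False):
            return False
        if key == "dst-port" and pkt.dport != want:
            return False
        if key == "protocol" and pkt.proto != want:
            return False
        if key == "in-interface" and pkt.in_iface != want:
            return False
        if key == "in-interface-list" and pkt.in_iface not in IFACE_LISTS.get(want, set()):
            return False
        if key == "connection-state" and pkt.conn_state not in want.split(","):
            return False
    return True


def run_chain(rules, chain, pkt):
    """First matching rule wins; RouterOS accepts when no rule in the chain matches."""
    for rule in rules:
        if rule.chain == chain and rule_matches(rule, pkt):
            return rule.action, rule.name
    return "accept", None


def trace(pkt, filter_rules, raw_rules):
    """raw/prerouting runs before connection tracking; the routing decision then
    sends packets addressed to the router to input and everything else to forward."""
    action, name = run_chain(raw_rules, "prerouting", pkt)
    if action == "drop":
        return action, "raw/prerouting", name
    chain = "input" if ip_address(pkt.dst) in ROUTER_IPS else "forward"
    action, name = run_chain(filter_rules, chain, pkt)
    return action, f"filter/{chain}", name


# The original poster's rules, transcribed in the order they were posted.
FILTER = [
    Rule("input", "accept", "accept-loopback", {"dst-address": "127.0.0.1"}),
    Rule("input", "accept", "accept-winbox", {"dst-port": 8291, "protocol": "tcp"}),
    Rule("input", "accept", "accept-established", {"connection-state": "established,related,untracked"}),
    Rule("input", "drop", "drop-invalid", {"connection-state": "invalid"}),
    Rule("input", "accept", "accept-wg-from-wan", {"dst-port": 443, "protocol": "udp", "in-interface-list": "WAN"}),
    Rule("input", "drop", "drop-wg-other", {"dst-port": 443, "protocol": "udp"}),
    Rule("input", "accept", "accept-dns-from-wg", {"dst-port": 53, "protocol": "udp", "in-interface": "wireguard1"}),
    Rule("input", "drop", "drop-input-rest", {}),
    Rule("forward", "drop", "drop-wg-forward",
         {"dst-address": PUBLIC_IP, "dst-port": 443, "protocol": "udp", "src-address": "192.168.11.0/24"}),
]
RAW = [
    Rule("prerouting", "drop", "raw-drop-wg-from-lan-list", {"dst-port": 443, "protocol": "udp", "in-interface-list": "LAN"}),
    Rule("prerouting", "drop", "raw-drop-wg-from-lan-subnet",
         {"dst-address": PUBLIC_IP, "dst-port": 443, "protocol": "udp", "src-address": "192.168.11.0/24"}),
]


def scenarios():
    """Constructed packets: a remote peer on WAN, and a LAN client both as a fresh
    handshake and as a flow conntrack already considers established."""
    wan_new = Packet("198.51.100.7", PUBLIC_IP, "udp", 443, "ether1")
    lan_new = Packet("192.168.11.50", PUBLIC_IP, "udp", 443, "bridge")
    lan_tracked = Packet("192.168.11.50", PUBLIC_IP, "udp", 443, "bridge", conn_state="established")
    return {
        "wan-new": trace(wan_new, FILTER, RAW),
        "lan-new-filter-only": trace(lan_new, FILTER, []),
        "lan-new-forward-rule-only": trace(lan_new, [FILTER[-1]], []),
        "lan-tracked-filter-only": trace(lan_tracked, FILTER, []),
        "lan-tracked-with-raw": trace(lan_tracked, FILTER, RAW),
    }


if __name__ == "__main__":
    for label, (action, chain, name) in scenarios().items():
        print(f"{label:28s} -> {action:6s} in {chain} ({name})")
```

Two things the trace makes visible. A packet from the LAN to an address that belongs to the router never enters forward, so the forward rule on its own has no effect on it. In the input chain the accept for established,related,untracked sits above the UDP/443 drop, so a tunnel whose flow is already in the connection table keeps passing until that entry times out or is removed, while a brand-new handshake is dropped; the raw/prerouting rule catches both cases because it runs before connection tracking.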