Disable WIREGUARD clients from local LAN
Posted: Thu Apr 18, 2024 1:23 pm
Hi
I have WireGuard set up on an AX2, works well.
How do I prevent LAN users from connecting locally to the WG service on the gateway router?
Users forget to deactivate the tunnel while being in the office, which leads to problems.
Filtering on the firewall seems to not have an effect. Some part of the config:
xxx.xxx.xxx.xxx - public IP
192.168.11.0/24 - LAN subnet
Code:
/ip firewall filter
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input dst-port=443 in-interface-list=WAN protocol=udp
add action=drop chain=input dst-port=443 protocol=udp
add action=accept chain=input dst-port=53 in-interface=wireguard1 protocol=udp
add action=drop chain=input
add action=drop chain=forward dst-address=xxx.xxx.xxx.xxx dst-port=443 protocol=udp src-address=192.168.11.0/24
/ip firewall raw
add action=drop chain=prerouting dst-port=443 in-interface-list=LAN protocol=udp
add action=drop chain=prerouting dst-address=xxx.xxx.xxx.xxx dst-port=443 protocol=udp src-address=192.168.11.0/24
I don't see any other working way to filter LAN traffic to the WireGuard server on port 443/UDP.
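An added first-match walk-through of the ruleset above (example code, not from the thread) for a packet addressed to the router: raw/prerouting is consulted before connection tracking, then filter/input, and the first matching rule in each chain decides. The public IP, the interface-list membership and the three packets are constructed assumptions, and the forward rule is left out because it is not evaluated for router-bound traffic.

```python
import ipaddress
PUBLIC_IP = "203.0.113.10"  # constructed stand-in for the masked xxx.xxx.xxx.xxx in the post
IFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge"}}  # assumed membership; the post does not show the lists
RAW = f"""add action=drop chain=prerouting dst-port=443 in-interface-list=LAN protocol=udp
add action=drop chain=prerouting dst-address={PUBLIC_IP} dst-port=443 protocol=udp src-address=192.168.11.0/24"""
FILTER = """add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input dst-port=443 in-interface-list=WAN protocol=udp
add action=drop chain=input dst-port=443 protocol=udp
add action=accept chain=input dst-port=53 in-interface=wireguard1 protocol=udp
add action=drop chain=input"""

def parse(text):
    # RouterOS "add k=v ..." lines -> list of dicts, order preserved because first match wins
    return [dict(p.split("=", 1) for p in line.split()[1:]) for line in text.splitlines()]

def matches(rule, pkt, lists):
    # every matcher in the rule must hold; "action" and "chain" are not matchers
    checks = {
        "src-address": lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v, strict=False),
        "dst-address": lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v, strict=False),
        "dst-port": lambda v: pkt["dport"] == int(v),
        "protocol": lambda v: pkt["proto"] == v,
        "in-interface": lambda v: pkt["in_if"] == v,
        "in-interface-list": lambda v: pkt["in_if"] in lists.get(v, set()),
        "connection-state": lambda v: pkt["state"] in v.split(","),
    }
    return all(checks[k](v) for k, v in rule.items() if k not in ("action", "chain"))

def first_match(rules, chain, pkt, lists):
    # (index, action) of the first rule in the chain that matches; an unmatched chain accepts
    hits = [(i, r["action"]) for i, r in enumerate(rules) if r["chain"] == chain and matches(r, pkt, lists)]
    return hits[0] if hits else (None, "accept")

def verdict(pkt, lists=IFACE_LISTS):
    # packet addressed to the router: raw/prerouting runs before connection tracking, then filter/input
    table, (i, action) = "raw prerouting", first_match(parse(RAW), "prerouting", pkt, lists)
    if action != "drop":
        table, (i, action) = "filter input", first_match(parse(FILTER), "input", pkt, lists)
    return table, i, action

# constructed packets: the same LAN host reaching the WireGuard port over three different paths
VIA_BRIDGE = dict(src="192.168.11.5", dst=PUBLIC_IP, proto="udp", dport=443, in_if="bridge", state="new")
UNLISTED_IF = dict(VIA_BRIDGE, dst="192.168.11.1", in_if="wifi2")  # LAN-side address, interface missing from the LAN list
OLD_SESSION = dict(UNLISTED_IF, state="established")  # flow that conntrack already knew before the drop rules were added

if __name__ == "__main__":
    for name, pkt in [("via bridge", VIA_BRIDGE), ("unlisted iface", UNLISTED_IF), ("old session", OLD_SESSION)]:
        print(f"{name:15} -> {verdict(pkt)}")
```

The third packet shows why order matters when drops are added to a running router: a flow conntrack already tracks is accepted by the established/related rule at index 2 before the UDP/443 drop at index 5 is reached, and the raw rule at index 0 only helps when the ingress interface really is in the LAN list.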