10/12/2023
Mikrotik wireguard firewall

Hello everyone. I've configured a Wireguard server on my router running RouterOS 7.1. I have some remote roadwarrior clients, who should be able to reach the internal network and a few machines inside it.

interface wireguard add listen-port=37850 mtu=1420 name=wireguard1
interface/wireguard/peers add allowed-address=10.0.12.2/32 interface=wireguard1 persistent-keepalive=25 comment="client1"

Added a firewall rule and moved it almost to the top of the list:

ip firewall filter add action=accept chain=input comment="Allow Wireguard" dst-port=37850 protocol=udp src-address=10.0.12.0/24

Added a NAT rule and also moved it high up:

ip firewall nat add action=src-nat chain=srcnat comment="Wireguard SRC-NAT Wireguard:10.0.12.0/24 -> ether1 traffic" out-interface=ether1 src-address=10.0.12.0/24 to-addresses=

It actually works, but I have a few questions about the firewall and NAT rules.
Are the above firewall and NAT rules correct?
Should I also specify the Wireguard network (10.0.12.) in the firewall rules?
What would be the recommended firewall/NAT rules to configure to make this setup work and increase security?

Reply:

Up until the firewall you had it correct:

/interface/wireguard add listen-port=$whatever-port-you-run-wg-on mtu=1420 name=wireguard1
/ip/address add address=a.b.c.1/24 interface=wireguard1 network=a.b.c.0
/interface/wireguard/peers add allowed-address=a.b.c.2/32 interface=wireguard1 public-key="whatever"
/ip/firewall/filter add action=accept chain=input comment="allow wireguard" dst-port=$whatever-port-you-run-wg-on protocol=udp

In the accept chain you don't specify addresses (unless you do site-to-site and know their public IPs), and there's no need for NAT. Except it still may not pass traffic, because chances are that you don't forward traffic between subnets in your firewall. So you can either add the wireguard1 interface into the LAN interface list (if you do not want extra firewalling on it, and understand the implications), or add two accept rules (one for src-address of your wireguard1 network, another for dst-address) into the forward chain.
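A complete version of the setup the reply describes, added here as a worked example; it is not the configuration posted by either participant. The tunnel subnet 10.0.12.0/24 with the router at 10.0.12.1, UDP port 37850, the LAN range 192.168.88.0/24, the interface list name "LAN" and the placeholder client key are assumptions chosen to match the question; substitute your own values.

```routeros
# Added example, not from the thread. Assumed values: tunnel 10.0.12.0/24 (router 10.0.12.1),
# listen port 37850, LAN 192.168.88.0/24, interface list "LAN", placeholder peer key.

/interface/wireguard
add listen-port=37850 mtu=1420 name=wireguard1

# The router needs its own address on the tunnel so it can route between
# the WireGuard subnet and the LAN.
/ip/address
add address=10.0.12.1/24 interface=wireguard1 network=10.0.12.0

# One peer per roadwarrior; allowed-address is that client's tunnel IP only,
# so a peer cannot spoof another client's address inside the tunnel.
/interface/wireguard/peers
add allowed-address=10.0.12.2/32 interface=wireguard1 persistent-keepalive=25 \
    public-key="<client1-public-key>" comment="client1"

/ip/firewall/filter
# input: the handshake arrives from the client's public IP, which is unknown for
# roadwarriors, so no src-address. Note that 10.0.12.0/24 is the address range
# inside the tunnel and never appears as the source of the outer UDP packet,
# so matching src-address=10.0.12.0/24 here would not match the handshake.
# place-before=0 puts the rule at the top, ahead of any drop rule.
add action=accept chain=input comment="allow wireguard" dst-port=37850 protocol=udp place-before=0

# forward, option B from the reply: explicit rules in both directions instead of
# adding wireguard1 to the LAN list. Put these above your drop rules in the forward
# chain (place-before=<number of your first forward drop rule>).
add action=accept chain=forward comment="wireguard -> LAN" \
    in-interface=wireguard1 src-address=10.0.12.0/24 dst-address=192.168.88.0/24
add action=accept chain=forward comment="LAN -> wireguard" \
    out-interface=wireguard1 src-address=192.168.88.0/24 dst-address=10.0.12.0/24

# forward, option A from the reply (use instead of the two rules above): treat the
# tunnel as LAN. Everything your LAN rules allow is then allowed for VPN clients too.
# /interface/list/member
# add interface=wireguard1 list=LAN

# No srcnat rule for 10.0.12.0/24: LAN hosts use this router as their gateway, so
# replies to tunnel addresses route back through it without translation.
```

The two forward rules are the tighter choice because they can be narrowed further (for example to the "few machines" in the question by replacing dst-address with an address list), whereas the interface-list approach gives VPN clients the same reach as any device on the LAN.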