I do want remote users to be able to reach R1 and R2, and that is working without a problem.
by anav » Wed Dec 27, 2023 4:53 pm
Comments: Okay, so we solved the initial problems: subnet .100 (R1) can reach subnet .88 (R2), and the reverse should not be possible.
So now I find it very confusing that you are asking for R2 to be able to ping the R1 subnet. Are you confused?? The only thing that should be pingable from R2 is the WireGuard IP address of R1.
The only thing that makes sense to me is that you want remote wireguard users to be able to reach R1 and R2 subnets????
Sorry, deleted by accident, will provide it tomorrow.
Observations
R1
(1) Missing the Wireguard peer settings!!
(2) Don't like your firewall input chain rules:
a. they are OUT of order and
b. messy, and you have duplicate rules for the WG handshake!!
c. not efficient: if your WireGuard interface is part of the LAN interface list, then you allow all LAN interface members to your WinBox port and no other rule is required.
d. not efficient, as you do not need to allow LAN to DNS because you allow all LAN to the router anyway via the last rule.
a. I will correct this with the suggestions given in your post.
b. I'm not sure I know which rule you are talking about.
c. I will do that and delete the firewall rule that is not required.
d. Yea, but after I modified the drop-all rule and removed connection state invalid it stopped working, and this made it work again.
Yea, after I removed the invalid option in this rule I was unable to access the DNS server from VLANs 150 and 200.
(3) Missing the invalid rule in the forward chain after the established/related rule.
Road warriors can access R1 and its subnets without a problem, but I will make the changes you suggested.
(4) If you want to allow remote WG users to access R1 subnets, then on R1 add:
add action=accept chain=forward comment="Internet traffic" in-interface-list=\
LAN out-interface-list=WAN
add action=accept chain=forward comment="Access to R2-outgoing" \
out-interface=wireguard1 src-address=192.168.100.0/24
add action=accept chain=forward in-interface=wireguard1 src-address-list=VPN out-interface-list=LAN { if not all vlans then state which one }
add action=accept chain=forward comment="Wireguard relay" in-interface=\
wireguard1 out-interface=wireguard1
add action=accept chain=forward comment="Port forwarding" \
connection-nat-state=dstnat
add action=accept chain=forward comment="VLAN200 to DNS" dst-address=\
192.168.100.103 in-interface=VLAN_200
add action=accept chain=forward comment="VLAN150 to DNS" dst-address=\
192.168.100.103 in-interface=VLAN_150
add action=drop chain=forward comment="drop all else"
5. Will delete, I forgot about that.
6. All VLANs have the same DNS server on VLAN100.
7. I think I got it: we send the subnet across the tunnel, and then on R2 we decide with firewall rules what goes to the LAN on R2.
8. Will be removed, it was just experimentation.
9. Yea, I removed connection state invalid because I didn't see it in your first post. Sorry.
10. Will address that. I don't use IPv6; that's a whole new level for me and I don't wanna go there...
Statistics: Posted by gigabyte091 — Wed Dec 27, 2023 8:28 pm
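As an added illustration that is not part of the thread (and not RouterOS code), here is a small Python model of the forward chain anav lists above, evaluated first-match the way RouterOS does, so the effect of rule order and of the "invalid" rule can be checked offline. The LAN/WAN interface-list membership, the VPN address list (10.10.10.0/24) and the WAN port name are assumptions.

```python
import ipaddress

# Constructed model of the forward chain suggested in the thread, evaluated first-match
# like RouterOS. Interface-list membership, the VPN address list and the WAN port are assumed.
LAN = {"VLAN_100", "VLAN_150", "VLAN_200", "wireguard1"}  # wireguard1 assumed to be in LAN list
WAN = {"ether1"}
VPN = [ipaddress.ip_network("10.10.10.0/24")]            # assumed road-warrior address list
DNS = ipaddress.ip_address("192.168.100.103")
R1_SUBNET = ipaddress.ip_network("192.168.100.0/24")

FORWARD = [
    {"action": "accept", "state": {"established", "related"}},
    {"action": "drop", "state": {"invalid"}},                              # the missing invalid rule
    {"action": "accept", "in_list": LAN, "out_list": WAN},                 # Internet traffic
    {"action": "accept", "out_if": "wireguard1", "src": [R1_SUBNET]},      # Access to R2 - outgoing
    {"action": "accept", "in_if": "wireguard1", "src": VPN, "out_list": LAN},  # remote WG users
    {"action": "accept", "in_if": "wireguard1", "out_if": "wireguard1"},   # Wireguard relay
    {"action": "accept", "in_if": "VLAN_200", "dst": DNS},                 # VLAN200 to DNS
    {"action": "accept", "in_if": "VLAN_150", "dst": DNS},                 # VLAN150 to DNS
    {"action": "drop"},                                                    # drop all else
]

def matches(rule, pkt):
    """True if every match criterion present in the rule holds for the packet."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    checks = {
        "state": lambda v: pkt["state"] in v,
        "in_list": lambda v: pkt["in_if"] in v,
        "out_list": lambda v: pkt["out_if"] in v,
        "in_if": lambda v: pkt["in_if"] == v,
        "out_if": lambda v: pkt["out_if"] == v,
        "src": lambda v: any(src in net for net in v),
        "dst": lambda v: dst == v,
    }
    return all(checks[key](value) for key, value in rule.items() if key != "action")

def forward(pkt):
    """Return (action, 1-based rule number) of the first rule that matches, like RouterOS."""
    for number, rule in enumerate(FORWARD, 1):
        if matches(rule, pkt):
            return rule["action"], number
    return "accept", 0  # no rule matched: RouterOS's implicit default, hence the final drop rule

def new(src, dst, in_if, out_if, state="new"):
    return {"src": src, "dst": dst, "in_if": in_if, "out_if": out_if, "state": state}

if __name__ == "__main__":
    print(forward(new("192.168.100.5", "192.168.88.10", "VLAN_100", "wireguard1")))  # ('accept', 4)
    print(forward(new("192.168.88.10", "192.168.100.5", "wireguard1", "VLAN_100")))  # ('drop', 9)
```

The second call shows the intended asymmetry: R2's subnet arriving on wireguard1 is not in the VPN list, so it falls through to the final drop, while road-warrior addresses reach the LAN via rule 5.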