
General • Re: Can't access device on management VLAN remotely via Wireguard

@Verylab

1. The client device has nothing to do with accepting an incoming handshake; the request to join WireGuard comes from the client device and is outbound traffic. The router WireGuard service is hosted on the server device, which handles the incoming handshake, and thus needs the input chain rule TO the router.

2. Each rule in the firewall chain has a purpose, and there is logic. Thus, if you deviate from the logic, the config quickly becomes inefficient.
The rules are viewed first, then second, and so forth on a particular chain.
The idea is that you want to minimize any traffic going through the entire chain, so you want the majority of traffic to be handled as quickly as possible.

Hence, for example, the accepted,established rule is normally first in the input chain,
and
the fasttrack rule, and then the accepted,established rule, are normally first in the forward chain.

3. Let's say you have a user that wants to go to the internet.
The first packets hit the firewall rules and, let's say, hit the allowed,established rule. It's a new session, and thus the router passes the packet to the next rule, as there is no match.
Note: One doesn't have to state new, as it's implied: if the router doesn't know about it, it's new.
The next rule is drop invalid traffic. Since this is legit traffic, it passes. For security reasons we want to ensure any invalid traffic is dropped soonest.
The next rule might be allow LAN to WAN traffic (to the internet), and we have a match on the first packets, as they are 'captured' by the rule and, due to the routes indicated in IP routes, the traffic heads out the WAN port.
Now the connection which was new is considered accepted/established, and the rest of the packets ARE NOT put through the rest of the firewall rules, as they hit the first rule (accepted/established) and then go directly out the WAN port. Hence why this rule is first, as it is the most efficient way to process traffic through the firewall rules.

4. If you want to better understand packet flow etc.:
https://help.mikrotik.com/docs/display/ ... n+RouterOS

Statistics: Posted by anav — Sun Dec 31, 2023 4:39 pm
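The rule ordering described in the post above, written out as a RouterOS filter configuration. This is an added example, not the poster's config or the MikroTik default config verbatim: the WireGuard listen port (13231), the interface name (wireguard1), the management VLAN subnet (192.168.99.0/24) and the WAN/LAN interface lists are assumed placeholders that must match your own setup.

```routeros
# Added example: input and forward chains ordered so that the bulk of traffic
# matches the first rule and never walks the rest of the chain.
/ip firewall filter

# --- input chain: traffic destined TO the router itself ---
# Established/related first: every packet after the first of a known connection stops here.
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
# Drop invalid as early as possible.
add chain=input action=drop connection-state=invalid comment="drop invalid"
# The WireGuard handshake arrives from the WAN as new inbound UDP; the router is the
# server, so this belongs in INPUT, not forward. 13231 is an assumed listen port.
add chain=input action=accept protocol=udp dst-port=13231 in-interface-list=WAN \
    comment="accept WireGuard handshake to router"
# LAN users may reach the router (winbox, DNS, etc.); everything else is dropped.
add chain=input action=accept in-interface-list=LAN comment="accept LAN to router"
add chain=input action=drop comment="drop all else to router"

# --- forward chain: traffic passing THROUGH the router ---
# Fasttrack first, then established/related: subsequent packets of an allowed
# session are accepted here and skip every rule below.
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack established,related"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# New sessions are matched once, by the rules below; the first packet of a LAN
# client's web session lands here and the reply traffic is then handled above.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="allow LAN to WAN (internet)"
# Remote WireGuard peers reaching the management VLAN. wireguard1 and
# 192.168.99.0/24 are assumed names; narrow dst-address/dst-port to what is needed.
add chain=forward action=accept in-interface=wireguard1 dst-address=192.168.99.0/24 \
    comment="allow WireGuard clients to management VLAN"
add chain=forward action=drop comment="drop all else forwarded"
```

To confirm the ordering is doing its job, watch the counters with `/ip firewall filter print stats`: the established,related rules at the top of each chain should carry almost all of the bytes, while the per-service accept rules further down only count the first packet of each new session. If the WireGuard handshake rule in the input chain shows zero packets while a peer tries to connect, the handshake is not reaching the router on that port and the forward rule to the management VLAN will never be consulted.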
