
Beginner Basics • Re: No internet via VLAN Wireguard Client

Something is wrong with your config, and it centres around vlan60.

(1) Vlan filtering is not turned on for the bridge itself
(2) You mix apples and oranges; it is much cleaner, if going vlans, to go all vlans and have no DHCP associated with the bridge... personal preference.
(3) It's not clear in bridge ports which ether port vlan60 is associated with... is it going over an access port (pvid?) or a trunk port?
(4) This is a nonsensical entry for bridge vlans, which really muddies the waters:
/interface bridge vlan
add bridge=bridge vlan-ids=60

(5) Where did you get this rule from... what was your intention with this rule?
add action=accept chain=output comment=\
"Wireguard allow destination access via port" dst-address=198.54.134.162 \
dst-port=51820 protocol=udp


Even if your MT was a server, it would be input chain not output chain!

(6) In forward chain, you have mixed up an old default rule with an attempt to add new rules.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT" \
connection-nat-state=dstnat in-interface-list=WAN
add action=drop chain=forward comment="Camer IP blocked from internet" \
out-interface=ether1 src-address-list=Cameras


FIXED:
add action=drop chain=forward comment="drop cameras" src-address-list=Cameras out-interface-list=WAN
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="into wg tunnel" src-address=10.0.60.0/24 out-interface=mullvad-upstream
add action=accept chain=forward comment="Port Forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop All Else"


(7) I would do the routing out the wireguard without mangling. In fact, your mangle rule makes no sense. If your traffic is originating in vlan60, why are you mangling traffic coming in on wireguard?
Get rid of it and the Route and the Routing rule and modify to the below! The table is okay!

Table, Route, Routing Rule
/routing table add fib name=mullvad
/ip route
add dst-address=0.0.0.0/0 gateway=mullvad-upstream routing-table=mullvad
/routing rule add src-address=10.0.60.0/24 action=lookup table=mullvad


If you don't want vlan60 to ever be able to use your local internet if mullvad is down, then change action to "lookup-only-in-table".

Statistics: Posted by anav — Mon Dec 25, 2023 4:08 pm
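
The difference between the two routing-rule actions in the last point, as an added example that is not part of the original post: a small Python model of the table, route and routing rule above. It assumes ether1 is the WAN gateway in the main table and that a route goes inactive when its gateway interface is down; the client addresses are constructed.

```python
import ipaddress

# Constructed tables modelled on the post: "main" holds the normal default
# route (ether1 as WAN gateway is an assumption), "mullvad" holds the
# default route through the WireGuard interface.
TABLES = {
    "main": [("0.0.0.0/0", "ether1")],
    "mullvad": [("0.0.0.0/0", "mullvad-upstream")],
}
# The routing rule from the post; the action is supplied by the caller.
RULE_SRC = ipaddress.ip_network("10.0.60.0/24")
RULE_TABLE = "mullvad"


def best_route(table, dst, up):
    """Longest-prefix match over routes whose gateway interface is up.

    Assumption: a route is inactive while its gateway interface is down.
    """
    dst = ipaddress.ip_address(dst)
    live = [(ipaddress.ip_network(p), gw) for p, gw in TABLES[table] if gw in up]
    hits = [(net.prefixlen, gw) for net, gw in live if dst in net]
    return max(hits)[1] if hits else None


def egress(src, dst, action, up):
    """Return the outgoing interface, or None when the packet is unroutable."""
    if ipaddress.ip_address(src) in RULE_SRC:
        gw = best_route(RULE_TABLE, dst, up)
        if gw is not None or action == "lookup-only-in-table":
            return gw  # None here means dropped: no fallback to main
    return best_route("main", dst, up)  # "lookup" falls through to main


if __name__ == "__main__":
    vlan60_host = "10.0.60.10"  # constructed client address in vlan60
    for action in ("lookup", "lookup-only-in-table"):
        for up in ({"ether1", "mullvad-upstream"}, {"ether1"}):
            out = egress(vlan60_host, "1.1.1.1", action, up)
            state = "up" if "mullvad-upstream" in up else "down"
            print(f"{action:22} mullvad {state:4} -> {out or 'dropped'}")
```

With `lookup`, vlan60 traffic falls back to the main table and leaves via the WAN when the tunnel route is unavailable; with `lookup-only-in-table` it is dropped instead.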


