Channel: MikroTik
General • Re: Static route toward a list of networks

Correct. Each remote subnet must be a separate entry.
The purpose is so that if local LAN users need to reach remote subnets, the router knows where to send the local users!
The purpose is also so that remote users coming in to access local servers or use the local WAN have their return traffic go back through the WireGuard tunnel.

Which is the case for you, or both?

The only time it would be easier is if you only had to worry about incoming traffic and the other end source-NATed their traffic out the WireGuard tunnel; then you would not have to create any subnets, as the router would simply use the DAC route created by the WireGuard IP address. If, as you state, you have local users going to all those remote networks (originating traffic), then there is no easy shortcut that comes to mind.


What you could do is, let's say, you have an address list of the remote subnets that you would like to reach through WireGuard called REMOTE.
Let's say you have 5 local subnets and that only two of them require this routing; make an interface list called Subnets-To-WG.


# routing tables live under /routing in RouterOS v7; "fib" makes the table usable for forwarding
/routing table
add fib name=useWG

# mark-routing is a mangle action; the mark name must match the table name exactly (case-sensitive)
/ip firewall mangle
add chain=prerouting action=mark-routing in-interface-list=Subnets-To-WG dst-address-list=REMOTE new-routing-mark=useWG passthrough=no

# the route in the marked table sends everything out the tunnel interface
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=useWG

/ip firewall filter
add chain=forward action=accept in-interface-list=Subnets-To-WG dst-address-list=REMOTE


Don't forget that with mangling one has to either turn fasttrack off or make adjustments to fasttrack.
In this case we are not marking connections, so one cannot use the standby of simply adding mark=no-mark to the fasttrack rule.

Suggestion: modify the forward chain as follows:
/ip firewall filter
add action=accept chain=forward connection-state=established,related src-address-list=REMOTE
add action=accept chain=forward connection-state=established,related dst-address-list=REMOTE
{default fasttrack rule}

Statistics: Posted by anav — Wed Jan 03, 2024 8:54 pm
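A complete RouterOS v7 configuration that assembles the pieces discussed in the post above (address list, interface list, routing table, mangle mark, route and the fasttrack-safe filter order), added here as an example and not part of anav's post. The interface names bridge-office, bridge-lab and wireguard1 and the three remote subnets are constructed assumptions; replace them with your own.

```routeros
# Added example; assumes wireguard1 is already up and peered, and that two
# local bridges (bridge-office, bridge-lab) are the only LANs that need the
# remote side. Remote subnets below are constructed sample values.

/ip firewall address-list
add list=REMOTE address=10.50.0.0/24 comment="remote site A LAN (sample)"
add list=REMOTE address=10.50.1.0/24 comment="remote site A servers (sample)"
add list=REMOTE address=172.16.8.0/22 comment="remote site B (sample)"

/interface list
add name=Subnets-To-WG
/interface list member
add list=Subnets-To-WG interface=bridge-office
add list=Subnets-To-WG interface=bridge-lab

# A separate routing table; "fib" is required or nothing will be forwarded by it.
/routing table
add name=useWG fib

# Only traffic that originates on the selected LANs AND is headed for a REMOTE
# prefix gets the mark. passthrough=no stops further mangle rules re-marking it.
/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=useWG passthrough=no \
    in-interface-list=Subnets-To-WG dst-address-list=REMOTE \
    comment="LAN -> REMOTE via WireGuard"

# One catch-all route in the marked table; the mark name and table name must match.
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=useWG \
    comment="marked traffic leaves via the tunnel"

# Filter order matters: fasttracked packets bypass mangle, so any connection
# touching REMOTE must be accepted BEFORE the fasttrack rule or its later
# packets lose the routing mark and fall back to the main table (the WAN).
/ip firewall filter
add chain=forward action=accept connection-state=established,related src-address-list=REMOTE \
    comment="keep tunnel replies out of fasttrack"
add chain=forward action=accept connection-state=established,related dst-address-list=REMOTE \
    comment="keep tunnel traffic out of fasttrack"
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="default fasttrack rule, now after the tunnel exemptions"
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface-list=Subnets-To-WG dst-address-list=REMOTE \
    comment="new LAN -> REMOTE connections"
# ...remaining default forward rules (drop invalid, drop from WAN not dstnat, etc.) unchanged
```

To confirm it is working, watch the mangle counters with /ip firewall mangle print stats and check the table has its route with /ip route print where routing-table=useWG. If the mangle counters stay at zero while LAN hosts can still reach the remote side, the accept rules have most likely ended up below the fasttrack rule, and only the first packet of each connection is being marked.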