
Beginner Basics • Re: WireGuard with CloudFlare DNS

After testing with different configurations, I've come to the following conclusions:

The "Detect Internet" setting does not affect external WireGuard connections as long as they are properly configured. However, I noticed something unexpected with this setup: I'm able to access Home Assistant from the LAN using its external domain name. That was unexpected.
Code:
/interface detect-internet
set detect-interface-list=INTERNET
/interface list member
add comment=defconf interface=bridge-lan list=LAN
add comment=defconf interface=ether1-isp list=WAN
add comment=INTERNET interface=ether1-isp list=INTERNET
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d mdns-repeat-ifaces=bridge-lan servers=1.1.1.1,8.8.8.8
/ip firewall filter
add action=accept chain=input comment="Allow WireGuard port" dst-port=12313 protocol=udp
add action=accept chain=input comment="Allow WireGuard Clients to access LAN" dst-address=192.168.10.0/25 src-address=192.168.5.0/29
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=src-nat chain=srcnat comment="Force traffic to IoT-Lan to appear from gateway" dst-address=192.168.20.0/27 log-prefix=nat-iot src-address=192.168.10.0/25 to-addresses=192.168.20.1
At the time I was testing WireGuard connections without success, I also had some NAT rules in place that were causing issues. I had to modify those rules in order to successfully establish WireGuard connections. The goal was to intercept all client DNS requests and redirect them to the router’s DNS server, even if the clients were using external resolvers.
Code:
/ip firewall nat
add action=redirect chain=dstnat comment="Redirect DNS Requests to Router IP" disabled=no dst-port=53 log-prefix=redirect protocol=udp to-ports=53
add action=redirect chain=dstnat comment="Redirect DNS Requests to Router IP" disabled=no dst-port=53 log-prefix=redirect protocol=tcp to-ports=53
The proper way to set up a WireGuard connection was shared by @CGGXANNX in a previous post. There’s also an official MikroTik video about WireGuard, which I watched some time ago, but didn’t fully understand at the time:
https://www.youtube.com/watch?v=vn9ky7p5ESM
Code:
/interface wireguard peers
add allowed-address=192.168.5.2/32 client-address=192.168.5.2/32 comment="Peer 1" interface=wg name=wg0 public-key="bDIm="
add allowed-address=192.168.5.3/32 client-address=192.168.5.3/32 comment="Peer 2" interface=wg name=wg1 public-key="NpgN="
Last week, I set up AdGuard Home in an LXC container with the IP address 192.168.10.126, and configured the router’s DNS server to point to that IP. The DNS provided via DHCP on the LAN is still 192.168.10.1 (the router’s IP), so I had to adjust the router’s DNS server settings accordingly.
Additionally, I had to update the DNS-related NAT rules to ensure compatibility with WireGuard.

Current NAT Rules
Code:
/ip firewall nat
add action=redirect chain=dstnat comment="Redirect DNS UDP to router" disabled=no dst-port=53 in-interface=bridge-lan protocol=udp src-address-list=!dns-resolvers to-ports=53
add action=redirect chain=dstnat comment="Redirect DNS TCP to router" disabled=no dst-port=53 in-interface=bridge-lan protocol=tcp src-address-list=!dns-resolvers to-ports=53
/ip firewall address-list
add address=192.168.10.1 list=dns-resolvers
add address=192.168.10.126 list=dns-resolvers
Everything seems to be working fine now. However, I’m not entirely sure if my NAT rules are set up correctly. Now I can't access Home Assistant from within the LAN using its external domain name unless I define a DNS rewrite in AdGuard Home.

Thanks!

Statistics: Posted by HoracioDos — Tue Mar 25, 2025 5:05 pm
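The two DNS-interception rule sets from the post, modeled as an added Python example that is not RouterOS code and not the poster's own. It evaluates the rules first-match over constructed packets using only the matchers the rules actually use (protocol, dst-port, in-interface, src-address-list). It assumes the WireGuard interface is named `wg` as in the peer export; the client addresses are constructed to fit the subnets in the post. The model shows what `in-interface=bridge-lan` and `src-address-list=!dns-resolvers` change: a LAN client's query to an external resolver is still redirected to the router, AdGuard's own upstream queries from 192.168.10.126 are no longer redirected back to the router (which would otherwise loop router -> AdGuard -> router), and a WireGuard peer's query arriving on `wg` is left untouched.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of the two /ip firewall nat dstnat rule sets in the post.
# Not RouterOS code; it mimics first-match evaluation of the matchers used.


@dataclass(frozen=True)
class Packet:
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    proto: str      # "udp" or "tcp"
    dst_port: int
    in_iface: str   # interface the packet arrived on


@dataclass(frozen=True)
class Rule:
    comment: str
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    in_iface: Optional[str] = None      # None = any interface
    src_list: Optional[str] = None      # address-list name; leading "!" negates
    action: str = "redirect"
    to_ports: int = 53


# Address list from the post: hosts allowed to reach upstream resolvers directly.
ADDRESS_LISTS = {"dns-resolvers": ["192.168.10.1", "192.168.10.126"]}


def in_address_list(addr: str, entries) -> bool:
    """True if addr falls inside any entry (host address or CIDR) of the list."""
    return any(ip_address(addr) in ip_network(e, strict=False) for e in entries)


def matches(rule: Rule, pkt: Packet, lists=ADDRESS_LISTS) -> bool:
    """Apply each matcher the rule sets; unset matchers accept anything."""
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.in_iface and rule.in_iface != pkt.in_iface:
        return False
    if rule.src_list:
        negate = rule.src_list.startswith("!")
        listed = in_address_list(pkt.src, lists.get(rule.src_list.lstrip("!"), []))
        if listed == negate:        # "!list" matches only unlisted sources
            return False
    return True


def evaluate(rules, pkt: Packet, lists=ADDRESS_LISTS) -> Optional[str]:
    """Comment of the first matching rule, or None when no NAT applies."""
    for rule in rules:
        if matches(rule, pkt, lists):
            return rule.comment
    return None


# Earlier rule set: intercept every port-53 packet regardless of source/interface.
OLD_RULES = [
    Rule("Redirect DNS Requests to Router IP", proto="udp", dst_port=53),
    Rule("Redirect DNS Requests to Router IP", proto="tcp", dst_port=53),
]

# Current rule set: LAN bridge only, and the resolvers themselves are exempt.
NEW_RULES = [
    Rule("Redirect DNS UDP to router", proto="udp", dst_port=53,
         in_iface="bridge-lan", src_list="!dns-resolvers"),
    Rule("Redirect DNS TCP to router", proto="tcp", dst_port=53,
         in_iface="bridge-lan", src_list="!dns-resolvers"),
]

# Constructed sample flows (addresses chosen to fit the subnets in the post).
LAN_CLIENT_UDP = Packet("192.168.10.50", "8.8.8.8", "udp", 53, "bridge-lan")
LAN_CLIENT_TCP = Packet("192.168.10.50", "8.8.8.8", "tcp", 53, "bridge-lan")
ADGUARD_UPSTREAM = Packet("192.168.10.126", "1.1.1.1", "udp", 53, "bridge-lan")
WG_PEER_DNS = Packet("192.168.5.2", "1.1.1.1", "udp", 53, "wg")
LAN_HTTPS = Packet("192.168.10.50", "203.0.113.10", "tcp", 443, "bridge-lan")

if __name__ == "__main__":
    samples = [("LAN client UDP", LAN_CLIENT_UDP), ("LAN client TCP", LAN_CLIENT_TCP),
               ("AdGuard upstream", ADGUARD_UPSTREAM), ("WG peer DNS", WG_PEER_DNS),
               ("LAN HTTPS", LAN_HTTPS)]
    for name, pkt in samples:
        print(f"{name:17} old={str(evaluate(OLD_RULES, pkt)):36} "
              f"new={evaluate(NEW_RULES, pkt)}")
```

Run it to see a table of which flows each rule set intercepts. The AdGuard row is the one to watch: under the old rules the resolver's own upstream traffic is caught by the redirect, which is why an address-list exemption for the resolvers is needed whenever the DNS server being redirected to is itself a host behind the bridge.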


