
General • Re: Issue with Wireguard - Connected but no traffic

Okay, it's becoming clearer.
(1) In that case, simply on the client device, for allowed IPs put in this instead of anything else: 0.0.0.0/0
That will include any LAN access, and the router via the wireguard IPs....

(2) No, the only reason to put the output chain is traffic to the router.
Since you have WAN1 as primary, all traffic leaves the router on WAN1; I'm assuming that folks connect via wireguard over WAN1.
If WAN1 fails, the domain name/url pointing to WAN1 would get redirected to WAN2 and thus reachable via WAN2 for wireguard or any servers etc..

In this case, the output chain rules are not required.
If you had a reverse situation, all traffic going out WAN1 but wanted wireguard to come in via WAN2, then you would need output chain mangles.

(3) Don't recommend DMZ at any time, ONLY if you can forward the single needed wireguard port to the MT router. Since you have hardly any firewall rules it's a bad practice especially!!! Will suggest default firewall rule setup after you post your latest config.

(4) For the mangles, it was not an order change, it was an addition of two new ones at the top and getting rid of the Output chain one and all the useless ones.
Get rid of these:
/ip firewall mangle
add action=accept chain=prerouting comment="bridge access" dst-address-list=\
    local in-interface=bridge-lan
add action=accept chain=prerouting comment="LB PCC by buananet.com" \
    dst-address-list=LOCAL-IP src-address-list=LOCAL-IP
add action=accept chain=postrouting comment="LB PCC by buananet.com" \
    dst-address-list=LOCAL-IP src-address-list=LOCAL-IP
add action=accept chain=forward comment="LB PCC by buananet.com" \
    dst-address-list=LOCAL-IP src-address-list=LOCAL-IP
add action=accept chain=input comment="LB PCC by buananet.com" \
    dst-address-list=LOCAL-IP src-address-list=LOCAL-IP
add action=accept chain=output comment="LB PCC by buananet.com" \
    dst-address-list=LOCAL-IP src-address-list=LOCAL-IP


The rest were okay I think

Please post your config after more changes..........

Statistics: Posted by anav — Thu Dec 21, 2023 2:35 am
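
Added example, not part of the original post: a small Python model of how WireGuard uses a peer's allowed IPs on the client, which is why point (1) changes a "connected but no traffic" tunnel into a working one. The tunnel subnet, router address and LAN host address are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

def outbound_peer(peers, dst):
    """Outbound: pick the peer whose AllowedIPs covers dst with the longest
    prefix. None means WireGuard has no peer to encrypt the packet for."""
    dst = ipaddress.ip_address(dst)
    best = None
    for name, allowed in peers.items():
        for cidr in allowed:
            net = ipaddress.ip_network(cidr, strict=False)
            if dst in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None

def inbound_accepted(peers, peer, src):
    """Inbound: after decryption, the inner source IP must fall inside the
    sending peer's AllowedIPs, otherwise the packet is dropped."""
    src = ipaddress.ip_address(src)
    return any(src in ipaddress.ip_network(c, strict=False) for c in peers[peer])

# Constructed client-side peer tables (assumed addressing):
#   tunnel subnet 10.10.10.0/24, router at 10.10.10.1, LAN host 192.168.88.50
NARROW = {"router": ["10.10.10.0/24"]}   # handshake works, LAN is unreachable
FULL = {"router": ["0.0.0.0/0"]}         # the setting suggested in point (1)

def report(peers):
    """For each destination: (peer chosen outbound, reply accepted inbound)."""
    dests = ["10.10.10.1", "192.168.88.50", "1.1.1.1"]
    return {d: (outbound_peer(peers, d), inbound_accepted(peers, "router", d))
            for d in dests}

if __name__ == "__main__":
    for label, peers in (("narrow", NARROW), ("full", FULL)):
        print(label, report(peers))
```

With 0.0.0.0/0 the client also steers its internet-bound traffic into the tunnel, so the router's firewall and NAT rules decide what happens to it next.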


