Mon Mar 25, 2024 3:22 pm
1. This indicates an issue
add interface=*24 list=LAN
2. Input chain rules are a bit funny.
add action=accept chain=input comment="Allow established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow LAN DNS traffic udp" in-interface-list=LAN port=53 protocol=udp
add action=accept chain=input comment="Allow LAN DNS traffic tcp" in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input comment="Allow WireGuard traffic" dst-port=13231 protocol=udp
add action=accept chain=input comment="Allow WireGuard traffic" dst-port=13300 protocol=udp
add action=accept chain=input comment="Allow traffic from LAN interface list to the router" in-interface-list=LAN
add action=drop chain=input comment="Drop all else"
You should note that you actually don't need the DNS rules if you keep the other green rule, because the second green rule allows DNS as well.
The reason for the DNS rules is that all users SHOULD NOT have full access on the input chain, and that is why we provide only the needed services to the LAN list on the input chain.
What you should do on the input chain is create an "AUTHORIZED" source address-list and allow it to access the input chain:
..... admin IP on local bridge ( pc ) *static DHCP lease*
... admin IP on local bridge ( laptop ) *static DHCP lease*
... admin IP on local bridge ( smartphone/ipad )
.. remote admin IP wireguard ( whatever devices admin connects to from, could be laptop and smartphone )
Then, once that's done, remove the full access of the LAN to the input chain, keeping the good DNS rules.
(5) No need for two WireGuard input chain handshake rules ???
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
(4) Now onto the port forwarding
The firewall rule is fine.
Format for hairpin is not quite correct.
Typically it's (and no out-interface nor protocol):
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=172.16.10.0/24 src-address=172.16.10.0/24
However, I suppose you can truncate it a bit, but I don't recommend it, especially if you add servers, as the above covers all. But if you look at what you did,
So it could be:
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=172.16.10.3/32 src-address=172.16.10.0/24
FORMAT of the destination NAT rule should be:
/ip firewall address-list
add address=hf1090s67e0.sn.mynetname.net list=MYWANIP
add address=85.146.118.0/24 comment="Probes @ Lab" list=Remote_Probes
add address=82.173.82.17 comment="B2B Probes @ Lab" list=Remote_Probes
--------------------------------------------------------------------------------------------
/ip firewall nat
add action=dst-nat chain=dstnat comment="server X" dst-address-list=MYWANIP dst-port=8086 \
protocol=tcp src-address-list=Remote_Probes to-addresses=172.16.10.3
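As an added worked example (not part of the post above), this is what the AUTHORIZED address-list approach looks like as a complete input chain: admin devices get to the router, everyone else on the LAN gets only DNS, and the blanket "LAN to router" accept is gone. The admin addresses, the WireGuard peer address and the single WireGuard port kept (13231) are assumptions for illustration.

```routeros
# Admin devices: the LAN ones are pinned with static DHCP leases so the
# addresses below stay stable (addresses are constructed for this example).
/ip firewall address-list
add address=172.16.10.10 comment="admin PC (static DHCP lease)" list=AUTHORIZED
add address=172.16.10.11 comment="admin laptop (static DHCP lease)" list=AUTHORIZED
add address=172.16.10.12 comment="admin smartphone/iPad (static DHCP lease)" list=AUTHORIZED
add address=10.10.10.2 comment="remote admin over WireGuard (assumed tunnel address)" list=AUTHORIZED

# Static leases that back the LAN entries; MAC addresses are placeholders.
/ip dhcp-server lease
add address=172.16.10.10 mac-address=XX:XX:XX:XX:XX:01 comment="admin PC"
add address=172.16.10.11 mac-address=XX:XX:XX:XX:XX:02 comment="admin laptop"
add address=172.16.10.12 mac-address=XX:XX:XX:XX:XX:03 comment="admin smartphone/iPad"

# Input chain, top to bottom. Order matters: the AUTHORIZED accept must sit
# above the final drop, and there is no longer a rule that accepts the whole
# LAN interface list.
/ip firewall filter
add action=accept chain=input comment="Allow established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow LAN DNS traffic udp" \
    in-interface-list=LAN port=53 protocol=udp
add action=accept chain=input comment="Allow LAN DNS traffic tcp" \
    in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input comment="Allow WireGuard handshake" \
    dst-port=13231 protocol=udp
add action=accept chain=input comment="Allow admin devices to reach the router" \
    src-address-list=AUTHORIZED
add action=drop chain=input comment="Drop all else"

# Quick check that no rule still accepts the whole LAN list on input.
/ip firewall filter print where chain=input and in-interface-list=LAN and !port
```

The last line should print nothing once the old "Allow traffic from LAN interface list to the router" rule has been removed; if it lists a rule, the LAN still has full access to the input chain.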