Skip to main content

Mullvad WireGuard RouterOS LAN/NAT

Source

LAN Routing

After updating to RouterOS 7.2.3 I noticed that my setup in the previous post still works but the router was unreachable via ping and winbox. So to reach my Mikrotik again I re-did my "noVPN" Mangle rules. I will give these just for IPv4 but something similar should work for IPv6.

The basic idea is to not route-mark anything that is originating from a local interface to a local interface, if we did, it would be send out to Mullvad (or the VPN Provider in general). Since we have to use the prerouting chain we can't use "out interfaces", therefore we will filter by "dst. address" or "dst. address list". I will be doing the example with "dst. Address list" and "in. interface list" because it is the most flexible approach I found. I will be assuming that ether2 and ether3 are LAN interfaces with the IP networks 192.168.88.0/24 and 192.168.89.0/24.

To start we need an interface list and an address list:

/interface/list/add name=LAN
/interface/list/member/add list=LAN interface=ether2
/interface/list/member/add list=LAN interface=ether3

/ip/firewall/address-list/add address=192.168.88.0/24 list=noVPN
/ip/firewall/address-list/add address=192.168.89.0/24 list=noVPN

With these two objects we can now create mangle rules to exclude traffic from being route marked.

/ip/firewall/mangle/add chain=prerouting in-interface-list=Lan dst-address-list=noVPN \
        action=mark-connection new-connection-mark=noVPN
/ip/firewall/mangle/add chain=prerouting connection-mark=noVPN action=accept

These two mangle rules need to be above/before the "mark routing" rules from my other blog post!

Allow none VPN NAT

With the same method we can allow NAT rules on our own public IP to work. Assuming the WAN interface is named "Internet" we can do something like this:

/ip/firewall/mangle/add chain=prerouting in-interface=Internet connection-nat-state=dstnat \
        action=mark-connection new-connection-mark=nat
/ip/firewall/mangle/add chain=prerouting connection-mark=nat action=accept

These two mangle rules need to be above/before the "mark routing" rules from my other blog post! With that, responses to "normal" NAT rules are not send through WireGuard.