Closed adampetrovic closed 1 year ago
Hi @adampetrovic, are you using the UXG Pro, or the UniFi Security Gateway XG 8 as your device/wireguard server? You said "UniFi Security Gateway XG 8 - UGWXG" for Device but then said UXG-Pro in description.
UXG Pro (I've updated my description) - it wasn't an option in the template dropdown, so I picked the closest I could :)
Oh sorry, I didn't know it's a dropdown.
Anyhow, for the Unifi routers, the problem is Ubiquiti only forwards interfaces it created to its firewall rules. If you want to also forward the wireguard interface to the Ubiquiti firewall rules, you can add custom rules to jump to the correct chains like this in SSH:
```shell
iptables -A FORWARD -i wg0 -j UBIOS_LAN_IN_USER
iptables -A FORWARD -o wg0 -j UBIOS_LAN_OUT_USER
iptables -A INPUT -i wg0 -j UBIOS_LAN_LOCAL_USER
```
Make sure to change `wg0` to your interface name if different. This will add the jumps for LAN IN, LAN OUT, and LAN LOCAL for the wireguard interface, which will make traffic from/to this interface honour all the rules.
You can also add it to PostUp/PreDown in your wg0.conf like so:
```ini
PostUp = iptables -A FORWARD -i %i -j UBIOS_LAN_IN_USER; iptables -A FORWARD -o %i -j UBIOS_LAN_OUT_USER; iptables -A INPUT -i %i -j UBIOS_LAN_LOCAL_USER
PreDown = iptables -D FORWARD -i %i -j UBIOS_LAN_IN_USER; iptables -D FORWARD -o %i -j UBIOS_LAN_OUT_USER; iptables -D INPUT -i %i -j UBIOS_LAN_LOCAL_USER
```
Please see if your firewall rules work with the above addition.
Thanks!
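As an added example (not code from this thread or from the project), the same three jump rules wrapped in a small POSIX sh script that adds, removes or checks them idempotently. The point it adds to the comment above: `iptables -A` in PostUp appends a fresh copy every time it runs, so a reconnect or a manual re-run stacks duplicate jumps, and a `check` mode is useful after a firmware update to confirm the WireGuard interface is still routed through the user chains. It assumes the `UBIOS_LAN_*_USER` chain names quoted above, an interface name given as the second argument (default `wg0`), and that `iptables` is on the path; the `IPTABLES` variable exists only so the script can be pointed at a different binary.

```shell
#!/bin/sh
# Added example, not code from the thread or from the project: manage the three
# jump rules from the comment above idempotently, so re-running PostUp (or running
# the script by hand over SSH) never stacks duplicate jumps in FORWARD/INPUT.
# Assumptions: interface name is passed as an argument (defaults to wg0); the
# UBIOS_LAN_*_USER chain names are those quoted in the comment above.
# Usage on the gateway:  sh wg-unifi-fw.sh add [wg0] | del [wg0] | check [wg0] | conf

IPTABLES="${IPTABLES:-iptables}"   # override to point at another binary

# Rule N (1..3) for interface $2, as the argument list that follows -A/-C/-D.
wg_fw_rule() {
    case "$1" in
        1) echo "FORWARD -i $2 -j UBIOS_LAN_IN_USER" ;;     # LAN IN
        2) echo "FORWARD -o $2 -j UBIOS_LAN_OUT_USER" ;;    # LAN OUT
        3) echo "INPUT -i $2 -j UBIOS_LAN_LOCAL_USER" ;;    # LAN LOCAL
    esac
}

# Append each rule only if `iptables -C` reports it absent.
wg_fw_add() {
    for n in 1 2 3; do
        rule=$(wg_fw_rule "$n" "$1")
        # shellcheck disable=SC2086  (splitting $rule into arguments is intended)
        if "$IPTABLES" -C $rule 2>/dev/null; then
            echo "present: $rule"
        else
            "$IPTABLES" -A $rule && echo "added: $rule"
        fi
    done
}

# Delete each rule that is present; a rule already gone is reported, not an error.
wg_fw_del() {
    for n in 1 2 3; do
        rule=$(wg_fw_rule "$n" "$1")
        # shellcheck disable=SC2086
        if "$IPTABLES" -C $rule 2>/dev/null; then
            "$IPTABLES" -D $rule && echo "removed: $rule"
        else
            echo "absent: $rule"
        fi
    done
}

# Exit 0 only when all three jumps are in place; run after a reboot or firmware
# update to confirm WireGuard traffic is still subject to the user rules.
wg_fw_check() {
    missing=0
    for n in 1 2 3; do
        rule=$(wg_fw_rule "$n" "$1")
        # shellcheck disable=SC2086
        "$IPTABLES" -C $rule 2>/dev/null || { echo "missing: $rule"; missing=$((missing + 1)); }
    done
    [ "$missing" -eq 0 ]
}

# The equivalent PostUp/PreDown lines for wg0.conf (%i is expanded by wg-quick).
wg_fw_conf_lines() {
    echo "PostUp = iptables -A $(wg_fw_rule 1 %i); iptables -A $(wg_fw_rule 2 %i); iptables -A $(wg_fw_rule 3 %i)"
    echo "PreDown = iptables -D $(wg_fw_rule 1 %i); iptables -D $(wg_fw_rule 2 %i); iptables -D $(wg_fw_rule 3 %i)"
}

case "${1:-}" in
    add)   wg_fw_add   "${2:-wg0}" ;;
    del)   wg_fw_del   "${2:-wg0}" ;;
    check) wg_fw_check "${2:-wg0}" && echo "all jump rules present" ;;
    conf)  wg_fw_conf_lines ;;
esac
```

Run it as root on the gateway (`sh wg-unifi-fw.sh add wg0`, then `sh wg-unifi-fw.sh check wg0`); `conf` prints the PostUp/PreDown pair if you prefer to keep the rules in the WireGuard config instead.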
Perfect. That worked like a charm! Thanks @peacey
Hey @peacey, would you mind adding this to the wiki? Seems very useful to me.
Hi @UnlimitedCookies, sorry I meant to add it to the wiki but completely forgot. Will do it soon.
Awesome!
Package version: 1.0.20220627-1
Firmware version: v1.10.11
Device: UXG Pro
Issue description
I've had my UXG Pro as a Wireguard server running nicely for a while now. My use case is that I have a VPS box that holds open a Wireguard connection to my UXG so it can access some of my internal devices and services.
I don't want my VPS to be able to access all of my network, just a few specific hosts in a particular VLAN. My VPS box has a single /32 IP assigned when it connects to Wireguard, so I figured I could just easily add LAN In rules in my firewall to control what my VPN client can access; however, deny rules don't seem to be taking any effect.
I can ping / interact with any VLAN even if I add a deny all for the client IP address.
Is it possible to set firewall rules for clients that connect to my wireguard server?
Configuration and log output: No response