On Tue, 2023-11-07 at 19:19 +1100, Roger Plant via Public wrote:
> The dstnat rule is one way to enforce internet packets. If the mikrotik is the main gateway, you can choose source interface. If not you can have match source address to not (address list of lan addresses).

Thanks Roger. I've puzzled over the above for a while, and have to confess I don't understand your second and third sentences unless they both relate to dstnat.

The dstnat rule is there to make sure that a packet coming in for a particular port gets sent to the right place - basic port-forwarding. And I have indeed chosen the source interface in the dstnat rule ("in-interface=e1-uplink").

As far as srcnat is concerned I have had a bit of a LOL moment; it's really not part of the solution.

Progress has been made though, in my understanding if nothing else. I have allowed my own outside address as one of the remote end's allowed-addresses (0.0.0.0/0 will be needed at both ends eventually I guess). Sniffing shows that my dstnatted packets are now arriving at the remote end of the wireguard link, and also shows that replies are trying to get home over the remote end's uplink, instead of back over the wireguard link.

So Andrew Oakley's suggestion re connection marking seems to be the last piece needed. If only I understood it :-)

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au)
work +61 2 64957435
http://www.nullarbor.com.au
mobile +61 428 957160
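The connection-marking step described above, as an added example that is not from any message in this thread or from MikroTik's documentation. It goes on the remote end of the WireGuard link (the side where the replies currently leave via the uplink) and assumes RouterOS v7 syntax; the interface name wg0, the connection mark from-wg, and the routing table via-wg are assumptions chosen for the example. The idea: the first packet of each forwarded connection arrives over the tunnel, so the connection is marked there; every reply packet belongs to that same tracked connection, so it inherits the mark and is given a routing mark that selects a table whose only default route points back down the tunnel instead of out the uplink.

```routeros
# Remote end of the WireGuard link. Names below (wg0, from-wg, via-wg) are
# assumptions for this example, not values from the thread.

# A separate routing table (RouterOS v7) whose default route goes back down the tunnel.
/routing table add name=via-wg fib
/ip route add dst-address=0.0.0.0/0 gateway=wg0 routing-table=via-wg

# 1. When a new connection arrives over the tunnel, tag the connection.
#    Connection tracking keeps the mark on every later packet in both directions.
/ip firewall mangle add chain=prerouting in-interface=wg0 connection-state=new \
    action=mark-connection new-connection-mark=from-wg passthrough=yes

# 2. Reply packets from a host behind this router come in on a LAN interface
#    (anything but wg0) with the inherited connection mark: send them to the
#    via-wg table. The in-interface=!wg0 match matters: without it, inbound
#    packets that arrived on wg0 would also be routed back into the tunnel.
/ip firewall mangle add chain=prerouting connection-mark=from-wg in-interface=!wg0 \
    action=mark-routing new-routing-mark=via-wg passthrough=no

# 3. Same thing for replies generated by the router itself (if the forwarded
#    service runs on the router rather than on a host behind it).
/ip firewall mangle add chain=output connection-mark=from-wg \
    action=mark-routing new-routing-mark=via-wg passthrough=no

# Check: forwarded connections should appear with the mark while traffic flows.
/ip firewall connection print where connection-mark=from-wg
```

Two things to verify while testing: the marked connections show up in the connection table (last command), and a packet sniff on the uplink no longer shows reply packets addressed to the outside client. If the remote router masquerades its LAN on the uplink, that srcnat rule is not hit on this path because the replies now leave via wg0, which is the intended behaviour; the NAT of the reply back to the public address happens on the home router that did the dstnat.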