Hello everyone, I have a problem, I cannot enter winbox when I am connected through wireguard. If I can access the server via remote desktop. If you can help me, I would appreciate it.
#
# model = RB760iGS
/interface bridge
add admin-mac=XXXXXXXXXX auto-mac=no comment=defconf name=bridge \
port-cost-mode=short
/interface wireguard
add listen-port=13235 mtu=1420 name=XXXXXXXXXX
add listen-port=13236 mtu=1420 name=XXXXXXXXXX
add listen-port=13237 mtu=1420 name=XXXXXXXXXX
add listen-port=13238 mtu=1420 name=XXXXXXXXXX
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.0.2-192.168.0.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1 \
internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.10.3.2/32 interface=XXXXXXXXXX public-key=\
"XXXXXXXXXX"
add allowed-address=10.10.4.2/32 interface=XXXXXXXXXX public-key=\
"XXXXXXXXXX"
add allowed-address=10.10.5.2/32 interface=XXXXXXXXXX public-key=\
"XXXXXXXXXX"
add allowed-address=10.10.6.2/32 interface=XXXXXXXXXX public-key=\
"XXXXXXXXXX"
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
192.168.0.0
add address=10.10.3.1/24 interface=XXXXXXXXXX network=10.10.3.0
add address=10.10.4.1/24 interface=XXXXXXXXXX network=10.10.4.0
add address=10.10.5.1/24 interface=XXXXXXXXXX network=10.10.5.0
add address=10.10.6.1/24 interface=XXXXXXXXXX network=10.10.6.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.0.100 client-id=XXXXXXXXXX mac-address=\
XXXXXXXXXX server=defconf
add address=192.168.0.3 client-id=XXXXXXXXXX mac-address=\
XXXXXXXXXX server=defconf
add address=192.168.0.2 client-id=XXXXXXXXXX mac-address=\
XXXXXXXXXX server=defconf
add address=192.168.0.10 mac-address=XXXXXXXXXX server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=XXXXXXXXXX
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
xxxxxxx
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="wireguard " dst-port=13237 protocol=\
udp
add action=accept chain=input comment="wireguard " dst-port=13235 protocol=\
udp
add action=accept chain=input comment="wireguard " dst-port=13238 protocol=\
udp
add action=accept chain=input comment="wireguard " dst-port=13236 protocol=\
udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=input dst-port=8291 in-interface-list=WAN protocol=tcp
add action=drop chain=input in-interface-list=WAN protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=53 protocol=udp to-addresses=\
192.168.0.1 to-ports=53
/ip firewall raw
add action=drop chain=prerouting comment=\
"DMNTR SecurIP: Block WAN connections from BlackList" in-interface-list=\
WAN src-address-list=dmntr-blacklist
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system identity
set name=RouterOS
/system note
set show-at-login=no
/system scheduler
add comment="DMNTR SecurIP 30m Update Script" interval=3h name=\
dmntr_securipupdate on-event="/system script run dmntr_securip" policy=\
read,write,policy,test start-date=1970-01-01 start-time=00:00:00
add comment="DMNTR SecurIP OnBoot Script" name=dmntr_securipupdateOnBoot \
on-event=":delay 30;system script run dmntr_securip" policy=\
read,write,policy,test start-time=startup
/system script
add comment="DMNTR SecurIP Script" dont-require-permissions=no name=\
dmntr_securip owner=admin policy=read,write,policy,test source="# DMNTR Ne\
twork Solutions SecurIP Installer\
\n# 2022 dmntr@dmntr.net\
\n:local destPath \"securip_dmntr.rsc\";\
\n:local priority \"2\";\
\n:do { /file remove \$destPath } on-error={};\
\n/tool fetch mode=https url=\"https://intelligence.dmntr.net/dmmntr-secur\
ip-lite.rsc\" user=\"XXXXXXXXXX\" password=\"XXXXXXXXXX\" dst-path=\"\$de\
stPath\" output=file;\
\n/system logging disable numbers=0\
\n/import file-name=\$destPath;\
\n/system logging enable numbers=0\
\n/file remove \$destPath;"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
access to winbox by wireguard
Last edited by Greyhard on Thu Mar 28, 2024 8:17 pm, edited 1 time in total.
Re: access to winbox by wireguard
Deleted the super long blacklist, it is not needed here.
The sequence of firewall rules is not correct for you. Remove the last 2 rules from the forward section...
And what was the point of this-
add action=drop chain=input dst-port=8291 in-interface-list=WAN protocol=tcp ?
The sequence of firewall rules is not correct for you. Remove the last 2 rules from the forward section...
And what was the point of this-
add action=drop chain=input dst-port=8291 in-interface-list=WAN protocol=tcp ?
Re: access to winbox by wireguard
If anyone complains about your long list of code, they should look inwards for not supporting my recommendation for a first post process !!!
Now for the OP......
(1) WIREGUARD is not a local SUBNET, so you only assign an IP address, nothing else!!
(2) Get rid of this default setting, its on the static menu found at /ip dns
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
(3) No need for blacklists, waste of time. Get rid of them you will be safe and the associated raw rule.
(4) DROP these two rules, they are NOT required!
A. add action=drop chain=input dst-port=8291 in-interface-list=WAN protocol=tcp
B. add action=drop chain=input in-interface-list=WAN protocol=udp
A. There is no need to block an attempt to 8291, winbox port, because you have the following rule:
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
Any traffic coming from the WAN that is not already permitted ( aka wireguard ports ), then any such traffic will be dropped already!!
B. Same logic applies here. After the above drop rule identified, any incoming WAN traffic will be dropped!!
(4) What is the purpose of this DANGEROUS rule??
add action=dst-nat chain=dstnat dst-port=53 protocol=udp to-addresses=\
192.168.0.1 to-ports=53
You are very concerned with perceived outside threats and then you OPEN your router to the whole world to abuse your DNS and possibly cause your ISP to blacklist your WANIP etc.....
REMOVE THIS RULE for now, as its not well conceived and state your requirement and we can replace it with something more valid.
Now for the OP......
(1) WIREGUARD is not a local SUBNET, so you only assign an IP address, nothing else!!
(2) Get rid of this default setting, its on the static menu found at /ip dns
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
(3) No need for blacklists, waste of time. Get rid of them you will be safe and the associated raw rule.
(4) DROP these two rules, they are NOT required!
A. add action=drop chain=input dst-port=8291 in-interface-list=WAN protocol=tcp
B. add action=drop chain=input in-interface-list=WAN protocol=udp
A. There is no need to block an attempt to 8291, winbox port, because you have the following rule:
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
Any traffic coming from the WAN that is not already permitted ( aka wireguard ports ), then any such traffic will be dropped already!!
B. Same logic applies here. After the above drop rule identified, any incoming WAN traffic will be dropped!!
(4) What is the purpose of this DANGEROUS rule??
add action=dst-nat chain=dstnat dst-port=53 protocol=udp to-addresses=\
192.168.0.1 to-ports=53
You are very concerned with perceived outside threats and then you OPEN your router to the whole world to abuse your DNS and possibly cause your ISP to blacklist your WANIP etc.....
REMOVE THIS RULE for now, as its not well conceived and state your requirement and we can replace it with something more valid.
Re: access to winbox by wireguard [SOLVED]
Now to answer your question directly
Do this
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=wireguardInterfaceX list=LAN
add interface=wireguardInterfaceY list=LAN
etc...
add comment=defconf interface=ether1 list=WAN
Do this
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=wireguardInterfaceX list=LAN
add interface=wireguardInterfaceY list=LAN
etc...
add comment=defconf interface=ether1 list=WAN
Re: access to winbox by wireguard
If anyone complains about your long list of code, they should look inwards for not supporting my recommendation for a first post process !!!
Now for the OP......
(1) WIREGUARD is not a local SUBNET, so you only assign an IP address, nothing else!!
(2) Get rid of this default setting, its on the static menu found at /ip dns
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
(3) No need for blacklists, waste of time. Get rid of them you will be safe and the associated raw rule.
(4) DROP these two rules, they are NOT required!
A. add action=drop chain=input dst-port=8291 in-interface-list=WAN protocol=tcp
B. add action=drop chain=input in-interface-list=WAN protocol=udp
A. There is no need to block an attempt to 8291, winbox port, because you have the following rule:
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
Any traffic coming from the WAN that is not already permitted ( aka wireguard ports ), then any such traffic will be dropped already!!
B. Same logic applies here. After the above drop rule identified, any incoming WAN traffic will be dropped!!
(4) What is the purpose of this DANGEROUS rule??
add action=dst-nat chain=dstnat dst-port=53 protocol=udp to-addresses=\
192.168.0.1 to-ports=53
You are very concerned with perceived outside threats and then you OPEN your router to the whole world to abuse your DNS and possibly cause your ISP to blacklist your WANIP etc.....
REMOVE THIS RULE for now, as its not well conceived and state your requirement and we can replace it with something more valid.
Thank you very much for your answer. I apologize for the delay in my response. I have not seen the forum email informing me of your response.
I have edited the post so that they do not see the block lists
Your response has been very helpful to me. I would like to know your opinion on how the configuration is now.
I'm new to mikrotik but I'm passionate about it. I learn a lot by reading your responses to the posts.
# model = RB760iGS
/interface bridge
add admin-mac=701 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=XXXXXXXXXXXXX
set [ find default-name=ether2 ] mac-address=XXXXXXXXXXXXX
set [ find default-name=ether3 ] mac-address=XXXXXXXXXXXXX
set [ find default-name=ether4 ] mac-address=XXXXXXXXXXXXX
set [ find default-name=ether5 ] mac-address=XXXXXXXXXXXXX
set [ find default-name=sfp1 ] mac-address=XXXXXXXXXXXXX
/interface wireguard
add listen-port=13235 mtu=1420 name=AreXXXXXXXXXXXXX
add listen-port=13236 mtu=1420 name=AzcuXXXXXXXXXXXXX
add listen-port=13237 mtu=1420 name=Emanuel
add listen-port=13238 mtu=1420 name=RuXXXXXXXXXXXXX
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.0.2-192.168.0.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=Emanuel list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.10.3.2/32 interface=AreXXXXXXXXXXXXX public-key=\
"XXXXXXXXXXXXX"
add allowed-address=10.10.4.2/32 interface=AzcXXXXXXXXXXXXX public-key=\
"XXXXXXXXXXXXX"
add allowed-address=10.10.5.2/32 interface=Emanuel public-key=\
"XXXXXXXXXXXXX"
add allowed-address=10.10.6.2/32 interface=RubXXXXXXXXXXXXX lic-key=\
"XXXXXXXXXXXXX"
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
192.168.0.0
add address=10.10.3.1/24 interface=Arenales network=10.10.3.0
add address=10.10.4.1/24 interface=Azcuenaga network=10.10.4.0
add address=10.10.5.1/24 interface=Emanuel network=10.10.5.0
add address=10.10.6.1/24 interface=Ruben network=10.10.6.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.0.100 client-id=1:XXXXXXXXXXXXX mac-address=\
XXXXXXXXXXXXX server=defconf
add address=192.168.0.3 client-id=XXXXXXXXXXXXX mac-address=\
XXXXXXXXXXXXX server=defconf
add address=192.168.0.2 client-id=XXXXXXXXXXXXX mac-address=\
XXXXXXXXXXXXX server=defconf
add address=192.168.0.10 mac-address=XXXXXXXXXXXXX server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=45.90.28.18,45.90.30.18
/ip firewall address-lis
XXXXXXXXXXXXX
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="wireguard " dst-port=13237 protocol=\
udp
add action=accept chain=input comment="wireguard " dst-port=13235 protocol=\
udp
add action=accept chain=input comment="wireguard " dst-port=13238 protocol=\
udp
add action=accept chain=input comment="wireguard " dst-port=13236 protocol=\
udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=53 protocol=udp to-addresses=\
192.168.0.1 to-ports=53
/ip firewall raw
add action=drop chain=prerouting comment=\
"DMNTR SecurIP: Block WAN connections from BlackList" in-interface-list=\
WAN src-address-list=dmntr-blacklist
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system identity
set name=RouterOS
/system note
set show-at-login=no
/system scheduler
add comment="DMNTR SecurIP 30m Update Script" interval=3h name=\
dmntr_securipupdate on-event="/system script run dmntr_securip" policy=\
read,write,policy,test start-date=1970-01-01 start-time=00:00:00
add comment="DMNTR SecurIP OnBoot Script" name=dmntr_securipupdateOnBoot \
on-event=":delay 30;system script run dmntr_securip" policy=\
read,write,policy,test start-time=startup
/system script
add comment="XXXXXXXXXXXXX SecurIP Script" dont-require-permissions=no name=\
dmntr_securip owner=admin policy=read,write,policy,test source="# DMNTR Ne\
twork Solutions SecurIP Installer\
\n# 2022 dmntnet\
\n:local destPath \"securip_dmntr.rsc\";\
\n:local priority \"2\";\
\n:do { /file remove \$destPath } on-error={};\
\n/tool fetch mode=https url=\"httpsXXXXXXXXXXXXXtr.net/dmmntr-secur\
ip-lite.rsc\" user=\"XXXXXXXXXXXXX\" password=\"XXXXXXXXXXXXX\" dst-path=\"\$de\
stPath\" output=file;\
\n/system logging disable numbers=0\
\n/import file-name=\$destPath;\
\n/system logging enable numbers=0\
\n/file remove \$destPath;"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN