Back to home works without Internet

I have configured the ‘Back to Home’ VPN, which seems to be working on my iOS devices. This allows me to access my router and LAN devices whenever I am staying at a hotel. However, I would also like to enable public internet access for the VPN. What is the best way to configure this? Any help would be greatly appreciated. I have attached my configuration file.

# 2024-02-05 14:33:08 by RouterOS 7.13.3
# software id = 79VK-VRAH
#
# model = RB5009UPr+S+
# serial number = xxxxxxxxxxx
/interface bridge
add name=bridge-local port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] poe-out=off
/interface wireguard
add comment=back-to-home-vpn listen-port=45415 mtu=1420 name=back-to-home-vpn
/interface vlan
add interface=ether1 loop-protect=off name=vlan1.6 vlan-id=6
/interface pppoe-client
add add-default-route=yes allow=pap disabled=no interface=vlan1.6 keepalive-timeout=20 max-mru=1500 max-mtu=1500 name=pppoe-client user=00-4A-77-6A-43-50@internet
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.0.100-192.168.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge-local lease-time=10m name=dhcp1
/ppp profile
set *0 only-one=yes use-compression=yes use-upnp=no
/snmp community
set [ find default=yes ] addresses=192.168.0.0/24
/interface bridge port
add bridge=bridge-local interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge-local ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge-local ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge-local ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge-local ingress-filtering=no interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge-local ingress-filtering=no interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge-local ingress-filtering=no interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge-local ingress-filtering=no interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=pppoe-client list=WAN
/interface wireguard peers
add allowed-address=192.168.216.4/32 comment="RB5009UPr+S+ (iPhone16,2)" interface=back-to-home-vpn public-key="xxxxxxxxxxxxxxxxx"
/ip address
add address=192.168.0.1/24 interface=bridge-local network=192.168.0.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.0.4 name=diskstation
/ip firewall address-list
add address=192.168.0.2-192.168.0.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge-local log=yes log-prefix=!public_from_LAN out-interface=!bridge-local
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge-local log=yes log-prefix=LAN_!LAN src-address=!192.168.0.0/24
add action=drop chain=input dst-port=8080 in-interface=ether1 protocol=tcp src-address=0.0.0.0/0
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip proxy
set cache-administrator=xxxxx max-cache-object-size=50000KiB src-address=192.168.0.1
/ip upnp
set show-dummy-rule=no
/ipv6 address
add address=::1 from-pool=kpn-pool interface=bridge-local
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-client pool-name=kpn-pool pool-prefix-length=48 request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
/ipv6 firewall filter
add action=accept chain=input comment="allow established and related" connection-state=established,related
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="allow allowed addresses" src-address-list=allowed
add action=drop chain=input in-interface=pppoe-client log=yes log-prefix=dropLL_from_public src-address=fe80::/16
add action=drop chain=input
/ipv6 nd
set [ find default=yes ] interface=bridge-local
/routing igmp-proxy interface
add interface=bridge-local
/system clock
set time-zone-name=Europe/Amsterdam
/system note
set show-at-login=no
  1. Modify your interface list members to include wireguard, which affects the relevant firewall rules and can also be shortened…

/interface list member
add interface=bridge list=LAN
add interface=back-to-home-vpn list=LAN
add interface=pppoe-client list=WAN

  2. Modified, cleaned-up firewall rules. Also to note: there was no input chain rule allowing your wireguard connection to the input chain, so you should not have been able to access the router for config purposes from wireguard. The only allow list included only the LAN users, not the wireguard user. Also missing the wireguard address definition. Surprised anything worked???

/ip firewall address-list
add address=192.168.0.1XY/32 list=Authorized comment="Admin PC"
add address=192.168.216.4/32 list=Authorized comment="admin remote wireguard"

/ip firewall filter
{ default rules to keep }
add action=accept chain=input comment="default configuration" connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp

{ admin rules }
add action=accept chain=input in-interface-list=LAN src-address-list=Authorized comment="admin config access"
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp comment="dns services to users"
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp comment="dns services to users"
add action=accept chain=input protocol=icmp
add action=drop chain=input comment="drop all else"

+++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid

{ admin rules }
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=forward in-interface=back-to-home-vpn out-interface-list=LAN
add action=drop chain=forward comment="drop all else"
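To see why step 1 matters once the forward chain ends in "drop all else", here is an added Python example (not from the thread, and not MikroTik code) that parses a RouterOS export and walks the forward chain for one synthetic new connection from the Back to Home client out to the PPPoE uplink. The ruleset excerpt and the packet are constructed; the matcher model is deliberately small (interface, interface-list and connection-state matchers only, anything else is treated as not matching) and assumes the RouterOS behaviour of accepting when no rule in the chain matches.

```python
import shlex
# Constructed excerpt of the thread's amended ruleset: interface lists plus a forward chain ending in "drop all else".
AMENDED = """\
/interface list member
add interface=back-to-home-vpn list=LAN
add interface=pppoe-client list=WAN
/ip firewall filter
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
"""
# A new connection from the phone on the WireGuard side heading out to the Internet via the PPPoE uplink.
VPN_TO_WAN = {"in-interface": "back-to-home-vpn", "out-interface": "pppoe-client", "connection-state": "new"}
SKIP = {"action", "chain", "comment", "log", "log-prefix", "hw-offload", "jump-target"}  # not matchers

def parse_export(text):
    """Group every `add` line of a RouterOS export under its section path (shlex handles quoted values)."""
    sections, section = {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            section = line.strip()
        elif line.startswith("add "):
            rule = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            sections.setdefault(section, []).append(rule)
    return sections

def rule_matches(rule, packet, members):
    """Every matcher must hold ('!' negates); matchers not modelled here, e.g. address lists, never match."""
    for key, want in rule.items():
        if key in SKIP:
            continue
        negate, want = want.startswith("!"), want.lstrip("!")
        if key in ("in-interface-list", "out-interface-list"):
            hit = any(m["list"] == want and m["interface"] == packet[key[:-5]] for m in members)
        elif key in packet:
            hit = packet[key] in want.split(",")
        else:
            return False
        if hit == negate:
            return False
    return True

def forward_verdict(export, packet):
    """First matching terminating forward rule decides; RouterOS accepts when no rule matches."""
    sections = parse_export(export)
    members = sections.get("/interface list member", [])
    for rule in sections.get("/ip firewall filter", []):
        if rule.get("chain") == "forward" and rule["action"] in ("accept", "drop", "reject") \
                and rule_matches(rule, packet, members):
            return rule["action"]
    return "accept"
```

With the back-to-home-vpn LAN membership present the verdict is accept; delete that one member line and the same packet hits "drop all else", which is exactly the dependency step 1 is pointing at.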

Hi!

Also to note there was no input chain rule allowing your wireguard

Quote from https://help.mikrotik.com/docs/display/ROS/Back+To+Home “NOTHING has to be configured in RouterOS to use Back to Home.”
I was also surprised at first, but I believe RoS sets some kind of hidden FW rule to allow BTH.

And here it is:

[admin@kk-r1-rb5009] /ip/firewall/filter> print dynamic 
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; back-to-home-vpn
      chain=input action=accept protocol=udp dst-port=28949

Update:
now I start to understand how this works, it adds also this, so I have NAT for my 192.168.216.x:

[admin@kk-r1-rb5009] /ip/firewall/nat> print  dynamic all 
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; back-to-home-vpn
      chain=srcnat action=masquerade src-address=192.168.216.0/24

Interesting, so BTH creates
a. an input chain rule automatically
b. a source NAT rule automatically
c. what about a wireguard address??
d. anything else???
What about allowed-IPs?? Why are they showing on the config??

Why did any of this NOT show on the OP's config???
Or perhaps more to the point:
Why is there NOT any BTH config block showing on the export??

@Anav: good questions, I can't answer all of them, but for myself the most important question is: why are the answers to these questions (and further details) not to be found on help.mikrotik.com??
At least the answer to your question c:

[admin@kk-r1-rb5009] /ip/address> print 
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS           NETWORK        INTERFACE       
0   10.1.1.2/24       10.1.1.0       vl2lan          
[...]   
;;; back-to-home-vpn
8 D 192.168.216.1/24  192.168.216.0  back-to-home-vpn
9 D [w.x.y.z]/23   [w.x.y.z]    br-inet

Also this: I believe OP did not configure BTH itself correctly, as on my device there is a BTH block in the export:

/ip cloud set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m update-time=yes
/ip cloud advanced set use-local-address=yes
/ip cloud back-to-home-users add allow-lan=yes disabled=no expires=never name=[...] private-key="[...]" public-key="[...]"