I asked on Reddit but didn’t get a good answer: https://www.reddit.com/r/mikrotik/comments/ot6uuw/wireguard_off_a_specific_port/
I don’t understand how I connect my bridge network to the Wireguard interface.
Any tips please?
Reddit is the new “users forum” for MikroTik?
I have no idea what the OP is asking, and no I am not going to go to other websites to read…
So best
a. provide a network diagram
b. a clear set of requirements (what he/she wants users to be able to do) without discussing the config
c. provide current effort
/export hide-sensitive file=anynameyouwish
Pics unless specifically requested dont do much for me, hard on my eyes LOL.
but I did see the word wireguard.
http://forum.mikrotik.com/t/mikrotik-wireguard-server-with-road-warrior-clients/148392/1
Wireguard is a layer 3 tunnel and cannot be bridged. I would call it a bug that it even allows you to add it as a bridge port, since other tunnel types that cannot be bridged (like GRE) are hidden from the list of potential bridge ports.
If I can’t bridge, how do I route my devices connected on ether4/ether5 that are reliant on dhcpd? Surely I route through to Wireguard via a NAT?
The guide https://help.mikrotik.com/docs/display/ROS/WireGuard is incomplete to me because it doesn’t show how to connect the VPN to a port.
Furthermore it would be nice if they showed how to test the connection.
As requested, a diagram
and my config https://s.natalian.org/2021-07-31/vpn.rsc
I need some guidance to set up a nat or whatever I need to do to get my ports onto the wireguard interface please.
Thank you in advance,
Is there a specific reason using Wireguard ?
Wireguard I know works, I’m familiar with using sudo wg-quick up wg0 to use this UK VPN. Now I just want to get Mikrotik to effectively do the same thing with more devices.
You can route between devices, connected to ethernet ports, and wireguard. You just can’t have both LAN and wireguard in same IP subnet. At the same time you don’t really want to extend broadcast domain over some (relatively low speed and high delay) tunnel.
Unless you have very specific reasons for that. But if you do, you’ll need some kind of Ethernet over IP solution. I guess (I never tried) you could run EoIP tunnel over wireguard tunnel, the problem with this solution is that EoIP is Mikrotik proprietary protocol meaning the other end has to be mikrotik as well. EoIP interface is L2 interface and you can bridge it with other L2 interfaces (ethernet, wireless). Beware of MTU changes when you add EoIP interface to bridge.
Wireguard doesnt connect to a port.
It connects to the router (server) on its wireguard interface which you create and define.
Destination Route for the subnet or IP address at the client with gateway being the wiregaurd interface.
If you want the users on the WG interface to be able to access LAN resources, then suggest
this could possible be done using firewall rules.
add chain=forward action=accept in-interface=wginterface [ out-interface=, or dst-address=, etc… ]
I’m still confused about how to set up the routing for the ukvpn bridge. When I attach a client, it doesn’t seem to know to go via wireguardUK!
[admin@MikroTik] /ip/route> print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC, d - DHCP, y - COPY; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCEDST-ADDRESS GATEWAY D
0 As+ 0.0.0.0/0 wireguardUK 1
DAd+ 0.0.0.0/0 192.168.1.1 1
DAc 192.168.1.0/24 bridgeLocal 0
DAc 192.168.2.0/24 ukvpn 0
DAc 192.168.2.4/32 wireguardUK 0
[admin@MikroTik] /ip/route> /ip/firewall/
address-list calea connection filter layer7-protocol mangle nat raw service-port export
[admin@MikroTik] /ip/route> /ip/firewall/filter/print
Flags: X - disabled, I - invalid; D - dynamic
0 chain=forward action=accept in-interface=wireguardUK out-interface=ukvpn
Sorry, not sure what you are doing using a separate UK VPN?
One only needs wireguard and not some other VPN on top (too complicated for me, plus dont touch layer 7 with a ten foot pole))
Currently you are doing ECMP it looks like, which is doing load balancing where some traffic is going over your regular connection and some is going over wireguard UK but you don’t have control over what traffic is using what.
Also you are using 192.168.2.0/24 and .0 is not a valid final octet for an IPv4 address except for /32 and /31 subnets.
If you want to send traffic for some systems across to wireguard UK and other systems to go through the regular network, you need to configure policy routing.
ukvpn is a bridge, just so that I can organise a dhcpd for connected devices on ether{4,5}
I presume what you are trying to do is get the devices on ether4 and ether5 to go online through the wireguard VPN whereas everything else should go online the normal way. Is this correct? If so, you need to do policy routing, and those devices should not have IPs on the wireguard subnet but on a different subnet (ex. 192.168.3.0/24).
With Michael’s help, I got there with https://s.natalian.org/2021-08-01/vpn-working.rsc
Sorry bumping old topic… this is what I want to do also on my network.
May I know how to do that?
Thanks..
Me too.
In short, WireGuard does not work with Bridge-LAN. That’s it?
Exactly. You can’t bridge a layer2 network directly into wireguard. Use a encapsulation Mechanism like VXLAN or EoIP and then route the traffic over the wireguard interfaces.
Wireguard doesn’t work with a bridge-lan is a ridiculous statement that means nothing!
Wireguard is a peer to peer layer3 construct.
If you want to connect subnets at layer 2 then
a. use zerotier
b. eiop over wg
c. vxlan over wg. etc.
I will connect Two routers, with bridge-LANS using WG. EASY PEASY.[/color]
Lets say Router one has a single subnet 192.168.1.0/24 attached to a bridge.
Lets say Router two has a single subnet 192.168.2.0/24 attached to a bridge.
Each bridge feeds ports 2,3,4,5
The user requirements is that users from each subnet should be able to reach users in the other subnet.
R1 acts as server for handshake.
/allowed-addresses=10.10.10.2/32,192.168.2.0/24 … Peer1=R2
/allowed-addresses=10.10.10.3/32 …Peer2 { admin on remote connection }
R2 acts as client for handshake
/allowed-addresses=10.10.10.0/24,192.168.1.0/24 persistent-keep-alive=30s …Single Peer=R1
R1 fw rules
add chain=input action=accept dst-port=wireguardlisteningport protocol=udp
add chain=input action=accept in-interface=wg1 src-address=10.10.10.3 { admin wireguard remote config access }
add chain=forward action=accept in-interface=wg1 out-interface=bridge1
add chain=forward action=accept in-interface=bridge1 out-interface=wg1
add chain=forward action=accept in-interface=wg1 out-interface=wg1 { allow admin to relay to R2 }
R1 Routes
/ip route
add dst-address=192.168.2.0/24 gwy=wg1 table=main
R2 fw rules
add chain=input action=accept in-interface=wg2 src-address=10.10.10.3 { allow remote admin to config R2 }
add chain=forward action=accept in-interface=wg2 out-interface=bridge2
add chain=forward action=accept in-interface=bridge2 out-interface=wg2
R2 Routes
/ip route
add dst-address=192.168.1.0/24 gwy=wg2 table=main
DONE" Connected two bridge-lans via wireguards, so please stop smoking dope and then posting.
The alternative comment perhaps more fruitful IS
State the user requirements clearly and accurately.
If you want some ideas on using Wireguard to attempt to join subnets at a Layer 2 level —> https://forum.mikrotik.com/viewtopic.php?t=194646
…
To Clarify !
- A few users in a subnet can deviate from the rest of the user/devices on a subnet and go out wireguard or the normal WAN depending, with routing rules
- A whole subnet can deviate from the rest of the subnets behind a router, and go out wireguard or normal WAn depending, with routing rules.
- A group of users ( a subset of one subnet, contiguous or not, or even a group of users from various subnets ) can go out wireguard or normal WAN depending, by putting them on a firewall address list and using mangling.
- Single remote users ( single wireguard IP ) is not the topic here.
- No one should be using wireguard addresses for users behind a router… as noted by ( dont get how mud is charming) guy, dont use wireguard addresses as though it was a normal user subnet.