Create a VLAN natted to Wireguard VPN Client

Hello everyone,

I’m trying to create a WireGuard client on a hAP ac2 which has to connect some clients of my 2nd house to the first one, while leaving the others on the normal network. Some of them are wireless and a couple wired.

I’ve managed to create the WireGuard peer and see traffic passing, but I’m struggling with configuring the next step:

  • A VLAN to which all VPN traffic is redirected
  • Assign 2 physical ports of the hAP ac2 to that VLAN, plus a wireless SSID
  • Tag that VLAN on the main port (the hAP ac2 is not the router in my case)
  • NAT all VLAN traffic to the VPN, which has a single address available for the client.

I’ve been trying for a week with different settings but none of them is working. Sometimes I can see the devices in the VLAN; they get an IP address from the DHCP server I’ve configured but don’t pass any traffic. Other times they never get the address, but I can see they’re on the correct VLAN, etc.

I’d be so glad if someone can point me in the right direction

Thanks from Italy

For a virtual bottle of Wine, anything is possible!

Provide a network diagram showing what you are trying to accomplish as it is not clear.
Then provide both MT configs.
/export file=anynameyouwish (minus router serial number, public wanip information, keys etc.)

Even for a real one :smiley:

I’ll try to explain in a better way:

Wgd Server (remote) <—> Wgd Client (this hap ac2) <—NAT—> Virtual Network on hap ac2 <—>2 LAN Ports and 1 Wireless Ntwk

Here’s the config:

# 2023-07-26 15:27:11 by RouterOS 7.10.1
# software id = 0XTX-RZ67
#
# model = RBD52G-5HacD2HnD
# serial number = ************
/interface bridge
add admin-mac=2C:**:**:**:C8:5C auto-mac=no ingress-filtering=no name=\
    LAN_Bridge vlan-filtering=yes
/interface wireguard
add disabled=yes listen-port=51821 mtu=1420 name=vpnext
/interface list
add name=WAN
add name=LAN
add name=VLAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    LAN_Password supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    Guest_Password supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge name="LAN 2.4 GHz" security-profile=LAN_Password ssid=SSID \
    wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-XXXX \
    country=italy disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge name="LAN 5.0 GHz" security-profile=LAN_Password \
    ssid=SSID wireless-protocol=802.11 wps-mode=disabled
/ip pool
add name=VPN_DHCP ranges=10.10.39.100-10.10.39.199
/interface bridge port
add bridge=LAN_Bridge ingress-filtering=no interface=ether2
add bridge=LAN_Bridge ingress-filtering=no interface=ether3
add bridge=LAN_Bridge ingress-filtering=no interface=ether4
add bridge=LAN_Bridge ingress-filtering=no interface=ether5
add bridge=LAN_Bridge ingress-filtering=no interface="LAN 2.4 GHz"
add bridge=LAN_Bridge ingress-filtering=no interface="LAN 5.0 GHz"
add bridge=LAN_Bridge ingress-filtering=no interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=LAN_Bridge tagged=ether5 vlan-ids=39
/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface="LAN 5.0 GHz" list=LAN
add interface="LAN 2.4 GHz" list=LAN
add interface=ether1 list=LAN
# "*10" is how the export renders a reference to an interface that no longer exists
add interface=*10 list=VLAN
add interface=ether5 list=VLAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 disabled=yes endpoint-address=\
    *************.ddns.net endpoint-port=51821 interface=vpnext \
    persistent-keepalive=1m public-key=\
    "**************************************"
/ip address
add address=10.10.38.3/24 interface=LAN_Bridge network=10.10.38.0
/ip dhcp-server
# "*19" likewise refers to a deleted interface, so this DHCP server is bound to nothing
add address-pool=VPN_DHCP interface=*19 lease-time=10m name=VPN_DHCP
/ip dhcp-server network
add address=10.10.39.0/24 dns-server=9.9.9.9,149.112.112.112 gateway=\
    10.10.39.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=10.10.38.4,10.10.38.9
/ip dns static
add address=10.10.38.10 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Management Winbox" dst-address=\
    10.10.38.3 dst-port=8291 protocol=tcp
add action=accept chain=input comment="Management HTTP" dst-address=\
    10.10.38.3 dst-port=80 protocol=tcp
add action=accept chain=input comment="Management HTTPS" dst-address=\
    10.10.38.3 dst-port=443 protocol=tcp
add action=accept chain=forward comment="Allow VPNext" out-interface=vpnext \
    src-address=10.10.39.0/24
add action=drop chain=forward comment="Drop LAN to GUEST" disabled=yes \
    dst-address=10.10.39.0/24 src-address=10.10.38.0/24
add action=drop chain=forward comment="Drop GUEST to LAN" disabled=yes \
    dst-address=10.10.38.0/24 src-address=10.10.39.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.10.38.1 routing-table=main \
    suppress-hw-offload=no
/ip service
set www-ssl certificate=webssl disabled=no
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=Europe/Rome
/system note
set note="Alex Pichetto / Occhieppo Inferiore / AP1" show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

What is the remote WireGuard server (third-party VPN, another MT)?

What the heck is a virtual network… I understand local subnets behind the router.

The remote WireGuard server is a Debian VM on my primary LAN at home.

And yes, a local subnet behind the router, which has to be bound to two ports and a wireless network, and also be a tagged VLAN on another port.

Again confused, if your debian home wg server is remote, then where are you located and what device do you have …
My last comment lost patience, as you refuse to be clear or provide a picture.

First of all, thank you for your patience, I understand that’s unclear.

Assume “Home 1” is where I live and “Home 2” is my gf’s house where I spend a lot of time. She has an awful ISP router, a Zyxel 8P managed switch and a hAP ac2 which was used only as an access point to extend the ISP router’s wireless coverage.

I’d like to know if I can create a second network which routes all traffic of connected clients to my house (not only my house’s LAN addresses).

So, I tried my best:

The final result I wanna achieve is to have some devices (not all of them) both wireless and wired with all traffic going through the VPN tunnel to my first house (light blue arrow), where I have some IP-related services and also local servers.

Other devices (like smartphones, smart TV, etc…) don’t have to be routed over the VPN, to save throughput.

I don’t need only the local subnet of “Home 1” to be routed, but all the traffic coming from that VLAN’s clients.

Other info: the “Home 1” VM is running a WireGuard instance linked to my mobile devices also. I assign 1 static IP per device, like I did for the MikroTik hAP ac2 in “Home 2”, so I’d like the MikroTik to NAT “VLAN 2” connections and route them (through the WireGuard VPN) to the “Home 1 LAN”.

Actually I have a WireGuard peer handshaking from the MikroTik hAP ac2 to my house, but I don’t know how to route those devices over it.

Thank you again,
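
The configuration below is an added example, not the poster's config and not a reply from the thread: it shows one way to build the four pieces asked for (VLAN 39 on the bridge, two access ports plus a dedicated SSID, the VLAN tagged on the ether5 trunk, and policy routing plus NAT of that VLAN into the vpnext tunnel) on top of the export above. It reuses the names and addresses from the export (LAN_Bridge, vpnext, VLAN 39, 10.10.39.0/24, the VPN_DHCP server, the VLAN interface list). Everything else is an assumption: the tunnel address 10.66.66.2/32 stands in for whatever the Home 1 server assigned to this peer, the SSID name SSID-VPN and the table name to_home1 are arbitrary, and ether2 and ether3 are taken as the two ports to move into the VLAN.

```routeros
# --- L2: VLAN 39 tagged on the trunk (ether5) and on the bridge itself,
#         untagged on two access ports and on a dedicated virtual AP ---
/interface wireless
add master-interface="LAN 2.4 GHz" mode=ap-bridge name=wlan_vpn ssid=SSID-VPN \
    security-profile=LAN_Password wps-mode=disabled disabled=no
/interface bridge port
set [ find interface=ether2 ] pvid=39
set [ find interface=ether3 ] pvid=39
add bridge=LAN_Bridge interface=wlan_vpn pvid=39
/interface bridge vlan
set [ find vlan-ids=39 ] tagged=LAN_Bridge,ether5 untagged=ether2,ether3,wlan_vpn

# --- L3: router-side interface for the VLAN (replaces the dangling *10 / *19) ---
/interface vlan
add interface=LAN_Bridge name=vlan39 vlan-id=39
/interface list member
add interface=vlan39 list=VLAN
/ip address
add address=10.10.39.1/24 interface=vlan39
/ip dhcp-server
set [ find name=VPN_DHCP ] interface=vlan39 disabled=no

# --- Tunnel: enable the interface and peer, give it the address assigned by Home 1
#     (10.66.66.2/32 is a placeholder, use the address the server allocated) ---
/interface wireguard
set [ find name=vpnext ] disabled=no
/interface wireguard peers
set [ find interface=vpnext ] disabled=no
/ip address
add address=10.66.66.2/32 interface=vpnext

# --- Policy routing: only packets that ARRIVE on vlan39 are forced into the tunnel.
#     Matching on the incoming interface (not just src-address) keeps the router's own
#     replies (DHCP, DNS from 10.10.39.1) in the main table instead of the tunnel. ---
/routing table
add name=to_home1 fib
/ip route
add dst-address=0.0.0.0/0 gateway=vpnext routing-table=to_home1
/routing rule
add interface=vlan39 src-address=10.10.39.0/24 action=lookup-only-in-table \
    table=to_home1 comment="VLAN 39 never falls back to the ISP route"

# --- NAT: the whole VLAN hides behind the one tunnel address ---
/ip firewall nat
add chain=srcnat action=masquerade out-interface=vpnext comment="VLAN 39 -> tunnel"

# --- Firewall ---
/ip firewall filter
# DHCP and DNS from the VLAN must reach the router before "drop all not coming from LAN"
add chain=input action=accept in-interface-list=VLAN protocol=udp dst-port=67,53 \
    comment="VLAN: DHCP/DNS" place-before=[ find comment="defconf: drop all not coming from LAN" ]
# Kill switch: if the tunnel is down, VLAN 39 traffic is dropped rather than leaked via 10.10.38.1
add chain=forward action=drop in-interface=vlan39 out-interface=!vpnext \
    comment="VLAN 39 only via tunnel" place-before=[ find comment="Allow VPNext" ]
# Isolate the VLAN from the Home 2 LAN (rules already in the export, just enable them)
set [ find comment="Drop GUEST to LAN" ] disabled=no
set [ find comment="Drop LAN to GUEST" ] disabled=no
# Clamp TCP MSS so full-size segments fit inside the 1420-byte tunnel MTU
/ip firewall mangle
add chain=forward action=change-mss new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn \
    out-interface=vpnext passthrough=yes comment="MSS clamp for tunnel"
```

Two checks after applying it: `/interface bridge vlan print` should show 39 tagged on ether5 and LAN_Bridge and untagged on the three access interfaces, and `/routing rule print` should show the lookup-only rule as active. The kill switch is the security-relevant piece: because the forward chain in the export has no catch-all drop, a VLAN client would otherwise silently reach the internet through the ISP router whenever the tunnel is down or the rule is missing, which is exactly the case the thread's "sometimes they get an address but pass no traffic" symptom can mask. The routing rule is matched on the incoming interface for the same reason as the comment in the block: a rule matched only on src-address 10.10.39.0/24 would also catch the router's own DHCP and DNS replies (source 10.10.39.1) and send them into the tunnel, and clients would then never complete a lease.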

It's getting a bit clearer, but when you try to talk traffic and config at the same time it gets jumbled.

Does the ISP ROUTER/MODEM provide a public IP address or a fixed private LAN IP?
Does your home WAN provide you with a public IP address or a fixed private LAN IP?

The ISP router provides a fixed private LAN IP; I then forward a port to it to have WireGuard working as expected.

When you ask about my home wan, what are you referring to?

There’s a router with a public fixed WAN IP. The router forwards a port to the WireGuard VM, which is inside the LAN with its fixed LAN IP.