Help with routing wifi through vpn connection

Hi everyone,

I have a 1 Gbps FTTH connection at home and a hAP ac3 + a “stupid” AP connected to one Ethernet interface (the MikroTik’s Wi-Fi is slow, not reaching 100 Mbps). All the clients connect to the AP; the MikroTik’s Wi-Fi is not in use. I have one PC that connects to a WireGuard VPN server and accesses the internet through this VPN connection.
To make the FTTH work, my ISP requires VLAN ID 835.
The fiber arrives at a converter that is connected to an Ethernet interface on the MikroTik.

I want to modify the configuration to accomplish the following:

  • have the mikrotik connect to the wireguard vpn server
  • every client that connects to the mikrotik wifi should be routed through the vpn connection
  • the clients using the vpn must use a different dns server than the other ones

I have managed to connect to the VPN server, but I am not sure how to do everything else.
With my limited understanding, I think the MikroTik’s Wi-Fi should be on a different VLAN with its own DHCP and DNS, but I cannot figure this out.
I have basic networking knowledge, but not enough to do the configuration by myself.
I saw the Router-Switch-AP example configuration here on the forum http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 but I cannot understand how to apply that to my situation.

Could anyone help me, please?


I’ve managed to connect to the VPN server with this piece of config:

# Create WireGuard Interface
/interface wireguard add name=wg0 private-key="<MY_PRIVATE_KEY>" listen-port=51820

# configure wireguard interface
/ip address add address=10.49.0.6/32 interface=wg0

# Add Peer Information
/interface wireguard peers 
add allowed-address=0.0.0.0/0,::/0 endpoint-address=*.*.*.* endpoint-port=51820 public-key="<MY_PUBLIC_KEY>" preshared-key="<MY_PRESHARED_KEY>" interface=wg0 persistent-keepalive=30m 

# Create a new bridge
/interface bridge add name=vpn_bridge

# Add WireGuard interface and wlan2 to the bridge
/interface bridge port add bridge=vpn_bridge interface=wg0
/interface bridge port add bridge=vpn_bridge interface=wlan2

# Set up NAT for VPN bridge
/ip firewall nat add chain=srcnat out-interface=wg0 action=masquerade

I have tried the VLAN way for the Wi-Fi, but the clients cannot connect to it (without this config, the clients can connect to the MikroTik’s Wi-Fi just fine):

/interface vlan
add interface=bridge name=wifi-vlan1 vlan-id=101
add interface=bridge name=wifi-vlan2 vlan-id=102

/ip address
add address=192.168.3.1/24 interface=wifi-vlan1 network=192.168.3.0
add address=192.168.4.1/24 interface=wifi-vlan2 network=192.168.4.0

/ip pool
add name=wifi-dhcp-pool1 ranges=192.168.3.50-192.168.3.200
add name=wifi-dhcp-pool2 ranges=192.168.4.50-192.168.4.200

/ip dhcp-server
add address-pool=wifi-dhcp-pool1 interface=wifi-vlan1 name=wifi-dhcp1
add address-pool=wifi-dhcp-pool2 interface=wifi-vlan2 name=wifi-dhcp2

/ip dhcp-server network
add address=192.168.3.0/24 gateway=192.168.3.1
add address=192.168.4.0/24 gateway=192.168.4.1

/interface bridge port
add bridge=bridge interface=wifi-vlan1
add bridge=bridge interface=wifi-vlan2

/interface wireless
set [ find default-name=wlan1 ] vlan-mode=use-tag vlan-id=101
set [ find default-name=wlan2 ] vlan-mode=use-tag vlan-id=102

My currently working config is:

# oct/31/2023 23:41:28 by RouterOS 7.2.3
#
# model = RBD53iG-5HacD2HnD
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge

/interface vlan
add interface=ether1 name=vlan835 vlan-id=835

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk,wpa-eap,wpa2-eap mode=dynamic-keys name=profile1 supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=wifi-profile5 supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys name=wifi-profile2 supplicant-identity="" unicast-ciphers=tkip,aes-ccm

/interface wireless
set [ find default-name=wlan1 ] country=italy ssid=MikroTik2 security-profile=wifi-profile2 mode=ap-bridge wireless-protocol=802.11 distance=indoors frequency=auto installation=indoor disabled=no
set [ find default-name=wlan2 ] country=italy ssid=MikroTik5 security-profile=wifi-profile5 mode=ap-bridge wireless-protocol=802.11 distance=indoors frequency=auto installation=indoor band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX 

/ip pool
add name=dhcp ranges=192.168.2.50-192.168.2.200

/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=customconf interface=vlan835 list=WAN

/ip address
add address=192.168.2.1/24 comment=defconf interface=bridge network=192.168.2.0

/ip dhcp-client
add comment=confv2 interface=vlan835

/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=1.1.1.1 gateway=192.168.2.1 netmask=24

/ip dns
set allow-remote-requests=yes

/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="confv2: accept from LAN" in-interface-list=LAN
add action=drop chain=input comment="confv2: drop everything not permitted"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="confv2: allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="confv2: allow dst-nat from both WAN and LAN (including port forwarding)" connection-nat-state=dstnat
add action=reject chain=forward comment="confv2: useful for tracking LAN issues" in-interface-list=LAN reject-with=icmp-admin-prohibited
add action=drop chain=forward comment="confv2: drop everything else"

/ip firewall mangle
add action=set-priority chain=forward new-priority=0 out-interface=vlan835 passthrough=yes

/ip firewall nat
add action=masquerade chain=srcnat comment="configv2: masquerade" out-interface=vlan835

/ip firewall service-port
set ftp disabled=yes
set irc disabled=yes
set sip disabled=yes

/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/system clock
set time-zone-name=Europe/Rome
/tool mac-server
set allowed-interface-list=LAN

(1) Why this???
/ip firewall mangle
add action=set-priority chain=forward new-priority=0 out-interface=vlan835 passthrough=yes

(2) What VPN service are you connecting to… did they give you DNS settings as well???

(3) The following is based on four VLANs: one for home (what used to be the bridge), separate VLANs for MT wlan1 and wlan2, and another VLAN just for the dumb access point and the AP traffic we will put through to the WireGuard server.

# model = RBD53iG-5HacD2HnD
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge  vlan-filtering=yes
/interface vlan
add interface=ether1 name=vlan835 vlan-id=835
add interface=bridge name=wifi-vlan1 vlan-id=101
add interface=bridge name=wifi-vlan2 vlan-id=102
add interface=bridge name=AP-vlan3 vlan-id=103
add interface=bridge name=Home-vlan11 vlan-id=11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk,wpa-eap,wpa2-eap mode=dynamic-keys name=profile1 supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=wifi-profile5 supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys name=wifi-profile2 supplicant-identity="" unicast-ciphers=tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] country=italy ssid=MikroTik2 security-profile=wifi-profile2 mode=ap-bridge wireless-protocol=802.11 distance=indoors frequency=auto installation=indoor disabled=no
set [ find default-name=wlan2 ] country=italy ssid=MikroTik5 security-profile=wifi-profile5 mode=ap-bridge wireless-protocol=802.11 distance=indoors frequency=auto installation=indoor band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX 
/ip pool
add name=dhcp ranges=192.168.2.50-192.168.2.200
add name=dhcpWLAN1 ranges=192.168.10.50-192.168.10.200
add name=dhcpWLAN2 ranges=192.168.20.50-192.168.20.200
add name=dhcpAP ranges=192.168.30.50-192.168.30.200
/ip dhcp-server
add address-pool=dhcp interface=Home-vlan11 name=defconf
add address-pool=dhcpWLAN1 interface=wifi-vlan1 name=wlan1-server
add address-pool=dhcpWLAN2 interface=wifi-vlan2 name=wlan2-server
add address-pool=dhcpAP interface=AP-vlan3 name=wlanAP-server
/interface bridge port
add bridge=bridge interface=ether2 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=11
add bridge=bridge interface=ether3 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=103 comment="connected to AP"
add bridge=bridge interface=ether4 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=11
add bridge=bridge interface=ether5 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=11
add bridge=bridge interface=wlan1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=101
add bridge=bridge interface=wlan2 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=102
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2,ether4,ether5  vlan-ids=11
add bridge=bridge tagged=bridge untagged=wlan1  vlan-ids=101
add bridge=bridge tagged=bridge untagged=wlan2  vlan-ids=102
add bridge=bridge tagged=bridge untagged=ether3  vlan-ids=103
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=Home-vlan11 list=LAN
add  interface=wifi-vlan1 list=LAN
add interface=wifi-vlan2 list=LAN
add interface=AP-vlan3 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan835 list=WAN
/ip address
add address=192.168.2.1/24 comment=defconf interface=Home-vlan11 network=192.168.2.0
add address=192.168.10.1/24  interface=wifi-vlan1  network=192.168.10.0
add address=192.168.20.1/24  interface=wifi-vlan2  network=192.168.20.0
add address=192.168.30.1/24 interface=AP-vlan3 network=192.168.30.0
/ip dhcp-client
add comment=confv2 interface=vlan835
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=192.168.2.1 gateway=192.168.2.1 
add address=192.168.10.0/24 dns-server=192.168.10.1  gateway=192.168.10.1 
add address=192.168.20.0/24 dns-server=192.168.20.1  gateway=192.168.20.1 
add address=192.168.30.0/24 dns-server=WG_DNS gateway=192.168.30.1 
/ip dns
set allow-remote-requests=yes  servers=1.1.1.1
/ip firewall address-list
# using static dhcp leases
add address=192.168.2.X list=Authorized comment="admin desktop wired"
add address=192.168.2.Y list=Authorized comment="admin laptop wired"
add address=192.168.10.A list=Authorized comment="admin laptop wifi wlan1"
add address=192.168.20.B list=Authorized comment="admin smartphone/ipad wlan2"
# if your server is capable of such????
add address=admin-IP4 list=Authorized comment="admin remote via wireguard"
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for Router functionality)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access"  src-address-list=Authorized
add action=accept chain=input comment="user access to router services"  in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="user access to router services"  in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="confv2: drop everything not permitted"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="confv2: allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward src-address=192.168.30.0/24  out-interface=wg0
add action=accept chain=forward comment="confv2: allow dst-nat from both WAN and LAN (including port forwarding)" connection-nat-state=dstnat
add action=drop chain=forward comment="confv2: drop everything else"
/ip firewall mangle
add action=set-priority chain=forward new-priority=0 out-interface=vlan835 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="configv2: masquerade" out-interface=vlan835
/routing table
add fib name=useWG
/ip route
add dst-address=0.0.0.0/0 gateway=wg0 routing-table=useWG
/routing rule
add src-address=192.168.30.0/24 action=lookup table=useWG
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN

If your intention was to have the HOME subnet (that of the bridge) be the same subnet also available for Wi-Fi on the MikroTik for wlan1 and wlan2, then the following simplification could occur. Basically one would only need two LAN subnets (VLANs).


# model = RBD53iG-5HacD2HnD
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge  vlan-filtering=yes
/interface vlan
add interface=ether1 name=vlan835 vlan-id=835
add interface=bridge name=AP-vlan3 vlan-id=103
add interface=bridge name=Home-vlan11 vlan-id=11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk,wpa-eap,wpa2-eap mode=dynamic-keys name=profile1 supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=wifi-profile5 supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys name=wifi-profile2 supplicant-identity="" unicast-ciphers=tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] country=italy ssid=MikroTik2 security-profile=wifi-profile2 mode=ap-bridge wireless-protocol=802.11 distance=indoors frequency=auto installation=indoor disabled=no
set [ find default-name=wlan2 ] country=italy ssid=MikroTik5 security-profile=wifi-profile5 mode=ap-bridge wireless-protocol=802.11 distance=indoors frequency=auto installation=indoor band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX 
/ip pool
add name=dhcp ranges=192.168.2.50-192.168.2.200
add name=dhcpAP ranges=192.168.30.50-192.168.30.200
/ip dhcp-server
add address-pool=dhcp interface=Home-vlan11 name=defconf
add address-pool=dhcpAP interface=AP-vlan3 name=wlanAP-server
/interface bridge port
add bridge=bridge interface=ether2 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=11
add bridge=bridge interface=ether3 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=103 comment="connected to AP"
add bridge=bridge interface=ether4 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=11
add bridge=bridge interface=ether5 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=11
add bridge=bridge interface=wlan1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=11
add bridge=bridge interface=wlan2 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=11
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2,ether4,ether5,wlan1,wlan2  vlan-ids=11
add bridge=bridge tagged=bridge untagged=ether3  vlan-ids=103
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=Home-vlan11 list=LAN
add interface=AP-vlan3 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan835 list=WAN
/ip address
add address=192.168.2.1/24 comment=defconf interface=Home-vlan11 network=192.168.2.0
add address=192.168.30.1/24 interface=AP-vlan3 network=192.168.30.0
/ip dhcp-client
add comment=confv2 interface=vlan835
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=192.168.2.1 gateway=192.168.2.1 
add address=192.168.30.0/24 dns-server=WG_DNS gateway=192.168.30.1 
/ip dns
set allow-remote-requests=yes  servers=1.1.1.1
/ip firewall address-list
# using static dhcp leases
add address=192.168.2.X list=Authorized comment="admin desktop wired"
add address=192.168.2.Y list=Authorized comment="admin laptop wired"
add address=192.168.2.A list=Authorized comment="admin laptop wifi wlan1"
add address=192.168.2.B list=Authorized comment="admin smartphone/ipad wlan2"
# if your server is capable of such????
add address=admin-IP4 list=Authorized comment="admin remote via wireguard"
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for Router functionality)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access"  src-address-list=Authorized
add action=accept chain=input comment="user access to router services"  in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="user access to router services"  in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="confv2: drop everything not permitted"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="confv2: allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward src-address=192.168.30.0/24  out-interface=wg0
add action=accept chain=forward comment="confv2: allow dst-nat from both WAN and LAN (including port forwarding)" connection-nat-state=dstnat
add action=drop chain=forward comment="confv2: drop everything else"
/ip firewall mangle
add action=set-priority chain=forward new-priority=0 out-interface=vlan835 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="configv2: masquerade" out-interface=vlan835
/routing table
add fib name=useWG
/ip route
add dst-address=0.0.0.0/0 gateway=wg0 routing-table=useWG
/routing rule
add src-address=192.168.30.0/24 action=lookup table=useWG
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I am not sure; I think it was needed to force all traffic through VLAN 835 so it can reach the internet through the FTTH connection.

Yes, I also have the IP of the DNS server, it is a private IP like 172.16.0.10. It should basically be an ad filtering service on the vpn server.

All I want basically is to have the Ethernet and dumb AP clients reach the internet directly as they do now, and the clients connected to the MT Wi-Fi to be routed through the VPN connection and use the VPN server’s DNS service. This looked like a simple scenario that I would be able to implement, but I am clearly failing at this :) The four-VLAN solution is really a great upgrade.

Okay, I had it a bit reversed. There is no reason for the mangle rule to force traffic anywhere.
You assigned the VLAN properly to the WAN interface and it should work without such a rule.

Therefore we take the second example and modify it such that the guest AP and regular ethernet uses home LAN, and the two MT wlans use VPN subnet.

This is the result.

# model = RBD53iG-5HacD2HnD
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge  vlan-filtering=yes
/interface vlan
add interface=ether1 name=vlan835 vlan-id=835
add interface=bridge name=wifi-vpn103 vlan-id=103
add interface=bridge name=Home-vlan11 vlan-id=11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk,wpa-eap,wpa2-eap mode=dynamic-keys name=profile1 supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=wifi-profile5 supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys name=wifi-profile2 supplicant-identity="" unicast-ciphers=tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] country=italy ssid=MikroTik2 security-profile=wifi-profile2 mode=ap-bridge wireless-protocol=802.11 distance=indoors frequency=auto installation=indoor disabled=no
set [ find default-name=wlan2 ] country=italy ssid=MikroTik5 security-profile=wifi-profile5 mode=ap-bridge wireless-protocol=802.11 distance=indoors frequency=auto installation=indoor band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX 
/ip pool
add name=dhcp ranges=192.168.2.50-192.168.2.200
add name=dhcpvpn ranges=192.168.30.50-192.168.30.200
/ip dhcp-server
add address-pool=dhcp interface=Home-vlan11 name=defconf
add address-pool=dhcpvpn interface=wifi-vpn103 name=wlanvpn-server
/interface bridge port
add bridge=bridge interface=ether2 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=11
add bridge=bridge interface=ether3 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=11 comment="to dumb AP"
add bridge=bridge interface=ether4 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=11
add bridge=bridge interface=ether5 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=11
add bridge=bridge interface=wlan1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=103
add bridge=bridge interface=wlan2 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=103
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4,ether5  vlan-ids=11
add bridge=bridge tagged=bridge untagged=wlan1,wlan2   vlan-ids=103
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=Home-vlan11 list=LAN
add interface=wifi-vpn103 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan835 list=WAN
/ip address
add address=192.168.2.1/24 comment=defconf interface=Home-vlan11 network=192.168.2.0
add address=192.168.30.1/24  interface=wifi-vpn103  network=192.168.30.0
/ip dhcp-client
add comment=confv2 interface=vlan835
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=192.168.2.1 gateway=192.168.2.1 
add address=192.168.30.0/24 dns-server=172.16.?.? gateway=192.168.30.1  comment="use VPN dns server info"
/ip dns
set allow-remote-requests=yes  servers=1.1.1.1
/ip firewall address-list
# using static dhcp leases
add address=192.168.2.X list=Authorized comment="admin desktop wired"
add address=192.168.2.Y list=Authorized comment="admin laptop wired"
add address=192.168.2.A list=Authorized comment="admin laptop wifi wlan1"
add address=192.168.2.B list=Authorized comment="admin smartphone/ipad wlan2"
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for Router functionality)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access"  src-address-list=Authorized
add action=accept chain=input comment="user access to router services"  in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="user access to router services"  in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="confv2: drop everything not permitted"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="confv2: allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward src-address=192.168.30.0/24  out-interface=wg0
add action=accept chain=forward comment="confv2: allow dst-nat from both WAN and LAN (including port forwarding)" connection-nat-state=dstnat
add action=drop chain=forward comment="confv2: drop everything else"
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wg0 passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="configv2: masquerade" out-interface=vlan835
add action=masquerade chain=srcnat  out-interface=wg0
/routing table
add fib name=useWG
/ip route
add dst-address=0.0.0.0/0 gateway=wg0  routing-table=useWG
/routing rule
add src-address=192.168.30.0/24  action=lookup table=useWG
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN

NOTE1: I removed the VLAN mangle rule and added one to ensure MTU is not a problem with a 3rd-party provider.
NOTE2: Added a src-nat rule to ensure all local users going out WG will get assigned the IP address the VPN provider gave you and will be accepted at the other end.
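An added example, not part of anav's or the OP's configs: the same split (home VLAN 11 out the ISP, wifi-vpn103 out wg0) written so that it fails closed, followed by the commands that verify it on the router. It keeps the names used above (wg0, vlan835, wifi-vpn103, 192.168.30.0/24, the useWG table) and uses 172.26.31.94, the tunnel-side resolver that appears later in the thread, as the DNS address; adjust these to your own export. Two things the config above leaves open. First, a routing rule with action=lookup falls back to the main table when useWG has no matching route, so if the wg0 default route is ever disabled or lost, the VPN subnet quietly exits via vlan835; lookup-only-in-table plus a forward drop rule makes that path impossible regardless of routing state. Second, the input chain accepts port 53 from every LAN interface, so a Wi-Fi client that ignores the DHCP-supplied resolver can ask the router at 192.168.30.1, and the router's own upstream query to 1.1.1.1 is sourced from vlan835 and never matches the source-based rule; a dst-nat rewrite pins all client DNS to the resolver inside the tunnel. WireGuard is a Layer 3 interface, which is why the tunnel is routed to rather than added as a bridge port as in the first attempt.

```routeros
# Added example (hypothetical): fail-closed policy routing for the VPN VLAN.
# Names follow the thread: wg0, vlan835, wifi-vpn103, useWG, 172.26.31.94.

/routing table
add fib name=useWG

/ip route
# Default route that exists only in the VPN table. An interface gateway needs
# no peer address; the route goes inactive if wg0 is disabled.
add dst-address=0.0.0.0/0 gateway=wg0 routing-table=useWG comment="VPN clients"

/routing rule
# lookup-only-in-table: when useWG has no usable route the packet is dropped,
# instead of falling back to the main table and leaving via vlan835.
add src-address=192.168.30.0/24 action=lookup-only-in-table table=useWG comment="VPN VLAN: tunnel only"

/ip firewall filter
# Kill switch, independent of the routing state. Must sit ABOVE the generic
# "in-interface-list=LAN out-interface-list=WAN accept" forward rule.
add chain=forward src-address=192.168.30.0/24 out-interface-list=WAN action=drop comment="kill switch: VPN VLAN never exits via ISP"
add chain=forward src-address=192.168.30.0/24 out-interface=wg0 action=accept comment="VPN VLAN -> tunnel"

/ip firewall nat
# Rewrite whatever DNS destination a client picked (hard-coded 8.8.8.8, the
# router itself, ...) to the resolver inside the tunnel. dstnat runs before
# the routing decision, so the rewritten packet then matches the rule above.
add chain=dstnat in-interface=wifi-vpn103 protocol=udp dst-port=53 action=dst-nat to-addresses=172.26.31.94 comment="VPN VLAN: force tunnel DNS"
add chain=dstnat in-interface=wifi-vpn103 protocol=tcp dst-port=53 action=dst-nat to-addresses=172.26.31.94 comment="VPN VLAN: force tunnel DNS"
# Source becomes the tunnel address (10.49.0.6) so the server accepts it.
add chain=srcnat out-interface=wg0 action=masquerade comment="VPN VLAN: masquerade to tunnel address"

/ip firewall mangle
# Tunnel MTU is smaller than the VLAN MTU; clamp TCP MSS on outgoing SYNs.
add chain=forward out-interface=wg0 protocol=tcp tcp-flags=syn action=change-mss new-mss=clamp-to-pmtu passthrough=yes comment="MSS clamp for wg0"

# ---- verification, run on the router after applying the above ----
# 1. The tunnel is really up: last-handshake must be recent and rx/tx must grow.
/interface wireguard peers print detail
# 2. Rule and route exist and are active (no "I" flag on the route).
/routing rule print
/ip route print where routing-table=useWG
# 3. Traffic sourced from the VPN VLAN takes the tunnel: the first hop must be
#    the VPN server's tunnel address, not the ISP gateway on vlan835.
/tool traceroute 1.1.1.1 src-address=192.168.30.1
# 4. The kill switch should stay at zero in normal operation; climbing
#    counters mean the VPN subnet is trying to reach the ISP directly.
/ip firewall filter print stats where comment~"kill switch"
# 5. Simulate tunnel failure: Wi-Fi clients must lose connectivity, not leak.
/interface wireguard disable wg0
/interface wireguard enable wg0
```

Rule order matters in RouterOS: if the forum config is already loaded, insert the kill-switch drop with place-before= (or move it) so that it precedes the generic LAN-to-WAN accept, and put the dst-nat rules above the masquerade rules. As a client-side check, look up your public IP from a device on the MikroTik Wi-Fi; it must be the VPS address, and it must stop resolving altogether, rather than switching to the ISP address, while wg0 is disabled in step 5.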

I still have issues: the MT Wi-Fi clients are still routed through the main connection and not through the VPN.
The MT connects to the VPN server, and the MT Wi-Fi gets its own IP class.

There is something i’m still missing.

The current config is:

# nov/02/2023 22:00:43 by RouterOS 7.2.3
# software id = T9YC-IKJM
#
# model = RBD53iG-5HacD2HnD
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge vlan-filtering=yes

/interface wireguard 
add name=wg0 private-key="MYPRIVATEKEY" listen-port=51820 comment="configv3"

/ip address 
add address=10.49.0.6/32 interface=wg0 comment="configv3"

/interface vlan
add interface=bridge name=Home-vlan11 vlan-id=11
add interface=bridge name=wifi-vpn103 vlan-id=103
add interface=ether1 name=vlan835 vlan-id=835

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=wifi-profile5 supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys name=wifi-profile2 supplicant-identity="" unicast-ciphers=tkip,aes-ccm

/interface wireless
set [ find default-name=wlan1 ] country=italy ssid=MikroTik2 security-profile=wifi-profile2 mode=ap-bridge wireless-protocol=802.11 distance=indoors frequency=auto installation=indoor disabled=no
set [ find default-name=wlan2 ] country=italy ssid=MikroTik5 security-profile=wifi-profile5 mode=ap-bridge wireless-protocol=802.11 distance=indoors frequency=auto installation=indoor disabled=no band=5ghz-a/n/ac channel-width=20mhz 

/ip pool
add name=dhcp ranges=192.168.2.50-192.168.2.200
add name=dhcpvpn ranges=192.168.3.50-192.168.3.200

/ip dhcp-server
add address-pool=dhcp interface=Home-vlan11 name=defconf
add address-pool=dhcpvpn interface=wifi-vpn103 name=wlanvpn-server

/routing table
add fib name=useWG

/interface bridge port
# ether1 is WAN
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=11 comment="to dumb AP"
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=11 
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=11
# ether5 is for config
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wlan1 pvid=103 comment="vpn clients"
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wlan2 pvid=103

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4 vlan-ids=11
add bridge=bridge tagged=bridge untagged=wlan1,wlan2 vlan-ids=103

/interface list member
add comment=defconf interface=Home-vlan11 list=LAN
add interface=wifi-vpn103 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan835 list=WAN

/interface wireguard peers 
add allowed-address=0.0.0.0/0 endpoint-address=XX.XX.XX.XX endpoint-port=51820 public-key="MYPUBLICKEY" preshared-key="MYPUBLICKEY" interface=wg0 persistent-keepalive=30m  comment="configv3"

/ip address
add address=192.168.2.1/24 interface=Home-vlan11 network=192.168.2.0 comment=defconf
add address=192.168.3.1/24 interface=wifi-vpn103 network=192.168.3.0
add address=10.49.0.6 interface=wg0 network=10.49.0.6 comment=configv3

/ip dhcp-client
add interface=vlan835 comment=confv2

/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1 comment=defconf
add address=192.168.3.0/24 dns-server=172.26.31.94 gateway=192.168.3.1 comment="use VPN dns server info"

/ip dns
set allow-remote-requests=yes servers=1.1.1.1

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for Router functionality)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access" src-address-list=Authorized
add action=accept chain=input comment="user access to router services" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="user access to router services" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="confv2: drop everything not permitted"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="confv2: allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="confv2: allow dst-nat from both WAN and LAN (including port forwarding)" connection-nat-state=dstnat
add action=accept chain=forward out-interface=wg0 src-address=192.168.3.0/24
add action=drop chain=forward comment="confv2: drop everything else"

/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wg0 passthrough=yes protocol=tcp tcp-flags=syn

/ip firewall nat
add action=masquerade chain=srcnat comment="configv2: masquerade" out-interface=vlan835
add action=masquerade chain=srcnat out-interface=wg0

/ip route
add dst-address=0.0.0.0/0 gateway=wg0 routing-table=useWG

/routing rule
add action=lookup src-address=192.168.3.0/24 table=useWG

/system clock
set time-zone-name=Europe/Rome

/tool mac-server mac-winbox
set allowed-interface-list=LAN

(1) /ip address
add address=10.49.0.6/32 interface=wg0 comment="configv3"

TO
/ip address
add address=10.49.0.6/24 interface=wg0 comment="configv3"

(2) REMEMBER ALL WLAN1 and WLAN2 users will go out VPN as they are in the same subnet.

(3) Also should fix that IP address in the config… why you snip it out separately argg.
add address=10.49.0.6/24 interface=wg0 network=10.49.0.6 comment=configv3

(4) Assuming this is the 3rd party DNS provided…
172.26.31.94

+++++++++++++++++++++++++++++++++++

Yup, looks good; just change the IP address of the WireGuard interface and it should work…
The only other thing is the keys: double-check those… I am assuming they gave you a private key you should have inserted into the WireGuard interface when creating it, and that you properly inserted the public key they gave you into the peer settings…

Okay, going over the post again I found this as a potential issue…

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=XX.XX.XX.XX endpoint-port=51820 public-key="MYPUBLICKEY" preshared-key="MYPUBLICKEY" interface=wg0 persistent-keepalive=30m comment="configv3"

We don't use preshared keys and I doubt very much the PROVIDER gave you one to use???

The issue was in this line; I’ve added the /24 in the address and modified the network to 10.49.0.0 like the others.


The preshared key may actually not be used, but it is present in the generated config file. I actually am the provider: I have a VPS and an Ansible script that does all the configuration needed to spin up a WireGuard server, and it generates the config files needed. I usually install the WireGuard client on the PC/smartphone and import the configuration file.

Thank you very much for your time anav, I couldn’t have done this without your help!