Help with setting up WireGuard on a single port

Hi. I’m trying to set up my hAP router so that the ether2-4 ports and all WiFi networks work as usual, but ether5 routes its traffic via WireGuard (to connect a device that is not capable of using a VPN by itself). I thought about something like this:

  1. Creating separate bridge (I named it bridge-wg);
  2. Connect the ether5 port to this bridge;
  3. Route traffic from this bridge to the WireGuard connection.

So basically something like ether5 → bridge-wg → wireguard-connection → WAN. I am also connected to the ISP via WiFi (so wlan1 is set to station mode, but that is probably irrelevant).

After reading multiple articles and forum threads I was able to set it up, so a simple request to a service that returns my IP address gives me this:

$ curl --interface enp87s0u1 2ip.ru
65.109.XXX.YYY   # IP address of my WireGuard server in Hetzner

$ curl --interface wlp0s20f3 2ip.ru
78.109.72.75     # Same as when connected directly to the ISP router

But besides that, most of the requests fail with a timeout (both via curl and browser). After a long time some of them load, but mostly not. If I disable the routing table created to force traffic into the WireGuard connection (so it becomes ether5 → bridge-wg → WAN), everything works fine.

The VPN server itself works fine; I use it with multiple devices and have no problems.

Another interesting thing: if I additionally enable the same WireGuard connection on my laptop (on top of everything above), everything works perfectly.

Unfortunately I was not able to understand what could be wrong or how to debug this.

My configuration:
# jul/02/2023 19:06:04 by RouterOS 7.1.1
# software id = BVAZ-T5VF
#
# model = RBD52G-5HacD2HnD
# serial number = D7160C140BE1
/interface bridge
add admin-mac=48:8F:5A:80:1E:16 auto-mac=no comment=defconf name=bridge
add comment="Internet through remote WireGuard server" name=bridge-wg
/interface wireguard
add comment="Internet through remote WireGuard server" listen-port=13231 mtu=\
    1420 name=flowneee-wg
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk comment="Internet through WiFi" mode=\
    dynamic-keys name=wifi_in supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=internal \
    supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n comment=\
    "Internet through WiFi (set as station, WiFi client)" country=armenia \
    disabled=no distance=indoors installation=indoor security-profile=\
    wifi_in ssid=<ISP_wifi_name> wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=armenia disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge security-profile=internal ssid=\
    mtk-5 wireless-protocol=802.11
add disabled=no mac-address=4A:8F:5A:80:1E:1A master-interface=wlan1 name=\
    wlan3 security-profile=internal ssid=mtk-2.4 wds-default-bridge=bridge \
    wps-mode=disabled
/interface wireless nstreme
set wlan1 comment="Internet through WiFi (set as station, WiFi client)"
/interface wireless manual-tx-power-table
set wlan1 comment="Internet through WiFi (set as station, WiFi client)"
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add comment="Internet through remote WireGuard server" name=dhcp-wg-pool \
    ranges=192.168.90.10-192.168.90.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=dhcp-wg-pool comment=\
    "Internet through remote WireGuard server" interface=bridge-wg name=\
    dhcp-wg
/routing table
add comment="Internet through remote WireGuard server" disabled=yes fib name=\
    wg
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge-wg comment="Internet through remote WireGuard server" \
    interface=ether5
add bridge=bridge comment=\
    "Internet through WiFi (disable due to used as WiFi client)" disabled=yes \
    interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="Internet through remote WireGuard server" interface=bridge-wg \
    list=LAN
add comment="Internet through WiFi" interface=wlan1 list=WAN
add comment="Internet through remote WireGuard server" interface=flowneee-wg \
    list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 endpoint-address=65.109.XXX.YYY \
    endpoint-port=1750 interface=flowneee-wg persistent-keepalive=40s \
    public-key="<public-key>"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.90.1/24 interface=bridge-wg network=192.168.90.0
add address=10.200.200.8 comment="Internet through remote WireGuard server" \
    interface=flowneee-wg network=10.200.200.0
add comment=defconf interface=ether1
add comment="Internet through WiFi" interface=wlan1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
add address=192.168.90.0/24 dns-server=192.168.90.1 gateway=192.168.90.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=\
    "Internet through remote WireGuard server" in-interface=bridge-wg \
    out-interface=flowneee-wg
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add comment="Internet through remote WireGuard server" dst-address=0.0.0.0/0 \
    gateway=flowneee-wg routing-table=wg
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing rule
add action=lookup comment="Internet through remote WireGuard server" \
    disabled=no dst-address=0.0.0.0/0 src-address=192.168.90.0/24 table=wg
/system clock
set time-zone-name=Asia/Yerevan
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

(1) No need for a separate bridge. Get rid of it and the bridge entry for ether5 in /interface bridge ports and interface member…


(2) You have already created a separate subnet for these users, so simply assign it to interface ether5.
/ip address
add address=192.168.90.1/24 interface=ether5 network=192.168.90.0
/ip dhcp-server
add address-pool=dhcp-wg-pool comment="Internet through remote WireGuard server" interface=ether5 name=dhcp-wg

(3) You already have a table; ensure you ENABLE IT!
/routing table
add fib name=WG

(4) You already have the routing rule BUT IT'S WRONG. USE THIS!!
/routing rule
add action=lookup src-address=192.168.90.0/24 table=WG

(5) You already have the additional route required.
/ip route
add dst-address=0.0.0.0/0 gateway=flowneee-wg routing-table=WG

(6) FIX THE IP ADDRESS for WireGuard; it should be:
/ip address
add address=10.200.200.8/24 comment="Internet through remote WireGuard server" interface=flowneee-wg network=10.200.200.0

(7) Forward chain firewall rules: OK, this rule should go after the default rule for invalid traffic, not before it.
However, I have a question: WHY is this rule here??
add action=accept chain=forward comment="Internet through remote WireGuard server" in-interface=bridge-wg out-interface=flowneee-wg
The traffic should already be permitted, as you have nothing blocking such traffic in the ruleset.
The only thing you block in the forward chain is WAN to LAN traffic that is not port forwarding??

Recommended: for better granular control and to only allow needed traffic, it is much better to use this setup.

/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="WG traffic" in-interface=ether5 out-interface=flowneee-wg
# disable or remove the next rule if port forwarding is not required
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

Cannot comment on some parts as it's not clear if the WG is going to a third-party provider or what ???
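The reply's points (1) to (7), applied to the poster's export as one RouterOS v7 script. This is an added example written for this page, not code from either participant; it reuses the names in the export (ether5, flowneee-wg, the wg table, dhcp-wg-pool, dhcp-wg) and keeps the reply's action=lookup rule. One caveat that neither post mentions: with action=lookup, RouterOS falls back to the main table when the route in the wg table is inactive, so if the tunnel goes down, ether5 traffic leaves unencrypted via the ISP path. action=lookup-only-in-table prevents that, but then destinations that only exist in main (192.168.88.0/24 and the router's own addresses) need an earlier rule that sends them to table main.

```routeros
# Added example, not from the thread: the reply's fixes as a single script
# against the export above. Run on the router after taking a backup.

# (1)+(2): drop bridge-wg and put 192.168.90.0/24 directly on ether5.
# Remove the objects that reference the bridge first, then the bridge.
/ip dhcp-server remove [find name=dhcp-wg]
/ip address remove [find interface=bridge-wg]
/interface list member remove [find interface=bridge-wg]
/interface bridge port remove [find interface=ether5]
/interface bridge remove [find name=bridge-wg]

# ether5 must be in LAN, or the input chain drops its DNS/DHCP requests
/interface list member add interface=ether5 list=LAN
/ip address add address=192.168.90.1/24 interface=ether5 network=192.168.90.0
/ip dhcp-server add address-pool=dhcp-wg-pool interface=ether5 name=dhcp-wg \
    comment="Internet through remote WireGuard server"

# (6): tunnel address with its prefix length (the export had a bare host address)
/ip address set [find interface=flowneee-wg] address=10.200.200.8/24

# (3): the table exists in the export but is disabled
/routing table set [find name=wg] disabled=no

# (5): the default route inside table wg is already present; nothing to add.

# (4): replace the rule so it matches on source subnet only, without
# dst-address=0.0.0.0/0
/routing rule remove [find table=wg]
/routing rule add action=lookup src-address=192.168.90.0/24 table=wg \
    comment="Internet through remote WireGuard server"

# (7): forward chain. Remove the misplaced accept and the default
# "drop all from WAN" rule, then append the explicit allow list ending in a drop.
# Appending puts these after "defconf: drop invalid", which is where the reply
# wants them.
/ip firewall filter
remove [find chain=forward comment="Internet through remote WireGuard server"]
remove [find chain=forward comment="defconf: drop all from WAN not DSTNATed"]
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="WG traffic" \
    in-interface=ether5 out-interface=flowneee-wg
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
```

The existing masquerade rule (out-interface-list=WAN) already covers flowneee-wg, since the export puts that interface in the WAN list, so traffic leaving the tunnel is source-NATed to 10.200.200.8 without further changes. After applying, check with /routing rule print and /ip route print where routing-table=wg that the rule is active and the route is marked active (A) while the tunnel is up.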