How can I allow remote computer to view / access all devices via WireGuard

I have a very stable setup. I connect to my local LAN using WireGuard available on ROS7.

I would like one particular remote computer that currently connects using WireGuard to be able to view all the resources on the network. These could be shares, other computers - likewise any shares on it would be visible on other computers.

The need is to treat the remote computer as if it where on the local LAN.

Can I do this? My router is the hAP ax³.

Yes, of course.
It depends on your firewall rules.
If it's the only remote device and you don't have others that shouldn't have access:

ALLOW INCOMING WG INTERFACE TO LAN INTERFACE LIST
ALLOW LAN INTERFACE LIST OUT WG INTERFACE

If you have several other remote devices that should not have such access, then:

ALLOW INCOMING WG INTERFACE SRC-ADD=REMOTE WG IP  TO LAN INTERFACE LIST
ALLOW LAN INTERFACE LIST OUT WG INTERFACE DST-ADD=REMOTE DEVICE WG IP
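The two cases above written out as RouterOS 7 firewall rules; this is an added example, not the poster's own configuration. It assumes the WireGuard interface is named HOMENET-WireGuard with subnet 192.168.66.0/24, the LAN VLAN interface is SOHO_VLAN with subnet 192.168.16.0/24, and the one trusted peer is 192.168.66.7. Both directions go in the forward chain, because out-interface can only be matched there.

```routeros
# Added example, not from the thread. Assumed names: WireGuard interface
# HOMENET-WireGuard (192.168.66.0/24), LAN VLAN interface SOHO_VLAN
# (192.168.16.0/24), trusted peer 192.168.66.7.
/ip firewall address-list
add address=192.168.66.7 list=WG_TRUSTED comment="peer allowed to act like a LAN host"

/ip firewall filter
# return traffic of already accepted connections, in either direction
add chain=forward action=accept connection-state=established,related \
    comment="defconf: accept established,related"

# Case 1: every WireGuard peer may reach the LAN and the LAN may reach every peer.
# Left disabled here so that Case 2 below is what takes effect; enable one or the other.
add chain=forward action=accept in-interface=HOMENET-WireGuard \
    out-interface=SOHO_VLAN dst-address=192.168.16.0/24 \
    comment="case 1: any wg peer -> LAN" disabled=yes
add chain=forward action=accept in-interface=SOHO_VLAN \
    out-interface=HOMENET-WireGuard dst-address=192.168.66.0/24 \
    comment="case 1: LAN -> any wg peer" disabled=yes

# Case 2: only the trusted peer gets LAN access; other peers stay isolated.
add chain=forward action=accept in-interface=HOMENET-WireGuard \
    src-address-list=WG_TRUSTED out-interface=SOHO_VLAN \
    dst-address=192.168.16.0/24 comment="case 2: trusted peer -> LAN"
add chain=forward action=accept in-interface=SOHO_VLAN \
    out-interface=HOMENET-WireGuard dst-address-list=WG_TRUSTED \
    comment="case 2: LAN -> trusted peer"

# everything else in forward is dropped; this must stay the LAST rule
add chain=forward action=drop comment="drop all else"
```

On a router that already has a forward drop rule, move the new accept rules above it (drag in Winbox, or use place-before= on add), since RouterOS evaluates rules top down. The remote client's own WireGuard AllowedIPs must also include 192.168.16.0/24, or its LAN-bound traffic never enters the tunnel.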

I tried adding the following but got an error: “Couldn’t add New Firewall Rule - outgoing interface matching not possible in input and prerouting chains (6)”

My local lan is 192.168.16.0/24 (SOHO_VLAN) VLAN_ID=10

The WireGuard remote devices are assigned 192.168.66.0/24 IP addresses.

Today from a remote device I can ping a device on my local LAN, but pinging the 192.168.66.x IP address of the remote device does not work.

More than happy to share the router config if it helps.

Yes, the config is necessary to see:
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys, DHCP lease lists)

ax3.rsc (12.8 KB)

I’ve been doing some research on the topic and I’m going to parrot some information I gathered.

In order to be able to see the network neighbourhood one needs to operate at Layer 2. WireGuard operates at Layer 3. To operate at Layer 2 one would have to use OpenVPN.

I know that MikroTik supports OpenVPN because I used it two MikroTik routers back.

While I would prefer to have one solution (WireGuard), would OpenVPN take me in the desired direction of having a remote computer appear to be on the lan described in this configuration?

Furthermore, can WireGuard and OpenVPN co-exist? Also, could I configure OpenVPN on MikroTik to forward traffic on VLAN 10?

Thanks

Don't need OVPN; all can be done with WG and firewall rules and a good config.

  1. If you look at your config you have some places where the router is telling you there are problems, like:
     /interface bridge vlan
     add bridge=BR1 tagged=BR1 untagged=ether3,ether4,ether5,wlan-SOHO-5G,wlan-SOHO-2G,ether2 vlan-ids=10*
     add bridge=BR1 tagged=BR1,ether2 untagged=*E,*10 vlan-ids=20

Should be:

/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,ether4,ether5,wlan-SOHO-5G,\
    wlan-SOHO-2G vlan-ids=10
add bridge=BR1 tagged=BR1,ether2 untagged=wlan-GUEST-5G,\
    wlan-GUEST-2G vlan-ids=20
  2. This rule often causes issues and should be set to NONE.
     /interface detect-internet
     set detect-interface-list=all

  3. If you want your WireGuard connection, when accessing the router as admin, to be able to access the router for config purposes, you need to add the WireGuard interface to the BASE interface list!! Assuming you have at least some WireGuard users that do not need access to the router for config purposes, we will deal with that in the input chain rules with a firewall address list.

/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=SOHO_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=HOMENET-WireGuard list=VLAN
+++++++++++++++++++++++++++++++++
add interface=SOHO_VLAN list=BASE
add interface=HOMENET-WireGuard list=BASE

  4. Remove the persistent keepalive on the client peer settings for ROAMING:
     add allowed-address=192.168.66.7/32 comment="Roaming Profile" interface=HOMENET-WireGuard name=Roaming persistent-keepalive=25s public-key="BHm2Gk="

  5. Looking at your current firewall address list, are you stating all the WireGuard devices connecting are admin devices??

  6. Firewall review, changes only shown:

/ip firewall filter
....
add action=accept chain=input comment="admin access" in-interface-list=BASE \
    src-address-list=AUTHORIZED
....
add action=accept chain=forward comment="authorized to all" in-interface-list=BASE \
    src-address-list=AUTHORIZED dst-address=192.168.16.0/24

The last rule there replaces the one you currently have.

  7. In your dstnat rules it is not clear to me what is the dst-address you are referring to?
     You have not created a firewall address list entry for your WAN IP, so I will assume it is probably a mynetname IP Cloud address?
     In any case you need to create a resolving firewall address list:
     /ip firewall address-list
     add address=URL list=MyWAN

and all the rules should NOT show dst-address=aa.bb.cc.dd
BUT should show dst-address-list=MyWAN

The way you have put it so far indicates you have a static fixed WAN IP, but clearly, given that you have IP DHCP Client selected and no IP address line for WAN, the WAN IP seems to be a dynamic one.

  8. The other fundamental error you are making is MIXING UP ROUTER SERVICES with LAN SERVERS.
     I see you have forwarded port 22 to a LAN device, BUT then you assign SSH addresses under IP service.

You need to be consistent. If using the router SSH service then get rid of the dstnat rules, but if you are running SSH on your own LAN server then get rid of IP services for SSH.
SAME for WWW. I suspect this is the case because WWW on the router is not a secure access method and is generally not recommended.

  9. For Winbox access I recommend just stating the subnets; the granularity is only needed on input chain rules.

  10. If IPv6 is not needed, disable it in IPv6 settings and then get rid of all IPv6 address lists and firewall rules save two:
      /ipv6 firewall filter
      add chain=input action=drop
      add chain=forward action=drop

++++++++++++++++++++++++++++++++++++++++++++++++++

In summary, I cannot see any one thing that is clearly the problem; the rules, although not what I would put, don't necessarily prevent the connectivity you are looking for. Let's clean up what you have, give it another go, and then we can proceed from there.

ax3-v2.rsc (13.8 KB)

I implemented the changes you suggested - thank you.

Can you please review whether I understood your point 6.

Firewall Review changes only shown:

/ip firewall filter
....
add action=accept chain=input comment="admin access" in-interface-list=BASE \
    src-address-list=AUTHORIZED
....
add action=accept chain=forward comment="authorized to all" in-interface-list=BASE \
    src-address-list=AUTHORIZED dst-address=192.168.16.0/24
The last rule there replaces the one you currently have.

I would appreciate it if you could have a look at the IPv6 rules. I disabled everything except the last two.

Regarding points 8 and 9 I completely lost you. Can you please elaborate.

Thanks

Good morning.
Reviewing the new config.......

  1. Something I didn't mention the first go around, as I don't use PPP, but you seem to have some errors there.........
     /ppp profile
     set *0 use-upnp=no
     set *FFFFFFFE use-upnp=no

What are you attempting to do here, as those do not look like default settings???

  2. So far so good; if you have added the actual WireGuard IPs that belong to the admin, who would be configuring the router itself, you no longer need the first entry in the firewall address list as it is too encompassing.......
     Remove: add address=192.168.66.0/24 comment="Wireguard Connection" list=AUTHORIZED

  3. Please confirm that aa.bb.cc.dd is not a fixed WAN IP but simply represents a URL that points to an IP. For example, when I use the IP Cloud URL, I put mynetname.net list=WANIP to make it clear to the reader.

  4. You only need the first rule, not the second one!!
     add action=accept chain=input comment="admin access" in-interface-list=BASE src-address-list=AUTHORIZED
     add action=accept chain=input comment="admin access" src-address-list=AUTHORIZED

  5. Ensure you remove the unnecessary bit on this rule!!!
     add action=accept chain=input comment="users to services" dst-address-list="" dst-port=53 in-interface-list=VLAN protocol=tcp

  6. Missing one default rule that I would put in on the input chain, after the ICMP rule......
     add chain=input action=accept dst-address=127.0.0.1

  7. I am not sure why you keep two rules when I explicitly state to replace; in any case YOU pick which rule you want to keep.

If you want ALL the WireGuard users to be able to access the LAN on your router, which I believe is the intent, then use:

add action=accept chain=forward comment="wg to soho" dst-address=\
    192.168.16.0/24 in-interface=HOMENET-WireGuard

If you want only the WireGuard folks on your authorized list to access the LAN, then:

add action=accept chain=forward comment="wg to soho" dst-address=\
    192.168.16.0/24 in-interface=HOMENET-WireGuard src-address-list=AUTHORIZED

Also the drop rule should be the last rule in the chain!!

  8. Your config shows all the IPv6 lists which I recommended to remove and still contains all the IPv6 rules ????????????

++++++++++++++++++++++++++++++++++++++++++++

In reply to "didn't understand"........
The router can also provide/host services like www and SSH.
If you choose to use such services, then you would put ACCEPT rules in the INPUT chain (which is to the router). If you have such services on LAN devices behind the router, then you would use port forwarding rules.

What I see is that you have attempted to do both, hence a conflict.
a. you have port forwarding rules for ports 22 and
b. you have SSH enabled on IP Services ( aka the router )

Which is the true case.......... I suspect you are running an SSH server on your LAN, and if so just disable SSH on the router. If you want to do both, change the default SSH port on the ROUTER to 22,202 etc. and ensure you have an input chain rule for it.

As an aside, I see you have www enabled as well for the router, which means you have potentially opened your router to be hacked. One should not, in general, have any services enabled that are not encrypted.
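The separation described above (router-hosted services vs. a port-forwarded LAN server, with a resolving address list for a dynamic WAN IP) as an added RouterOS 7 example; this is not the poster's config. It assumes a LAN SSH server at 192.168.16.10, WAN on ether1, the BASE interface list and AUTHORIZED address list already named in the thread, router SSH moved to port 2222, and a placeholder IP Cloud DNS name.

```routeros
# Added example, not from the thread. Assumed values: LAN SSH server
# 192.168.16.10, WAN interface ether1, placeholder IP Cloud name
# <serial>.sn.mynetname.net, LAN 192.168.16.0/24, WireGuard 192.168.66.0/24.

# 1. A resolving address list for a dynamic WAN IP: RouterOS re-resolves the
#    DNS name, so dstnat rules keep matching after the public IP changes.
/ip cloud set ddns-enabled=yes
/ip firewall address-list
add address=<serial>.sn.mynetname.net list=MyWAN comment="resolves to current WAN IP"

# 2. Port 22 belongs to the LAN server: forward it by dst-address-list,
#    not a hard-coded dst-address, and do not also run router SSH on 22.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface=ether1 dst-address-list=MyWAN \
    protocol=tcp dst-port=22 to-addresses=192.168.16.10 to-ports=22 \
    comment="public :22 -> LAN ssh server"

# 3. Router-hosted services: keep only encrypted ones, bind them to the
#    management subnets, and move router SSH off 22 so it cannot collide
#    with the forwarded port.
/ip service
set www disabled=yes
set ftp disabled=yes
set telnet disabled=yes
set api disabled=yes
set ssh port=2222 address=192.168.16.0/24,192.168.66.0/24
set winbox address=192.168.16.0/24,192.168.66.0/24

# 4. Matching filter rules: router SSH is an INPUT-chain accept (admins only,
#    placed above the input drop); the forwarded :22 needs a FORWARD-chain
#    accept for dst-natted connections instead.
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=2222 \
    in-interface-list=BASE src-address-list=AUTHORIZED \
    comment="router ssh (admins only)"
add chain=forward action=accept connection-nat-state=dstnat \
    in-interface=ether1 protocol=tcp dst-port=22 comment="allow forwarded ssh"
```

Both accept rules must sit above the respective chain's final drop rule, since RouterOS stops at the first match.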

ax3.rsc (14.1 KB)

I had to redo the last session. I made a change and I could not access any website. I had a backup so I could recover.

I really appreciate your interest.

I believe that I covered all the points you listed. I set up a WireGuard device. How could I access it from my local LAN, please?

  1. As always, when I lose track of a thread: ensure you actually have a public IP.

  2. What is the point of adding arp=proxy-arp to vlan10? I ask because I don't know and because it's different from what I do and WireGuard works LOL.

  3. You still haven't explained why we are seeing the *0 and *FFFFFFFFFE in the ppp profile. On my routers this doesn't even come up as a default setting???

  4. Why is a warning about IPv6 and rebooting still in your config............and why is it smack dab in the middle of the IP neighbor discovery settings??

/ip neighbor discovery-settings
# ipv6 neighbor configuration has changed, please restart the device in order to apply the new settings
set discover-interface-list=BASE

Suggest you reboot to get rid of it, and also it may just kick the router into working properly!!!

  5. You still have IPv6 lists and firewall rules to remove.....

Summary: I don't see anything preventing success... hopefully the system reboot works.

It is difficult to manage others' configuration. Like playing chess against multiple people at the same time.

  1. I have a fixed IP address.
  2. I do not recall why arp was set to proxy-arp. I changed it to enabled.
  3. I cannot explain these values. Below are screen settings of the ppp section through Winbox.

Router rebooted.

  4. I can access devices from a WireGuard device without problems. Would I need an /ip firewall entry to allow traffic from local devices to the remote WireGuard device (192.168.66.7)? My reasoning is that this will allow me to see resources on the remote device.

ax3v4.rsc (11.3 KB)

Thanks