isolate and route vlan through gateway-wireguard only

(1) Comment doesn't match the config line?? You are confused!! Make up your mind,
/interface bridge port
add bridge=bridge comment="Trunk all VLANs to RB4011" frame-types=admit-only-vlan-tagged interface=ether2 pvid=89

PVID is used for an access port going to a dumb device or a hybrid port.
Admit only vlan tagged means a trunk port only going to a smart device, all tagged.
PVID is also used for a hybrid port scenario, one untagged and one or more tagged, but in this case frame-types is ADMIT ALL.

So based on the diagram it should be as follows.
/interface bridge port
add bridge=bridge comment="Trunk all VLANs to RB4011" frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2

(2) Would add ingress-filtering=yes for all except ether5.

(3) Diagram missing wifi2

(4) Missing wifi2 here…
add bridge=bridge comment="tag eth2, untag eth4, eth5, wifi1" tagged=bridge,ether2 untagged=ether4,ether5,wifi1,wifi2 vlan-ids=89

(5) Wireguard IP address structure wrong.
From:
add address=10.120.30.55 comment="wireguard50 interface address" interface=wireguard50 network=10.120.30**.55**
add address=10.140.35.150 comment="wireguard51 interface address" interface=wireguard51 network=10.140.35.1.50

TO:
add address=10.120.30.55**/24** comment="wireguard50 interface address" interface=wireguard50 network=10.120.30.0
add address=10.140.35.150**/24** comment="wireguard51 interface address" interface=wireguard51 network=10.140.35.0

(6) Still require a server so that the initial query to doh can be found by router…
/ip dns
set allow-remote-requests=yes server=1.1.1.2 use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes

(7) Could consider
/interface list
add name=LOCAL-WAN

/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=homeVLAN89 list=LAN
add interface=wgVLAN50 list=LAN
add interface=wgVLAN51 list=LAN
add interface=IoTVLAN90 list=LAN
add interface=homeVLAN89 list=LOCAL-WAN
add interface=IoTVLAN90 list=LOCAL-WAN

FROM:
add action=accept chain=forward comment="allow all from Home LAN to WAN" in-interface=homeVLAN89 out-interface-list=WAN
add action=accept chain=forward comment="allow all from IoT LAN to WAN" in-interface=IoTVLAN90 out-interface-list=WAN

TO:
add action=accept chain=forward comment="traffic through local wan" in-interface-list=LOCAL-WAN out-interface-list=WAN

(8) You keep forgetting to remove this rule… NOT required.
you have a proper port forwarding rule two rules above this one and you have the drop rule right after. GET RID OF IT!!!

add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed (DISABLED)" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
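As an added example (not from this thread or from MikroTik), here is a small Python linter that applies points (1), (2), (5) and (8) above to a RouterOS 7 export. The sample export is constructed, and the checks assume the v7 export behaviour that omitted frame-types and ingress-filtering mean the defaults admit-all and yes.

```python
import ipaddress
import re
# Constructed sample export in the thread's layout (not the OP's real export).
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge comment="Trunk all VLANs to RB4011" frame-types=admit-only-vlan-tagged interface=ether2 pvid=89
add bridge=bridge comment="access port for VLAN89 Home" frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=ether4 pvid=89
add bridge=bridge comment="Hybrid, native VLAN89, tagged VLAN51" ingress-filtering=no interface=ether5 pvid=89
/ip address
add address=10.120.30.55 comment="wireguard50 interface address" interface=wireguard50 network=10.120.30.55
add address=10.140.35.150/24 comment="wireguard51 interface address" interface=wireguard51 network=10.140.35.0
/ip firewall filter
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed (DISABLED)" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
"""
KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def parse_export(text):
    """Group each 'add ...' line under its menu path as a dict (quotes stripped)."""
    sections, path = {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            path = line.strip()
            sections.setdefault(path, [])
        elif line.startswith("add ") and path is not None:
            sections[path].append({k: v.strip('"') for k, v in KV.findall(line[4:])})
    return sections

def lint(text):
    """One finding per issue the review raised; returns a list of strings."""
    cfg, out = parse_export(text), []
    for p in cfg.get("/interface bridge port", []):
        # RouterOS 7 export omits defaults: frame-types=admit-all, ingress-filtering=yes.
        ftypes = p.get("frame-types", "admit-all")
        if ftypes == "admit-only-vlan-tagged" and "pvid" in p:
            out.append(f"{p['interface']}: pvid has no effect on a tagged-only trunk, drop it")
        if p.get("ingress-filtering", "yes") == "no" and ftypes != "admit-all":
            out.append(f"{p['interface']}: ingress-filtering=no on a non-hybrid port, set it to yes")
    for a in cfg.get("/ip address", []):
        if "/" not in a["address"]:
            out.append(f"{a['interface']}: {a['address']} has no prefix length, so it is a /32")
        elif a.get("network") != (net := str(ipaddress.ip_interface(a["address"]).network.network_address)):
            out.append(f"{a['interface']}: network= should be {net}, not {a.get('network')}")
    for r in cfg.get("/ip firewall filter", []):
        if r.get("disabled") == "yes":
            out.append(f"filter rule '{r.get('comment', '?')}' is disabled; delete it or re-enable it")
    return out

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_EXPORT)))
```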

yeah you’re right, I noticed I can ping all vlan gateways… Understood, thanks for explanation and reassurance.

Interesting - the RouterOS export doesn't show the parameters ingress-filtering= and frame-types= when they're set to yes and admit-all respectively. Maybe this has changed in a recent RouterOS version?

For example, I tested with interface=wifi2:

[admin@MikroTik] /interface/bridge/port> add bridge=bridge comment="wifi 2.4GHz radio disabled" frame-types=admit-all ingress-filtering=yes interface=wifi2 pvid=89

[admin@MikroTik] /interface/bridge/port> export
# RouterOS 7.8
/interface bridge port
add bridge=bridge comment="Trunk all VLANs to RB4011" frame-types=admit-only-vlan-tagged interface=ether2 pvid=89
add bridge=bridge comment="access port for VLAN50" frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=50
add bridge=bridge comment="access port for VLAN89 Home" frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=89
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=89
add bridge=bridge comment="Hybrid, native VLAN89, tagged VLAN51" ingress-filtering=no interface=ether5 pvid=89
add bridge=bridge comment="wifi3 for VLAN50" frame-types=admit-only-untagged-and-priority-tagged interface=wifi3-wgLAN50 pvid=50
add bridge=bridge comment="wifi4 for IoT devices VLAN90" frame-types=admit-only-untagged-and-priority-tagged interface=wifi4-IoTLAN90 pvid=90
add bridge=bridge comment="wifi 2.4GHz radio disabled" interface=wifi2 pvid=89

Regarding ether2 trunk port with PVID 89, does it matter since frame-types=admit-only-vlan-tagged ? I also noticed if PVID isn’t defined, RouterOS sets it to PVID 1 by default anyway… Thinking I might set the PVID to a random VLAN ID that doesn’t exist at all…?

(2) Would add ingress-filtering=yes for all except ether5.

As shown above, ingress-filtering= defaults to yes, but I have now turned it off for the ether5 hybrid port as you suggested, thanks.

(3) Diagram missing wifi2

(4) Missing wifi2 here…
add bridge=bridge comment="tag eth2, untag eth4, eth5, wifi1" tagged=bridge,ether2 untagged=ether4,ether5,wifi1,wifi2 vlan-ids=89

Had disabled the 2.4GHz wifi2 radio interface, will remove altogether to keep things tidy :wink:

(5) Wireguard IP address structure wrong.
From:
add address=10.120.30.55 comment="wireguard50 interface address" interface=wireguard50 network=10.120.30.55
add address=10.140.35.150 comment="wireguard51 interface address" interface=wireguard51 network=10.140.35.1.150

TO:
add address=10.120.30.55/24 comment="wireguard50 interface address" interface=wireguard50 network=10.120.30.0
add address=10.140.35.150/24 comment="wireguard51 interface address" interface=wireguard51 network=10.140.35.0

the single /32 IP address for each wireguard peer address seems to be working okay - is there any benefit to assigning a wider network, best practice etc?

(6) Still require a server so that the initial query to doh can be found by router…
/ip dns
set allow-remote-requests=yes server=1.1.1.2 use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes

Had a play with this and it seems to work okay using the 1.1.1.1 DoH server without any additional lookup… I guess because the address is an IP already? Plus the certificate includes 1.1.1.1 as a legit address.

(8) You keep forgetting to remove this rule… NOT required.
you have a proper port forwarding rule two rules above this one and you have the drop rule right after. GET RID OF IT!!!

add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed (DISABLED)" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN

Had it disabled, but have now deleted it altogether to tidy things up :slight_smile: