Isolating one ethernet port from Wireguard VPN

Hello,
I have a working wireguard configuration with the settings:

(wireguard1 interface created with my specific keys)
ip routes add dest:0.0.0.0/0 gateway:%wireguard1
ip routes add dest:VPN Endpoint IP, gateway: ISP Gateway IP
firewall NAT add Out.interface:wireguard1 action:masquerade
DHCP client defconf > add default route NO

All traffic from wlan and ether2-5 go through the VPN tunnel to ether1 (cable to ISP) and it works fine, but I want to isolate one port (for example ether5) so that anything plugged into that port will NOT use the VPN but access the internet normally through the ISP, and I want to be able to port forward a small http server onto that computer on ether5. I can use a static IP for that computer. I understand what my current configuration does except for the masquerade, and I don’t understand how I’d modify that for my needs. I know how to do the port forward starting from default settings and I know I can host the server because I have a static IP from my ISP. Is this a stupid idea or somehow a fundamentally flawed idea?

Thank you

First

  • Are you connecting to a third party VPN provider??
  • does ISP provide a public WANIP on WAN2 ( static or dynamic )

Second require config:
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc..)

Thanks for the reply
I am using a paid Wireguard VPN service and it currently works
I have a public static IP from my ISP and I know from previous testing I can host a server and it can be accessed by other people (after I do the port forwarding)

Here is the config exported

# jun/03/2024 19:29:37 by RouterOS 7.9.2
# model = RB952Ui-5ac2nD
/interface bridge
add admin-mac=48:8F:5A:15:F7:1B auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=finland disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=____ wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=finland disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid=__ wireless-protocol=\
    802.11
# wireguard1 is created here but is never added to an interface list (see
# /interface list member below), so none of the defconf LAN/WAN firewall
# rules classify tunnel traffic.
/interface wireguard
add listen-port=_____ mtu=____ name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Both wpa-psk (legacy WPA1) and wpa2-psk are accepted on the default
# profile; wpa-psk is only needed for very old clients and allows a
# downgrade to the weaker mode. Consider authentication-types=wpa2-psk alone.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
# Factory hotspot profile; no hotspot server is configured in this export.
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
# ether5 is not a bridge port and has no address in this export, so it
# cannot yet serve as the isolated port the thread is about.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
# Only bridge is LAN and only ether1 is WAN; wireguard1 is in neither list,
# which matters for every rule below that matches on in/out-interface-list.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# allowed-address=0.0.0.0/0 is required for a full-tunnel VPN, but it also
# means any packet the provider side sends into the tunnel is accepted.
# Because wireguard1 is not in the WAN list, the forward chain's
# "drop all from WAN not DSTNATed" rule does not apply to it (see
# /ip firewall filter).
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=wg2 endpoint-address=__.__.__.__ \
    endpoint-port=____ interface=wireguard1 public-key=\
    "_______"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
# Tunnel address given without a prefix length (treated as a host address);
# the reply later changes this to /24.
add address=10.65.135.144 comment=wg1 interface=wireguard1 network=\
    10.65.135.144
# add-default-route=no: the ISP default route is deliberately not installed,
# so the only default in table main is the one via wireguard1 (see /ip route).
/ip dhcp-client
add add-default-route=no comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
# allow-remote-requests=yes makes the router a DNS resolver on every
# interface. It is shielded from ether1 only by the input-chain
# "drop all not coming from LAN" rule; keep that rule or this becomes an
# open resolver. The upstream server is redacted here; the thread later
# points it at the VPN provider's DNS.
/ip dns
set allow-remote-requests=yes servers=__.__.__.__
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# Rules are evaluated top to bottom per chain; everything here is the
# factory defconf, unchanged.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Input from anything not in the LAN list is dropped; this covers ether1 and
# wireguard1 (neither is LAN), so the router itself is not reachable from
# the tunnel or the ISP side.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Established/related packets are fasttracked and skip the remaining
# filter rules; only new connections reach the rules below.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Matches in-interface-list=WAN only. wireguard1 is not in that list, so new
# connections arriving from the VPN side of the tunnel toward LAN hosts are
# NOT dropped here, and there is no final drop in the forward chain, so they
# are accepted. Adding wireguard1 to the WAN list (or a matching drop rule
# for in-interface=wireguard1) closes that gap.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# defconf: source-NAT everything leaving via an interface in the WAN list
# (only ether1 here).
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Separate masquerade for the tunnel, needed only because wireguard1 is not
# in the WAN list; if it were, the defconf rule above would cover it and
# this rule would be redundant.
add action=masquerade chain=srcnat out-interface=wireguard1
/ip route
# Default route in table main points into the tunnel, so every LAN source
# (and the router itself) goes out via the VPN.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 pref-src=\
    "" routing-table=main suppress-hw-offload=no
# Host route for the VPN endpoint via the ISP gateway so the tunnel's own
# packets are not routed back into the tunnel. There is no route via the ISP
# for anything else, which the reply calls the "missing IP route for local WAN".
add disabled=no dst-address=___VPN ENDPOINT___ gateway=___ISP Gateway___ routing-table=\
    main suppress-hw-offload=no
# defconf IPv6 bogon list and IPv6 filter; unchanged from the factory config.
# No IPv6 address is configured on wireguard1 in this export, so the LAN/WAN
# list caveat for the IPv4 rules does not obviously apply here.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Helsinki
/system note
set show-at-login=no
# MAC-telnet and MAC-WinBox are limited to the LAN list; ether5 is not in
# that list in this export, so neither service answers on it.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

-The easiest way to accomplish what you wish is to separate ether5 from the rest of the subnets.
-There are two ways to accomplish this:
one bridge, with ether5 off the bridge and given its own address.
one bridge and two vlans.
We will do the first one........

-Remove default IP DNS STATIC entry
-Remove the last rule in the forward chain ("defconf: drop all from WAN not DSTNATed"); it will be replaced with the appropriate rules below.

  • I am assuming there is NO local traffic between ether5 users and bridge LAN users. PLEASE CONFIRM!!!
    ( those going out wireguard dont need to talk to ether5 users and similarly ether5 users to do not need to reach wireguard users)

-wireguard route out table main is not required, it is created automatically when creating the IP address for wireguard, you are missing other items.
-missing IP route for local WAN ???

-Did the 3rd party VPN provider give you a DNS address to use???? Please confirm.

jun/03/2024 19:29:37 by RouterOS 7.9.2

model = RB952Ui-5ac2nD

/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp-local ranges=192.168.99.10-192.168.99.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=dhcp interface=ether5 name=port5

/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether5 list=LAN
add comment=defconf interface=ether1 list=WAN

/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=wg2 endpoint-address=...
endpoint-port=____ interface=wireguard1 public-key=
"_______" persistent-keep-alive=35s

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
add address=192.168.99.1/24 comment="ether5 local traffic" network=192.168.99.0
add address=10.65.135.144**/24** comment=wg1 interface=wireguard1 network=
10.65.135.0

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=
192.168.88.1
add address=192.168.99.0/24 comment=defconf dns-server=192.168.99.1 gateway=
192.168.99.1

/ip firewall filter
.............
.............
.............
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="users out wireguard" src-address=192.168.88.0/24 out-interface=wireguard1
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

/routing table
add fib name=use-WG

/ip route
add dst-address=0.0.0.0/0 gateway=ISP-gatewayIP routing-table=main
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=use-WG

/routing rule
add src-address=192.168.88.0/24 action=lookup table=use-WG
.
NOTE: if you never want the bridge users to fall back to the local WAN when the wireguard tunnel is down, change the action to action=lookup-only-in-table

Thank you for the very comprehensive reply
There is no need for traffic between ether5 and other bridge users, correct.
VPN provider config did give a DNS server to use.


missing IP route for local WAN

Sorry I don’t understand, how?

I tried applying those steps you described and after that I couldn’t connect to the router webfig to configure it anymore, and ether5 didn’t work, I think I mistyped something, I’ll retry

Also I don’t think I need a DHCP server for ether5, I will only connect one PC to it and it will have a static IP address, is it required?

Also when adding the “ether5 local traffic”, interface needs to be specified to ether5 right?

Thank you so much!

I was just bad at reading instructions. I followed them line by line and now all bridge users still go through VPN, ether5 doesn’t and the web server on it IS accessible from outside my network after adding the proper port forward rule. Only oddity is now I have to configure the mikrotik through 10.65.135.144, but it works.

Then you must be coming from an IP address on the bridge.
Try this routing rule in addition to the existing routing rule and it has to go FIRST in order.

/routing rule
add min-prefix=0 action=lookup-only-in-table table=main
add src-address=192.168.88.0/24 action=lookup table=use-WG

You should be able to have more flexibility in accessing the mikrotik.

What I am not convinced of is that DNS is being done through the tunnel.
In other words, although traffic may go through the tunnel, DNS queries may still be done through local WAN.

I have a thought on how to ensure what we want.

/ip firewall nat
add chain=dstnat action=dst-nat src-address=192.168.88.0/24 dst-port=53 protocol=udp to-address=3rdparty-DNS-IP dst-address-list=!wireguardISdown
add chain=dstnat action=dst-nat src-address=192.168.88.0/24 dst-port=53 protocol=tcp to-address=3rdparty-DNS-IP dst-address-list=!wireguardISdown

SO we force all DNS queries to go use the DNS IP Provided.
We also need an IP route to ensure this happens

/ip route
add dst-address=3rdparty-DNS-IP gateway=wireguard routing-table=main

So now, if the wireguard tunnel is up, all bridge traffic will have their dns queries sent into the tunnel as required.
Since we do NOT have any firewall address list defined on the router, the list we have on the config line is virtually IGNORED.

Then we will use netwatch to monitor the tunnel by checking if we can ping that dst-address. If the tunnel is up all good,
If the tunnel goes down then netwatch will create the address list
/ip firewall address-list
add address=0.0.0.0/0 list=wireguardISdown comment="DNS redirect"

Which means the list is all addresses…

Looking at the dstnat rule, the extra condition (dst-address-list=!wireguardISdown) is now active: it says "execute the rule only if the dst-address is something other than every possible address", which can never be true, so the condition is NOT met and the rule is not executed. With the rules not executing, subnet traffic is no longer forced into the tunnel for DNS and can use the local LAN for DNS.
As an aside we could also get netwatch to disable and enable the two dstnat rules as another option.


Now for the netwatch part of the config. Assuming that 3rdparty DNS IP is 64.0.10.35 as an example.
tool/netwatch/add comment=VPN_NETWATCH disabled=no down-script="/ip firewall address-list add address=0.0.0.0/0 comment=\"DNS redirect\" list=wireguardISdown" host=64.0.10.35
http-codes="" packet-count=3 test-script="" thr-avg=700ms thr-jitter=2s thr-loss-percent=100% thr-max=2s thr-stdev=700ms type=icmp up-script=
"/ip firewall address-list remove [find where comment=\"DNS redirect\"]"

Okay I tested for sure that DNS requests are indeed going through VPN tunnel (the VPN provider has a test page for that)

But now I have the problem that if I enable the port forward for the server, it starts working and everything else keeps working as intended, except I can no longer access the mikrotik web config on any IP on any port

add action=dst-nat chain=dstnat comment=example-http disabled=yes dst-port=80 \
    protocol=tcp to-addresses=192.168.99.25 to-ports=80

The full config:

# jun/04/2024 11:18:22 by RouterOS 7.9.2
# model = RB952Ui-5ac2nD
/interface bridge
add admin-mac=48:8F:5A:15:F7:1B auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=finland disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=___ wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=finland disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid=____ wireless-protocol=\
    802.11
# wireguard1 is still not a member of any interface list (see
# /interface list member below).
/interface wireguard
add listen-port=____ mtu=__ name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# wpa-psk (legacy WPA1) is still enabled alongside wpa2-psk; unless an old
# client needs it, wpa2-psk alone avoids the downgrade path.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp-local ranges=192.168.99.10-192.168.99.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
# Second DHCP server on the isolated port. The poster plans a single host
# with a static address on ether5, so this server is optional.
add address-pool=dhcp interface=ether5 name=port5
# Separate routing table holding the tunnel default route; which sources use
# it is decided by /routing rule at the end of this export.
/routing table
add disabled=no fib name=use-WG
# ether5 is deliberately left off the bridge so it is its own L2/L3 segment.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
# ether5 is added to LAN so the input chain, mac-server and neighbor
# discovery treat it as an inside interface. wireguard1 is in neither list,
# so the WAN-based forward rule below does not apply to the tunnel.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether5 list=LAN
# allowed-address=0.0.0.0/0: anything the provider side sends into the
# tunnel is accepted; there is no forward-chain drop for new connections
# from wireguard1 (see /ip firewall filter).
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=wg2 endpoint-address=_._._._ \
    endpoint-port=_____ interface=wireguard1 public-key=\
    "___"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
# Tunnel address now carries a /24, as suggested in the thread.
add address=10.65.135.144/24 comment=wg1 interface=wireguard1 network=\
    10.65.135.0
# ether5 gets its own /24, separate from the bridge subnet; the forwarded
# HTTP server (192.168.99.25 in the dstnat rule) lives here.
add address=192.168.99.1/24 comment="ether5 local traffic" interface=ether5 \
    network=192.168.99.0
/ip dhcp-client
add add-default-route=no comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
add address=192.168.99.0/24 comment=defconf2 dns-server=192.168.99.1 gateway=\
    192.168.99.1
# The router's own resolver now forwards to the VPN provider's DNS. Together
# with the host route for that address via wireguard1 in table main
# (see /ip route), this sends the router's and ether5 clients' DNS queries
# through the tunnel even though ether5's other traffic goes via the ISP.
# allow-remote-requests=yes is still only protected by the input-chain
# "drop all not coming from LAN" rule.
/ip dns
set allow-remote-requests=yes servers=(VPN DNS IP)
# Unchanged factory defconf. The forward rules proposed earlier in the
# thread (accept LAN->WAN, accept 192.168.88.0/24->wireguard1, accept dstnat,
# drop all else) were not applied, so:
#  - traffic between 192.168.99.0/24 (ether5, which will host an
#    Internet-reachable server) and 192.168.88.0/24 is allowed in both
#    directions, contrary to the "no local traffic between them" assumption;
#  - new connections arriving from the tunnel (wireguard1 is not in the WAN
#    list) are not dropped.
# A final "drop all else" in the forward chain, preceded by the explicit
# accepts, would enforce the intended isolation.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# ether5 is in the LAN list now, so the router's services (webfig, DNS) are
# reachable from the isolated port as well as from the bridge.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Established/related packets are fasttracked and skip the remaining rules.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Only in-interface-list=WAN (ether1) is covered; the dstnat exception is
# what lets the port-forwarded HTTP connections through.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Tunnel masquerade; needed because wireguard1 is not in the WAN list.
add action=masquerade chain=srcnat comment=vpn out-interface=wireguard1
# Bridge clients' port-53 traffic is rewritten to the VPN DNS whatever
# resolver they asked, including the router's own 192.168.88.1 handed out by
# DHCP. Only 192.168.88.0/24 is matched; ether5 clients are not redirected.
add action=dst-nat chain=dstnat comment=dns-udp dst-port=53 protocol=udp \
    src-address=192.168.88.0/24 to-addresses=(VPN DNS IP)
add action=dst-nat chain=dstnat comment=dns-tcp dst-port=53 protocol=tcp \
    src-address=192.168.88.0/24 to-addresses=(VPN DNS IP)
# Disabled here. As written it has no in-interface-list / dst-address match,
# so once enabled it rewrites every TCP/80 connection the router sees,
# including LAN clients opening the router's own webfig -- which is why the
# web UI became unreachable. Restricting it with in-interface-list=WAN (as
# the poster does in the follow-up), or with dst-address=<public IP>, limits
# it to Internet-originated connections.
add action=dst-nat chain=dstnat comment=example-http disabled=yes dst-port=80 \
    protocol=tcp to-addresses=192.168.99.25 to-ports=80
/ip route
# Tunnel default route lives in table use-WG, so only sources the routing
# rules send to that table use the VPN.
add comment=use-WG disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    wireguard1 pref-src="" routing-table=use-WG suppress-hw-offload=no
# Table main now has the ISP default (the "missing IP route for local WAN"
# from the thread); it is used by the router itself and by ether5.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=(ISP gateway) \
    pref-src="" routing-table=main suppress-hw-offload=no
# Host route for the VPN DNS server into the tunnel in table main, so DNS
# from the router (and therefore ether5 clients) goes through the VPN rather
# than to the ISP. Note there is no longer an explicit route for the VPN
# endpoint via the ISP gateway; the main default route covers it now.
add comment=VPN-DNS disabled=no distance=1 dst-address=(VPN DNS IP) \
    gateway=wireguard1 pref-src="" routing-table=main suppress-hw-offload=no
# defconf IPv6 bogon list and IPv6 filter; unchanged from the factory config.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
# Rule order matters; rules are tried top to bottom.
/routing rule
# First rule: lookups that find something more specific than the default
# route stay in table main (connected subnets, the VPN-DNS host route). This
# is what restored webfig access from the bridge, whose traffic was previously
# resolved entirely in use-WG. min-prefix=0 is read here as "skip the
# default route"; confirm against the RouterOS routing-rule documentation.
add action=lookup-only-in-table min-prefix=0 table=main
# Second rule: bridge subnet goes to use-WG with lookup-only-in-table, so if
# the tunnel is down there is no fallback to main and bridge traffic is
# dropped instead of leaking out via the ISP (kill-switch behaviour). The
# thread suggested action=lookup; this is the stricter variant.
add action=lookup-only-in-table src-address=192.168.88.0/24 table=use-WG
/system clock
set time-zone-name=Europe/Helsinki
/system note
set show-at-login=no
# MAC-telnet / MAC-WinBox on the LAN list, which now includes ether5.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Okay I actually understood my own mistake, added in-interface-list=WAN to that portforward line and now it works and I can still access the webfig from LAN. Do you think this config is fine? It seems to work in all ways I want it to work

If its doing everything you need it to do…