Hey guys. I need help setting up a wireguard vpn on my rb750.
My use case is simple. I only need to connect to the VPN when I am outside my network to access my internal devices and also direct all device browsing through my network.
I use two balanced providers via PCC. Both receive IP addresses from providers via DHCP. The VPN must only work on ether1 (which has the DMZ active).
It turns out that my user can connect but cannot access the internal network or the internet. Can anyone give help?
Thanks.
Here’s my config.
# 2023-12-20 15:55:34 by RouterOS 7.13
# software id = XXXXXXX
#
# model = RB750Gr3
# serial number = XXXXXXX
/interface bridge
add name=bridge-lan
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge-lan name=dhcp1
/port
set 0 name=serial0
/routing table
add disabled=no fib name=ISP1
add disabled=no fib name=ISP2
add comment="LB PCC by buananet.com" fib name=to-ether1
add comment="LB PCC by buananet.com" fib name=to-ether2
/interface bridge port
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5
/ip settings
set allow-fast-path=no
/interface list member
add interface=bridge-lan list=LAN
add interface=ether1 list=WAN
add interface=ether2 list=WAN
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard1 public-key=\
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
/ip address
add address=192.168.10.1/24 interface=bridge-lan network=192.168.10.0
add address=192.168.100.1 interface=wireguard1 network=192.168.100.0
/ip dhcp-client
add add-default-route=no interface=ether1 use-peer-dns=no use-peer-ntp=no
add add-default-route=no interface=ether2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=192.168.10.0/24 list=local
/ip firewall filter
add action=accept chain=forward in-interface=bridge-lan out-interface=ether1
add action=accept chain=input comment="allow Wireguard" dst-port=13231 \
log-prefix=filter_allow_wireguard protocol=udp src-port=""
add action=accept chain=input comment="allow Wireguard traffic" log=yes \
log-prefix=filter_allow_wireguard_traffic src-address-list=\
192.168.100.0/24
add action=accept chain=forward comment="WG access" in-interface=wireguard1 \
out-interface-list=LAN
/ip firewall mangle
add action=accept chain=prerouting comment="bridge access" dst-address-list=\
local in-interface=bridge-lan
add action=accept chain=prerouting comment="LB PCC by buananet.com" \
dst-address-list=LOCAL-IP src-address-list=LOCAL-IP
add action=accept chain=postrouting comment="LB PCC by buananet.com" \
dst-address-list=LOCAL-IP src-address-list=LOCAL-IP
add action=accept chain=forward comment="LB PCC by buananet.com" \
dst-address-list=LOCAL-IP src-address-list=LOCAL-IP
add action=accept chain=input comment="LB PCC by buananet.com" \
dst-address-list=LOCAL-IP src-address-list=LOCAL-IP
add action=accept chain=output comment="LB PCC by buananet.com" \
dst-address-list=LOCAL-IP src-address-list=LOCAL-IP
add action=mark-connection chain=input comment="LB PCC by buananet.com" \
in-interface=ether1 new-connection-mark=cm-ether1 passthrough=yes
add action=mark-connection chain=input comment="LB PCC by buananet.com" \
in-interface=ether2 new-connection-mark=cm-ether2 passthrough=yes
add action=mark-routing chain=output comment="LB PCC by buananet.com" \
connection-mark=cm-ether1 new-routing-mark=to-ether1 passthrough=yes
add action=mark-routing chain=output comment="LB PCC by buananet.com" \
connection-mark=cm-ether2 new-routing-mark=to-ether2 passthrough=yes
add action=mark-connection chain=prerouting comment="LB PCC by buananet.com" \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
cm-ether1 passthrough=yes per-connection-classifier=\
both-addresses-and-ports:5/0
add action=mark-connection chain=prerouting comment="LB PCC by buananet.com" \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
cm-ether1 passthrough=yes per-connection-classifier=\
both-addresses-and-ports:5/1
add action=mark-connection chain=prerouting comment="LB PCC by buananet.com" \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
cm-ether2 passthrough=yes per-connection-classifier=\
both-addresses-and-ports:5/2
add action=mark-connection chain=prerouting comment="LB PCC by buananet.com" \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
cm-ether2 passthrough=yes per-connection-classifier=\
both-addresses-and-ports:5/3
add action=mark-connection chain=prerouting comment="LB PCC by buananet.com" \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
cm-ether2 passthrough=yes per-connection-classifier=\
both-addresses-and-ports:5/4
add action=mark-routing chain=prerouting comment="LB PCC by buananet.com" \
connection-mark=cm-ether1 in-interface=bridge-lan new-routing-mark=\
to-ether1 passthrough=yes
add action=mark-routing chain=prerouting comment="LB PCC by buananet.com" \
connection-mark=cm-ether2 in-interface=bridge-lan new-routing-mark=\
to-ether2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes ipsec-policy=out,none \
out-interface-list=WAN
add action=masquerade chain=srcnat comment="LB PCC by buananet.com" \
out-interface=ether1
add action=masquerade chain=srcnat comment="LB PCC by buananet.com" \
out-interface=ether2
add action=src-nat chain=srcnat disabled=yes src-address=192.168.100.0/24 \
to-addresses=192.168.10.1
/ip route
add check-gateway=ping comment="LB PCC by buananet.com" distance=1 gateway=\
10.10.10.1%ether1 routing-table=to-ether1
add check-gateway=ping comment="LB PCC by buananet.com" distance=1 gateway=\
10.0.20.1%ether2 routing-table=to-ether2
add check-gateway=ping comment="LB PCC by buananet.com" distance=1 gateway=\
10.10.10.1%ether1
add check-gateway=ping comment="LB PCC by buananet.com" distance=2 gateway=\
10.0.20.1%ether2
add check-gateway=ping comment=ISP-1 distance=1 dst-address=0.0.0.0/0 \
gateway=1.1.1.1 scope=30 target-scope=30
add check-gateway=ping comment=ISP-2 distance=2 dst-address=0.0.0.0/0 \
gateway=1.0.0.1 scope=30 target-scope=30
add check-gateway=ping comment=ISP-1-Check distance=1 dst-address=1.1.1.1 \
gateway=10.10.10.1 scope=30 target-scope=10
add check-gateway=ping comment=ISP-2-Check distance=1 dst-address=1.0.0.1 \
gateway=10.0.20.1 scope=30 target-scope=10
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge-lan type=internal
/system clock
set time-zone-name=America/Fortaleza
/system note
set show-at-login=no
anav
December 20, 2023, 10:52pm
2
Do not quite understand.
First you ONLY wanted to use the Wireugard so you as a remote user could come in and lets say config the router or access LAN devices.
What Makes not sense to me is the second part.and also direct all device browsing through my network ???
anav
December 20, 2023, 10:57pm
3
Are you behind another router?
Do not undestand all the mangle rules prior to the PCC ones…
Something like this./ip firewall mangleadd action=accept chain=prerouting in-interface=wgireguard1 dst-address=192.168.10.0/24
IP Routes look a bit funny, like too many routes but will have a look. It seems like you have too many main table routes mixing up normal routing and recursive routing.
/ip route
add check-gateway=ping comment=ISP1 distance=2 dst-address=0.0.0.0/0 buananet.com ” gateway=10.10.10.1 routing-table=to-ether1buananet.com ” gateway=10.0.20.1 routing-table=to-ether2
In your case WAN1 is primary and for all traffic heading to WAN1, if it fails, the router will find WAN2 and route the traffic there.
Wireguard traffic, if WAN1 fails, then assuming your DOMAIN NAME will flip to WAN2IP, the cllent will search and find it and restablish connection on WAN2.
Do not quite understand.
First you ONLY wanted to use the Wireugard so you as a remote user could come in and lets say config the router or access LAN devices.
What Makes not sense to me is the second part.and also direct all device browsing through my network ???
Hello, anav! Thanks for your help!
The second part means i want to connect my phone to vpn when i’m outside and do 2 things:
1-remote user could come in and lets say config the router or access LAN devices. - as you said.
2-Pass my phone internet traffic through vpn. I travel a lot and do make use of public networks. I want a vpn to encrypt my traffic until my router and then goes to internet.
anav
December 21, 2023, 12:35am
6
Okay, its becoming clearer.
(2) No the only reason to put the output chain is traffic to the router.
In this case, the output chain rules are not required.
(3) Dont recommend DMZ at any time, ONLY if you can forward the single needed wireguard port to the MT router. Since you have hardly any firewall rules its a bad practice especially!!! Will suggest default firewall rule setup after you post your latest config.
(4) For the mangles it was not an order change it was an addition of two new ones at the top and getting rid of the Output chain one and all the useless ones…add action=accept chain=prerouting comment=“bridge access” dst-address-list=buananet.com ” buananet.com ” buananet.com ” buananet.com ” buananet.com ”
The rest were okay I think
Please post your config after more changes…
Okay, its becoming clearer.
(2) No the only reason to put the output chain is traffic to the router.
In this case, the output chain rules are not required.
(3) Dont recommend DMZ at any time, ONLY if you can forward the single needed wireguard port to the MT router. Since you have hardly any firewall rules its a bad practice especially!!! Will suggest default firewall rule setup after you post your latest config.
(4) For the mangles it was not an order change it was an addition of two new ones at the top and getting rid of the Output chain one and all the useless ones…add action=accept chain=prerouting comment=“bridge access” dst-address-list=buananet.com ” buananet.com ” buananet.com ” buananet.com ” buananet.com ”
The rest were okay I think
Please post your config after more changes…
Hello, Anav!!
I’ve done the changes you’ve recommended.
Here’s my new config after that.
# 2023-12-21 15:26:25 by RouterOS 7.13
# software id = AAAAAA
# model = RB750Gr3
# serial number = AAAAAAA
/interface bridge
add name=bridge-lan
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge-lan name=dhcp1
/port
set 0 name=serial0
/routing table
add disabled=no fib name=ISP1
add disabled=no fib name=ISP2
add comment="LB PCC by buananet.com" fib name=to-ether1
add comment="LB PCC by buananet.com" fib name=to-ether2
/interface bridge port
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5
/ip settings
set allow-fast-path=no
/interface list member
add interface=bridge-lan list=LAN
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=*7 list=LAN
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard1 public-key=\
"XXXXXXXXX"
/ip address
add address=192.168.10.1/24 interface=bridge-lan network=192.168.10.0
add address=192.168.100.1 interface=wireguard1 network=192.168.100.0
/ip dhcp-client
add add-default-route=no interface=ether1 use-peer-dns=no use-peer-ntp=no
add add-default-route=no interface=ether2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.10.252 comment="Home Assistant" mac-address=\
08:00:27:85:04:35
add address=192.168.10.104 comment="Camera - Sala de Estar" mac-address=\
5C:A6:E6:48:15:5E
add address=192.168.10.114 comment="Ar Condicionado - Davi" mac-address=\
94:3C:C6:43:3D:68
add address=192.168.10.116 comment="Tv Samsung - Sala de Estar" mac-address=\
80:8A:BD:19:8E:B2 server=dhcp1
add address=192.168.10.119 comment="Camera - Quarto de Davi" mac-address=\
6C:5A:B0:D4:10:EF
add address=192.168.10.120 comment=Impressora mac-address=48:9E:BD:AB:2F:38 \
server=dhcp1
add address=192.168.10.144 comment="Tomada - Ventilador - Escritorio" \
mac-address=A8:80:55:24:43:9F server=dhcp1
add address=192.168.10.124 mac-address=1C:90:FF:B3:BC:70 server=dhcp1
add address=192.168.10.135 comment="Hub - Infravermelho" mac-address=\
A8:80:55:22:34:B6 server=dhcp1
add address=192.168.10.105 comment="Spots da Sala de Jantar" mac-address=\
A8:80:55:0D:F6:E2 server=dhcp1
add address=192.168.10.107 comment="Spots da Sala de Estar" mac-address=\
A8:80:55:0D:FA:4C server=dhcp1
add address=192.168.10.108 comment="Luzes do Lavabo" mac-address=\
A8:80:55:0E:00:13 server=dhcp1
add address=192.168.10.110 comment="Spots da Cozinha" mac-address=\
A8:80:55:0E:03:75 server=dhcp1
add address=192.168.10.113 comment="Auxiliar - Luzes da sala de estar" \
mac-address=A8:80:55:65:DC:18 server=dhcp1
add address=192.168.10.115 comment="Luzes do Quarto de Davi" mac-address=\
A8:80:55:65:DB:59
add address=192.168.10.118 comment="Luzes da sala de estar" mac-address=\
A8:80:55:65:E0:54 server=dhcp1
add address=192.168.10.122 mac-address=B4:E8:42:C1:C4:54 server=dhcp1
add address=192.168.10.123 comment="Luzes suite master" mac-address=\
A8:80:55:65:DB:12 server=dhcp1
add address=192.168.10.143 mac-address=C4:4F:33:D3:66:C7 server=dhcp1
add address=192.168.10.136 comment="Macbook Pro - Daniel" mac-address=\
9C:3E:53:85:BD:ED server=dhcp1
add address=192.168.10.100 comment="Luz do Escritorio" mac-address=\
A8:80:55:0D:FE:93 server=dhcp1
add address=192.168.10.139 comment="Luzes do banheiro de Davi" mac-address=\
A8:80:55:0E:0C:E6 server=dhcp1
add address=192.168.10.103 comment="Luz do banheiro do escritorio" \
mac-address=A8:80:55:0D:FA:C8 server=dhcp1
add address=192.168.10.111 comment="Luzes da cozinha" mac-address=\
A8:80:55:0D:F7:C6 server=dhcp1
add address=192.168.10.146 comment="Luzes da Sala de Estar" mac-address=\
A8:80:55:0E:04:DF server=dhcp1
add address=192.168.10.112 comment="Luzes da Suite Master" mac-address=\
A8:80:55:0D:FC:FB server=dhcp1
add address=192.168.10.121 comment="Hub Zigbee - ICA 1001" mac-address=\
38:1F:8D:00:98:ED server=dhcp1
add address=192.168.10.102 comment=\
"Sensor de Presenca - Banheiro - Suite Master" mac-address=\
1C:90:FF:AF:C1:81 server=dhcp1
add address=192.168.10.156 comment="Hub Zigbee - Sonoff" mac-address=\
80:64:6F:C2:86:A0 server=dhcp1
add address=192.168.10.134 comment=ESP_557D0D mac-address=24:62:AB:55:7D:0D \
server=dhcp1
add address=192.168.10.142 mac-address=C0:95:6D:71:9B:44 server=dhcp1
add address=192.168.10.147 mac-address=7C:B9:4C:9A:41:9F server=dhcp1
add address=192.168.10.199 mac-address=1C:90:FF:C9:5F:03 server=dhcp1
add address=192.168.10.106 comment="Sensor de Presenca - Escritorio" \
mac-address=1C:90:FF:10:9A:1C server=dhcp1
add address=192.168.10.132 mac-address=7C:B9:4C:99:98:49 server=dhcp1
add address=192.168.10.145 mac-address=7C:B9:4C:9A:37:65 server=dhcp1
add address=192.168.10.138 mac-address=7C:B9:4C:99:A5:DB server=dhcp1
add address=192.168.10.133 comment=beelink mac-address=7C:83:34:BC:7B:CD \
server=dhcp1
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=192.168.10.0/24 list=local
add address=192.168.10.0-192.168.10.254 list=allowed_to_router
add address=192.168.100.0-192.168.100.54 list=allowed_to_router
/ip firewall filter
add action=accept chain=forward in-interface=bridge-lan out-interface=ether1
add action=accept chain=input comment="allow Wireguard" dst-port=13231 \
log-prefix=filter_allow_wireguard protocol=udp src-port=""
add action=accept chain=input comment="allow Wireguard traffic" in-interface=\
wireguard1 log-prefix=filter_allow_wireguard_traffic
add action=accept chain=output comment="allow Wireguard" disabled=yes \
dst-port=13231 log-prefix=filter_allow_wireguard protocol=udp src-port=""
add action=accept chain=forward comment=WG connection-state=\
established,related disabled=yes
add action=accept chain=forward comment=WG connection-state=new disabled=yes \
in-interface=ether1
add action=accept chain=forward comment=WG connection-state=new disabled=yes \
out-interface=ether1
add action=accept chain=forward comment="WG access" in-interface=wireguard1 \
out-interface-list=LAN
add action=drop chain=input disabled=yes log=yes log-prefix=DROP
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input comment="Drop geral"
/ip firewall mangle
add action=passthrough chain=forward comment="Forward wg traffic" disabled=\
yes dst-address=0.0.0.0 in-interface=*7
add action=accept chain=prerouting comment="bridge access - wireguard 1" \
disabled=yes dst-address=192.168.10.0/24 in-interface=wireguard1
add action=accept chain=prerouting comment="bridge access - backup" disabled=\
yes dst-address-list=local in-interface=bridge-lan
add action=accept chain=prerouting comment="bridge access - backup" disabled=\
yes dst-address=192.168.100.0/24 src-address=192.168.10.0/24 \
src-address-list=""
add action=accept chain=prerouting comment="LB PCC by buananet.com" disabled=\
yes dst-address-list=local src-address-list=local
add action=accept chain=postrouting comment="LB PCC by buananet.com" \
disabled=yes dst-address-list=local src-address-list=local
add action=accept chain=forward comment="LB PCC by buananet.com" disabled=yes \
dst-address-list=local src-address-list=local
add action=accept chain=input comment="LB PCC by buananet.com" disabled=yes \
dst-address-list=local src-address-list=local
add action=accept chain=output comment="LB PCC by buananet.com" disabled=yes \
dst-address-list=local src-address-list=local
add action=mark-connection chain=input comment="LB PCC by buananet.com" \
in-interface=ether1 new-connection-mark=cm-ether1 passthrough=yes
add action=mark-connection chain=input comment="LB PCC by buananet.com" \
in-interface=ether2 new-connection-mark=cm-ether2 passthrough=yes
add action=mark-routing chain=output comment="LB PCC by buananet.com" \
connection-mark=cm-ether1 disabled=yes new-routing-mark=to-ether1 \
passthrough=yes
add action=mark-routing chain=output comment="LB PCC by buananet.com" \
connection-mark=cm-ether2 disabled=yes new-routing-mark=to-ether2 \
passthrough=yes
add action=mark-connection chain=prerouting comment="PCC - 5/0 - Wan1" \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
cm-ether1 passthrough=yes per-connection-classifier=\
both-addresses-and-ports:5/0
add action=mark-connection chain=prerouting comment="PCC - 5/1 - Wan1" \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
cm-ether1 passthrough=yes per-connection-classifier=\
both-addresses-and-ports:5/1
add action=mark-connection chain=prerouting comment="PCC - 5/2 - Wan2" \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
cm-ether2 passthrough=yes per-connection-classifier=\
both-addresses-and-ports:5/2
add action=mark-connection chain=prerouting comment="PCC - 5/3 - Wan2" \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
cm-ether2 passthrough=yes per-connection-classifier=\
both-addresses-and-ports:5/3
add action=mark-connection chain=prerouting comment="PCC - 5/4 - Wan2" \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
cm-ether2 passthrough=yes per-connection-classifier=\
both-addresses-and-ports:5/4
add action=mark-routing chain=prerouting comment="LB PCC by buananet.com" \
connection-mark=cm-ether1 in-interface=bridge-lan new-routing-mark=\
to-ether1 passthrough=yes
add action=mark-routing chain=prerouting comment="Wireguard - Mark Routing" \
connection-mark=cm-ether1 disabled=yes in-interface=*7 new-routing-mark=\
to-ether1 passthrough=yes
add action=mark-routing chain=prerouting comment="LB PCC by buananet.com" \
connection-mark=cm-ether2 in-interface=bridge-lan new-routing-mark=\
to-ether2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes ipsec-policy=out,none \
out-interface-list=WAN
add action=masquerade chain=srcnat comment="LB PCC by buananet.com" \
out-interface=ether1
add action=masquerade chain=srcnat comment="LB PCC by buananet.com" \
out-interface=ether2
/ip route
add check-gateway=ping comment="LB PCC by buananet.com" disabled=no distance=\
1 dst-address=0.0.0.0/0 gateway=10.10.10.1 pref-src="" routing-table=\
to-ether1 scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="LB PCC by buananet.com" disabled=no distance=\
1 dst-address=0.0.0.0/0 gateway=10.0.20.1 pref-src="" routing-table=\
to-ether2 scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="LB PCC by buananet.com" disabled=no distance=\
1 dst-address=0.0.0.0/0 gateway=10.10.10.1 pref-src="" routing-table=main \
scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="LB PCC by buananet.com" disabled=no distance=\
2 dst-address=0.0.0.0/0 gateway=10.0.20.1 pref-src="" routing-table=main \
scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=ISP-1 distance=1 dst-address=0.0.0.0/0 \
gateway=1.1.1.1 scope=30 target-scope=30
add check-gateway=ping comment=ISP-2 distance=2 dst-address=0.0.0.0/0 \
gateway=1.0.0.1 scope=30 target-scope=30
add check-gateway=ping comment=ISP-1-Check distance=1 dst-address=1.1.1.1 \
gateway=10.10.10.1 scope=30 target-scope=10
add check-gateway=ping comment=ISP-2-Check distance=1 dst-address=1.0.0.1 \
gateway=10.0.20.1 scope=30 target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=*7 pref-src="" \
routing-table=to-ether1 scope=30 suppress-hw-offload=no target-scope=10
/ip service
set www address=192.168.10.0/24,192.168.100.0/24
set api address=192.168.10.252/32,192.168.100.0/24
set winbox address=192.168.10.0/24
set api-ssl address=192.168.10.252/32,192.168.100.0/24
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge-lan type=internal
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.100.1/32 \
table=to-ether1
/system clock
set time-zone-name=America/Fortaleza
/system note
set show-at-login=no
That’s a weird behavior here. I’m receiving push notification in my cell phone from slack and whatsapp. But doesnt navigation on the internet or accessing devices in my local network.
(1) Not sure why you are getting a weird outcome for ethernet7add interface=7 list=LAN ??erface=7
(2) Dont get your rules the chains are mixed up and thus not as easy to read. Will ahve to look at them later, but they need work.
(3) Dont see the first two rules as requested and you still have so many disabled rules. when you clean up the config I will have another look.
(4) Are you sure you even tried on routes… It seems you did nothing…
(1) Not sure why you are getting a weird outcome for ethernet7add interface=7 list=LAN ??erface=7
(2) Dont get your rules the chains are mixed up and thus not as easy to read. Will ahve to look at them later, but they need work.
(3) Dont see the first two rules as requested and you still have so many disabled rules. when you clean up the config I will have another look.
(4) Are you sure you even tried on routes… It seems you did nothing…
Firstly, thanks, llamajaja.
Second: i’ve cleaned up some garbage on my router config. But still no luck.
Here’s my new config.
# 2023-12-21 18:03:51 by RouterOS 7.13
# software id = XXXXXXXX
#
# model = RB750Gr3
# serial number = XXXXXXXXX
/interface bridge
add name=bridge-lan
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge-lan name=dhcp1
/port
set 0 name=serial0
/routing table
add comment="Table for Link 1" disabled=no fib name=to-ether1
add comment="Table for Link 2" disabled=no fib name=to-ether2
/interface bridge port
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5
/ip settings
set allow-fast-path=no
/interface list member
add interface=bridge-lan list=LAN
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=*7 list=LAN
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard1 public-key=\
"XXXXXXXXX"
/ip address
add address=192.168.10.1/24 interface=bridge-lan network=192.168.10.0
add address=192.168.100.1 interface=wireguard1 network=192.168.100.0
/ip dhcp-client
add add-default-route=no interface=ether1 use-peer-dns=no use-peer-ntp=no
add add-default-route=no interface=ether2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.10.252 comment="Home Assistant" mac-address=\
08:00:27:85:04:35
add address=192.168.10.104 comment="Camera - Sala de Estar" mac-address=\
5C:A6:E6:48:15:5E
add address=192.168.10.114 comment="Ar Condicionado - Davi" mac-address=\
94:3C:C6:43:3D:68
add address=192.168.10.116 comment="Tv Samsung - Sala de Estar" mac-address=\
80:8A:BD:19:8E:B2 server=dhcp1
add address=192.168.10.119 comment="Camera - Quarto de Davi" mac-address=\
6C:5A:B0:D4:10:EF
add address=192.168.10.120 comment=Impressora mac-address=48:9E:BD:AB:2F:38 \
server=dhcp1
add address=192.168.10.144 comment="Tomada - Ventilador - Escritorio" \
mac-address=A8:80:55:24:43:9F server=dhcp1
add address=192.168.10.124 mac-address=1C:90:FF:B3:BC:70 server=dhcp1
add address=192.168.10.135 comment="Hub - Infravermelho" mac-address=\
A8:80:55:22:34:B6 server=dhcp1
add address=192.168.10.105 comment="Spots da Sala de Jantar" mac-address=\
A8:80:55:0D:F6:E2 server=dhcp1
add address=192.168.10.107 comment="Spots da Sala de Estar" mac-address=\
A8:80:55:0D:FA:4C server=dhcp1
add address=192.168.10.108 comment="Luzes do Lavabo" mac-address=\
A8:80:55:0E:00:13 server=dhcp1
add address=192.168.10.110 comment="Spots da Cozinha" mac-address=\
A8:80:55:0E:03:75 server=dhcp1
add address=192.168.10.113 comment="Auxiliar - Luzes da sala de estar" \
mac-address=A8:80:55:65:DC:18 server=dhcp1
add address=192.168.10.115 comment="Luzes do Quarto de Davi" mac-address=\
A8:80:55:65:DB:59
add address=192.168.10.118 comment="Luzes da sala de estar" mac-address=\
A8:80:55:65:E0:54 server=dhcp1
add address=192.168.10.122 mac-address=B4:E8:42:C1:C4:54 server=dhcp1
add address=192.168.10.123 comment="Luzes suite master" mac-address=\
A8:80:55:65:DB:12 server=dhcp1
add address=192.168.10.143 mac-address=C4:4F:33:D3:66:C7 server=dhcp1
add address=192.168.10.136 comment="Macbook Pro - Daniel" mac-address=\
9C:3E:53:85:BD:ED server=dhcp1
add address=192.168.10.100 comment="Luz do Escritorio" mac-address=\
A8:80:55:0D:FE:93 server=dhcp1
add address=192.168.10.139 comment="Luzes do banheiro de Davi" mac-address=\
A8:80:55:0E:0C:E6 server=dhcp1
add address=192.168.10.103 comment="Luz do banheiro do escritorio" \
mac-address=A8:80:55:0D:FA:C8 server=dhcp1
add address=192.168.10.111 comment="Luzes da cozinha" mac-address=\
A8:80:55:0D:F7:C6 server=dhcp1
add address=192.168.10.146 comment="Luzes da Sala de Estar" mac-address=\
A8:80:55:0E:04:DF server=dhcp1
add address=192.168.10.112 comment="Luzes da Suite Master" mac-address=\
A8:80:55:0D:FC:FB server=dhcp1
add address=192.168.10.121 comment="Hub Zigbee - ICA 1001" mac-address=\
38:1F:8D:00:98:ED server=dhcp1
add address=192.168.10.102 comment=\
"Sensor de Presenca - Banheiro - Suite Master" mac-address=\
1C:90:FF:AF:C1:81 server=dhcp1
add address=192.168.10.156 comment="Hub Zigbee - Sonoff" mac-address=\
80:64:6F:C2:86:A0 server=dhcp1
add address=192.168.10.134 comment=ESP_557D0D mac-address=24:62:AB:55:7D:0D \
server=dhcp1
add address=192.168.10.142 mac-address=C0:95:6D:71:9B:44 server=dhcp1
add address=192.168.10.147 mac-address=7C:B9:4C:9A:41:9F server=dhcp1
add address=192.168.10.199 mac-address=1C:90:FF:C9:5F:03 server=dhcp1
add address=192.168.10.106 comment="Sensor de Presenca - Escritorio" \
mac-address=1C:90:FF:10:9A:1C server=dhcp1
add address=192.168.10.132 mac-address=7C:B9:4C:99:98:49 server=dhcp1
add address=192.168.10.145 mac-address=7C:B9:4C:9A:37:65 server=dhcp1
add address=192.168.10.138 mac-address=7C:B9:4C:99:A5:DB server=dhcp1
add address=192.168.10.133 comment=beelink mac-address=7C:83:34:BC:7B:CD \
server=dhcp1
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=192.168.10.0/24 list=local
add address=192.168.10.0-192.168.10.254 list=allowed_to_router
add address=192.168.100.0-192.168.100.54 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment="allow Wireguard" dst-port=13231 \
log-prefix=filter_allow_wireguard protocol=udp src-port=""
add action=accept chain=input comment="allow Wireguard traffic" log-prefix=\
filter_allow_wireguard_traffic src-address=192.168.100.0/24
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input comment="Drop geral"
/ip firewall mangle
add action=passthrough chain=forward comment="Forward wg traffic" \
dst-address=0.0.0.0 in-interface=wireguard1
add action=mark-connection chain=input comment="Mark Connection - Link 1" \
in-interface=ether1 new-connection-mark=cm-ether1 passthrough=yes
add action=mark-connection chain=input comment="Mark Connection - Link 2" \
in-interface=ether2 new-connection-mark=cm-ether2 passthrough=yes
add action=mark-connection chain=prerouting comment="PCC - 5/0 - Wan1" \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
cm-ether1 passthrough=yes per-connection-classifier=\
both-addresses-and-ports:5/0
add action=mark-connection chain=prerouting comment="PCC - 5/1 - Wan1" \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
cm-ether1 passthrough=yes per-connection-classifier=\
both-addresses-and-ports:5/1
add action=mark-connection chain=prerouting comment="PCC - 5/2 - Wan2" \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
cm-ether2 passthrough=yes per-connection-classifier=\
both-addresses-and-ports:5/2
add action=mark-connection chain=prerouting comment="PCC - 5/3 - Wan2" \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
cm-ether2 passthrough=yes per-connection-classifier=\
both-addresses-and-ports:5/3
add action=mark-connection chain=prerouting comment="PCC - 5/4 - Wan2" \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
cm-ether2 passthrough=yes per-connection-classifier=\
both-addresses-and-ports:5/4
add action=mark-routing chain=prerouting comment="Mark Routing to ether1" \
connection-mark=cm-ether1 in-interface=bridge-lan new-routing-mark=\
to-ether1 passthrough=yes
add action=mark-routing chain=prerouting comment="Mark Routing to ether2" \
connection-mark=cm-ether2 in-interface=bridge-lan new-routing-mark=\
to-ether2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="LB PCC by buananet.com" \
out-interface=ether1
add action=masquerade chain=srcnat comment="LB PCC by buananet.com" \
out-interface=ether2
/ip route
add comment="principal - default" disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=1.1.1.1 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=11
add comment="Check 1.1.1.1 - Link 1 - default" disabled=no distance=1 \
dst-address=1.1.1.1/32 gateway=10.10.10.1 pref-src="" routing-table=main \
scope=10 suppress-hw-offload=no target-scope=10
add comment="Check 1.1.1.1 - Link 1 " disabled=no distance=1 dst-address=\
1.1.1.1/32 gateway=10.10.10.1 pref-src="" routing-table=to-ether1 scope=\
10 suppress-hw-offload=no target-scope=10
add comment="secundaria - Link 2" disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=10.0.20.1 pref-src="" routing-table=to-ether2 scope=30 \
suppress-hw-offload=no target-scope=11
add comment="secundaria - default" disabled=no distance=2 dst-address=\
0.0.0.0/0 gateway=ether2 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=11
add comment="principal - Link 1" disabled=no distance=1 dst-address=0.0.0.0/0 \
gateway=1.1.1.1 pref-src="" routing-table=to-ether1 scope=30 \
suppress-hw-offload=no target-scope=11
/ip service
set www address=192.168.10.0/24,192.168.100.0/24
set api address=192.168.10.252/32,192.168.100.0/24
set winbox address=192.168.10.0/24
set api-ssl address=192.168.10.252/32,192.168.100.0/24
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge-lan type=internal
/system clock
set time-zone-name=America/Fortaleza
/system note
set show-at-login=no
/tool netwatch
add comment="Monitoring - Link 1" disabled=no down-script="/ip route disable [\
find comment=principal - default]\r\
\n/ip route disable [find comment=principal - Link 1]\r\
\n\r\
\n" host=1.1.1.1 http-codes="" interval=10s test-script="" timeout=1s \
type=simple up-script="/ip route enable [find comment=principal - default]\
\r\
\n/ip route enable [find comment=principal - Link 1]"
add comment="Monitoring - Link 2" disabled=yes down-script="/ip route disable \
[find comment=secundaria - default]\r\
\n/ip route disable [find comment=secundaria - Link 2]" host=1.0.0.1 \
http-codes="" interval=10s test-script="" timeout=1s type=simple \
up-script="/ip route enable [find secundaria - default]\r\
\n/ip route enable [find secundaria - Link 2]"
I’m sending my winbox view of traffic while conected to vpn. Note that’s the traffic is almost 0.
I solved 50% of problem. Now i can access internet from my phone through wireguard. But i cannot access lan devices.
The issue was my wireguard interface ip addres. It was 192.168.100.1 and the correct one is 192.168.100.1/24
Solved with:
/ip firewall nat
anav
December 21, 2023, 11:00pm
13
Indeed, it is 192.168.100.1/24 good catch!
The sourcenat thingy is NOT the correct solution for access between two subnets…
add chain=forward action=accept in-interface=wireguard1 dst-address=192.168.10.0/24
Here’s my full config if anyone get stucked on this.
Thanks anav and llamajaja!!!
# 2023-12-21 19:58:55 by RouterOS 7.13
# software id = AAAAAAA
#
# model = RB750Gr3
# serial number = AAAAA
/interface bridge
add name=bridge-lan
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge-lan name=dhcp1
/port
set 0 name=serial0
/routing table
add comment="Table for Link 1" disabled=no fib name=to-ether1
add comment="Table for Link 2" disabled=no fib name=to-ether2
/interface bridge port
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5
/ip settings
set allow-fast-path=no
/interface list member
add interface=bridge-lan list=LAN
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=192.168.100.2/32 client-dns=8.8.8.8 interface=wireguard1 \
public-key="PUBLICKEY"
/ip address
add address=192.168.10.1/24 interface=bridge-lan network=192.168.10.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip dhcp-client
add add-default-route=no interface=ether1 use-peer-dns=no use-peer-ntp=no
add add-default-route=no interface=ether2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.10.252 comment="Home Assistant" mac-address=\
08:00:27:85:04:35
add address=192.168.10.104 comment="Camera - Sala de Estar" mac-address=\
5C:A6:E6:48:15:5E
add address=192.168.10.114 comment="Ar Condicionado - Davi" mac-address=\
94:3C:C6:43:3D:68
add address=192.168.10.116 comment="Tv Samsung - Sala de Estar" mac-address=\
80:8A:BD:19:8E:B2 server=dhcp1
add address=192.168.10.119 comment="Camera - Quarto de Davi" mac-address=\
6C:5A:B0:D4:10:EF
add address=192.168.10.120 comment=Impressora mac-address=48:9E:BD:AB:2F:38 \
server=dhcp1
add address=192.168.10.144 comment="Tomada - Ventilador - Escritorio" \
mac-address=A8:80:55:24:43:9F server=dhcp1
add address=192.168.10.124 mac-address=1C:90:FF:B3:BC:70 server=dhcp1
add address=192.168.10.135 comment="Hub - Infravermelho" mac-address=\
A8:80:55:22:34:B6 server=dhcp1
add address=192.168.10.105 comment="Spots da Sala de Jantar" mac-address=\
A8:80:55:0D:F6:E2 server=dhcp1
add address=192.168.10.107 comment="Spots da Sala de Estar" mac-address=\
A8:80:55:0D:FA:4C server=dhcp1
add address=192.168.10.108 comment="Luzes do Lavabo" mac-address=\
A8:80:55:0E:00:13 server=dhcp1
add address=192.168.10.110 comment="Spots da Cozinha" mac-address=\
A8:80:55:0E:03:75 server=dhcp1
add address=192.168.10.113 comment="Auxiliar - Luzes da sala de estar" \
mac-address=A8:80:55:65:DC:18 server=dhcp1
add address=192.168.10.115 comment="Luzes do Quarto de Davi" mac-address=\
A8:80:55:65:DB:59
add address=192.168.10.118 comment="Luzes da sala de estar" mac-address=\
A8:80:55:65:E0:54 server=dhcp1
add address=192.168.10.122 mac-address=B4:E8:42:C1:C4:54 server=dhcp1
add address=192.168.10.123 comment="Luzes suite master" mac-address=\
A8:80:55:65:DB:12 server=dhcp1
add address=192.168.10.143 mac-address=C4:4F:33:D3:66:C7 server=dhcp1
add address=192.168.10.136 comment="Macbook Pro - Daniel" mac-address=\
9C:3E:53:85:BD:ED server=dhcp1
add address=192.168.10.100 comment="Luz do Escritorio" mac-address=\
A8:80:55:0D:FE:93 server=dhcp1
add address=192.168.10.139 comment="Luzes do banheiro de Davi" mac-address=\
A8:80:55:0E:0C:E6 server=dhcp1
add address=192.168.10.103 comment="Luz do banheiro do escritorio" \
mac-address=A8:80:55:0D:FA:C8 server=dhcp1
add address=192.168.10.111 comment="Luzes da cozinha" mac-address=\
A8:80:55:0D:F7:C6 server=dhcp1
add address=192.168.10.146 comment="Luzes da Sala de Estar" mac-address=\
A8:80:55:0E:04:DF server=dhcp1
add address=192.168.10.112 comment="Luzes da Suite Master" mac-address=\
A8:80:55:0D:FC:FB server=dhcp1
add address=192.168.10.121 comment="Hub Zigbee - ICA 1001" mac-address=\
38:1F:8D:00:98:ED server=dhcp1
add address=192.168.10.102 comment=\
"Sensor de Presenca - Banheiro - Suite Master" mac-address=\
1C:90:FF:AF:C1:81 server=dhcp1
add address=192.168.10.156 comment="Hub Zigbee - Sonoff" mac-address=\
80:64:6F:C2:86:A0 server=dhcp1
add address=192.168.10.134 comment=ESP_557D0D mac-address=24:62:AB:55:7D:0D \
server=dhcp1
add address=192.168.10.142 mac-address=C0:95:6D:71:9B:44 server=dhcp1
add address=192.168.10.147 mac-address=7C:B9:4C:9A:41:9F server=dhcp1
add address=192.168.10.199 mac-address=1C:90:FF:C9:5F:03 server=dhcp1
add address=192.168.10.106 comment="Sensor de Presenca - Escritorio" \
mac-address=1C:90:FF:10:9A:1C server=dhcp1
add address=192.168.10.132 mac-address=7C:B9:4C:99:98:49 server=dhcp1
add address=192.168.10.145 mac-address=7C:B9:4C:9A:37:65 server=dhcp1
add address=192.168.10.138 mac-address=7C:B9:4C:99:A5:DB server=dhcp1
add address=192.168.10.133 comment=beelink mac-address=7C:83:34:BC:7B:CD \
server=dhcp1
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=192.168.10.0/24 list=local
add address=192.168.10.0-192.168.10.254 list=allowed_to_router
add address=192.168.100.0-192.168.100.54 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input comment="Drop geral"
/ip firewall mangle
add action=mark-connection chain=input comment="Mark Connection - Link 1" \
in-interface=ether1 new-connection-mark=cm-ether1 passthrough=yes
add action=mark-connection chain=input comment="Mark Connection - Link 2" \
in-interface=ether2 new-connection-mark=cm-ether2 passthrough=yes
add action=mark-connection chain=prerouting comment="PCC - 5/0 - Wan1" \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
cm-ether1 passthrough=yes per-connection-classifier=\
both-addresses-and-ports:5/0
add action=mark-connection chain=prerouting comment="PCC - 5/1 - Wan1" \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
cm-ether1 passthrough=yes per-connection-classifier=\
both-addresses-and-ports:5/1
add action=mark-connection chain=prerouting comment="PCC - 5/2 - Wan2" \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
cm-ether2 passthrough=yes per-connection-classifier=\
both-addresses-and-ports:5/2
add action=mark-connection chain=prerouting comment="PCC - 5/3 - Wan2" \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
cm-ether2 passthrough=yes per-connection-classifier=\
both-addresses-and-ports:5/3
add action=mark-connection chain=prerouting comment="PCC - 5/4 - Wan2" \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
cm-ether2 passthrough=yes per-connection-classifier=\
both-addresses-and-ports:5/4
add action=mark-routing chain=prerouting comment="Mark Routing to ether1" \
connection-mark=cm-ether1 in-interface=bridge-lan new-routing-mark=\
to-ether1 passthrough=yes
add action=mark-routing chain=prerouting comment="Mark Routing to ether2" \
connection-mark=cm-ether2 in-interface=bridge-lan new-routing-mark=\
to-ether2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="Nat for Link 1" out-interface=\
ether1
add action=masquerade chain=srcnat comment="Nat for Link 2" out-interface=\
ether2
add action=src-nat chain=srcnat comment="wireguard srcnat for lan" \
src-address=192.168.100.0/24 to-addresses=192.168.10.1
/ip route
add comment="principal - default" disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=1.1.1.1 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=11
add comment="Check 1.1.1.1 - Link 1 - default" disabled=no distance=1 \
dst-address=1.1.1.1/32 gateway=10.10.10.1 pref-src="" routing-table=main \
scope=10 suppress-hw-offload=no target-scope=10
add comment="Check 1.1.1.1 - Link 1 " disabled=no distance=1 dst-address=\
1.1.1.1/32 gateway=10.10.10.1 pref-src="" routing-table=to-ether1 scope=\
10 suppress-hw-offload=no target-scope=10
add comment="secundaria - Link 2" disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=10.0.20.1 pref-src="" routing-table=to-ether2 scope=30 \
suppress-hw-offload=no target-scope=11
add comment="secundaria - default" disabled=no distance=2 dst-address=\
0.0.0.0/0 gateway=ether2 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=11
add comment="principal - Link 1" disabled=no distance=1 dst-address=0.0.0.0/0 \
gateway=1.1.1.1 pref-src="" routing-table=to-ether1 scope=30 \
suppress-hw-offload=no target-scope=11
/ip service
set www address=192.168.10.0/24,192.168.100.0/24
set api address=192.168.10.252/32,192.168.100.0/24
set winbox address=192.168.10.0/24
set api-ssl address=192.168.10.252/32,192.168.100.0/24
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge-lan type=internal
/system clock
set time-zone-name=America/Fortaleza
/system note
set show-at-login=no
/tool netwatch
add comment="Monitoring - Link 1" disabled=no down-script="/ip route disable [\
find comment=principal - default]\r\
\n/ip route disable [find comment=principal - Link 1]\r\
\n\r\
\n" host=1.1.1.1 http-codes="" interval=10s test-script="" timeout=1s \
type=simple up-script="/ip route enable [find comment=principal - default]\
\r\
\n/ip route enable [find comment=principal - Link 1]"
add comment="Monitoring - Link 2" disabled=yes down-script="/ip route disable \
[find comment=secundaria - default]\r\
\n/ip route disable [find comment=secundaria - Link 2]" host=1.0.0.1 \
http-codes="" interval=10s test-script="" timeout=1s type=simple \
up-script="/ip route enable [find secundaria - default]\r\
\n/ip route enable [find secundaria - Link 2]"
Indeed, it is 192.168.100.1/24 good catch!
The sourcenat thingy is NOT the correct solution for access between two subnets…
ohh. Could you tell me wich one is best? I can change it now and make some tests!
anav
December 21, 2023, 11:04pm
16
see above added the line,
Indeed, it is 192.168.100.1/24 good catch!
The sourcenat thingy is NOT the correct solution for access between two subnets…
add chain=forward action=accept in-interface=wireguard1 dst-address=192.168.10.0/24
Thats wierd. I can access my rb on 192.168.10.1 but i cannot access another host on 192.168.10.252 after changing like you said. Do you know what is this behavior?
Edited: 192.168.10.252 listen to port 8123. I’ve tried creating another rule and putting port but no success. It only works with Src nat.
