Hello,
I am trying to route all traffic from a MikroTik through the WireGuard interface. I almost succeeded, but I still have some errors.
First I tried the server with a Windows WireGuard client, and it works nicely.
But with the MikroTik client I have some issues.
I managed to connect everything.
And it is sort of working: I have ping, and the public IP is correct, but I get some ping timeouts.
I suspect it is a problem with the routing.
(I have firewall rules for the UDP port and for LAN-to-LAN IPs.)
WIREGUARD SERVER
# 2024-12-27 00:18:56 by RouterOS 7.16.2
# software id = IT3J-YRBI
#
# model = RB750Gr3
# Review notes: export of the WireGuard "server" side (RB750Gr3) as first posted.
# Every defconf filter rule in this export is disabled, so the router's input
# chain is effectively open on all interfaces; see the notes at each section.
/interface bridge
# " LAN-bridge" (note the leading space in the name) has no member ports under
# /interface bridge port below and is unused.
add name=" LAN-bridge" port-cost-mode=short
add admin-mac=CC:2D:E0:CE:53:F4 auto-mac=no comment=defconf name=bridge \
port-cost-mode=short
add name="bridge mcast" port-cost-mode=short protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] mac-address=84:D8:1B:AB:B5:D5 name=\
"ether1 WAN"
set [ find default-name=ether2 ] name="ether2 Lan Switch"
set [ find default-name=ether3 ] name="ether3 FFMPEG"
set [ find default-name=ether4 ] mac-address=4C:6F:BC:70:10:8F name=\
"ether4 Mcast"
set [ find default-name=ether5 ] name="ether5 Encoder"
/interface wireguard
# Tunnel listens on udp/15121; the accept rule for it has to be in the input
# chain, because the handshake is addressed to the router itself.
add listen-port=15121 mtu=1420 name=wireguard1_lan
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=\
"ether2 Lan Switch" internal-path-cost=10 path-cost=10
add bridge="bridge mcast" comment=defconf ingress-filtering=no \
interface="ether3 FFMPEG" internal-path-cost=10 path-cost=10
add bridge="bridge mcast" comment=defconf ingress-filtering=no \
interface="ether4 Mcast" internal-path-cost=10 path-cost=10
add bridge="bridge mcast" comment=defconf ingress-filtering=no \
interface="ether5 Encoder" internal-path-cost=10 path-cost=10
/ip firewall connection tracking
# A 10s UDP timeout combined with the 30s persistent-keepalive on the peers
# means the tunnel's UDP flow likely falls out of "established" between
# keepalives; connection-state rules alone will not keep the handshake port
# open, so an explicit input accept for udp/15121 is needed.
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface="ether1 WAN" list=WAN
/interface wireguard peers
# Both peers are configured with allowed-address=0.0.0.0/0. WireGuard binds each
# allowed prefix to exactly one peer, so the later entry takes 0.0.0.0/0 from the
# earlier one and only one peer can pass traffic at a time. Use each peer's
# tunnel /32 (and the remote LAN for the router peer) instead.
add allowed-address=0.0.0.0/0 endpoint-port=15121 interface=wireguard1_lan \
name=peer7 persistent-keepalive=30s public-key=\
"xxxxx_public_key_wireguard_client"
add allowed-address=0.0.0.0/0 endpoint-port=15121 interface=wireguard1_lan \
name=win_PC persistent-keepalive=30s public-key=\
"xxxxx_public_key_test_windows_pc_client"
/ip address
# 192.168.1.1/24 is bound to "ether2 Lan Switch", but that port is a member of
# "bridge" (see /interface bridge port); the address belongs on the bridge.
add address=192.168.1.1/24 comment=defconf interface="ether2 Lan Switch" \
network=192.168.1.0
add address=94.yy.xx.xxx/26 interface="ether1 WAN" network=94.xx.xx.xxx
add address=192.168.32.1/24 interface=wireguard1_lan network=192.168.32.0
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.1.1 name=router.lan type=A
/ip firewall filter
# All defconf rules below carry disabled=yes. With no active input rule the
# router accepts everything addressed to itself, including from the WAN; the
# only remaining protection is the /ip service list further down.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
# Disabled test rule; port="" and log-prefix=testt look like leftovers.
add action=accept chain=input disabled=yes dst-address=94.yy.xx.xxx \
dst-port=21 in-interface="ether1 WAN" log=yes log-prefix=testt port="" \
protocol=tcp
# Wrong chain: a WireGuard handshake is destined to the router itself and is
# evaluated in the input chain, so this forward rule never matches it.
add action=accept chain=forward dst-port=15121 in-interface="ether1 WAN" \
protocol=udp
# The empty dst-address-list="" / src-address-list="" matchers appear to be
# GUI leftovers. These LAN-to-LAN accepts only matter once a forward drop rule
# is active below them, and none is.
add action=accept chain=forward dst-address=192.168.20.0/24 dst-address-list=\
"" src-address=192.168.1.0/24 src-address-list=""
add action=accept chain=forward dst-address=192.168.1.0/24 dst-address-list=\
"" src-address=192.168.20.0/24 src-address-list=""
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
# The dst-nat rules below publish FTP (21/990 plus a passive range), VNC (5900
# on three hosts), HTTP and several UDP services on the public address. A
# non-standard external port does not hide a service; prefer reaching admin
# type services (VNC, FTP) over the WireGuard tunnel and keep logging on
# whatever must stay published.
add action=dst-nat chain=dstnat dst-address=94.yy.xx.xxx dst-port=211 \
protocol=tcp to-addresses=192.168.1.254 to-ports=21
add action=dst-nat chain=dstnat dst-address=94.yy.xx.xxx dst-port=990 \
protocol=tcp to-addresses=192.168.1.254 to-ports=990
add action=dst-nat chain=dstnat dst-address=94.yy.xx.xxx dst-port=\
50000-51000 protocol=tcp to-addresses=192.168.1.254 to-ports=50000-51000
add action=dst-nat chain=dstnat dst-address=94.yy.xx.xxx dst-port=7000 \
protocol=tcp to-addresses=192.168.1.246 to-ports=7000
add action=dst-nat chain=dstnat dst-address=94.yy.xx.xxx dst-port=8787 \
protocol=udp to-addresses=192.168.1.254 to-ports=8989
add action=dst-nat chain=dstnat dst-address=94.yy.xx.xxx dst-port=9595 \
protocol=udp to-addresses=192.168.1.254 to-ports=9595
add action=dst-nat chain=dstnat dst-address=94.yy.xx.xxx dst-port=9696 \
protocol=udp to-addresses=192.168.1.254 to-ports=9696
add action=dst-nat chain=dstnat dst-address=94.yy.xx.xxx dst-port=5555 \
protocol=tcp to-addresses=192.168.1.254 to-ports=5555
add action=dst-nat chain=dstnat dst-address=94.yy.xx.xxx dst-port=8088 log=\
yes log-prefix=8088 protocol=tcp to-addresses=192.168.1.254 to-ports=8088
add action=dst-nat chain=dstnat comment="" \
dst-address=94.yy.xx.xxx dst-port=17788 log=yes port="" protocol=tcp \
to-addresses=192.168.1.253 to-ports=80
add action=dst-nat chain=dstnat comment="" dst-address=\
94.yy.xx.xxx dst-port=11101 log=yes log-prefix=emisie_vnc protocol=tcp \
to-addresses=192.168.1.253 to-ports=5900
add action=dst-nat chain=dstnat comment="" dst-address=94.yy.xx.xxx \
dst-port=11102 log-prefix=vmix_vnc protocol=tcp to-addresses=\
192.168.1.254 to-ports=5900
add action=dst-nat chain=dstnat comment="" dst-address=\
94.yy.xx.xxx dst-port=11103 log=yes log-prefix=vmix_vnc protocol=tcp \
to-addresses=192.168.1.246 to-ports=5900
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=94.yy.zz.zzz
# The LAN behind the client router is reached through the tunnel interface.
add disabled=no distance=1 dst-address=192.168.20.0/24 gateway=wireguard1_lan \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
# With no active input filter the winbox port is reachable from the WAN; a
# custom port number is obscurity, not access control. Restrict it with the
# service's address= parameter or an input rule matching an admin address list.
set winbox port=XXXX
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Bucharest
/system identity
set name=mikrotik
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
WIREGUARD CLIENT
# 2024-12-27 00:13:33 by RouterOS 7.16.2
# software id = ZRE7-477Q
#
# model = RB941-2nD
# Review notes: export of the WireGuard "client" router (RB941-2nD) as first
# posted. Its ether1 sits behind another router at 192.168.100.1.
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=MikroTik \
wireless-protocol=802.11
/interface wireguard
add listen-port=15121 mtu=1420 name=wireguard1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
# Only supplicant-identity is set on the default profile here; an export lists
# authentication-types/mode when they differ from the defaults, so the AP may
# be running open (no WPA). Confirm on the device.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool1 ranges=192.168.20.10-192.168.20.254
/ip dhcp-server
add address-pool=pool1 interface=bridge1 name=server1
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes
/interface list member
# wireguard1 is a WAN member here; together with the masquerade on wireguard1
# below, LAN clients appear on the tunnel as 192.168.32.2.
add interface=wireguard1 list=WAN
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
/interface wireguard peers
# allowed-address=0.0.0.0/0 on the client side is normal for a "route
# everything" peer; the endpoint itself must still have a route that bypasses
# the tunnel (see /ip route below).
add allowed-address=0.0.0.0/0 endpoint-address=94.yy.xx.xxx endpoint-port=\
15121 interface=wireguard1 name=peer1 persistent-keepalive=30s \
public-key="xxxxx_public_key_wireguard_server"
/ip address
add address=192.168.20.1/24 interface=bridge1 network=192.168.20.0
add address=192.168.32.2/24 interface=wireguard1 network=192.168.32.0
add address=192.168.100.60/24 interface=ether1 network=192.168.100.0
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1 \
netmask=24
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
# The forward accepts below restrict nothing because no forward drop rule
# follows them, and the three input rules are disabled: the router itself is
# reachable without limit from ether1 and from the tunnel.
add action=accept chain=forward dst-address=192.168.20.0/24 src-address=\
192.168.1.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=\
192.168.20.0/24
# Wrong chain: packets to this router's own udp/15121 are evaluated in the
# input chain, not forward.
add action=accept chain=forward dst-port=15121 in-interface=ether1 protocol=\
udp
add action=accept chain=input connection-state=established disabled=yes
add action=accept chain=input connection-state=related disabled=yes
add action=drop chain=input disabled=yes in-interface-list=!LAN
/ip firewall nat
# Masquerade towards the WAN list is disabled; presumably the upstream router
# at 192.168.100.1 does the NAT. Only tunnel traffic is masqueraded.
add action=masquerade chain=srcnat disabled=yes out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.100.1 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=wireguard1 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# Second 0.0.0.0/0 route with the same distance as the one via 192.168.100.1,
# and no /32 route for the tunnel endpoint 94.yy.xx.xxx via 192.168.100.1.
# Traffic, including the tunnel's own UDP packets, may alternate between the
# two paths; this is a likely cause of the intermittent ping timeouts. Steer
# LAN traffic into the tunnel with a dedicated routing table and routing rule
# rather than a competing default route.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=Europe/Bucharest
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
anav
December 26, 2024, 7:14pm
Post both full configs:
/export file=anynameyouwish (minus the router serial number, any public WAN IP information, keys, etc.)
anav
December 27, 2024, 2:22am
You should really subscribe to VLAN filtering, but I will focus on other things for now.
You have three bridges but only use two, so get rid of LAN-bridge!
The second mcast bridge has no structure (IP address, pool, etc.), but I will ignore that as well.
You do not understand how WireGuard works and what the purpose of allowed IPs is. It is to identify:
a. external subnets local users want to reach, OR
b. external subnets that are coming through the tunnel and landing at the local router.
Attach the address to the bridge and not to ether2, since you added ether2 to the bridge.
Remove static dns setting.
Forward chain firewall rules are not the place for port forwarding rules, those belong under NAT.
why are all your firewall rules disabled…
MISSING: an input chain rule for the WireGuard handshake.
Added a relay rule so that you, as admin, can reach router B for configuration purposes after connecting to router A via WireGuard.
The /interface list member entries are incomplete.
Need to segregate client-router users from the remote admin device coming in over WireGuard, so that only the admin can access the router.
Thus, use a source address list to define the admin; the input chain is modified accordingly.
…
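# model = RB750Gr3
# Router1 (WireGuard server), suggested config. Reviewer corrections applied so
# the block imports: names containing spaces quoted, the "{ ... }" notes turned
# into # comments, and in-interface-list=LAN fixed. Rule order is as proposed.
/interface bridge
add admin-mac=CC:2D:E0:CE:53:F4 auto-mac=no comment=defconf name=bridge \
port-cost-mode=short
add name="bridge mcast" port-cost-mode=short protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] mac-address=84:D8:1B:AB:B5:D5 name=\
"ether1 WAN"
set [ find default-name=ether2 ] name="ether2 Lan Switch"
set [ find default-name=ether3 ] name="ether3 FFMPEG"
set [ find default-name=ether4 ] mac-address=4C:6F:BC:70:10:8F name=\
"ether4 Mcast"
set [ find default-name=ether5 ] name="ether5 Encoder"
/interface wireguard
add listen-port=15121 mtu=1420 name=wireguard1_lan
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=\
"ether2 Lan Switch" internal-path-cost=10 path-cost=10
add bridge="bridge mcast" comment=defconf ingress-filtering=no \
interface="ether3 FFMPEG" internal-path-cost=10 path-cost=10
add bridge="bridge mcast" comment=defconf ingress-filtering=no \
interface="ether4 Mcast" internal-path-cost=10 path-cost=10
add bridge="bridge mcast" comment=defconf ingress-filtering=no \
interface="ether5 Encoder" internal-path-cost=10 path-cost=10
/ip firewall connection tracking
# 10s UDP timeout: the explicit "wireguard handshake" input rule below is what
# keeps the tunnel reachable, not connection-state matching.
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
# The tunnel is a LAN member so the "internet traffic" and "users to services"
# rules below also cover remote users arriving through WireGuard.
add interface=wireguard1_lan list=LAN
add comment=defconf interface="ether1 WAN" list=WAN
/interface wireguard peers
# Per-peer allowed-address: the client router gets its tunnel /32 plus the LAN
# behind it; the PC only its tunnel /32. "xxxxx"/"yyyyy" are placeholders for
# the real public keys.
add allowed-address=192.168.32.2/32,192.168.20.0/24 interface=wireguard1_lan name="MT Client Router" public-key="xxxxx"
add allowed-address=192.168.32.3/32 interface=wireguard1_lan name="PC Client1" public-key="yyyyy"
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
add address=94.yy.xx.xxx/26 interface="ether1 WAN" network=94.xx.xx.xxx
add address=192.168.32.1/24 interface=wireguard1_lan network=192.168.32.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set servers=1.1.1.1,8.8.8.8
/ip firewall address-list
# Use DHCP static leases where applicable so the admin addresses stay fixed.
# X, Y and A are placeholders for the real host addresses.
add address=192.168.1.X list=AUTHORIZED comment="local admin PC"
add address=192.168.1.Y list=AUTHORIZED comment="local admin device #2"
add address=192.168.32.3 list=AUTHORIZED comment="remote admin wireguard laptop"
add address=192.168.32.A list=AUTHORIZED comment="remote admin wireguard smartphone/ipad"
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" \
protocol=icmp
# Handshake accept belongs in the input chain (the tunnel terminates on this
# router) and must sit above the final drop.
add action=accept chain=input comment="wireguard handshake" dst-port=15121 protocol=udp
# Only AUTHORIZED addresses reach management; all other LAN/tunnel users get
# DNS (53) and nothing else from the router itself.
add action=accept chain=input comment="admin access" src-address-list=AUTHORIZED
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
# Install this rule last, after the rules above and after the AUTHORIZED list
# exists, or you will lock yourself out.
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="wireguard to local LAN" in-interface=wireguard1_lan dst-address=192.168.1.0/24
add action=accept chain=forward comment="local LAN to remote LAN" out-interface=wireguard1_lan src-address=192.168.1.0/24 dst-address=192.168.20.0/24
# Tunnel-to-tunnel relay: lets the remote admin device reach the client router.
add action=accept chain=forward comment="wg remote relay" in-interface=wireguard1_lan out-interface=wireguard1_lan
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=94.yy.xx.xxx dst-port=211 \
protocol=tcp to-addresses=192.168.1.254 to-ports=21
add action=dst-nat chain=dstnat dst-address=94.yy.xx.xxx dst-port=990 \
protocol=tcp to-addresses=192.168.1.254 to-ports=990
add action=dst-nat chain=dstnat dst-address=94.yy.xx.xxx dst-port=\
50000-51000 protocol=tcp to-addresses=192.168.1.254 to-ports=50000-51000
add action=dst-nat chain=dstnat dst-address=94.yy.xx.xxx dst-port=7000 \
protocol=tcp to-addresses=192.168.1.246 to-ports=7000
add action=dst-nat chain=dstnat dst-address=94.yy.xx.xxx dst-port=8787 \
protocol=udp to-addresses=192.168.1.254 to-ports=8989
add action=dst-nat chain=dstnat dst-address=94.yy.xx.xxx dst-port=9595 \
protocol=udp to-addresses=192.168.1.254 to-ports=9595
add action=dst-nat chain=dstnat dst-address=94.yy.xx.xxx dst-port=9696 \
protocol=udp to-addresses=192.168.1.254 to-ports=9696
add action=dst-nat chain=dstnat dst-address=94.yy.xx.xxx dst-port=5555 \
protocol=tcp to-addresses=192.168.1.254 to-ports=5555
add action=dst-nat chain=dstnat dst-address=94.yy.xx.xxx dst-port=8088 log=\
yes log-prefix=8088 protocol=tcp to-addresses=192.168.1.254 to-ports=8088
add action=dst-nat chain=dstnat comment="" \
dst-address=94.yy.xx.xxx dst-port=17788 log=yes port="" protocol=tcp \
to-addresses=192.168.1.253 to-ports=80
add action=dst-nat chain=dstnat comment="" dst-address=\
94.yy.xx.xxx dst-port=11101 log=yes log-prefix=emisie_vnc protocol=tcp \
to-addresses=192.168.1.253 to-ports=5900
add action=dst-nat chain=dstnat comment="" dst-address=94.yy.xx.xxx \
dst-port=11102 log-prefix=vmix_vnc protocol=tcp to-addresses=\
192.168.1.254 to-ports=5900
add action=dst-nat chain=dstnat comment="" dst-address=\
94.yy.xx.xxx dst-port=11103 log=yes log-prefix=vmix_vnc protocol=tcp \
to-addresses=192.168.1.246 to-ports=5900
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=94.yy.zz.zzz
add disabled=no distance=1 dst-address=192.168.20.0/24 gateway=wireguard1_lan \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=XXXX
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Bucharest
/system identity
set name=mikrotik
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN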
…
Router2
No need to make WireGuard a WAN list member, as the other end is a MikroTik and is programmed to allow 192.168.20.0/24 traffic.
Do not add the netmask manually in the dhcp-server network settings.
For DNS, point the dhcp-server network at the WireGuard address of router A; dst-nat rules will also be used to enforce this.
MISSING: the part that forces traffic into WireGuard: a. a routing table, b. a routing rule, c. modify the existing route.
Do not depend on the ISP router for firewall rules; so many are missing.
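# 2024-12-27 00:13:33 by RouterOS 7.16.2
# software id = ZRE7-477Q
#
# model = RB941-2nD
# Router2 (WireGuard client), suggested config. Reviewer corrections applied so
# the block imports: stray line continuation removed, "{ ... }" notes turned
# into # comments, in-interface-list=LAN, to-addresses= on the dst-nat rules
# and the use-WG table name fixed. Rule order is as proposed.
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=MikroTik \
wireless-protocol=802.11
/interface wireguard
add listen-port=15121 mtu=1420 name=wireguard1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
# The default profile shows no authentication-types/mode; confirm the AP is
# not running open before relying on the LAN-only rules below.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool1 ranges=192.168.20.10-192.168.20.254
/ip dhcp-server
add address-pool=pool1 interface=bridge1 name=server1
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
# wireguard1 is deliberately not a WAN member: the server end lists
# 192.168.20.0/24 in its allowed-address, so no masquerade on the tunnel.
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=94.yy.xx.xxx endpoint-port=\
15121 interface=wireguard1 name=peer1 persistent-keepalive=30s \
public-key="xxxxx_public_key_wireguard_server"
/ip address
add address=192.168.20.1/24 interface=bridge1 network=192.168.20.0
add address=192.168.32.2/24 interface=wireguard1 network=192.168.32.0
add address=192.168.100.60/24 interface=ether1 network=192.168.100.0
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server network
# DNS handed to clients is the server router's tunnel address; the netmask is
# derived from the address, not set by hand.
add address=192.168.20.0/24 dns-server=192.168.32.1 gateway=192.168.20.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# Use DHCP static leases where applicable; X, Y, A and Z are placeholders.
add address=192.168.1.X list=AUTHORIZED comment="remote admin PC from Router1"
add address=192.168.1.Y list=AUTHORIZED comment="remote admin device #2 from Router1"
add address=192.168.32.3 list=AUTHORIZED comment="remote admin wireguard laptop"
add address=192.168.32.A list=AUTHORIZED comment="remote admin wireguard smartphone/ipad"
add address=192.168.20.Z list=AUTHORIZED comment="local admin device"
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" \
protocol=icmp
# This router initiates the handshake, so no inbound udp/15121 rule is needed;
# replies are covered by the established/related rule above.
add action=accept chain=input comment="admin access" src-address-list=AUTHORIZED
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
# Install this rule last, after the rules above and after the AUTHORIZED list
# exists, or you will lock yourself out.
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="wireguard to local LAN" in-interface=wireguard1 dst-address=192.168.20.0/24
add action=accept chain=forward comment="local LAN to remote LAN or Router1 internet" out-interface=wireguard1 src-address=192.168.20.0/24
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
# Redirect every LAN DNS query to Router1's tunnel address so DNS follows the
# tunnel. This also diverts queries aimed at 192.168.20.1, so the "users to
# services" input rules above will not see LAN DNS traffic.
add chain=dstnat action=dst-nat in-interface-list=LAN dst-port=53 protocol=udp to-addresses=192.168.32.1
add chain=dstnat action=dst-nat in-interface-list=LAN dst-port=53 protocol=tcp to-addresses=192.168.32.1
/routing table
add fib name=use-WG
/routing rule
# Intended behaviour: anything with a more specific (non-default) route in main
# stays on that route; everything else sourced from the LAN is looked up in
# use-WG, whose only route is the tunnel default.
add action=lookup-only-in-table min-prefix=0 table=main
add action=lookup-only-in-table src-address=192.168.20.0/24 table=use-WG
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.100.1 routing-table=main
add dst-address=192.168.1.0/24 gateway=wireguard1 routing-table=main
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=use-WG
/system clock
set time-zone-name=Europe/Bucharest
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN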
Hello,
Thank you for your reply.
I implemented the changes and have had some success.
Edit:
After restarting the peer, ping is working, and so are the shares.
But internet for the devices is still not working.
Also, I added a TCP port on the server side for remote management because the firewall filtering locked me out.
Please review the configuration if you have time.
SERVER SIDE
# 2024-12-27 22:03:06 by RouterOS 7.16.2
# software id = IT3J-YRBI
#
# model = RB750Gr3
# serial number = 8xxxxx
/interface bridge
add admin-mac=CC:2D:E0:CE:53:F4 auto-mac=no comment=defconf name=bridge \
port-cost-mode=short
add name="bridge mcast" port-cost-mode=short protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] mac-address=84:D8:1B:AB:B5:D5 name=\
"ether1 WAN"
set [ find default-name=ether2 ] name="ether2 Lan Switch"
set [ find default-name=ether3 ] name="ether3 FFMPEG"
set [ find default-name=ether4 ] mac-address=4C:6F:BC:70:10:8F name=\
"ether4 UPC Mcast"
set [ find default-name=ether5 ] name="ether5 Encoder"
/interface ovpn-client
add auth=null cipher=aes128-gcm connect-to=109.***.***.*** mac-address=\
02:A0:F7:63:**:** mode=ethernet name=A********_ovpn user=b*****
/interface wireguard
add listen-port=15121 mtu=1420 name=wireguard1_lan
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=\
"ether2 Lan Switch" internal-path-cost=10 path-cost=10
add bridge="bridge mcast" comment=defconf ingress-filtering=no \
interface="ether3 FFMPEG" internal-path-cost=10 path-cost=10
add bridge="bridge mcast" comment=defconf ingress-filtering=no \
interface="ether4 UPC Mcast" internal-path-cost=10 path-cost=10
add bridge="bridge mcast" comment=defconf ingress-filtering=no \
interface="ether5 Encoder" internal-path-cost=10 path-cost=10
add bridge="bridge mcast" ingress-filtering=no interface=\
A********_ovpn internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface="ether1 WAN" list=WAN
add interface=wireguard1_lan list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.32.2/32,192.168.20.0/24 endpoint-port=15121 \
interface=wireguard1_lan name=peer7 persistent-keepalive=30s public-key=\
"DP*****************************************"
add allowed-address=192.168.32.3/32,192.168.20.0/24 disabled=yes \
endpoint-port=15121 interface=wireguard1_lan name=win_PC \
persistent-keepalive=30s public-key=\
"5n*******************************************"
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
192.168.1.0
add address=94.***.***.***/26 interface="ether1 WAN" network=94.***.***.***
add address=192.168.32.1/24 interface=wireguard1_lan network=192.168.32.0
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1
/ip dns
set servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.1.1 name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="wireguard handshake" dst-port=15121 \
protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=X*** protocol=tcp
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface-list=WAN
add action=accept chain=forward comment="wireguard to local LAN" dst-address=\
192.168.1.0/24 in-interface=wireguard1_lan
add action=accept chain=forward comment="local LAN to remote LAN" \
dst-address=192.168.20.0/24 out-interface=wireguard1_lan src-address=\
192.168.1.0/24
add action=accept chain=forward comment="wg remote relay" in-interface=\
wireguard1_lan out-interface=wireguard1_lan
add action=accept chain=forward comment="port forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
# Outbound: traffic leaving through any interface in the WAN list is source-NATed
# to the router's public address (94.***.***.***, obfuscated in the export).
add action=masquerade chain=srcnat out-interface-list=WAN
# Inbound port forwards from the public address to LAN hosts. None of the rules
# below carries a src-address / src-address-list matcher, so every forwarded port
# is reachable from any Internet source; the forward-chain "port forwarding"
# filter rule (connection-nat-state=dstnat) then accepts whatever was translated.
# Public 211/tcp -> 192.168.1.254:21 (21 is the standard FTP control port).
add action=dst-nat chain=dstnat dst-address=94.***.***.*** dst-port=211 \
protocol=tcp to-addresses=192.168.1.254 to-ports=21
# Public 990/tcp -> 192.168.1.254:990 (990 is the standard implicit-FTPS port).
add action=dst-nat chain=dstnat dst-address=94.***.***.*** dst-port=990 \
protocol=tcp to-addresses=192.168.1.254 to-ports=990
# Public 50000-51000/tcp -> same range on 192.168.1.254; presumably the passive
# data range belonging to the FTP service above -- confirm on that host.
add action=dst-nat chain=dstnat dst-address=94.***.***.*** dst-port=\
50000-51000 protocol=tcp to-addresses=192.168.1.254 to-ports=50000-51000
# Public 7000/tcp -> 192.168.1.246:7000.
add action=dst-nat chain=dstnat dst-address=94.***.***.*** dst-port=7000 \
protocol=tcp to-addresses=192.168.1.246 to-ports=7000
# Public 8787/udp -> 192.168.1.254:8989 (the only UDP forward that also
# translates the port number).
add action=dst-nat chain=dstnat dst-address=94.***.***.*** dst-port=8787 \
protocol=udp to-addresses=192.168.1.254 to-ports=8989
# Public 9595/udp -> 192.168.1.254:9595.
add action=dst-nat chain=dstnat dst-address=94.***.***.*** dst-port=9595 \
protocol=udp to-addresses=192.168.1.254 to-ports=9595
# Public 9696/udp -> 192.168.1.254:9696.
add action=dst-nat chain=dstnat dst-address=94.***.***.*** dst-port=9696 \
protocol=udp to-addresses=192.168.1.254 to-ports=9696
# Public 5555/tcp -> 192.168.1.254:5555.
add action=dst-nat chain=dstnat dst-address=94.***.***.*** dst-port=5555 \
protocol=tcp to-addresses=192.168.1.254 to-ports=5555
# Public 8088/tcp -> 192.168.1.254:8088, logged with prefix "8088".
add action=dst-nat chain=dstnat dst-address=94.***.***.*** dst-port=8088 log=\
yes log-prefix=8088 protocol=tcp to-addresses=192.168.1.254 to-ports=8088
# Public 17788/tcp -> 192.168.1.253:80, logged (no prefix). The comment
# "verificare PC" is Romanian for "check PC". port="" looks like an empty,
# left-over matcher -- presumably without effect, but it can be removed.
add action=dst-nat chain=dstnat comment="verificare PC" \
dst-address=94.***.***.*** dst-port=17788 log=yes port="" protocol=tcp \
to-addresses=192.168.1.253 to-ports=80
# Public 11101/tcp -> 192.168.1.253:5900, logged with prefix "emisie_vnc"
# (5900 is the standard VNC port). A remote-desktop service exposed directly on
# the public address is a frequent brute-force target; if only the admin devices
# need it, a src-address-list matcher (the client router already keeps an
# AUTHORIZED list for this purpose) would narrow the exposure.
add action=dst-nat chain=dstnat comment="*" dst-address=\
94.***.***.*** dst-port=11101 log=yes log-prefix=emisie_vnc protocol=tcp \
to-addresses=192.168.1.253 to-ports=5900
# Public 11102/tcp -> 192.168.1.254:5900. log-prefix is set but log=yes is not,
# so unlike the 11101 and 11103 rules this one writes no log entries.
add action=dst-nat chain=dstnat comment="*" dst-address=94.***.***.*** \
dst-port=11102 log-prefix=vmix_vnc protocol=tcp to-addresses=\
192.168.1.254 to-ports=5900
# Public 11103/tcp -> 192.168.1.246:5900, logged with prefix "vmix_vnc".
add action=dst-nat chain=dstnat comment="*" dst-address=\
94.***.***.*** dst-port=11103 log=yes log-prefix=vmix_vnc protocol=tcp \
to-addresses=192.168.1.246 to-ports=5900
/ip ipsec profile
# Default IPsec profile with dead-peer-detection timers changed; unrelated to
# the WireGuard tunnel under discussion.
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
# Default route toward the ISP gateway on the WAN (address obfuscated).
add disabled=no dst-address=0.0.0.0/0 gateway=94.***.***.***
# Return route for the client router's LAN through the tunnel. For it to carry
# traffic, the matching peer entry must also list 192.168.20.0/24 in its
# allowed-address (anav's reply below shows that form).
add disabled=no distance=1 dst-address=192.168.20.0/24 gateway=wireguard1_lan \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
# Management services: everything except WinBox is disabled, and WinBox is moved
# to a non-default port (obfuscated). Moving the port does not restrict who may
# reach it; that is decided by the input-chain filter rules (not in this
# excerpt) or by an address= restriction on the service, which this export does
# not show.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=X***
set api-ssl disabled=yes
/ip smb shares
# Default SMB share left at its default directory.
set [ find default=yes ] directory=/flash/pub
/routing bfd configuration
# Bidirectional Forwarding Detection on all interfaces (200 ms timers,
# multiplier 5); only relevant if a dynamic-routing protocol makes use of it.
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Bucharest
/system identity
# Router name obfuscated in the post.
set name=B*****
/system note
set show-at-login=no
/tool mac-server
# Layer-2 MAC-telnet is disabled on every interface...
set allowed-interface-list=none
/tool mac-server mac-winbox
# ...while MAC-WinBox stays reachable from LAN-list interfaces only.
set allowed-interface-list=LAN
CLIENT_SIDE
# 2024-12-27 22:03:11 by RouterOS 7.16.2
# software id = ZRE7-477Q
#
# model = RB941-2nD
# serial number = H*********
/interface bridge
# Single LAN bridge; wlan1 and ether2 are made members further down.
add name=bridge1
/interface wireless
# Built-in Wi-Fi as an access point bridged into the LAN; SSID left at the
# default "MikroTik". Its security profile is set below.
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=MikroTik \
wireless-protocol=802.11
/interface wireguard
# Tunnel interface toward the server router; MTU 1420 and port 15121 mirror the
# server's wireguard1_lan. No private key appears in this export.
add listen-port=15121 mtu=1420 name=wireguard1
/interface list
# Interface lists referenced by the filter/NAT rules; members are assigned below.
add name=WAN
add name=LAN
/interface wireless security-profiles
# Default profile: WPA/WPA2-PSK with dynamic keys. The pre-shared key is not
# shown in this export -- confirm a strong one is set, since wlan1 sits on the
# LAN bridge and therefore inside the policy-routed / tunnelled network.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
/ip pool
# DHCP range for LAN clients (192.168.20.1 is the router itself, see /ip address).
add name=pool1 ranges=192.168.20.10-192.168.20.254
/ip dhcp-server
# DHCP served on the LAN bridge from pool1; client options are under
# /ip dhcp-server network.
add address-pool=pool1 interface=bridge1 name=server1
/routing table
# Additional routing table (with its own FIB) that holds the tunnel default
# route; a /routing rule below selects it per source address.
add disabled=no fib name=use-WG
/interface bridge port
# Wi-Fi and ether2 form the LAN; ether1 stays outside the bridge as the uplink.
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether2
/ip neighbor discovery-settings
# Neighbor discovery only on LAN-list interfaces, not on the uplink or tunnel.
set discover-interface-list=LAN
/ipv6 settings
# IPv6 disabled router-wide, so nothing leaves over IPv6 outside the IPv4
# policy routing configured below.
set disable-ipv6=yes
/interface detect-internet
# Runs on all interfaces here; anav's reply below recommends
# detect-interface-list=none.
set detect-interface-list=all
/interface list member
# LAN = bridge1, WAN = ether1 (static 192.168.100.60 toward upstream 192.168.100.1).
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
/interface wireguard peers
# The only peer is the server router. allowed-address=0.0.0.0/0 means any
# destination may be sent into this peer and any source address is accepted
# from it -- required for the full-tunnel default route in table use-WG.
# endpoint-address/endpoint-port are the server's public IP and its listen-port
# 15121; persistent-keepalive=30s keeps the path open through whatever NAT the
# 192.168.100.x uplink presumably sits behind. public-key is the SERVER's
# public key (obfuscated).
add allowed-address=0.0.0.0/0 endpoint-address=94.***.***.*** endpoint-port=\
15121 interface=wireguard1 name=peer1 persistent-keepalive=30s \
public-key="PE*********************************************"
/ip address
# LAN gateway address on the bridge.
add address=192.168.20.1/24 interface=bridge1 network=192.168.20.0
# Tunnel-side address; the server end is 192.168.32.1 (the DNS target below).
add address=192.168.32.2/24 interface=wireguard1 network=192.168.32.0
# Static uplink address on ether1 (upstream gateway 192.168.100.1, see /ip route).
add address=192.168.100.60/24 interface=ether1 network=192.168.100.0
/ip dhcp-client
# DHCP on the uplink is disabled in favour of the static address above.
add disabled=yes interface=ether1
/ip dhcp-server network
# LAN clients get this router as gateway but the SERVER's tunnel address as DNS,
# so their lookups travel through the tunnel.
add address=192.168.20.0/24 dns-server=192.168.32.1 gateway=192.168.20.1
/ip dns
# Resolver for the router's own lookups. Router-originated traffic is not
# matched by the src=192.168.20.0/24 routing rule, so these queries follow the
# main table's default route out ether1, not the tunnel. allow-remote-requests
# does not appear in this export (default is no) although the input chain
# accepts LAN DNS to the router -- confirm which behaviour is intended.
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# AUTHORIZED: management sources. Two hosts on the server router's LAN
# (192.168.1.253/.254), two roaming WireGuard devices (192.168.32.3/.4), two
# local LAN devices, and one host on the uplink network (192.168.100.7, which
# arrives via the WAN-list interface ether1).
# Referenced by the "admin access" forward rule below; anav's reply points out
# that the same list should also gate the input chain.
add address=192.168.1.254 comment="remote admin PC from Router1" list=\
AUTHORIZED
add address=192.168.1.253 comment="remote admin device #2 from Router1" list=\
AUTHORIZED
add address=192.168.32.3 comment="remote admin wireguard laptop" list=\
AUTHORIZED
add address=192.168.32.4 comment="remote admin wireguard smartphone/ipad" \
list=AUTHORIZED
add address=192.168.20.253 comment="local admin device" list=AUTHORIZED
add address=192.168.20.254 comment="local admin device" list=AUTHORIZED
add address=192.168.100.7 comment="MIHAI PC" list=AUTHORIZED
/ip firewall filter
# ---- input chain: traffic addressed to the router itself ----
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# NOTE: this "admin access" rule is in the FORWARD chain, so it does not grant
# AUTHORIZED hosts access to the router itself; anav's reply below gives the
# intended input-chain form.
add action=accept chain=forward comment="admin access" src-address-list=\
AUTHORIZED
# DNS from LAN to the router (udp/tcp 53). The dst-nat rules below rewrite LAN
# DNS to 192.168.32.1 before the input chain is consulted, so these only see
# queries that were not redirected.
add action=accept chain=input comment="users to services" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
in-interface-list=LAN protocol=tcp
# Nothing above accepts WinBox/SSH/etc. over IP from any interface, so this
# final drop blocks all IP-based management of the router; only MAC-WinBox
# (see /tool mac-server mac-winbox) remains from the LAN.
add action=drop chain=input comment="Drop all else"
# ---- forward chain: traffic passing through the router ----
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Direct LAN -> uplink. Given the routing rules below, 192.168.20.0/24 sources
# reach ether1 only for destinations with a specific (non-default) route in
# main, e.g. the 192.168.100.0/24 network; their Internet traffic goes via the
# tunnel instead.
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface-list=WAN
# LAN -> tunnel (covers both the server's 192.168.1.0/24 and tunnelled
# Internet). There is no mirror rule for NEW connections arriving from the
# tunnel toward 192.168.20.0/24, so only AUTHORIZED sources (rule above) can
# initiate from the server side; anav's reply below proposes such a rule.
add action=accept chain=forward comment="wireguard to local LAN" \
out-interface=wireguard1 src-address=192.168.20.0/24
add action=drop chain=forward comment="drop all else"
/ip firewall nat
# Masquerade only for traffic leaving via the WAN list (ether1). There is no
# srcnat toward wireguard1, so LAN hosts reach the server side with their real
# 192.168.20.x addresses -- hence the server needs a return route for
# 192.168.20.0/24 and that subnet in the peer's allowed-address.
add action=masquerade chain=srcnat out-interface-list=WAN
# Any DNS query from the LAN (udp and tcp 53, whatever server the client chose)
# is redirected to the server router's tunnel address, forcing resolution
# through the tunnel.
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=LAN protocol=\
udp to-addresses=192.168.32.1
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=LAN protocol=\
tcp to-addresses=192.168.32.1
/ip route
# main: default via the upstream gateway on ether1 (used by router-originated
# traffic and by any source not steered elsewhere), plus the server's LAN via
# the tunnel.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.100.1 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=wireguard1 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# use-WG: default route into the tunnel for policy-routed sources.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 \
routing-table=use-WG scope=30 suppress-hw-offload=no target-scope=10
/routing rule
# Rule 1 (no source filter, so all traffic): look up main, but min-prefix=0
# discards a default-route result (suppress_prefixlength semantics -- confirm
# against the routing-rule docs), so only specific routes -- connected networks
# and 192.168.1.0/24 -- are taken from main; otherwise the next rule applies.
add action=lookup-only-in-table disabled=no min-prefix=0 table=main
# Rule 2: LAN sources are confined to use-WG, i.e. their Internet traffic enters
# the tunnel. Router-originated traffic matches no rule here and keeps the main
# default via ether1.
add action=lookup-only-in-table disabled=no src-address=192.168.20.0/24 \
table=use-WG
/system clock
set time-zone-name=Europe/Bucharest
/system note
set show-at-login=no
/tool mac-server
# MAC-telnet disabled on all interfaces.
set allowed-interface-list=none
/tool mac-server mac-winbox
# MAC-WinBox allowed from LAN-list interfaces only; since the input chain above
# accepts no WinBox over IP, this is the management path left from the LAN.
set allowed-interface-list=LAN
anav
December 28, 2024, 2:08am
Main Router:
You have no LAN structure for "bridge mcast", and thus I don't expect any traffic on ports 3, 4 and 5.
Why do you keep putting full info on the wireguard settings??
PLUS THE ONE FOR THE DEVICE IS WRONG… the only source IP coming from the device is its wireguard IP address!!!
On the server side, endpoint-port and persistent-keepalive don't make any sense and should be removed.
interface wireguard peers
add allowed-address=192.168.32.2/32,192.168.20.0/24 endpoint-port=15121 *
interface=wireguard1_lan name=peer7 persistent-keepalive=30s public-key=
"DP ****************************************"
add allowed-address=192.168.32.3/32,192.168.20.0/24 endpoint-port=15121 interface=wireguard1_lan name=win_PC
persistent-keepalive=30s public-key=
"5n*******************************************"
You completely botched access to the router.
I gave you the clear way to do this… by firewall address list of authorized IPs…
Not sure why you ignored this; that is why you locked yourself out and then created a different method, which is completely unsafe.
Other Router:
Set this to none
/interface detect-internet
set detect-interface-list=all
I erred, my apologies, the rule for admin source address access in the input chain, I had forward chain instead.
add action=accept chain=input comment="admin access" src-address-list=AUTHORIZED
There is actually an identical forward chain rule required.
As per my original post, there should be two rules not the one regarding wireguard traffic, and of course a third one being admin access.
add action=accept chain=forward comment="remote subnet to local LAN" in-interface=wireguard1 dst-address=192.168.20.0/24 src-address=192.168.1.0/24
add action=accept chain=forward comment="local LAN to remote LAN or Router1 internet" out-interface=wireguard1 src-address=192.168.20.0/24
add action=accept chain=forward comment="admin access" src-address-list=AUTHORIZED
yhfung
December 28, 2024, 2:28am
You may have a look at the following site, which demonstrates a successful configuration that I use daily without any problems.
Mainland China VPN Hong Kong via MikroTik and Wireguard
http://forum.mikrotik.com/t/mainland-china-vpn-hong-kong-via-mikrotik-and-wireguard/180468/1
Thank you, simple and straight to the point, worked first time! Security and the bla bla can come after.
anav
December 30, 2024, 11:19pm
Copying is not learning, but glad you have success.