[Newbie] Wireguard & routing, FW, ...

Am relatively new to RB/RouterOS/Wireguard and have it mostly running - just a few bits and pieces that I don’t get to work…

Setup:

configuration details see below <<

So far everything works fine:

  • clients on 10.10.4.0/24 network (Site1) can access clients on 10.0.4.0/24 network (Site2) including router on 10.0.4.1
  • clients on 10.0.4.0/24 network (Site2) can access clients on 10.10.4.0/24 network (Site1) including router on 10.10.4.1
  • RoadWarriors can connect to Site2 network 10.0.4.0/24

Problem1:

  • Site1 router (10.10.4.1) can not access Site2 router (10.0.4.1), but can access rest of 10.0.4.0/24 network and vice-versa

Problem2:

  • RoadWarriors can not get to 10.10.4.0/24 network (via S2S tunnel)

am sure there is some piece of configuration missing here - just not clear what’s missing

Question3:

  • are my firewalls solid ? are there any obvious vulnerabilities ?

Configuration details
Site1:

/interface bridge
add name=bridge-local
/interface wireguard
add listen-port=13231 mtu=1420 name=wguard-s2s
/interface list
add name=listBridge
add comment="all interfaces considered to be LAN (incl s2s VPN)" name=iflist-LAN
add name=iflist-WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge-local interface=ether1
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6
add bridge=bridge-local interface=ether7
/interface list member
add interface=bridge-local list=iflist-LAN
add interface=wguard-s2s list=iflist-LAN
add interface=pppoe-bell list=iflist-WAN
/interface wireguard peers
add allowed-address=10.0.4.0/24 endpoint-address=XXXXXXXX.sn.mynetname.net endpoint-port=13231 interface=wguard-s2s public-key="XXXXXXXXXXXXXXXXX"

/ip address
add address=10.10.4.1/24 interface=bridge-local network=10.10.4.0
add address=10.255.255.1/30 interface=wguard-s2s network=10.255.255.0

/ip firewall address-list
add address=XXXXXXXXXX.sn.mynetname.net list=excalibur
/ip firewall filter
add action=accept chain=input comment="accept established, related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept WireGuard VPN form excalibur" dst-port=13231 in-interface-list=iflist-WAN protocol=udp src-address-list=excalibur
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!iflist-LAN
add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established, related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="accept forward from/to s2s VPN" dst-address=10.0.4.0/24 src-address=10.10.4.0/24
add action=accept chain=forward dst-address=10.10.4.0/24 src-address=10.0.4.0/24
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=iflist-WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-bell

/ip route
add dst-address=10.0.4.0/24 gateway=wguard-s2s

Site2:

/interface bridge
add name=bridge-local
/interface wireguard
add listen-port=13232 mtu=1420 name=wguard-rw
add listen-port=13231 mtu=1420 name=wguard-s2s
/interface list
add name=listBridge
add name=iflist-LAN
add name=iflist-WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6
add bridge=bridge-local interface=ether7
add bridge=bridge-local interface=ether1
/interface list member
add interface=bridge-local list=listBridge
add interface=ether1 list=listBridge
add interface=bridge-local list=iflist-LAN
add interface=wguard-s2s list=iflist-LAN
add interface=ether8-wan list=iflist-WAN
add interface=wguard-rw list=iflist-LAN
/interface wireguard peers
add allowed-address=10.10.4.0/24 endpoint-address=YYYYYYYYYYYY.sn.mynetname.net endpoint-port=13231 interface=wguard-s2s public-key=\
    "YYYYYYYYYYYYYYYYYYYYYYYYYYY"
add allowed-address=10.0.5.2/24 interface=wguard-rw public-key="ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ"

/ip address
add address=10.0.4.1/24 interface=bridge-local network=10.0.4.0
add address=10.255.255.2/30 interface=wguard-s2s network=10.255.255.0
add address=10.0.5.1/24 interface=wguard-rw network=10.0.5.0

/ip firewall address-list
add address=YYYYYYYYYYYYY.sn.mynetname.net list=titan
/ip firewall filter
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=accept chain=input comment="accept WireGuard VPN traffic from titan" dst-port=13231 protocol=udp src-address-list=titan
add action=accept chain=input comment="accept WireGuard traffic for road warrior clients" dst-port=13232 protocol=udp
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=input comment="block everything else" in-interface=ether8-wan
add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,connected" connection-state=established,related
add action=accept chain=forward comment="accept traffic from/to site to site VPN" in-interface-list=iflist-LAN out-interface=wguard-s2s
add action=accept chain=forward in-interface=wguard-s2s out-interface-list=iflist-LAN
add action=accept chain=forward comment="accept traffic from/to RoadWarrior VPN" in-interface-list=iflist-LAN out-interface=wguard-rw
add action=accept chain=forward in-interface=wguard-rw out-interface-list=iflist-LAN
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop access to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=new in-interface=ether8-wan
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether8-wan

/ip route
add dst-address=10.10.4.0/24 gateway=wguard-s2s

Not sure if you need any additional configuration information… thanks to all for your help !!

Quick question, which end initiates the tunnel or do you want both to initiate the tunnel? If both, I would change the listening port on one of them so it's less confusing…
For example, why not go directly from the wireguard client to site2, instead of from the wireguard client direct to site1 ???
If site 2 is going to be a relay then that will affect some settings for sure…

Personally, there is no reason to put the second client on a separate wireguard network on site 2, no real purpose that I can see… and it's much easier if all are on the same wg network!!

Overall, I would try to avoid the two LAN subnets being so close in numbering; much easier to make mistakes…

Site-1
(1) Add some allowed IPs to your peer setting for site2.
/interface wireguard peers
add allowed-address=10.0.4.0/24,10.255.255.2/32,10.0.5.2/32 endpoint-address=XXXXXXXX.sn.mynetname.net endpoint-port=13231 interface=wguard-s2s public-key="XXXXXXXXXXXXXXXXX"

(2) Not Required but I like the rules to be precise and clear…

add action=accept chain=forward in-interface=wguard-s2s dst-address=10.0.4.0/24
{ traffic exiting the tunnel; allows both site2 subnet and road warrior access }
add action=accept chain=forward out-interface=wguard-s2s src-address=10.0.4.0/24 dst-address=10.10.4.0/24
{ local subnet entering the tunnel }

(3) I would also get rid of this default rule in the forward chain and replace it with more clear and powerful rules…
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=iflist-WAN

add action=accept chain=forward in-interface-list=iflist-LAN out-interface-list=iflist-WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

(4) On INPUT CHAIN From:
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!iflist-LAN
TO:
add action=accept chain=input in-interface-list=iflist-LAN
add action=drop chain=input comment="drop all else"

Be aware that this rule and the one you had, allows ALL users from both local and remote subnets and the road warrior (since all traffic coming from wg tunnels is included) the ability to config the router and get DNS services…
I would consider massaging this later to look more like.

add action=accept chain=input in-interface-list=iflist-LAN src-address-list=Authorized
add action=accept chain=input in-interface-list=iflist-LAN dst-port=53 protocol=udp
add action=accept chain=input in-interface-list=iflist-LAN dst-port=53 protocol=tcp

add action=drop chain=input comment="drop all else"

Where the source address list is comprised of local admin IPs at site1, possibly remote admins at site2 and maybe the roadwarrior if an admin.

(5) The invalid rule in the forward chain I would move up the order, to right after the established rule…

(6) The route is good, add dst-address=10.10.4.0/24 gateway=wguard-s2s table=main
BUT how will return traffic from the road warrior get back into the tunnel as its not a locally recognized address.
NEED TO ADD ROUTE.

add dst-address=10.0.5.2/32 gateway=wguard-s2s table=main

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Site-2

(6) Wireguard peers fix.
/interface wireguard peers
add allowed-address=10.10.4.0/24,10.255.255.1/32 endpoint-address=YYYYYYYYYYYY.sn.mynetname.net endpoint-port=13231 interface=wguard-s2s public-key="YYYYYYYYYYYYYYYYYYYYYYYYYYY"

add allowed-address=10.0.5.2/32 interface=wguard-rw public-key="ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ"

(7) Would change the input rule to something like I recommended for site 1
From
add action=drop chain=input comment="block everything else" in-interface=ether8-wan
TO:
add action=accept chain=input in-interface-list=iflist-LAN
add action=drop chain=input comment="drop all else"

(8) Some work needed on forward chain!!
FROM:
add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,connected" connection-state=established,related
add action=accept chain=forward comment="accept traffic from/to site to site VPN" in-interface-list=iflist-LAN out-interface=wguard-s2s
add action=accept chain=forward in-interface=wguard-s2s out-interface-list=iflist-LAN
add action=accept chain=forward comment="accept traffic from/to RoadWarrior VPN" in-interface-list=iflist-LAN out-interface=wguard-rw
add action=accept chain=forward in-interface=wguard-rw out-interface-list=iflist-LAN
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop access to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=new in-interface=ether8-wan

TO:
add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,connected" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid

add action=accept chain=forward in-interface-list=iflist-LAN out-interface-list=iflist-LAN
( so any traffic from the local subnet, or from both wireguards, is allowed to reach the same )
add action=accept chain=forward in-interface-list=iflist-LAN out-interface-list=iflist-WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
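To make the allowed-address points on both sides concrete, here is an added Python model of WireGuard's cryptokey routing (receive-side source check and send-side peer selection); it is not from the thread or RouterOS, uses only the addresses from the thread, and assumes host bits in an allowed-address entry are masked the way the kernel does it.

```python
import ipaddress

def peer_accepts_inner_src(allowed_addresses, inner_src):
    """Receive side: after decryption a packet is kept only if its inner
    source IP lies inside one of the sending peer's allowed-address entries;
    anything else is silently dropped before the firewall ever sees it."""
    src = ipaddress.ip_address(inner_src)
    # strict=False masks host bits, e.g. 10.0.5.2/24 becomes 10.0.5.0/24
    return any(src in ipaddress.ip_network(a, strict=False)
               for a in allowed_addresses)

def select_peer_for_dst(peers, dst):
    """Send side: the packet is encrypted to the peer whose allowed-address
    entry covers dst with the longest prefix; no match means no tunnel."""
    d = ipaddress.ip_address(dst)
    best = None
    for name, allowed in peers.items():
        for a in allowed:
            net = ipaddress.ip_network(a, strict=False)
            if d in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None

# Constructed from the thread: Site2's peer entry for Site1, before/after.
SITE2_PEER_FOR_SITE1_ORIG = ["10.10.4.0/24"]
SITE2_PEER_FOR_SITE1_FIXED = ["10.10.4.0/24", "10.255.255.1/32"]
# Site1's peer table, before/after adding the tunnel and road warrior /32s.
SITE1_PEERS_ORIG = {"wguard-s2s": ["10.0.4.0/24"]}
SITE1_PEERS_FIXED = {"wguard-s2s": ["10.0.4.0/24", "10.255.255.2/32", "10.0.5.2/32"]}

def problem1(site2_allowed_for_site1):
    """Site1 router pinging 10.0.4.1 over the tunnel sources the packet from
    its tunnel address 10.255.255.1, not from 10.10.4.0/24."""
    return peer_accepts_inner_src(site2_allowed_for_site1, "10.255.255.1")

def problem2(site1_peers):
    """Road warrior 10.0.5.2 reaches Site1 only if Site1's s2s peer accepts
    that inner source AND Site1 can map the reply back to the same peer
    (the /ip route entry for 10.0.5.2/32 is still needed on top of this)."""
    if not peer_accepts_inner_src(site1_peers["wguard-s2s"], "10.0.5.2"):
        return None
    return select_peer_for_dst(site1_peers, "10.0.5.2")

if __name__ == "__main__":
    print("problem1 orig/fixed:", problem1(SITE2_PEER_FOR_SITE1_ORIG),
          problem1(SITE2_PEER_FOR_SITE1_FIXED))
    print("problem2 orig/fixed:", problem2(SITE1_PEERS_ORIG),
          problem2(SITE1_PEERS_FIXED))
```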

thanks @anav for the thorough response - through with almost everything except the last couple of firewall rules on Site2.
++ can now access both sites from the RoadWarrior devices
– but can still not ping the routers from the router of Site1 (can ping the router of Site1 from the router of Site2)
any ideas what causes this ?
…if not I'll finish the FW implementation tomorrow and post the new config of both sites…