No internet via VLAN Wireguard Client

Hope I get some assistance and I appreciate those who take time from their busy schedules to lend a hand. This mikrotik is my home router and I am the furthest from an IT professional. I’m trying to get this wireguard client to work without impacting the entire home network so I went the VLAN route.

I’ve read multiple posts, even the stickies concerning VLAN and unfortunately I’m not in a position to completely restructure the configuration due to family visiting with numerous kiddos and my wife hating to lose access to the internet. I wish I could get her out of the house to redo this all but I’m stuck having to continue with my slightly hobbled configuration and hoping to get it working as intended.

So, I’m able to connect to the VLAN and ping the router and the DNS used for the home network, however, it’s unable to access the internet nor ping the wireguard DNS and server. The wireguard client PEER looks to have a connection but I’m unable to confirm. I believe I have a firewall rule that is missing or misdirected that is causing all my issues and I’m struggling to figure it out.

Also, if anyone can recommend changes to clean up the config (especially the firewall section), I would greatly appreciate it! Configuring this and getting it to work as I wish has been enjoyable, and even though I get stuck from time to time, I'm usually able to figure it out — but this time I'm stumped.

Thank you

# dec/23/2023 15:32:22 by RouterOS 7.8
# software id = GN4Y-UV2W
#
# model = RB750Gr3
# serial number = D5030F11F667
/interface bridge
# Single LAN bridge; vlan-filtering is not set here, so the bridge vlan entry
# further down has no effect on the data path.
add admin-mac=DC:2C:6E:BD:86:06 auto-mac=no comment=defconf name=bridge
/interface l2tp-server
# Static L2TP server interfaces for the two PPP users defined under /ppp secret.
add name=l2tp-in1 user=ber
add name=l2tp-test user=vpn
/interface wireguard
# Upstream tunnel interface; its single peer is defined under
# /interface wireguard peers below.
add listen-port=57775 mtu=1420 name=mullvad-upstream
/interface vlan
# VLAN 60 on the bridge: the network whose clients are meant to exit via the tunnel.
add interface=bridge name=mullvad vlan-id=60
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.21-192.168.88.254
# NOTE(review): this pool is .15-.20 but the Cameras address-list below is
# .14-.19, so a camera that leases .20 is not caught by the camera drop rule.
add name=Cameras ranges=192.168.88.15-192.168.88.20
add name=VPNpool ranges=192.168.89.2-192.168.89.255
add name=Wireguard-in ranges=10.0.60.2-10.0.60.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=6h name=defconf
# DHCP for VLAN 60 clients (network settings under /ip dhcp-server network).
add address-pool=Wireguard-in interface=mullvad name=dhcp1
/port
set 0 name=serial0
/ppp profile
# L2TP/PPP clients get 192.168.89.x and are placed in the LAN interface list,
# so the LAN-side firewall rules apply to them as well.
add change-tcp-mss=yes dns-server=1.1.1.1,8.8.8.8 interface-list=LAN \
    local-address=192.168.89.1 name=VPNProfile remote-address=VPNpool \
    use-encryption=yes
/routing table
add fib name=mullvad
/system logging action
# Selected log topics are mailed out (recipient redacted in this export).
add email-start-tls=yes email-to=ber*** name=VPNorLogin \
    target=email
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
# NOTE(review): ether5 is a bridge port here but also carries its own address
# (192.168.1.100/24 under /ip address); confirm which of the two is still wanted.
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
# Neighbor discovery limited to the LAN list.
set discover-interface-list=LAN
/ipv6 settings
# IPv6 is off router-wide.
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
# VLAN 60 with no tagged/untagged ports listed; only meaningful once the bridge
# has vlan-filtering=yes (it does not, see /interface bridge above).
add bridge=bridge vlan-ids=60
/interface l2tp-server server
# L2TP over IPsec; any IPsec secret is not shown in this export.
set enabled=yes use-ipsec=yes
/interface list member
# Only the bridge is LAN and only ether1 is WAN. The `mullvad` VLAN and the
# `mullvad-upstream` tunnel are in neither list, which matters for every
# in-interface-list / out-interface-list match in the firewall below.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
# NOTE(review): md5 is accepted as an OpenVPN auth digest; if the OpenVPN server
# is ever enabled, drop md5 from this list unless a legacy client requires it.
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
# NOTE(review): the server stays enabled even though its tcp/1723 input rule is
# disabled below; setting enabled=no here is cleaner than relying on the firewall.
set enabled=yes
/interface sstp-server server
# SSTP enabled; its tcp/443 input rule is disabled below, so it is reachable
# only from LAN-list interfaces.
set default-profile=default-encryption enabled=yes
/interface wireguard peers
# Upstream peer with allowed-address 0.0.0.0/0 (::/0 is moot with IPv6 disabled).
# Because mullvad-upstream is in no interface list, the WAN-specific forward
# rules below do not apply to packets arriving from inside the tunnel.
add allowed-address=0.0.0.0/0,::/0 endpoint-address=198.54.134.162 \
    endpoint-port=51820 interface=mullvad-upstream persistent-keepalive=35s \
    public-key="Vim/OUBT3Bogv+FF623pAHXc/vmRwur2JKcNsLHQH1o="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
# NOTE(review): address on a port that is also a bridge member (see /interface
# bridge port); likely a leftover together with the 192.168.1.0/24 dhcp network.
add address=192.168.1.100/24 interface=ether5 network=192.168.1.0
# Tunnel address without a prefix length; network= is set to the peer-side
# gateway used by the /ip route entry below.
add address=10.65.2.109 interface=mullvad-upstream network=10.124.0.70
add address=10.0.60.1/24 interface=mullvad network=10.0.60.0
/ip arp
# NOTE(review): static ARP entry for the broadcast address with no mac-address;
# check whether it is intentional.
add address=192.168.88.255 interface=bridge
add address=192.168.88.5 interface=bridge mac-address=00:D8:61:4E:2A:0A
/ip cloud
# MikroTik cloud DDNS enabled.
set ddns-enabled=yes
/ip dhcp-client
# WAN DHCP client; the script releases the lease when all 6 pings to 8.8.8.8
# via ether1 fail.
add comment=defconf interface=ether1 script=":if ( [/ping 8.8.8.8 interface= \
    \"ether1\" count=6 ] = 0) do={/ip dhcp-client release numbers=0}"
/ip dhcp-server network
# VLAN 60 clients are handed 100.64.0.7 as DNS — presumably the VPN provider's
# resolver, reachable only through the tunnel; verify.
add address=10.0.60.0/24 dns-server=100.64.0.7 gateway=10.0.60.1
# NOTE(review): gateway 192.168.88.1 is not inside 192.168.1.0/24 and no DHCP
# server above serves this network; probably stale.
add address=192.168.1.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
    gateway=192.168.88.1
add address=192.168.88.0/24 comment=defconf dns-server=\
    1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4 gateway=192.168.88.1
/ip dns
# The router answers DNS for remote requesters; the input rule
# "drop all not coming from LAN" below is what keeps it from being an open
# resolver on WAN, so that rule must stay.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
# NOTE(review): range does not match the Cameras pool (.15-.20) above.
add address=192.168.88.14-192.168.88.19 list=Cameras
/ip firewall filter
# Input chain: explicit accepts, then a drop for anything not from the LAN list.
# Traffic from LAN-list interfaces that reaches the end of the chain is accepted
# (RouterOS default at end of chain).
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# NOTE(review): this output-chain accept has no effect — there is no output
# drop rule for it to bypass (the thread confirms toggling it changes nothing).
add action=accept chain=output comment=\
    "Wireguard allow destination access via port" dst-address=198.54.134.162 \
    dst-port=51820 protocol=udp
add action=accept chain=input comment="Allow L2TP VPN ipsec" protocol=\
    ipsec-esp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment=\
    "Allow L2TP VPN ispec (udp 500,1701,4500)" dst-port=500,1701,4500 \
    protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
    protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
    protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Also drops VLAN 60 and tunnel-originated input (neither interface is in LAN),
# except the ICMP accepted above — consistent with the VLAN being able to ping
# the router but not use its services.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# NOTE(review): the forward chain has no final drop, so anything not dropped
# explicitly is accepted — including new connections arriving from inside the
# tunnel (mullvad-upstream is in neither interface list). Only WAN (ether1) is
# restricted here. A closing drop rule is needed.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT" \
    connection-nat-state=dstnat in-interface-list=WAN
add action=drop chain=forward comment="Camer IP blocked from internet" \
    out-interface=ether1 src-address-list=Cameras
/ip firewall mangle
# Marks packets arriving FROM the tunnel rather than from the VLAN; the replies
# in the thread point out this is the wrong direction for the intended policy.
add action=mark-routing chain=prerouting in-interface=mullvad-upstream \
    new-routing-mark=mullvad
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Source-NAT anything leaving via the tunnel to the tunnel address.
add action=masquerade chain=srcnat out-interface=mullvad-upstream
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
# Plex (TCP 32400) forwarded from ether1 to 192.168.88.3.
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.88.3
add action=dst-nat chain=dstnat comment="Plex UDP" disabled=yes dst-port=\
    32400 in-interface=ether1 protocol=udp to-addresses=192.168.88.3 \
    to-ports=32400
/ip firewall service-port
set ftp disabled=yes
/ip route
# Default route in the mullvad table via the peer-side address; the reply
# further down suggests using the interface itself as gateway instead.
add dst-address=0.0.0.0/0 gateway=10.124.0.70 routing-table=mullvad
/ip service
# telnet/ftp/ssh off; the services not listed here (www, winbox, api, ...) keep
# their defaults. NOTE(review): consider limiting those with address= to the
# LAN ranges.
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/ppp profile
# *FFFFFFFE and *4 are internal object ids of the exporting router; which
# profile and pool they resolve to cannot be confirmed from this export.
set *FFFFFFFE local-address=192.168.89.1 remote-address=*4
/ppp secret
add name=ber profile=VPNProfile
add name=vpn profile=VPNProfile
/routing rule
# Packets marked mullvad are looked up only in the mullvad table. The reply in
# the thread notes that in v7 this rule is never consulted for this setup
# because the mark already matches a routing table.
add action=lookup-only-in-table routing-mark=mullvad table=mullvad
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=RouterOS
/system logging
# VPN/login-related topics go to the e-mail action above.
add action=VPNorLogin topics=l2tp,ppp,info,account
/tool e-mail
set address=smtp.zoho.com from=fub** port=587 tls=starttls user=\
    fub**
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

In winbox in wireguard peers, there is Rx, Tx and LastHandshake.

Those need to show values; if they are empty, you likely need to review the public keys (and IP addresses).

You seem to be route marking packets coming from the wireguard interface mullvad-upstream
to make them leave via the wireguard interface.

You likely should be route marking packets coming in from the mullvad vlan interface instead.

However everything from the mullvad vlan will then go out via wireguard. (Other local networks will be inaccessible)

(Because of the priority of routing in V7, the routing rule won’t be looked at)

Assuming you also want access to local networks from this vlan I would recommend something like the following.
Note use of routing-mark rule-mullvad (which doesn’t exist in routing table entries) to force it to use rules table.

/routing table
# A second mark that no /ip route entry uses, so marked packets are decided by
# the routing rules instead of going straight to a table (see the text above).
add fib name=rule-mullvad

/ip firewall mangle
# Mark on ingress from the VLAN interface, not from the tunnel.
add action=mark-routing chain=prerouting in-interface=mullvad \
    new-routing-mark=rule-mullvad

/routing rule

#change and add as required.
# Local destinations stay in main so the VLAN can still reach other local networks.
add action=lookup disabled=no dst-address=192.168.0.0/16 table=main

# Everything else carrying the mark: mullvad table only, no fallback to main.
add action=lookup-only-in-table routing-mark=rule-mullvad table=mullvad

Success! The recommended changes did work and I noticed “add action=lookup disabled=no dst-address=192.168.0.0/16 table=main” wasn’t needed. Thank you very much, rplant!

The VLAN is unable to connect to any device on the network, which is fine and not really needed. I also noticed that the firewall output rule for port 51280 had no effect whether it was enabled or disabled. I also have no idea why I experienced very slow speeds and zero upload speed while testing, and I'm unsure whether a firewall rule or fasttrack is to blame (just exploring this). DNS leak tests came out spotless.

Something wrong with your config and it centres around vlan60.

(1) Vlan filtering is not turned on for the bridge itself
(2) You mix apples and oranges, much cleaner if going vlans to go all vlans and have no dhcp associated with the bridge, personal preference.
(3) It's not clear from the bridge ports which ether port vlan60 is associated with: is it going over an access port (pvid?) or a trunk port?
(4) This is a nonsensical entry for bridge vlans, which really muddies the waters …
/interface bridge vlan
add bridge=bridge vlan-ids=60

(5) Where did you get this rule from… what was your intention with this rule???
add action=accept chain=output comment=
“Wireguard allow destination access via port” dst-address=198.54.134.162
dst-port=51820 protocol=udp

Even if your MT was a server, it would be input chain not output chain!

(6) In forward chain, you have mixed up an old default rule with an attempt to add new rules.
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
add action=accept chain=forward comment=“Allow Port Forwarding - DSTNAT”
connection-nat-state=dstnat in-interface-list=WAN
add action=drop chain=forward comment=“Camer IP blocked from internet”
out-interface=ether1 src-address-list=Cameras

FIXED:
add action=drop chain=forward comment=“drop cameras” src-address-list=Cameras out-interface-list=WAN
add action=accept chain=forward comment=“internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="into wg tunnel" src-address=10.0.60.0/24 out-interface=mullvad-upstream
add action=accept chain=forward comment=“Port Forwarding” connection-nat-state=dstnat
add action=drop chain=forward comment=“Drop All Else”

(6) I would route out the wireguard without mangling. In fact your mangle rule makes no sense: if your traffic originates in vlan60, why are you mangling traffic coming in on wireguard…
Get rid of the mangle rule, the route and the routing rule, and replace them with the below! The table is okay!

Table, Route, Routing Rule
/routing table add fib name=mullvad
/ip route
# Default route in the mullvad table points at the tunnel interface itself,
# so no peer-side next-hop address is needed.
add dst-address=0.0.0.0/0 gateway=mullvad-upstream routing-table=mullvad
# Select VLAN 60 by source subnet instead of a mangle mark. action=lookup can
# fall back to main when the mullvad table has no usable route (i.e. the VLAN
# would use the plain WAN path); the note below covers the fail-closed variant.
/routing rule add src-address=10.0.60.0/24 action=lookup table=mullvad

If you don't want vlan60 to ever fall back to your local internet when mullvad is down, change the action to “lookup-only-in-table”.

Thanks for chiming in anav. Solved my main problem!

(1) Enabled VLAN filtering on the bridge. That ended up making the VLAN non-functional (no DHCP, unable to ping anything), so I disabled it again. I suppose there are more steps to this?
(2) No preference here, just a simple home network aimed at speedy install (if its working don’t break it :smiley: )
(3) Vlan60 isn’t an isolated ethernet port so I’m using a trunk port. I can’t muster the downtime to reconfigure everything and thought this was the quickest way to set this up for an isolated Wireguard client.
(4) Removed
(5) Picked up the rule from a random online guide or youtube when I set up the wireguard and thank you for clarifying. I removed the rule with no impact.
(6) Removed the old filter rules and updated with the new. Thank you for the improvements. With the updated filter configuration, would you say it’s in a correct order or do you recommend revision?

/ip firewall filter
# Input chain is unchanged from the original export: explicit accepts, then a
# drop for anything not arriving from a LAN-list interface. The `mullvad` VLAN
# and the `mullvad-upstream` tunnel are in no list, so only ICMP reaches the
# router from them (assuming the interface-list membership from the export).
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow L2TP VPN ipsec" protocol=ipsec-esp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="Allow L2TP VPN ispec (udp 500,1701,4500)" dst-port=500,1701,4500 protocol=\
    udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# Forward chain is now closed by a final drop, so each accept below is a
# deliberate path. Order matters: the camera drop sits ahead of the LAN->WAN
# accept, and the drops for invalid/camera traffic precede every broad accept.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# Only connections already accepted as new reach fasttrack/established here.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Cameras: new connections toward any WAN-list interface are dropped before the
# general internet accept below can match them.
add action=drop chain=forward comment="drop cameras" out-interface-list=WAN src-address-list=Cameras
# Bridge clients (and PPP clients, via the profile's interface-list=LAN) to WAN.
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=\
    WAN
# VLAN 60 into the tunnel, matched by source subnet. There is no accept for the
# VLAN toward WAN directly (the VLAN is not in LAN), so if routing ever sends
# it that way it lands on "Drop All Else" — the VLAN cannot bypass the tunnel.
add action=accept chain=forward comment="into wg tunnnel" out-interface=mullvad-upstream \
    src-address=10.0.60.0/24
# dst-nat'ed connections; not limited to WAN by in-interface-list, which is fine
# as long as the dst-nat rules stay bound to ether1 as in the original export.
add action=accept chain=forward comment="Port Forwarding" connection-nat-state=dstnat
# NOTE(review): this also drops new connections arriving from inside the tunnel
# (mullvad-upstream), which the original rule set accepted by default.
add action=drop chain=forward comment="Drop All Else"

(7) This completely fixed my speed issues and seems to be working flawlessly. Greatly appreciated the help here!

FW rules seem fine.
Easiest solution:
Let's say you wanted vlan60 going over ether5 as a trunk port (meaning ether5 is connected to a smart device that can read tags).
Then don't use bridge vlan filtering for this; remove ether5 from the bridge and
simply assign vlan60 to ether5 when defining the interface.

If you want to use bridge vlan filtering, add a second vlan and don't have the bridge itself do any DHCP.
In this case it would look like
vlan10 and vlan60 both assigned to the bridge interface.

/interface bridge port
# Sketch only: the `{ ... }` notes are annotations from the reply, not RouterOS
# syntax, and vlan-filtering=yes on the bridge itself is not shown here.
# ingress-filtering=yes with frame-types limits each port to the frame kind
# named: untagged/priority-tagged only on the access ports, tagged only on the trunk.
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=10 interface=ether2 { access port }
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=10 interface=ether3 { access port }
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=10 interface=ether4 { access port }
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether5 { trunk port }

/interface bridge vlan
# VLAN 10 untagged on the access ports; both VLANs tagged toward the bridge
# (the router's own L3 side), VLAN 60 additionally tagged on the ether5 trunk.
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4 vlan-ids=10
add bridge=bridge tagged=bridge,ether5 vlan-ids=60