Hi,
I am trying to configure a WireGuard tunnel between the MikroTik router and a Windows PC. It seems that there is no connectivity or traffic on the WireGuard interface. I have multiple VLANs on the MikroTik and I want to have access to these VLANs via WireGuard. Is there a need to do port forwarding on my ISP router? Is there something missing from my configuration? Thank you.

Mikrotik_Config.rsc (18.4 KB)
The wg config looks sane. Not sure about the VLANs, but you should be able to establish a connection at least. Do you have a public IP? If so, you can do a port scan from outside to see if the wg port is really open.
First, we would need to see the config of the router:
/export file=anynameyouwish (minus router serial #, any public WAN IP information, keys etc.)
Second, we would need to know FOR SURE whether your WAN IP is public! (Also good to know if it is static or dynamic.)
Observations thus far:
-
Assuming the WG address on the MT router is something like: 10.0.50.1/24 interface=wireguard1 network=10.0.50.0
-
Curious, what do you think an IP address of 0.0.0.0/0 means?
It means ALL possible addresses.
So if you have inserted ALL possible addresses in the first entry, don't you think the next two entries are rather redundant?
0.0.0.0/0 is normally used when any type of internet address at the remote site (in this case the MT) is required.
If not, then the other insertions would be appropriate:
10.0.50.0/24,RemoteSubnetA,RemoteSubnetB, etc..
The first entry is the wireguard subnet,…
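The redundancy point made in the post above can be checked mechanically. The following is an added example (not code from the thread or from MikroTik): it takes a peer's AllowedIPs list, collapses it to the minimal equivalent set, and flags entries already covered by a wider one. The sample lists are constructed; 10.0.50.0/24 as the tunnel subnet follows the assumption in the post, and 10.0.0.0/24 and 10.0.10.0/24 stand in for the unnamed remote subnets.

```python
"""Audit a WireGuard peer's AllowedIPs list for redundant entries.

Added example, not code from the thread. On the client, AllowedIPs is
both the cryptokey-routing filter and the list of routes installed
toward the tunnel, so an entry already covered by a wider one adds
nothing; 0.0.0.0/0 covers every IPv4 destination and makes the peer a
full tunnel. The sample lists below are constructed; 10.0.50.0/24 as the
tunnel subnet is the assumption made in the post above.
"""
import ipaddress


def audit_allowed_ips(entries):
    """Return (effective, redundant, full_tunnel) for a list of AllowedIPs strings.

    effective:   the minimal equivalent list (routes exactly the same destinations)
    redundant:   entries wholly contained in another entry of the same family
    full_tunnel: True when a default route (0.0.0.0/0 or ::/0) is present
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    redundant = sorted(
        str(n) for n in nets
        if any(o is not n and o.version == n.version and n.subnet_of(o) for o in nets)
    )
    effective = []
    for version in (4, 6):  # collapse_addresses refuses mixed address families
        family = [n for n in nets if n.version == version]
        effective += [str(n) for n in ipaddress.collapse_addresses(family)]
    full_tunnel = any(n.prefixlen == 0 for n in nets)
    return effective, redundant, full_tunnel


if __name__ == "__main__":
    # As in the post: a default route followed by two more specific entries.
    print(audit_allowed_ips(["0.0.0.0/0", "10.0.50.0/24", "10.0.0.0/24"]))
    # Split tunnel: only the tunnel subnet and the remote VLANs go via the peer.
    print(audit_allowed_ips(["10.0.50.0/24", "10.0.0.0/24", "10.0.10.0/24"]))
```

The first call reports both /24 entries as redundant and a single effective entry, 0.0.0.0/0; the second reports no redundancy and no default route, which is the split-tunnel shape the post recommends when only the MikroTik's VLANs need to be reached.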
Hi,
So, I managed to establish connectivity between the laptop and the MT router network. My public IP is dynamic, so I enabled DDNS and did port forwarding on my ISP router. Here is my updated config. Any suggestions on this config?
Mikrotik-WIreguard.rsc (8.44 KB)
Thank you.

-
Why do you have this rule? It is an advanced-usage functionality that should be avoided if not required.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
-
Modify bridge ports as such.
/interface bridge port
add bridge=BR1 ingress-filtering=yes frame-type=admit-only-vlan-tagged interface=ether2-Trunk
add bridge=BR1 ingress-filtering=yes frame-type=admit-only-vlan-tagged interface=ether3-Trunk
add bridge=BR1 ingress-filtering=yes frame-type=admit-only-vlan-tagged interface=ether4-Trunk
add bridge=BR1 ingress-filtering=yes frame-type=admit-only-vlan-tagged interface=sfp1
-
Missing WAN2 on the interface list???
-
So Cakes is not a home VLAN entity.
-
Slight reordering of firewall rules, and modifying the interface lists for efficiency and security.
I removed the HOME VLAN rule allowing LAN-VLAN, AP-VLAN and Camera-VLAN to have full access to each other.
Why? VLANs are there to separate users from each other; otherwise just call them HOME-VLAN. In other words, you created functional VLANs for no reason??
The only difference or reason was that they all go out to the internet while Cakes does not.
In other words, you only needed two VLANs??? In any case, an entire interface list for one firewall rule for one subnet is better done other ways.
/interface list member
add interface=ether1-WAN1 list=WAN
add interface=ether5-WAN2 list=WAN
add interface=LAN-VLAN list=LAN
add interface=AP-VLAN list=LAN
add interface=Camera-VLAN list=LAN
add interface=Cakes-VLAN list=LAN
add interface=wireguard list=LAN
add interface=LAN-VLAN list=MANAGED
add interface=AP-VLAN list=MANAGED
add interface=wireguard list=MANAGED
/ip firewall address-list
…
add address=10.0.50.101 list=Authorized
/ip firewall filter
{ default rules to keep }
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
{ admin rules }
add action=accept chain=input comment="WG handshake" dst-port=13231 protocol=udp
add action=accept chain=input comment="admin to router" in-interface-list=MANAGED src-address-list=Authorized
add action=accept chain=input comment="Allow LAN DNS queries - UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
{ default rules to keep }
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
{ admin rules }
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN src-address=!10.0.30.0/24
add action=accept chain=forward comment="ADGuard Access to Everyone" dst-address=10.0.0.10 in-interface-list=LAN
add action=accept chain=forward comment="Home Assistant Access to Everyone" dst-address=10.0.0.20 in-interface-list=LAN
add action=drop chain=forward comment="Drop all else"
- What's the purpose of this rule???
/ip route
add disabled=no distance=10 dst-address=192.33.4.12/32 gateway=192.168.1.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
(7) What is the purpose of the masquerade rules???
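The forward chain proposed in the post above is easiest to judge by walking it the way RouterOS does: top to bottom, first match wins, and a packet that matches nothing is accepted. The following is an added example, not code from the thread or from MikroTik. It encodes the four admin rules above and asks, for a few constructed flows, which rule fires. The subnet behind each VLAN interface is an assumption for illustration (only 10.0.30.0/24 for Cakes is implied by the src-address=!10.0.30.0/24 rule, and 10.0.50.0/24 for WireGuard comes from the earlier post); only new connections are modelled, since established and related traffic is already accepted by the defconf rules that precede these.

```python
"""First-match walk of the proposed forward chain.

Added example, not code from the thread. Models the four forward rules
suggested in the post above and reports which one a new connection hits.
RouterOS evaluates a chain top to bottom, stops at the first match, and
accepts if nothing matches. Interface-to-subnet mappings are assumptions
made for this example (Cakes = 10.0.30.0/24 is implied by the rule
src-address=!10.0.30.0/24; WireGuard = 10.0.50.0/24 per the earlier post).
"""
import ipaddress

SUBNETS = {  # assumed interface -> subnet mapping (constructed)
    "LAN-VLAN": ipaddress.ip_network("10.0.0.0/24"),
    "AP-VLAN": ipaddress.ip_network("10.0.10.0/24"),
    "Camera-VLAN": ipaddress.ip_network("10.0.20.0/24"),
    "Cakes-VLAN": ipaddress.ip_network("10.0.30.0/24"),
    "wireguard": ipaddress.ip_network("10.0.50.0/24"),
}
INTERFACE_LISTS = {  # as in the /interface list member block above
    "LAN": {"LAN-VLAN", "AP-VLAN", "Camera-VLAN", "Cakes-VLAN", "wireguard"},
    "WAN": {"ether1-WAN1", "ether5-WAN2"},
}

# The admin rules of the forward chain, after the defconf fasttrack/established/invalid rules.
FORWARD_CHAIN = [
    {"action": "accept", "comment": "internet traffic",
     "in_list": "LAN", "out_list": "WAN", "src_not": "10.0.30.0/24"},
    {"action": "accept", "comment": "ADGuard Access to Everyone",
     "in_list": "LAN", "dst": "10.0.0.10"},
    {"action": "accept", "comment": "Home Assistant Access to Everyone",
     "in_list": "LAN", "dst": "10.0.0.20"},
    {"action": "drop", "comment": "Drop all else"},
]


def interface_for(address):
    """Interface a packet to/from `address` uses; anything non-local leaves via WAN1 (assumed active)."""
    ip = ipaddress.ip_address(address)
    for name, net in SUBNETS.items():
        if ip in net:
            return name
    return "ether1-WAN1"


def rule_matches(rule, src, dst):
    """Apply each matcher present in the rule; an absent matcher matches anything."""
    in_if, out_if = interface_for(src), interface_for(dst)
    if "in_list" in rule and in_if not in INTERFACE_LISTS[rule["in_list"]]:
        return False
    if "out_list" in rule and out_if not in INTERFACE_LISTS[rule["out_list"]]:
        return False
    if "dst" in rule and ipaddress.ip_address(dst) != ipaddress.ip_address(rule["dst"]):
        return False
    if "src_not" in rule and ipaddress.ip_address(src) in ipaddress.ip_network(rule["src_not"]):
        return False
    return True


def verdict(src, dst):
    """Return (action, comment) of the first matching rule for a new connection src -> dst."""
    for rule in FORWARD_CHAIN:
        if rule_matches(rule, src, dst):
            return rule["action"], rule["comment"]
    return "accept", "end of chain (implicit accept)"


if __name__ == "__main__":
    flows = [  # constructed sample flows
        ("10.0.0.5", "8.8.8.8"),       # LAN-VLAN host to the internet
        ("10.0.30.5", "8.8.8.8"),      # Cakes host to the internet
        ("10.0.30.5", "10.0.0.10"),    # Cakes host to AdGuard
        ("10.0.0.5", "10.0.10.5"),     # LAN-VLAN host to AP-VLAN
        ("10.0.50.101", "10.0.20.7"),  # WireGuard peer to a camera
    ]
    for src, dst in flows:
        action, comment = verdict(src, dst)
        print(f"{src:>12} -> {dst:<10} {action:<6} ({comment})")
```

Two consequences of the draft become visible: the Cakes host is dropped on its way to the internet because of src-address=!10.0.30.0/24, and a WireGuard peer reaches only 10.0.0.10 and 10.0.0.20, so an explicit accept from the wireguard interface to whichever VLANs the original poster wants to reach over the tunnel still has to be added before the drop-all rule.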
Hi,
Thank you for your input.
All VLANs are going out to the internet. I made the HOME VLAN rule allowing LAN-VLAN, AP-VLAN and Camera-VLAN to have full access to each other. Cakes-VLAN can't access HOME VLAN but is still able to access the internet.
So WAN2 is only used as a failover. The purpose of this rule (item 6), add disabled=no distance=10 dst-address=192.33.4.12/32 gateway=192.168.1.1, is to monitor whether there is internet connectivity on the ISP WAN; if not, I have a script to disable the primary route.

For the masquerade rules, I just want to see which interface the internet is using, so I have 2 masquerades.
Here is my updated config.
Mikrotik-Config.rsc (8.82 KB)
I'm still learning to configure the MikroTik. This help is much appreciated.
Thank you.