RB1100 with Wireguard Roadwarrior VPN

Hi all,

I’m trying to move over to a Wireguard VPN for remote access to the management VLAN (VLAN10) with a client in the 10.10.0.0/16 subnet. I currently have an L2TP connection which only allows me to access the gateway/VPN router.

I’ve set up the Wireguard Server with public key, and created a peer with all the necessary details, and I can connect/handshake from the Wireguard client running on Win11, however there’s no downstream traffic received at the client (0 B received). Really oddly, if I change the firewall rule for WG UDP traffic on port 13231 to DROP rather than accept, the connection is still established.

Router config as follows:

# 2025-02-26 21:04:20 by RouterOS 7.18
# software id = E75X-80RJ
#
# model = RB1100Dx4
# serial number = XXXXX
#
# Review notes (added): first export posted in the thread. The items that
# bear on the WireGuard problem are the /16 prefix on wireguard1 under
# /ip address, the range of the VPN address-list, the interface-list
# membership of wireguard1, and the order of the input-chain rules.
/interface bridge
# proxy-arp is set on bridge1 itself, not on vlan10_MGMT, which is the
# interface that carries the 10.10.0.1/16 address further down.
add arp=proxy-arp ingress-filtering=no name=bridge1 port-cost-mode=short \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge-5
set [ find default-name=ether1 ] name=WAN1-WF900
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether3 ] name="WAN3 - not in use"
set [ find default-name=ether4 ] name=WAN4-Future
set [ find default-name=ether6 ] comment=TRNK-REC-18
set [ find default-name=ether7 ] comment=TRNK-REC-21
set [ find default-name=ether8 ] comment=TRNK-REC-34
set [ find default-name=ether9 ] comment=TRNK-SPARE
set [ find default-name=ether10 ] comment=TRNK-REC-SWITCH
set [ find default-name=ether11 ] name=ether11-StaffMGMT
set [ find default-name=ether12 ] name=ether12-StaffMGMT
set [ find default-name=ether13 ] comment=\
    "Legacy Interface for Lower Park far end M5 Link. VLAN20." name=\
    ether13-Guest
/interface l2tp-server
add name=l2tp-in-VPN user=XXXXX
/interface wireguard
# Single WireGuard interface; UDP 13231 must be accepted on the input chain
# (see /ip firewall filter) for the handshake to reach it.
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge1 name=vlan10_MGMT vlan-id=10
add interface=bridge1 name=vlan20_Guest vlan-id=20
add interface=bridge1 name=vlan30_Staff vlan-id=30
add interface=bridge1 name=vlan40_CCTV vlan-id=40
# vlan90_WAN3 is a VLAN interface on bridge1 and is also a WAN-list member;
# the thread questions whether this is the intended termination of the
# third WAN.
add comment="WAN3 - WF 300/300 Fibre Connection" interface=bridge1 name=\
    vlan90_WAN3 vlan-id=90
/caps-man datapath
add bridge=bridge1 name=datapath_MGMT vlan-id=10 vlan-mode=use-tag
add bridge=bridge1 name=datapath_Guest vlan-id=20 vlan-mode=use-tag
add bridge=bridge1 name=datapath_Staff vlan-id=30 vlan-mode=use-tag
/interface pppoe-client
add disabled=no interface=WAN2 name=WAN2GradwellSoGEA use-peer-dns=yes user=\
    oldmill-Gradwell@surfdsluk
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security_Staff
add authentication-types=wpa2-psk encryption=aes-ccm name=security_Guest
add authentication-types=wpa2-psk encryption=aes-ccm name=security_MGMT
add authentication-types=wpa2-psk encryption=aes-ccm name=security_OMHP
/caps-man configuration
add country="united kingdom" datapath=datapath_Guest \
    datapath.client-to-client-forwarding=no .vlan-id=20 .vlan-mode=use-tag \
    installation=indoor mode=ap name=cfg_GuestWifi security=security_Guest \
    ssid=OldMill_GuestWiFi
add country="united kingdom" datapath=datapath_Staff datapath.bridge=bridge1 \
    installation=indoor mode=ap name=cfg_Staff security=security_Staff ssid=\
    OldMill_Staff
add country="united kingdom" datapath=datapath_MGMT datapath.bridge=bridge1 \
    hide-ssid=yes installation=indoor mode=ap name=cfg_MGMT security=\
    security_MGMT ssid=OldMill_MGMT
add country="united kingdom" datapath=datapath_Staff datapath.bridge=bridge1 \
    installation=indoor mode=ap name=cfg_OMHP security=security_OMHP ssid=\
    OMHP
/disk
add parent=sata1 partition-number=1 partition-offset=512 partition-size=\
    "55 021 510 144" slot=disk1 type=partition
/interface list
add name=WAN
add name=LAN
add name=MGMT
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_MGMT ranges=10.10.100.1-10.10.100.254
add name=dhcp_Guest ranges=10.20.100.1-10.20.199.254
add name=dhcp_staff ranges=10.30.100.1-10.30.199.254
add name=dhcp_CCTV ranges=10.40.100.1-10.40.199.254
# dhcp_VPN (10.10.200.x) is the L2TP remote-address pool (see /ppp profile).
# The WireGuard peer below uses 10.10.201.x, which is outside this pool and
# outside the VPN address-list under /ip firewall address-list.
add name=dhcp_VPN ranges=10.10.200.1-10.10.200.254
/ip dhcp-server
add address-pool=dhcp_MGMT interface=vlan10_MGMT lease-time=4w2d name=\
    dhcpMGMT
add address-pool=dhcp_Guest interface=vlan20_Guest lease-time=1d name=\
    dhcpGuest
add address-pool=dhcp_staff interface=vlan30_Staff lease-time=4w2d10m name=\
    dhcpStaff
# NOTE(review): dhcpCCTV hands out the dhcp_staff pool (10.30.100.x) on
# vlan40_CCTV, whose DHCP network gateway is 10.40.0.1; dhcp_CCTV is defined
# above but unused. Looks like a copy/paste slip - confirm.
add address-pool=dhcp_staff interface=vlan40_CCTV lease-time=4w2d10m name=\
    dhcpCCTV
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
set *0 interface-list=LAN
# L2TP profile: clients get an address from dhcp_VPN and land in the VPN
# address-list, which is what the "Allow all VPN traffic" input rule keys on.
add address-list=VPN bridge=bridge1 local-address=dhcp_MGMT name=SquibbyVPN \
    remote-address=dhcp_VPN
/queue type
add kind=pcq name=pcq-download-guest pcq-classifier=dst-address pcq-rate=10M
add kind=pcq name=pcq-upload-guest pcq-classifier=src-address pcq-rate=5M
/queue simple
add disabled=yes max-limit=900M/900M name=Global queue=\
    ethernet-default/ethernet-default target=\
    10.10.0.0/16,10.20.0.0/16,10.30.0.0/16,10.40.0.0/16
add limit-at=700M/500M max-limit=700M/500M name=Guest queue=\
    pcq-upload-guest/pcq-download-guest target=10.20.0.0/16
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=useWAN1
add fib name=useWAN2
/caps-man manager
set enabled=yes package-path=/ upgrade-policy=suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge1
add disabled=no interface=vlan10_MGMT
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg_Staff name-format=\
    identity slave-configurations=cfg_GuestWifi,cfg_MGMT,cfg_OMHP
/dude
set data-directory=/dude/dude enabled=yes
/interface bridge port
# ether6-ether10 are tagged-only trunks; ether11/12 are access ports in
# VLAN 10 and ether13 is an access port in VLAN 20.
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether9 \
    internal-path-cost=10 path-cost=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether10 \
    internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether11-StaffMGMT internal-path-cost=10 \
    path-cost=10 pvid=10
add bridge=bridge1 interface=ether12-StaffMGMT internal-path-cost=10 \
    path-cost=10 pvid=10
add bridge=bridge1 interface=ether13-Guest internal-path-cost=10 path-cost=10 \
    pvid=20
/ip firewall connection tracking
# udp-timeout=10s is well below the 35s persistent-keepalive on peer1, so a
# WireGuard session's conntrack entry can expire between packets. The
# dedicated WG input rule accepts those packets as new anyway, so the impact
# here is presumably limited - verify against the counters.
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192 soft-max-neighbor-entries=8191
/interface bridge vlan
# NOTE(review): ether13-Guest has pvid=20 (see /interface bridge port) but is
# listed here as an untagged member of vlan-ids=10, so VLAN 10 (MGMT) egress
# leaves untagged on the Guest-labelled legacy link. Confirm this is intended;
# if not, it exposes management-VLAN traffic on a guest port.
add bridge=bridge1 tagged=bridge1,ether6,ether7,ether8,ether9,ether10 \
    untagged=ether11-StaffMGMT,ether12-StaffMGMT,ether13-Guest vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether6,ether7,ether8,ether9,ether10 \
    vlan-ids=20,30,40
# vlan90_WAN3 not a bridge port
add bridge=bridge1 tagged=bridge1,ether6,vlan90_WAN3 vlan-ids=90
/interface l2tp-server server
set default-profile=SquibbyVPN enabled=yes use-ipsec=yes
/interface list member
add interface=WAN1-WF900 list=WAN
add interface=vlan10_MGMT list=LAN
add interface=vlan20_Guest list=LAN
add interface=vlan30_Staff list=LAN
add interface=vlan40_CCTV list=LAN
add interface=vlan10_MGMT list=MGMT
add interface=OffBridge-5 list=MGMT
add interface=WAN2GradwellSoGEA list=WAN
add interface=vlan90_WAN3 list=WAN
add interface=l2tp-in-VPN list=LAN
add interface=l2tp-in-VPN list=MGMT
# wireguard1 is in both LAN and MGMT: the MGMT input rule gives peers full
# access to router services, and in the forward chain both "allow internet
# traffic" (LAN->WAN) and "MGMT to all vlans" match traffic from the tunnel.
add interface=wireguard1 list=LAN
add interface=wireguard1 list=MGMT
/interface pppoe-server server
# interface=<l2tp> looks like a leftover dynamic reference; presumably not in
# use - confirm.
add default-profile=SquibbyVPN disabled=no interface=<l2tp> service-name=\
    service1
/interface wireguard peers
# allowed-address is a /32, so this peer may only source 10.10.201.11.
# persistent-keepalive here makes the router send keepalives to the peer; it
# is not required for a client that initiates the handshake.
add allowed-address=10.10.201.11/32 comment=Laptop interface=\
    wireguard1 name=peer1 persistent-keepalive=35s public-key=\
    XXXXX
/ip address
add address=10.30.0.1/16 interface=vlan30_Staff network=10.30.0.0
add address=10.40.0.1/16 interface=vlan40_CCTV network=10.40.0.0
add address=10.10.0.1/16 interface=vlan10_MGMT network=10.10.0.0
add address=10.20.0.1/16 interface=vlan20_Guest network=10.20.0.0
add address=192.168.55.1/24 interface=OffBridge-5 network=192.168.55.0
# NOTE(review): 10.10.201.1/16 on wireguard1 is the same prefix (10.10.0.0/16)
# as vlan10_MGMT above, so the router holds two connected routes for
# 10.10.0.0/16 on different interfaces; which one is used for replies to
# 10.10.201.x is not determined by this config. It is the /16 prefix that
# creates the overlap, not the network= field. A /24 here (or a prefix outside
# 10.10.0.0/16) removes the ambiguity on the router; LAN hosts with a /16 mask
# will still treat 10.10.201.x as on-link - confirm how they reach it.
add address=10.10.201.1/16 comment=WireguardServer interface=wireguard1 \
    network=10.10.0.0
/ip dhcp-client
add default-route-distance=2 interface=vlan90_WAN3 use-peer-dns=no
add interface=WAN1-WF900 use-peer-dns=no
/ip dhcp-server network
add address=10.10.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.0.1
add address=10.20.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.20.0.1
add address=10.30.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.30.0.1
add address=10.40.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.40.0.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.20.100.1-10.20.199.254 list=Guest
add address=10.10.100.0/24 list=local
add address=10.20.100.0/24 list=local
add address=10.30.100.0/24 list=local
add address=10.40.100.0/24 list=local
add address=10.10.0.1-10.10.199.254 list=localLAN
# VPN covers only the L2TP pool (10.10.200.x); WireGuard peers at 10.10.201.x
# are not matched by rules keyed on this list.
add address=10.10.200.1-10.10.200.254 list=VPN
/ip firewall filter
# This rule is first and has log=yes, so every UDP/13231 packet arriving on a
# WAN interface is logged, not just handshakes. Its counters are what the
# thread uses to confirm traffic is reaching the router.
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    in-interface-list=WAN log=yes protocol=udp
add action=accept chain=input comment="Allow establics, related, untracked" \
    connection-state=established,related,untracked
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="WAN2 L2TP allow" in-interface=\
    WAN2GradwellSoGEA protocol=ipsec-esp
add action=accept chain=input comment="WAN2 L2TP allow" dst-port=\
    500,1701,4500 in-interface=WAN2GradwellSoGEA protocol=udp
# Only matches L2TP clients (see the VPN address-list range above).
add action=accept chain=input comment="Allow all VPN traffic" \
    src-address-list=VPN
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Unrestricted router access from every MGMT-list interface (vlan10_MGMT,
# OffBridge-5, l2tp-in-VPN, wireguard1). Intended for a management VPN, but
# it means a leaked peer key has the same reach as a wired MGMT port.
add action=accept chain=input in-interface-list=MGMT
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
# Redundant with the MGMT rule above while wireguard1 is in the MGMT list.
add action=accept chain=input in-interface=wireguard1
add action=accept chain=input comment="accept PPP" in-interface=all-ppp
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward comment=\
    "fasttrack - disabled to allow queue function" connection-state=\
    established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=related-establ-untracked \
    connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat disabled=yes
# Forward is default-drop: only LAN->WAN and MGMT->LAN are allowed, so the
# Guest/Staff/CCTV VLANs cannot reach each other.
add action=accept chain=forward comment="MGMT to all vlans" \
    in-interface-list=MGMT out-interface-list=LAN
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=mark-connection chain=forward comment=\
    "Disabled as currently set for DUAL WAN not PCC Load Balancing" \
    connection-mark=no-mark disabled=yes dst-address-type=!local \
    in-interface-list=LAN new-connection-mark=viaWAN1 \
    per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=forward comment=\
    "Disabled as currently set for DUAL WAN not PCC Load Balancing" \
    connection-mark=no-mark disabled=yes dst-address-type=!local \
    in-interface-list=LAN new-connection-mark=viaWAN2 \
    per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting comment=\
    "Disabled as currently set for DUAL WAN not PCC Load Balancing" \
    connection-mark=viaWAN1 disabled=yes new-routing-mark=useWAN1 \
    passthrough=no
add action=mark-routing chain=prerouting comment=\
    "Disabled as currently set for DUAL WAN not PCC Load Balancing" \
    connection-mark=viaWAN2 disabled=yes new-routing-mark=useWAN2 \
    passthrough=no
/ip firewall nat
# Masquerade applies to every WAN-list interface. With the mangle rules
# disabled, a handshake received on one WAN is answered via whichever default
# route wins and gets that interface's address, so the client may see the
# reply come from a different source than it sent to - presumably what the
# thread observes with WAN2 vs WAN1; confirm with Torch.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
# Static default via WAN2 sits at distance 3, behind the dhcp-client defaults
# for vlan90_WAN3 (distance 2) and WAN1-WF900 (distance not shown, default),
# so WAN1 is the primary egress.
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=WAN2GradwellSoGEA
add comment="Disabled as not load balancing" disabled=yes dst-address=\
    0.0.0.0/0 gateway=192.168.2.1 routing-table=useWAN1
add comment="Disabled as not load balancing" disabled=yes dst-address=\
    0.0.0.0/0 gateway=WAN2GradwellSoGEA routing-table=useWAN2
/ip service
# telnet (cleartext credentials) stays enabled while ssh is disabled; the
# 10.10.0.0/16 restriction also admits VPN clients, whose addresses fall
# inside it.
set telnet address=10.10.0.0/16
set www disabled=yes
set ssh disabled=yes
set api address=10.10.0.0/16
/ip smb shares
set [ find default=yes ] directory=/pub
/ppp secret
add name=squibby profile=SquibbyVPN
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/London
/system identity
set name=RB1100-Reception
/system note
set show-at-login=no
/tool graphing interface
add allow-address=10.10.0.0/16 interface=WAN1-WF900
add allow-address=10.10.0.0/16 interface=WAN2GradwellSoGEA
add allow-address=10.30.0.0/16 interface=WAN1-WF900
add allow-address=10.30.0.0/16 interface=WAN2GradwellSoGEA
add allow-address=10.10.0.0/16 interface=vlan90_WAN3
add allow-address=10.30.0.0/16 interface=vlan90_WAN3
/tool graphing queue
add allow-address=10.10.0.0/16 simple-queue=Guest
add allow-address=10.30.0.0/16 simple-queue=Guest
/tool graphing resource
add allow-address=10.10.0.0/16
add allow-address=10.30.0.0/16
/tool sniffer
set filter-ip-protocol=icmp

… and WG config as follows:

[Interface]
# Client side of the tunnel (Windows 11 client per the thread).
PrivateKey = hidden
# Matches peer1's allowed-address on the router (10.10.201.11/32).
Address = 10.10.201.11/32
# Resolver used while the tunnel is up; reached through the tunnel because
# AllowedIPs below covers it.
DNS = 8.8.8.8

[Peer]
PublicKey = XXXXXX
# 0.0.0.0/0 is a full tunnel: all client traffic, including internet traffic,
# goes to the router, which then has to forward wireguard1 -> WAN for the
# client to keep internet access - presumably intended, confirm.
AllowedIPs = 0.0.0.0/0
# No PersistentKeepalive on the client side; the router-side peer carries one.
Endpoint = <publicIP>:13231

Grateful of any suggestions!

  1. If WAN3 is not in use, make that clear — your entries got me really confused…
  • ensure you DISABLE the associated /interface vlan entry,
  • ensure you DISABLE the associated /interface bridge vlan entry
  • ensure you DISABLE the IP DHCP client entry.

If it is in use, you have to be very clear about what it's supposed to do, as it's not working in the config.
Also what the heck your plan is with all three WANs for that matter.

  1. The peer settings on the router identifying your remote laptop etc, are incorrect, persistent-keep-alive is used by the client peer for handshake, not the server peer (aka router).
    It needs to be removed.

  2. MAIN PROBLEM is the following discrepancy
    add address=10.10.201.1/16 comment=WireguardServer interface=wireguard1 network=10.10.0.0

should be:
add address=10.10.201.1/16 comment=WireguardServer interface=wireguard1 network=10.10.201.0

  1. You have far too many input chain rules…
    For example, if you allow the MGMT interface list, doesn't that already cover wireguard1, VLAN10 and l2tp-in-VPN ???

Thinking you probably don't need
add action=accept chain=input comment="Allow all VPN traffic"
src-address-list=VPN

AND
add action=accept chain=input in-interface=wireguard1

Hi Anav,

  1. Noted on this - WAN3 is in use, but comes in over a VLAN. It’s a redundant internet connection that comes in elsewhere on site via a completely different cabinet to allow for some resilience on site. There was initially a local port on the router that was going to be WAN3 however that connection locally was scrapped in favour of keeping the port that pops up elsewhere on site, and is transferred across the network. WAN2 is a connection used for VoIP with a service-level agreement, but it’s a slower speed connection, so only used for VoIP data (and VPN access),

  2. Thanks for that - I’ve removed that - that was just something I tried in desperation.

  3. All of the networks are /16 addresses, however sadly this fix by changing the 3rd octet to .201 didn’t work. There’s still 0 bytes received at the client end, and pinging the router IP of 10.10.201.1 fails.

  4. Input chain rules were again something I should have cleaned up. I wondered if there was a rule preventing the WS VPN traffic being received (hence no reply to pings, etc).

The client log shows the handshake never takes place - (handshake for peer 1 did not complete after 5 seconds) - and just repeats ‘sending intiation’… ‘did not complete’ every 5 seconds. I’ve had a dig around and found that for some people this is related to the default WG port of 13231 - I’ve tried a random port (firewall rule and listen port changed) but still no luck. It feels firewall related, but I just can’t work out what. There are no entries in the log on the RB1100 to suggest Wireguard ever attempts to connect.

That said, the firewall rule for incoming WG traffic increases its byte and packet counts, making me think that traffic is at least arriving and getting past the firewall :confused:

Thanks for your assistance as always Anav! Always much appreciated.

So I’ve been experimenting… I’ve used WAN1 (the primary WAN) to access the router, and the handshake is successful. I’m guessing this is an issue with SRCNAT, where outbound WG packets from the router back to the remote client are going out via the WAN1 interface rather than the receiving interface (with a bit of help from Torch I can see this).

This isn’t the end of the world moving forward (although would be great to solve), however on connecting I still can’t ping any devices on VLAN10 (10.10.0.0 addresses), only the wireguard1 interface address of 10.10.201.1 (which is on the same subnet)

As always post the latest config for review

Sorry anav - my bad! Also, apologies for the delay in replying - been away working on another project.

New config:

# 2025-03-11 19:18:14 by RouterOS 7.18
# software id = E75X-80RJ
#
# model = RB1100Dx4
# serial number = <<hidden>>
#
# Review notes (added): second export. Compared with the first one the
# WireGuard input rule moved behind the established/related rule, the
# persistent-keepalive was dropped from peer1, a second peer (peer8) with a
# /16 allowed-address was added, wireguard1 was removed from the LAN list,
# an ovpn-server entry appeared, and the wireguard1 address is still a /16.
/interface bridge
# proxy-arp is set on bridge1 itself, not on vlan10_MGMT, which is the
# interface that carries the 10.10.0.1/16 address further down.
add arp=proxy-arp ingress-filtering=no name=bridge1 port-cost-mode=short \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge-5
set [ find default-name=ether1 ] name=WAN1-WF900
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether3 ] name="WAN3 - not in use"
set [ find default-name=ether4 ] name=WAN4-Future
set [ find default-name=ether6 ] comment=TRNK-REC-18
set [ find default-name=ether7 ] comment=TRNK-REC-21
set [ find default-name=ether8 ] comment=TRNK-REC-34
set [ find default-name=ether9 ] comment=TRNK-SPARE
set [ find default-name=ether10 ] comment=TRNK-REC-SWITCH
set [ find default-name=ether11 ] name=ether11-StaffMGMT
set [ find default-name=ether12 ] name=ether12-StaffMGMT
set [ find default-name=ether13 ] comment=\
    "Legacy Interface for Lower Park far end M5 Link. VLAN20." name=\
    ether13-Guest
/interface l2tp-server
add name=l2tp-in-VPN user=squibby
/interface wireguard
# Single WireGuard interface; UDP 13231 must be accepted on the input chain
# (see /ip firewall filter) for the handshake to reach it.
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge1 name=vlan10_MGMT vlan-id=10
add interface=bridge1 name=vlan20_Guest vlan-id=20
add interface=bridge1 name=vlan30_Staff vlan-id=30
add interface=bridge1 name=vlan40_CCTV vlan-id=40
# vlan90_WAN3 is a VLAN interface on bridge1 and is also a WAN-list member;
# the poster says this WAN arrives over the site trunk rather than a local
# port.
add comment="WAN3 - WF 300/300 Fibre Connection" interface=bridge1 name=\
    vlan90_WAN3 vlan-id=90
/caps-man datapath
add bridge=bridge1 name=datapath_MGMT vlan-id=10 vlan-mode=use-tag
add bridge=bridge1 name=datapath_Guest vlan-id=20 vlan-mode=use-tag
add bridge=bridge1 name=datapath_Staff vlan-id=30 vlan-mode=use-tag
/interface pppoe-client
add disabled=no interface=WAN2 name=WAN2GradwellSoGEA use-peer-dns=yes user=\
    oldmill-Gradwell@surfdsluk
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security_Staff
add authentication-types=wpa2-psk encryption=aes-ccm name=security_Guest
add authentication-types=wpa2-psk encryption=aes-ccm name=security_MGMT
add authentication-types=wpa2-psk encryption=aes-ccm name=security_OMHP
/caps-man configuration
add country="united kingdom" datapath=datapath_Guest \
    datapath.client-to-client-forwarding=no .vlan-id=20 .vlan-mode=use-tag \
    installation=indoor mode=ap name=cfg_GuestWifi security=security_Guest \
    ssid=OldMill_GuestWiFi
add country="united kingdom" datapath=datapath_Staff datapath.bridge=bridge1 \
    installation=indoor mode=ap name=cfg_Staff security=security_Staff ssid=\
    OldMill_Staff
add country="united kingdom" datapath=datapath_MGMT datapath.bridge=bridge1 \
    hide-ssid=yes installation=indoor mode=ap name=cfg_MGMT security=\
    security_MGMT ssid=OldMill_MGMT
add country="united kingdom" datapath=datapath_Staff datapath.bridge=bridge1 \
    installation=indoor mode=ap name=cfg_OMHP security=security_OMHP ssid=\
    OMHP
/disk
add parent=sata1 partition-number=1 partition-offset=512 partition-size=\
    "55 021 510 144" slot=disk1 type=partition
/interface list
add name=WAN
add name=LAN
add name=MGMT
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_MGMT ranges=10.10.100.1-10.10.100.254
add name=dhcp_Guest ranges=10.20.100.1-10.20.199.254
add name=dhcp_staff ranges=10.30.100.1-10.30.199.254
add name=dhcp_CCTV ranges=10.40.100.1-10.40.199.254
# dhcp_VPN (10.10.200.x) is the L2TP remote-address pool (see /ppp profile).
# The WireGuard peers below use 10.10.201.x, which is outside this pool and
# outside the VPN address-list under /ip firewall address-list.
add name=dhcp_VPN ranges=10.10.200.1-10.10.200.254
/ip dhcp-server
add address-pool=dhcp_MGMT interface=vlan10_MGMT lease-time=4w2d name=\
    dhcpMGMT
add address-pool=dhcp_Guest interface=vlan20_Guest lease-time=1d name=\
    dhcpGuest
add address-pool=dhcp_staff interface=vlan30_Staff lease-time=4w2d10m name=\
    dhcpStaff
# NOTE(review): dhcpCCTV hands out the dhcp_staff pool (10.30.100.x) on
# vlan40_CCTV, whose DHCP network gateway is 10.40.0.1; dhcp_CCTV is defined
# above but unused. Looks like a copy/paste slip - confirm.
add address-pool=dhcp_staff interface=vlan40_CCTV lease-time=4w2d10m name=\
    dhcpCCTV
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
set *0 interface-list=LAN
# L2TP profile: clients get an address from dhcp_VPN and land in the VPN
# address-list, which is what the "Allow all VPN traffic" input rule keys on.
add address-list=VPN bridge=bridge1 local-address=dhcp_MGMT name=SquibbyVPN \
    remote-address=dhcp_VPN
/queue type
add kind=pcq name=pcq-download-guest pcq-classifier=dst-address pcq-rate=10M
add kind=pcq name=pcq-upload-guest pcq-classifier=src-address pcq-rate=5M
/queue simple
add disabled=yes max-limit=900M/900M name=Global queue=\
    ethernet-default/ethernet-default target=\
    10.10.0.0/16,10.20.0.0/16,10.30.0.0/16,10.40.0.0/16
add limit-at=700M/500M max-limit=700M/500M name=Guest queue=\
    pcq-upload-guest/pcq-download-guest target=10.20.0.0/16
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=useWAN1
add fib name=useWAN2
/caps-man manager
set enabled=yes package-path=/ upgrade-policy=suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge1
add disabled=no interface=vlan10_MGMT
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg_Staff name-format=\
    identity slave-configurations=cfg_GuestWifi,cfg_MGMT,cfg_OMHP
/dude
set data-directory=/dude/dude enabled=yes
/interface bridge port
# ether6-ether10 are tagged-only trunks; ether11/12 are access ports in
# VLAN 10 and ether13 is an access port in VLAN 20.
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether9 \
    internal-path-cost=10 path-cost=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether10 \
    internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether11-StaffMGMT internal-path-cost=10 \
    path-cost=10 pvid=10
add bridge=bridge1 interface=ether12-StaffMGMT internal-path-cost=10 \
    path-cost=10 pvid=10
add bridge=bridge1 interface=ether13-Guest internal-path-cost=10 path-cost=10 \
    pvid=20
/ip firewall connection tracking
# udp-timeout=10s: short for WireGuard, whose packets may be spaced further
# apart than that; the dedicated WG input rule accepts them as new anyway,
# so the impact is presumably limited - verify against the counters.
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192 soft-max-neighbor-entries=8191
/interface bridge vlan
# NOTE(review): ether13-Guest has pvid=20 (see /interface bridge port) but is
# listed here as an untagged member of vlan-ids=10, so VLAN 10 (MGMT) egress
# leaves untagged on the Guest-labelled legacy link. Confirm this is intended;
# if not, it exposes management-VLAN traffic on a guest port.
add bridge=bridge1 tagged=bridge1,ether6,ether7,ether8,ether9,ether10 \
    untagged=ether11-StaffMGMT,ether12-StaffMGMT,ether13-Guest vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether6,ether7,ether8,ether9,ether10 \
    vlan-ids=20,30,40
# vlan90_WAN3 not a bridge port
add bridge=bridge1 tagged=bridge1,ether6,vlan90_WAN3 vlan-ids=90
/interface l2tp-server server
set default-profile=SquibbyVPN enabled=yes use-ipsec=yes
/interface list member
add interface=WAN1-WF900 list=WAN
add interface=vlan10_MGMT list=LAN
add interface=vlan20_Guest list=LAN
add interface=vlan30_Staff list=LAN
add interface=vlan40_CCTV list=LAN
add interface=vlan10_MGMT list=MGMT
add interface=OffBridge-5 list=MGMT
add interface=WAN2GradwellSoGEA list=WAN
add interface=vlan90_WAN3 list=WAN
add interface=l2tp-in-VPN list=LAN
add interface=l2tp-in-VPN list=MGMT
# wireguard1 is now only in MGMT, not LAN. That still gives peers router
# access (MGMT input rule) and MGMT->LAN forwarding, but the forward rule
# "allow internet traffic" is in-interface-list=LAN, so internet-bound
# traffic from a full-tunnel client hits "drop all else".
add interface=wireguard1 list=MGMT
/interface ovpn-server server
# auth=sha1,md5 allows MD5 for the OpenVPN server. Whether this server is
# enabled is not visible in the export; if it is not needed, it is one less
# listener to worry about - confirm.
add auth=sha1,md5 mac-address=FE:2E:D3:C7:90:DE name=ovpn-server1
/interface pppoe-server server
# interface=<l2tp> looks like a leftover dynamic reference; presumably not in
# use - confirm.
add default-profile=SquibbyVPN disabled=no interface=<l2tp> service-name=\
    service1
/interface wireguard peers
# peer1: /32 allowed-address, so this peer may only source 10.10.201.11.
add allowed-address=10.10.201.11/32 comment=SquibbyLaptop interface=\
    wireguard1 name=peer1 public-key=\
    "<<hidden>>"
# NOTE(review): peer8's allowed-address is 10.10.201.12/16, i.e. all of
# 10.10.0.0/16. That lets this peer source any address in the MGMT range
# (including router and LAN addresses), and it makes peer8 the cryptokey-
# routing target for anything sent to 10.10.0.0/16 via wireguard1. A /32 per
# peer, as on peer1, is the least-privilege form.
add allowed-address=10.10.201.12/16 comment=peer2 interface=wireguard1 name=\
    peer8 public-key="<<hidden>>"
/ip address
add address=10.30.0.1/16 interface=vlan30_Staff network=10.30.0.0
add address=10.40.0.1/16 interface=vlan40_CCTV network=10.40.0.0
add address=10.10.0.1/16 interface=vlan10_MGMT network=10.10.0.0
add address=10.20.0.1/16 interface=vlan20_Guest network=10.20.0.0
add address=192.168.55.1/24 interface=OffBridge-5 network=192.168.55.0
# NOTE(review): 10.10.201.1/16 on wireguard1 is the same prefix (10.10.0.0/16)
# as vlan10_MGMT above, so the router holds two connected routes for
# 10.10.0.0/16 on different interfaces; which one is used for replies to
# 10.10.201.x is not determined by this config. It is the /16 prefix that
# creates the overlap, not the network= field. A /24 here (or a prefix outside
# 10.10.0.0/16) removes the ambiguity on the router; LAN hosts with a /16 mask
# will still treat 10.10.201.x as on-link - confirm how they reach it.
add address=10.10.201.1/16 comment=WireguardServer interface=wireguard1 \
    network=10.10.0.0
/ip dhcp-client
add default-route-distance=2 interface=vlan90_WAN3 use-peer-dns=no
add interface=WAN1-WF900 use-peer-dns=no
/ip dhcp-server network
add address=10.10.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.0.1
add address=10.20.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.20.0.1
add address=10.30.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.30.0.1
add address=10.40.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.40.0.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.20.100.1-10.20.199.254 list=Guest
add address=10.10.100.0/24 list=local
add address=10.20.100.0/24 list=local
add address=10.30.100.0/24 list=local
add address=10.40.100.0/24 list=local
add address=10.10.0.1-10.10.199.254 list=localLAN
# VPN covers only the L2TP pool (10.10.200.x); WireGuard peers at 10.10.201.x
# are not matched by rules keyed on this list.
add address=10.10.200.1-10.10.200.254 list=VPN
/ip firewall filter
# established/related now comes first, so the WG rule below only sees packets
# that conntrack has not already associated with a session.
add action=accept chain=input comment="Allow establised, related, untracked" \
    connection-state=established,related,untracked
add action=accept chain=input protocol=icmp
# log=yes: every UDP/13231 packet from a WAN interface that reaches this
# rule is logged; useful while debugging, noisy afterwards.
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    in-interface-list=WAN log=yes protocol=udp
add action=accept chain=input comment="WAN2 L2TP allow" in-interface=\
    WAN2GradwellSoGEA protocol=ipsec-esp
add action=accept chain=input comment="WAN2 L2TP allow" dst-port=\
    500,1701,4500 in-interface=WAN2GradwellSoGEA protocol=udp
# Only matches L2TP clients (see the VPN address-list range above).
add action=accept chain=input comment="Allow all VPN traffic" \
    src-address-list=VPN
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Unrestricted router access from every MGMT-list interface (vlan10_MGMT,
# OffBridge-5, l2tp-in-VPN, wireguard1). Intended for a management VPN, but
# it means a leaked peer key has the same reach as a wired MGMT port.
add action=accept chain=input in-interface-list=MGMT
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="accept PPP" in-interface=all-ppp
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward comment=\
    "fasttrack - disabled to allow queue function" connection-state=\
    established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=related-establ-untracked \
    connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
# LAN->WAN only; wireguard1 is not in LAN in this export, so tunnel clients
# get no internet through the router.
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat disabled=yes
# Forward is default-drop: only LAN->WAN and MGMT->LAN are allowed, so the
# Guest/Staff/CCTV VLANs cannot reach each other.
add action=accept chain=forward comment="MGMT to all vlans" \
    in-interface-list=MGMT out-interface-list=LAN
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=mark-connection chain=forward comment=\
    "Disabled as currently set for DUAL WAN not PCC Load Balancing" \
    connection-mark=no-mark disabled=yes dst-address-type=!local \
    in-interface-list=LAN new-connection-mark=viaWAN1 \
    per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=forward comment=\
    "Disabled as currently set for DUAL WAN not PCC Load Balancing" \
    connection-mark=no-mark disabled=yes dst-address-type=!local \
    in-interface-list=LAN new-connection-mark=viaWAN2 \
    per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting comment=\
    "Disabled as currently set for DUAL WAN not PCC Load Balancing" \
    connection-mark=viaWAN1 disabled=yes new-routing-mark=useWAN1 \
    passthrough=no
add action=mark-routing chain=prerouting comment=\
    "Disabled as currently set for DUAL WAN not PCC Load Balancing" \
    connection-mark=viaWAN2 disabled=yes new-routing-mark=useWAN2 \
    passthrough=no
/ip firewall nat
# Masquerade applies to every WAN-list interface. With the mangle rules
# disabled, a handshake received on one WAN is answered via whichever default
# route wins and gets that interface's address, so the client may see the
# reply come from a different source than it sent to - presumably what the
# thread observes with WAN2 vs WAN1; confirm with Torch.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
# Static default via WAN2 sits at distance 3, behind the dhcp-client defaults
# for vlan90_WAN3 (distance 2) and WAN1-WF900 (distance not shown, default),
# so WAN1 is the primary egress.
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=WAN2GradwellSoGEA
add comment="Disabled as not load balancing" disabled=yes dst-address=\
    0.0.0.0/0 gateway=192.168.2.1 routing-table=useWAN1
add comment="Disabled as not load balancing" disabled=yes dst-address=\
    0.0.0.0/0 gateway=WAN2GradwellSoGEA routing-table=useWAN2
/ip service
# telnet (cleartext credentials) stays enabled while ssh is disabled; the
# 10.10.0.0/16 restriction also admits VPN clients, whose addresses fall
# inside it. winbox is not shown here, so it keeps its defaults.
set telnet address=10.10.0.0/16
set www disabled=yes
set ssh disabled=yes
set api address=10.10.0.0/16
/ip smb shares
set [ find default=yes ] directory=/pub
/ppp secret
add name=squibby profile=SquibbyVPN
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/London
/system identity
set name=RB1100-Reception
/system note
set show-at-login=no
/tool graphing interface
add allow-address=10.10.0.0/16 interface=WAN1-WF900
add allow-address=10.10.0.0/16 interface=WAN2GradwellSoGEA
add allow-address=10.30.0.0/16 interface=WAN1-WF900
add allow-address=10.30.0.0/16 interface=WAN2GradwellSoGEA
add allow-address=10.10.0.0/16 interface=vlan90_WAN3
add allow-address=10.30.0.0/16 interface=vlan90_WAN3
/tool graphing queue
add allow-address=10.10.0.0/16 simple-queue=Guest
add allow-address=10.30.0.0/16 simple-queue=Guest
/tool graphing resource
add allow-address=10.10.0.0/16
add allow-address=10.30.0.0/16
/tool sniffer
set filter-ip-protocol=icmp

… and WG client config…

[Interface]
# Client side of the tunnel (Windows 11 client per the thread).
PrivateKey = <<hidden>>
# Matches peer1's allowed-address on the router (10.10.201.11/32).
Address = 10.10.201.11/32
# Resolver used while the tunnel is up.
DNS = 8.8.8.8

[Peer]
PublicKey = <<hidden>>
# NOTE(review): a /0 prefix length covers every destination regardless of the
# address written before it, so depending on how the client parses this it
# is either still a full tunnel or a configuration error; 10.10.0.0/16 was
# presumably intended if only the MGMT network should go via the VPN.
AllowedIPs = 10.10.0.0/0
Endpoint = <<hidden>>:13231

So, something even more odd - I find myself now unable to log into the RB1100 locally on the network using the IP address - connecting through Winbox using MAC address works, and login using IP address remotely by VPN works.

I’ve compared the firewall rules with a version from prior to the upgrade to ROS7 and there’s nothing different in terms of firewall rules. Same result with Winbox v3.41 or v4beta.

:confused:

To login by IP Address you need to enter two things.
IPADDRESS:WINBOX PORT …the advantage of mac, is you simply click on mac address…

Also your subnet mask usage is weird.
The management vpn pool is better suited to /24 setup.
The same for your wireguard setup change to /24

mgmt
In reality 10.10.100.1/16 means an expectation of IPs for 10.10.0.1 to 10.10.255.254
You only need 10.10.100.1/24 means an expectation of IPs 10.10.100.1 - 10.10.100.254
note your ip pool is ranges=10.10.100.1-10.10.100.254

wireguard
In reality 10.10.201.1/16 means an expectation of IPs for 10.10.0.1 to 10.10.255.254
You only need 10.10.201.1/24 means an expectation of IPs 10.10.201.1 - 10.10.201.254

Biggest problem I see is this warning…
# vlan90_WAN3 not a bridge port
add bridge=bridge1 tagged=bridge1,ether6,vlan90_WAN3 vlan-ids=90

Quite correctly the ether1 fiber connection should not be part of any bridge configuration to the best of my knowledge.
set [ find default-name=ether1 ] name=WAN1-WF900
add comment="WAN3 - WF 300/300 Fibre Connection" interface=bridge1 name=
vlan90_WAN3 vlan-id=90

should be:
add comment="WAN3 - WF 300/300 Fibre Connection" interface=WAN1-WF900 bridge1 name=
vlan90_WAN3 vlan-id=90

I do note that correctly you have no entry for ether1 on /interface bridge ports.

Then the offending entry in /interface bridge vlan needs to be removed.
I don't even understand what ether6 has to do with vlan90 either…
Just remove this vlan-id=90 entry line for now.

This begs the question HOW/WHERE DO you terminate the incoming WAN connection.
Found it, in ip dhcp client settings but there is something wrong here.
/ip dhcp-client
add default-route-distance=2 interface=vlan90_WAN3 use-peer-dns=no
add interface=WAN1-WF900 use-peer-dns=no

We already defined the vlan as having the interface WAN1-WF900.
We did this because the ISP provider is providing internet ON the VLAN.
So in the IP DHCP client settings we use THE VLAN as the interface. So remove the second line, it's not needed!!!

Hi Anav,

I did wonder about tidying up the subnet mask for the mgmt pool - however I do have the RB1100 sat at 10.10.0.1, so in order to close that subnet down to /24, I’d need to move it to 10.10.100.1

I have however spotted an issue in my firewall rules - the rule…

add action=accept chain=input comment="Allow all VPN traffic" \
    src-address-list=VPN

…relied on the address list of…

add address=10.10.200.1-10.10.200.254 list=VPN

… however the wireguard interface is using addresses in 10.10.201.0 - I’ve amended the list range for now (ultimately I’d like to sack off L2TP down the line once wireguard is playing ball).

THE RESULT? I can now ping the RB1100 using address 10.10.0.1 (rather than the wireguard interface address), so one step closer! I still can’t ping anything else on 10.10.100.x though :frowning: