Hello,
I am a beginner to RouterOS and I have a MikroTik hAP ax3 router.
I’d like to route my Mullvad VPN, connected through a WireGuard interface, as a separate WiFi network.
I have the interface up and running but I don’t know how to set it up so that all traffic from WiFi Network ‘wgwifi’ connects via the WireGuard VPN/tunnel.
Please let me know if you would need any more information/specifics. Thank you in advance!
Yes, just to confirm did mulvad give you a private key to use or did they request your public key generated by MT…
to force all wifi users one needs four things…
table, route, routing rule and ensure users are sourcenatted out tunnel.
/routing table add fib name=wifiUsers
/ip route
add dst=0.0.0.0/0 gwy=wireguard1 table=wifiUsers
/routing rule add src-address=wifisubnet action=lookup table=wifiUsers
Note1: If you never want wifi users to have access to local internet, in the case of wireguard tunnel not working… then
change action to action=lookup-only-in-table
Note2: If the wifi users are supposed to be able to connect to other local lan subnets then you will need an additional routing rule BEFORE the other, order counts!
/routing rule add **dst-address=**otherlocalsubnet action=lookup-only-in-table table=main
/routing rule add src-address=wifisubnet action=lookup table=wifiUsers
Finally since mulvad is expecting one iP address,
add chain=srcnat action=masquerade out-interface=wireguard1
When all is done you should post your complete config for review.
/export file=anynameyouwish ( minus router serial # and any public WANIP information keys etc…)
Hi, thank you for your reply.
I’m going through the commands now.
However, I’m struggling with the wifisubnet one.
The WiFi network ‘sufband-pl’ would be the one to go through Mullvad/WireGuard. I originally set it up with subnet 192.168.10.2-192.168.10.254/24 in an address pool, then setting up a DHCP server. I’ve now found that when connecting to this WiFi network, the subnet is 192.168.88.— (the default one that all devices go by). In Winbox/WebFig, Mikrotik is telling me that the DHCP server can not run on the slave interface.
I’ve attached the export of data so far.
wg-pl1 is the WireGuard interface
sufband-pl is the WiFi network (interface: wifi3)
Also, to clarify, Mullvad has a public and private key for me to follow. The public key is in the ‘peers’ section.
I’ve also attached the Wireguard config file that I’ve used to input data into MT - please let me know if I’ve redacted something I shouldn’t have
Many thanks for your help.
red_pl-waw-wg-101.conf.txt (190 Bytes)
1501a.rsc (8.45 KB)
Yes that makes sense, in terms of keys…
Okay normally I would use vlans for multiple wlans as it makes life simple for me.
However, I will try something without vlans first to see what works…
By putting wlan3 on its own subnet… Changes will be obvious below.
Also no clue about facepalm so removed it altogether… just confusing the picture for now.
/interface bridge
add admin-mac=18:FD:74:FD:88:BC auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=100M-full,1000M-half,1000M-full
speed=1Gbps
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac
configuration.country=“United Kingdom” .mode=ap .ssid=sufband disabled=no
security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac
configuration.country=“United Kingdom” .mode=ap .ssid=sufband disabled=no
security.authentication-types=wpa2-psk,wpa3-psk
add configuration.country=“United Kingdom” .hide-ssid=yes .mode=ap .ssid=
sufband-pl disabled=no mac-address=1A:FD:74:FD:88:C0 master-interface=
wifi1 name=wifi3 security.authentication-types=wpa2-psk,wpa3-psk
/interface wireguard
add listen-port=13231 mtu=1420 name=wg-pl1
/interface vlan
add interface=ether1 name=vlan911 vlan-id=911
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan911 name=pppoe-out1
use-peer-dns=yes user=GN*****@giga.net.uk
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_wifipool ranges=192.168.11.2-192.168.11.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=dhcp-lan
add address-pool=dhcp_wifipool interface=wifi3 name=dhcpwifi
/port
set 0 name=serial0
/routing table
add fib name=wifiUsers
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2 {removed from bridge was wifi3 }
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=wifi3 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=10.65.192.76/24 interface=wg-pl1 network=10.65.192.0
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.11.1/24 interface=wifi3 network=192.168.11.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1*
add address=192.168.11.0/24 gateway=192.168.11.1 dns-server=10.64.0.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=accept chain=forward comment=“allow port forwardiing” connection-nat-state=dstnat
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=wifi3 out-interface=wg-pl1
add action=drop chain=forward comment=“drop all else”
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wg-pl1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg-pl1 pref-src=“” * { good rule just wanted to emphasize it }
routing-table=wifiUsers suppress-hw-offload=no
_/ip service
set www-ssl disabled=no
/ip smb
set enabled=yes
/ip smb shares
set [ find default=yes ] disabled=yes
add directory=/usb1 name=usb1
/ip smb users
add name=admin read-only=no
/system clock
set time-zone-name=Europe/London
/tool e-mail
set address=smtp.office365.com from=mikrotik@.net port=857 tls=
starttls user=mikrotik@**.net_
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN
These two rules were removed as their purpose is unknown and doubtful in terms of practicality or security.
add action=accept chain=output dst-address=45.134.212.6 dst-port=51820
protocol=udp
add action=accept chain=input protocol=udp src-address=45.134.212.66
src-port=51820
Note you can remove all IPV6 rules if not using IPV6 ISP…
Hi,
I’ve followed your instructions and commands - and I think I’ve followed as best as I could, I’ve attached the new config.
The WiFi network is now connectable (i.e. phone/device can connect to it) as earlier it was unable to do so due to the problems with the DHCP server.
However, there is no internet/Wireguard connection. To make sure that this wasn’t the Wireguard key (which I doubted anyway), I created a new configuration to double-check (forgetting that this would reset keys and change an IP). I’ve attached the new WG conf (I won’t reset it again, sorry!).
re. previous set up - facepalm was to alleviate a bug in WebFig where thee was no option available to select under DHCP even though you had to in order to apply a configuration (I saw a forum post with a DHCP option on how to fix it and the example used ‘facepalm’ as the example name so I kept it).
ISP supports IPv6 so I’ve left the settings
Thank you so much for your help - we are slowly getting there!
r_pl-waw-wg-101 (1).txt (190 Bytes)
1501c -r.rsc.rsc (8.85 KB)
(1) Since you are the client, for wireguard you need to add keep alive in the PEER settings, lets say 30 seconds…
(2) You forgot to remove this address.… dont think it belongs
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
add address=192.168.10.1/24 interface=bridge network=192.168.10.0
add address=10.67.223.84/24 interface=wg-pl1 network=10.67.223.0
add address=192.168.11.1/24 interface=wifi3 network=192.168.11.0
(3) I find it frustrating that you refuse to order your firewall rules. the input chain all together followed by the forward chain or vice versa as long as together. Much easier to read and better in detecting errors.
(4) This is problematic and needs to be removed… The Wireguard interface will make the necessary connection.
add action=accept chain=output dst-address=45.134.212.6 dst-port=51820
protocol=udp
(5) This is also ridiculous and problematic and needs to be removed…
add action=accept chain=input protocol=udp src-address=45.134.212.66
src-port=51820
The mullvad server is not connecting to you, you are connecting to it!!!
(6) This rule is an old default rule that should be removed, we have it covered by better rules
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
(7) You have this rule duplicated, remove one of them…
add action=accept chain=forward in-interface=wifi3 out-interface=wg-pl1
(8) You have an ip route doing nothing but getting in the way and needs to be removed.
/ip route
add dst-address=0.0.0.0
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg-pl1 pref-src=“”
routing-table=wifiUsers suppress-hw-offload=no
(9) Finally MISSING necessary routing rule!!!
/routing rule add src-address=192.168.11.0/24 action=lookup table=wifiUsers
Note: If you never want the wifi users from this subnet to be able to access the local WAN, in case the wireguard tunnel is down for whatever reason,
the change the action to: action=lookup-only-in-table
(10) Make the necessary changes and it should work…
++++++++++++++++
PS if the address provided by mulvad for you has changed, then you need to do so in the IP address for wireguard on the MT.
Hi, thank you for your reply.
I’m really sorry about the firewall - I kept all the default settings and added the input/output for the Mullvad server just in case (now removed).
Unfortunately, I still cannot connect to the Internet (no packets being received). What information can I provide you with, please?
Thank you so much once again!
Post the lastest config with all the changes incorporated will attempt to see if I notice anything!
Hi, please find attached.
Thank you
1701a.rsc (8.51 KB)
(1) You can get rid of this static DNS entry that the default config comes with
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
(2) You still didnt get rid of this bogus entry ???
/ip route
add dst-address=0.0.0.0
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg-pl1 pref-src=“”
routing-table=wifiUsers suppress-hw-offload=no
(3) Finally double check you have the right information loaded.
a. DNS server from vpn provider is correct. aka you are sure its dns-server=10.64.0.1
b. IP address that you should use is correct aka are your sute its add address=**10.67.223.84/**24
c. Endpoint address/port is endpoint-address=45.134.212.66 endpoint-port=
51820
As discussed they would have provided you a private key and a public key.
The private key you use in your Wireugard interface settings and dont let the MT router generate one. Since this generates a known public key they will already have that.
The public key you use on your peer settings for the vpn provider.
Hi,
I haven’t been able to remove the first/default entry because I don’t know how to (I don’t see it in Webfig/Winbox which is the only way I know how to).
I’ve updated records and removed the bogus entry, as well as triple-checked that everything is correct.
The issue (no internet access via WiFi) is still persisting. I can see MT is generating a public key despite me setting up a peer.
I think it might be that, but how can I prevent MT from generating its own public key?
Thank you
Hi there, Mullvand gave you two keys, one labelled private the other public.
The private key that Mullvad provided you, which you you need to use as input on your wireguard interface settings as the private key entry —> then based on the provided and entered private key, the router will generate a public key.
However you dont need to do anything with that key as mullvad already knows it.
You only need on the peer settings on the MT, to use the second ( public) key that Mullvad gave you.
I dont use wine so cannot help on how to get rid of that entry…
Do you have access to CLI ??
From CLI first try
/ip route print
my example.......
@capac-] > /ip route print
Flags: D - DYNAMIC; I, A - ACTIVE; c, s, y - COPY; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
0 IsH................ 0.0.0.0/0 0.0.0.0 1
1 As .............0.0.0.0/0 192.168.0.1 1
DAc .........192.168.0.0/24 homeVlan 0
DIcH ......192.168.66.0/32 emergaccess 0
@capac-] >
you can see I added a route with just a destination address of 0.0.0.0/0
Note the far left column which shows a ZERO....... under the # symbol.
Then I typed the command
/ip route
then type the command
print
remove 0
result........ The bad entry is gone!!!
Flags: D - DYNAMIC; I, A - ACTIVE; c, s, y - COPY; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
0 As 0.0.0.0/0 192.168.0.1 1
DAc 192.168.0.0/24 homeVlan 0
DIcH 192.168.66.0/32 emergaccess 0
@capac] /ip/route>