Routing a VLAN through Wireguard

kali · January 5, 2024, 6:16am

Im having an insane amount of trouble routing my VLAN40 through my Wireguard tunnel. I have been going back and forth in these forums but cant seem to get it right. I only want this VLAN40 to go through Wireguard and the rest going through my main provider gateway like a split tunnel.This is my new config. I want to get the routing setup with WG right before I polish this off with all the firewall rules, ZT and etc. I just started this config so don’t think this is going to be my full 100% production setup bc its not. there is still a good amount of features and preferences id like to add with the VLANS and security rules.

Please tell me what I’m doing wrong. I tried using mangle rules, route tables and the list goes on and I just cant seem to get it right.

Config Export:

/interface bridge
add mtu=1510 name="BR - VLAN10 - General LAN" vlan-filtering=yes
add name="BR - VLAN20 - iOT" vlan-filtering=yes
add mtu=1510 name="BR - VLAN30 - Guest LAN" vlan-filtering=yes
add mtu=1510 name="BR - VLAN40 - VPNLAN" vlan-filtering=yes
add admin-mac=78:9A:18:62:5E:5F auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name="ether1 WAN"
set [ find default-name=ether2 ] name="ether2 MDF"
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireguard
add listen-port=13231 mtu=1420 name="xxxxxxxxxxxxxxxxxxxxxx"
/interface vlan
add interface="ether2 MDF" name="VLAN10 - General " vlan-id=10
add interface="ether2 MDF" name="VLAN20 - iOT" vlan-id=20
add interface="ether2 MDF" name="VLAN30 - Guest " vlan-id=1
add interface="ether2 MDF" name="VLAN40 - VPN" vlan-id=40
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool2 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool3 ranges=192.168.30.2-192.168.30.254
add name=dhcp_pool4 ranges=192.168.40.2-192.168.40.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
add address-pool=dhcp_pool1 interface="BR - VLAN10 - General LAN" name=dhcp1
add address-pool=dhcp_pool2 interface="BR - VLAN20 - iOT" name=dhcp2
add address-pool=dhcp_pool3 interface="BR - VLAN30 - Guest LAN" name=dhcp3
add address-pool=dhcp_pool4 interface="BR - VLAN40 - VPNLAN" name=dhcp4
/routing table
add disabled=no fib name=VPN1
add disabled=no name="VPN Failover"
/interface bridge port
add bridge=bridge comment=defconf interface="ether2 MDF"
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge="BR - VLAN10 - General LAN" interface="VLAN10 - General "
add bridge="BR - VLAN20 - iOT" interface="VLAN20 - iOT"
add bridge="BR - VLAN30 - Guest LAN" interface="VLAN30 - Guest " tag-stacking=yes
add bridge="BR - VLAN40 - VPNLAN" interface="VLAN40 - VPN"


/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge
add bridge="BR - VLAN10 - General LAN" tagged="ether2 MDF" vlan-ids=10
add bridge="BR - VLAN20 - iOT" tagged="ether2 MDF" vlan-ids=20
add bridge="BR - VLAN30 - Guest LAN" tagged="ether2 MDF" vlan-ids=30
add bridge="BR - VLAN40 - VPNLAN" tagged="ether2 MDF" vlan-ids=40
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface="ether1 WAN" list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=xxxxxxxx endpoint-port=51820 interface=" WG interface " \
    persistent-keepalive=25s public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.10.0/24 interface="VLAN10 - General " network=192.168.10.0
add address=192.168.10.1/24 interface="BR - VLAN10 - General LAN" network=192.168.10.0
add address=192.168.30.1/24 interface="BR - VLAN30 - Guest LAN" network=192.168.30.0
add address=192.168.30.0/24 interface="VLAN30 - Guest " network=192.168.30.0
add address=192.168.20.0/24 interface="VLAN20 - iOT" network=192.168.20.0
add address=192.168.20.1/24 interface="BR - VLAN20 - iOT" network=192.168.20.0
add address=192.168.40.0/24 interface="VLAN40 - VPN" network=192.168.40.0
add address=192.168.40.1/24 interface="BR - VLAN40 - VPNLAN" network=192.168.40.0
add address=10.2.0.2 interface="WG interface" network=10.2.0.0
/ip dhcp-client
add comment=defconf interface="ether1 WAN" use-peer-dns=no
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1,8.8.8.8,1.1.1.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1,8.8.8.8,1.1.1.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1,8.8.8.8,1.1.1.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.40.1,8.8.8.8,1.1.1.1 gateway=192.168.40.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=10.2.0.1,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting connection-type="" new-routing-mark=VPN1 passthrough=no src-address=\
    192.168.40.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=" WG interface " src-address=192.168.40.0/24
/ip route
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=VPN1 scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=VPN1 scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no dst-address=xxxxxxxxxx/32 gateway=xxxxxxxxxxxxxx routing-table=VPN1 suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=" WG interface " pref-src="" routing-table=VPN1 \
    scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/Phoenix
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] > export
# 2024-01-04 22:58:39 by RouterOS 7.11.2
# software id = GIXV-EJ2I
#
# model = RB5009UG+S+
# serial number = 
/interface bridge
add mtu=1510 name="BR - VLAN10 - General LAN" vlan-filtering=yes
add name="BR - VLAN20 - iOT" vlan-filtering=yes
add mtu=1510 name="BR - VLAN30 - Guest LAN" vlan-filtering=yes
add mtu=1510 name="BR - VLAN40 - VPNLAN" vlan-filtering=yes
add admin-mac=78:9A:18:62:5E:5F auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name="ether1 WAN"
set [ find default-name=ether2 ] name="ether2 MDF"
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireguard
add listen-port=13231 mtu=1420 name="xxxxxxxxxxxxxx"
/interface vlan
add interface="ether2 MDF" name="VLAN10 - General " vlan-id=10
add interface="ether2 MDF" name="VLAN20 - iOT" vlan-id=20
add interface="ether2 MDF" name="VLAN30 - Guest " vlan-id=1
add interface="ether2 MDF" name="VLAN40 - VPN" vlan-id=40
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool2 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool3 ranges=192.168.30.2-192.168.30.254
add name=dhcp_pool4 ranges=192.168.40.2-192.168.40.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
add address-pool=dhcp_pool1 interface="BR - VLAN10 - General LAN" name=dhcp1
add address-pool=dhcp_pool2 interface="BR - VLAN20 - iOT" name=dhcp2
add address-pool=dhcp_pool3 interface="BR - VLAN30 - Guest LAN" name=dhcp3
add address-pool=dhcp_pool4 interface="BR - VLAN40 - VPNLAN" name=dhcp4
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" disabled=yes disabled=yes name=zt1 port=9993
/interface bridge port
add bridge=bridge comment=defconf interface="ether2 MDF"
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge="BR - VLAN10 - General LAN" interface="VLAN10 - General "
add bridge="BR - VLAN20 - iOT" interface="VLAN20 - iOT"
add bridge="BR - VLAN30 - Guest LAN" interface="VLAN30 - Guest " tag-stacking=yes
add bridge="BR - VLAN40 - VPNLAN" interface="VLAN40 - VPN"
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge
add bridge="BR - VLAN10 - General LAN" tagged="ether2 MDF" vlan-ids=10
add bridge="BR - VLAN20 - iOT" tagged="ether2 MDF" vlan-ids=20
add bridge="BR - VLAN30 - Guest LAN" tagged="ether2 MDF" vlan-ids=30
add bridge="BR - VLAN40 - VPNLAN" tagged="ether2 MDF" vlan-ids=40
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface="ether1 WAN" list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address xxxxxxxxx endpoint-port=51820 interface=" WG interface xxxxxxxxx " \
    persistent-keepalive=25s public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.10.0/24 interface="VLAN10 - General " network=192.168.10.0
add address=192.168.10.1/24 interface="BR - VLAN10 - General LAN" network=192.168.10.0
add address=192.168.30.1/24 interface="BR - VLAN30 - Guest LAN" network=192.168.30.0
add address=192.168.30.0/24 interface="VLAN30 - Guest " network=192.168.30.0
add address=192.168.20.0/24 interface="VLAN20 - iOT" network=192.168.20.0
add address=192.168.20.1/24 interface="BR - VLAN20 - iOT" network=192.168.20.0
add address=192.168.40.0/24 interface="VLAN40 - VPN" network=192.168.40.0
add address=192.168.40.1/24 interface="BR - VLAN40 - VPNLAN" network=192.168.40.0
add address=10.2.0.2 interface=" WG interface " network=10.2.0.0
/ip dhcp-client
add comment=defconf interface="ether1 WAN" use-peer-dns=no
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1,8.8.8.8,1.1.1.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1,8.8.8.8,1.1.1.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1,8.8.8.8,1.1.1.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.40.1,8.8.8.8,1.1.1.1 gateway=192.168.40.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=10.2.0.1,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=" WG interface " src-address=192.168.40.0/24
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/Phoenix
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

PS: Sometimes I want to order a UDM . but I’m not gonna be a little bitch so plz help me out so I can continue loving my tikbox bc she does very well (sometimes).

rplant · January 5, 2024, 12:36pm

Hi,

I think you should seriously consider using a single bridge, and vlan filtering.

But anyway.

The following don’t make any sense, the bridges are not attached to “ether2 MDF”

/interface bridge vlan
add bridge=“BR - VLAN10 - General LAN” tagged=“ether2 MDF” vlan-ids=10
add bridge=“BR - VLAN20 - iOT” tagged=“ether2 MDF” vlan-ids=20
add bridge=“BR - VLAN30 - Guest LAN” tagged=“ether2 MDF” vlan-ids=30
add bridge=“BR - VLAN40 - VPNLAN” tagged=“ether2 MDF” vlan-ids=40

You have connected them to the Assorted Vlans via the bridge port
eg.
/interface bridge port
add bridge=“BR - VLAN40 - VPNLAN” interface=“VLAN40 - VPN”

Data from this end of a vlan comes in untagged.

You could just have the whole “BR - VLAN40 - VPNLAN” bridge with no vlan information on it.
Then apply the IP address, and LAN interface list membership to the bridge. (I assume it is a LAN)
(Easiest)

Or you can have it with vlans on this bridge.

/interface bridge vlan
add bridge=“BR - VLAN40 - VPNLAN” tagged=bridge untagged=“VLAN40 - VPN” vlan-ids=40

/interface bridge port
add bridge=“BR - VLAN40 - VPNLAN” interface=“VLAN40 - VPN” pvid=40

In this case you would attach another vlan interface with vlan id=40 to this bridge to attach the
IP address too, (and mark it as LAN or WAN)

eg.
/interface vlan
add interface=“BR - VLAN40 - VPNLAN” name=“VLAN40” vlan-id=40

It is rapidly getting (more) ugly.
You would be better adding the above stuff (or very close to it) direct to the main bridge.
(And then you don’t need all the vlan interfaces attached to ether2, it can be split out the vlans in the bridge.)

eg.
/interface bridge vlan
add bridge=bridge tagged=bridge tagged=ether2 vlan-ids=10,20,30,40
add bridge=bridge untagged=bridge, ether2

And
/interface vlan
add interface=bridge name=“VLAN40 VPN” vlan-id=40

Continuing…

You should only have one 192.168.40.1/24 IP address.
It will be either on the associated VLAN, or bridge.

Routing and Wireguard

Is your WG peer entry getting rx and tx and last handshake.
(You need to get this working first)

Add the bridge, or vlan to the LAN interface list. ** (You can try without, but initially) **

Your wireguard addressing looks wrong. (It may not be, but some of your routes indicate otherwise)
Could it perhaps be 10.2.0.2/30 or 10.2.0.2 with network 10.2.0.1 (is the other end of the link actually 10.0.2.0)
Can you ping the other end from the router, eg 10.0.2.0 (10.0.2.1)

Why is your wireguard interface called " WG interface " with spaces around it?
Actually the whole quoted names with spaces in them seems likely to result in you spending lots of time fighting things you don’t need to.
(It may not, they may have got it right…)

The routing and mangle looks ok(ish)

You could in fact try

/ip route
add disabled=no dst-address=8.8.8.8 gateway=" WG interface "

And do a traceroute to 8.8.8.8 (from any interface, or from the router itself)

anav · January 5, 2024, 8:15pm

Only a fool thinks firewall rules need not be considered in wireguard traffic. I wont even look at the config until its one bridge and all vlans (bridge does no dhcp).
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

rplant · January 5, 2024, 10:21pm

Anav is worth listening to.

On further consideration, the routing is a bit broken.
Once a device on vlan40 gets an IP address it won’t be able to ping or otherwise connect to the router.
(Packets sent from it to the routers IP address are pushed out the wireguard interface)

My normal method would be to force route marked packets to go via routing rules.
Then handle cases there.

eg.

/ip firewall mangle
add action=mark-routing chain=prerouting connection-type="" new-routing-mark=RULE-VPN1 passthrough=no src-address=\
    192.168.40.0/24

#rules in order.
/routing rule
#all local traffic uses main table (assumes vlan40 can connect to other local networks)
add action=lookup disabled=no dst-address=192.168.0.0/16 table=main
#other traffic marked with RULE-VPN uses VPN table
add action=lookup disabled=no routing-mark=RULE-VPN1 dst-address=0.0.0.0/0 table=VPN1

Another option might be to drop the mangle rule entirely, and have 2nd routing rule entry changed to

add action=lookup disabled=no interface="VLAN40 - VPN" dst-address=0.0.0.0/0 table=VPN1

Yet another option might be to limit the packets you mark.
eg. dst-address=!192.168.40.0/24

kali · January 6, 2024, 1:27am

@rplant I like your method. I do have a couple of questions.

If I put all my VLANS onto the single LAN bridge how do I go abt setting up DHCP for the .10, .20 .30 .40 networks? It gives me a “interface is a slave” message when I do a DHCP config setup to the vlan itself. What do you recommend for DHCP?

kali · January 6, 2024, 1:38am

disregard that last post. i figured it out.

currently setting up a new config with you guys’s advice. ill let UK how it goes.