My objective is to configure my hex S as a switch behind my main router and route only specific traffic through a Wireguard client connection.
Until now I obtained half a result: port 1 is connected to the router, routing traffic from port 2 via the VPN, while the remaining ports are bridged together port 1 and outside the routing table, so the devices are served by the main router DHCP. Port 2 is isolated, IP is given by hexS DHCP and only exit to internet through the remote Wireguard server.
My goal is to redirect traffic selectively from every port, e.g. requests to 8.8.8.8 via VPN, leaving the devices on the local subnet and served via home router for any other request.
I don’t know if I must start from here to obtain my goal or if I can start from scratch, maybe using a clean bridge mode and only filter traffic and redirect it using VLANs.
Its clear that in fact you dont want the hex to be a switch you want it to be a router.
Thus set it up as so and it will be much clearer.
One bridge all vlans, no DHCP for bridge for starters.
Is the hex going to be a wireguard client or server PEER for handshake of wireguard?? If server, then you will have to forward a port from the upstream router (assuming it has access to a public IP)
Next decide if any of the ports on your hex will be transparent to the hex ( not part of its routing ) but simply a port that is used for an upstream router Subnet.
It was my main router and it was much simpler to configure as I desire. With the new ISP I have to use a custom device and put the hex in a drawer, until now.
One bridge all vlans, no DHCP for bridge for starters.
I want the devices connected to the hex to be part of the subnet generated from the ISP router, so I can use easily their management software (nas, tv, ip nvr, ecc. ecc.) without subnatting.
Is the hex going to be a wireguard client or server PEER for handshake of wireguard?? If server, then you will have to forward a port from the upstream router (assuming it has access to a public IP)
The hex is a wg client, this part is just working for the device connected to ETH2; I would like to send traffic selectively and via the not natted ports.
Next decide if any of the ports on your hex will be transparent to the hex ( not part of its routing ) but simply a port that is used for an upstream router Subnet.
Sorry, I don’t understand this part. I can obtain this without putting them in a separate bridge? But would then be able to send certain traffic through the vpn?
I just read again and maybe understand better: I can set hex as router, all ports under main bridge, no dhcp, just rules to redirect traffic through vpn?
I need to maintain separated routing tables for traffic via tunnel and via lan?
Draw a diagram.
I envisage
a. getting a private WANIP from the ISP router on its subnet ( assuming its a single subnet capable device not vlans ).
This is also the LANIP of the HEX on the ISP LAN.
b. So what we will do is capture the incoming traffic and vlan it, tag it and
(i) terminate the vlan in a WAN connection for the hex
(ii) pass the vlan transparently to any ports where you want devices connected to the ISP LAN.
The rest of the hex ports will be for whatever hex lan subnet you create.
Only the hex subnets will be under your control regarding traffic, firewall rules routing etc.
The ISP subnets you will not have any control over using the hex, they are transparent, using the hex like a switch only, coming in thru ether 1 and getting moved to whatever etherport or WLAN if you were using a wifi router etc… Of course if your pc is connected to one of these ports you have direct access to any devices the ISP router allows to that ISP lan IP address etc..
HOp;e that makes it clearer
ONe bridge, with vlans. So yes the subnet behind the MT router would be a vlan as well.
Now as far as wireguard, did you say it was going to be a peer CLIENT or SERVER for handshake.
If a client peer for handshake, Will it connect to another router that is server for handshake, or to a third party VPN provider???
Now you can allow local subnet users to wireguard, but you have no way to router ISP users through this wireugard connection, they only have access out the ISP LAN gateway.
The hex users can either go out the ISP wan, or the wireguard tunnel if that is the purpose.
For users coming in firewall rules play into whether or not
a. the user can config the hex router, connect to the local subnet, connect to the ISP subnet via the normal gateway.. ( in which case the ISP router will need static routes for any subnets that connect to ISP users, that the ISP doesnt know about )
Now you can allow local subnet users to wireguard, but you have no way to router ISP users through this wireugard connection, they only have access out the ISP LAN gateway.
The hex users can either go out the ISP wan, or the wireguard tunnel if that is the purpose.
For users coming in firewall rules play into whether or not
I don’t want other users on the ISP subnet to access the VPN, exept for those directly connected to MT ports. But I’d like them to access VPN while staying in the ISP subnet
a. the user can config the hex router, connect to the local subnet, connect to the ISP subnet via the normal gateway.. ( in which case the ISP router will need static routes for any subnets that connect to ISP users, that the ISP doesnt know about )
If I figured correctly the devices connected to MT on a port towards which I passed the vlan transparently are NOT allowed to reach the VPN tunnel, because they are ignored by MT router who acts as a switch for them.
BUT what if I create a subnet on Mikrotik on the same segment of the ISP router, with absolutely NO ROUTING AND FIREWALL RULES? Just a merely redirect of every packet from and to the two subnets… The DHCP server will be the ISP device, so any conflict will be avoided. But, this way, I can intercept packets (obv only from devices connected to MT) and redirect them as I wish. Could be possible??
Yes you can do this. (But I would probably leave the default config on it, with firewall rules, etc)
Make a subnet, eg. 192.168.10.160/28 (A range of 16), with router ip as .161 attach it to a new vlan on the bridge and some ports.
Mark the vlan as a lan interface.
Make an appropriate dhcp server. (/28)
Then on the original lan side (also marked as a lan interface) you can either
-enable proxy arp (which is a bit blunt)
Or make a bunch of published arp entries for each client IP address in the new subnet range (a bit more targeted)
192.168.10.162-192.168.10.174 I think. And attach each ARP entry to the bridge with 192.168.10.0/24 on it.
Then you should be able to ping from either side to the other side. (Assuming the end devices are prepared to answer pings)
Devices on your new segment know they are on a small /28 subnet, but the rest of the devices including the ISP router think they are in their /24 subnet.
Then you can use firewall rules to push traffic from the /28 subnet via wireguard as required.
You can likely do your original request, but it is kind of expensive (on a hex)
You need to have one or more bridge nat rules, that match your requirements that
redirect to the CPU which effectively kicks the packet to the routing engine, and then to wireguard as required.
If the routing engine just forwards the packet to the ISP router, you will likely need either reverse direction bridge nat rules
(or the outbound packet to be natted, so it comes back to the hex router and back to origin via routing engine)
You need to disable bridge hardware offloading on all ports that need this.
On something like a hap ac2, (for a small number of rules) you can have the bridge in hardware offloaded mode, (so bypassing
the bridge nat rules) with switch rules redirecting appropriate packets to the cpu through bridge nat rules and then routing engine.
In any case this is a very bad discussion in that you are talking config speak and not requirements speak.
Please describe the requirements by identifying users and their traffic requirements and not pretzel setups that may or may not work,
Is this a local wireguard on the hex ( its the server peer for handshake as the ISP router can forward ports to the hex?) Or is the wireguard a connection to a third party server.
In other words more accurately describe the users behind the MT,
how many subnets, will one subnet use WG for internet or all of them, what happens if wireguard is not available do you want them to be able to access the local WAN via the ISP router?
I followed some of your advice and ignored others because I didn’t understand them…
But I arrived at a working configuration, with the ability to set whitelist or blacklist rules for access to the VPN, keeping all devices on the same network as the main router. The only precaution is to set Mikrotik as the gateway on the devices that need to access the VPN, while the others rely on DHCP.
I’m publishing the configuration in case it might be useful to someone as a starting point, since I wasn’t able to find anything similar here or on other channels.
# 2025-02-27 22:25:42 by RouterOS 7.18
# software id = ET28-YGMR
#
# model = RB760iGS
# serial number = XXX
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=sfp1 ] advertise="10M-baseT-half,10M-baseT-full,100M-b\
aseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full"
/interface wireguard
add listen-port=XXX mtu=1420 name=wg1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/routing table
add comment="wg table" disabled=no fib name=wg-rtab
/disk settings
set auto-media-interface=*8 auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge1 comment=defconf interface=ether2
add bridge=bridge1 comment=defconf interface=ether3
add bridge=bridge1 comment=defconf interface=ether4
add bridge=bridge1 comment=defconf interface=ether5
add bridge=bridge1 comment=defconf disabled=yes interface=sfp1
add bridge=bridge1 interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=192.168.178.0/24,0.0.0.0/0 endpoint-address=\
XXX endpoint-port=XXX interface=wg1 name=peer1 \
persistent-keepalive=25s preshared-key=\
"XXX" public-key=\
"XXX"
/ip address
add address=192.168.0.91/25 comment=defconf interface=bridge1 network=\
192.168.0.0
add address=192.168.178.201/24 interface=wg1 network=192.168.178.0
/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
add comment=defconf interface=ether1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-address-list="" dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log-prefix="TEST - "
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wg1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg1 routing-table=\
wg-rtab scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ether1 \
routing-table=*401 scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/routing rule
add action=lookup disabled=no dst-address=192.168.0.0/24 src-address=\
192.168.0.13/32 table=main
add action=lookup disabled=no src-address=192.168.0.13/32 table=wg-rtab
add action=lookup disabled=no dst-address=8.8.8.8/32 src-address=\
192.168.0.32/32 table=wg-rtab
add action=lookup disabled=no src-address=192.168.0.32/32 table=main
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
