"Transparent" WireGuard VPN on some Eth ports only

Hello, I want to create something like a "transparent WireGuard VPN".

I have a MikroTik at home connected "indirectly" to a fixed public IP address (I mean that the MikroTik has an address like 10.3.x.x/24 from my provider, and the provider forwards everything from my public IP 188.x.x.x to this address; this works, I already have some rules that forward traffic to several home devices that I want to reach at my public address). Let's call this the "home" MT.

Then I have a "mobile" MikroTik (actually a hEX lite, RB750r2). It has 5 ports, port 1 for "internet" by default. I've created a WireGuard1 link between this "mobile" and the "home" MikroTik, so that when the "mobile" MikroTik connects to the internet on port 1 (for testing I use a T-Mobile external router, but in the final configuration it can be anything that "provides internet", like Starlink or any other provider), the "mobile" MT connects to the public IP address 188.x.x.x and the tunnel goes into the "home" MT. The connection is established and it works. It does not have IP addresses on the WireGuard1 interfaces, since I've read on this forum that it's not really necessary. I'd like to keep it that way, if possible.

Then I created two bridges: bridge_2,3 for ports 2 and 3 and bridge_4,5 for ports 4 and 5. The idea is that bridge_4,5, which has the "default" IP address 192.168.88.1/24 and provides a DHCP server in that range, would behave like the default bridge created in the default configuration on all four ports (2-5). That means anything that connects to these ports will go to the internet as normal, i.e. the internet connected to port 1. This works now.

For the second bridge, bridge_2,3, I want anything that connects to ports 2 and 3 to go to the internet through the WireGuard connection "transparently". The internal "LAN" network on the "home" MT has the IP address 192.168.22.88/24 (.88 is the MikroTik itself and works as one of my "default" gateways, primarily for the devices that need to be reachable on the public IP address), and I want ports 2 and 3 on the "mobile" MikroTik to use this "home" MikroTik as the default gateway. Whether the "mobile" MT will have another subnet (like 192.168.104.0/24) on bridge_2,3 with routing between the "home" MT and the "mobile" MT, or clients on bridge_2,3 will also have IP addresses in the 192.168.22.xx/24 range, doesn't matter (to me). The only thing needed is that all devices at home (192.168.22.xx) can communicate with all devices at "mobile" on ports 2,3 (and with the "mobile" MT as well), and of course reach the internet through my home provider. Somehow I think the solution with the extra subnet on bridge_2,3 will be better; I already have this bridge configured that way and a DHCP server (on the "mobile" MT) provides addresses in that range to clients connected to ports 2 and 3.

Anyway, I don't have a clue how to configure that :smiley:. So I'd like some kind soul to help me, please.

PS: I apologize for my English, it's not my primary language, I'm still learning.

That all sounds very doable; a network diagram would help to unravel the spaghetti network you described.

To find common ground:
You have an MT router where the upstream device provides a private IP but forwards all ports to your MT router.
This is good and is all you need for the MT to be a SERVER for any INCOMING connections.
By incoming I mean external connections.

This means external users, perhaps only yourself as the admin, can
a. access the home router for configuration purposes
b. access the home LAN devices.

Can you be clearer on what requirements you have? It was all jumbled up.
There is no option for local users to go out via WireGuard for internet, unless you have another WireGuard MT or cloud MT somewhere else.
Remote users coming into your router could use your WAN for internet, if that is what you mean, as opposed to where the remote user is actually located.

I tried to draw the diagram:
NetDiagram.png
What is already working is the WireGuard1 connection; both sides communicate without problem. The bridges on the "Mobile" MT already exist.
All devices connected to the ports assigned to bridge_2,3 (ports 2 and 3) should go to the internet through the "Home" MT via WireGuard1 and also communicate with all the devices in the Home LAN (they all have addresses like 192.168.22.x/24).
All devices connected to the ports assigned to bridge_4,5 (ports 4 and 5) should go to the internet directly via port 1 on the "Mobile" MT. They do not need to (not necessarily "must not") communicate with the devices on bridge_2,3 or with the devices in the Home LAN.
I hope I made it a bit clearer now :slight_smile:.

ONE BRIDGE!!!

You only have five ports, so you cannot have a separate address for ether2 as that is already part of the bridge… so drop that idea for now. The alternative is to connect ether3 to an unmanaged 5-port switch (cheap), which gives you 4 usable ports instead of one on the MT; ether2 can then stay off the bridge as a separate entity. The config below does not include that nice-to-have. Also, you need to be clearer on communications between the two subnets on the Mobile router.
Answer the four questions:
a. Do the users going through WireGuard (vlan23) need to reach other local subnet users or devices (v45) that use the local WAN?
b. Do the users going through the local WAN (v45) need to reach any users or devices on the WG-associated subnet (v23)?
c. Do you want users from v45 to reach the Main router subnet 192.168.22.0/24 but just not use the internet from Main?
d. Are any users from the Main router going to visit either v23 or v45 on the Mobile router?

/interface bridge
add name=bridge1
/interface vlan
add interface=bridge1 name=vFourFive vlan-id=45
add interface=bridge1 name=vTwoThree vlan-id=23
/interface wireguard
add listen-port=13230 mtu=1420 name=wireguard1
/interface list
add name=WAN
add name=LAN
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=23
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=23
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=45
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=45
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2,ether3 vlan-ids=23 comment="use WG for internet"
add bridge=bridge1 tagged=bridge1 untagged=ether4,ether5 vlan-ids=45 comment="use local WAN"
/interface bridge
# enable filtering only after the port and VLAN tables above are in place, otherwise the VLAN table is ignored
set bridge1 vlan-filtering=yes
/interface list member
add interface=ether1 list=WAN
add interface=vFourFive list=LAN
add interface=vTwoThree list=LAN
# wireguard1 in LAN lets the Main router side reach this router's services and use its WAN (the LAN input and forward rules below); take it out of LAN and write explicit rules if that is not wanted
add interface=wireguard1 list=LAN
/interface wireguard peers
# allowed-address must cover every destination routed into the tunnel (the Main router's tunnel IP, its LAN and, because TO-WG sends 0.0.0.0/0 this way, the internet); WireGuard drops anything outside it. endpoint is the Main router's public 188.x.x.x address
add allowed-address=0.0.0.0/0 endpoint-address=188.x.x.x endpoint-port=51825 interface=wireguard1 persistent-keepalive=10s public-key="JgMJWdSc9y REDACTED="
/ip dhcp-client
add interface=ether1 add-default-route=yes
/ip address
add address=192.168.23.1/24 interface=vTwoThree network=192.168.23.0
add address=192.168.45.1/24 interface=vFourFive network=192.168.45.0
# the client should not have the .1 address, leave that to the server side (personal preference)
add address=10.252.1.2/24 interface=wireguard1 network=10.252.1.0
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/routing table
add fib name=TO-WG
/ip route
add dst-address=192.168.22.0/24 gateway=wireguard1 routing-table=main comment="Main router LAN via the tunnel; may or may not be needed depending on the answers above"
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=TO-WG comment="covers all Main router subnets, the WireGuard IPs and internet via the Main router"
/routing rule
# keep router-originated replies to v23 hosts (DNS from 192.168.23.1, etc.) on the connected route instead of the tunnel
add dst-address=192.168.23.0/24 action=lookup-only-in-table table=main
# ensures originated traffic from, or return traffic to, the non-WG subnet keeps working
add dst-address=192.168.45.0/24 action=lookup-only-in-table table=main
add src-address=192.168.23.0/24 action=lookup table=TO-WG
/ip firewall filter
# input chain
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="LAN to router" in-interface-list=LAN
add action=drop chain=input comment="drop all else"
# forward chain
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="outbound wireguard" in-interface=vTwoThree out-interface=wireguard1
# use out-interface-list=LAN instead of out-interface=vTwoThree if v45 must also be reachable from the Main router
add action=accept chain=forward comment="inbound wireguard" in-interface=wireguard1 out-interface=vTwoThree
add action=accept chain=forward comment="allow port forwarding; disable or remove if not required" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN

Now we have set up a situation where traffic can reach the other end, so the firewall rules and allowed IPs at the main router decide what is permitted.
You will need a route at the main router to send traffic for the Mobile subnet into the tunnel, as well as to list that subnet in the peer's allowed-address, etc.:
/ip route
add dst-address=<subnet-at-Mobile-router> gateway=wireguard1 routing-table=main

Not necessarily. Depends on what's easier to do. Preferably not.

Same as the previous question/answer. Not necessarily, preferably not.

Users from v45 do not need to reach the Main router subnet 192.168.22.0/24; they will use only the internet on the local WAN, not the internet from the Main router.

Yes, users from the Main router need to reach users on v23. Not necessarily users on v45 (preferably not). I'm aware of the need to set a route on the main router to be able to reach v23 users on the remote router.

I just hope I did not make any mistakes in understanding and answering your questions. Thanks a lot.

All good.
No cross-subnet traffic required on the Mobile RT.
V23 WireGuard users on the Mobile RT require access to the Main router LAN and the Main router WAN.
Main router subnet users require access to V23.

/interface bridge
add name=bridge1
/interface vlan
add interface=bridge1 name=vFourFive vlan-id=45
add interface=bridge1 name=vTwoThree vlan-id=23
/interface wireguard
add listen-port=13230 mtu=1420 name=wireguard1
/interface list
add name=WAN
add name=LAN
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=23
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=23
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=45
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=45
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2,ether3 vlan-ids=23 comment="use WG for internet"
add bridge=bridge1 tagged=bridge1 untagged=ether4,ether5 vlan-ids=45 comment="use local WAN"
/interface bridge
# enable filtering only after the port and VLAN tables above are in place
set bridge1 vlan-filtering=yes
/interface list member
add interface=ether1 list=WAN
add interface=vFourFive list=LAN
add interface=vTwoThree list=LAN
# wireguard1 in LAN lets the Main router side reach this router's services and use its WAN (the LAN input and forward rules below); take it out of LAN and write explicit rules if that is not wanted
add interface=wireguard1 list=LAN
/interface wireguard peers
# allowed-address must cover every destination routed into the tunnel (the Main router's tunnel IP, its LAN and, because TO-WG sends 0.0.0.0/0 this way, the internet); WireGuard drops anything outside it. endpoint is the Main router's public 188.x.x.x address
add allowed-address=0.0.0.0/0 endpoint-address=188.x.x.x endpoint-port=51825 interface=wireguard1 persistent-keepalive=10s public-key="JgMJWdSc9y REDACTED="
/ip dhcp-client
add interface=ether1 add-default-route=yes
/ip address
add address=192.168.23.1/24 interface=vTwoThree network=192.168.23.0
add address=192.168.45.1/24 interface=vFourFive network=192.168.45.0
# the client should not have the .1 address, leave that to the server side (personal preference)
add address=10.252.1.2/24 interface=wireguard1 network=10.252.1.0
/ip pool
add name=pool-wg ranges=192.168.23.10-192.168.23.254
add name=pool_local ranges=192.168.45.10-192.168.45.254
/ip dhcp-server
add address-pool=pool-wg interface=vTwoThree lease-time=1d name=dhcp23
add address-pool=pool_local interface=vFourFive lease-time=1d name=dhcp45
/ip dhcp-server network
# the router's own DNS lookups leave via the local WAN (main table); hand out dns-server=192.168.22.88 here if v23 lookups must also go through the tunnel
add address=192.168.23.0/24 dns-server=192.168.23.1 gateway=192.168.23.1
add address=192.168.45.0/24 dns-server=192.168.45.1 gateway=192.168.45.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/routing table
add fib name=TO-WG
/ip route
add dst-address=192.168.22.0/24 gateway=wireguard1 routing-table=main comment="Allow return traffic back to Main router"
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=TO-WG comment="Route for all wireguard destination queries"
/routing rule
# keep router-originated replies to v23 hosts (DNS from 192.168.23.1, etc.) on the connected route instead of the tunnel
add dst-address=192.168.23.0/24 action=lookup-only-in-table table=main
add src-address=192.168.23.0/24 action=lookup table=TO-WG
/ip firewall filter
# input chain
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="LAN to router" in-interface-list=LAN
add action=drop chain=input comment="drop all else"
# forward chain
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="outbound wireguard" in-interface=vTwoThree out-interface=wireguard1
add action=accept chain=forward comment="inbound wireguard" in-interface=wireguard1 out-interface=vTwoThree
add action=accept chain=forward comment="allow port forwarding; disable or remove if not required" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN

Thanks, it looks like it's working. I had to create similar firewall rules on my Home firewall to forward traffic between WireGuard and the local LAN, and create the route to be able to reach 192.168.23.0/24 from 192.168.22.0/24, and now it's OK.
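The Main ("home") router side is only sketched in the thread (the route at the end of the first answer and the "similar firewall rules" in the reply above). The following is an added example of that counterpart, written for this edit and not posted by anyone in the thread. It assumes names that are not in the thread: the home tunnel interface is called wireguard1 and listens on UDP 51825 (matching the Mobile peer's endpoint-port), the home LAN sits on an interface called bridge (192.168.22.88/24), the WAN interface list is called WAN, the tunnel subnet is 10.252.1.0/24 with the Main router at 10.252.1.1, and MOBILE_ROUTER_PUBLIC_KEY stands for the Mobile router's WireGuard public key.

```routeros
# Main ("home") router: added example, not the thread's own configuration.
# Assumed: wireguard1 / bridge / WAN interface names, 10.252.1.1 as the home tunnel IP,
# UDP 51825 forwarded by the provider from 188.x.x.x to this router.
/interface wireguard
add listen-port=51825 mtu=1420 name=wireguard1
/ip address
add address=10.252.1.1/24 interface=wireguard1 network=10.252.1.0
/interface wireguard peers
# allowed-address is WireGuard's cryptokey routing table: a packet arriving from the
# Mobile router is accepted only if its source lies in these prefixes, and a packet is
# sent to this peer only if its destination does. The Mobile tunnel IP and its v23
# subnet are therefore both listed. 0.0.0.0/0 is deliberately NOT used on this side:
# the home router must not push its own default route into the tunnel.
add allowed-address=10.252.1.2/32,192.168.23.0/24 interface=wireguard1 \
    public-key="MOBILE_ROUTER_PUBLIC_KEY" comment="Mobile router"
/ip route
# replies to Mobile v23 hosts (and home LAN traffic towards them) go back into the tunnel
add dst-address=192.168.23.0/24 gateway=wireguard1 routing-table=main comment="Mobile v23 via WG"
/ip firewall filter
# the Mobile router initiates; its handshakes arrive on the forwarded public port
add action=accept chain=input comment="WireGuard from Mobile router" dst-port=51825 protocol=udp
# v23 clients may reach the home LAN and the internet through the home WAN; nothing
# else from the tunnel is forwarded (the existing "drop all else" rule handles the rest)
add action=accept chain=forward comment="Mobile v23 -> home LAN" in-interface=wireguard1 out-interface=bridge src-address=192.168.23.0/24
add action=accept chain=forward comment="Mobile v23 -> internet via home WAN" in-interface=wireguard1 out-interface-list=WAN src-address=192.168.23.0/24
add action=accept chain=forward comment="home LAN -> Mobile v23" in-interface=bridge out-interface=wireguard1 dst-address=192.168.23.0/24
/ip firewall nat
# v23 addresses are private, so they must be masqueraded when they leave the home WAN
# (a defconf masquerade on out-interface-list=WAN already covers this if present)
add action=masquerade chain=srcnat comment="Mobile v23 to internet" out-interface-list=WAN src-address=192.168.23.0/24
```

New filter rules are appended at the end of each chain, i.e. below the existing "drop all else" rules, so on a router that already has a firewall add them with place-before= (or move them) so they sit above the drop. To confirm the pairing, /interface wireguard peers print should show a recent last-handshake on both routers once the Mobile side is up, and /ping src-address=192.168.22.88 192.168.23.1 from the home router exercises exactly the route, allowed-address entry and forward rules above; if it fails while the handshake is fine, the first thing to check is that 192.168.23.0/24 appears in this peer's allowed-address.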