Unable to access internet when Wireguard is activated

When Wireguard is activated I am not able to access the internet from my remote device.

Ideally the best solution is that all traffic is routed without having to go over the Wireguard connection.

How can I do this please?

Hard to say without seeing what you are doing in your config.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, vpn keys etc. )

You’re right.

  1. My first clarification is that internet is not blocked but goes through the WireGuard interface. Is it possible to have internet traffic not route through the WireGuard interface? (I am using tracert to determine how a request is being resolved.)


  2. I enabled TCP and UDP port 53 but cannot resolve the device names. I can access devices by IP address without problems. It would be nice to have.


  3. I would like to be able to access WinBox when connected via WireGuard. I originally had individual WireGuard IP addresses added to the AUTHORIZED list but could not. I would like to add anyone on the 192.168.66.0/24 (WireGuard network) to this group. I added the following: add address=192.168.66.0/24 comment="Wireguard Connection" list=AUTHORIZED but it did not work.


# 2024-12-10 18:17:12 by RouterOS 7.16.2
# software id = YYB5-JQXK
#
# model = C53UiG+5HPaxD2HPaxD
# Review notes are the "# ..." lines added between commands; rule order inside
# each section is significant, so no command has been moved or changed.
/interface bridge
add admin-mac=D4:01:C3:9E:58:7F auto-mac=no comment=defconf name=BR1 \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Connected to ISP"
set [ find default-name=ether2 ] comment="Connected to Unifi AP"
set [ find default-name=ether3 ] comment="Connected to LAN Switch"
set [ find default-name=ether4 ] comment="Connected to SRV-TOR"
set [ find default-name=ether5 ] comment="Connected to Proxmox"
# Single WireGuard server interface; its peers are under /interface wireguard peers.
/interface wireguard
add listen-port=13231 mtu=1420 name=HOMENET-WireGuard
/interface vlan
add interface=BR1 name=GUEST_VLAN vlan-id=20
# proxy-arp on SOHO_VLAN: presumably so tunnel/other-subnet clients can reach
# SOHO hosts without the hosts needing a route back -- confirm it is intended.
add arp=proxy-arp interface=BR1 name=SOHO_VLAN vlan-id=10
# LAN is declared but never gets a member (see /interface list member), so every
# rule that references LAN (mac-server, the IPv6 !LAN drops) acts as if the list
# were empty. VLAN and BASE are the lists actually in use.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=BASE
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=WIFI_SOHO
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=WIFI-GUEST
/interface wifi configuration
add country=Malta disabled=no mode=ap name=GUEST-Configuration security=\
    WIFI-GUEST ssid=GUESTS-AP
add country=Malta disabled=no mode=ap name=SOHO-Configuration security=\
    WIFI_SOHO ssid=AP-HOMENET
/interface wifi
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration=SOHO-Configuration \
    configuration.mode=ap disabled=no name=wlan-SOHO-2G \
    security.authentication-types="" .ft=yes .ft-over-ds=yes
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration=SOHO-Configuration \
    configuration.mode=ap disabled=no name=wlan-SOHO-5G security=WIFI_SOHO \
    security.authentication-types="" .ft=yes .ft-over-ds=yes
add channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz \
    configuration=GUEST-Configuration configuration.mode=ap disabled=no \
    mac-address=D4:01:C3:9E:58:83 master-interface=wlan-SOHO-2G name=\
    wlan-GUEST-2G security.authentication-types="" .ft=yes .ft-over-ds=yes
add channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz \
    configuration=GUEST-Configuration configuration.country=Malta .mode=ap \
    disabled=no mac-address=D4:01:C3:9E:58:84 master-interface=wlan-SOHO-5G \
    name=wlan-GUEST-5G security.authentication-types="" .ft=yes .ft-over-ds=\
    yes
/ip pool
add name=GUEST_POOL ranges=10.0.20.2-10.0.20.254
add name=SOHO_POOL ranges=192.168.16.20-192.168.16.99
/ip dhcp-server
add address-pool=SOHO_POOL interface=SOHO_VLAN name=SOHO_DHCP
add address-pool=GUEST_POOL interface=GUEST_VLAN name=GUEST_DHCP
/ppp profile
set *0 use-upnp=no
set *FFFFFFFE use-upnp=no
# NOTE(review): the /tool e-mail user below was redacted but this mailbox was not;
# worth stripping before posting, as asked for in the thread.
/system logging action
add email-to=chribonn@gmail.com name=Email target=email
# Any attached disk is auto-shared over SMB on BR1. With the input chain ending
# in an accept (see "drop all else" below) such a share would be reachable from
# every interface, not just the LAN side.
/disk settings
set auto-media-interface=BR1 auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=BR1 comment="hybrid port - UNIFI" interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether5 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan-SOHO-5G pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan-SOHO-2G pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan-GUEST-5G pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan-GUEST-2G pvid=20
# Neighbor discovery only on BASE, which holds SOHO_VLAN alone (see members).
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=\
    ether3,ether4,ether5,wlan-SOHO-5G,wlan-SOHO-2G,ether2 vlan-ids=10
add bridge=BR1 tagged=BR1,ether2 untagged=wlan-GUEST-5G,wlan-GUEST-2G \
    vlan-ids=20
# HOMENET-WireGuard is in VLAN, so the "VLAN Internet" forward rule and the
# "users to services" input rules already apply to it. It is NOT in BASE, so
# neighbor discovery (BASE) and MAC-winbox (LAN/BASE) do not cover the tunnel.
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=SOHO_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=SOHO_VLAN list=BASE
add interface=HOMENET-WireGuard list=VLAN
# Each peer is pinned to one /32 allowed-address (keys redacted by the poster).
# NOTE(review): whether a peer sends its internet traffic through the tunnel is
# decided by the AllowedIPs on the client side, which is not visible here.
/interface wireguard peers
add allowed-address=192.168.66.2/32 interface=HOMENET-WireGuard name=\
    XYZ-Laptop public-key="****Kc//jAOzw="
add allowed-address=192.168.66.3/32 interface=HOMENET-WireGuard name=\
    XYZ-OnePlus public-key="****kk="
add allowed-address=192.168.66.4/32 interface=HOMENET-WireGuard name=\
    XYZ-GalaxyTab public-key="****W8="
add allowed-address=192.168.66.5/32 interface=HOMENET-WireGuard name=\
    "Galaxy Tab 9FE" public-key=\
    "****l0="
add allowed-address=192.168.66.6/32 interface=HOMENET-WireGuard name=\
    "Galaxy S23" public-key=\
    "****EFU="
/ip address
add address=192.168.16.1/24 interface=SOHO_VLAN network=192.168.16.0
add address=10.0.20.1/24 interface=GUEST_VLAN network=10.0.20.0
add address=192.168.66.1/24 comment="Wireguard interface" interface=\
    HOMENET-WireGuard network=192.168.66.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.16.157 comment="Huawei SUN2000-3KTL-L1" mac-address=\
    C8:C4:65:7E:34:4D server=SOHO_DHCP
add address=192.168.16.155 client-id=1:c0:48:e6:4d:bb:3c comment=\
    "Samsung TV - Kitchen" mac-address=C0:48:E6:4D:BB:3C server=SOHO_DHCP
add address=192.168.16.156 client-id=1:74:e6:b8:1:ca:fa comment="LG TV" \
    mac-address=74:E6:B8:01:CA:FA server=SOHO_DHCP
add address=192.168.16.154 client-id=1:0:1e:8f:9:a0:2a comment=\
    "Canon i-Sensys MF 4370dn" mac-address=00:1E:8F:09:A0:2A server=SOHO_DHCP
add address=192.168.16.108 client-id=1:74:15:75:42:c7:d comment="Xiami Redmi" \
    mac-address=74:15:75:42:C7:0D server=SOHO_DHCP
add address=192.168.16.109 client-id=1:a0:ff:c:c2:a:e9 comment=\
    "HikVision 2CD2387" mac-address=A0:FF:0C:C2:0A:E9 server=SOHO_DHCP
add address=192.168.16.252 client-id=1:80:2a:a8:46:cc:44 comment="Unifi AP" \
    mac-address=80:2A:A8:46:CC:44 server=SOHO_DHCP
add address=192.168.16.153 client-id=1:6e:79:21:64:a7:e0 comment=\
    "HP-Laptop (Viper Sticker - Homenet WiFi)" mac-address=6E:79:21:64:A7:E0 \
    server=SOHO_DHCP
add address=192.168.16.152 client-id=1:4c:4f:ee:d7:5a:21 comment="XYZ One" \
    mac-address=4C:4F:EE:D7:5A:21 server=SOHO_DHCP
# Both subnets hand out the router as DNS; no domain is set on either network.
/ip dhcp-server network
add address=10.0.20.0/24 comment="Guest Subnet" dns-server=10.0.20.1 gateway=\
    10.0.20.1
add address=192.168.16.0/24 comment="SOHO Subnet" dns-server=192.168.16.1 \
    gateway=192.168.16.1
# allow-remote-requests=yes makes the router answer DNS on every interface,
# including ether1; that is only safe while the input chain blocks WAN-sourced
# DNS, which it does not as long as the last input rule below is an accept.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,9.9.9.9,8.8.4.4
# Only one static name exists. Nothing here maps the DHCP lease names to DNS
# records, which is consistent with hostnames not resolving from the tunnel.
/ip dns static
add address=192.168.16.7 comment="Points to Postiz Debian Server" name=\
    postiz.homenet.lan type=A
# AUTHORIZED holds individual WireGuard hosts (192.168.66.2-.5) AND the whole
# 192.168.66.0/24, so the per-host tunnel entries are redundant.
/ip firewall address-list
add address=192.168.16.3 comment=XYZ-LAPTOP list=AUTHORIZED
add address=192.168.16.152 comment="XYZ-OnePlus (Wifi Homenet)" list=\
    AUTHORIZED
add address=192.168.66.2 comment="XYZ-DESKTOP (WireGuard)\r\
    \n" list=AUTHORIZED
add address=192.168.66.5 comment="XYZ-LAPTOP (WireGuard)" list=AUTHORIZED
add address=192.168.16.2 comment="XYZ-LAPTOP (WiFi Homenet)" \
    list=AUTHORIZED
add address=192.168.66.3 comment="XYZ-OnePlus (Wireguard)" list=AUTHORIZED
add address=192.168.66.4 comment="XYZ-Galaxy Tab (WireGuard)" list=AUTHORIZED
add address=192.168.66.0/24 comment="Wireguard Connection" list=AUTHORIZED
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add chain=input comment="Allow all ICMP" protocol=icmp
# WireGuard handshake port must stay reachable from WAN; no in-interface limit.
add action=accept chain=input comment="Wireguard dst-port=13231" dst-port=\
    13231 protocol=udp
# Full router access for AUTHORIZED; with the /24 entry that is every tunnel peer.
add action=accept chain=input comment="admin access" src-address-list=\
    AUTHORIZED
add action=accept chain=input comment="users to services" dst-port=53,123 \
    in-interface-list=VLAN protocol=udp
# dst-address-list="" is an empty matcher and has no effect.
add action=accept chain=input comment="users to services" dst-address-list="" \
    dst-port=53 in-interface-list=VLAN protocol=tcp
# NOTE(review): action=accept under a "drop all else" comment turns this into an
# accept-all rule: anything not dropped above is admitted on every interface,
# ether1 included. The DNS resolver and the /ip service listeners are then
# protected only by their own address filters. The thread corrects this to
# action=drop at the end; until then the whole input policy above is moot.
add action=accept chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="{ default rules to keep\
    \_} (https://forum.mikrotik.com/viewtopic.php\?t=212669)" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="{ default rules to keep } (https://fo\
    rum.mikrotik.com/viewtopic.php\?t=212669)" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="{ default rules to keep } (https://foru\
    m.mikrotik.com/viewtopic.php\?t=212669)" connection-state=invalid
# Forward policy: VLAN members (incl. HOMENET-WireGuard) -> WAN, tunnel -> SOHO,
# dst-NATed flows; everything else, including GUEST_VLAN -> SOHO_VLAN, falls
# through to the final drop. This is the rule that should already give tunnel
# peers internet access, since the tunnel is a VLAN list member.
add action=accept chain=forward comment="VLAN Internet" in-interface-list=\
    VLAN out-interface-list=WAN
add action=accept chain=forward comment="wg to soho" dst-address=\
    192.168.16.0/24 in-interface=HOMENET-WireGuard
add action=accept chain=forward comment=\
    "(admin rules) https://forum.mikrotik.com/viewtopic.php\?t=212669" \
    connection-nat-state=dstnat
add action=drop chain=forward comment=\
    "Drop https://forum.mikrotik.com/viewtopic.php\?t=212669"
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.16.0/24 src-address=192.168.16.0/24
# This second rule is the general WAN masquerade, not hairpin NAT; the comment
# is misleading.
add action=masquerade chain=srcnat comment="Hairpin NAT" ipsec-policy=\
    out,none out-interface-list=WAN
# www (plain HTTP), ssh and winbox are open to the whole SOHO subnet and to no
# tunnel address, which is why WinBox over WireGuard fails at this point in the
# thread: 192.168.66.0/24 is absent from every service's address filter.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.16.0/24
set ssh address=192.168.16.0/24
set api disabled=yes
set winbox address=192.168.16.0/24
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# Stock defconf IPv6 rules. The final "!LAN" drops match every interface here
# because LAN has no members, so all unsolicited IPv6 is dropped on both chains.
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Malta
/system logging
add action=Email topics=update,critical,error,warning
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system routerboard wps-button
set enabled=yes on-event=wps-accept
# Stock defconf button scripts (LED toggle, WPS push); unchanged from default.
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :foreach iface in=[/interface/wifi find where (configuration.mode=\"a\
    p\" && disabled=no)] do={\r\
    \n     /interface/wifi wps-push-button \$iface;}\r\
    \n "
/tool e-mail
set from="<Mikrotik ax3>" port=587 server=smtp.gmail.com tls=starttls user=\
    xxx@gmail.com
# Both MAC services point at LAN, which has no members, so MAC-telnet and
# MAC-winbox are effectively disabled on every interface.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
  1. The MAIN issue for WireGuard internet → the forward chain firewall rule should work but it's not, good question!
    Try this to see if it fixes it.

add action=accept chain=forward comment="VLAN Internet" in-interface-list=VLAN out-interface-list=WAN
# this should already work, as the WireGuard interface is a member of the VLAN interface list
add action=accept chain=forward comment="wg to internet" in-interface=HOMENET-WireGuard out-interface-list=WAN

+++++++++++++++++++++++++++++++++++++

The rest are cleanup items!

  1. I assume the switch on ether3 is a dumb (unmanaged) switch, correct?

  2. To be clear: ALL YOUR WireGuard users are just different IPs for the admin?
    The reason I ask is that you have redundancy, in that you define a bunch of single WireGuard IPs,
    and then the last entry is the whole subnet.
    SO PICK ONE APPROACH or the other LOL

PS. I like the approach of identifying local LAN admin IPs and wireguard admin IPs, to be able to access the router config.

  1. In that vein, the error is that the WireGuard interface is not included as a trusted interface!!
    /interface list member
    add comment=defconf interface=ether1 list=WAN
    add interface=SOHO_VLAN list=VLAN
    add interface=GUEST_VLAN list=VLAN
    add interface=HOMENET-WireGuard list=VLAN
    add interface=SOHO_VLAN list=BASE

    ??? wireguard interface = BASE ???

PS. Now you should notice that LAN interface list is not required ( as you use VLAN to replace it )

  1. Some questions…
    /ip service
    set telnet disabled=yes
    set ftp disabled=yes
    set www address=192.168.16.0/24
    set ssh address=192.168.16.0/24
    set api disabled=yes
    set winbox address=192.168.16.0/24

a. WHY the www address? THIS IS NOT a secure access method for the router (plain HTTP); if you want to see the web config, at least limit it to your admin IP, and if that is not the intent then disable it!!!
Same with SSH: limit access to only the needed IPs.

b. Winbox is not accurate; it should be 192.168.16.0/24,192.168.66.0/24. You forgot WireGuard admin access. Here it is okay to have the subnets, as you LIMIT access properly on the input chain to specific IPs if required.

  1. This is why the unnecessary creation of the VLAN interface list bites you, versus simply using the default LAN interface list for all subnets.
    /tool mac-server
    set allowed-interface-list=LAN
    /tool mac-server mac-winbox
    set allowed-interface-list=LAN

So if mimicking the LAN you would normally use VLAN instead of LAN, as LAN means nothing in your config.

However both are wrong, and similar to neighbour discovery, this should be:
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE

Now you know why, the wireguard interface should be part of the interface list members for BASE.

Thanks to you I managed to use Winbox to connect over wireguard.

As you suggested, I added 192.168.66.0/24 as an approved endpoint for the services. I also limited them to the individual approved IPs that can access the services.

Under Firewall/Address Lists I have an AUTHORIZED list. Can this list also be used for the services? This would avoid having to enter the IP addresses and ranges repeatedly and manually.

Would you be able to assist with resolving the server names? I can access them using the IP address (port 53 is open) but I am never able to access them using the computer name. It is not critical.

This is the updated configuration

Thanks again

# 2024-12-11 18:03:14 by RouterOS 7.16.2
# software id = YYB5-JQXK
#
# model = C53UiG+5HPaxD2HPaxD
# Review notes are the "# ..." lines added between commands; rule order inside
# each section is significant, so no command has been moved or changed.
/interface bridge
add admin-mac=xx:CC:yy:9E:58:7F auto-mac=no comment=defconf name=BR1 \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Connected to ISP"
set [ find default-name=ether2 ] comment="Connected to Unifi AP"
set [ find default-name=ether3 ] comment="Connected to LAN Switch"
set [ find default-name=ether4 ] comment="Connected to "
set [ find default-name=ether5 ] comment="Connected to"
/interface wireguard
add listen-port=13231 mtu=1420 name=HOMENET-WireGuard
/interface vlan
add interface=BR1 name=GUEST_VLAN vlan-id=20
add arp=proxy-arp interface=BR1 name=SOHO_VLAN vlan-id=10
# LAN has been removed from the list definitions, but the IPv6 filter rules
# below still use in-interface-list=!LAN. Verify that RouterOS accepts the
# stale reference on import; if it does, !LAN matches every interface and the
# rules keep dropping all unsolicited IPv6, which is the safe outcome.
/interface list
add comment=defconf name=WAN
add name=VLAN
add name=BASE
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=WIFI_SOHO
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=WIFI-GUEST
/interface wifi configuration
add country=Malta disabled=no mode=ap name=GUEST-Configuration security=\
    WIFI-GUEST ssid=GUESTS-AP
add country=Malta disabled=no mode=ap name=SOHO-Configuration security=\
    WIFI_SOHO ssid=AP-HOMENET
/interface wifi
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration=SOHO-Configuration \
    configuration.mode=ap disabled=no name=wlan-SOHO-2G \
    security.authentication-types="" .ft=yes .ft-over-ds=yes
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration=SOHO-Configuration \
    configuration.mode=ap disabled=no name=wlan-SOHO-5G security=WIFI_SOHO \
    security.authentication-types="" .ft=yes .ft-over-ds=yes
add channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz \
    configuration=GUEST-Configuration configuration.mode=ap disabled=no \
    mac-address=BB:CC:C3:9E:58:83 master-interface=wlan-SOHO-2G name=\
    wlan-GUEST-2G security.authentication-types="" .ft=yes .ft-over-ds=yes
add channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz \
    configuration=GUEST-Configuration configuration.country=Malta .mode=ap \
    disabled=no mac-address=BB:CC:C3:9E:58:84 master-interface=wlan-SOHO-5G \
    name=wlan-GUEST-5G security.authentication-types="" .ft=yes .ft-over-ds=\
    yes
/ip pool
add name=GUEST_POOL ranges=10.0.20.2-10.0.20.254
add name=SOHO_POOL ranges=192.168.16.20-192.168.16.99
/ip dhcp-server
add address-pool=SOHO_POOL interface=SOHO_VLAN name=SOHO_DHCP
add address-pool=GUEST_POOL interface=GUEST_VLAN name=GUEST_DHCP
/ppp profile
set *0 use-upnp=no
set *FFFFFFFE use-upnp=no
# NOTE(review): this mailbox is still unredacted in the second export while the
# /tool e-mail user was replaced; worth stripping before posting.
/system logging action
add email-to=chribonn@gmail.com name=Email target=email
# Any attached disk is auto-shared over SMB on BR1; exposure depends on the
# input chain, which still ends in an accept below.
/disk settings
set auto-media-interface=BR1 auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=BR1 comment="hybrid port - UNIFI" interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether5 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan-SOHO-5G pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan-SOHO-2G pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan-GUEST-5G pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan-GUEST-2G pvid=20
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=\
    ether3,ether4,ether5,wlan-SOHO-5G,wlan-SOHO-2G,ether2 vlan-ids=10
add bridge=BR1 tagged=BR1,ether2 untagged=wlan-GUEST-5G,wlan-GUEST-2G \
    vlan-ids=20
# BASE still holds only SOHO_VLAN; HOMENET-WireGuard was not added despite the
# reply suggesting it. That only affects neighbor discovery and MAC-winbox over
# the tunnel -- IP WinBox over the tunnel works via /ip service and the
# AUTHORIZED input rule, which is what the poster reports.
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=SOHO_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=SOHO_VLAN list=BASE
add interface=HOMENET-WireGuard list=VLAN
# One /32 allowed-address per peer (keys redacted by the poster).
/interface wireguard peers
add allowed-address=192.168.66.2/32 interface=HOMENET-WireGuard name=\
    XYZ-Laptop public-key="***Ozw="
add allowed-address=192.168.66.3/32 interface=HOMENET-WireGuard name=\
    XYZ-OnePlus public-key="***k="
add allowed-address=192.168.66.4/32 interface=HOMENET-WireGuard name=\
    XYZ-GalaxyTab public-key="I***8="
add allowed-address=192.168.66.5/32 interface=HOMENET-WireGuard name=\
    "xxxxxxx-Galaxy Tab 9FE" public-key=\
    "***l0="
add allowed-address=192.168.66.6/32 interface=HOMENET-WireGuard name=\
    "xxxxxxx-Galaxy S23" public-key=\
    "***FU="
/ip address
add address=192.168.16.1/24 interface=SOHO_VLAN network=192.168.16.0
add address=10.0.20.1/24 interface=GUEST_VLAN network=10.0.20.0
add address=192.168.66.1/24 comment="Wireguard interface" interface=\
    HOMENET-WireGuard network=192.168.66.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.16.152 client-id=1:cffffff:21 comment="XYZ One" \
    mac-address=4C:4F:EE:D7:5A:21 server=SOHO_DHCP
/ip dhcp-server network
add address=10.0.20.0/24 comment="Guest Subnet" dns-server=10.0.20.1 gateway=\
    10.0.20.1
add address=192.168.16.0/24 comment="SOHO Subnet" dns-server=192.168.16.1 \
    gateway=192.168.16.1
# Router answers DNS on all interfaces; see the last input rule below for why
# that currently includes ether1.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,9.9.9.9,8.8.4.4
# Still only one static name; nothing here publishes the other LAN hostnames,
# so name-based access over the tunnel is not configured in this export.
/ip dns static
add address=192.168.16.7 comment="Points to Postiz Debian Server" name=\
    postiz.homenet.lan type=A
# AUTHORIZED now: whole tunnel subnet plus four SOHO hosts. This list is what
# the input-chain "admin access" rule consumes; /ip service below takes literal
# addresses only, so the same set has to be repeated there by hand.
/ip firewall address-list
add address=192.168.66.0/24 comment="Wireguard Connection" list=AUTHORIZED
add address=192.168.16.2 list=AUTHORIZED
add address=192.168.16.12 list=AUTHORIZED
add address=192.168.16.152 list=AUTHORIZED
add address=192.168.16.153 list=AUTHORIZED
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add chain=input comment="Allow all ICMP" protocol=icmp
add action=accept chain=input comment="Wireguard dst-port=13231" dst-port=\
    13231 protocol=udp
add action=accept chain=input comment="admin access" src-address-list=\
    AUTHORIZED
add action=accept chain=input comment="users to services" dst-port=53,123 \
    in-interface-list=VLAN protocol=udp
# dst-address-list="" is an empty matcher and has no effect.
add action=accept chain=input comment="users to services" dst-address-list="" \
    dst-port=53 in-interface-list=VLAN protocol=tcp
# NOTE(review): still action=accept here, so the input chain admits everything
# not dropped above on every interface (ether1 included); the address filters on
# /ip service and the DNS resolver are the only remaining guard. The poster
# corrects this to action=drop in the final reply of the thread.
add action=accept chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="{ default rules to keep\
    \_} (https://forum.mikrotik.com/viewtopic.php\?t=212669)" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="{ default rules to keep } (https://fo\
    rum.mikrotik.com/viewtopic.php\?t=212669)" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="{ default rules to keep } (https://foru\
    m.mikrotik.com/viewtopic.php\?t=212669)" connection-state=invalid
# Forward policy unchanged from the first export: VLAN members (incl. the
# tunnel) -> WAN, tunnel -> SOHO, dst-NATed flows; GUEST_VLAN -> SOHO_VLAN and
# everything else hits the final drop.
add action=accept chain=forward comment="VLAN Internet" in-interface-list=\
    VLAN out-interface-list=WAN
add action=accept chain=forward comment="wg to soho" dst-address=\
    192.168.16.0/24 in-interface=HOMENET-WireGuard
add action=accept chain=forward comment=\
    "(admin rules) https://forum.mikrotik.com/viewtopic.php\?t=212669" \
    connection-nat-state=dstnat
add action=drop chain=forward comment=\
    "Drop https://forum.mikrotik.com/viewtopic.php\?t=212669"
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.16.0/24 src-address=192.168.16.0/24
# General WAN masquerade; the "Hairpin NAT" comment on it is misleading.
add action=masquerade chain=srcnat comment="Hairpin NAT" ipsec-policy=\
    out,none out-interface-list=WAN
# Services now limited to four SOHO /32s plus the tunnel /24, repeated for
# www, ssh and winbox. www is plain HTTP; the reply recommends limiting or
# disabling it rather than exposing it to a whole subnet.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address="192.168.16.2/32,192.168.66.0/24,192.168.16.12/32,192.168.16.1\
    52/32,192.168.16.153/32"
set ssh address="192.168.16.2/32,192.168.66.0/24,192.168.16.12/32,192.168.16.1\
    52/32,192.168.16.153/32"
set api disabled=yes
set winbox address="192.168.16.2/32,192.168.66.0/24,192.168.16.12/32,192.168.1\
    6.152/32,192.168.16.153/32"
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# Stock defconf IPv6 rules; note the two "!LAN" drops reference an interface
# list that is no longer defined in this export (see /interface list).
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Malta
/system logging
add action=Email topics=update,critical,error,warning
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system routerboard wps-button
set enabled=yes on-event=wps-accept
# Stock defconf button scripts (LED toggle, WPS push); unchanged from default.
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :foreach iface in=[/interface/wifi find where (configuration.mode=\"a\
    p\" && disabled=no)] do={\r\
    \n     /interface/wifi wps-push-button \$iface;}\r\
    \n "
/tool e-mail
set from="<Mikrotik ax3>" port=587 server=smtp.gmail.com tls=starttls user=\
    dsdfsdfs@gmail.com
# Per the reply: MAC-telnet off entirely, MAC-winbox only on BASE (SOHO_VLAN).
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE

Just noticed a mistake in the config.

The entry under

/ip firewall filter



add action=accept chain=input comment="drop all else"

should read

add action=drop chain=input comment="drop all else"

Correct, my mistake, too much copy and paste… Good eye!! (Until that rule is changed to drop, the input chain accepts everything that reaches it.)