VPN - device routing

Hello All,

I’m new here and also a MikroTik newbie. I need your help with the following problem:
I have set up WireGuard with a hEX S and a fritzbox (site to site). This is working very well. Now I would like to pass my Apple TV (192.168.2.115) through the VPN (my fritzbox has 192.168.178.1; this is also the DNS to the internet). I would like to use the location of the fritzbox. How can I set up the route or gateway? I have tried several things but it was not working. Is there also a possibility to change the route/gateway by SSH (I would like to switch it from my smarthome system)?
Thanks for your help.

If I understand correctly and the Wireguard addresses are from the 192.168.178.0/x subnet, then the following should be done:

  1. Add a new routing table
  2. Create a default route to WG gateway in that table
  3. Add a routing rule to lookup traffic from 192.168.2.115 only in that table
/routing table add fib name=thr_WG

/ip route add dst-address=0.0.0.0/0 gateway=192.168.178.1 routing-table=thr_WG

/routing rule add action=lookup-only-in-table src-address=192.168.2.115 table=thr_WG
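To make the three steps above concrete, here is an added example (not from the answer above and not MikroTik code) that simulates how RouterOS evaluates a routing rule and then the selected table: rules are matched in order, `lookup-only-in-table` never falls back to `main` when the table has no route, while plain `lookup` continues with the next rule and finally `main`. The tables and rules are constructed from the addresses in this thread.

```python
"""Policy-routing lookup simulator (added example, constructed data)."""
import ipaddress

# Constructed tables mirroring the thread: 'main' exits via the modem,
# 'thr_WG' sends everything to the Fritz!Box over the WireGuard tunnel.
TABLES = {
    "main": [("0.0.0.0/0", "192.168.2.1"), ("192.168.178.0/24", "WG-PL-FritzBox")],
    "thr_WG": [("0.0.0.0/0", "192.168.178.1")],
}

# Routing rules in evaluation order. 'action' is either 'lookup' (keep going
# if the table has no route) or 'lookup-only-in-table' (no fallback at all).
RULES = [
    {"src-address": "192.168.2.115", "action": "lookup-only-in-table", "table": "thr_WG"},
]


def lookup(table, dst, tables=TABLES):
    """Longest-prefix match of dst in one table; returns the gateway or None."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in tables.get(table, []):
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def resolve(src, dst, rules=RULES, tables=TABLES):
    """Return the gateway a packet src->dst would use, or None if unroutable."""
    src_ip = ipaddress.ip_address(src)
    for rule in rules:
        if src_ip not in ipaddress.ip_network(rule["src-address"]):
            continue
        gw = lookup(rule["table"], dst, tables)
        if gw is not None:
            return gw
        if rule["action"] == "lookup-only-in-table":
            return None  # table had no route: packet is dropped, no fallback
        # plain 'lookup' with no match: continue with the next rule
    return lookup("main", dst, tables)


if __name__ == "__main__":
    print("Apple TV  ->", resolve("192.168.2.115", "1.1.1.1"))   # 192.168.178.1
    print("other LAN ->", resolve("192.168.2.50", "1.1.1.1"))    # 192.168.2.1
    # If the tunnel route disappears, lookup-only-in-table leaves the TV offline
    no_tunnel = {"main": TABLES["main"], "thr_WG": []}
    print("TV, tunnel down ->", resolve("192.168.2.115", "1.1.1.1", tables=no_tunnel))
```

The last case is the practical caveat of `lookup-only-in-table`: when the WireGuard route is absent, the Apple TV gets no route at all rather than leaking out via the modem, which is usually what you want for a "use the remote location" setup, but it also means a down tunnel looks like a dead device.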

Hello,

thank you for your reply. I have tried, but it didn’t work.
But there is also a question how to setup the gateway and DNS in Apple TV?
My IPs are:
My Internet modem 162.168.2.1 (here in Germany)
Apple TV has the IP: 192.168.2.115
My fritzbox in other country has: 192.168.178.1
My MikroTik hEX S, where the WireGuard is running, has: 192.168.2.5

Which IP should I change in Apple TV for the gateway and DNS?
And do I need to setup something special in the wireguard config/peer?

Maybe it would be best if you exported your config and posted it here to see what is going on:

/export file=anynameyouwish (minus sensitive information)

Hello,

here is my config:

# 2024-04-29 18:34:20 by RouterOS 7.12.1
# software id = 5A7M-MRJ4
#
# model = RB760iGS
# serial number = xxxxxx
/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13231 mtu=1420 name=WG-COMP
add listen-port=56460 mtu=1420 name=WG-PL-FritzBox
add listen-port=13232 mtu=1420 name=WG-PRV-SERVER
add listen-port=21520 mtu=1420 name=wg1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/routing table
add disabled=no fib name=thr_WG
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
/interface wireguard peers
add allowed-address=192.168.5.2/32 comment="MacMini" interface=\
    WG-PRV-SERVER public-key="xxxxxxxxx"
add allowed-address=192.168.5.3/32 comment="DS Phone" interface=\
    WG-PRV-SERVER public-key="xxxxxxxx"
add allowed-address=192.168.5.4/32 comment=MacBook interface=WG-PRV-SERVER \
    public-key="xxxxxxxx"
add allowed-address=192.168.111.0/24 comment=WG-COMP endpoint-address=\
    11.11.11.11 endpoint-port=13231 interface=WG-COMP persistent-keepalive=25s \
    public-key="xxxxxxxxxxx"
add allowed-address=192.168.178.0/24 client-dns=192.168.178.1 comment=\
    "WG PL Fritz!Box" endpoint-address=homffff.ddns.net endpoint-port=55014 \
    interface=WG-PL-FritzBox persistent-keepalive=25s preshared-key=\
    "xxxxxxxx" private-key=\
    "xxxxxxxxx=" public-key=\
    "r/eX/xxxxxxxxxxxxx"
/ip address
add address=192.168.2.5/24 interface=ether2 network=192.168.2.0
add address=192.168.5.1/24 interface=WG-PRV-SERVER network=192.168.5.0
add address=192.168.113.60 interface=WG-COMP network=192.168.113.0
add address=192.168.178.0/24 interface=WG-PL-FritzBox network=192.168.178.0
/ip dns
set servers=192.168.2.1
/ip firewall filter
add action=accept chain=forward disabled=yes dst-address=192.168.111.0/24 \
    src-address=192.168.2.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.2.0/24 \
    src-address=192.168.111.0/24
add action=accept chain=output disabled=yes dst-port=13231 protocol=udp
add action=accept chain=input disabled=yes dst-port=13231 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.5.0/24
add action=masquerade chain=srcnat dst-address=192.168.111.0/24
add action=masquerade chain=srcnat dst-address=192.168.178.0/24 src-address=\
    192.168.178.0/24
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.111.0/24 gateway=WG-COMP \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.178.0/24 gateway=\
    WG-PL-FritzBox pref-src="" routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.178.1 \
    pref-src="" routing-table=thr_WG suppress-hw-offload=no
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.2.115 table=\
    thr_WG
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no

Without looking at your config, the problem I see is that your modem is giving you a private IP as a WAN address to the HEX, but then why do your LAN subnet devices have the same LAN structure???

modem=192.168.**2.**1
Hex WAN IP provided by modem is 192.168.2.5 makes sense!
AppleTV=192.168.2.115 wrong!

So before anything you need to have an actual LAN subnet and not use the WAN subnet.
The other mystery is that you have multiple wireguard interfaces not mentioned, I hate hidden facts.
Do you also host wireguard on your device ??
If so does that mean your upstream modem/router ( NOT actually a modem, another hidden fact ) can port forward Ports to your hex ??? Assuming it gets a public IP ???

sorry, I don’t want to hide any facts. The problem is how to tell all the details, and which information is really needed.
So I can create another subnet for my devices, but how should I route them? The question is also: who is then my gateway/DNS? And how do I set up the rules/routes?

Does anyone have an idea how I can do this?

You failed to answer my questions about the subnet structure etc.. ???
You should provide a network diagram!!

Hi,

I did a drawing of my network, but how can I upload a jpeg or png here?

I hope you can see my setup and it is more or less understandable.
My wish is to pass the Apple TV device through the second WireGuard to get the internet IP from there (fritzbox modem).

networksetup:
https://files.fm/u/2s866hwe3v

Okay that was helpful.
So basically the HEX is acting as a switch-type device (not a router) and is assigned an IP of 192.168.2.5 on the LAN of the USG device.
You want the apple TV device to ignore the USG WAN and only go out the HEX wireguard connected to Fritz…

Well that’s a problem, it’s the USG then that decides the routing, not the HEX.
In addition if any remote subnets come out of the hex wireguard interfaces heading for USG subnets, the USG will have to be able to route the return traffic back to the hex.

I have to think about this one, very complex. The solution may be to treat the HEX as a router, and just give it its own subnet that really does nothing but allows us to direct traffic as needed.
This is easier for me to do…

Hi,

thanks for your prompt reply. Is it maybe better to remove the USG and use the mikrotik as router? Maybe this will help and make it possible?
I was using the USG before I got the mikrotik. In future I want to use only mikrotik, and I think I don’t need the USG anymore.

It depends, what throughput is your ISP? If it’s 1gig, the HEX is underpowered for that and better to stick with USG.
As long as you can forward ports and set manual routes on the USG, it should work !!!

I can provide a hex setup AS a router that will work, not as a basic switch though.
Your IP address, on the hex, for the fritz Wireguard is INCORRECT on your config should be 192.168.178.X NOT 0
I will assume 2.

In terms of Sourcenat, It would appear you want to sourcenat all traffic going out the tunnel to WORK or to FRITZ and give that traffic the IP address of the HEX on the applicable wireguard interface.
That’s fine, as it makes it easier at those devices to return traffic without having to create any routes. The way it’s done, though, is incorrect.


# model = RB760iGS

/interface list
add name=WAN
add name=LAN
add name=MANAGE

/routing table
add fib name=thr_WG

/interface bridge port
add bridge=bridge1 interface=ether1 disabled=yes
add bridge=bridge1 interface=ether3 disabled=yes
add bridge=bridge1 interface=ether4 disabled=yes
add bridge=bridge1 interface=sfp1 disabled=yes

/ip neighbor discovery-settings
set discover-interface-list=MANAGE

/interface list member
add interface=ether2 list=WAN
add interface=bridge1 list=LAN
add interface=ether5 list=LAN
add interface=WG-PRV-SERVER list=LAN
add interface=ether2 list=MANAGE comment="so can access config from USG subnet"
add interface=ether5 list=MANAGE comment="so can access config from ether5"
add interface=WG-PRV-SERVER list=MANAGE comment="so can access config from wireguard"

/interface wireguard peers
add allowed-address=192.168.5.2/32 comment="MacMini" interface=\
    WG-PRV-SERVER public-key="xxxxxxxxx"
add allowed-address=192.168.5.3/32 comment="DS Phone" interface=\
    WG-PRV-SERVER public-key="xxxxxxxx"
add allowed-address=192.168.5.4/32 comment=MacBook interface=WG-PRV-SERVER \
    public-key="xxxxxxxx"
add allowed-address=192.168.111.0/24 comment=WG-COMP endpoint-address=\
    11.11.11.11 endpoint-port=13231 interface=WG-COMP persistent-keepalive=25s \
    public-key="xxxxxxxxxxx"
add allowed-address=0.0.0.0/0 client-dns=192.168.178.1 comment=\
    "WG PL Fritz!Box" endpoint-address=homffff.ddns.net endpoint-port=55014 \
    interface=WG-PL-FritzBox persistent-keepalive=25s preshared-key=\
    "xxxxxxxx" private-key=\
    "xxxxxxxxx=" public-key=\
    "r/eX/xxxxxxxxxxxxx"

/ip address
add address=192.168.2.5/24 interface=ether2 network=192.168.2.0 comment="WAN PORT"
add address=192.168.5.1/24 interface=WG-PRV-SERVER network=192.168.5.0
add address=192.168.113.60/24 interface=WG-COMP network=192.168.113.0
add address=192.168.178.2/24 interface=WG-PL-FritzBox network=192.168.178.0
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0 comment="unused LAN on HEX"
add address=192.168.55.1/24 interface=ether5 network=192.168.55.0 comment="local off bridge access to router"

/ip dns
set servers=192.168.2.1

/ip firewall address-list
add address=192.168.5.0/24 list=Authorized comment="Remote private wg access"
add address=192.168.2.X list=Authorized comment="admin PC on USG LAN"
add address=192.168.55.0/24 list=Authorized comment="off bridge local access"

/ip firewall filter
# default rules to keep
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
# admin rules
add action=accept chain=input dst-port=13232 protocol=udp comment="private server handshake"
add action=accept chain=input comment="admin access" in-interface-list=MANAGE src-address-list=Authorized
add action=accept chain=input dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input dst-port=53 protocol=tcp in-interface-list=LAN
# ensure you put this rule in LAST
add action=drop chain=input comment="Drop all Else"
# ------------------------------------------
# default rules to keep
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
# admin rules
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward src-address=192.168.2.115 out-interface=WG-PL-FritzBox

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=WG-COMP
add action=masquerade chain=srcnat out-interface=WG-PL-FritzBox

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main
add dst-address=0.0.0.0/0 gateway=192.168.178.1 routing-table=thr_WG

/routing rule
add action=lookup-only-in-table src-address=192.168.2.115 table=thr_WG

WHAT IS MISSING ( not clearly stated in your requirements thus far )

traffic accounted for FROM USG LAN that needs to go out COMPANY WIREGUARD SERVER ???
Any traffic originating from company wireguard heading to USG LAN ???
Any traffic originating from fritzbox wireguard heading to USG LAN ???
Any traffic originating from private wg heading to USG LAN ??? ( I already assumed at least to HEX for config purposes )
Any traffic originating from private wg heading to either company or fritzbox WG

Hello,

THANK YOU SO MUCH. It’s working.
Last question: is it possible to change the table in the rule via an SSH command? (from main to thr_WG) Then I can decide when I want to use the internet via main or WireGuard.

Hello,

I got it:

/routing rule set 0 table=main

Now I can control it through my smarthome.
I LOVE MIKROTIK, and thanks again for your support :slight_smile:
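The one-liner above works, but `set 0` addresses the rule by its position, which shifts as soon as another rule is added, and a smarthome hook that pastes a string into an SSH command is one bad payload away from running arbitrary RouterOS commands. The following is an added example (my own code, not the poster's and not MikroTik's) of a safer automation wrapper: it selects the rule with `[find src-address=...]`, only accepts the two table names an allowlist permits, calls `ssh` with an argument list rather than a shell string, and confirms the result by parsing `/routing rule print`. The router hostname, the dedicated `smarthome` user and the sample print output are constructed assumptions.

```python
"""Toggle the Apple TV routing rule over SSH (added example, constructed names)."""
import re
import subprocess

ROUTER = "hexs.home.arpa"        # assumed hostname of the hEX S; replace with yours
ROUTER_USER = "smarthome"        # assumed dedicated, read/write-limited RouterOS user
CLIENT = "192.168.2.115"          # the Apple TV from the thread
ALLOWED_TABLES = {"main", "thr_WG"}  # the only values the automation may select


def build_command(table, client=CLIENT):
    """Return the RouterOS command that switches the client's rule to `table`.

    Anything outside ALLOWED_TABLES is rejected before it reaches ssh, so a
    web-hook or MQTT payload cannot smuggle extra commands onto the router.
    """
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table {table!r} is not permitted")
    return f"/routing rule set [find src-address={client}] table={table}"


def current_table(print_output, client=CLIENT):
    """Parse '/routing rule print' output (key=value fields, one rule per
    line) and return the table of the rule for `client`, or None if absent."""
    wanted = re.compile(rf"src-address={re.escape(client)}(?:/32)?(?:\s|$)")
    for line in print_output.splitlines():
        if not wanted.search(line):
            continue
        m = re.search(r"\btable=(\S+)", line)
        return m.group(1) if m else None
    return None


def _ssh(command):
    """Run one RouterOS command over SSH with key auth and no local shell."""
    target = f"{ROUTER_USER}@{ROUTER}"
    # BatchMode refuses password prompts; host-key checking stays at its default,
    # so an unknown or changed router key makes the call fail instead of proceed.
    result = subprocess.run(["ssh", "-o", "BatchMode=yes", target, command],
                            check=True, capture_output=True, text=True)
    return result.stdout


def toggle(table):
    """Apply the change and return the table the router now reports.
    Needs the real router, so the offline test only covers the helpers."""
    _ssh(build_command(table))
    return current_table(_ssh("/routing rule print"))


# Constructed sample of '/routing rule print' output after switching to thr_WG.
SAMPLE_PRINT = """Flags: X - disabled, I - inactive
 0   src-address=192.168.2.115/32 action=lookup-only-in-table table=thr_WG
"""

if __name__ == "__main__":
    print(build_command("thr_WG"))
    print("parsed from sample:", current_table(SAMPLE_PRINT))   # thr_WG
```

On the router side, give the `smarthome` user its own SSH key and a group with only the policies it needs (`ssh`, `read`, `write`, `policy` is not required), so that even a compromised smarthome host cannot change anything beyond what that group allows.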

You will have to explain the request in more detail
Which users,
Where are they coming from
Where are they going to.