Following guides here and elsewhere I’ve successfully set up my RB4011 to do quite a few things.
Earlier this month, I thought I had WireGuard completely sorted. Every time I tested it after that, though, it wasn’t working.
I went through the guide from anav (https://forum.mikrotik.com/viewtopic.php?t=182340) and then checked through this post (http://forum.mikrotik.com/t/isolate-and-route-vlan-through-gateway-wireguard-only/158046/1).
My setup is a VPN to a private server in the US; I want all traffic entering port 3 of the RB4011 to go through that tunnel. All other ports go out over a DS-Lite connection.
I’ve simplified my config down a bit here:
# 2023-12-26 15:41:38 by RouterOS 7.11.2
# software id = ZZZ
# model = RB4011iGS+
# Bridges. "bridge" is the defconf LAN bridge (sfp-sfpplus1, ether10; it carries
# 192.168.88.1/24 below). BR2 is the VLAN-aware bridge holding the two access
# ports (ether7, ether3). bridge-flets holds ether1 only and is the WANv6 member
# further down (presumably the IPv6 side of the DS-Lite uplink).
/interface bridge
add name=BR2 protocol-mode=none vlan-filtering=yes
add admin-mac=78:9A:18:27:3E:03 auto-mac=no comment=defconf name=bridge
add name=bridge-flets protocol-mode=none
# WireGuard tunnel to the US server. 13231 is only the local UDP listen port;
# the peer, its endpoint and the tunnel address (10.0.0.200/24) are set later.
/interface wireguard
add listen-port=13231 mtu=1420 name=XUS
# DS-Lite IPv4-in-IPv6 tunnel (local IPv6 address redacted in the post). The
# main routing table's default route points at this interface.
/interface ipipv6
add dscp=0 !keepalive local-address=2409:13:xxxx:xxxx:1 mtu=1460 name=\
ipipv6-dslite remote-address=2404:8e00::feed:100
# Routed VLAN interfaces on BR2: AWIF = VLAN 50 (ether7, 10.50.0.0/24),
# USA = VLAN 255 (ether3, 10.255.0.0/24 - the subnet steered into WireGuard by
# the routing rule at the end of the export).
/interface vlan
add interface=BR2 name=AWIF vlan-id=50
add interface=BR2 name=USA vlan-id=255
# Interface lists. WAN2 (= WANv4 + WANv6) is defined but nothing else in this
# simplified export references it. Membership is assigned under
# "/interface list member"; note there that "bridge" ends up in both LAN and WAN.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=BASE
add name=VLAN2
add name=WANv4
add name=WANv6
add include=WANv4,WANv6 name=WAN2
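# Address pools handed out by the DHCP servers below.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=AWIF_POOL ranges=10.50.0.2-10.50.0.254
# FIX: this was "ranges=10.255.0.2,10.255.0.255". In RouterOS a comma separates
# individual pool entries, so that pool contained exactly two addresses:
# 10.255.0.2 and 10.255.0.255 - the latter being the broadcast address of
# 10.255.0.0/24. The DHCP server hands out addresses from the top of the pool,
# which is why the device on port 3 received 10.255.0.255 and could not talk to
# anything. A hyphen gives a contiguous range; .254 is the last usable host.
# (Shrinking the range to .3-.128 "fixed" it only because that form also
# excluded .255.)
add name=USA_POOL ranges=10.255.0.2-10.255.0.254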
# One DHCP server per access network. USA_DHCP serves the port-3 VLAN from
# USA_POOL; check that pool's ranges= value is a hyphenated range - a comma
# there lists separate single addresses rather than a range.
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=AWIF_POOL interface=AWIF name=AWIF_DHCP
add address-pool=USA_POOL interface=USA name=USA_DHCP
# Separate routing table for the WireGuard default route. It is populated under
# /ip route and selected by the /routing rule for 10.255.0.0/24 sources.
/routing table
add comment="Table for WireGuard - XUS" disabled=no fib name=wg-xus
# Bridge ports. ether7 and ether3 are untagged access ports on BR2 (pvid 50 and
# 255 respectively); tagged frames are not admitted on them. ether1 sits alone
# on bridge-flets.
/interface bridge port
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=ether10
add bridge=BR2 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether7 pvid=50
add bridge=BR2 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether3 pvid=255
add bridge=bridge-flets interface=ether1
# Neighbor discovery (MNDP/CDP/LLDP) is announced on *all* interfaces, uplinks
# included, which advertises the router's identity and software details to the
# far side. Restricting this to the LAN list is the usual hardening step.
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set accept-redirects=no accept-router-advertisements=yes
# VLAN table for BR2: the bridge itself is a tagged member of 255 and 50 so the
# USA/AWIF VLAN interfaces defined on BR2 can receive those VLANs. The entry for
# "bridge" has no vlan-ids and looks like a leftover.
/interface bridge vlan
add bridge=bridge
add bridge=BR2 tagged=BR2 vlan-ids=255
add bridge=BR2 tagged=BR2 vlan-ids=50
# detect-internet probes the WAN list - which, per the list members below,
# includes the LAN bridge.
/interface detect-internet
set detect-interface-list=WAN
# Interface list membership. Things worth checking here:
#  - "bridge" (the 192.168.88.0/24 LAN) is in both LAN and WAN, so the
#    out-interface-list=WAN masquerade and MSS-clamp rules below also apply to
#    traffic routed *into* the main LAN. That is almost certainly unintended.
#  - USA is only in VLAN (not LAN); AWIF is in both VLAN and LAN.
#  - the list "F2" referenced by a forward filter rule is never defined in this
#    export.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=BR2 list=VLAN
add interface=AWIF list=VLAN
add interface=ipipv6-dslite list=WAN
add interface=bridge-flets list=WAN
add interface=AWIF list=LAN
add interface=bridge list=WAN
add interface=ipipv6-dslite list=WANv4
add interface=bridge-flets list=WANv6
add interface=USA list=VLAN
# WireGuard peer (the US server). allowed-address=0.0.0.0/0 lets any IPv4
# destination be sent to, and any source accepted from, this peer - required for
# a full-tunnel default route via XUS. The endpoint and public key appear to be
# placeholders in the post; the real key should stay out of shared exports.
# persistent-keepalive keeps the NAT mapping on the DS-Lite side alive.
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=183.183.183.183 endpoint-port=\
51820 interface=XUS persistent-keepalive=25s public-key=\
"nopers="
# Router addresses: one per LAN/VLAN, 192.0.0.2/29 on the DS-Lite tunnel (the
# reserved 192.0.0.0/29 DS-Lite range), and 10.0.0.200/24 inside WireGuard.
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=10.50.0.1/24 interface=AWIF network=10.50.0.0
add address=10.255.0.1/24 interface=USA network=10.255.0.0
add address=192.0.0.2/29 interface=ipipv6-dslite network=192.0.0.0
add address=10.0.0.200/24 interface=XUS network=10.0.0.0
# DHCP options. USA clients are told to use 10.0.0.1 for DNS - presumably the
# far end of the WireGuard tunnel - so name resolution on port 3 only works
# while XUS is up and the peer answers DNS on that address (confirm).
/ip dhcp-server network
add address=10.50.0.0/24 dns-server=192.168.88.1 gateway=10.50.0.1
add address=10.255.0.0/24 dns-server=10.0.0.1 gateway=10.255.0.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
# The router resolves for clients (allow-remote-requests=yes). The defconf input
# rule that drops unsolicited WAN traffic is disabled in the filter section, so
# as exported this resolver is reachable from the uplinks - an open resolver
# usable for amplification, and a good reason to fix the input chain.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# Firewall filter. Two things shape how these chains behave as exported:
#  1. the only input-chain drop ("drop all not coming from LAN") is disabled,
#     and RouterOS accepts whatever no rule matches, so every service on the
#     router (DNS, WinBox, SSH, the WireGuard port, ...) is reachable from the
#     DS-Lite and ether1 uplinks;
#  2. both forward-chain "Drop" rules are disabled too, so the per-VLAN accept
#     rules are effectively decorative - nothing is isolated from anything.
# The disabled input drop matches in-interface-list=!VLAN, which would also cut
# off management from the 192.168.88.0/24 bridge (not in VLAN); putting the
# bridge and the VLANs in one list is the usual fix before re-enabling it.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Disabled - see the note at the top of this section.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!VLAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# Fasttracked connections bypass most firewall processing once established.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# Port-3 VLAN into the WireGuard tunnel.
add action=accept chain=forward in-interface=USA out-interface=XUS
# Anything addressed to the tunnel subnet is accepted regardless of source.
add action=accept chain=forward comment="Allow VLAN" dst-address=10.0.0.0/24
add action=accept chain=input comment="Allow VLAN" dst-address=10.0.0.0/24
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=forward comment="Allow Estab & Related" \
connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WANv4
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=LAN out-interface-list=WANv4
# "F2" is not defined under /interface list anywhere in this export.
add action=accept chain=forward in-interface-list=F2 out-interface-list=F2
add action=drop chain=forward comment=Drop disabled=yes
# The next three rules duplicate the "Allow Estab & Related", "VLAN Internet
# Access only" (VLAN->WANv4) and "Drop" rules above and can be removed.
add action=accept chain=forward comment="Allow Estab & Related" \
connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WANv4
add action=drop chain=forward comment=Drop disabled=yes
# MSS clamp on TCP SYNs leaving any WAN-list interface (which, per the list
# members, includes the LAN bridge).
/ip firewall mangle
add action=change-mss chain=postrouting new-mss=clamp-to-pmtu \
out-interface-list=WAN protocol=tcp tcp-flags=syn
# Source NAT. Masquerade is a terminating action, so the first matching rule
# wins:
#  - traffic leaving XUS is masqueraded to the tunnel address 10.0.0.200;
#  - the "defconf" rule covers every WAN-list interface (ipsec-policy=out,none
#    only excludes IPsec-policied traffic), so "Default masquerade" is
#    redundant, and the final src-nat to 192.0.0.1 for ipipv6-dslite is
#    shadowed and never matches. DS-Lite "working fine" is consistent with
#    masquerade handling it.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=XUS
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Default masquerade" \
out-interface-list=WAN
add action=src-nat chain=srcnat out-interface=ipipv6-dslite to-addresses=\
192.0.0.1
# Two default routes: main -> DS-Lite, wg-xus -> WireGuard.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ipipv6-dslite \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=XUS pref-src="" \
routing-table=wg-xus scope=30 suppress-hw-offload=no target-scope=10
# Policy routing: any packet sourced from 10.255.0.0/24 (the USA VLAN) is
# resolved only in wg-xus. That table holds just the WireGuard default route,
# so (a) if XUS is down these clients get no route rather than leaking out via
# DS-Lite - a useful kill-switch property - and (b) they also have no route to
# the router's other local subnets from that table; confirm both are intended.
/routing rule
add action=lookup-only-in-table disabled=no src-address=10.255.0.0/24 table=\
wg-xus
# MAC-level management access (MAC telnet, MAC WinBox) is limited to the LAN
# list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# Packet sniffer pointed at the port-3 interface - presumably left over from
# troubleshooting this problem.
/tool sniffer
set filter-interface=ether3 memory-limit=1000KiB
This led to the device plugged into port 3 getting 10.255.0.255 via DHCP … and being completely unable to access the internet over that connection. (DS-Lite works fine for everything else.)
Somehow, shrinking the DHCP range to 10.255.0.3 - 10.255.0.128 fixed this …
Any ideas?