WG and FW Rules for bridging locations

I have multiple locations that are all connected via WG.

Two locations are considered by me to both be central locations: 212 and 355 (because they provide services to the other locations).

I have WG on my iphone and laptop for mobile/remote operation.

I can establish a WG connection from my iphone to 212 and see all IP devices on the 212 LAN (which uses an RB5009).

The relevant FW rules in effect are:

/ip firewall filter
add action=accept chain=input comment="Allow incoming WG connections" dst-port=51820 protocol=udp
add action=accept chain=forward comment="Allow WG to subnet" dst-address=192.168.2.0/24 in-interface=212-Wireguard
add action=accept chain=forward comment="Allow all traffic out WG iface" out-interface=212-Wireguard
add action=accept chain=forward comment="Allows cross peer subnet traffic" in-interface=212-Wireguard out-interface=212-Wireguard
add action=accept chain=forward comment="Allow LAN to WAN" disabled=yes in-interface-list=LAN log=yes out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

355 and 212 are connected via WG and can see everything on each other's IP network.

However, from the WG-connected iPhone I cannot see any devices at location 355, which has a 192.168.0.0/24 LAN.

Here is my guess:

If I remove the dst-address=192.168.2.0/24 from the 2nd filter, I might be able to see everything everywhere (including 192.168.0.0/24).

But, even if that is true, it might be smarter to keep that dst-address in place and create an exception to that limit for specific incoming WG connections such as from my iPhone and Laptop.

Does this make sense?

Thanks.

Well, does WG's allowed-addresses include those other subnets (or is it 0.0.0.0/0)? Otherwise, this will act like a firewall before the firewall.

  1. I have tried allowed-addresses on the iphone and laptop peers including: 192.168.0.0/16 as well as 192.168.2.0/24 – neither works

  2. I tried removing the dst-address=192.168.2.0/24 fw rule.

  3. I do not see where I block LAN to WAN or port forwarding or have an old rule.

Below are the RB5009 (212) and hEX (355) configs.

# 2025-12-21 09:55:49 by RouterOS 7.19.3
# software id = Y57S-QRMU
#
# model = RB760iGS
# serial number = HF40
/interface bridge
add admin-mac=18:FD:74:2A:93:3E auto-mac=no comment="Emergency Access" name=\
    bridge port-cost-mode=short
/interface ethernet
set [ find default-name=ether5 ] comment=OffBridge
set [ find default-name=sfp1 ] advertise="10M-baseT-half,10M-baseT-full,100M-b\
    aseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full"
/interface eoip
add allow-fast-path=no disabled=yes mac-address=02:81:6B:D5:CD:BB name=\
    eoip-tunnel-to-212 remote-address=XXXXXX.mynetname.net tunnel-id=\
    355
add allow-fast-path=no disabled=yes mac-address=02:46:7F:0A:8E:B8 name=\
    eoip-tunnel-to-371 remote-address=XXXXXX15.sn.mynetname.net \
    tunnel-id=37135
/interface wireguard
add listen-port=51833 mtu=1420 name=355-WGhEX
add disabled=yes listen-port=13231 mtu=1420 name=TEST-WG
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=DHCPdisabled
add name=WG
/ip pool
add name=default-dhcp ranges=192.168.0.110-192.168.0.254
add comment=offbridge-dhcp-server name=offbridge-dhcp-server ranges=\
    192.168.55.100-192.168.55.200
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-script="/system\
    \n:local cdate [clock get date] \
    \n:local yyyy  [:pick \$cdate 0  4]\
    \n:local MM    [:pick \$cdate 5  7]\
    \n:local dd    [:pick \$cdate 8 10]\
    \n\
    \n:local thistime [/system clock get time]\
    \n:local thishour [:pick \$thistime 0 2]\
    \n:local thisminute [:pick \$thistime 3 5]\
    \n:local thissecond [:pick \$thistime 6 8]\
    \n:local identitydatetime \"\$[identity get name]_\$yyyy-\$MM-\$dd_\$thish\
    our:\$thisminute:\$thissecond\"\
    \n:local datetime \"\$yyyy-\$MM-\$dd_\$thishour:\$thisminute:\$thissecond\
    \"\
    \n:local systemname \"\$[identity get name]\"\
    \n\
    \n#:if (\$leaseBound=1) do={\
    \n\
    \n#  :log info \"testing after condition BOUND\" \
    \n#}\
    \n\
    \n#:if  ([/ip dhcp-server lease find where dynamic mac-address=\$leaseActM\
    AC]!=\"\") do={\
    \n\
    \n#  :log info \"testing after condition DYNAMIC\"\
    \n#}\
    \n\
    \n#:local recipient \"jXXXXX@domain.com\"\
    \n\
    \n:if  ((\$leaseBound=1)  && ([/ip dhcp-server lease find where dynamic ma\
    c-address=\$leaseActMAC]!=\"\")) do={\
    \n\
    \n#    :log info \"testing after conditions BOUND and DYNAMIC\" \
    \n\
    \n#    :tool e-mail send to=\$recipient subject=\"\$systemname DHCP Lease \
    Assigned to \$leaseActMAC\" body=\"MAC address \$leaseActMAC received IP a\
    ddress \$leaseActIP with a hostname of \$[/ip/dhcp-server/lease/get value-\
    name=host-name [find where mac-address=\$leaseActMAC]] from DHCP Server \$\
    leaseServerName on \$datetime from \$systemname\"\
    \n\
    \n #   :log info \"\$leaseServerName on \$datetime assigned \$leaseActIP t\
    o \$leaseActMAC hostname \$[/ip/dhcp-server/lease/get value-name=host-name\
    \_[find where mac-address=\$leaseActMAC]] from \$systemname\"\
    \n\
    \n}\
    \n\
    \n" lease-time=2d name=defconf
add address-pool=offbridge-dhcp-server comment=offbridge-dhcp-server \
    interface=ether5 name=offbridge-dhcp-server
/system logging action
set 1 disk-lines-per-file=5000
set 3 remote=192.168.0.13
add name=Netwatch target=memory
add disk-file-name=flash/netwatchlog name=disknetwatch target=disk
add disk-file-name=UPSLOG name=diskups target=disk
/interface bridge filter
add action=drop chain=forward comment="DHCP Drop " disabled=yes dst-port=\
    67-68 in-interface-list=DHCPdisabled ip-protocol=udp log-prefix=\
    Bridge-Filter-Forward mac-protocol=ip out-interface-list=DHCPdisabled \
    src-port=67-68
add action=drop chain=input comment="DHCP Drop " disabled=yes dst-port=67-68 \
    in-interface-list=DHCPdisabled ip-protocol=udp log-prefix=\
    Bridge-Filter-Input mac-protocol=ip src-port=67-68
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge disabled=yes interface=eoip-tunnel-to-212 \
    unknown-unicast-flood=no
add bridge=bridge disabled=yes interface=eoip-tunnel-to-371
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=355-WGhEX list=LAN
add interface=eoip-tunnel-to-371 list=DHCPdisabled
add interface=eoip-tunnel-to-212 list=DHCPdisabled
add interface=355-WGhEX list=WG
add interface=355-WGhEX list=DHCPdisabled
add interface=lo list=LAN
add comment=OffBridge interface=ether5 list=LAN
/interface ovpn-server server
add mac-address=FE:F5:C7:08:44:AC name=ovpn-server1
/interface wireguard peers
add allowed-address=10.10.100.1/32,192.168.2.0/24 comment=212 \
    endpoint-address=XXXXX.dyndns.org endpoint-port=51820 interface=\
    355-WGhEX name=212 persistent-keepalive=40s public-key=\
    "xx27cpfZFjhs2emAFLH7btR1YlEYPUo/op1OqXrW4Ds="
add allowed-address=10.10.90.0/24,192.168.88.0/24 comment=\
    "WG client on BI PC" disabled=yes endpoint-address=XXXXX.dyndns.org \
    interface=355-WGhEX name=peer2 public-key=\
    "R5SjZucQPhyu5CQyXLvxf/RFr9FogUr5iBSC0jt9TV4="
add allowed-address=10.10.100.8/32 comment=Laptop interface=355-WGhEX name=\
    peer3 public-key="XXXXX33NNDzI/u10SkE="
add allowed-address=192.168.40.1/24,10.10.100.40/32 comment=371 \
    endpoint-address=XXXXX.dyndns.org endpoint-port=52820 interface=355-WGhEX \
    name=371 persistent-keepalive=40s public-key=\
    "zoZtiesrYWKeodSUVuivHBEBjCn9YLAxn4pMzU5lohI="
add allowed-address=10.10.100.12/32,192.168.20.1/24 comment=629 \
    endpoint-address=XXXXX.dyndns.org endpoint-port=51821 interface=355-WGhEX \
    name=629 persistent-keepalive=40s public-key=\
    "q28DzC8N0YbnLJJovQHJT9o5tU0z2LKmLmg9oG4CfXo="
add allowed-address=10.10.100.60/32,192.168.1.1/24 comment=255 \
    endpoint-address=XXXXX.dyndns.org endpoint-port=51835 interface=\
    355-WGhEX name=255 persistent-keepalive=40s public-key=\
    "6E3qiHNBwSCzRKUjEPt3Qcs1c+r9bzZ0aWPK0PMwbRc="
add allowed-address=10.10.100.30/32,192.168.30.1/24 comment=76 \
    endpoint-address=XXXXX.dyndns.org endpoint-port=51830 interface=\
    355-WGhEX name=76 persistent-keepalive=40s public-key=\
    "EJu69lCmgQUBsiVng8xWu3x2t1k0omNOLVY6scNgUic="
add allowed-address=10.10.100.1/24,192.168.2.0/24 comment="Do Not Use - 212" \
    disabled=yes endpoint-address=XXXXX.dyndns.org endpoint-port=13231 \
    interface=TEST-WG name=peer8 persistent-keepalive=40s public-key=\
    "tT+2eUoDbV9k2zyN437+iZFX91ml6hvj1JrXk8YISDs="
add allowed-address=10.10.100.70/32,192.168.70.0/24 comment=125 \
    endpoint-address=XXXXX.dyndns.org endpoint-port=51870 interface=\
    355-WGhEX name=125 persistent-keepalive=40s public-key=\
    "Otp5S5pvkk1i1souKLXctvG3PEr6Rk4GF8HbwayGqT8="
add allowed-address=10.10.100.90/32,192.168.20.1/24 comment=630 disabled=yes \
    endpoint-address=630braden.dyndns.org endpoint-port=51890 interface=\
    355-WGhEX name=630 persistent-keepalive=40s public-key=\
    "S+MoBqRgsljLbnV3v7X26EnxM65a+vknHHhSM2qQdww="
add allowed-address=10.0.0.1/24,10.10.100.15/32 comment=355-AX3 disabled=yes \
    endpoint-address=10.0.0.1 endpoint-port=51860 interface=355-WGhEX name=\
    355-ax3 persistent-keepalive=40s public-key=\
    "C6fhu5+A4TMkzMPFBO/OH756yD08OtpEw54Qql3LZ04="
add allowed-address=10.10.100.10/32 comment="T Laptop" interface=355-WGhEX \
    name=t-laptop public-key="XXXXXvjrp81mL+itsBc="
add allowed-address=10.10.100.9/32 comment="JRS iPhone" interface=355-WGhEX \
    name=JRS-iPhone public-key="XXXXX2Kk4+Qfxpy61F8="
add allowed-address=10.10.100.80/32,192.168.80.1/24,10.72.0.0/16 comment=729 \
    endpoint-address=xxxx.dyndns.org endpoint-port=51880 interface=\
    355-WGhEX name=729 persistent-keepalive=40s public-key=\
    "hpOdNYSsIdXj4RM8WOGSXbhH/bPjjza3+DzjqQ4t0CQ="
add allowed-address=10.10.100.212/32,192.168.2.0/24 comment=RB5009-212-new \
    disabled=yes endpoint-address=hj30a31xb3x.sn.mynetname.net endpoint-port=\
    53212 interface=355-WGhEX name=peer16 persistent-keepalive=40s \
    public-key="XXXXXrYRvTNiOZhiMys="
/ip address
add address=192.168.0.11/24 comment=defconf interface=bridge network=\
    192.168.0.0
add address=192.168.77.1/24 interface=ether5 network=192.168.77.0
add address=10.10.100.50/24 interface=355-WGhEX network=10.10.100.0
add address=192.168.0.10/24 disabled=yes interface=ether1 network=192.168.0.0
add address=192.168.88.66/24 disabled=yes interface=bridge network=\
    192.168.88.0
add address=192.168.55.1/24 comment="Management 192.168.55.1" interface=\
    ether5 network=192.168.55.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server alert
add interface=ether1
add interface=ether4
add alert-timeout=12h disabled=no interface=bridge on-alert="/system script ad\
    d name=rogue-dhcp source=\94:log warning message=\\\94Rogue DHCP server de\
    tected!\\\94\94"
/ip dhcp-server config
set accounting=no
/ip dhcp-server lease
add address=192.168.0.176 comment=PearceTV mac-address=10:3D:0A:5E:4F:C2 \
    server=defconf
add address=192.168.0.151 comment=TankUtility mac-address=84:F3:EB:A1:39:FC \
    server=defconf
add address=192.168.0.193 comment=355BlueMBR mac-address=1C:1E:E3:8C:87:71 \
    server=defconf
add address=192.168.0.125 comment=355BlueLR mac-address=34:F1:50:6F:33:D0 \
    server=defconf
add address=192.168.0.123 client-id=1:98:f4:ab:21:19:f8 comment="Emporia Vue" \
    mac-address=98:F4:AB:21:19:F8 server=defconf
add address=192.168.0.122 client-id=ff:32:eb:34:4:0:3:0:1:44:61:32:eb:34:4 \
    comment="Shop Ecobee" mac-address=44:61:32:EB:34:04 server=defconf
add address=192.168.0.158 comment=TCLRoku mac-address=DC:72:23:0B:65:33 \
    server=defconf
add address=192.168.0.117 comment=WeatherFlow mac-address=B0:38:29:9D:1A:CF \
    server=defconf
add address=192.168.0.114 client-id=1:a8:48:fa:9f:95:6c comment="Emporia Vue" \
    mac-address=A8:48:FA:9F:95:6C server=defconf
add address=192.168.0.194 comment=MyQ-E37 mac-address=64:52:99:50:DA:84 \
    server=defconf
add address=192.168.0.195 comment="Shop Lights" mac-address=00:07:A6:28:60:02 \
    server=defconf
add address=192.168.0.110 comment="Emporia Vue" mac-address=84:0D:8E:39:DD:B8 \
    server=defconf
add address=192.168.0.156 comment="Emporia Vue" mac-address=84:0D:8E:38:C0:64 \
    server=defconf
add address=192.168.0.175 client-id=1:86:ea:da:77:d1:d1 comment=\
    "Jose's Chevy" mac-address=86:EA:DA:77:D1:D1 server=defconf
add address=192.168.0.165 comment="Blue Alexa" mac-address=F4:03:2A:EB:E7:0C \
    server=defconf
add address=192.168.0.127 client-id=1:f0:f0:a4:89:d4:72 comment=\
    amazon-a64ef0567 mac-address=F0:F0:A4:89:D4:72 server=defconf
add address=192.168.0.184 comment="Blue Vue" mac-address=3C:71:BF:05:88:14 \
    server=defconf
add address=192.168.0.128 comment="Shop rear floor" mac-address=\
    C4:5B:BE:DE:D0:DB server=defconf
add address=192.168.0.129 comment="TH10 Blue" mac-address=3C:61:05:E2:57:52 \
    server=defconf
add address=192.168.0.166 comment="Attic light" mac-address=C4:5B:BE:DF:1A:E8 \
    server=defconf
add address=192.168.0.130 client-id=1:c0:49:ef:60:86:68 comment=\
    "TH316 Blue LR" mac-address=C0:49:EF:60:86:68 server=defconf
add address=192.168.0.131 comment="TH10 Purple Water" mac-address=\
    3C:61:05:E2:A5:9C server=defconf
add address=192.168.0.132 comment="White TH10" mac-address=3C:61:05:E1:B5:D7 \
    server=defconf
add address=192.168.0.134 comment="Shop Amazon" mac-address=24:4C:E3:D5:D6:08 \
    server=defconf
add address=192.168.0.135 comment="Shop Light Center West" mac-address=\
    00:07:A6:28:5F:E4 server=defconf
add address=192.168.0.136 comment="Shop Lights North West" mac-address=\
    00:07:A6:28:60:11 server=defconf
add address=192.168.0.138 comment="Purple TH10" mac-address=3C:61:05:E1:8B:CA \
    server=defconf
add address=192.168.0.203 client-id=1:a8:b1:3b:fb:ce:9 comment="HP Printer" \
    mac-address=A8:B1:3B:FB:CE:09 server=defconf
add address=192.168.0.143 comment="Shop Lights" mac-address=00:07:A6:27:06:FB \
    server=defconf
add address=192.168.0.178 comment="Emporia Vue" mac-address=3C:71:BF:05:59:F0 \
    server=defconf
add address=192.168.0.139 client-id=1:c0:49:ef:f7:96:5c comment="TH316 Green" \
    mac-address=C0:49:EF:F7:96:5C server=defconf
add address=192.168.0.140 comment="TH10 White Water" mac-address=\
    E8:DB:84:9C:F4:BC server=defconf
add address=192.168.0.141 comment="Shop lights" mac-address=00:07:A6:27:06:FD \
    server=defconf
add address=192.168.0.218 comment="Flume 355" mac-address=48:55:19:65:B7:0E \
    server=defconf
add address=192.168.0.142 comment="Shop light xxx LEVDS-Switch-53B4" \
    mac-address=00:07:A6:28:60:F2 server=defconf
add address=192.168.0.149 client-id=1:40:f5:20:6a:26:ec comment="Emporia Vue" \
    mac-address=40:F5:20:6A:26:EC server=defconf
add address=192.168.0.111 comment="TH10R Greenhouse" mac-address=\
    E8:DB:84:9D:BD:BE server=defconf
add address=192.168.0.197 client-id=ff:32:36:a5:f6:0:3:0:1:44:61:32:36:a5:f6 \
    comment="Blue LR Ecobee" mac-address=44:61:32:36:A5:F6 server=defconf
add address=192.168.0.159 comment="355 Blue LR TV" mac-address=\
    A8:16:9D:24:3B:05 server=defconf
add address=192.168.0.217 comment="S31TPB Blue Dining Plug" mac-address=\
    C8:C9:A3:35:FE:5F server=defconf
add address=192.168.0.137 client-id=1:bc:75:36:d9:9b:ba comment=\
    "Suburban 2020" mac-address=BC:75:36:D9:9B:BA server=defconf
add address=192.168.0.160 client-id=1:3c:e9:e:89:e4:e4 comment=\
    "355 Blue Water" mac-address=3C:E9:0E:89:E4:E4 server=defconf
add address=192.168.0.162 client-id=1:2:7c:a1:e1:d6:36 comment=\
    "Home Assistant" mac-address=02:7C:A1:E1:D6:36 server=defconf
add address=192.168.0.169 comment="Emporia Vue" mac-address=10:52:1C:41:FA:A0 \
    server=defconf
add address=192.168.0.196 mac-address=B8:AB:62:1F:2F:BF server=defconf
add address=192.168.0.120 comment="Blue Bathroom Tasmota Ded2db-4827" \
    mac-address=C4:5B:BE:DE:D2:DB server=defconf
add address=192.168.0.115 client-id=1:3c:e9:e:89:f4:78 comment=\
    "Shop THR316 boiler" mac-address=3C:E9:0E:89:F4:78 server=defconf
add address=192.168.0.133 client-id=1:bc:24:11:75:96:4f comment=\
    "Proxmox on HA Server Windows 11" mac-address=BC:24:11:75:96:4F server=\
    defconf
add address=192.168.0.207 client-id=1:bc:24:11:e7:50:d5 mac-address=\
    BC:24:11:E7:50:D5 server=defconf
add address=192.168.0.155 client-id=1:e8:c8:29:11:bb:d8 comment=\
    355-Dining-Table mac-address=E8:C8:29:11:BB:D8 server=defconf
add address=192.168.0.157 mac-address=40:22:D8:93:4D:DD server=defconf
add address=192.168.0.126 client-id=ff:32:3d:a4:4a:0:3:0:1:44:61:32:3d:a4:4a \
    mac-address=44:61:32:3D:A4:4A server=defconf
add address=192.168.0.118 client-id=1:c0:49:ef:60:7b:78 mac-address=\
    C0:49:EF:60:7B:78 server=defconf
add address=192.168.0.112 client-id=\
    ff:11:62:91:c7:0:1:0:1:2d:56:2d:36:bc:24:11:62:91:c7 mac-address=\
    BC:24:11:62:91:C7 server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=\
    192.168.0.11,1.1.1.1,9.9.9.9,8.8.8.8 gateway=192.168.0.1
add address=192.168.88.0/24 dns-server=1.1.1.1 gateway=192.168.88.1 netmask=\
    24
/ip dns
set allow-remote-requests=yes cache-max-ttl=4d cache-size=10000KiB servers=\
    8.8.4.4,8.8.8.8,9.9.9.9,1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=hEX.355.local type=A
add address=10.10.100.50 name=355.10.10.100.50 type=A
add address=192.168.0.1 disabled=yes name=XXXXX.dyndns.org type=A
add comment=.internal forward-to=192.168.2.2 regexp=".*\\.internal" type=FWD
/ip firewall address-list
add address=XXXXX.dyndns.org list=XXXXX
add address=XXXXX.dyndns.org list=212
add address=255.dyndns.org list=255
add address=XXXXX.dyndns.org list=dynamic-WANIP
add address=192.168.0.0/16 list=admin
add address=10.10.0.0/16 list=admin
add address=XXXXX.dyndns.org list=locations
add address=XXXXX.dyndns.org list=locations
add address=XXXXX.dyndns.org list=locations
add address=XXXXX.dyndns.org list=locations
add address=630braden.dyndns.org list=locations
add address=XXXXX.dyndns.org list=locations
add address=beelink1.dyndns.org list=locations
add address=XXXXX.dyndns.org list=locations
add address=XXXXX.dyndns.org list=locations
add address=acme-v02.api.letsencrypt.org list=lets-encrypt
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=lets-encrypt dst-address-list=\
    acme-client dst-port=80 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="Wireguard handshake" dst-port=51833 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=\
    FI_A_ICMP protocol=icmp
add action=accept chain=input comment=\
    "5678 Neighbor Discovery from 127.0.0.1" protocol=udp src-address=\
    127.0.0.1 src-port=5678
add action=drop chain=input comment="DROP DHCP ACROSS DHCPdisabled" disabled=\
    yes dst-port=67-68 in-interface-list=DHCPdisabled log=yes log-prefix=\
    "FIREWALL-67-68 " protocol=udp src-port=67-68
add action=accept chain=input in-interface-list=LAN src-address-list=admin
add action=accept chain=input comment="access to dns and ntp services" \
    dst-port=53,123 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="access to dns services" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="access to DHCP server" dst-port=67,68 \
    in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else" log=yes log-prefix=\
    FI_D_drop_all_else
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="Supports road warrior coming in direc\
    tly and relay back thru tunnel to other WG" in-interface=355-WGhEX \
    out-interface=bridge
add action=accept chain=forward comment=\
    "supports local LAN users to access remote LAN subnets" dst-address=\
    192.168.0.0/16 out-interface=355-WGhEX src-address=192.168.0.0/16
add action=accept chain=forward comment=\
    "allows wg traffic to exit WAN for UDM subnets or internet" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="supports inter-WG traffic" \
    dst-address=10.10.0.0/16 out-interface=355-WGhEX src-address=10.10.0.0/16
/ip firewall mangle
add action=add-src-to-address-list address-list=acme-client \
    address-list-timeout=1m chain=postrouting dst-address-list=lets-encrypt \
    log=yes src-address-type=local
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip kid-control
add fri=0s-1d mon=0s-1d name=Monitor sat=0s-1d sun=0s-1d thu=0s-1d tue=0s-1d \
    wed=0s-1d
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=192.168.2.0/24 gateway=355-WGhEX routing-table=\
    main suppress-hw-offload=no
add disabled=yes distance=1 dst-address=192.168.88.0/24 gateway=355-WGhEX \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=192.168.20.1/24 gateway=355-WGhEX routing-table=\
    main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=355-WGhEX \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=192.168.66.0/24 gateway=355-WGhEX routing-table=\
    main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.5.0/24 gateway=192.168.0.101 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=192.168.30.0/24 gateway=355-WGhEX routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=192.168.40.0/24 gateway=355-WGhEX routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=192.168.70.0/24 gateway=355-WGhEX routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=192.168.4.1/24 gateway=355-WGhEX routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=10.0.0.0/8 gateway=355-WGhEX routing-table=main \
    suppress-hw-offload=no
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set www-ssl disabled=no
set api disabled=yes
/ip smb shares
set [ find default=yes ] directory=pub
/snmp
set enabled=yes trap-version=2
/system clock
set time-zone-name=America/New_York
/system identity
set name=355hEX
/system logging
set 0 disabled=yes
add disabled=yes topics=ssh
add topics=account
add topics=event
add topics=firewall
add disabled=yes topics=interface
add disabled=yes topics=mqtt
add disabled=yes topics=wireguard
add disabled=yes topics=dhcp
add disabled=yes topics=debug
add topics=watchdog
add topics=info,!wireguard,!dhcp
add action=remote disabled=yes prefix="192.168.0.11 " topics=info
add action=remote disabled=yes prefix=192.168.0.11 topics=system
add action=remote disabled=yes prefix=192.168.0.11 topics=critical
add action=Netwatch disabled=yes topics=netwatch
add action=disknetwatch regex=^Netwatch topics=script
add action=diskups regex="^\\[UPS\\]:" topics=script
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=3.us.pool.ntp.org
add address=0.pool.ntp.org
/tool romon
set enabled=yes
/tool sniffer
set file-limit=10000KiB filter-interface=355-WGhEX filter-ip-protocol=icmp \
    memory-limit=1000KiB

And the RB5009:

# 2025-12-21 09:56:12 by RouterOS 7.19.3
# software id = 2KBD-7ZZB
#
# model = RB5009UPr+S+
# serial number = HDA0
/interface bridge
add admin-mac=18:FD:74:CF:7F:5D auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] comment=WAN poe-out=off
set [ find default-name=ether2 ] comment=hAPax3-Downstairs poe-out=off
set [ find default-name=ether3 ] comment="JRS PC port 3" poe-out=off
set [ find default-name=ether4 ] comment=hAPax3-Upstairs poe-out=off
set [ find default-name=ether5 ] comment=<empty> poe-out=off
set [ find default-name=ether6 ] comment="MOCA adapter" poe-out=off
set [ find default-name=ether7 ] comment=OffBridge poe-out=off
set [ find default-name=ether8 ] comment=BI-Server poe-out=off
set [ find default-name=sfp-sfpplus1 ] comment=CSS326
/interface wireguard
add listen-port=51820 mtu=1420 name=212-Wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGE
add name=DHCPdisabled
add name=TRUSTED
add name=IoT-Cameras
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/iot lora servers
add address=eu.mikrotik.thethings.industries name=TTN-EU protocol=UDP
add address=us.mikrotik.thethings.industries name=TTN-US protocol=UDP
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=\
    UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=\
    UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=\
    UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
/iot mqtt brokers
add address=192.168.0.103 client-id=192.168.2.2 name=HA username=mqtt
add address=192.168.0.162 auto-connect=yes name="Home Assistant" username=\
    mqtt
/ip pool
add name=192.168.2.100-200 ranges=192.168.2.100-192.168.2.200
add comment=offbridge-dhcp-server name=offbridge-dhcp-server ranges=\
    192.168.55.101-192.168.55.200
/ip dhcp-server
add address-pool=192.168.2.100-200 interface=bridge lease-time=3d name=defconf
add address-pool=offbridge-dhcp-server comment=offbridge-dhcp-server \
    interface=ether7 name=offbridge-dhcp-server
/ip smb users
set [ find default=yes ] disabled=yes
/system logging action
set 3 remote=192.168.2.22
add name=logserver remote=192.168.0.112 remote-port=51400 target=remote
add email-to=jXXXXX@domain.com name=email target=email
add disk-file-name=UPSLOG name=diskups target=disk
/container config
set registry-url=https://registry-1.docker.io tmpdir=disk1/pull
/interface bridge filter
add action=drop chain=forward disabled=yes dst-port=67-68 in-interface-list=\
    DHCPdisabled ip-protocol=udp log-prefix=Bridge-Filter-Forward \
    mac-protocol=ip out-interface-list=DHCPdisabled src-port=67-68
add action=drop chain=input disabled=yes dst-port=67-68 in-interface-list=\
    DHCPdisabled ip-protocol=udp log-prefix=Bridge-Filter-Input mac-protocol=\
    ip src-port=67-68
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge interface=sfp-sfpplus1
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
    forward=no max-neighbor-entries=8192 soft-max-neighbor-entries=8191
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add disabled=yes interface=bridge list=MANAGE
add disabled=yes interface=ether1 list=MANAGE
add interface=212-Wireguard list=LAN
add disabled=yes interface=212-Wireguard list=MANAGE
add interface=212-Wireguard list=DHCPdisabled
add comment=OffBridge interface=ether7 list=LAN
add disabled=yes interface=ether7 list=MANAGE
add interface=bridge list=TRUSTED
add interface=ether7 list=TRUSTED
add interface=212-Wireguard list=TRUSTED
/interface ovpn-server server
add mac-address=FE:B2:B3:FE:59:72 name=ovpn-server1
/interface wireguard peers
add allowed-address=10.10.100.8/32 comment="JRS Laptop" interface=\
    212-Wireguard name=jrs-laptop public-key=\
    "b9iyIPXw9MQIGo852yC/Xd9Ds2VQoOKASosTxjRpJX8="
add allowed-address=\
    10.10.100.2/32,192.168.88.0/24,10.10.100.40/32,192.168.40.0/24 comment=\
    371 endpoint-address=XXXXX.dyndns.org endpoint-port=52820 interface=\
    212-Wireguard name=371 persistent-keepalive=40s public-key=\
    "zoZtiesrYWKeodSUVuivHBEBjCn9YLAxn4pMzU5lohI="
add allowed-address=10.10.100.9/32 comment="JRS iPhone" interface=\
    212-Wireguard name=jrs-iphone public-key=\
    "PypzufC5QJLUMgJCHEmbjQYbmC+ZS2Kk4+Qfxpy61F8="
add allowed-address=10.10.100.12/32,192.168.20.0/24 comment=629 \
    endpoint-address=XXXXX.dyndns.org endpoint-port=51821 interface=\
    212-Wireguard name=629 persistent-keepalive=40s public-key=\
    "q28DzC8N0YbnLJJovQHJT9o5tU0z2LKmLmg9oG4CfXo="
add allowed-address=10.10.100.60/32,192.168.1.0/24 comment=255 \
    endpoint-address=XXXXX.dyndns.org endpoint-port=51835 interface=\
    212-Wireguard name=255 persistent-keepalive=40s public-key=\
    "6E3qiHNBwSCzRKUjEPt3Qcs1c+r9bzZ0aWPK0PMwbRc="
add allowed-address=10.10.100.30/32,192.168.30.1/24 comment=76 \
    endpoint-address=XXXXX.dyndns.org endpoint-port=51830 interface=\
    212-Wireguard name=76 persistent-keepalive=40s public-key=\
    "EJu69lCmgQUBsiVng8xWu3x2t1k0omNOLVY6scNgUic="
add allowed-address=10.10.90.0/24 comment="BI PC WG APP" endpoint-port=51820 \
    interface=212-Wireguard name=peer8 public-key=\
    "R5SjZucQPhyu5CQyXLvxf/RFr9FogUr5iBSC0jt9TV4="
add allowed-address=10.10.100.1/32,192.168.2.2/24 comment=\
    "212 (local, just for reference);   192.168.2.2" disabled=yes \
    endpoint-address=XXXXX.dyndns.org endpoint-port=51820 interface=\
    212-Wireguard name=peer9 public-key=\
    "xx27cpfZFjhs2emAFLH7btR1YlEYPUo/op1OqXrW4Ds="
add allowed-address=10.10.100.100/32 comment="JRS Laptop 201" disabled=yes \
    interface=212-Wireguard name=peer10 public-key=\
    "QJCXZaf5K/qCPQbo7QpXYkBgg4BClqVAI75udeqsSFk="
add allowed-address=10.10.100.101/32 endpoint-port=51840 interface=\
    212-Wireguard name=peer11 public-key=\
    "N/t6/86S/qTZ9c2HAZVFCtLJs3y1T9QSAAo2GQQZsW8="
add allowed-address=10.10.100.70/32,192.168.70.0/24 comment=125 \
    endpoint-address=XXXXX.dyndns.org endpoint-port=51870 interface=\
    212-Wireguard name=125 persistent-keepalive=40s public-key=\
    "Otp5S5pvkk1i1souKLXctvG3PEr6Rk4GF8HbwayGqT8="
add allowed-address=10.10.100.99/32,192.168.2.0/24 comment="JRS Laptop 2023" \
    interface=212-Wireguard name=peer13 private-key=\
    "ED8Ig6UntTB7Kg+FECyVc3oEhPhrzMyBZH//vOc9p2Q=" public-key=\
    "w9XFUjODaOIOQbCeMVJ+Sfvmch8atfrdFMDWMndCHiU="
add allowed-address=10.10.100.53/32,192.168.0.0/24 client-listen-port=51840 \
    comment="WG Proxmox Win11" endpoint-address=XXXXX.dyndns.org \
    endpoint-port=51844 interface=*12 name=peer15 public-key=\
    "Wut4NWWjMvqM+8BNw0IP+ZO1fOBknGI5MjEdOXDGRDk="
add allowed-address=10.10.100.15/32 comment=355-AX3 disabled=yes \
    endpoint-address=10.0.0.1 endpoint-port=51860 interface=212-Wireguard \
    name=355-ax3 persistent-keepalive=40s public-key=\
    "C6fhu5+A4TMkzMPFBO/OH756yD08OtpEw54Qql3LZ04="
add allowed-address=10.10.100.10/32 comment="T Laptop" interface=\
    212-Wireguard name=t-laptop public-key=\
    "MbtVSiQVL3NwLVd0IJtwgyf5JdvP+vjrp81mL+itsBc="
add allowed-address=10.10.100.80/32,192.168.80.1/24,10.72.0.0/16 comment=729 \
    endpoint-address=xxxx.dyndns.org endpoint-port=51880 interface=\
    212-Wireguard name=729 persistent-keepalive=40s public-key=\
    "hpOdNYSsIdXj4RM8WOGSXbhH/bPjjza3+DzjqQ4t0CQ="
add allowed-address=10.10.100.81/32 comment=hex-lab endpoint-address=\
    192.168.2.192 endpoint-port=51881 interface=212-Wireguard name=peer19 \
    persistent-keepalive=40s public-key=\
    "U/TxIdbpK23ntyR799TQ/+aYh3KVHdyY1upfjmj4/y0="
add allowed-address=10.10.100.50/32,192.168.0.0/24,192.168.5.0/24 comment=355 \
    endpoint-address=XXXXX.dyndns.org endpoint-port=51833 interface=\
    212-Wireguard name=355 persistent-keepalive=40s public-key=\
    "Q8CPJm+/UBOSQy1AjNPOBDFxZmbbJrycOWg5omLZq3g="
add allowed-address=10.10.100.101/32 comment=Aurora-laptop interface=\
    212-Wireguard name=Aurora-laptop private-key=\
    "KDUXHH41OjPNFGjXkf22myM60jGw4B97/Oh6nx+EmWE=" public-key=\
    "rKKCAbPpbj2hlEgkMo1FDdGyqF6Qj9hr4kL0OmyM8C4="
/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\
    192.168.2.0
add address=10.10.100.1/24 interface=212-Wireguard network=10.10.100.0
add address=192.168.55.1/24 interface=ether7 network=192.168.55.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server alert
add alert-timeout=12h disabled=no interface=bridge on-alert="/system script ad\
    d name=rogue-dhcp source=\94:log warning message=\\\94Rogue DHCP server de\
    tected!\\\94\94"
add alert-timeout=30m interface=bridge on-alert=rogue-dhcp

/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=192.168.2.2 gateway=\
    192.168.2.2 netmask=24
add address=192.168.55.0/24 dns-server=1.1.1.1 gateway=192.168.55.1 netmask=\
    24
/ip dns
set allow-remote-requests=yes cache-max-ttl=3d cache-size=10000KiB servers=\
    9.9.9.9,1.1.1.1,8.8.4.4
/ip dns static
add address=192.168.2.8 name=212-rb5009.212.local type=A
add address=192.168.2.2 name=RB5009.212.local ttl=9w6d10h40m type=A
add address=10.10.100.1 name=212.10.10.100.1.local ttl=9w6d10h40m type=A
add address=192.168.2.100 comment="automatic-from-comment (magic comment)" \
    name=TV15.212.local ttl=1h type=A
add address=192.168.2.121 comment="automatic-from-comment (magic comment)" \
    name="Ipad SRN.212.local" ttl=9w6d10h40m type=A
add address=192.168.2.138 comment="automatic-from-comment (magic comment)" \
    name=MFCL3770CDW.212.local ttl=9w6d10h40m type=A
add address=192.168.2.141 comment="automatic-from-comment (magic comment)" \
    name="JRS iPhone.212.local" ttl=9w6d10h40m type=A
add address=192.168.2.109 comment="automatic-from-comment (magic comment)" \
    name="Vizio on 15.212.local" ttl=9w6d10h40m type=A
add address=192.168.2.122 comment="automatic-from-comment (magic comment)" \
    name=Homepod.212.local ttl=9w6d10h40m type=A
add address=192.168.2.199 comment="automatic-from-comment (magic comment)" \
    name=Playstation.212.local ttl=9w6d10h40m type=A
add address=192.168.2.142 comment="automatic-from-comment (magic comment)" \
    name=SRNAppleWatch.212.local ttl=9w6d10h40m type=A
add address=192.168.2.22 name=JRS-PC.212.local type=A
add address=192.168.2.102 comment="automatic-from-dhcp (magic comment)" name=\
    Master-Bedroom.212.local ttl=1h40m type=A
add address=192.168.2.103 comment="automatic-from-dhcp (magic comment)" name=\
    Family-Room.212.local ttl=1h40m type=A
add address=192.168.2.138 comment="automatic-from-dhcp (magic comment)" name=\
    MFC-L3770.212.local ttl=1h40m type=A
add address=192.168.2.147 comment="automatic-from-dhcp (magic comment)" name=\
    212LR.212.local ttl=1h40m type=A
add address=192.168.2.191 comment="automatic-from-dhcp (magic comment)" name=\
    SRNOffice.212.local ttl=1h40m type=A
add address=192.168.2.128 comment="automatic-from-dhcp (magic comment)" name=\
    212MBR.212.local ttl=1h40m type=A
add address=192.168.2.200 comment="automatic-from-dhcp (magic comment)" name=\
    HarmonyHub.212.local ttl=1h40m type=A
add address=192.168.2.124 comment="automatic-from-dhcp (magic comment)" name=\
    BRW2C6FC95FBCEB.212.local ttl=1h40m type=A
add address=192.168.2.173 comment="automatic-from-dhcp (magic comment)" name=\
    NC-LT-SN20.212.local ttl=1h40m type=A
add address=192.168.2.137 comment="automatic-from-dhcp (magic comment)" name=\
    tasmota-E37677-5751.212.local ttl=1h40m type=A
add address=192.168.2.117 comment="automatic-from-dhcp (magic comment)" name=\
    BRNB4220095598A.212.local ttl=1h40m type=A
add address=192.168.2.127 comment="automatic-from-dhcp (magic comment)" name=\
    Debian.212.local ttl=1h40m type=A
add address=192.168.2.110 comment="automatic-from-dhcp (magic comment)" name=\
    JRS-Laptop-2023.212.local ttl=1h40m type=A
add address=192.168.2.108 comment="automatic-from-dhcp (magic comment)" name=\
    0005CD193C07.212.local ttl=1h40m type=A
add address=69.202.199.148 name=XXXXX.dyndns.org type=A
add address=192.168.2.2 comment=router.212.internal name=router.212.internal \
    type=A
add address=10.10.100.80 comment=729router.internal name=729router.internal \
    type=A
add address=192.168.2.22 comment=jrspc name=jrspc.212.internal type=A
/ip firewall address-list
add address=XXXXX.dyndns.org list=dynamic-WANIP
add address=192.168.0.0/16 list=Authorized
add address=10.10.100.0/24 list=Authorized
add address=XXXXX.dyndns.org list=XXXXX
add address=hda08a4mazh.sn.mynetname.net list=PublicIP
/ip firewall filter
add action=log chain=input comment="Port 53 Log" connection-state=new \
    disabled=yes dst-port=53 log=yes log-prefix=TCP-53 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Loopback allow" dst-address=127.0.0.1
add action=accept chain=input comment="Allow incoming WG connections" \
    dst-port=51820 protocol=udp
add action=drop chain=input comment="DROP DHCP on DHCPdisabled" disabled=yes \
    dst-port=67-68 in-interface-list=DHCPdisabled log=yes protocol=udp \
    src-port=67-68
add action=accept chain=input comment="Allow GRE for EoIP" disabled=yes log=\
    yes protocol=gre
add action=accept chain=input comment="Allow Authorized" src-address-list=\
    Authorized
add action=accept chain=input comment="Allow LAN" in-interface-list=LAN
add action=drop chain=input comment="drop all else" log-prefix=drop-all-else
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf:  drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="Allow WG to subnet" dst-address=\
    192.168.2.0/24 in-interface=212-Wireguard
add action=accept chain=forward comment="Allow all traffic out WG iface" \
    out-interface=212-Wireguard
add action=accept chain=forward comment="Allows cross peer subnet traffic" \
    in-interface=212-Wireguard out-interface=212-Wireguard
add action=accept chain=forward comment="Allow LAN to WAN" disabled=yes \
    in-interface-list=LAN log=yes out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else" disabled=yes
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Mark connection for hairpin" disabled=yes dst-address-list=dynamic-WANIP \
    log=yes new-connection-mark="Hairpin NAT" src-address=192.168.2.0/24
add action=mark-connection chain=prerouting comment=\
    "Mark connection for hairpin" disabled=yes dst-address-list=dynamic-WANIP \
    log=yes new-connection-mark="Hairpin NAT" src-address=192.168.2.0/24
add action=mark-connection chain=prerouting comment=\
    "Mark connection for hairpin" disabled=yes dst-address-list=dynamic-WANIP \
    log=yes new-connection-mark="Hairpin NAT" src-address=192.168.2.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT" dst-address=192.168.2.0/24 src-address=192.168.2.0/24
add action=dst-nat chain=dstnat comment=XXXXX.dyndns.org:81 \
    dst-address-list=XXXXX dst-port=81 log-prefix=\
    "NAT FW destination XXXXX port 81" protocol=tcp to-addresses=\
    192.168.0.101 to-ports=81
add action=dst-nat chain=dstnat comment=XXXXX.dyndns.org:8123 \
    dst-address-list=XXXXX dst-port=8123 protocol=tcp to-addresses=\
    192.168.0.162 to-ports=8123
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=dynamic-WANIP dst-port=8123 \
    protocol=tcp to-addresses=192.168.2.176
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT" disabled=yes dst-address=192.168.2.0/24 src-address=\
    192.168.2.0/24
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
    disabled=yes out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-address-list=dynamic-WANIP \
    dst-port=8123 protocol=tcp to-addresses=192.168.2.176
add action=dst-nat chain=dstnat disabled=yes dst-address-list=dynamic-WANIP \
    dst-port=5911 log=yes protocol=tcp to-addresses=192.168.2.139
add action=dst-nat chain=dstnat disabled=yes dst-port=51833 protocol=udp \
    to-addresses=192.168.2.50
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT" disabled=yes dst-address=192.168.2.0/24 src-address=\
    192.168.2.0/24
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
    disabled=yes out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-address-list=dynamic-WANIP \
    dst-port=8123 protocol=tcp to-addresses=192.168.2.176
add action=dst-nat chain=dstnat disabled=yes dst-address-list=dynamic-WANIP \
    dst-port=5911 log=yes protocol=tcp to-addresses=192.168.2.139
add action=dst-nat chain=dstnat disabled=yes dst-port=51833 protocol=udp \
    to-addresses=192.168.2.50
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip kid-control
add fri=0s-1d mon=0s-1d name=Monitor sat=0s-1d sun=0s-1d thu=0s-1d tue=0s-1d \
    wed=0s-1d
/ip route
add disabled=yes distance=1 dst-address=192.168.5.0/24 gateway=212-Wireguard \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.2 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=355 disabled=no distance=1 dst-address=192.168.0.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=255 disabled=no distance=1 dst-address=192.168.1.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=355-Cameras disabled=no distance=1 dst-address=192.168.5.0/24 \
    gateway=212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=629 disabled=no distance=1 dst-address=192.168.20.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.60.0/24 gateway=192.168.2.8 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=76 disabled=no distance=1 dst-address=192.168.30.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=371 disabled=no distance=1 dst-address=192.168.40.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=125 disabled=no distance=1 dst-address=192.168.70.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=10.0.0.0/24 gateway=192.168.2.5 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment="TEMP -- REMOVE THIS WHEN 729 AX3 is moved" disabled=yes \
    distance=1 dst-address=172.16.0.0/16 gateway=192.168.2.192 routing-table=\
    main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.0.0.0/8 gateway=212-Wireguard \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=192.168.4.0/24 gateway=10.10.100.80 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=729 disabled=no distance=1 dst-address=192.168.80.0/24 gateway=\
    212-Wireguard routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=10.21.0.0/16 gateway=ether5 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set www-ssl disabled=no
set api disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set always-allow-password-login=yes forwarding-enabled=both
/snmp
set enabled=yes trap-version=2
/system clock
set time-zone-name=America/New_York
/system identity
set name=212-RB5009
/system logging
set 0 topics=info,!wireguard,!dhcp
add topics=account
add topics=watchdog
add action=logserver prefix="XXXXXH MikroTik" topics=hotspot
add action=logserver prefix="XXXXXH MikroTik" topics=\
    !debug,!packet,!snmp
add action=remote disabled=yes prefix=192.168.2.2 topics=info
add action=remote disabled=yes topics=ups
add topics=ups
add disabled=yes topics=dns
add topics=firewall
add action=diskups regex="^\\[UPS\\]:" topics=script
add action=disk topics=watchdog
add disabled=yes topics=netwatch
add disabled=yes topics=wireguard
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=216.239.35.4
add address=104.16.132.229
/system ups
add name=ups1 port=usbhid1
/system watchdog
set auto-send-supout=yes ping-start-after-boot=10m ping-timeout=10m \
    send-email-to=jXXXXX@domain.com watch-address=1.1.1.1
/tool bandwidth-server
set authenticate=no
/tool e-mail
set from=jXXXXX@domain.com port=587 server=smtp.gmail.com tls=starttls \
    user=xxxx@gmail.com
/tool graphing interface
add interface=bridge
add
/tool graphing queue
add
/tool graphing resource
add
add
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

/tool romon
set enabled=yes
/tool sniffer
set file-limit=10000KiB filter-ip-address=10.10.100.101/32 \
    filter-ip-protocol=icmp memory-limit=10000KiB streaming-server=\
    192.168.2.22
/tool traffic-monitor
add disabled=yes interface=ether1 name=tmon1
add disabled=yes interface=ether3 name=tmon2 traffic=received trigger=always

Guilty. And I bet I could guess what province you're from............. :slight_smile: Now even with config, I'd still be guessing....

Still not sure what path is working/not-working either, IP addresses involved, nor ping/traceroutes or other troubleshooting steps already taken. And winbox/webfig show stuff like firewall counters, connections list, and firewall logging can be enabled to narrow down what rule is broken – which is something we cannot see/do on forum. Plus with multiple customer sites, OP should do a little more homework than dumping config like a home user.

I was scolded for not providing the config and then again for providing them.

Got it.

My goal is to connect iPhone or laptop by WG to the RB5009 and be able to have ip connectivity to the other sites at 192.168.x.0/24 (instead of just 192.168.2.0/24 which is local to the RB5009).

And there are no customers — just me

I was not trying to scold. More encouraging you to do some digging to provide a more complete picture of what is going wrong. And, no one is going to complain if you provide config, and you've posted enough on the forum to know it's "best" to start with config. And when you start talking about many routers/devices in a network, diagrams start becoming important tools to aid understanding.

My 1st point was more that RouterOS has many tools to look at whether firewall and WG are working, like ping, fw counters/conntrack, and logging that would be good to know to help with these kinds of issues. And, your issue may, or may not be, a RouterOS config issue. For example, I still wouldn't rule out a WG config, not RouterOS, configuration issue. Thus my initial comment to ensure allowed-address is correct everywhere – not "I tried that" when something like allowed-address has to be right (or a broad 0.0.0.0/0) for things to work as you want.

And my 2nd point was that any "config review" by the forum would certainly be helped by saying "this IP from X to this IP on Y does not work", not vague references to your own internal terminology. For example, saying "phone cannot reach '355'" does not clarify whether it's the router or a device beyond the router connected to "355"... so whether it's forward or input rules that should be looked at is unknown.

Anyway, I was not trying to be insulting/whatever. But you've said you want to learn more before, and being able to troubleshoot and narrow down issues is a critical task to know. RouterOS has a lot of tools to help, but they're not being utilized.

Do you ever use the same phone and laptop to connect directly to WG355 using the same keys and assigned IP addresses (for example 10.10.100.8 and 10.10.100.9, etc)? It looks like that based on your peers list on both routers. In that case your problem is that your WG network is forming a mesh, not a star network with a central node (the 212 router).

  • Currently, when you use your "JRS iPhone" to connect to the RB5009 (the WG212 router) that phone has the IP address 10.10.100.9 inside Wireguard. If you use it to access 192.168.0.15 for example, the RB5009 will look at its route table and see that the 212-Wireguard interface should be used as gateway to forward the packet. This is fine.

  • Next, WG will look in the peer list of 212-Wireguard to see which peer can receive packets destined to 192.168.10.15, and find this peer entry:

    /interface wireguard peers
    add allowed-address=10.10.100.50/32,192.168.0.0/24,192.168.5.0/24 comment=355 \
        endpoint-address=XXXXX.dyndns.org endpoint-port=51833 interface=\
        212-Wireguard name=355 persistent-keepalive=40s public-key=\
        "Q8CPJm+/UBOSQy1AjNPOBDFxZmbbJrycOWg5omLZq3g="
    

    The packet will be sent through the WG tunnel established between 212 (RB5009) and 355 (hEX S). This is also correct and will work up to this step. Note that the packet has the source IP address 10.10.100.9 of the "JRS iPhone".

  • Next the packet arrives through the tunnel to the 355 (hEX S) router. Here is where it no longer works: This is the peer associated with 212 on the hEX S:

    /interface wireguard peers
    add allowed-address=10.10.100.1/32,192.168.2.0/24 comment=212 \
        endpoint-address=XXXXX.dyndns.org endpoint-port=51820 interface=\
        355-WGhEX name=212 persistent-keepalive=40s public-key=\
        "xx27cpfZFjhs2emAFLH7btR1YlEYPUo/op1OqXrW4Ds="
    

    Look at the content of allowed-address, do you see anything that will allow a packet with the source address 10.10.100.9 to pass through? The answer is NO. The packet will simply be dropped at the gate on the 355 router. Packets with the source IP address 10.10.100.9 will only be accepted when they arrive through the direct tunnel established between the hEX S and this peer:

    /interface wireguard peers
    add allowed-address=10.10.100.9/32 comment="JRS iPhone" interface=355-WGhEX \
        name=JRS-iPhone public-key=XXXXX2Kk4+Qfxpy61F8="
    

    But your phone is not connected to the hEX S, but to the RB5009.


To make it work, you have two alternatives:

  1. The simplest would be to add a masquerade rule to the RB5009, for src-address=10.10.100.0/24 dst-address=10.10.100.0/24 out-interface=212-Wireguard. Downside is that you lose the information about the source device's IP address.

  2. You no longer let the phone & laptop devices use the same WG config to connect to the 355 server. Then you can remove the peers of those devices from the peer list of the 355 server, and add 10.10.100.8, 10.10.100.9, etc... to the allowed-address list of the peer with the name "212" on the 355 server.

    /interface wireguard peers
    add allowed-address=10.10.100.1/32,10.10.100.8/32,10.10.100.9/32,192.168.2.0/24 comment=212 \
        endpoint-address=XXXXX.dyndns.org endpoint-port=51820 interface=\
        355-WGhEX name=212 persistent-keepalive=40s public-key=\
        "xx27cpfZFjhs2emAFLH7btR1YlEYPUo/op1OqXrW4Ds="
    

My apologies Amm0! I overreacted, and I should have prepared my question more thoroughly. Just super pressed for time, and was fantasizing that this was a simple fix that could be provided without much digging.

Wow, thank you so much for the great explanation.

I followed (I think) until the section: “To make it work, you have two alternatives.”

  1. I don’t understand how a masq rule would overcome the WG allowed-address list.

  2. I’m not clear on what you mean by “no longer let the phone & laptop devices use the same WG config.” Do you mean set up a new WG interface on the RB5009 just for phone/laptop access? Focusing on the laptop (WG entry named Aurora-laptop), I only have the RB5009 configured to allow a WG connection. The Aurora-laptop is set to use 10.10.100.101, as shown in this:

add allowed-address=10.10.100.101/32 comment=Aurora-laptop interface=\
    212-Wireguard name=Aurora-laptop private-key=\
    "KDUXHH41OjPNFGjXkf22myM60jGw4B97/Oh6nx+EmWE=" public-key=\
    "rKKCAbPpbj2hlEgkMo1FDdGyqF6Qj9hr4kL0OmyM8C4="

When I establish a WG connection from the Aurora-laptop to the RB5009, I have full access to the LAN at the RB5009 location (192.168.2.x/24). Frames come in from the Aurora-laptop with src 10.10.100.101.

I like the way I have it now. I’m not saying it’s the best. I’m comfortable with it.

Each site has a WG connection to each other site that it could possibly ever need to have such a connection to. Some sites don’t need to talk to other sites, but if they did, I’d know how to configure it.

And, each site has a single WG interface.

I was just on vacation (Cancun, Mexico – highly recommend) and only then discovered that my (relatively new) Aurora linux laptop connected via WG to 212 was not able to see a video server at 355. I fiddled with it a bit, but then just RDP’d into a Windows machine at 212 and was able to get access to the server at 355 (that is, more time swimming, less time pulling hair out).

Now that I’m back, I thought I’d see if there was an easy fix (which was stupid of me because I’m somehow 3 weeks backlogged on work after taking 1 week off).

When you add the masquerade rule to the RB5009 router, the packets sent from the "JRS iPhone" to 192.168.0.15 will have the source address changed from 10.10.100.9 to 10.10.100.1 (address of the RB5009 on 212-Wireguard).

The packet will arrive through the tunnel to the hEX S router, and this time it matches allowed-address=10.10.100.1/32,192.168.2.0/24 and will be accepted to further be forwarded.

When 192.168.0.15 responds, it will send the packet with src-address=192.168.0.15 and dst-address=10.10.100.1. On the 355 router, the matching route is

/ip route
add disabled=no dst-address=10.0.0.0/8 gateway=355-WGhEX routing-table=main \
    suppress-hw-offload=no

So the interface 355-WGhEX will be used as gateway interface for the destination 10.10.100.1. WireGuard will take over and check among the peers of the 355-WGhEX interface to see which peer can receive the packet, it finds:

/interface wireguard peers
add allowed-address=10.10.100.1/32,192.168.2.0/24 comment=212 \
    endpoint-address=XXXXX.dyndns.org endpoint-port=51820 interface=\
    355-WGhEX name=212 persistent-keepalive=40s public-key=\
    "xx27cpfZFjhs2emAFLH7btR1YlEYPUo/op1OqXrW4Ds="

with matching allowed-address and send the packet through the tunnel to the 212 RB5009 router.

On the RB5009 the packet is accepted because it has src-address=192.168.0.15 and this matches allowed-address of this peer associated with the 355 router:

/interface wireguard peers
add allowed-address=10.10.100.50/32,192.168.0.0/24,192.168.5.0/24 comment=355 \
    endpoint-address=XXXXX.dyndns.org endpoint-port=51833 interface=\
    212-Wireguard name=355 persistent-keepalive=40s public-key=\
    "Q8CPJm+/UBOSQy1AjNPOBDFxZmbbJrycOWg5omLZq3g="

Once the packet is accepted by WG, connection tracking will find out that the packet belongs to a connection that has been SRCNAT'ed (by masquerade) and will undo the address translation, changing the destination address of the packet from 10.10.100.1 to 10.10.100.9. The packet will then further be forwarded correctly to the "JRS iPhone".

Currently devices such as "JRS iPhone" or "JRS Laptop" have the same IP addresses (in this example 10.10.100.9 and 10.10.100.8) in the WG configuration of both routers RB5009 and hEX S. I'm sure there are more devices like that but I used just those two as example.

Which means in the peer list of both 212-Wireguard on RB5009 and 355-WGhEX on hEX S you have individual entries for those devices, having those addresses listed in allowed-address.

Which means you cannot put 10.10.100.8/32 and 10.10.100.9/32 in allowed-address of the peer entry

/interface wireguard peers
add allowed-address=10.10.100.1/32,192.168.2.0/24 comment=212 \
    endpoint-address=XXXXX.dyndns.org endpoint-port=51820 interface=\
    355-WGhEX name=212 persistent-keepalive=40s public-key=\
    "xx27cpfZFjhs2emAFLH7btR1YlEYPUo/op1OqXrW4Ds="

on the hEX S (this peer is the peer associated with the RB5009 on the hEX S), because doing so will cause peers to have overlapping address ranges in allowed-address (multiple peers say they are responsible for 10.10.100.9 and 10.10.100.8).

If you cannot put 10.10.100.8/32 and 10.10.100.9/32 in allowed-address of the "212" peer, then packets with those source addresses cannot arrive from that peer, hence the problem I described in the post above.

If you want to make this possible (so that you don't need masquerade on the RB5009) then you have to make the change, so that "JRS Laptop" and "JRS iPhone" do not have the IP addresses 10.10.100.8 and 10.10.100.9 when they use WG to directly connect to the 355 hEX S. This is required so that those peers can have something else in allowed-address than 10.10.100.8/32 and 10.10.100.9/32, so that 10.10.100.8/32 and 10.10.100.9/32 can be added to the "212" peer instead (no longer having overlapping address ranges).

Which however means that your WG network is no longer a mesh with multiple links between devices, because those "JRS Laptop" and "JRS iPhone" will have different addresses depending on whether they connect to WG on RB5009 or WG on hEX S. This means on those phone and laptop devices, you'll have two separate WireGuard profiles (because you need two separate addresses for [Interface]), instead of having only one profile with multiple [Peer] sections.

It's much easier and requires fewer changes if you use the masquerade rule instead.

If you want the laptop to be able to watch videos at 355 you have these choices:

  1. Keep current configuration unchanged, but if you want to access resources at 355, your laptop must connect to WG on 355 too, instead of only 212. On the WG profile on the laptop, you'll have one [Interface] section with one address 10.10.100.101, but two [Peer] sections. One with endpoint set to the 212 router, with Allowed-IPs set to something like 10.10.100.1/32, 192.168.2.0/24, .... And one [Peer] section with endpoint set to the 355 router, with Allowed-IPs set to 10.10.100.50/32, 192.168.0.0/24. When your laptop accesses 192.168.0.15, it will know to use the 212 endpoint and connect to the hEX S router (because of Allowed-IPs).

  2. Keep current configuration mostly unchanged, but add the masquerade rule to the 212 RB5009 router. After doing this, you can connect to WG on 212 and access resources on 355.

  3. Remove the laptop from the peer list of the 355 router, so that you'll never connect the laptop directly to 355 anymore. Then you can add the WG address of the laptop to allowed-address of the "212" peer on the 355 router. After doing this, you can connect to WG on 212 and access resources on 355.

  4. Still keep the ability to connect the laptop to 355 through WG, but you'll have to add a new WG profile on the laptop used specifically to connect to 355, with a WG IP address other than 10.10.100.101. So that on the 355 router the peer associated with the laptop no longer has allowed-address=10.10.100.101/32 but something else, and you add 10.10.100.101/32 to allowed-address of the "212" peer instead. After doing this, you can connect to WG on 212 and access resources on 355.
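The two explanations above (the drop at the 355 "gate" and the masquerade round trip with conntrack undoing the translation) can be checked against a small model of WireGuard cryptokey routing. The block below is an added example written for this thread, not code from the thread or from RouterOS. It copies the two peer tables quoted above (public keys left out) and assumes two simplifications: each router's tunnel address is the one in the exports (10.10.100.1 on 212-Wireguard), and the 355 host being reached is the 192.168.0.15 used as the example above. The functions model egress peer selection (longest matching allowed-address), the ingress source check, the masquerade on 212, the reply path, and an audit for allowed-address prefixes claimed by more than one peer on the same interface.

```python
"""Model of WireGuard cryptokey routing for the 212 <-> 355 tunnel.

Constructed example for the thread; not RouterOS code. Peer tables are
the ones quoted in the posts above, with public keys omitted.
"""
from ipaddress import ip_address, ip_network

# Peer tables per router: peer name -> allowed-address prefixes.
# The phone is a direct peer on BOTH routers, with the same /32.
PEERS_212 = {
    "355": ["10.10.100.50/32", "192.168.0.0/24", "192.168.5.0/24"],
    "jrs-iphone": ["10.10.100.9/32"],
}
PEERS_355 = {
    "212": ["10.10.100.1/32", "192.168.2.0/24"],
    "JRS-iPhone": ["10.10.100.9/32"],
}
WG_ADDR_212 = "10.10.100.1"  # RB5009's own address on 212-Wireguard (from the export)


def select_peer(peers, dst):
    """Egress: the peer whose allowed-address contains dst (longest prefix wins)."""
    dst = ip_address(dst)
    best = None
    for name, prefixes in peers.items():
        for p in prefixes:
            net = ip_network(p, strict=False)
            if dst in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


def accept_ingress(peers, from_peer, src):
    """Ingress: a decrypted packet from from_peer is kept only if its source
    address lies inside that peer's allowed-address; otherwise WG drops it."""
    src = ip_address(src)
    return any(src in ip_network(p, strict=False) for p in peers[from_peer])


def overlaps(peers):
    """Audit: prefixes that more than one peer on the same interface claims."""
    owners = {}
    for name, prefixes in peers.items():
        for p in prefixes:
            owners.setdefault(str(ip_network(p, strict=False)), []).append(name)
    return {n: o for n, o in owners.items() if len(o) > 1}


def forward_212_to_355(src, dst, masquerade=False, peers_355=PEERS_355, nat_table=None):
    """Trace a packet from a 212-connected client to a host behind 355.
    Returns (accepted_by_355, source_address_as_seen_by_355)."""
    if select_peer(PEERS_212, dst) != "355":
        return (False, src)
    if masquerade:
        # src-nat on the RB5009: record the flow so the reply can be untranslated.
        if nat_table is not None:
            nat_table[(WG_ADDR_212, dst)] = src
        src = WG_ADDR_212
    return (accept_ingress(peers_355, "212", src), src)


def reply_355_to_212(nat_table, reply_src, reply_dst, peers_355=PEERS_355):
    """Return path: 355 picks the peer owning reply_dst, 212 checks reply_src
    against the 355 peer, then conntrack restores the original client address.
    Returns the final destination, or None if the reply never reaches 212."""
    if select_peer(peers_355, reply_dst) != "212":
        return None
    if not accept_ingress(PEERS_212, "355", reply_src):
        return None
    return nat_table.get((reply_dst, reply_src), reply_dst)


def move_phone_to_212_peer(peers_355):
    """Option 3 above: drop the phone's direct peer on 355 and hand its /32
    to the '212' peer, so no two peers claim the same prefix."""
    fixed = {k: list(v) for k, v in peers_355.items() if k != "JRS-iPhone"}
    fixed["212"].append("10.10.100.9/32")
    return fixed


if __name__ == "__main__":
    print("no masquerade:", forward_212_to_355("10.10.100.9", "192.168.0.15"))
    nat = {}
    print("masquerade:", forward_212_to_355("10.10.100.9", "192.168.0.15", True, nat_table=nat))
    print("reply lands at:", reply_355_to_212(nat, "192.168.0.15", "10.10.100.1"))
    print("option 3 overlaps:", overlaps(move_phone_to_212_peer(PEERS_355)))
```

Running it reproduces the thread's reasoning: without masquerade the packet from 10.10.100.9 is rejected at 355's "212" peer, with masquerade it arrives as 10.10.100.1 and the reply is mapped back to the phone, and appending 10.10.100.9/32 to the "212" peer while the phone's own peer still exists is flagged by `overlaps`, which is the conflict the post describes.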

@CGGXANNX: That was a fabulous, useful, real-world explanation of implementing WG. I will be rereading it several times to make sure I understand it as well as possible.

I took the easiest (for me) of your options and added a second peer on the laptop so that I now have 355 as one peer and 212 as another peer, and it works great.

But, I really want to understand better the other options (masquerade, connect to 212 and route via 212 to 355, separate WG profile (which I think means WG interface) on the laptop).

Thank you!

Yes, if the 355 router is reachable on the internet (has public IP address) then this is the option with the best performance, because the laptop connects directly to the router in front of the LAN resources it wants to access. The other solutions that go through the 212 router are only needed when 355 has no public IP addresses.
