Wireguard and internal connection to internet

Hey! So I have a CRS 125 configured with Wireguard. The CRS125 is behind an AT&T NAT device. The network defined for the Wireguard peers is 192.168.5.0/24, with the CRS125 being 192.168.5.1 for Wireguard (and 192.168.6.1 internally), and the laptop peer being 192.168.5.3

But what I’m working on isn’t connection from the Internet to the Wireguard service. What I want to be able to do is have a laptop on the inside connect to Wireguard, and be able to connect to other internal networks and the internet.

The other internal networks I have working, having figured out the allowed-address wasn’t 0.0.0.0/0. So the laptop running the Windows WireGuard client can connect to all of the internal resources. I’ve got the laptop able to connect to the internet outbound, with:

chain=srcnat action=masquerade src-address=192.168.5.0/24 out-interface=wan1 log=no log-prefix=""

First, that appears to work. Is there any need for any other NAT or Mangle rules for laptop > Internet?


Second, when I get to connecting from the internet (inbound), I’ll need to set up the AT&T router for port forwarding (no problem).
Will this config get the WireGuard connectivity working on the MikroTik?
chain=dstnat action=dst-nat to-addresses=192.168.6.1 protocol=udp in-interface=wan1 dst-port=13231 log=no log-prefix=""

Thanks!!
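For reference, here is the router-side piece of this setup written out in one place. This is an added example, not the poster's export or anything from the thread: it assumes the names used later in the export (Wireguard1 on UDP 13231, wan1, vlanLAN, vlanDMZ, the address list "internal") and the tunnel subnet 192.168.5.0/24 with the CRS at 192.168.5.1 from the post. The point it makes about the second question: the CRS is itself the WireGuard endpoint, so once the AT&T router forwards UDP 13231 to the CRS's wan1 address the packet is an INPUT-chain decision on the CRS, and no dst-nat rule is needed there.

```routeros
# WireGuard termination on the CRS125 (added example, not the poster's export).
# Assumed: Wireguard1 / UDP 13231, tunnel 192.168.5.0/24 with CRS = 192.168.5.1,
# interfaces wan1, vlanLAN, vlanDMZ and address list "internal" as in the export.

/interface wireguard
add name=Wireguard1 listen-port=13231 mtu=1420
/ip address
add address=192.168.5.1/24 interface=Wireguard1

# INPUT: the handshake is addressed to the router itself. The AT&T box forwards
# UDP 13231 to the CRS's wan1 address; nothing needs rewriting after that.
# One rule for road-warriors arriving on wan1, one for on-site laptops coming
# from the VLANs (the poster's Laptop A case). Both must sit above the final
# "drop all input" rule (use place-before=... on a live box).
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=13231 in-interface=wan1 \
    comment="WireGuard from Internet (via AT&T port forward)"
add chain=input action=accept protocol=udp dst-port=13231 in-interface=!wan1 \
    src-address-list=internal comment="WireGuard from inside (Laptop A)"

# FORWARD: what tunnel clients may reach. Explicit per-destination rules keep
# the decision visible in the rule list instead of riding on a broad
# "internal -> wan1" accept. Again, these go above the final forward drop.
add chain=forward action=accept in-interface=Wireguard1 out-interface=vlanLAN \
    src-address=192.168.5.0/24 comment="WG -> LAN"
add chain=forward action=accept in-interface=Wireguard1 out-interface=vlanDMZ \
    src-address=192.168.5.0/24 comment="WG -> DMZ"
add chain=forward action=accept in-interface=Wireguard1 out-interface=wan1 \
    src-address=192.168.5.0/24 comment="WG -> Internet"

# NAT: 192.168.5.0/24 is unknown to the AT&T router, so its replies would be
# dropped there; masquerade tunnel clients behind wan1 only. Limiting the rule
# to out-interface=wan1 means LAN/DMZ hosts (and the firewall logs) still see
# the real 192.168.5.x source, which the per-host rules depend on.
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.5.0/24 out-interface=wan1 \
    comment="WG clients -> Internet"
# No dst-nat rule for 13231 on the CRS: the router is the WireGuard endpoint.
```

On a box that already has a full rule set, add these with place-before pointing at the existing catch-all drop rules; appended rules land below the drops and never match. The only change needed on the AT&T side is the UDP 13231 forward to the CRS's wan1 address.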

Draw a diagram, your explanation is more confusing than helpful.
And post the complete config:
/export file=anynameyouwish ( minus router serial number, any public WAN IP information, keys etc. )

Basic:

Laptop A <> CRS 125 <> AT&T Router <> Internet <> Laptop B
192.168.6.0/24 is the internal network
192.168.5.0/24 is the network defined for Wireguard peers

I had Laptop A able to connect to the Internal network, I added this to the CRS:
chain=srcnat action=masquerade src-address=192.168.5.0/24 out-interface=wan1 log=no log-prefix=""

to connect to the Internet. Anything else?

I want Laptop B to connect to the Internal Network. Except for the setup on the AT&T router, do I need anything else on the CRS but:
chain=dstnat action=dst-nat to-addresses=192.168.6.1 protocol=udp in-interface=wan1 dst-port=13231 log=no log-prefix=""


# 2024-09-01 12:06:48 by RouterOS 7.15.3
# software id = AKR0-XXXX
#
# model = CRS125-24G-1S-2HnD
# serial number = XXXXXXXXXXX
/caps-man channel
add band=2ghz-g/n comment="Was 12 TX power" control-channel-width=20mhz \
    extension-channel=XX frequency=2437,2462 name="Channel 2" tx-power=12
add band=2ghz-g/n comment="Was 12 TX power" control-channel-width=20mhz \
    extension-channel=XX frequency=2462 name="Channel 2462" tx-power=12
add band=2ghz-g/n comment="Was 12 TX power" control-channel-width=20mhz \
    extension-channel=XX frequency=2437 name="Channel 2437" tx-power=12
add band=2ghz-g/n comment="Forced channel for the CRS as it's next to ATT. Als\
    o higher power for 2nd floor. Was 30" control-channel-width=20mhz \
    extension-channel=XX frequency=2412 name="Channel 2412" tx-power=30
add band=5ghz-a/n/ac comment="Was 12 TX power" control-channel-width=20mhz \
    extension-channel=XX frequency=5500,5310 name="Channel 5" tx-power=12
/interface bridge
add name=bridgeVLAN port-cost-mode=short
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(26dBm), SSID: Ireland4, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
/interface ethernet
set [ find default-name=ether1 ] comment=Avarice
set [ find default-name=ether2 ] comment=Glutton
set [ find default-name=ether3 ] comment=garage
set [ find default-name=ether4 ] comment=MH
set [ find default-name=ether5 ] comment="HD Homerun"
set [ find default-name=ether7 ] comment="Dell 3100cn Printer"
set [ find default-name=ether15 ] comment="Linda's Laptop wired"
set [ find default-name=ether17 ] comment=GUEST
set [ find default-name=ether18 ] comment=GUEST
set [ find default-name=ether19 ] comment=TH
set [ find default-name=ether20 ] comment=TH
set [ find default-name=ether21 ] comment=Management
set [ find default-name=ether22 ] comment=DMZ-Downstairs
set [ find default-name=ether24 ] comment=TRUNK
set [ find default-name=sfp1 ] comment=GBIC
set [ find default-name=ether23 ] comment="WAN uplink to AT&T" name=wan1
/interface ovpn-client
add connect-to=192.168.x.x disabled=yes mac-address=xx:xx:xx:xx \
    name=OVPN-client1 user=user
/interface ovpn-server
add name=ovpn-interface user=User
/interface l2tp-server
add disabled=yes name=L2TPVPN user=User
/interface wireguard
add listen-port=13231 mtu=1420 name=Wireguard1
/interface vlan
add interface=bridgeVLAN name=vlanDMZ vlan-id=6
add interface=bridgeVLAN name=vlanGUEST vlan-id=4
add interface=bridgeVLAN name=vlanLAN vlan-id=2
add interface=bridgeVLAN name=vlanTH vlan-id=33
/caps-man datapath
add bridge=bridgeVLAN local-forwarding=yes name="Datapath LAN" vlan-id=2 \
    vlan-mode=use-tag
add bridge=bridgeVLAN local-forwarding=yes name="Datapath DMZ" vlan-id=6 \
    vlan-mode=use-tag
add bridge=bridgeVLAN local-forwarding=yes name="Datapath GUEST" vlan-id=4 \
    vlan-mode=use-tag
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\
    "Security LAN"
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\
    "Security GUEST"
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\
    "Security DMZ"
/caps-man configuration
add channel="Channel 2437" country="united states" datapath="Datapath LAN" \
    hide-ssid=no name="Config LAN 2" security="Security LAN" ssid=Ireland2
add channel="Channel 5" country="united states" datapath="Datapath LAN" \
    hide-ssid=no name="Config LAN 5" security="Security LAN" ssid=Ireland2
add channel="Channel 5" country="united states" datapath="Datapath DMZ" \
    hide-ssid=no name="Config DMZ 5" security="Security DMZ" ssid=Ireland6
add channel="Channel 2" country="united states" datapath="Datapath DMZ" \
    hide-ssid=no name="Config DMZ 2" security="Security DMZ" ssid=Ireland6
add channel="Channel 2" country="united states" datapath="Datapath GUEST" \
    hide-ssid=no name="Config GUEST 2" security="Security GUEST" ssid=\
    Ireland4
add channel="Channel 5" country="united states" datapath="Datapath GUEST" \
    hide-ssid=no name="Config GUEST 5" security="Security GUEST" ssid=\
    Ireland4
add channel="Channel 2412" country="united states" datapath="Datapath LAN" \
    hide-ssid=no name="Master CRS LAN" security="Security LAN" ssid=Ireland2
add channel="Channel 2412" country="united states" datapath="Datapath GUEST" \
    hide-ssid=no name="Master CRS GUEST" security="Security GUEST" ssid=\
    Ireland4
/interface list
add name=TestList
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=rgsWireless
add authentication-types=wpa2-psk comment="Wireless LAN" eap-methods="" mode=\
    dynamic-keys name=wlanLAN supplicant-identity=""
add authentication-types=wpa2-psk comment="Wireless GUEST" eap-methods="" \
    mode=dynamic-keys name=wlanGUEST supplicant-identity=""
/ip pool
add name=poolLAN ranges=192.168.x.100-192.168.x.199
add name=poolGUEST ranges=192.168.x.100-192.168.x.199
add name=poolL2TP ranges=10.1.1.50-10.1.1.99
add name=poolDMZ ranges=192.168.x.100-192.168.x.199
add name=poolOpenVPN ranges=10.1.2.50-10.1.2.99
/ip dhcp-server
add address-pool=poolLAN interface=vlanLAN lease-time=2h name=dhcpLAN
add address-pool=poolGUEST interface=vlanGUEST lease-time=2h name=dhcpGUEST
add address-pool=poolDMZ interface=vlanDMZ lease-time=2h name=dhcpDMZ
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8,1.1.1.1 local-address=10.1.1.1 \
    name=ProfileL2TP remote-address=poolL2TP use-encryption=yes
add local-address=10.1.2.1 name=ProfileOpenVPN remote-address=poolOpenVPN
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/system logging action
add email-to=xxx@xxx.net name=email target=email
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no signal-range=\
    -78..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no signal-range=\
    -120..-77 ssid-regexp=""
add allow-signal-out-of-range=10s comment="Galaxy S8" disabled=no \
    mac-address=xx:xx:xx:xx:xx:xx ssid-regexp=""
add allow-signal-out-of-range=10s comment=T60 disabled=no mac-address=\
    xx:xx:xx:xx:xx:xx ssid-regexp=""
add allow-signal-out-of-range=10s comment=Chrome1 disabled=no mac-address=\
    xx:xx:xx:xx:xx:xx ssid-regexp=""
add allow-signal-out-of-range=10s comment=Luxuria disabled=no mac-address=\
    xx:xx:xx:xx:xx:xx ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled comment=\
    "CRS125. Force channel as it's next to ATT. Only 2.4" hw-supported-modes=\
    gn ip-address-ranges=192.168.x.1 master-configuration="Master CRS GUEST" \
    name-format=prefix-identity radio-mac=xx:xx:xx:xx:xx:xx \
    slave-configurations="Config DMZ 2"
add action=create-dynamic-enabled comment="hAPac 5" disabled=yes \
    hw-supported-modes=ac,an master-configuration="Config LAN 5" name-format=\
    prefix-identity radio-mac=xx:xx:xx:xx:xx:xx slave-configurations=\
    "Config DMZ 5,Config GUEST 5"
add action=create-dynamic-enabled comment="Lite 5" disabled=yes \
    hw-supported-modes=ac,an master-configuration="Config LAN 5" name-format=\
    prefix-identity radio-mac=xx:xx:xx:xx:xx:xx slave-configurations=\
    "Config DMZ 5,Config GUEST 5"
add action=create-dynamic-enabled comment="Lite 2" disabled=yes \
    hw-supported-modes=g,gn master-configuration="Config LAN 2" name-format=\
    prefix-identity radio-mac=xx:xx:xx:xx:xx:xx slave-configurations=\
    "Config DMZ 2,Config GUEST 2"
add action=create-dynamic-enabled comment="hAPac 2" disabled=yes \
    hw-supported-modes=g,gn master-configuration="Config LAN 2" name-format=\
    prefix-identity radio-mac=xx:xx:xx:xx:xx:xx slave-configurations=\
    "Config DMZ 2,Config GUEST 2"
add action=create-dynamic-enabled comment="Default 5. ac in order to match 5" \
    hw-supported-modes=ac master-configuration="Config GUEST 5" name-format=\
    prefix-identity slave-configurations="Config DMZ 5"
add action=create-dynamic-enabled comment=\
    "Default 2. gn in order to match 2.4ghz" hw-supported-modes=gn \
    master-configuration="Config GUEST 2" name-format=prefix-identity \
    slave-configurations="Config DMZ 2"
/interface bridge port
add bridge=bridgeVLAN ingress-filtering=no interface=ether24 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeVLAN ingress-filtering=no interface=ether1 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeVLAN ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeVLAN ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeVLAN ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeVLAN ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeVLAN ingress-filtering=no interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeVLAN ingress-filtering=no interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeVLAN ingress-filtering=no interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeVLAN ingress-filtering=no interface=ether9 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeVLAN ingress-filtering=no interface=ether10 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeVLAN ingress-filtering=no interface=ether11 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeVLAN ingress-filtering=no interface=ether12 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeVLAN ingress-filtering=no interface=ether13 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeVLAN ingress-filtering=no interface=ether14 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeVLAN ingress-filtering=no interface=ether15 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeVLAN ingress-filtering=no interface=ether16 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeVLAN ingress-filtering=no interface=ether17 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeVLAN ingress-filtering=no interface=ether18 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeVLAN ingress-filtering=no interface=ether19 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeVLAN ingress-filtering=no interface=ether20 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeVLAN ingress-filtering=no interface=ether22 \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set enabled=yes udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192 rp-filter=strict
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface ethernet switch egress-vlan-tag
add comment=LAN tagged-ports=ether24,switch1-cpu vlan-id=2
add comment=GUEST tagged-ports=ether24,switch1-cpu vlan-id=4
add comment=DMZ tagged-ports=ether24,switch1-cpu vlan-id=6
add comment=TH tagged-ports=ether24,switch1-cpu vlan-id=33
/interface ethernet switch ingress-vlan-translation
add comment=:LAN customer-vid=0 new-customer-vid=2 ports="ether1,ether2,ether3\
    ,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13\
    ,ether14" service-dei=0
add comment=GUEST customer-vid=0 new-customer-vid=4 ports=ether17,ether18
add comment=DMZ customer-vid=0 new-customer-vid=6 ports=\
    ether15,ether16,ether21,ether22
add comment=TH customer-vid=0 new-customer-vid=33 ports=ether19,ether20
/interface ethernet switch vlan
add comment=LAN ports="ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8\
    ,ether9,ether10,ether11,ether12,ether13,ether14,ether24,switch1-cpu" \
    vlan-id=2
add comment=GUEST ports=ether17,ether18,ether24,switch1-cpu vlan-id=4
add comment=DMZ ports=ether15,ether16,ether22,ether24,switch1-cpu vlan-id=6
add comment=TH ports=ether19,ether20,switch1-cpu vlan-id=33
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=ProfileL2TP use-ipsec=\
    required
/interface ovpn-server server
set auth=sha1 certificate=OpenVPNServer cipher=aes128-cbc,aes256-cbc enabled=\
    yes port=11194 redirect-gateway=def1 require-client-certificate=yes
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="Galaxy S8" endpoint-address=\
    192.168.x.1 interface=Wireguard1 name="Galaxy S8" preshared-key=\
    "x=" public-key=\
    "x="
add allowed-address=0.0.0.0/0 endpoint-address=192.168.x.1 interface=\
    Wireguard1 name=Luxuria public-key=\
    "x="
/interface wireless cap
# 
set bridge=bridgeVLAN caps-man-addresses=192.168.x.1 certificate=request \
    discovery-interfaces=vlanLAN enabled=yes interfaces=wlan1
/ip address
add address=192.168.x.1/24 interface=vlanLAN network=192.168.x.0
add address=192.168.x.1/24 interface=vlanGUEST network=192.168.x.0
add address=192.168.x.103/24 interface=wan1 network=192.168.x.0
add address=192.168.x.1/24 interface=vlanDMZ network=192.168.x.0
add address=10.x.0.1/16 interface=vlanTH network=10.x.0.0
add address=192.168.5.1/24 interface=Wireguard1 network=192.168.5.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server alert
add alert-timeout=none disabled=no interface=bridgeVLAN on-alert=rogue-dhcp \
    valid-server=xx:xx:xx:xx:xx:xx
add alert-timeout=none disabled=no interface=vlanDMZ on-alert=rogue-dhcp \
    valid-server=xx:xx:xx:xx:xx:xx
add alert-timeout=none disabled=no interface=vlanGUEST on-alert=rogue-dhcp \
    valid-server=xx:xx:xx:xx:xx:xx
add alert-timeout=none disabled=no interface=vlanLAN on-alert=rogue-dhcp \
    valid-server=xx:xx:xx:xx:xx:xx
/ip dhcp-server lease
add address=192.168.x.35 comment=Avarice mac-address=xx:xx:xx:xx:xx:xx \
    server=dhcpLAN
add address=192.168.x.36 comment=Glutton mac-address=xx:xx:xx:xx:xx:xx \
    server=dhcpLAN
add address=192.168.x.29 comment="HD Homerun" mac-address=xx:xx:xx:xx:xx:xx \
    server=dhcpLAN
add address=192.168.x.22 comment="wrath (T40)" mac-address=xx:xx:xx:xx:xx:xx \
    server=dhcpLAN
add address=192.168.x.37 comment="MH eee PC" mac-address=xx:xx:xx:xx:xx:xx \
    server=dhcpLAN
add address=192.168.x.43 comment="greed Pi 3b LAN" mac-address=\
    xx:xx:xx:xx:xx:xx server=dhcpLAN
add address=192.168.x.44 comment="greed Pi 3b WLAN" mac-address=\
    xx:xx:xx:xx:xx:xx server=dhcpLAN
add address=192.168.x.41 comment="hubris Pi 3b WLAN (Plex)" mac-address=\
    xx:xx:xx:xx:xx:xx server=dhcpLAN
add address=192.168.x.39 comment=Greed7 mac-address=00:1F:3A:49:F6:13 server=\
    dhcpLAN
add address=192.168.x.59 client-id=xx:xx:xx:xx:xx:xx comment=\
    "Dell 3100 printer" mac-address=xx:xx:xx:xx:xx:xx server=dhcpLAN
add address=192.168.x.50 client-id=xx:xx:xx:xx:xx:xx comment=Roku \
    mac-address=B8:A1:75:48:CE:6D server=dhcpGUEST
add address=192.168.x.38 client-id=xx:xx:xx:xx:xx:xx comment="Galaxy S8" \
    mac-address=xx:xx:xx:xx:xx:xx server=dhcpGUEST
add address=192.168.x.16 client-id=xx:xx:xx:xx:xx:xx comment=T60 \
    mac-address=00:15:58:2B:E1:88 server=dhcpLAN
add address=192.168.x.38 client-id=xx:xx:xx:xx:xx:xx comment="Galaxy S8" \
    mac-address=xx:xx:xx:xx:xx:xx server=dhcpDMZ
add address=192.168.x.16 client-id=xx:xx:xx:xx:xx:xx comment=T60 \
    mac-address=xx:xx:xx:xx:xx:xx server=dhcpGUEST
add address=192.168.x.155 client-id=xx:xx:xx:xx:xx:xx comment="Vizio 55" \
    mac-address=xx:xx:xx:xx:xx:xx server=dhcpGUEST
add address=192.168.x.38 client-id=xx:xx:xx:xx:xx:xx comment="Galaxy S8" \
    mac-address=xx:xx:xx:xx:xx:xx server=dhcpLAN
add address=192.168.x.18 client-id=xx:xx:xx:xx:xx:xx comment=Luxuria \
    mac-address=xx:xx:xx:xx:xx:xx server=dhcpDMZ
add address=192.168.x.16 client-id=xx:xx:xx:xx:xx:xx comment=T60 \
    mac-address=xx:xx:xx:xx:xx:xx server=dhcpDMZ
add address=192.168.x.41 client-id=xx:xx:xx:xx:xx:xx comment=\
    "hubris Pi 3b WLAN (Plex)" mac-address=xx:xx:xx:xx:xx:xx server=dhcpDMZ
add address=192.168.x.51 comment=Roku4k mac-address=xx:xx:xx:xx:xx:xx server=\
    dhcpDMZ
add address=192.168.x.42 client-id=xx:xx:xx:xx:xx:xx comment=\
    "hubris Pi 3b LAN (Plex)" mac-address=xx:xx:xx:xx:xx:xx server=dhcpDMZ
add address=192.168.x.147 client-id=xx:xx:xx:xx:xx:xx comment="Vizio 47" \
    mac-address=00:19:9D:01:D1:DA server=dhcpDMZ
add address=192.168.x.45 comment="Pi 4b" mac-address=xx:xx:xx:xx:xx:xx \
    server=dhcpDMZ
add address=192.168.x.45 client-id=xx:xx:xx:xx:xx:xx comment="Pi 4b WLAN" \
    mac-address=D8:3A:DD:58:65:FF server=dhcpGUEST
add address=192.168.x.50 client-id=xx:xx:xx:xx:xx:xx comment=Roku \
    mac-address=xx:xx:xx:xx:xx:xx server=dhcpDMZ
add address=192.168.x.18 client-id=xx:xx:xx:xx:xx:xx comment=Luxuria \
    mac-address=xx:xx:xx:xx:xx:xx server=dhcpLAN
add address=192.168.x.155 client-id=xx:xx:xx:xx:xx:xx comment="Vizio 55" \
    mac-address=xx:xx:xx:xx:xx:xx server=dhcpDMZ
add address=192.168.x.147 client-id=xx:xx:xx:xx:xx:xx comment="Vizio 47" \
    mac-address=xx:xx:xx:xx:xx:xx server=dhcpGUEST
add address=192.168.x.22 comment="wrath (T40)" mac-address=xx:xx:xx:xx:xx:xx \
    server=dhcpGUEST
add address=192.168.x.22 comment="wrath (T40)" mac-address=xx:xx:xx:xx:xx:xx \
    server=dhcpDMZ
add address=192.168.x.18 client-id=1:c:8b:fd:3b:e7:d2 comment=Luxuria \
    mac-address=0C:8B:FD:3B:E7:D2 server=dhcpGUEST
add address=192.168.x.52 comment="Roku Basic" mac-address=xx:xx:xx:xx:xx:xx \
    server=dhcpDMZ
add address=192.168.x.19 client-id=xx:xx:xx:xx:xx:xx comment=greed \
    mac-address=00:1C:23:34:2C:A2 server=dhcpDMZ
add address=192.168.x.20 client-id=xx:xx:xx:xx:xx:xx comment=greed2 \
    mac-address=00:1C:23:2F:22:9B server=dhcpDMZ
add address=192.168.x.21 client-id=xx:xx:xx:xx:xx:xx comment=wrath \
    mac-address=00:0D:60:2E:D2:89 server=dhcpDMZ
add address=192.168.x.23 client-id=xx:xx:xx:xx:xx:xx comment=\
    "Gateway laptop (red)" mac-address=xx:xx:xx:xx:xx:xx server=dhcpDMZ
add address=192.168.x.34 client-id=xx:xx:xx:xx:xx:xx comment=\
    "Thrift Virtual PC VM" mac-address=00:03:FF:1A:A9:CB server=dhcpLAN
add address=192.168.x.61 client-id=xx:xx:xx:xx:xx:xx comment=\
    "Linda Epson DX640" mac-address=xx:xx:xx:xx:xx:xx server=dhcpGUEST
add address=192.168.x.46 client-id=xx:xx:xx:xx:xx:xx comment=\
    "Linda's Laptop Wifi" mac-address=xx:xx:xx:xx:xx:xx server=dhcpDMZ
add address=192.168.x.47 client-id=xx:xx:xx:xx:xx:xx comment=\
    "Linda's Laptop Ethernet" mac-address=xx:xx:xx:xx:xx:xx server=dhcpDMZ
add address=192.168.x.33 comment="Discord Wireless" mac-address=\
    xx:xx:xx:xx:xx:xx server=dhcpLAN
add address=192.168.x.33 client-id=xx:xx:xx:xx:xx:xx comment=\
    "Discord Wireless" mac-address=xx:xx:xx:xx:xx:xx server=dhcpDMZ
/ip dhcp-server network
add address=192.168.x.0/24 caps-manager=192.168.x.1 dns-server=192.168.x.1 \
    domain=home.crs.net gateway=192.168.x.1 netmask=24
add address=192.168.x.0/24 caps-manager=192.168.x.1 dns-server=\
    8.8.8.8,8.8.4.4 domain=guest.crs.net gateway=192.168.x.1 netmask=24
add address=192.168.x.0/24 caps-manager=192.168.x.1 dns-server=\
    192.168.x.1,8.8.8.8,1.1.1.1 domain=dmz.crs.net gateway=192.168.x.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes use-doh-server=\
    https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
add address=192.168.x.35 name=avarice.home.crs.net
add address=192.168.x.36 name=glutton.home.crs.net
add address=192.168.x.29 name=homerun.home.crs.net
add address=10.x.x.33 name=totalhost.home.crs.net
add address=192.168.x.37 name=mh.home.crs.net
add address=192.168.x.41 name=hubris.home.crs.net
add address=192.168.x.40 name=pride.home.crs.net
add address=192.168.x.1 name=firewall.home.crs.net
add address=8.8.8.8 name=dns.google
add address=8.8.4.4 name=dns.google
add cname=mh.home.crs.net name=misterhouse.home.crs.net type=CNAME
add address=127.0.0.1 name=www.msftncsi.com
add address=127.0.0.1 name=dns.msftncsi.com
add address=192.168.x.36 name=glutton.dmz.crs.net
add address=10.x.x.33 name=totalhost.crs.net
add address=192.168.x.33 comment=Wireless name=discord.home.crs.net
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
add address=192.168.x.0-192.168.x.254 list=allowed_to_router
add address=192.0.0.0/24 comment=RFC6890 list=bogons
add address=100.64.0.0/10 comment=RFC6890 list=bogons
add address=240.0.0.0/4 comment=RFC6890 list=bogons
add address=192.168.0.0/16 list=internal
add address=172.16.0.0/12 list=internal
add address=10.0.0.0/8 list=internal
add address=8.8.8.8 list=ExternalDNS
add address=8.8.4.4 list=ExternalDNS
add address=192.168.x.4 list=wan15
add address=192.168.x.103 list=wan15
add address=192.168.x.35 list=Avarice
add address=10.x.x.33 list=TotalHost
add address=192.168.x.1 list=Mikrotiks
add address=192.168.x.3 list=Mikrotiks
add address=192.168.x.4 list=Mikrotiks
add address=192.168.x.0/24 disabled=yes list=allowed_to_router
add address=192.168.x.0/24 disabled=yes list=allowed_to_router
add address=192.168.x.11-192.168.x.63 comment="Static IPs for the most part" \
    list="DMZ > Internal"
add address=192.168.x.48/29 list="DMZ  Roku > Internal"
add address=192.168.x.38 list="DMZ  Roku > Internal"
add address=2.16.20.0/23 comment="Russian Federation" list=IP2Location
<etc>
add address=162.142.125.0/24 comment="Censys scanner" list=IP2Location
<etc>
add address=45.x.2.193 comment=internet-census.org list=IP2Location
<etc>
add address=198.143.158.0/24 comment=internet-census.org list=IP2Location
add comment="Black List (Port Scanner WAN)" list=\
    "Black List (Port Scanner WAN)"
add address=192.168.x.46 comment="Linda Wireless" list=Linda
add address=192.168.x.47 comment="Linda Wired" list=Linda
/ip firewall filter
add action=accept chain=input comment=ICMP in-interface=!wan1 protocol=icmp
add action=accept chain=output comment=ICMP disabled=yes protocol=icmp
add action=accept chain=forward comment=ICMP in-interface=!wan1 protocol=icmp
add action=accept chain=input comment="Accept established related input" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop input: invalid" connection-state=\
    invalid
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons log=yes log-prefix="DROP BOGON:"
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Port Scanner Drop" log=yes log-prefix=\
    "Drop Input Port Scan:" src-address-list=Port_Scanner
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment="Syn Flood IP Detect" \
    connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Syn Flood List Drop" log=yes log-prefix=\
    "Drop Input SynFlood:" src-address-list=Syn_Flooder
add action=accept chain=input comment="permit DNS" in-interface=!wan1
add action=accept chain=input comment="permit NTP" dst-port=123 in-interface=\
    !wan1 port="" protocol=udp src-address-list=internal
add action=accept chain=input comment="Permit DHCP from AT&T" dst-port=67,68 \
    protocol=udp src-address=192.168.x.1 src-port=67,68
add action=accept chain=input comment="Permit DHCP" dst-port=67 in-interface=\
    !wan1 protocol=udp
add action=accept chain=input comment=Wireguard dst-port=13231 log=yes \
    log-prefix=WG: protocol=udp
add action=accept chain=input comment="Don't log the DHCP traffic" \
    dst-address=255.255.255.255 dst-port=67 in-interface=vlanLAN protocol=udp \
    src-port=68
add action=jump chain=input comment="Jump for icmp input flow" disabled=yes \
    jump-target=ICMP protocol=icmp
add action=accept chain=input comment="Allowed Input Management" \
    src-address-list=allowed_to_router
add action=accept chain=input comment="Mikrotik Discovery" dst-port=5678 \
    protocol=udp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=OpenVPN dst-port=11194 in-interface=\
    wan1 log=yes log-prefix=Open: protocol=tcp
# ovpn-interface not ready
add action=accept chain=input comment="OpenVPN Mikrotik" dst-address=\
    192.168.x.1 dst-port=8291 in-interface=ovpn-interface protocol=tcp \
    src-address=192.168.x.0/24
add action=drop chain=input comment="drop multicast from ATT Router (no log)" \
    dst-address=224.0.0.1 log-prefix="DroP Input:"
add action=drop chain=input comment="SMB (no log)" dst-port=137,138 \
    log-prefix="DROP Input: " protocol=udp
add action=drop chain=input comment="upnp drop (no log)" dst-port=1900 \
    log-prefix="drop Input:" protocol=udp
add action=drop chain=input comment="drop all input (log)" log-prefix=\
    "Drop Input6:"
add action=accept chain=forward comment="Accept established related forward" \
    connection-state=established,related
add action=jump chain=output comment="Jump for icmp output" disabled=yes \
    jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="drop forward: invalid" \
    connection-state=invalid log-prefix="DROP FORWARD Invalid:"
add action=accept chain=forward comment="L2TP RDP to Avarice" disabled=yes \
    dst-address=192.168.x.35 dst-port=3389 protocol=tcp
add action=accept chain=forward comment="permit internet" dst-address=\
    0.0.0.0/0 out-interface=wan1 src-address-list=internal
add action=jump chain=forward comment=EXTERNAL_in_201231 in-interface=wan1 \
    jump-target=wan1_in log-prefix=wan1_in:
add action=jump chain=forward comment=TH_in_200418.3 in-interface=vlanTH \
    jump-target=TH_in log-prefix="JUMP TH_in:"
add action=jump chain=forward comment="DMZ_in_180325 DMZ_in_200405" \
    in-interface=vlanDMZ jump-target=dmz_in log=yes log-prefix=dmz_in:
add action=jump chain=forward comment=DMZ_out_180312 jump-target=dmz_out log=\
    yes log-prefix=dmz_out: out-interface=vlanDMZ
add action=jump chain=forward comment=GUEST_in in-interface=vlanGUEST \
    jump-target=guest_in
add action=jump chain=forward comment=TH_out_200418 jump-target=TH_out \
    log-prefix="JUMP TH_out" out-interface=vlanTH
# ovpn-interface not ready
add action=jump chain=forward comment=OpenVPN in-interface=ovpn-interface \
    jump-target=ovpn_in log=yes log-prefix="OpenVPN: " out-interface=vlanLAN
add action=accept chain=forward comment=Wireguard in-interface=Wireguard1 \
    out-interface=vlanLAN src-address=192.168.5.0/24
add action=jump chain=forward comment="L2TP in" disabled=yes in-interface=\
    L2TPVPN jump-target=L2TP_in
add action=drop chain=forward comment="drop forward (log)" log-prefix=\
    "Drop FWD:"
add action=accept chain=TH_in comment="TH access to mail" dst-address=\
    192.168.x.36 dst-port=25 in-interface=vlanTH out-interface=vlanLAN \
    protocol=tcp src-address=10.x.x.33
add action=accept chain=TH_in comment="TH access to DNS" dst-address-list=\
    ExternalDNS dst-port=53 in-interface=vlanTH out-interface=wan1 protocol=\
    udp src-address=10.x.x.33
add action=accept chain=TH_in comment=NTP dst-port=123 in-interface=vlanTH \
    out-interface=wan1 port="" protocol=udp src-address=10.x.x.33 src-port=\
    123
add action=drop chain=TH_in comment="SMB Broadcast (no log)" dst-address=\
    10.x.255.255 dst-port=138 in-interface=vlanTH log-prefix="Drop TH_in:" \
    out-interface=vlanTH port="" protocol=udp src-address=10.x.x.33 \
    src-port=138
add action=drop chain=TH_in comment="TH_in drop all (log)" in-interface=\
    vlanTH log=yes log-prefix="Drop TH_in:"
add action=drop chain=TH_out comment="Drop Blacklist IPs" log=yes log-prefix=\
    IP2Location: src-address-list=IP2Location
add action=accept chain=TH_out comment=\
    "incoming access to Web Server. 9993 for https" dst-address=10.x.x.33 \
    dst-port=999,9993 out-interface=vlanTH protocol=tcp src-address-list=\
    !IP2Location
add action=accept chain=TH_out comment="incoming RDP" dst-address=10.x.x.33 \
    dst-port=3389 in-interface=vlanLAN out-interface=vlanTH protocol=tcp \
    src-address=192.168.x.0/24
add action=accept chain=TH_out comment=SMB dst-address=10.x.x.33 dst-port=\
    137,138 in-interface=vlanLAN out-interface=vlanTH protocol=udp \
    src-address=192.168.x.0/24
add action=accept chain=TH_out comment=SMB dst-address=10.x.x.33 dst-port=\
    139,445,80 in-interface=vlanLAN out-interface=vlanTH protocol=tcp \
    src-address=192.168.x.0/24
add action=drop chain=TH_out comment="th_out drop all (log)" log=yes \
    log-prefix="drop th_out:" out-interface=vlanTH
add action=accept chain=dmz_out comment="internal communication" dst-address=\
    192.168.x.0/24 src-address=192.168.x.0/24
add action=accept chain=dmz_out comment="incoming from LAN" dst-address=\
    192.168.x.0/24 src-address=192.168.x.0/24
add action=drop chain=dmz_out comment="dmz_out drop all (log)" log=yes \
    log-prefix="Drop DMZ_out:" out-interface=vlanDMZ
add action=accept chain=dmz_in comment="Glutton DNS" dst-address=192.168.x.1 \
    dst-port=53 protocol=udp src-address=192.168.x.0/24
add action=accept chain=dmz_in comment="Glutton DNS" dst-address=192.168.x.1 \
    dst-port=53 protocol=tcp src-address=192.168.x.0/24
add action=accept chain=dmz_in comment="permit Internet" out-interface=wan1 \
    src-address=192.168.x.0/24
add action=accept chain=dmz_in comment="Glutton Jellyfin" dst-address=\
    192.168.x.36 dst-port=8096 protocol=tcp src-address=192.168.x.0/24 \
    src-address-list="DMZ  Roku > Internal"
add action=accept chain=dmz_in comment="HD Homerun" dst-address=192.168.x.29 \
    src-address-list="DMZ  Roku > Internal"
add action=accept chain=dmz_in comment="Avarice RDP" dst-address=192.168.x.35 \
    dst-port=3389 protocol=tcp src-address-list="DMZ > Internal"
add action=accept chain=dmz_in comment="Glutton SSH" dst-address=192.168.x.36 \
    dst-port=22 log=yes log-prefix=FTP: protocol=tcp src-address-list=\
    "DMZ > Internal"
add action=accept chain=dmz_in comment="Glutton SMB" dst-address=192.168.x.36 \
    dst-port=137,138 protocol=udp src-address-list="DMZ > Internal"
add action=accept chain=dmz_in comment="Glutton SMB" dst-address=192.168.x.36 \
    dst-port=139,445,80 protocol=tcp src-address-list="DMZ > Internal"
add action=accept chain=dmz_in comment="Linda to Dell Printer" dst-address=\
    192.168.x.59 src-address-list=Linda
add action=accept chain=dmz_in comment=Wireguard dst-port=13231 protocol=udp \
    src-address=192.168.x.0/24
add action=drop chain=dmz_in comment="block other internal" dst-address-list=\
    internal log=yes log-prefix="dmz_in drop internal:" src-address=\
    192.168.x.0/24
add action=drop chain=dmz_in comment="dmz_in drop all (log)" log=yes \
    log-prefix="drop dmz_in final:"
add action=drop chain=wan1_in comment="Attempt on TH" src-address=\
    206.41.112.114
add action=accept chain=wan1_in comment="permit DNS" dst-port="" \
    in-interface=wan1 port=53 protocol=udp
add action=accept chain=wan1_in comment="sftp for a2hosting backup" dst-port=\
    22 in-interface=wan1 log=yes log-prefix="A2 SFTP:" protocol=tcp \
    src-address=70.32.23.76
add action=accept chain=wan1_in comment="port knocking" disabled=yes \
    dst-address-list=wan15 dst-port=904,905,2335,2336,13099 in-interface=wan1 \
    out-interface=vlanTH protocol=tcp
add action=accept chain=wan1_in comment=TotalHost disabled=yes dst-address=\
    10.x.x.33 dst-port=999,9993 in-interface=wan1 log=yes log-prefix=TH: \
    out-interface=vlanTH protocol=tcp
add action=accept chain=wan1_in comment=NTP dst-port=123 in-interface=wan1 \
    port="" protocol=udp src-port=123
add action=drop chain=wan1_in comment="DHCP to not log" dst-port=68 \
    in-interface=wan1 log=yes log-prefix=wan1in_drop: protocol=udp src-port=\
    67
add action=drop chain=wan1_in comment="wan1_in drop all (log)" in-interface=\
    wan1 log=yes log-prefix="wan1_in drop:"
add action=accept chain=guest_in comment="permit internet" in-interface=\
    vlanGUEST out-interface=wan1 src-address=192.168.x.0/24
add action=accept chain=guest_in comment="Manage Mikrotik" disabled=yes \
    dst-port=8291 in-interface=vlanGUEST log=yes log-prefix=MK: protocol=tcp \
    src-address=192.168.x.0/24
add action=drop chain=guest_in comment=\
    "VLAN Internet Access Only - GUEST (log)" connection-state=new \
    in-interface=vlanGUEST log=yes log-prefix="Drop guest_in_!wan" \
    out-interface=!wan1 src-address=192.168.x.0/24
add action=drop chain=guest_in comment="SMB (no log)" dst-address=\
    192.168.x.255 dst-port=137,138 in-interface=vlanGUEST log=yes log-prefix=\
    "Drop Guest IN:" protocol=udp src-address=192.168.x.0/24 src-port=""
add action=drop chain=guest_in comment="guest_in drop all (log)" log=yes \
    log-prefix="Drop Guest_in:"
# ovpn-interface not ready
add action=accept chain=ovpn_in comment="OpenVPN icmp" dst-address=\
    192.168.x.0/24 in-interface=ovpn-interface out-interface=vlanLAN \
    protocol=icmp src-address=192.168.x.0/24
# ovpn-interface not ready
add action=accept chain=ovpn_in comment="OpenVPN to glutton (ssh)" \
    dst-address=192.168.x.36 dst-port=22 in-interface=ovpn-interface \
    out-interface=vlanLAN protocol=tcp src-address=192.168.x.0/24
# ovpn-interface not ready
add action=accept chain=ovpn_in comment="OpenVPN to glutton (smb tcp)" \
    dst-address=192.168.x.36 dst-port=139,445 in-interface=ovpn-interface \
    out-interface=vlanLAN protocol=tcp src-address=192.168.x.0/24
add action=accept chain=ovpn_in comment="OpenVPN to glutton (smb udp)" \
    disabled=yes dst-address=192.168.x.36 dst-port=137,138 in-interface=\
    ovpn-interface out-interface=vlanLAN protocol=udp src-address=\
    192.168.x.0/24
# ovpn-interface not ready
add action=accept chain=ovpn_in comment="OpenVPN to glutton (zm)" \
    dst-address=192.168.x.36 dst-port=80 in-interface=ovpn-interface \
    out-interface=vlanLAN protocol=tcp src-address=192.168.x.0/24
# ovpn-interface not ready
add action=accept chain=ovpn_in comment="OpenVPN to glutton (jellyfin)" \
    dst-address=192.168.x.36 dst-port=8096 in-interface=ovpn-interface \
    out-interface=vlanLAN protocol=tcp src-address=192.168.x.0/24
# ovpn-interface not ready
add action=accept chain=ovpn_in comment="OpenVPN to Avarice (rdp)" \
    dst-address=192.168.x.35 dst-port=3389 in-interface=ovpn-interface \
    out-interface=vlanLAN protocol=tcp src-address=192.168.x.0/24
# ovpn-interface not ready
add action=accept chain=ovpn_in comment="OpenVPN to Misterhouse (vnc)" \
    dst-address=192.168.x.37 dst-port=5900 in-interface=ovpn-interface \
    out-interface=vlanLAN protocol=tcp src-address=192.168.x.0/24
# ovpn-interface not ready
add action=drop chain=ovpn_in comment="OpenVpn Drop (log)" in-interface=\
    ovpn-interface log=yes log-prefix="OVPN drop"
add action=accept chain=L2TP_in disabled=yes in-interface=L2TPVPN protocol=\
    icmp
add action=accept chain=L2TP_in comment="RDP To Avarce" disabled=yes \
    dst-address=192.168.x.35 dst-port=3389 in-interface=L2TPVPN protocol=tcp \
    src-port=""
add action=accept chain=L2TP_in comment="L2TP drop all" disabled=yes \
    in-interface=L2TPVPN
add action=accept chain=input comment="L2TP Ports (log)" disabled=yes \
    dst-port=500,1701,4500 in-interface=wan1 log=yes log-prefix=L2: protocol=\
    udp
add action=accept chain=input comment="L2TP NAT-T (log)" disabled=yes \
    dst-port=!22,80,443,8291,21,53,123 in-interface=wan1 log=yes log-prefix=\
    NAT-T: protocol=udp src-port=500,1701,5500
add action=accept chain=input comment="L2TP ipsec-esp" disabled=yes \
    in-interface=wan1 protocol=ipsec-esp
add action=accept chain=input comment="L2TP ipsec-ah" disabled=yes \
    in-interface=wan1 protocol=ipsec-ah
add action=accept chain=input comment="openVPN Server" disabled=yes dst-port=\
    11194 in-interface=wan1 protocol=tcp
add action=accept chain=input comment="Allowed Input Management" disabled=yes \
    dst-port=8291 protocol=tcp src-address-list=internal
add action=accept chain=input comment="CAP to CAPsMAN" disabled=yes dst-port=\
    5246,5247 in-interface=bridgeVLAN protocol=udp
add action=accept chain=input comment="Wireguard test" disabled=yes dst-port=\
    3389 log=yes log-prefix=WG2: protocol=tcp
add action=accept chain=forward comment="Wireguard test" disabled=yes \
    dst-port=3389 log=yes log-prefix=WG3: protocol=tcp src-port=""
add action=accept chain=output comment="Wireguard test" disabled=yes log=yes \
    log-prefix=WG4: src-address=192.168.5.0/24
add action=accept chain=forward comment=Wireguard disabled=yes dst-address=\
    192.168.0.0/16 in-interface=Wireguard1 src-address=192.168.5.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.x.36 \
    dst-port=22 protocol=tcp
add action=accept chain=forward disabled=yes protocol=tcp src-address=\
    192.168.x.36 src-port=22
add action=accept chain=input comment="Zoiper In" disabled=yes log=yes \
    log-prefix="Zoiper In: " src-address=52.90.161.138
add action=accept chain=input comment="Zoiper Out" disabled=yes dst-address=\
    52.90.161.138 log=yes log-prefix="Zoiper_O: "
add action=accept chain=forward comment="Zoiper Forward In" disabled=yes log=\
    yes log-prefix="Zoiper Forward In: " src-address=52.90.161.138
add action=accept chain=forward comment="Zoiper Forward Out: " disabled=yes \
    dst-address=52.90.161.138
add action=accept chain=TH_out comment="TH ICMP Out" disabled=yes protocol=\
    icmp
/ip firewall nat
add action=dst-nat chain=dstnat comment="NAT a2hosting backup to Glutton SSH" \
    dst-address-list=wan15 dst-port=22 in-interface=wan1 log-prefix=\
    "NAT Backup:" protocol=tcp src-address=70.32.23.76 src-port="" \
    to-addresses=192.168.x.36 to-ports=22
add action=dst-nat chain=dstnat comment="NAT TH Forward" dst-address-list=\
    wan15 dst-port=999 in-interface=wan1 log-prefix="TH DST:" protocol=tcp \
    to-addresses=10.x.x.33 to-ports=999
add action=dst-nat chain=dstnat dst-address-list=wan15 dst-port=9993 \
    in-interface=wan1 protocol=tcp to-addresses=10.x.x.33 to-ports=9993
add action=dst-nat chain=dstnat comment="Wireguard\?" disabled=yes \
    dst-address-list=wan15 dst-port=13231 in-interface=wan1 protocol=udp \
    to-addresses=192.168.x.1
add action=masquerade chain=srcnat comment="NAT LAN 192.168.x.0/24" \
    ipsec-policy=out,none out-interface=wan1 src-address=192.168.x.0/24
add action=masquerade chain=srcnat comment="NAT GUEST 192.168.x.0/24" \
    out-interface=wan1 src-address=192.168.x.0/24
add action=masquerade chain=srcnat comment="Wireguard\?" out-interface=wan1 \
    src-address=192.168.5.0/24
add action=masquerade chain=srcnat comment="NAT DMZ 192.168.x.0/24" \
    out-interface=wan1 src-address=192.168.x.0/24
add action=masquerade chain=srcnat comment="NAT TH 10.x.0.0/16" \
    out-interface=wan1 src-address=10.x.0.0/16
# OVPN-client1 not ready
add action=masquerade chain=srcnat out-interface=OVPN-client1
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.x.1
add disabled=yes dst-address=192.168.x.0/24 gateway=L2TPVPN
add disabled=yes dst-address=192.168.x.0/24 gateway=L2TPVPN
add disabled=no dst-address=192.168.x.35/32 gateway=OVPN-client1
add disabled=no dst-address=192.168.x.0/24 gateway=OVPN-client1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=222
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set strong-crypto=yes
/lcd
set enabled=no read-only-mode=yes time-interval=hour touch-screen=disabled
/ppp secret
add disabled=yes name=ERUUser profile=ProfileL2TP service=l2tp
add local-address=192.168.x.1 name=OpenUser profile=ProfileOpenVPN \
    remote-address=192.168.x.10 service=ovpn
/routing bfd configuration
add disabled=no interfaces=all min-rx=200us min-tx=200us multiplier=5
/system clock
set time-zone-name=America/New_York
/system identity
set name=Firewall
/system logging
add action=email prefix=CRS: topics=account
add action=email prefix=CRS: topics=critical
add action=email disabled=yes prefix=CRS: topics=script
/system note
set note="crs.net - Authorized administrators only. Access to this device\
    \_is monitored."
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes broadcast-addresses=192.168.x.1 enabled=yes manycast=yes \
    multicast=yes
/system ntp client servers
add address=69.164.198.192
/system script
add dont-require-permissions=no name=rogue-dhcp owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    ":log warning message=\"Rogue DHCP server detected!\""
/tool bandwidth-server
set enabled=no
/tool e-mail
set from=crs@removed.net server=192.168.x.36
/tool sniffer
set file-name=packets filter-dst-ip-address=192.168.x.1/32 filter-dst-port=\
    http filter-mac-address=xx:xx:xx:xx:xx:xx/FF:FF:FF:FF:FF:FF memory-limit=\
    1000KiB

reviewing
Just to be clear
a. You are setting up this device as ROUTER not only a switch
b. The ATT router gets a public IP address ******
c. You can forward ports on the ATT device to the LANIP of the Mikrotik device. ( on the lan subnet of the ATT )

****** your IP cloud setting shows the public IP address given to the ATT device

“This device” meaning the CRS? Yes, it’s set up as a router, and a NAT device to the AT&T private network. So the AT&T device forwards ports back to the “WAN” interface on the CRS.

So a system on the internal network (say 192.168.1.0/24) has a gateway of 192.168.1.1 which is the CRS. The CRS is configured for NAT which takes it to the AT&T private network, and then the AT&T device is nat’d to the Internet. In other words, a NAT firewall behind a NAT firewall.

The AT&T device has a public and private address.

Yes, I can forward ports from the AT&T device to what is treated as a WAN interface of the CRS (the CRS WAN interface is on the private network of the AT&T)

Prior to tinkering with Wireguard, the CRS setup has been up for years.

Sweet, shouldn't take too long to fix up then..
Sadly capsman screws up my knowledge of vlans and how they are supposed to be configured but will attempt anyway

I find it strange that you do not have pool for vlan TH ??
I find it very strange that you do not have dhcp-server for TH ??

Why you are hiding private addresses is also strange, it's private, matters little.
Why do you have two wireguard entries, you only discussed a single remote laptop previously…

The config is a holy mess, especially the firewall rules, will only attempt to address the wireguard errors.

/interface wireguard peers
add allowed-address=192.168.5.2/32 interface=Wireguard1 preshared-key="-----" public-key="+++++" comment="Galaxy S8"
add allowed-address=192.168.5.3/32 interface=Wireguard1 public-key="--^^^^^-" comment="Laptop B"

I’m not sure why we’re troubleshooting things I didn’t care about? I mean, I’ve got a complex setup here, so no need to go through everything.

Well I don’t have a pool for VlanTH because I don’t have a DHCP Server for TH. And I don’t have a DHCP server because I don’t use DHCP on that VLAN. How that relates here I have no idea.

I have two wireguard peers because I have 2 wireguard clients. You complained that the explanation was confusing. No point in making it more so! If I can get one to work, I can readily get the other to work.

As I wasn't looking (and didn't ask for) a review of the entire config, I'm more than happy to just look at the wireguard config.

Both wireguard clients can connect to wireguard internally and appear to work just fine. So back to my questions. If it’s working internally, is the only thing I need to add
chain=srcnat action=masquerade src-address=192.168.5.0/24 out-interface=wan1 log=no log-prefix=""
to have it working internal to internal > Internet.
That appears to be working. Want to be sure I didn’t miss something.

and the reverse, is the only thing I need to add
chain=dstnat action=dst-nat to-addresses=192.168.6.1 protocol=udp in-interface=wan1 dst-port=13231 log=no log-prefix=""
to get it working Internet to Internal?

Yes, the /interface wireguard peers output is:
[rick@Firewall] > /interface wireguard peers print
Columns: INTERFACE, PUBLIC-KEY, ENDPOINT-ADDRESS, ENDPOINT-PORT, ALLOWED-ADDRESS, PRESHARED-KEY

INTERFACE PUBLIC-KEY ENDPOINT-ADDRESS E ALLOWED-A PRESHARED-KEY

;;; Galaxy S8
0 Wireguard1 xxx= 192.168.6.1 0 0.0.0.0/0 xxx=
;;; Luxuria
1 Wireguard1 xxx= 192.168.6.1 0 0.0.0.0/0


Won’t 0.0.0.0/0 cover everything without adding 192.168.5.x/32?

Mind you, if you’re so gracious as to want to help improve the rest of the config, I won’t turn that down. Just trying to focus on my problem at hand :slight_smile:

I did, your allowed IPs are wrong. I gave you an example of how to fix them.
The remote laptop and Android phone should now be able to reach any LAN subnet or your router for config purposes if your firewall rules permit that.
No special dstnat or sourcenat rules required at all for wireguard in this setup. IF you have them, remove them.
Same for iP routes, nothing extra need be added for wireguard. Same.

My allowed IPs are 0.0.0.0/0 which should cover all traffic, no?

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=192.168.x.1 interface=\
    Wireguard1 name=Luxuria public-key=\
    "x="

No need to narrow it down to 192.168.5.2/32 ?

The laptop, on the 192.168.6.0/24 network, can connect to the wireguard on the CRS. But that network is 100% on the inside.

I'm not sure how no nat rules would be required? The 192.168.6.0/24 network is wholly on the inside. It's not accessible from the private AT&T network. The CRS is functioning as a NAT router, with only 1 IP address on the outside. Its external IP is 192.168.15.x, where the private IP address of the AT&T router is 192.168.15.y.

In other words, the systems on the 192.168.6.0/24 network use NAT to get to 192.168.15.y, and then NAT again through the AT&T router to get to the internet. Punching a hole in the AT&T firewall still leaves a device on the outside arriving at the outside of the CRS.

So there's absolutely no way to connect to 192.168.6.0/24 externally without NAT rules. I've got other rules in place for other incoming traffic (like the web server). I'm not going to need dst-nat for the incoming connection on the 13231 port?

A remote system will need a different endpoint IP (of course), but that endpoint IP (the public AT&T address) will then forward to the private external IP address on the CRS. Will that IP just permit a wireguard connection? Without passing through the firewall?

You clearly do not understand how wireguard works. It's a peer to peer connection.
That means you cannot on the server assign 0.0.0.0 …where is the peer to peer
Furthermore, ALL traffic from the router (be it originating outbound over the tunnel or return traffic) will NEVER hit the second entry because the first one covers all possible addresses and thus peer 2 will never get any traffic.

Suggest you do far more reading before using wireguard.

https://www.wireguard.com/
https://www.wireguard.com/papers/wireguard.pdf

Hmm. The allowed address is not the address. The address is set on the peer.

Are you sure you don’t have “Address” and “AllowedIPs” confused? Because as long as the peer has an address defined, the allowed-address on the server can certainly be 0.0.0.0/0 (I mean, it works :slight_smile: )

I also have it all working, so I find your instructions a bit confusing myself! Regardless I’ll read more on the links - thanks.

In a nutshell, allowed IPs is the key to success,
The server router (for handshake) denotes each peer individually by its /32 address. DO NOT DEVIATE.
Each client typically for max flex denotes the server by the subnet address… especially true and germane for client routers for handshake.
As remote road warriors are then able to access the secondary ‘peer’ router after connecting to the server router.
Each connection is peer to peer.

Single devices may not for various reasons.
a. they are not going to have any remote users from other devices visiting an android phone for example LOL and thus just the wg IP of the server suffices.
b. they may only be visiting the server router and its subnets in which one would have to detail, wgIPserverIP,subnetA,subnetB
c. anytime a remote device wants to use the internet of the Server, only one entry is needed for allowed IPs, and covers all of the above 0.0.0.0/0

So a basic rule of thumb that works is for allowed IPs
SERVER
peer1 allowed-ips=/32 address (single peer device)
peer2 allowed-ips=/32 address, subnetA,subnetB (peer router for handshake)

Note: allowed IPs identifies
a. remote users coming in, be it single devices or subnets coming in from other routers
b. remote addresses that local users need access to, typically subnets on remote routers.

In the example above lets look at the peers
Android Phone
AllowedIP=0.0.0.0/0 ( needs internet access out server router )

Other Router
Allowed IPs =wireguardsubnet, subnetC,SubnetD ( by stating wg subnet, vice wg address of server, remote warriors like the android can reach the other router assuming firewall rules on both server and this router allow the traffic)

+++++++++++++++++++++++++++
Note when you have remote subnets coming in, or local users need to reach remote subnets ( on two connected routers), one must add routes for this traffic.
Server Router
add dst-address=subnetA gateway=wg-interface table=main
add dst-address=subnetB gateway=wg-interface table=main

Other Router
add dst-address=subnetC gateway=wg-interface table=main
add dst-address=subnetD gateway=wg-interface table=main

++++++++++++++++++++++++++++++++++++

From the first link above…
Check it out.

Simple Network Interface

WireGuard works by adding a network interface (or multiple), like eth0 or wlan0, called wg0 (or wg1, wg2, wg3, etc). This network interface can then be configured normally using ifconfig(8) or ip-address(8), with routes for it added and removed using route(8) or ip-route(8), and so on with all the ordinary networking utilities. The specific WireGuard aspects of the interface are configured using the wg(8) tool. This interface acts as a tunnel interface.

WireGuard associates tunnel IP addresses with public keys and remote endpoints. When the interface sends a packet to a peer, it does the following:
This packet is meant for 192.168.30.8. Which peer is that? Let me look… Okay, it’s for peer ABCDEFGH. (Or if it’s not for any configured peer, drop the packet.)

If you have at the Server (for handshake) Router two entries for two devices and each has 0.0.0.0/0
How does the Server identify the peer ???
Well it will go by ORDER which is how pretty much everything works in RoS…
It will hit the first rule and say does the intended address match 0.0.0.0/0 and the answer is YES…
All traffic will go out the first peer and the second peer will never be visited…

If there is a legitimate need for a 0.0.0.0/0 address on a Server Router… that's fine, just be aware that one will need A SECOND and different wireguard interface for any other wireguard traffic etc..
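The peer-selection step quoted from the WireGuard site ("This packet is meant for 192.168.30.8. Which peer is that?") and the earlier point about two peers both carrying 0.0.0.0/0 can be made concrete with a small model of WireGuard's cryptokey routing table. This is an added example written for this thread, not code from the forum, from MikroTik or from the WireGuard project: it looks up an outbound destination in the union of all peers' allowed addresses and hands the packet to the peer holding the most specific (longest-prefix) match, and it accepts an inbound decrypted packet only if its source address lies inside the sending peer's allowed addresses. Each prefix is owned by exactly one peer, so a second peer claiming an identical prefix is rejected by this model's own validation (that rejection is the example's design choice, not a RouterOS message). Peer names, placeholder keys, the 192.168.5.x tunnel addresses and the 10.20.0.0/24 "other router" subnet are constructed sample values.

```python
"""Model of WireGuard cryptokey routing (allowed-address lookup).

Added example, not from the thread or any product. Sample peers, keys
and subnets are constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Peer:
    name: str
    public_key: str                      # placeholder string, not a real key
    allowed_ips: list = field(default_factory=list)


class CryptokeyRouter:
    """Maps allowed-address prefixes to the single peer that owns each one."""

    def __init__(self):
        self.peers = []
        self._table = {}                 # ip_network -> peer name

    def add_peer(self, peer):
        for cidr in peer.allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)
            if net in self._table:
                # A prefix can belong to only one peer; flag the conflict
                # instead of silently shadowing the earlier peer.
                raise ValueError(
                    f"{net} already assigned to peer {self._table[net]!r}; "
                    f"cannot give it to {peer.name!r}")
            self._table[net] = peer.name
        self.peers.append(peer)

    def outbound_peer(self, dst):
        """Peer that receives a packet for dst, by longest-prefix match.
        Returns None when no peer covers dst (packet is not tunnelled)."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, name in self._table.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, name)
        return best[1] if best else None

    def inbound_allowed(self, peer_name, src):
        """True if a decrypted packet from peer_name may carry source src."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net, name in self._table.items()
                   if name == peer_name)


def build_server_router():
    """Server-side table: each road warrior by its /32, a peer router by
    its /32 plus the subnet behind it (all constructed values)."""
    r = CryptokeyRouter()
    r.add_peer(Peer("GalaxyS8", "PHONE_PUBKEY_PLACEHOLDER", ["192.168.5.2/32"]))
    r.add_peer(Peer("LaptopB", "LAPTOP_PUBKEY_PLACEHOLDER", ["192.168.5.3/32"]))
    r.add_peer(Peer("OtherRouter", "ROUTER_PUBKEY_PLACEHOLDER",
                    ["192.168.5.4/32", "10.20.0.0/24"]))
    return r


def build_client_router():
    """Road-warrior side: one peer (the server) allowed to carry everything,
    which is where 0.0.0.0/0 belongs."""
    r = CryptokeyRouter()
    r.add_peer(Peer("Server", "SERVER_PUBKEY_PLACEHOLDER", ["0.0.0.0/0"]))
    return r


def duplicate_allowed_ips_error():
    """Reproduce the thread's server config (two peers, both 0.0.0.0/0) and
    return the conflict message, or None if no conflict were detected."""
    r = CryptokeyRouter()
    r.add_peer(Peer("GalaxyS8", "PHONE_PUBKEY_PLACEHOLDER", ["0.0.0.0/0"]))
    try:
        r.add_peer(Peer("Luxuria", "LAPTOP_PUBKEY_PLACEHOLDER", ["0.0.0.0/0"]))
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    server = build_server_router()
    for dst in ("192.168.5.3", "10.20.0.5", "192.168.5.99"):
        print(f"server -> {dst}: peer {server.outbound_peer(dst)}")
    print("spoofed source 192.168.5.9 from LaptopB accepted:",
          server.inbound_allowed("LaptopB", "192.168.5.9"))
    print("client -> 8.8.8.8: peer", build_client_router().outbound_peer("8.8.8.8"))
    print("duplicate 0.0.0.0/0 check:", duplicate_allowed_ips_error())
```

The inbound check is the security-relevant half: a peer whose allowed address is a single /32 cannot inject packets with any other source address into the LAN, whereas a server-side peer entry of 0.0.0.0/0 lets that one peer source traffic from any address, so the firewall rules on the WireGuard interface become the only control.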