WireGuard from MT to client (Win10) with several users to several VLANs

Hello MT community,

I am setting up a config for an MT router which is behind NAT and has multiple subnets divided into VLANs. What I need is to set up WireGuard connectivity for different users to their own subnet/VLAN. The attached config is from my EVE lab and is not online.

Example

10.99.99.0/24 is mgmt subnet with vlan999
10.30.30.0/24 is camera subnet with vlan300
10.20.20.0/24 is home automation subnet with vlan200

So now I need to set up WG connectivity to this site (dynamic public IP) for different users/different VLANs.

Although I have set up this config with the help of different YT videos, I still have a few questions:

- Can I use a dyndns.com address in order to connect to the site? (The script for dyndns.com is missing from the config, or I could use the cloud address.)
- In the firewall I have taken these lines from another config (172.0.. is my WG subnet and the 192.168… is the subnet of.. what?). Do I need to enter all VLAN subnets here?

add action=accept chain=forward comment="fwd LAN to WG" disabled=yes dst-address=172.16.0.0/24 src-address=192.168.88.0/24
add action=accept chain=forward comment="fwd WG to LAN" disabled=yes dst-address=192.168.88.0/24 src-address=172.16.0.0/24
- Is this the right way to give different WG users access only to their own subnet/VLAN:
/interface wireguard peers
add allowed-address=10.200.200.0/24 endpoint-address=address.dyndns.com interface=wg1 public-key="public-key1"
add allowed-address=10.30.30.0/24 endpoint-address=address.dyndns.com interface=wg1 public-key="public-key2"
add allowed-address=10.99.99.0/24 endpoint-address=address.dyndns.com interface=wg1 public-key="public-key"

My script:

# mar/18/2024 13:28:58 by RouterOS 7.9.1
# software id = 
#
/interface bridge
add ingress-filtering=no name=bridge1 pvid=999 vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1
/interface wireguard
add comment="WG connection to main site" listen-port=13299 mtu=1420 name=wg1 \
    private-key="private-key="
/interface vlan
add interface=bridge1 name=vlan100-corp vlan-id=100
add interface=bridge1 name=vlan200-guest vlan-id=200
add interface=bridge1 name=vlan300-camera vlan-id=300
add interface=bridge1 name=vlan999-mgmt vlan-id=999
/interface list
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.100.100.1-10.100.100.253
add name=dhcp_pool1 ranges=10.200.200.1-10.200.200.253
add name=dhcp_pool2 ranges=10.30.30.1-10.30.30.253
add name=dhcp_pool3 ranges=10.99.99.1-10.99.99.253
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan100-corp name=dhcp1
add address-pool=dhcp_pool1 interface=vlan200-guest name=dhcp2
add address-pool=dhcp_pool2 interface=vlan300-camera name=dhcp3
add address-pool=dhcp_pool3 interface=vlan999-mgmt name=dhcp4
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether3 pvid=200
add bridge=bridge1 interface=ether2 pvid=999
add bridge=bridge1 interface=ether4 pvid=999
add bridge=bridge1 interface=ether8 pvid=999
add bridge=bridge1 interface=ether7 pvid=200
add bridge=bridge1 interface=ether5 pvid=999
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2,ether4,ether5 vlan-ids=200
add bridge=bridge1 tagged=bridge1,ether2,ether4,ether5 vlan-ids=100
add bridge=bridge1 tagged=bridge1,ether2,ether4,ether5 vlan-ids=300
add bridge=bridge1 tagged=bridge1 untagged=ether4,ether2,ether5 vlan-ids=999
/interface list member
add interface=vlan100-corp list=LAN
add interface=vlan200-guest list=LAN
add interface=vlan300-camera list=LAN
add interface=vlan999-mgmt list=LAN
/interface wireguard peers
add allowed-address=10.200.200.0/24 endpoint-address=address.dyndns.com \
    interface=wg1 public-key="public-key1"
add allowed-address=10.30.30.0/24 endpoint-address=address.dyndns.com \
    interface=wg1 public-key="public-key2"
add allowed-address=10.99.99.0/24 endpoint-address=address.dyndns.com \
    interface=wg1 public-key="public-key"
/ip address
add address=10.0.0.20/24 interface=ether1 network=10.0.0.0
add address=10.100.100.254/24 interface=vlan100-corp network=10.100.100.0
add address=10.200.200.254/24 interface=vlan200-guest network=10.200.200.0
add address=10.30.30.254/24 interface=vlan300-camera network=10.30.30.0
add address=10.99.99.254/24 interface=vlan999-mgmt network=10.99.99.0
add address=172.16.0.1/24 interface=wg1 network=172.16.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.30.30.0/24 gateway=10.30.30.254
add address=10.99.99.0/24 gateway=10.99.99.254
add address=10.100.100.0/24 gateway=10.100.100.254
add address=10.200.200.0/24 gateway=10.200.200.254
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=10.99.99.0/24 list=LAN
add address=10.200.200.0/24 list=LAN
add address=10.30.30.0/24 list=LAN
add address=10.100.100.0/24 list=LAN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="allow wireguard" dst-port=13299 log=\
    yes log-prefix=wg protocol=udp
add action=accept chain=input comment="allow wireguard Handshake" dst-port=\
    13299 log=yes log-prefix=wg protocol=udp
add action=accept chain=input comment="allow wireguard to other networks" \
    in-interface=wg1 log=yes log-prefix=wg
add action=accept chain=forward comment="allow wireguard to LAN" \
    in-interface=wg1 out-interface-list=LAN
add action=accept chain=forward comment="allow wireguard to WAN" \
    in-interface=wg1 out-interface=ether1
add action=accept chain=forward comment=\
    "accept established,related,new,untracked" connection-state=\
    established,related,new,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=input comment="Allow ICMP ping" protocol=icmp
add action=accept chain=forward comment="fwd LAN to WG" disabled=yes \
    dst-address=172.16.0.0/24 src-address=192.168.88.0/24
add action=accept chain=forward comment="fwd WG to LAN" disabled=yes \
    dst-address=192.168.88.0/24 dst-address-list="" src-address=172.16.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat comment="masw. wireguard" out-interface=\
    ether1
/system identity
set name="Mikrotik Spine"
/system note
set show-at-login=no

Thank you for any help/info/tipp/guidance!

korg

Instead of using the DDNS address, you can just use the peer's IP address.
Can you make an overview (diagram) of all devices involved?

Hi erlinden, tx for your answer. Here is a diagram of my config.
WG-Diagram-v3.jpg
I hope I've made it understandable.

korg

No…
/interface wireguard peers
add allowed-address=wireguardIP-X/32 interface=wg1 public-key="public-key1" comment=Roadwarrior1
add allowed-address=wireguardIP-Y/32 interface=wg1 public-key="public-key2" comment=Roadwarrior2
add allowed-address=wireguardIP-Z/32 interface=wg1 public-key="public-key3" comment=Roadwarrior3
add allowed-address=wireguardIP-A/32 interface=wg1 public-key="public-key4" comment=admin
/interface list member
add interface=wg1 list=LAN
/ip firewall filter

add chain=input action=accept in-interface=wg1 src-address=wireguardIP-A/32

add chain=forward action=accept in-interface=wg1 src-address=wireguardIP-X/32 dst-address=10.100.100.0/24 comment="RW1 to vlan100"
add chain=forward action=accept in-interface=wg1 src-address=wireguardIP-Y/32 dst-address=10.200.200.0/24 comment="RW2 to vlan200"
add chain=forward action=accept in-interface=wg1 src-address=wireguardIP-Z/32 dst-address=10.30.30.0/24 comment="RW3 to vlan300"
add chain=forward action=accept in-interface=wg1 src-address=wireguardIP-A/32 out-interface-list=LAN comment="admin access to all vlans"

add chain=forward action=drop comment="drop all else"

tx anav… I've edited my script following your tips and now it looks like this:

# mar/18/2024 16:34:44 by RouterOS 7.9.1
# software id = 
#
/interface bridge
add ingress-filtering=no name=bridge1 pvid=999 vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1
/interface wireguard
add comment="WG connection to main site" listen-port=13299 mtu=1420 name=wg1 \
    private-key="private-key"
/interface vlan
add interface=bridge1 name=vlan100-corp vlan-id=100
add interface=bridge1 name=vlan200-guest vlan-id=200
add interface=bridge1 name=vlan300-camera vlan-id=300
add interface=bridge1 name=vlan999-mgmt vlan-id=999
/interface list
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.100.100.1-10.100.100.253
add name=dhcp_pool1 ranges=10.200.200.1-10.200.200.253
add name=dhcp_pool2 ranges=10.30.30.1-10.30.30.253
add name=dhcp_pool3 ranges=10.99.99.1-10.99.99.253
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan100-corp name=dhcp1
add address-pool=dhcp_pool1 interface=vlan200-guest name=dhcp2
add address-pool=dhcp_pool2 interface=vlan300-camera name=dhcp3
add address-pool=dhcp_pool3 interface=vlan999-mgmt name=dhcp4
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether3 pvid=200
add bridge=bridge1 interface=ether2 pvid=999
add bridge=bridge1 interface=ether4 pvid=999
add bridge=bridge1 interface=ether8 pvid=999
add bridge=bridge1 interface=ether7 pvid=200
add bridge=bridge1 interface=ether5 pvid=999
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2,ether4,ether5 vlan-ids=200
add bridge=bridge1 tagged=bridge1,ether2,ether4,ether5 vlan-ids=100
add bridge=bridge1 tagged=bridge1,ether2,ether4,ether5 vlan-ids=300
add bridge=bridge1 tagged=bridge1 untagged=ether4,ether2,ether5 vlan-ids=999
/interface list member
add interface=vlan100-corp list=LAN
add interface=vlan200-guest list=LAN
add interface=vlan300-camera list=LAN
add interface=vlan999-mgmt list=LAN
add interface=wg1 list=LAN
/interface wireguard peers
add allowed-address=10.200.200.100/32 comment=Roadwarrior1 interface=wg1 \
    public-key="public-key1"
add allowed-address=10.30.30.100/32 comment=Roadwarrior2 interface=wg1 \
    public-key="public-key2"
add allowed-address=10.99.99.0/24 comment="Roadwarrior admin" interface=wg1 \
    public-key="public-key3"
/ip address
add address=10.0.0.20/24 interface=ether1 network=10.0.0.0
add address=10.100.100.254/24 interface=vlan100-corp network=10.100.100.0
add address=10.200.200.254/24 interface=vlan200-guest network=10.200.200.0
add address=10.30.30.254/24 interface=vlan300-camera network=10.30.30.0
add address=10.99.99.254/24 interface=vlan999-mgmt network=10.99.99.0
add address=172.16.0.1/24 interface=wg1 network=172.16.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.30.30.0/24 gateway=10.30.30.254
add address=10.99.99.0/24 gateway=10.99.99.254
add address=10.100.100.0/24 gateway=10.100.100.254
add address=10.200.200.0/24 gateway=10.200.200.254
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=10.99.99.0/24 list=LAN
add address=10.200.200.0/24 list=LAN
add address=10.30.30.0/24 list=LAN
add address=10.100.100.0/24 list=LAN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="Allow ICMP ping" protocol=icmp
add action=accept chain=input comment=\
    "Allow DHCP,DNS, NTP from internal networks only" dst-port=123,53,67,68 \
    in-interface=!ether1 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="allow wireguard" dst-port=13299 log=\
    yes log-prefix=wg protocol=udp
add action=accept chain=input comment="allow wireguard Handshake" dst-port=\
    13299 log=yes log-prefix=wg protocol=udp
add action=accept chain=input comment="RW1 to vlan300" in-interface=wg1 \
    src-address=10.30.30.100
add action=accept chain=input comment="RW2 to vlan200" in-interface=wg1 \
    src-address=10.200.200.100
add action=accept chain=input comment="RW3 to vlan999 mgmt" in-interface=wg1 \
    src-address=10.99.99.0/24
add action=accept chain=input comment="allow wireguard to other networks" \
    in-interface=wg1 log=yes log-prefix=wg
add action=drop chain=input comment="drop everything else"
add action=accept chain=forward comment=\
    "accept established,related,new,untracked" connection-state=\
    established,related,new,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment=\
    "Allow internet from PPPoE to the local network" in-interface-list=LAN \
    out-interface=ether1
add action=accept chain=forward comment="RW1 to vlan200" dst-address=\
    10.200.200.0/24 in-interface=wg1 src-address=10.200.200.100
add action=accept chain=forward comment="RW2 to vlan300" dst-address=\
    10.30.30.0/24 in-interface=wg1 src-address=10.30.30.100
add action=accept chain=forward comment="RW3 to vlan100" dst-address=\
    10.100.100.0/24 in-interface=wg1 src-address=10.100.100.100
add action=accept chain=forward comment="admin access to all vlans" \
    dst-address=10.99.99.0/24 in-interface=wg1 out-interface-list=LAN \
    src-address=10.99.99.254
add action=drop chain=forward comment="drop everything else"
add action=fasttrack-connection chain=forward hw-offload=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat comment="masw. wireguard" out-interface=\
    ether1
/system identity
set name="Mikrotik Spine"
/system note
set show-at-login=no

again… several questions:

- This is now set up for 'one user - one VLAN'. In the case that one company which supports, for example, 'smart house and electricity' has devices on two VLANs, how can I set up the connectivity (both in fw and wg) so the wg connection can handle two VLANs?
- In the wg peers I have deleted the endpoint:

/interface wireguard peers
add allowed-address=10.200.200.100/32 comment=Roadwarrior1 interface=wg1 public-key="public-key1"

Where do I define which public IP/cloud address I should connect to?
- Is this correct? Should both interfaces be masqueraded?

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat comment="masw. wireguard" out-interface=wg1

- If the device on vlan200 that I need to connect to has IP address 10.200.200.10, is this the correct setup in the fw?

add action=accept chain=forward comment="RW1 to vlan200" dst-address=10.200.200.0/24 in-interface=wg1 src-address=10.200.200.100

tx

NM…

There are bigger issues to solve first.

  1. WHAT THE HECK is your WAN.
    You state: "i am setting up a config for a MT router which is behind NAT"

a. You have a static WAN IP set up for ether1 which bears no resemblance to any of the VLANs. The static IP makes sense but not the subnet??
b. VLAN999 is your management VLAN from which the MT router should get its IP address from!!
c. You have IP DHCP client enabled, which is in direct opposition to a.??
d. You have PPPOE client enabled in direct contrast to both a. and c. ??

Please CLARIFY!!!

Also, you get mixed up in your config.
Keep RW1 as user 1, RW2 as user 2, RW3 as user 3, and RW ADMIN will be user 4.

Finally, one thing I struggled with was to understand your bridge ports… are they trunk, access or hybrid ports?
In other words what the heck is on the end of ether2,ether3,ether4,ether5,ether6 ( dont care much about 8 and up but I like details !!! )
If to smart devices they need to be trunk ports
If to unifi smart devices not reconfigured to act normally but as default ( accept management as untagged and rest tagged ) then they are HYBRID ports
If to dumb devices that cannot read tags they need to be access ports.

Please CLARIFY!

Hi anav,

so here is the clarification.

I've updated the diagram a post above with more information, so pls check the new diagram picture.

- The MikroTik router is connected as a DHCP client at port ether1 to the 5G router given by the internet provider, and its public IP address is dynamic
- vlan999 is my mgmt subnet given by the MikroTik
- I have the DHCP client enabled towards the internet router
- Pls ignore the PPPoE connection, as the config is taken from my EVE-NG lab. There will be no PPPoE connectivity, only the ether1 DHCP client

At the end of ether2, 3, 4 will be some devices like.. vlan100 PCs, vlan200 camera surveillance, vlan300 smart home. There will be vlan400, 500 for different other devices and services like DALI light control and so on. The VLAN connectivity is already up and running correctly.

korg

Well, if it's working for you, great.
It's not apparent to me how you send two VLANs through an access port to dumb devices…
The diagram does not show smart switches accepting the VLANs, so either it is correct and the config is wrong, or the diagram is incorrect and the config is okay.

Hi,

I've updated the diagram again.

So, back to the initial question: is this (within the code) the correct way to set up a WireGuard config for multiple users accessing only the VLAN they are supposed to access, and for the connection behind NAT?

- Where do I specify, resp. what would be, the public address for the users to connect to? The cloud DNS address?

tx

korg

In general, one allows traffic to go from client devices to the router server (once a connection is established it's peer to peer, really good for two routers, not so significant for a single device…).
Therefore it's at the router where you want to use firewall rules in the forward chain to state which subnets each RW should have access to.

A blanket rule if all users are allowed to all vlans
More specific rules to allow certain users to certain vlans.
Last rule being drop all else → easy peasy and then all other traffic not allowed is auto dropped.

Finally the diagram is starting to make sense LOL.
Will relook at the config.

  1. Remove pvid on actual bridge itself.
  2. Add interface list of WAN
  3. Since you fail to note which ports are going to your two switches, I will assume it's this way.
    ETHER1 to ISP
    ETHER2 to switch Building1
    ETHER3 to dumb device expecting untagged vlan300
    ETHER4 to switch Building2
    ETHER5 to dumb PC on corporate LAN
    ETHER6 to dumb PC on managment VLAN
    ETHER7 NOT USED
    ETHER8 OFF bridge to configure the router and emerg access if problems with bridge.
  4. Wireguard comment is weird, what do you mean to main site ???
  5. Removed address for ether1 as this is handled by the IP DHCP client. One or the other, not both!!
  6. firewall address list for subnets is useless, for two or more subnets use interface lists, for subnets use src or dst-address.
    (A good use for a firewall address list is for those allowed to access the router for config purposes. I have added that to the config.)
  7. Removed pptp from input chain, old, not secure VPN method… I won't put it in any config I present.
  8. Duplicate rules for wg handshake, removed one, and cleaned up access to router for services and config access.
  9. Missing fasttrack default rule in forward chain.
  10. Fixed forward chain rules.
  11. Only single masquerade rule required.
  12. pppoe removed.
  13. other additions review each line.
# mar/18/2024 13:28:58 by RouterOS 7.9.1
# software id = 
#
/interface bridge
add ingress-filtering=no name=bridge1  vlan-filtering=yes
/interface wireguard
add comment="Wireguard Access for RWs"  listen-port=13299 mtu=1420 name=wg1 \
    private-key="private-key="
/interface ethernet
set [ find default-name=ether8 ] name=ether8-access
/interface vlan
add interface=bridge1 name=vlan100-corp vlan-id=100
add interface=bridge1 name=vlan200-guest vlan-id=200
add interface=bridge1 name=vlan300-camera vlan-id=300
add interface=bridge1 name=vlan999-mgmt vlan-id=999
/interface list
add name=LAN
add name=WAN
add name=MGMT
/ip pool
add name=dhcp_pool0 ranges=10.100.100.1-10.100.100.253
add name=dhcp_pool1 ranges=10.200.200.1-10.200.200.253
add name=dhcp_pool2 ranges=10.30.30.1-10.30.30.253
add name=dhcp_pool3 ranges=10.99.99.1-10.99.99.253
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan100-corp name=dhcp1
add address-pool=dhcp_pool1 interface=vlan200-guest name=dhcp2
add address-pool=dhcp_pool2 interface=vlan300-camera name=dhcp3
add address-pool=dhcp_pool3 interface=vlan999-mgmt name=dhcp4
/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=300
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=100
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=999
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2,ether4  untagged=ether5 vlan-ids=100
add bridge=bridge1 tagged=bridge1,ether2,ether4  vlan-ids=200
add bridge=bridge1 tagged=bridge1  untagged=ether3  vlan-ids=300
add bridge=bridge1 tagged=bridge1,ether2,ether4  untagged=ether6  vlan-ids=999
/interface list member
add interface=ether1  list=WAN
add interface=vlan100-corp list=LAN
add interface=vlan200-guest list=LAN
add interface=vlan300-camera list=LAN
add interface=vlan999-mgmt list=LAN
add interface=wg1 list=LAN
add interface=vlan999-mgmt list=MGMT
add interface=ether8-access  list=MGMT
/interface wireguard peers
add allowed-address=172.16.0.2/32 interface=wg1 public-key="public-key1"  comment="RW1"
add allowed-address=172.16.0.3/32 interface=wg1 public-key="public-key2"  comment="RW2"
add allowed-address=172.16.0.4/32 interface=wg1 public-key="public-key3"  comment="RW3"
add allowed-address=172.16.0.5/32 interface=wg1 public-key="public-key4"  comment="admin RW"
/ip address
add address=10.100.100.254/24 interface=vlan100-corp network=10.100.100.0
add address=10.200.200.254/24 interface=vlan200-guest network=10.200.200.0
add address=10.30.30.254/24 interface=vlan300-camera network=10.30.30.0
add address=10.99.99.254/24 interface=vlan999-mgmt network=10.99.99.0
add address=172.16.0.1/24 interface=wg1 network=172.16.0.0
add address=192.168.55.1/24 interface=ether8-access network=192.168.55.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.30.30.0/24 gateway=10.30.30.254
add address=10.99.99.0/24 gateway=10.99.99.254
add address=10.100.100.0/24 gateway=10.100.100.254
add address=10.200.200.0/24 gateway=10.200.200.254
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall address-list
add address=172.16.0.5/32 list=Authorized  comment="admin RW"
add address=10.99.99.X list=Authorized comment="admin wired or wifi #1"
add address=10.99.99.X list=Authorized comment="admin wired or wifi #2"
add address=192.168.55.5 list=Authorized comment="admin via emerg access"
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="wireguard handshake" dst-port=13299 log=\
    yes log-prefix=wg protocol=udp
add action=accept chain=input comment="admin only access"  src-address-list=Authorized
add action=accept chain=input comment="users to DNS"  dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="users to DNS"  dst-port=53 protocol=tcp in-interface-list=LAN
# put in last; ensure the Authorized list and rule are in place first!!
add action=drop chain=input comment="Drop all else"
++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes 
add action=accept chain=forward  connection-state=established,related,new,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet access"  in-interface-list=LAN  out-interface-list=WAN
add action=accept chain=forward comment="admin vlan access"  src-address-list=Authorized  out-interface-list=LAN
add action=accept chain=forward comment="User1-RW1 vlan100 access"  dst-address=10.100.100.0/24 in-interface=wg1 src-address=172.16.0.2/32
add action=accept chain=forward comment="User2-RW2 vlan200 access"  dst-address=10.200.200.0/24 in-interface=wg1 src-address=172.16.0.3/32
add action=accept chain=forward comment="User3-RW3 vlan300 access"  dst-address=10.30.30.0/24 in-interface=wg1 src-address=172.16.0.4/32
# enable if required
add action=accept chain=forward comment="port forwarding"  connection-nat-state=dstnat  disabled=yes
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
# only required if you do NOT have add-default-route=yes in the IP DHCP client settings
add dst-address=0.0.0.0/0 gateway=10.0.0.1  routing-table=main disabled=yes
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

Each RW should have a setup such that
you have
client device generated public key, ==>>>> this gets inserted onto the router on the routers peer settings for the specific RW device
IP address —> as we assigned in the peers settings on the router
allowed addresses…
a. if the user also requires internet access then they should put 0.0.0.0 and nothing else for addresses as this covers ALL addresses.
otherwise if to specific subnet
b. 172.16.0.0/24,SUBNET1,SUBNET2 ( etc all the remote subnets they need to visit )

Allowed IPs at peer devices should also contain endpoint-address, endpoint port, public Key generated by MT router, persistent-keep-alive set to …25-45s
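Pulling anav's two replies together into one fragment that can be pasted into a test router: the following is an added example, not anav's or korg's config, showing a road-warrior peer that is allowed into two VLANs (korg's "smart house and electricity" case) and a stable hostname for the dynamic WAN address via MikroTik's cloud DDNS. It assumes the thread's addressing (wg1 on 172.16.0.1/24, vlan200 = 10.200.200.0/24, vlan300 = 10.30.30.0/24) and the `LAN` interface list from anav's config; the list names `RW-smarthome`, `RW-cameras`, `NET-smarthome`, `NET-cameras` and the `<...-pubkey>` strings are placeholders chosen for this example. Only the WireGuard-related rules are shown; they go in front of anav's "Drop all else" rules, not instead of them.

```routeros
# Added example (not from the thread). Assumes wg1 = 172.16.0.1/24,
# vlan200 = 10.200.200.0/24, vlan300 = 10.30.30.0/24 and an interface list "LAN".
# <RW1-pubkey> etc. are placeholders for the public keys generated on each client.

# Publish the dynamic WAN address under a stable name. Clients then use
# <serial>.sn.mynetname.net:13299 as Endpoint. The upstream 5G router must
# still forward UDP/13299 to this box, because the box is behind its NAT.
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m

# private-key is generated automatically when omitted; show the public key with
# /interface wireguard print
/interface wireguard
add name=wg1 listen-port=13299 mtu=1420 comment="WireGuard access for RWs"

/ip address
add address=172.16.0.1/24 interface=wg1 network=172.16.0.0

# One tunnel IP per peer (/32). No endpoint-address here: the road warriors
# initiate, so only the clients need to know where the router is.
/interface wireguard peers
add interface=wg1 allowed-address=172.16.0.2/32 public-key="<RW1-pubkey>" comment="RW1 - smart home, vlan200 + vlan300"
add interface=wg1 allowed-address=172.16.0.3/32 public-key="<RW2-pubkey>" comment="RW2 - cameras only, vlan300"
add interface=wg1 allowed-address=172.16.0.5/32 public-key="<ADMIN-pubkey>" comment="admin RW"

# Role = address list of tunnel IPs; target = address list of VLAN subnets.
# A peer that needs two VLANs simply gets two entries in its destination list.
/ip firewall address-list
add list=RW-smarthome  address=172.16.0.2     comment="RW1"
add list=RW-cameras    address=172.16.0.3     comment="RW2"
add list=Authorized    address=172.16.0.5     comment="admin RW"
add list=NET-smarthome address=10.200.200.0/24 comment="vlan200"
add list=NET-smarthome address=10.30.30.0/24   comment="vlan300"
add list=NET-cameras   address=10.30.30.0/24   comment="vlan300"

/ip firewall filter
# input: handshake from anywhere, router config access only for Authorized,
# DNS for all RWs, nothing else from the tunnel
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop   connection-state=invalid
add chain=input action=accept protocol=udp dst-port=13299 comment="wireguard handshake"
add chain=input action=accept in-interface=wg1 src-address-list=Authorized comment="admin to router"
add chain=input action=accept in-interface=wg1 protocol=udp dst-port=53 comment="RW DNS"
add chain=input action=drop   in-interface=wg1 comment="other RWs may not talk to the router"
# forward: each role only to its own VLAN set; everything else from wg1 is dropped
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop   connection-state=invalid
add chain=forward action=accept in-interface=wg1 src-address-list=Authorized out-interface-list=LAN comment="admin to all VLANs"
add chain=forward action=accept in-interface=wg1 src-address-list=RW-smarthome dst-address-list=NET-smarthome comment="RW1 to vlan200 and vlan300"
add chain=forward action=accept in-interface=wg1 src-address-list=RW-cameras   dst-address-list=NET-cameras   comment="RW2 to vlan300"
add chain=forward action=drop   in-interface=wg1 comment="drop all else from wg1"
```

The `/32` allowed-address is what makes the `src-address-list` rules trustworthy: WireGuard discards a decrypted packet whose inner source address is not within the sending peer's allowed-address, so RW2 cannot put 172.16.0.2 on its packets to inherit RW1's access. On the Windows client the `[Interface]` section carries the client's private key and `Address = 172.16.0.2/32`; the `[Peer]` section carries the router's public key, `Endpoint = <serial>.sn.mynetname.net:13299`, `PersistentKeepalive = 25` and `AllowedIPs` of either `172.16.0.0/24, 10.200.200.0/24, 10.30.30.0/24` (split tunnel) or `0.0.0.0/0` (all traffic through the tunnel, which then relies on the single `masquerade out-interface=ether1` rule from anav's config for internet access). A `0.0.0.0/0` client still only reaches what the forward rules above permit.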

anav.. many many thanks for your help!

still.. i have few questions regarding your description..

1.‘Each RW should have a setup such that you have…’ means what?
2. 'IP address —> as we assigned in the peers settings on the router…' I don't see the public dyndns address (as I will not have a static one) with which I will connect to the MT from 'outside'
3. 'If the user also requires internet access then they should put 0.0.0.0 and nothing else for addresses as this covers ALL addresses.
Otherwise if to specific subnet'… Where should I enter 0.0.0.0/0? The users will still need to have internet… something like here?
/interface wireguard peers
add allowed-address=0.0.0.0/0
4. 'Allowed IPs at peer devices should also contain endpoint-address, endpoint port, public key generated by MT router, persistent-keep-alive set to …25-45s'… Do you mean the endpoint address should be the IP address of the device they need to access?

tx

korg

anav… great help, great learning process! Many thanks!

I have something not from my lab but from 'real life' which I would like to ask you about. I have a CRS354 (in the script there are only 24 ports, not 48, as EVE does not allow me to have a 48-port device) which does everything from the attached diagram. As a first step, I have added a CRS112 which has a trunk port from/to the CRS354 and 'extends' the network to another part of the customer's building.
Now, I have tested the CRS354 (within the EVE lab, of course) and all ports on the CRS354 are doing as they should: every port is getting the correct IP subnet. The CRS112 is connected to the CRS354 and is getting the mgmt network (and the correct vlan999 IP address on ports 2, 3 and 4 - AP1, AP2, AP3), but I don't get the VLANs on particular ethernet ports (ether5, ether6, ether7 - everything can be seen in the diagram). Could you pls take a look at my scripts (both CRS354-Spine and CRS112-Leaf1), as I cannot find the logical error with the VLAN transport. In the diagram there is also another CRS326 which exists in reality, but for now I will skip its config as it should do 'almost the same as the CRS112'. Also, have I set up the WG RWs in the correct manner on the CRS354?

I am thanking you in advance for your time and effort!

the diagram
WG-CRS354-CRS112-v1.jpg
CRS354 Spine Config

# mar/20/2024 20:26:39 by RouterOS 7.9.1
# software id = 
#
/interface bridge
add ingress-filtering=no name=bridge-main pvid=999 vlan-filtering=yes
/interface wireguard
add comment="Wireguard for RW's" listen-port=13299 mtu=1420 name=wireguard1 \
    private-key="lalalalala"
/interface vlan
add interface=bridge-main name=vlan100-corp vlan-id=100
add interface=bridge-main name=vlan200-guests vlan-id=200
add interface=bridge-main name=vlan300-cameras vlan-id=300
add interface=bridge-main name=vlan500-dali vlan-id=500
add interface=bridge-main name=vlan600-IoT1 vlan-id=600
add interface=bridge-main name=vlan700-POS vlan-id=700
add interface=bridge-main name=vlan800-IoT2 vlan-id=800
add interface=bridge-main name=vlan999-mgmt vlan-id=999
/interface list
add name=LAN
add name=Authorized
add name=WAN
add name=mgmt
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp-vlan100 ranges=10.10.100.100-10.10.100.200
add name=dhcp-vlan200 ranges=10.20.100.1-10.20.100.250
add name=dhcp-vlan300 ranges=10.30.100.100-10.30.100.150
add name=dhcp-vlan500 ranges=10.50.100.100-10.50.100.150
add name=dhcp-vlan600 ranges=10.60.100.100-10.60.100.150
add name=dhcp-vlan700 ranges=10.70.100.100-10.70.100.150
add name=dhcp-vlan800 ranges=10.80.100.100-10.80.100.150
add name=dhcp-vlan999 ranges=10.99.99.50-10.99.99.200
/ip dhcp-server
add address-pool=dhcp-vlan100 interface=vlan100-corp lease-time=4h name=\
    dhcp-corp
add address-pool=dhcp-vlan200 interface=vlan200-guests name=dhcp-guests
add address-pool=dhcp-vlan300 interface=vlan300-cameras lease-time=8h30m \
    name=dhcp-cameras
add address-pool=dhcp-vlan500 interface=vlan500-dali lease-time=8h name=\
    dhcp-dali
add address-pool=dhcp-vlan600 interface=vlan600-IoT1 lease-time=8h name=\
    dhcp-IoT1
add address-pool=dhcp-vlan700 interface=vlan700-POS lease-time=8h name=\
    dhcp-POS
add address-pool=dhcp-vlan800 interface=vlan800-IoT2 lease-time=8h name=\
    dhcp-IoT2
add address-pool=dhcp-vlan999 interface=vlan999-mgmt lease-time=8h name=\
    dhcp-mgmt
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-main comment=Corp-vlan100 frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=100
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=200
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=200
add bridge=bridge-main comment="AP's-vlan999" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether6 pvid=999
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether7 pvid=999
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8 pvid=999
add bridge=bridge-main comment="Camera's vlan300" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether9 pvid=300
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether10 pvid=300
add bridge=bridge-main comment=Dali-vlan500 frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether11 pvid=500
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether12 pvid=500
add bridge=bridge-main comment=IoT1-vlan600 frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether13 pvid=600
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether14 pvid=600
add bridge=bridge-main comment=POS frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether15 pvid=700
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether16 pvid=700
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether17 pvid=700
add bridge=bridge-main comment=IoT2-vlan800 frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether18 pvid=800
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether19 pvid=800
add bridge=bridge-main comment="Trunk Connection to CRS326" \
    ingress-filtering=no interface=ether20 pvid=999
add bridge=bridge-main comment="Trunk Connection to CRS112" \
    ingress-filtering=no interface=ether21 pvid=999
add bridge=bridge-main comment="Spare trunk port" interface=ether22
add bridge=bridge-main comment="mgmt port" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether24 pvid=999
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge-main tagged=bridge-main vlan-ids=100
add bridge=bridge-main tagged=\
    bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=200
add bridge=bridge-main tagged=bridge-main untagged=\
    ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=999
add bridge=bridge-main tagged=\
    bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=300
add bridge=bridge-main tagged=\
    bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=500
add bridge=bridge-main tagged=\
    bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=600
add bridge=bridge-main tagged=\
    bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=700
add bridge=bridge-main tagged=bridge-main vlan-ids=800
/interface list member
add interface=ether1 list=WAN
add interface=vlan100-corp list=LAN
add interface=vlan300-cameras list=LAN
add interface=vlan200-guests list=LAN
add interface=vlan500-dali list=LAN
add interface=vlan600-IoT1 list=LAN
add interface=vlan700-POS list=LAN
add interface=vlan800-IoT2 list=LAN
add interface=vlan999-mgmt list=mgmt
add interface=ether22 list=mgmt
/interface wireguard peers
add allowed-address=172.16.0.2/32 comment="RW1 - vlan300" interface=\
    wireguard1 public-key="lalalala"
add allowed-address=172.16.0.3/32 comment="RW2 - 600" interface=wireguard1 \
    public-key="lalalala"
add allowed-address=172.16.0.4/32 comment="RW3 - vlan700" interface=\
    wireguard1 public-key="lalalala"
add allowed-address=172.16.0.5/32 comment="admin RW - vlan999" interface=\
    wireguard1 public-key="lalalala"
/ip address
add address=10.10.100.254/24 interface=vlan100-corp network=10.10.100.0
add address=10.20.100.254/24 interface=vlan200-guests network=10.20.100.0
add address=10.30.100.254/24 interface=vlan300-cameras network=10.30.100.0
add address=10.50.100.254/24 interface=vlan500-dali network=10.50.100.0
add address=10.60.100.254/24 interface=vlan600-IoT1 network=10.60.100.0
add address=10.70.100.254/24 interface=vlan700-POS network=10.70.100.0
add address=10.80.100.254/24 interface=vlan800-IoT2 network=10.80.100.0
add address=10.99.99.254/24 interface=vlan999-mgmt network=10.99.99.0
add address=192.168.55.5/24 comment="spare mgmt port" interface=ether22 \
    network=192.168.55.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.10.100.0/24 dns-server=10.10.100.254 gateway=10.10.100.254
add address=10.20.100.0/24 dns-server=10.20.100.254 gateway=10.20.100.254
add address=10.30.100.0/24 dns-server=10.30.100.254 gateway=10.30.100.254
add address=10.50.100.0/24 dns-server=10.50.100.254 gateway=10.50.100.254
add address=10.60.100.0/24 dns-server=10.60.100.254 gateway=10.60.100.254
add address=10.70.100.0/24 dns-server=10.70.100.254 gateway=10.70.100.254
add address=10.80.100.0/24 dns-server=10.80.100.254 gateway=10.80.100.254
add address=10.99.99.0/24 dns-server=10.99.99.254 gateway=10.99.99.254
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=172.16.0.200 comment="admin RW" list=Authorized
add address=192.168.55.5 comment="admin via emergence access" list=Authorized
add address=10.99.99.0/24 comment="allow to mgmt network" list=Authorized
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="wireguard handshake" dst-port=13299 \
    log=yes log-prefix=wg protocol=udp
add action=accept chain=input comment="admin only access" src-address-list=\
    Authorized
add action=accept chain=input comment="users to DNS" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to DNS" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=\
    established,related,new,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet access" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="admin vlan access" \
    out-interface-list=LAN src-address-list=Authorized
add action=accept chain=forward comment="User1-RW1 vlan300 access" \
    dst-address=10.30.100.100 in-interface=wireguard1 src-address=172.16.0.2
add action=accept chain=forward comment="User2-RW2 vlan600 access" \
    dst-address=10.60.100.100 in-interface=wireguard1 src-address=172.16.0.3
add action=accept chain=forward comment="User3-RW3 vlan700 access" \
    dst-address=10.70.100.100 in-interface=wireguard1 src-address=172.16.0.4
add action=accept chain=forward comment="User4-RW4 vlan999 access" \
    dst-address=10.99.99.0/24 in-interface=wireguard1 src-address=172.16.0.5
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add disabled=yes dst-address=0.0.0.0/0 gateway=10.0.0.1 routing-table=main
/system note
set show-at-login=no

CRS112-Leaf1 config

# mar/20/2024 20:26:56 by RouterOS 7.9.1
# software id = 
#
/interface bridge
add ingress-filtering=no name=bridge-leaf1-112 pvid=999 vlan-filtering=yes
/interface vlan
add interface=bridge-leaf1-112 name=vlan100-corp vlan-id=100
add interface=bridge-leaf1-112 name=vlan200-guests vlan-id=200
add interface=bridge-leaf1-112 name=vlan300-cameras vlan-id=300
add interface=bridge-leaf1-112 name=vlan500-dali vlan-id=500
add interface=bridge-leaf1-112 name=vlan600-IoT1 vlan-id=600
add interface=bridge-leaf1-112 name=vlan700-POS vlan-id=700
add interface=bridge-leaf1-112 name=vlan800-IoT2 vlan-id=800
add interface=bridge-leaf1-112 name=vlan999-mgmt vlan-id=999
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-leaf1-112 ingress-filtering=no interface=ether1 pvid=999
add bridge=bridge-leaf1-112 ingress-filtering=no interface=ether2 pvid=999
add bridge=bridge-leaf1-112 ingress-filtering=no interface=ether3 pvid=999
add bridge=bridge-leaf1-112 ingress-filtering=no interface=ether4 pvid=999
add bridge=bridge-leaf1-112 ingress-filtering=no interface=ether5 pvid=100
add bridge=bridge-leaf1-112 ingress-filtering=no interface=ether6 pvid=200
add bridge=bridge-leaf1-112 ingress-filtering=no interface=ether7 pvid=700
/interface bridge vlan
add bridge=bridge-leaf1-112 tagged=ether1 untagged=bridge-leaf1-112 vlan-ids=\
    100
add bridge=bridge-leaf1-112 tagged=ether1 untagged=bridge-leaf1-112 vlan-ids=\
    200
add bridge=bridge-leaf1-112 tagged=ether1 untagged=bridge-leaf1-112 vlan-ids=\
    300
add bridge=bridge-leaf1-112 tagged=ether1 untagged=bridge-leaf1-112 vlan-ids=\
    500
add bridge=bridge-leaf1-112 tagged=ether1 untagged=bridge-leaf1-112 vlan-ids=\
    600
add bridge=bridge-leaf1-112 tagged=ether1 untagged=bridge-leaf1-112 vlan-ids=\
    700
add bridge=bridge-leaf1-112 vlan-ids=999
/ip dhcp-client
add interface=bridge-leaf1-112
/system identity
set name=Mikrotik-Leaf1-CRS112
/system note
set show-at-login=no

Thank you

korg
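The posted router config has two points worth tightening, visible in the lines above: the forward rule `accept connection-state=established,related,new,untracked` sits before the per-user WireGuard rules, so every new connection from any interface is accepted and "Drop all else" is never reached; and the `Authorized` list carries 172.16.0.200 while the admin peer is pinned to 172.16.0.5. The fragment below is an added example, not part of the original post or a MikroTik-supplied config. It assumes the interface name `wireguard1` and the 172.16.0.0/24 tunnel subnet from the posted config; the `RW1-allowed` address list and the placeholder public keys are assumptions introduced here for illustration.

```routeros
# Added example (not from the original post): per-user WireGuard access to one VLAN
# each, with the forward chain actually enforcing it. Assumes interface "wireguard1"
# and tunnel subnet 172.16.0.0/24 as in the posted config; "RW1-allowed" and the
# key placeholders are hypothetical.

/interface wireguard peers
# Server side: allowed-address is the peer's own tunnel IP (/32), not the VLAN it may
# reach. endpoint-address only belongs in the client's config, not on the router.
add allowed-address=172.16.0.2/32 comment="RW1 - vlan300" interface=wireguard1 \
    public-key="<RW1 public key>"
add allowed-address=172.16.0.5/32 comment="admin RW - vlan999" interface=wireguard1 \
    public-key="<admin public key>"

/ip firewall address-list
# Authorized must list the admin peer's real tunnel IP (172.16.0.5), not 172.16.0.200.
add address=172.16.0.5 comment="admin RW" list=Authorized
add address=10.99.99.0/24 comment="mgmt network" list=Authorized
# One list per user role; grow the list instead of editing rules when a user needs
# another VLAN subnet.
add address=10.30.100.0/24 comment="cameras vlan300" list=RW1-allowed

/ip firewall filter
# Weak (as posted): "new" in the catch-all accept passes every new forward packet
# before the per-user rules below are evaluated:
#   add action=accept chain=forward connection-state=established,related,new,untracked
# Corrected: only already-accepted flows pass unconditionally; new flows fall through
# to the explicit rules and otherwise hit "Drop all else".
add action=fasttrack-connection chain=forward connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet access" in-interface-list=LAN \
    out-interface-list=WAN
# vlan999-mgmt is in list "mgmt", not "LAN", so match the mgmt VLAN explicitly.
add action=accept chain=forward comment="admin RW to mgmt vlan" \
    in-interface=wireguard1 out-interface=vlan999-mgmt src-address-list=Authorized
# Per-user: the source is the tunnel IP the peer is pinned to by allowed-address,
# so a peer cannot borrow another user's rule by changing its own address.
add action=accept chain=forward comment="RW1 -> cameras" in-interface=wireguard1 \
    src-address=172.16.0.2 dst-address-list=RW1-allowed
add action=drop chain=forward comment="Drop all else"
```

To check that the separation really holds, bring RW1 up and try a host outside its list (for example 10.60.100.100), then look at the counters with `/ip firewall filter print stats` and at `/ip firewall connection print where src-address~"172.16.0.2"`: the only growing counters should be "RW1 -> cameras" and "Drop all else". On the input chain, the accepts for UDP 500/4500/1701 and TCP 443 are only needed if IPsec, L2TP or SSTP are actually in use; if only WireGuard is served, removing them shrinks the exposed surface.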

The CRS112 has to be programmed differently…
There are probably videos on it to be found…
Also the MT docs should discuss - https://help.mikrotik.com/docs/pages/viewpage.action?pageId=103841836

CRS1xx VLAN Example

###############################################################################
# Recommended reading
# https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching
#
# Notes: Start with a reset (/system reset-configuration)
#
# Based on: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
###############################################################################

#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="CRS1xx_Switch"

#######################################
# VLAN Overview
#######################################

# 10 = BLUE
# 20 = GREEN
# 30 = RED
# 99 = BASE (MGMT) VLAN

#######################################
# Bridge
#######################################

# create one bridge
/interface bridge add name=BR1 protocol-mode=none

# add "all" ports to this one bridge
/interface bridge port
add bridge=BR1 interface=ether1
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether4
# and so on until you get to 24 ...

#######################################
# -- Access Ports --
#######################################

# ingress behavior, egress dynamically handled
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=ether2
add customer-vid=0 new-customer-vid=20 ports=ether3
add customer-vid=0 new-customer-vid=30 ports=ether4

#######################################
# -- Trunk Ports --
#######################################

# ingress behavior
# L2 switching only, Bridge (aka switch1-cpu) not needed as tagged member (except for BASE_VLAN)
/interface ethernet switch vlan
add ports=ether1,ether2 vlan-id=10
add ports=ether1,ether3 vlan-id=20
add ports=ether1,ether4 vlan-id=30
add ports=switch1-cpu,ether1 vlan-id=99

# egress behavior
# L2 switching only, Bridge (aka switch1-cpu) not needed as tagged member (except for BASE_VLAN)
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1 vlan-id=10
add tagged-ports=ether1 vlan-id=20
add tagged-ports=ether1 vlan-id=30
add tagged-ports=switch1-cpu,ether1 vlan-id=99

#######################################
# VLAN Security
#######################################

# drop traffic that does not follow the above port layout
/interface ethernet switch set forward-unknown-vlan=no


#######################################
# IP Addressing & Routing
#######################################

# LAN facing Switch's IP address on a BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.2/24 interface=BASE_VLAN network=192.168.0.0

# The Router's IP this switch will use
/ip route add distance=1 gateway=192.168.0.1

#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/interface list add name=BASE
/interface list member add interface=BASE_VLAN list=BASE
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE

Ok, so you think, if I do ‘the same config’ on the CRS326, with the existing config of the CRS112, it should work? As... I have never worked with the switch chip before…

Is it too much to help me out on that config for CRS112?

Sorry, I have no experience with the CRS1xx series. The only thing I can tell you is the concepts are the same.
There will be a trunk port carrying all the data VLANs and the management VLAN from the CRS326 to the CRS1xx.
What will change is how to set up VLANs, but the rest of the noise should be similar.

The best thing to do is follow the example provided, the MT Docs and watch some videos, give it a stab and post back here with the results.

It should be well documented, which is similar to CRS3xx, but slightly different. Now all CRSxxx VLAN config is way different than using a bridge on the hAP/cAP/RB5009/etc for VLANs…

But if you’re testing this in EVE… it may be EVE support for a CRS1xx that’s at issue – I dunno since I’m not the expert on EVE & the CRS1xx are kinda odd in overall scheme of hardware… Is the issue happening in EVE, or in a real physical setup?

I ask since the thing with the CRS1xx is they have the “most raw” interface for correctly setting VLANs — since everything should be done via /interface/ethernet/switch to set the physical switch chip for VLANs/etc. Your config seems to use the more generic “bridge VLAN filtering”… NOT the docs @anav links, which show using “/interface ethernet switch” to configure the VLANs. So while this is different than most RouterOS devices, it is the way it’s documented to use VLANs.

Now bridge VLAN filtering should work, but I’m not sure it’s the “right way” on the CRS1xx. I don’t use them, so I’d start with the docs. e.g. it’s possible there are strange things that happen when you use bridge VLAN filtering on them, dunno. But your config is kinda permissive since it uses “frame-types=allow-all” and “ingress-filtering=no”, which adds complexity here since if there were VLAN troubles elsewhere, the CRS1xx would just pass them along, potentially creating loops that disable ports in RSTP…

Anyway I presume Mikrotik shows the /interface ethernet switch way for some good reason. Only down/flip side of doing it the “documented way” is I’m not sure that works in EVE, since you’re kinda setting the switch chip directly…

https://www.youtube.com/watch?v=swXS4sO8smE&t=151s