Wireguard guru needed

Need help with firewall rules regarding wireguard.

The setup is as follows:

R1 is considered the server side, as it has a public IP.

R2 is my LTE router at another location. The whole 192.168.88.0/24 subnet needs to be accessible by one or more PCs on the 192.168.100.0/24 subnet, but the 192.168.100.0/24 subnet shouldn't be accessible by any device on the 192.168.88.0/24 subnet.

That's where I encounter a problem. The Wireguard connection is working without a problem: it gets established and I can access the 192.168.88.0/24 subnet, but I can also access the 192.168.100.0/24 subnet. I tried to add firewall rules, but they don't work.

Here is the network diagram; the PC on 192.168.88.254 is a test laptop for now, just to have some kind of device connected to the network:

[attachment: Diagram.jpg]
Also, the R1 configuration:

# 2023-12-22 06:42:48 by RouterOS 7.12
# software id = XXXXXXXX
#
# model = RB4011iGS+
# serial number = XXXXXXXX
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether4 ] comment=Trunk_SW_2
set [ find default-name=ether5 ] comment=Trunk_SW_1
set [ find default-name=ether10 ] comment=iLO_VM_srv
/interface wireguard
add listen-port=XXXXX mtu=1420 name=wireguard1
/interface vlan
add comment="" interface=bridge name=VLAN_100 vlan-id=100
add comment="" interface=bridge name=VLAN_150 vlan-id=150
add comment="" interface=bridge name=VLAN_200 vlan-id=200
add comment="" interface=bridge name=VLAN_210 vlan-id=210
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=\
    192.168.100.1-192.168.100.99,192.168.100.101-192.168.100.254
add name=dhcp_pool2 ranges=\
    192.168.150.1-192.168.150.99,192.168.150.101-192.168.150.254
add name=dhcp_pool3 ranges=\
    192.168.200.1-192.168.200.99,192.168.200.101-192.168.200.254
add name=dhcp_pool4 ranges=\
    192.168.210.1-192.168.210.99,192.168.210.101-192.168.210.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=VLAN_100 lease-time=1d name=dhcp1
add address-pool=dhcp_pool2 interface=VLAN_150 lease-time=1d name=dhcp2
add address-pool=dhcp_pool3 interface=VLAN_200 lease-time=1d name=dhcp3
add address-pool=dhcp_pool4 interface=VLAN_210 lease-time=1d name=dhcp4
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=100
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=150
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether4
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether9 pvid=100
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether10 pvid=100
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5,ether4 untagged=ether10,ether9 \
    vlan-ids=100
add bridge=bridge tagged=bridge,ether5,ether4 untagged=ether3 vlan-ids=150
add bridge=bridge tagged=bridge,ether5,ether4 vlan-ids=200
add bridge=bridge tagged=bridge,ether5 vlan-ids=210
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=VLAN_100 list=LAN
add interface=VLAN_150 list=LAN
add interface=VLAN_200 list=LAN
add interface=VLAN_210 list=LAN
/interface wireguard peers
add allowed-address=10.0.0.2/32 comment="Laptop" interface=wireguard1 \
    public-key=""
add allowed-address=10.0.0.3/32 comment="Phone" interface=wireguard1 \
    public-key=""
add allowed-address=10.0.0.4/32,192.168.88.0/24 interface=wireguard1 \
    public-key=""
/ip address
add address=192.168.100.100/24 comment="" interface=\
    VLAN_100 network=192.168.100.0
add address=192.168.150.100/24 comment="" interface=VLAN_150 network=\
    192.168.150.0
add address=192.168.200.100/24 comment="" interface=VLAN_200 \
    network=192.168.200.0
add address=PublicIP comment=WAN interface=ether1 network=PublicIP
add address=192.168.210.100/24 comment="" interface=VLAN_210 network=\
    192.168.210.0
add address=10.0.0.1/24 comment=VPN interface=wireguard1 network=10.0.0.0

/ip dhcp-server lease

/ip dns
set allow-remote-requests=yes servers=PublicIP

/ip firewall address-list
add address=10.0.0.2 comment="Laptop" list=VPN
add address=10.0.0.3 comment="Phone" list=VPN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=log chain=input dst-port=XXXXX log-prefix="WG inbound" \
    protocol=udp
add action=accept chain=input comment=VPN dst-port=XXXXX in-interface-list=\
    WAN protocol=udp
add action=accept chain=input comment=VPN_winbox dst-port=8291 in-interface=\
    wireguard1 protocol=tcp src-address-list=VPN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=PublicIP routing-table=main \
    suppress-hw-offload=no
add disabled=no dst-address=192.168.88.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=Ured
/system logging
add topics=wireguard
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

And the R2 configuration:

# 2023-12-21 07:47:35 by RouterOS 7.12rc2
# software id = XXXXXXXX
#
# model = L41G-2axD&FG621-EA
# serial number = XXXXXXXXX
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-0E0DCD \
    security.authentication-types=wpa2-psk,wpa3-psk
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band=""
/interface wireguard
add listen-port=XXXXX mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn= use-network-apn=no
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wifi1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface wireguard peers
add allowed-address=10.0.0.1/32,192.168.100.0/24 endpoint-address=R1_PublicIP \
    endpoint-port=XXXXX interface=wireguard1 persistent-keepalive=30s \
    public-key=""
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.0.0.4/24 interface=wireguard1 network=10.0.0.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=VPN_winbox dst-port=8291 in-interface=\
    wireguard1 protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=VPN dst-address=192.168.88.0/24 \
    in-interface=wireguard1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=192.168.100.0/24 gateway=wireguard1 \
    routing-table=main suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Zagreb
/system leds
add interface=lte1 leds=user-led type=interface-activity
/system logging
add topics=wireguard
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Also, on R2 I set the allowed IPs in the peer to 192.168.100.92, and then only one PC can access the 192.168.88.0 subnet, but that's kind of a workaround…

So, it seems a wireguard guru is no longer needed.

This is a purely “firewall filter” question. You need to drop new connections to 192.168.100.0/24 in forward chain if originated from 192.168.88.0/24. According to the diagram, it is better to implement such a rule on R1.

Thanks, will try that :smiley:

Waiting for @anav to find something wrong with setup :laughing: :laughing:

PARTIALLY… however, what is needed is a clearer path from R1 to R2 in the firewall rules, and then to drop all other traffic. Easy peasy, and thus no traffic that is not accepted will be permitted in general.

R1
Your R1 seems to be set up mostly okay.

(1) On R1, change the firewall rules to the following.
Remove this rule…
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

AND REPLACE WITH THE FOLLOWING RULES:
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="access to R2-outgoing" src-address=192.168.100.0/24 out-interface=wireguard1
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes {enable if required}
add action=drop chain=forward comment="Drop All Else"

The only other traffic permitted, besides local LAN to WAN traffic, is the local subnet going out over wireguard to the remote .88 subnet.

(2) Remove the bridge from the interface list members; it's not required when you move to all VLANs, and you already have all the VLANs correctly entered!!
add comment=defconf interface=bridge list=LAN


R2

(1) Allowed IPs: change the IP address to the server as follows…
add allowed-address=10.0.0.0/24,192.168.100.0/24 endpoint-address=R1_PublicIP endpoint-port=XXXXX interface=wireguard1 persistent-keepalive=30s public-key=""

Note: The reason for this is flexibility. With this rule you, as admin, can remotely connect to R2 via R1, for example.

(2) Same process with this default rule, which should be ditched once the config grows from the default.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

(3) add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="access from R1-incoming" in-interface=wireguard1 dst-address=192.168.88.0/24
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes {enable if required}
add action=drop chain=forward comment="Drop All Else"

The only additional traffic permitted, beyond local LAN to WAN, is the remote subnet on R1 coming in on wireguard to visit the local subnet on R2.


+++++++++++++++++++++++++++++++++

Note: To allow access to R2 while the admin is remotely connecting to R1 (for config purposes, for example), I have outlined the required allowed-IPs changes to R2 above. In addition, you need a relay rule added to the R1 firewall forward rule set, as per below.

add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="access to R2-outgoing" src-address=192.168.100.0/24 out-interface=wireguard1
add action=accept chain=forward comment="Relay wg" in-interface=wireguard1 out-interface=wireguard1
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes {enable if required}
add action=drop chain=forward comment="Drop All Else"

With a given destination address, the router needs to find a route for it, the traffic needs to be allowed in the firewall rules, and it needs to match an existing peer…
Since it's peer to peer, your connection coming in at R1 will exit at the LAN level, and the rule basically says traffic exiting from wireguard is also permitted to re-enter wireguard.
With the destination address of the R2 wireguard address or a destination address in .88, the R1 router will match that destination up with a known peer and will send the traffic to R2.
It will send the traffic via one of two routes existing on R1: either the DAC default route created by the wireguard1 address on R1 (dst-address=10.0.0.0/24 gateway=wireguard1 routing-table=main) OR the manual route you created for .88 traffic.
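What the two replies above come down to is how a RouterOS filter chain decides: the first matching rule wins, and a packet that reaches the end of the chain without matching anything is accepted. That implicit accept is why the original R1 config let 192.168.88.0/24 reach 192.168.100.0/24: no forward rule matched that traffic at all. The Python below is an added example, not code from this thread or from MikroTik. It models first-match evaluation over the R1 forward rules quoted above (the ipsec-policy and fasttrack rules are omitted because they do not change the verdict for these flows), with the interface lists, sample packets and rule comments constructed for illustration, and compares the original chain, the single explicit drop suggested in the first reply, and anav's accept-then-"Drop All Else" set against the same flows.

```python
"""Model of RouterOS /ip firewall filter forward-chain evaluation (added example).

Assumptions (constructed, not from the thread): interface list membership
below, the sample packets, and that fasttrack/ipsec rules are irrelevant here.
Real RouterOS semantics modelled: first matching enabled rule decides; a packet
that falls off the end of a chain is accepted.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Constructed to mirror R1: VLAN interfaces in LAN, ether1 in WAN.
INTERFACE_LISTS = {
    "LAN": {"VLAN_100", "VLAN_150", "VLAN_200", "VLAN_210"},
    "WAN": {"ether1"},
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str
    out_iface: str
    state: str           # new | established | related | untracked | invalid
    nat_state: str = ""  # "dstnat" when the flow was DST-NATed, else ""


@dataclass(frozen=True)
class Rule:
    action: str          # accept | drop
    comment: str
    src_address: Optional[str] = None
    dst_address: Optional[str] = None
    in_interface: Optional[str] = None
    out_interface: Optional[str] = None
    in_interface_list: Optional[str] = None   # may be negated: "!LAN"
    out_interface_list: Optional[str] = None
    connection_state: Optional[FrozenSet[str]] = None
    connection_nat_state: Optional[str] = None  # "dstnat" or "!dstnat"
    disabled: bool = False


def _list_match(iface: str, spec: str) -> bool:
    negate = spec.startswith("!")
    member = iface in INTERFACE_LISTS[spec.lstrip("!")]
    return member != negate


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every matcher set on the rule agrees with the packet."""
    if rule.disabled:
        return False
    if rule.src_address and ip_address(pkt.src) not in ip_network(rule.src_address):
        return False
    if rule.dst_address and ip_address(pkt.dst) not in ip_network(rule.dst_address):
        return False
    if rule.in_interface and pkt.in_iface != rule.in_interface:
        return False
    if rule.out_interface and pkt.out_iface != rule.out_interface:
        return False
    if rule.in_interface_list and not _list_match(pkt.in_iface, rule.in_interface_list):
        return False
    if rule.out_interface_list and not _list_match(pkt.out_iface, rule.out_interface_list):
        return False
    if rule.connection_state is not None and pkt.state not in rule.connection_state:
        return False
    if rule.connection_nat_state is not None:
        spec = rule.connection_nat_state
        if (pkt.nat_state == spec.lstrip("!")) == spec.startswith("!"):
            return False
    return True


def evaluate(chain: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule decides; RouterOS accepts implicitly at chain end."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "accept", "implicit accept (end of chain)"


ESTABLISHED = Rule("accept", "defconf: accept established,related,untracked",
                   connection_state=frozenset({"established", "related", "untracked"}))
INVALID = Rule("drop", "defconf: drop invalid", connection_state=frozenset({"invalid"}))
WAN_NOT_DSTNAT = Rule("drop", "defconf: drop all from WAN not DSTNATed",
                      connection_nat_state="!dstnat", connection_state=frozenset({"new"}),
                      in_interface_list="WAN")

# 1) The forward chain as originally posted for R1 (defconf only).
ORIGINAL_R1 = [ESTABLISHED, INVALID, WAN_NOT_DSTNAT]
# 2) The first reply: one explicit drop for new .88 -> .100 connections.
SANDY_R1 = [ESTABLISHED, INVALID,
            Rule("drop", "drop new .88 -> .100", src_address="192.168.88.0/24",
                 dst_address="192.168.100.0/24", connection_state=frozenset({"new"})),
            WAN_NOT_DSTNAT]
# 3) anav's set: explicit accepts, then drop everything else.
ANAV_R1 = [ESTABLISHED, INVALID,
           Rule("accept", "internet traffic", in_interface_list="LAN", out_interface_list="WAN"),
           Rule("accept", "access to R2-outgoing", src_address="192.168.100.0/24",
                out_interface="wireguard1"),
           Rule("accept", "Relay wg", in_interface="wireguard1", out_interface="wireguard1"),
           Rule("accept", "port forwarding", connection_nat_state="dstnat", disabled=True),
           Rule("drop", "Drop All Else")]

# Constructed sample flows seen by R1's forward chain.
R2_TO_PC_NEW = Packet("192.168.88.254", "192.168.100.92", "wireguard1", "VLAN_100", "new")
PC_TO_R2_NEW = Packet("192.168.100.92", "192.168.88.254", "VLAN_100", "wireguard1", "new")
R2_REPLY = Packet("192.168.88.254", "192.168.100.92", "wireguard1", "VLAN_100", "established")
VLAN150_TO_R2 = Packet("192.168.150.20", "192.168.88.1", "VLAN_150", "wireguard1", "new")
LAPTOP_TO_R2 = Packet("10.0.0.2", "192.168.88.1", "wireguard1", "wireguard1", "new")
LAN_TO_INET = Packet("192.168.150.20", "198.51.100.7", "VLAN_150", "ether1", "new")
INET_TO_LAN = Packet("203.0.113.9", "192.168.100.10", "ether1", "VLAN_100", "new")

if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL_R1), ("explicit drop", SANDY_R1), ("anav", ANAV_R1)):
        for pkt in (R2_TO_PC_NEW, PC_TO_R2_NEW, R2_REPLY, VLAN150_TO_R2, LAPTOP_TO_R2, LAN_TO_INET, INET_TO_LAN):
            print(f"{name:13} {pkt.src:>15} -> {pkt.dst:<15} {pkt.state:11} {evaluate(chain, pkt)}")
```

Running it shows the original chain accepting the .88 to .100 connection only because nothing matched it, the explicit drop closing that one hole while leaving every other unmatched flow accepted, and anav's chain admitting exactly the enumerated flows (LAN to WAN, .100 out over wireguard, wireguard-to-wireguard relay, and return traffic) and dropping the rest, including VLAN_150 reaching .88.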

Thank you @anav, I will make those changes when I return to the office on Wednesday.

I do have a remote connection to the office, but I don't want to risk screwing something up and then end up going to the office :laughing:

Did the changes; now from R1 I can ping R2, but from R2 I can't ping anything on R1 except R1 itself on 192.168.100.100. For that, the ping is going through; for other addresses it is not.

R1 new config:

# 2023-12-27 07:46:57 by RouterOS 7.12
# software id = xxxx-xxxx
#
# model = RB4011iGS+
# serial number = xxxxxxxxxx
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether4 ] comment=Trunk_SW_2
set [ find default-name=ether5 ] comment=Trunk_SW_1
set [ find default-name=ether10 ] comment=iLO_VM_srv
/interface wireguard
add listen-port=xxxxx mtu=1420 name=wireguard1
/interface vlan
add comment="" interface=bridge name=VLAN_100 vlan-id=100
add comment="" interface=bridge name=VLAN_150 vlan-id=150
add comment="" interface=bridge name=VLAN_200 vlan-id=200
add comment="" interface=bridge name=VLAN_210 vlan-id=210
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=\
    192.168.100.1-192.168.100.99,192.168.100.101-192.168.100.254
add name=dhcp_pool2 ranges=\
    192.168.150.1-192.168.150.99,192.168.150.101-192.168.150.254
add name=dhcp_pool3 ranges=\
    192.168.200.1-192.168.200.99,192.168.200.101-192.168.200.254
add name=dhcp_pool4 ranges=\
    192.168.210.1-192.168.210.99,192.168.210.101-192.168.210.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=VLAN_100 lease-time=1d name=dhcp1
add address-pool=dhcp_pool2 interface=VLAN_150 lease-time=1d name=dhcp2
add address-pool=dhcp_pool3 interface=VLAN_200 lease-time=1d name=dhcp3
add address-pool=dhcp_pool4 interface=VLAN_210 lease-time=1d name=dhcp4
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=100
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=150
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether4
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether9 pvid=100
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether10 pvid=100
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5,ether4 untagged=ether10,ether9 \
    vlan-ids=100
add bridge=bridge tagged=bridge,ether5,ether4 untagged=ether3 vlan-ids=150
add bridge=bridge tagged=bridge,ether5,ether4 vlan-ids=200
add bridge=bridge tagged=bridge,ether5 vlan-ids=210
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=VLAN_100 list=LAN
add interface=VLAN_150 list=LAN
add interface=VLAN_200 list=LAN
add interface=VLAN_210 list=LAN
/interface wireguard peers

/ip address
add address=192.168.100.100/24 comment="" interface=\
    VLAN_100 network=192.168.100.0
add address=192.168.150.100/24 comment="" interface=VLAN_150 network=\
    192.168.150.0
add address=192.168.200.100/24 comment="" interface=VLAN_200 \
    network=192.168.200.0
add address=PublicIP comment=WAN interface=ether1 network=PublicIP
add address=192.168.210.100/24 comment="" interface=VLAN_210 network=\
    192.168.210.0
add address=10.0.0.1/24 comment=VPN interface=wireguard1 network=10.0.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease

/ip dns
set allow-remote-requests=yes servers=PublicIP
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.0.0.2 comment="" list=VPN
add address=10.0.0.3 comment="" list=VPN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=DNS-UDP dst-port=53 in-interface-list=\
    LAN protocol=udp
add action=accept chain=input comment=DNS-TCP dst-port=53 in-interface-list=\
    LAN protocol=tcp
add action=log chain=input dst-port=45298 log-prefix="Dolazni WG zahtjevi" \
    protocol=udp
add action=accept chain=input comment=VPN dst-port=45298 in-interface-list=\
    WAN protocol=udp
add action=accept chain=input comment=VPN_winbox dst-port=8291 in-interface=\
    wireguard1 protocol=tcp src-address-list=VPN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="Access to R2-outgoing" \
    out-interface=wireguard1 src-address=192.168.100.0/24
add action=accept chain=forward comment="Wireguard relay" in-interface=\
    wireguard1 out-interface=wireguard1
add action=accept chain=forward comment="Port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="VLAN200 to DNS" dst-address=\
    192.168.100.103 in-interface=VLAN_200
add action=accept chain=forward comment="VLAN150 to DNS" dst-address=\
    192.168.100.103 in-interface=VLAN_150
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=""
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=PublicIP routing-table=main \
    suppress-hw-offload=no
add disabled=no dst-address=192.168.88.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=Ured
/system logging
add topics=wireguard
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

R2 new config:

# 2023-12-27 07:53:07 by RouterOS 7.12rc2
# software id = xxxx-xxxx
#
# model = L41G-2axD&FG621-EA
# serial number = xxxxxxxxxx
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-0E0DCD \
    security.authentication-types=wpa2-psk,wpa3-psk
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band=""
/interface wireguard
add listen-port=xxxxx mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.telemach.hr use-network-apn=no
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wifi1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface wireguard peers
add allowed-address=10.0.0.0/24,192.168.100.0/24 endpoint-address=PublicIP \
    endpoint-port=45298 interface=wireguard1 persistent-keepalive=30s \
    public-key=""
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.0.0.4/24 interface=wireguard1 network=10.0.0.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.100.92 list=VPN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=VPN_winbox dst-port=8291 in-interface=\
    wireguard1 protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="Access from R1 incomming" \
    dst-address=192.168.88.0/24 in-interface=wireguard1
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=""
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=192.168.100.0/24 gateway=wireguard1 \
    routing-table=main suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Zagreb
/system leds
add interface=lte1 leds=user-led type=interface-activity
/system logging
add topics=wireguard
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Comments: Okay so we solved the initial problems in that subnet .100 (r1) can reach subnet .88 (r2) and the reverse should not be possible.
So now I find it very confusing that you are asking R2 to be able to ping R1 subnet. Are you confused?? The only thing that should be pingable from R2 is the wireguard IP address of R1.

The only thing that makes sense to me is that you want remote wireguard users to be able to reach R1 and R2 subnets???

Observations
R1
(1) Missing the Wireguard peer settings!!

(2) Don't like your firewall input chain rules:
a. they are OUT of order, and
b. messy, and you have duplicate rules for the WG handshake!!..
c. not efficient: if your wireguard interface is part of the LAN interface then you allow all LAN interface members to your winbox port and no other rule is required.
d. not efficient: you do not need to allow LAN to DNS because you allow all LAN to the router anyway via the last rule.

FIXED TO WHAT YOU WANT, WHICH I DISLIKE (fear to actually name names LOL, aka the admin):
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid

add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=log chain=input dst-port=45298 log-prefix="Dolazni WG zahtjevi" \
    protocol=udp comment="Wireguard handshake"
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN

FIXED TO WHAT YOU SHOULD HAVE (only the admin accesses the router, users only access DNS services):

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid

add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=log chain=input dst-port=45298 log-prefix="Dolazni WG zahtjevi" \
    protocol=udp comment="Wireguard handshake"
add action=accept chain=input comment="Admin Access" src-address-list=Authorized
add action=accept chain=input comment=DNS-UDP dst-port=53 in-interface-list=\
    LAN protocol=udp
add action=accept chain=input comment=DNS-TCP dst-port=53 in-interface-list=\
    LAN protocol=tcp
add action=drop chain=input comment="Drop all else"

WHERE
/ip firewall address-list (mostly static DHCP leases)
add address=admin-IP1 list=Authorized comment="local admin desktop"
add address=admin-IP2 list=Authorized comment="local admin laptop"
add address=admin-IP3 list=Authorized comment="local admin smartphone/ipad"
add address=10.0.0.2 list=Authorized comment="remote admin wireguard"
add address=10.0.0.3 list=Authorized comment="remote admin wireguard"

(3) Missing the invalid rule in the forward chain after the established related rule.

(4) If you want to allow remote WG users to access R1 subnets, then on R1 add:
add action=accept chain=forward comment="Internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="Access to R2-outgoing" \
    out-interface=wireguard1 src-address=192.168.100.0/24

add action=accept chain=forward in-interface=wireguard1 src-address-list=VPN \
    out-interface-list=LAN { if not all vlans then state which one }
add action=accept chain=forward comment="Wireguard relay" in-interface=\
    wireguard1 out-interface=wireguard1
add action=accept chain=forward comment="Port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="VLAN200 to DNS" dst-address=\
    192.168.100.103 in-interface=VLAN_200
add action=accept chain=forward comment="VLAN150 to DNS" dst-address=\
    192.168.100.103 in-interface=VLAN_150
add action=drop chain=forward comment="drop all else"

(5) Why is this still hanging around??
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

(6) It appears you are sending VLANs 200 and 150 to some DNS server on VLAN100.
I don't see your IP DHCP SERVER-NETWORK SETTINGS???
Assuming for VLANs 150 and 200 you have dns-server=192.168.100.103??

In any case you should add a destination NAT rule to ensure this is done…
/interface list
add name=DNS-PI
/interface list member
add interface=VLAN_150 list=DNS-PI
add interface=VLAN_200 list=DNS-PI

/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=DNS-PI dst-port=53 protocol=udp to-addresses=192.168.100.103
add chain=dstnat action=dst-nat in-interface-list=DNS-PI dst-port=53 protocol=tcp to-addresses=192.168.100.103

+++++++++++++++

R2

(7) Just to make it clear the reason 192.168.100.0/24 is on the list of allowed Peers for R1 is so that the R2 router can perform incoming filtering, so that traffic coming from that subnet over the wireguard tunnel is recognized and allowed to enter the router. It is by firewall rules and such that we allow or disallow that traffic to actually go anywhere.

(8) What is not clear to me is what the heck is this line for. It seems to serve no purpose at the moment.
/ip firewall address-list
add address=192.168.100.92 list=VPN

(9) Same omission for the forward chain rule for invalid. It appears you used that rule to make the last rule DROP all LOL…

(10) If IPv6 is disabled, as it should be if not used, also modify the firewall rules and get rid of the rest (on both routers):
add chain=input action=drop
add chain=forward action=drop

by anav » Wed Dec 27, 2023 4:53 pm

Comments: Okay so we solved the initial problems in that subnet .100 (r1) can reach subnet .88 (r2) and the reverse should not be possible.
So now I find it very confusing that you are asking R2 to be able to ping R1 subnet. Are you confused?? The only thing that should be pingable from R2 is the wireguard IP address of R1.

The only thing that makes sense to me is that you want remote wireguard users to be able to reach R1 and R2 subnets???

I do want remote users to be able to reach R1 and R2, and that is working without a problem.


Observations
R1
(1) Missing the Wireguard peer settings!!

Sorry, deleted by accident, will provide it tomorrow.

(2) Don't like your firewall input chain rules:
a. they are OUT of order, and
b. messy, and you have duplicate rules for the WG handshake!!..
c. not efficient: if your wireguard interface is part of the LAN interface then you allow all LAN interface members to your winbox port and no other rule is required.
d. not efficient: you do not need to allow LAN to DNS because you allow all LAN to the router anyway via the last rule.

a. I will correct this with the suggestions given in your post.

b. I'm not sure I know which rule you are talking about :confused:

c. I will do that and delete the firewall rule that is not required.

d. Yea, but after I modified the drop-all rule and removed connection-state invalid it stopped working, and this made it work again.

(3) Missing the invalid rule in the forward chain after the established related rule.

Yea, after I removed the invalid option from this rule I was unable to access the DNS server from VLANs 150 and 200.

(4) If you want to allow remote WG users to access R1 subnets, then on R1 add:
add action=accept chain=forward comment="Internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="Access to R2-outgoing" \
    out-interface=wireguard1 src-address=192.168.100.0/24
add action=accept chain=forward in-interface=wireguard1 src-address-list=VPN \
    out-interface-list=LAN { if not all vlans then state which one }
add action=accept chain=forward comment="Wireguard relay" in-interface=\
    wireguard1 out-interface=wireguard1
add action=accept chain=forward comment="Port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="VLAN200 to DNS" dst-address=\
    192.168.100.103 in-interface=VLAN_200
add action=accept chain=forward comment="VLAN150 to DNS" dst-address=\
    192.168.100.103 in-interface=VLAN_150
add action=drop chain=forward comment="drop all else"

Road warriors can access R1 and its subnets without a problem, but I will make the changes you suggested.

  1. Will delete, I forgot about that.

  2. All VLANs have the same DNS server on VLAN100.

  3. I think I got it: we send the subnet across the tunnel and then on R2 we decide with firewall rules what goes to the LAN on R2.

  4. Will be removed, it was just experimentation.

  5. Yea, I removed connection-state invalid because I didn't see it in your first post. Sorry.

  6. Will address that, I don't use IPv6, that's a whole new level for me and I don't wanna go there…

Send new configs with the latest issues of what doesn't work…

Well… the VPN is working the way I wanted, and with the firewall rules I added I have access to DNS from VLANs 150 and 200.

But I want to make the firewall rules the right way. I will post the new configuration tomorrow as I don't have access to my laptop right now.

New, updated configurations:

R1 (I hope I made all changes as suggested, I didn’t delete ipv6 firewall address list)

# 2023-12-29 06:19:23 by RouterOS 7.12
# software id = XXXX-XXXX
#
# model = RB4011iGS+
# serial number = XXXXXXXXXXX
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether4 ] comment=Trunk_SW_2
set [ find default-name=ether5 ] comment=Trunk_SW_1
set [ find default-name=ether10 ] comment=iLO_VM_srv
/interface wireguard
add listen-port=XXXXX mtu=1420 name=wireguard1
/interface vlan
add comment="" interface=bridge name=VLAN_100 vlan-id=100
add comment="" interface=bridge name=VLAN_150 vlan-id=150
add comment="" interface=bridge name=VLAN_200 vlan-id=200
add comment="" interface=bridge name=VLAN_210 vlan-id=210
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=DNS
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=\
    192.168.100.1-192.168.100.99,192.168.100.101-192.168.100.254
add name=dhcp_pool2 ranges=\
    192.168.150.1-192.168.150.99,192.168.150.101-192.168.150.254
add name=dhcp_pool3 ranges=\
    192.168.200.1-192.168.200.99,192.168.200.101-192.168.200.254
add name=dhcp_pool4 ranges=\
    192.168.210.1-192.168.210.99,192.168.210.101-192.168.210.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=VLAN_100 lease-time=1d name=dhcp1
add address-pool=dhcp_pool2 interface=VLAN_150 lease-time=1d name=dhcp2
add address-pool=dhcp_pool3 interface=VLAN_200 lease-time=1d name=dhcp3
add address-pool=dhcp_pool4 interface=VLAN_210 lease-time=1d name=dhcp4
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=100
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=150
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether4
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether9 pvid=100
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether10 pvid=100
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5,ether4 untagged=ether10,ether9 \
    vlan-ids=100
add bridge=bridge tagged=bridge,ether5,ether4 untagged=ether3 vlan-ids=150
add bridge=bridge tagged=bridge,ether5,ether4 vlan-ids=200
add bridge=bridge tagged=bridge,ether5 vlan-ids=210
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=VLAN_100 list=LAN
add interface=VLAN_150 list=LAN
add interface=VLAN_200 list=LAN
add interface=VLAN_210 list=LAN
add interface=wireguard1 list=LAN
add interface=VLAN_150 list=DNS
add interface=VLAN_200 list=DNS
add interface=VLAN_210 list=DNS
/interface wireguard peers
add allowed-address=10.0.0.2/32 comment="" interface=wireguard1 \
    public-key=""
add allowed-address=10.0.0.3/32 comment="" interface=wireguard1 \
    public-key=""
add allowed-address=10.0.0.4/32,192.168.88.0/24 interface=wireguard1 \
    public-key=""
/ip address
add address=192.168.100.100/24 comment="" interface=\
    VLAN_100 network=192.168.100.0
add address=192.168.150.100/24 comment="" interface=VLAN_150 network=\
    192.168.150.0
add address=192.168.200.100/24 comment="" interface=VLAN_200 \
    network=192.168.200.0
add address=PublicIP comment=WAN interface=ether1 network=PublicIP
add address=192.168.210.100/24 comment=AC_Hypo interface=VLAN_210 network=\
    192.168.210.0
add address=10.0.0.1/24 comment=VPN interface=wireguard1 network=10.0.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease

/ip dhcp-server network
add address=192.168.100.0/24 dns-server=192.168.100.103 gateway=\
    192.168.100.100
add address=192.168.150.0/24 dns-server=192.168.100.103 gateway=\
    192.168.150.100
add address=192.168.200.0/24 dns-server=192.168.100.103 gateway=\
    192.168.200.100
add address=192.168.210.0/24 dns-server=192.168.100.103 gateway=\
    192.168.210.100
/ip dns
set allow-remote-requests=yes servers=PublicIP
/ip firewall address-list
add address=10.0.0.2 comment="Lpatop" list=VPN
add address=10.0.0.3 comment="Phone" list=VPN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=DNS-UDP dst-port=53 in-interface-list=\
    LAN protocol=udp
add action=accept chain=input comment=DNS-TCP dst-port=53 in-interface-list=\
    LAN protocol=tcp
add action=accept chain=input comment=VPN dst-port=XXXXX in-interface-list=\
    WAN protocol=udp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="Access to R2-outgoing" \
    out-interface=wireguard1 src-address=192.168.100.0/24
add action=accept chain=forward in-interface=wireguard1 out-interface-list=\
    LAN src-address-list=VPN
add action=accept chain=forward comment="Wireguard relay" in-interface=\
    wireguard1 out-interface=wireguard1
add action=accept chain=forward comment="Port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=""
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat in-interface-list=DNS dst-port=53 protocol=tcp to-addresses=\
    192.168.100.103
add action=dst-nat chain=dstnat in-interface-list=DNS dst-port=53 protocol=udp to-addresses=\
    192.168.100.103
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=PublicIP routing-table=main \
    suppress-hw-offload=no
add disabled=no dst-address=192.168.88.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add chain=input action=drop
add chain=forward action=drop
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=Ured
/system logging
add topics=wireguard
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

For some reason R2 no longer connects to R1 after the changes were made, so I can't make any changes there.

Slap EOIP tunnel on top of wireguard so you can always ROMON in.

So Holvoe, the config is correct and thus you can impart ROMON wisdom.
Do pray tell while I show you how to actually review a config, what value does ROMON provide in this scenario…I would like to know as I probably could use it too.


Observations
(1) There is no point in having ether5,6,7 showing on the /interface bridge ports. Should be removed.

(2) HHBC Syndrome: Must be to have missed this one ( Holvoe High on Belgian Chocolate )

Please indicate to me where the OP has access to the router for config purposes???
All I see is two rules for DNS, and one rule to allow wireguard handshake!

I am assuming that he somehow deleted it from the rsc file prior to pasting it here otherwise he would not have been able to access router, a mystery. :slight_smile:

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

add action=accept chain=input comment=DNS-UDP dst-port=53 in-interface-list=\
    LAN protocol=udp
add action=accept chain=input comment=DNS-TCP dst-port=53 in-interface-list=\
    LAN protocol=tcp
add action=accept chain=input comment=VPN dst-port=XXXXX in-interface-list=\
    WAN protocol=udp
add action=drop chain=input comment="drop all else"
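To make the lockout anav points at concrete, here is an added Python model (my own code, not anything from the thread or from RouterOS) of first-match input-chain evaluation over the rules in the updated R1 config, beside the same chain with anav's Authorized-list accept inserted before the final drop. The Authorized addresses and the sample packets are constructed placeholders; the loopback rule is left out because none of the samples target 127.0.0.1.

```python
"""Added model of RouterOS first-match firewall evaluation for the posted R1 input chain."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

WG_PORT = 45298  # R1 listen port, as seen in R2's peer endpoint-port on the page

# Interface lists from the updated R1 config; note wireguard1 is a LAN member.
INTERFACE_LISTS = {
    "LAN": {"VLAN_100", "VLAN_150", "VLAN_200", "VLAN_210", "wireguard1"},
    "WAN": {"ether1"},
}
# anav's Authorized list uses admin-IP placeholders; these values are constructed.
ADDRESS_LISTS = {"Authorized": ["192.168.100.92", "10.0.0.2", "10.0.0.3"]}

@dataclass
class Packet:
    in_interface: str
    src: str
    protocol: str                  # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    conn_state: str = "new"        # new/established/related/untracked/invalid

@dataclass
class Rule:
    """Only the matchers the posted rules use; an unset matcher matches anything."""
    action: str                    # "accept" or "drop" ("log" would pass through)
    comment: str = ""
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    in_interface_list: Optional[str] = None    # "LAN", or negated as "!LAN"
    src_address_list: Optional[str] = None
    connection_state: Optional[frozenset] = None

    def matches(self, p: Packet) -> bool:
        if self.protocol and p.protocol != self.protocol:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.in_interface_list:
            negate = self.in_interface_list.startswith("!")
            members = INTERFACE_LISTS[self.in_interface_list.lstrip("!")]
            if (p.in_interface in members) == negate:
                return False
        if self.src_address_list:
            nets = ADDRESS_LISTS[self.src_address_list]
            if not any(ip_address(p.src) in ip_network(n) for n in nets):
                return False
        if self.connection_state and p.conn_state not in self.connection_state:
            return False
        return True

def evaluate(chain, packet):
    """Top-down walk: the first matching accept/drop decides; no match = accept (RouterOS default)."""
    for rule in chain:
        if rule.action in ("accept", "drop") and rule.matches(packet):
            return rule.action, rule.comment
    return "accept", "implicit default"

# The input chain as posted in the updated R1 config (loopback rule omitted, it is
# irrelevant here). Nothing before the final drop admits Winbox or SSH from LAN.
POSTED_INPUT = [
    Rule("accept", "established,related,untracked",
         connection_state=frozenset({"established", "related", "untracked"})),
    Rule("drop", "drop invalid", connection_state=frozenset({"invalid"})),
    Rule("accept", "accept ICMP", protocol="icmp"),
    Rule("accept", "DNS-UDP", protocol="udp", dst_port=53, in_interface_list="LAN"),
    Rule("accept", "DNS-TCP", protocol="tcp", dst_port=53, in_interface_list="LAN"),
    Rule("accept", "VPN", protocol="udp", dst_port=WG_PORT, in_interface_list="WAN"),
    Rule("drop", "drop all else"),
]
# anav's fix: an accept for the Authorized source list placed before the final drop.
ADMIN_INPUT = POSTED_INPUT[:-1] + [
    Rule("accept", "Admin Access", src_address_list="Authorized"), POSTED_INPUT[-1]]

# Constructed sample packets (Winbox is TCP/8291 as in the R2 config on the page).
WINBOX_FROM_ADMIN = Packet("VLAN_100", "192.168.100.92", "tcp", 8291)
WINBOX_FROM_GUEST = Packet("VLAN_150", "192.168.150.20", "tcp", 8291)
WINBOX_FROM_WAN = Packet("ether1", "203.0.113.9", "tcp", 8291)
DNS_FROM_LAN = Packet("VLAN_200", "192.168.200.30", "udp", 53)
WG_HANDSHAKE = Packet("ether1", "203.0.113.9", "udp", WG_PORT)
```

Running `evaluate(POSTED_INPUT, WINBOX_FROM_ADMIN)` returns the final drop, while the same packet against `ADMIN_INPUT` hits "Admin Access"; DNS from LAN and the WireGuard handshake from WAN are accepted by both chains.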

FWIW, there is “Safe Mode”: https://help.mikrotik.com/docs/display/ROS/Configuration+Management#ConfigurationManagement-SafeMode

Big fan of RoMON – but like most Mikrotik things, confusing at first, then super handy once working. But it does require Layer2/Ethernet-like connection.

As an alternative to running EoIP over WG. You can use EOIP as a “side-channel” (e.g. in addition to wireguard) to keep them separate. You do need a public IP, but if you enable IPSec on EoIP tunnel it’s secure & leave the WG for normal IP traffic. And simple, with just EoIP tunnel alone (no bridging needed), you can connect to any MT router that both has RoMON enabled & connected somehow via ethernet (or “fake ethernet” like EoIP, etc.).

If your interconnecting IP setup is completely barfed but Wireguard connection is still present, an EOIP on top of those 2 WG-endpoints allows to use ROMON. Quite easy to do.

Zerotier can be used as well but not all devices are ARM-based.
And the free Zerotier option is limited to 25 addresses, last time I checked.
So EOIP to the rescue for both cases …

With my customer I have a central RB5009 for Capsman-environment on that specific location, but I also use it as termination point for all 34 other sites using EOIP.
Some direct via the underlying MPLS being present to connect all locations, some via WG since those sites are not part of the larger MPLS scheme.

One access from where ever I am to that central RB5009 using either Wireguard or Zerotier (yeah, I prefer a backup) and via ROMON I can reach all MT devices present on those 35 locations (ok, there are some segments I still need to add but that’s hair-splitting).

Yea, I fu***ed up… Deleted that rule by accident… Can't access the R1 config but can access the subnet, and R2 is not accessible at all. Can't ping 10.0.0.4.

I tried to connect by winbox from a virtual machine that is on the subnet that "was supposed to be admin" but I can't access the router… Soooo I fu***ked up big time…

I am sure it will be the first and LAST time LOL.

Yea, and I didn't do an off-bridge port for emg. access… I told myself that I will do it later…

But what went wrong? I presume that the missing fw rule to drop everything not coming from LAN before the drop-all rule fu***ked things up…

Yes, that is the rule removed that did you in. Since you're kicking yourself, go back to post 7 to reread. :wink: