WireGuard MikroTik - Route all traffic

I just recently got a small little mAP lite that I would like to use whenever I'm traveling or working, just with the intention to quickly either log into networks I set up tunnels with or to route all my traffic over it. I have been able to establish a tunnel, but now I'm having an issue routing all my traffic over it using my office pfSense router. I believe I have everything set up right on the pfSense side since I've done this before. Would anyone be able to check out my config and maybe let me know what I'm doing wrong?

  MikroTik RouterOS 7.1.5 (c) 1999-2022       https://www.mikrotik.com/

[admin@MikroTik] > export hide-sensitive 
# apr/04/2022 15:45:48 by RouterOS 7.1.5
# software id = FTHJ-YLS5
#
# model = RBmAP2nD
# serial number = DE500F5EF7D9
/interface bridge
add admin-mac=DC:2C:6E:39:54:CE auto-mac=no comment=defconf name=bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country="united states" \
    disabled=no distance=indoors frequency=2462 installation=indoor mode=\
    ap-bridge ssid=JoshMikro-Tik vlan-id=200 vlan-mode=use-tag
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=wlan1 name=VLAN200 vlan-id=200
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=10.200.1.2-10.200.1.50
add name=dhcp_pool2 ranges=10.200.1.2-10.200.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=dhcp_pool2 interface=bridge1 name=dhcp1
/routing table
add disabled=no fib name=Wireguard
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=pwr-line1
add bridge=bridge1 comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge1 interface=VLAN200
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=10.55.124.0/24 endpoint-address=12.x.,X.CC:45785 \
    endpoint-port=45785 interface=wireguard1 persistent-keepalive=25s \
    public-key="4nEOvxvvsisboidoifniwerjfp23je9fj2oeipfj923jopfp2jk8="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.200.1.1/24 interface=VLAN200 network=10.200.1.0
add address=10.55.124.2/24 interface=wireguard1 network=10.55.124.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.200.1.0/24 dns-server=8.8.8.8,4.2.2.2 gateway=10.200.1.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=AllowFromWifi src-address=10.200.1.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat out-interface=wireguard1 realm=1024 src-address=\
    10.200.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.55.124.1 pref-src=\
    0.0.0.0 routing-table=Wireguard scope=30 suppress-hw-offload=no \
    target-scope=10
/system clock
set time-zone-name=America/New_York
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
[admin@MikroTik] >

If you want to route all traffic, you’ll need to allow more than just 10.55.124.0/24, i.e. you want allowed-address=0.0.0.0/0.

I just made that change and I am still not getting out. Besides that, is there anything that looks off with the routes? Or NAT?

Thanks for helping, by the way.

Found this

/routing table add fib name=via-wg
/ip firewall mangle add action=mark-routing chain=prerouting src-address=192.168.88.200 new-routing-mark=via-wg
# my local wireguard IP
/ip firewall nat add action=masquerade chain=srcnat out-interface=10.13.13.3
# remote wireguard IP
/ip route add gateway=10.13.13.1@main routing-table=via-wg

on another post that you were on, and I actually followed it using what I'm doing and it worked out.

I'm going to read it over slowly and really try to understand how each command works.

You got me, I stopped at the first obvious mistake and didn't notice that you were missing additional stuff. You can also use a routing rule instead of a mangle rule:

/routing rule
add src-address=192.168.88.0/24 action=lookup-only-in-table table=via-wg

Or yet another way to route everything via WG; there are different ones.

Sorry but I am going to go a completely different direction from SOB, his approach sucks! :-0 :wink: ;-PP
I need to understand the config and requirements better before attempting to fix the mess.


So let me get this straight: you use this device when you travel away from home. So it's mobile?
Presumably you connect via WIFI wherever you are staying to connect to the internet via

Why do you assign vlan200 to the WAN side… reason?
Why is there powerline for a mobile setup?

No clue as to why you do this.
add name=dhcp_pool1 ranges=10.200.1.2-10.200.1.50 {get rid of this one, it serves no purpose}
add name=dhcp_pool2 ranges=10.200.1.2-10.200.1.254

Not sure why you have two bridges either!

This is not correct, VLANs are not bridge ports.
add bridge=bridge1 comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge1 interface=VLAN200

You seem to have two primary subnets.
192.168.88.0/24, for which I presume you want to use the regular internet whenever you are connected at a location.
10.200.1.0/24, for which I presume you want to use or send over WireGuard to your office pfSense device (THE WG SERVER) for the initial connection.

What is the WireGuard interface address on the pfSense server?

Last questions

  • What subnet will you be reaching at the office?
  • Did you want to access the internet through the WireGuard connection (aka use the internet at the office location)?

Answered all the questions above, and I'll be adding the new config I did, since I completely reset the device and started over.

[admin@MikroTik] > export hide-sensitive 
# apr/05/2022 08:04:41 by RouterOS 7.1.5
# software id = FTHJ-YLS5
#
# model = RBmAP2nD
# serial number = DE500F5EF7D9
/interface bridge
add admin-mac=DC:2C:6E:39:54:CE auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-3954D0 wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=ether1 name=200 vlan-id=200
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=josh \
    supplicant-identity=""
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=DE:2C:6E:39:54:D0 \
    master-interface=wlan1 multicast-buffering=disabled name=wlan2 \
    security-profile=josh ssid=Josh-Mik-WG wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=10.200.1.2-10.200.1.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=dhcp_pool1 interface=bridge1 name=dhcp1
/routing table
add disabled=no fib name=Wireguard
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether1
add bridge=bridge1 interface=200
add bridge=bridge1 interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=wlan1,bridge vlan-ids=200
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=dfhgertge \
    endpoint-port=45785 interface=wireguard1 public-key=\
    "4nEOahDsdfgsdfgvsergsdfgbsertbsedrfbsertbss="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.200.1.1/24 interface=bridge1 network=10.200.1.0
add address=10.55.124.2/30 interface=wireguard1 network=10.55.124.0
/ip dhcp-client
# DHCP client can not run on slave interface!
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.200.1.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=10.200.1.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wireguard1 src-address=\
    10.200.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.55.124.1 pref-src=\
    0.0.0.0 routing-table=Wireguard scope=30 suppress-hw-offload=no \
    target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/routing rule
add action=lookup disabled=no dst-address=0.0.0.0/0 src-address=10.200.1.0/24 \
    table=Wireguard
/system clock
set time-zone-name=America/New_York
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >

Yeah blindly following things is not the way to go. Far more important to learn what the config means and what the commands do, in the long run.

As for power line, I saw that in your config on the bridge ports??
add bridge=bridge comment=defconf ingress-filtering=no interface=pwr-line1

As for vlan200 on the WAN side, how could you not know you did this?
I am starting to think you didn't originally configure this device, so good idea to start fresh!!

Okay, the difficulty with this requirement is that you have split your internet access requirements at the MikroTik.
However, this is a solvable thing!
The allowed IPs set on the MikroTik will have to be 0.0.0.0/0, which will include the subnet at the pfSense.

At the pfSense you will need firewall rules allowing the incoming MikroTik traffic to reach the server (with source address of the right subnet from MT) and traffic to reach the internet (with source address of the right subnet on the MT). Cannot help you with pfSense settings though.

POST the new config when it's ready!

This is a configuration example of how to route all traffic to a VPN service with Internet access.
Also you can read more at https://forum.mikrotik.com/viewtopic.php?t=182340

/interface wireguard add listen-port=51820 name=wireguard-inet private-key="xxx" comment="Internet through WireGuard commercial VPN provider"
/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=xxx.xxx.xxx.xxx endpoint-port=51820 interface=wireguard-inet persistent-keepalive=25m \
    preshared-key="xxx" public-key="xxx" comment="Internet through WireGuard commercial VPN provider"
/interface list member add interface=wireguard-inet list=WAN comment="Internet through WireGuard commercial VPN provider"
###
/ip address add address=xxx.xxx.xxx.xxx/32 interface=wireguard-inet comment="Internet through WireGuard commercial VPN provider"
/routing table add name=wireguard-wan fib comment="Internet through WireGuard commercial VPN provider"
/ip route add dst-address=0.0.0.0/0 gateway=wireguard-inet routing-table=wireguard-wan comment="Internet through WireGuard commercial VPN provider"
# replace xxx.xxx.xxx.xxx/24 with your local network
/routing rule add action=lookup src-address=192.168.xxx.0/24 table=wireguard-wan comment="Internet through WireGuard commercial VPN provider"
# Add a connection speed limit if CPU load is 100%; depends on the MikroTik hardware
# /queue simple add max-limit=0/4500k name=queue-vpn target=wireguard-inet
# Add the DNS server from the VPN service
/ip/dhcp-server/network/set dns-server=10.xxx.0.1 0
# Your devices (PC, phone) need to reconnect to receive the new DNS server from the router
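As an added example (not from this thread or MikroTik's own code), the script below parses a RouterOS 7 `export` in the format pasted in this thread and reports which of the four pieces the thread converges on are missing: a peer with allowed-address 0.0.0.0/0, a 0.0.0.0/0 route inside a fib routing table, a routing rule steering the LAN subnet into that table, and a srcnat masquerade out the WireGuard interface. It runs on a constructed excerpt condensed from the first export above; the interface name wireguard1, table Wireguard and subnet 10.200.1.0/24 come from the thread, while the endpoint address and public key are placeholders.

```python
"""Check a RouterOS 7 export for the pieces that send a LAN subnet out over a
WireGuard tunnel. Added example for this thread, not MikroTik's own code."""
import shlex
def parse_export(text):
    """Return [(section, {key: value})] per add/set line, re-joining wrapped lines."""
    entries, section, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cont = line.endswith("\\")
        piece = line[:-1].rstrip() if cont else line
        # export wraps either right after "key=" (no space) or between tokens
        buf += piece if (not buf or buf.endswith("=")) else " " + piece
        if cont:
            continue
        if buf.startswith("/"):
            section = buf
        else:
            kv = {}
            for tok in shlex.split(buf)[1:]:          # token 0 is add/set
                k, _, v = tok.partition("=")
                kv[k] = v if "=" in tok else True      # bare words like "fib" are flags
            entries.append((section, kv))
        buf = ""
    return entries
def check_wg_routing(text, lan_subnet):
    """List the missing pieces; an empty list means all four are present."""
    ent, problems = parse_export(text), []
    rows = lambda sec: [kv for s, kv in ent if s == sec]
    peers = rows("/interface wireguard peers")
    wg_ifaces = {p.get("interface") for p in peers}
    if not any("0.0.0.0/0" in p.get("allowed-address", "").split(",") for p in peers):
        problems.append("peer allowed-address lacks 0.0.0.0/0; WireGuard drops other destinations")
    tables = {r["name"] for r in rows("/routing table") if r.get("fib") and r.get("name")}
    routes = [r for r in rows("/ip route")
              if r.get("dst-address") == "0.0.0.0/0" and r.get("routing-table") in tables]
    if not routes:
        problems.append("no 0.0.0.0/0 route inside a fib routing table")
    used = {r["routing-table"] for r in routes}
    if not any(r.get("action") in ("lookup", "lookup-only-in-table") and r.get("table") in used
               and r.get("src-address") == lan_subnet for r in rows("/routing rule")):
        problems.append(f"no routing rule steering {lan_subnet} into the tunnel table")
    if not any(r.get("chain") == "srcnat" and r.get("action") == "masquerade"
               and r.get("out-interface") in wg_ifaces for r in rows("/ip firewall nat")):
        problems.append("no srcnat masquerade out the WireGuard interface")
    return problems
# Constructed sample condensed from the thread's first export; endpoint and key are placeholders
BROKEN = """\
/interface wireguard peers
add allowed-address=10.55.124.0/24 endpoint-address=203.0.113.10 \\
    endpoint-port=45785 interface=wireguard1 public-key="PLACEHOLDER="
/routing table
add disabled=no fib name=Wireguard
/ip firewall nat
add action=accept chain=srcnat out-interface=wireguard1 src-address=\\
    10.200.1.0/24
/ip route
add dst-address=0.0.0.0/0 gateway=10.55.124.1 routing-table=Wireguard
"""
# The same export with the three changes the thread converged on
FIXED = (BROKEN.replace("allowed-address=10.55.124.0/24", "allowed-address=0.0.0.0/0")
         .replace("action=accept chain=srcnat", "action=masquerade chain=srcnat")
         + "/routing rule\nadd action=lookup src-address=10.200.1.0/24 table=Wireguard\n")
```

Calling `check_wg_routing(BROKEN, "10.200.1.0/24")` reports three missing pieces, and the same call on `FIXED` reports none.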

0.0.0.0/1 ???
half internet… from 1.0.0.0 to 126.255.255.255… (useless 0.x , 10.x, 127.x , and the others)
and the rest from 128.0.0.0 to 223.255.255.255?

Set your IP address for the WireGuard interface as so…
/ip address
add address=10.101.121.122/24 interface=wireguard-inet network=10.101.121.122
(Assuming the allowed IP at the pfSense or server site for your mobile device is 10.101.121.122/32)

Not sure on your IP route… you do need internet first.
Not sure how you do this, but let's assume you have a default route from the provider in IP DHCP…
Thus you need an additional route to force users out WG.

/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=wireguard-inet table=useWG

/routing rule add src-address=LANsubnet action=lookup table=useWG
/routing table add name=useWG fib

(If you don't want to be able to access the normal internet through the provider your mobile device is using when WG is down, then use action=lookup-only-in-table.)

Depending upon firewall rule structure you may need a forward chain rule
add chain=forward action=accept in-interface-list=LAN (or src-address=subnet) out-interface=wireguard-inet

PS: showing a truncated config is not helpful…

If you're not ready for the whole internet and want to start slow. :slight_smile:

Well, with hAP lite wifi, one has to be careful of saturating the wifi capacity. :wink:

Yes, you are absolutely right, it's my mistake because I'm a newbie)))

I updated my post, please review it again.

Thank you, it's helped me, it works.

Take the time to read the parts that interest you.
https://forum.mikrotik.com/viewtopic.php?t=182340

Also, in my configuration I added

/queue simple add max-limit=0/4500k name=queue-vpn target=wireguard-inet

It's because I have a lot of SYN traffic and CPU load is 100%, and I have lags and logouts from Winbox (Ethernet port connected to PC: link down → link up restart).

With speed limitations, CPU load is around 97-99% without internet lags (Internet works mostly correctly).