Hi, I have a cAP ax behind an ISP router. Because all client devices need to be able to connect to each other, the cAP is set up as a wireless access point (dumb AP: no NAT, firewall or DHCP server). Everything works fine, but now I need to add a WireGuard server (RoadWarrior) and the cAP is best suited for that.
So now (after adding the wg interface, assigning an IP to it and adding a peer) the wg peer can connect and access the cAP (on both the WireGuard interface IP and the IP assigned on the ISP router), but nothing else.
Since there’s no NAT, firewall or interface list (like in the RoadWarrior config), how do I now allow wg peers to access the internet and other devices (printer, NAS, etc.) in the 192.168.1.0/24 network?
Here’s my config:
# by RouterOS 7.13.5
#
# model = cAPGi-5HaxD2HaxD
/interface bridge
add admin-mac=xxx auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface ethernet
set [ find default-name=ether2 ] poe-out=off
/interface wifi
set [ find default-name=wifi1 ] configuration.country=Poland .mode=ap .ssid=xxx disabled=no mac-address=xxx security.connect-priority=0
set [ find default-name=wifi2 ] configuration.mode=ap .ssid=xxx disabled=no mac-address=xxx security.connect-priority=0
/interface wireguard
add listen-port=59876 mtu=1420 name=wireguard1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=wifi1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=wifi2 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether1 internal-path-cost=10 path-cost=10
/interface wireguard peers
add allowed-address=192.168.99.2/32 comment=1peer interface=wireguard1 preshared-key="xxx" private-key="xxx" public-key="xxx"
/ip address
add address=192.168.1.2/24 comment="static on isp router" interface=bridge network=192.168.1.0
add address=192.168.99.1/24 interface=wireguard1 network=192.168.99.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=bridge
/ip dns
set allow-remote-requests=yes servers=192.168.1.1
/system clock
set time-zone-name=Europe/Warsaw
/system note
set show-at-login=no
and peer config:
[Interface]
PrivateKey = xxx
Address = 192.168.99.2/24
DNS = 192.168.1.1, 1.1.1.1
[Peer]
PublicKey = xxx
PresharedKey = xxx
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = ext_ip:59876
Best regards!
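One way to get the peers out of the tunnel on a setup like the one described above, as an added example that is not part of the original post or of any official MikroTik configuration. It assumes the names from the post (interface wireguard1 with 192.168.99.0/24, the bridge with 192.168.1.2/24, the ISP router at 192.168.1.1 supplying the default route via the DHCP client). The reason peers can reach the cAP but nothing else is that LAN hosts and the ISP router have no route back to 192.168.99.0/24; they send replies to their default gateway, which drops them. Either hide the peers behind the cAP's LAN address (Option A) or teach the ISP router the return route (Option B):

```routeros
# Added example, not from the original post. Names (wireguard1, bridge, 192.168.99.0/24,
# 192.168.1.0/24, ISP router 192.168.1.1) are taken from the posted config.

# Option A: source-NAT peer traffic that leaves through the bridge. LAN hosts and the
# ISP router then see packets from 192.168.1.2 and can answer without knowing the
# 192.168.99.0/24 subnet. The cAP keeps forwarding, which is on by default in RouterOS.
/ip firewall nat
add chain=srcnat src-address=192.168.99.0/24 out-interface=bridge action=masquerade \
    comment="wg peers -> LAN and internet via ISP router"

# Option B (no NAT on the cAP): leave the NAT table empty and add a static route on the
# ISP router instead: destination 192.168.99.0/24, gateway 192.168.1.2. The exact syntax
# depends on the ISP router; most consumer units have a "static routes" page. With this
# option LAN devices see the real peer address (192.168.99.2), which is nicer for logging.

# Optional in either case: limit what enters through the tunnel. The IP forward chain only
# sees routed traffic (tunnel <-> bridge); bridged LAN-to-LAN traffic is untouched because
# the bridge's use-ip-firewall setting is off by default, so the AP stays a "dumb" AP.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="wg: replies to existing connections"
add chain=forward in-interface=wireguard1 action=accept \
    comment="wg: peers may start connections to LAN and internet"
add chain=forward out-interface=wireguard1 connection-state=new action=drop \
    comment="wg: nobody on the LAN or internet may start connections to peers"
```

Option A is the smaller change and is what most road-warrior guides do; Option B keeps the addressing honest but depends on the ISP router accepting a static route. The client side from the post (AllowedIPs = 0.0.0.0/0, DNS = 192.168.1.1) needs no change: once the return path exists, the ISP router resolves DNS and forwards internet traffic for the peers as it does for the wireless clients.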