Wireguard only for WiFi sitting in its own VLAN

Good day

Here is my current setup:

  • Default bridge with all the Eth and also WiFi


  • New bridge that contains a VLAN with a slave WiFi

As it stands (without Wireguard or any of the associated config) it all works as expected.

My aim is to add a WireGuard VPN and then route all traffic from the slave WiFi (and only that traffic) over it, so that if the tunnel is down the slave WiFi has no Internet at all rather than falling back to the plain WAN uplink.


I followed these two posts, but somewhere I am doing something wrong: I can see traffic going over my WireGuard interface (the Tx and Rx counters increase), yet websites never load from the slave WiFi.
http://forum.mikrotik.com/t/kill-switch-set-up-wireguard-surfshark-ros-7-8/165681/1
http://forum.mikrotik.com/t/surfshark-vpn-does-not-work-with-wg-on-mt/162360/1

Here is my config

# 2024-11-22 17:14:27 by RouterOS 7.16.1
# software id = JBXS-9FVW
#
# model = L41G-2axD
# NOTE(review): annotated copy of the poster's export. Intent: everything from the
# 192.168.20.0/24 (slave-WiFi) segment goes through the wg-ss tunnel, nothing else
# does, and that segment must fail closed (no fallback to the plain WAN uplink).
/interface bridge
add admin-mac=48:A9:8A:AB:B2:DE auto-mac=no comment=defconf name=bridge
# Second bridge only carries the tagged slave-WiFi port. Note it is NOT a member of
# the LAN interface list (see /interface list member below).
add name=bridge1-vlan20
/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-ax .frequency=2422 \
    .skip-dfs-channels=10min-cac .width=20/40mhz configuration.country=\
    "South Africa" .mode=ap .ssid=Main_WiFi disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes \
    .wps=disable
/interface wireguard
# mtu=1420 is the usual WireGuard-over-IPv4 value; the MSS clamp in mangle below is
# what should keep TCP inside it (see the note there).
add listen-port=13231 mtu=1420 name=wg-ss
/interface vlan
# L3 interface that untags VLAN 20 frames arriving on bridge1-vlan20.
add interface=bridge1-vlan20 name=vlan20 vlan-id=20
/interface wifi
# Virtual AP on wifi1. A slave presumably inherits channel/band from its master
# (wifi1 is 2ghz-ax), so channel.band=2ghz-n/.width=20mhz here is likely ignored --
# confirm (this is the "different band" question raised in the reply).
# datapath.vlan-id=20 tags the clients' frames with VLAN 20.
add channel.band=2ghz-n .width=20mhz configuration.mode=ap .ssid=Second_WiFi \
    datapath.vlan-id=20 disabled=no mac-address=xxxx \
    master-interface=wifi1 name=wifi-vlan20 security.authentication-types=\
    wpa2-psk,wpa3-psk
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp-leigh ranges=192.168.1.100-192.168.1.199
add name=dhcp-vlan20 ranges=192.168.20.100-192.168.20.199
/ip dhcp-server
add address-pool=dhcp-leigh interface=bridge name=dhcp
add address-pool=dhcp-vlan20 interface=vlan20 name=dhcp-vlan20
/routing table
# Separate FIB for the tunnel; the only route in it is the default via wg-ss below.
add disabled=no fib name=wg-ss-rt
/disk settings
# Auto SMB sharing is on here, but the SMB service itself is disabled just below,
# so this should be inert -- worth confirming on the device.
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/ip smb
set enabled=no
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wifi1
# Slave WiFi is the only port on the second bridge.
add bridge=bridge1-vlan20 interface=wifi-vlan20
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
# IPv6 fully disabled: nothing can bypass the IPv4-only tunnel over v6.
set disable-ipv6=yes
/interface list member
# NOTE(review): LAN contains only "bridge". Neither bridge1-vlan20 nor vlan20 is in
# LAN, so the input-chain rule "drop all not coming from LAN" below drops whatever
# 192.168.20.x clients send to the router itself (e.g. DNS to 192.168.20.1).
# Whether DHCP on vlan20 is affected too is not visible from here -- verify.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
# allowed-address=0.0.0.0/0 -> full-tunnel peer (required for the default route in
# wg-ss-rt). persistent-keepalive=25m is 25 *minutes*; provider client configs
# normally use 25 seconds (25s) -- confirm the intended unit.
# The endpoint hostname is resolved by /ip dns (1.1.1.1) over the WAN; expected.
add allowed-address=0.0.0.0/0 endpoint-address=de-fra.prod.surfshark.com \
    endpoint-port=51820 interface=wg-ss name=wg-ss-peer persistent-keepalive=\
    25m public-key="fJDA+OA6jzQxfRcoHfC27xz7m3C8/590fRjpntzSpGo="
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
# Tunnel-side address assigned by the provider.
add address=10.14.0.2/16 interface=wg-ss network=10.14.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.1.102 mac-address=xxxxx
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.114 gateway=192.168.1.1
# vlan20 clients are handed external resolvers, not the router. If those resolvers
# are reachable only through the tunnel, a routing problem shows up as "no DNS /
# websites never load" even while keepalives still produce Tx/Rx on wg-ss.
add address=192.168.20.0/24 dns-server=162.252.172.57,149.154.159.92 gateway=\
    192.168.20.1
/ip dns
# Remote requests allowed; the input chain limits who can ask to the LAN list.
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
# Stale defconf entry: this router is 192.168.1.1, not 192.168.88.1.
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
# Good default, but with the LAN list as defined above this also blocks the
# 192.168.20.0/24 segment from reaching the router.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
# Fasttracked packets bypass mangle (and most of the firewall). Do not rely on the
# mark-routing rule below for established flows; the routing rule at the end is
# what actually selects the table.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Nothing in the forward chain restricts LAN -> WAN, so if 192.168.20.x traffic is
# ever routed via the main table it is forwarded (and masqueraded) out ether1.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
# NOTE(review): this MSS clamp fires only on SYNs that also pass connection-limit,
# dst-limit, limit, psd and the time matcher, i.e. on a small fraction of
# connections. A plain clamp on out-interface=wg-ss is what is wanted here.
add action=change-mss chain=forward connection-limit=100,32 dst-limit=\
    1,5,dst-address/1m40s limit=1,5:packet new-mss=clamp-to-pmtu passthrough=\
    yes protocol=tcp psd=21,3s,3,1 tcp-flags=syn time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat
# NOTE(review): dst-address=10.14.0.0/16 is the tunnel transfer network itself, so
# this marks only traffic *to* the WireGuard subnet, never client traffic to the
# Internet. It is also redundant with the routing rule at the end -- use one
# mechanism (mangle marks OR routing rules), not both.
add action=mark-routing chain=prerouting dst-address=10.14.0.0/16 \
    new-routing-mark=wg-ss-rt passthrough=yes src-address=192.168.20.0/24 \
    src-address-type=!local
/ip firewall nat
# Hide the VPN segment behind the tunnel address.
add action=masquerade chain=srcnat out-interface=wg-ss src-address=\
    192.168.20.0/24
# NOTE(review): if 192.168.20.x packets ever reach the main table, this rule sends
# them out the WAN in the clear. NAT is not the kill switch; the lookup-only-in-table
# routing rule at the end is.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
# Only route in wg-ss-rt. A WireGuard interface stays "running" even when the peer
# is unreachable, so when the tunnel is dead matching traffic is blackholed into it
# rather than re-routed -- which is the desired fail-closed behaviour.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg-ss routing-table=\
    wg-ss-rt scope=30 suppress-hw-offload=no target-scope=10
/ip service
# Export shows only non-default lines: www and winbox remain enabled, reachable
# only from the LAN list because of the input chain above.
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Default v6 firewall; inert while IPv6 is disabled above but harmless to keep.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing rule
# NOTE(review): in /routing rule, "interface" is the *incoming* interface. Packets
# from 192.168.20.0/24 arrive on vlan20, never on wg-ss, so this rule should never
# match and the traffic falls through to the main table -- i.e. out the plain WAN
# via the defconf masquerade. Drop interface=wg-ss (the reply below does exactly
# that). lookup-only-in-table is the kill switch: if wg-ss-rt has no route for the
# packet it is dropped, never looked up in main.
add action=lookup-only-in-table disabled=no interface=wg-ss src-address=\
    192.168.20.0/24 table=wg-ss-rt
/system clock
set time-zone-name=Africa/Johannesburg
/system note
set show-at-login=no
/tool mac-server
# MAC-level access (mac-telnet/winbox) limited to the LAN list; good default.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

(PS, I just disabled the slave WiFi for now until I can test again)
Please let me know if you need more information.

Thank you

  1. Remove vlan and datapath from wifi setting, we will apply it on the bridge ports/interface settings.

  2. Only need one bridge

  3. I am not sure if this is LEGAL: your slave WLAN for WireGuard has a different BAND from the master.
    Is this allowed? I know the frequency and such are copied over… I believe a virtual WLAN can have ONLY its own SSID and security settings,
    and can be assigned to a different subnet/VLAN.
    Therefore you have to decide whether both WLANs use 2ghz-ax or 2ghz-n.

  4. Where did you get these DNS addresses ???
    =162.252.172.57,149.154.159.92

  5. Fixed interface bridge ports

  6. Fixed interface list members

  7. Fixed dhcp-server and IP address

  8. The mangle clamp rule is far too complex (the connection-limit, dst-limit, limit, psd and time matchers mean it only fires on a fraction of SYNs). I recommend simply:
    add action=change-mss chain=forward new-mss=1380 out-interface=wg-ss protocol=tcp tcp-flags=syn tcp-mss=1381-65535

  9. You don't need a source address on the srcnat rule for WireGuard. NAT is not a firewall of any sort; if you need to restrict which hosts may use the tunnel, the forward chain of the firewall filter is the place to do that.

  10. You use ONE or the other, not both, of MANGLE marks and routing rules for steering users out the WireGuard tunnel.
    We will try first with the simpler option: just ROUTING RULES. Note that `lookup-only-in-table` doubles as the kill switch — if no route is found in wg-ss-rt the packet is dropped rather than falling back to the main table (and the plain WAN).

  11. Remove static IP DNS default rule.
    /ip dns static
    add address=192.168.88.1 comment=defconf name=router.lan type=A

  12. MISSING /interface bridge vlan rule for vlan20 also added in home vlan.

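# Proposed single-bridge, VLAN-aware layout for the poster's L41G-2axD.
# Review fixes applied to the original proposal: the two VLAN interfaces referenced a
# non-existent "bridge1" (the only bridge defined here is named "bridge"); the wifi
# slave block appeared twice with markup artifacts and is collapsed to one; the
# defconf masquerade comment used smart quotes; the DHCP server name "dhcp-vlan2"
# is corrected to "dhcp-vlan20" to match its pool.
/interface bridge
add admin-mac=48:A9:8A:AB:B2:DE auto-mac=no comment=defconf name=bridge

/interface wifi
# Virtual AP on wifi1. channel.band here differs from the master's 2ghz-ax; a slave
# presumably follows the master's channel, so decide on one band for wifi1 and treat
# the channel.* settings on the slave as ignored -- confirm on the device.
# No datapath.vlan-id: VLAN membership is assigned by the bridge port (pvid=20).
add channel.band=2ghz-n .width=20mhz configuration.mode=ap .ssid=Second_WiFi \
    disabled=no mac-address=xxxx master-interface=wifi1 name=wlan-wg \
    security.authentication-types=wpa2-psk,wpa3-psk

/interface vlan
# Both L3 VLAN interfaces hang off the single bridge named "bridge".
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=home-vlan vlan-id=10

/ip dhcp-server
add address-pool=dhcp-leigh interface=home-vlan name=dhcp
add address-pool=dhcp-vlan20 interface=vlan20 name=dhcp-vlan20

/interface bridge port
# Access ports: clients send untagged frames; tagged frames are rejected
# (ingress-filtering + admit-priority-and-untagged) so a client cannot hop VLANs.
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether2 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether3 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether4 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wifi1 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan-wg pvid=20

/interface bridge vlan
# The bridge itself is a tagged member of each VLAN so the home-vlan/vlan20
# interfaces above can terminate them.
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4,wifi1 vlan-id=10
add bridge=bridge tagged=bridge untagged=wlan-wg vlan-id=20

/interface list member
# vlan20 must be in LAN, otherwise the defconf input rule "drop all not coming
# from LAN" drops its clients' requests to the router (DNS etc.).
add comment=defconf interface=home-vlan list=LAN
add interface=vlan20 list=LAN
add comment=defconf interface=ether1 list=WAN

/ip address
add address=192.168.1.1/24 interface=home-vlan network=192.168.1.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=10.14.0.2/16 interface=wg-ss network=10.14.0.0

/ip firewall mangle
# Clamp TCP MSS on everything leaving via the tunnel so it fits the wg-ss mtu=1420.
add action=change-mss chain=forward new-mss=1380 out-interface=wg-ss protocol=tcp tcp-flags=syn tcp-mss=1381-65535

/ip firewall nat
# Anything routed out the tunnel is hidden behind the tunnel address; the defconf
# WAN masquerade is unchanged. The two rules match disjoint out-interfaces.
add action=masquerade chain=srcnat out-interface=wg-ss
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

/routing rule
# Kill switch: lookup-only-in-table drops the packet if wg-ss-rt has no route for
# it, instead of falling back to main (the plain WAN). No interface= match here --
# in /routing rule that field is the *incoming* interface, which is never wg-ss
# for packets sourced from 192.168.20.0/24.
# NOTE(review): this rule also catches 192.168.20.x -> 192.168.20.1 / 192.168.1.x
# traffic. If the VPN segment needs to reach the router or the home LAN, add a
# preceding rule for those destinations -- verify before relying on it.
add action=lookup-only-in-table src-address=192.168.20.0/24 table=wg-ss-rt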

+++++++++++++++++++++++++++++++
Last step: turn VLAN filtering ON on the bridge (`/interface bridge set bridge vlan-filtering=yes`). Do this last and preferably in Safe Mode — a mistake in the bridge port / bridge vlan tables above will lock you out of the router once filtering is active.

Hi Anav

Thanks so much for your very in-depth reply! Your knowledge of MikroTik never ceases to amaze.

I am away for a day or so, but as soon as I get a chance I will implement your config.

Regards

Absolutely correct, although no lawyer is going to come after you if you do not obey these rules :laughing:

lol! You learn something new every day about WiFi and its regulatory requirements.

Happy to report that everything is working as it should. I did not implement the VLANs for now, will get my hands on an old second hand Mikrotik then play around with that. But at least the VPN is working on the slave WiFi which is perfect for now. Thanks @anav for all the help!