WireGuard only to ether5

Shchedrin · November 29, 2024, 8:51pm

warm greetings to all

MKT RB750Gr3 7.16.2

What I did and what I am not able to succeed.

I would like WireGuard to use only ether5 and others 2 3 4 to leave with a local provider.

I made the Routing → Tables table WG, IP → Address, IP- > Pool-WG, bridge-WG, DHCP-WG, WireGuard interface and Peer.

192.168.192.0 plan to use for WG, Pool = pool-WG = 192.168.192.10-192.168.192.254, GateWay 192.168.192.1

I am trying a different NAT bridge and IP->FireWall but failed.

Why am I looking for solution through the bridge-WG? Because it is easy to turn on/off different bridge to ether5 when needed, for example, to return to a local subnet or use other protocols or other WireGuard or SSTP servers etc. ether2 3 4 should work as usual, need not to

Please, how would you solve this?

For example, you have 3 different WireGuard WG1 WG2 WG3 interfaces and would like to connect to WG1 or WG2 or WG3 in the simplest way using only ether5 ? Should not redirect ether2 3 4 internet traffic through WireGuard, only ether5.

Thank you.

anav · November 29, 2024, 10:11pm

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )

Shchedrin · November 30, 2024, 4:05am

Hi !

as required /export file=2024-11-30

the MKT RB750Gr3 router is installed after the provider’s VDSL router the same apartment.
I switch off everything I could in the provider’s router, making the ISP router as transparent as possible, only get the Internet from ISP router that connect ether1 WAN in the MKT.

Proton manual
https://protonvpn.com/support/wireguard-mikrotik-routers

ppp.ppp.ppp.ppp address below is Proton Wire Guard server

sss.sss.sss.sss address below is SSTP servers BG or RS

a year about regular bridges and SSTP client to the MKT SSTP server to friend work fine, ether5 is isolated when necessary as described initial topic, easy switch on/off Ports to any bridge -

my today question - is how to do approximately the same for WireGuard?

# 2024-11-30 03:56:06 by RouterOS 7.16.2
# software id = MMW4-PZNQ
#
# model = RB750Gr3
# serial number = xxxxxxx
/interface bridge
add admin-mac=EE:AE:49:DB:20:F0 auto-mac=no name=2-bridge
add admin-mac=3A:96:B4:1B:8A:0D auto-mac=no name=3-bridge
add admin-mac=48:A9:8A:AC:43:F5 auto-mac=no name=4-bridge
add admin-mac=E6:2C:F2:55:16:BA auto-mac=no name=5-bridge
add admin-mac=48:A9:8A:AC:43:F2 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
add admin-mac=48:A9:8A:AC:43:FA auto-mac=no comment=defconf name=bridge-SSTP \
    port-cost-mode=short
add admin-mac=72:A1:ED:3D:8F:EC auto-mac=no name=bridge-WG
/interface ethernet
set [ find default-name=ether1 ] name=1-WAN
set [ find default-name=ether2 ] name=2-LAN
set [ find default-name=ether3 ] name=3-LAN
set [ find default-name=ether4 ] name=4-LAN
set [ find default-name=ether5 ] name=5-LAN
/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=proton-DE-009
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=SSTP
add name=WG
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool ranges=192.168.88.10-192.168.88.254
add name=pool-SSTP ranges=192.168.191.10-192.168.191.254
add name=pool-WG ranges=192.168.192.10-192.168.192.254
add name=5-pool ranges=192.168.95.10-192.168.95.254
add name=4-pool ranges=192.168.94.10-192.168.94.254
add name=3-pool ranges=192.168.93.10-192.168.93.254
add name=2-pool ranges=192.168.92.10-192.168.92.254
/ip dhcp-server
add address-pool=pool interface=bridge lease-time=10m name=dhcp
add address-pool=pool-SSTP interface=bridge-SSTP name=DHCP-SSTP
add address-pool=4-pool interface=4-bridge name=4-dhcp
add address-pool=5-pool interface=5-bridge name=5-dhcp
add address-pool=2-pool interface=2-bridge name=2-dhcp
add address-pool=3-pool interface=3-bridge name=3-dhcp
add address-pool=pool-WG interface=bridge-WG name=DHCP-WG
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/ppp profile
add bridge=bridge-SSTP name=profile-SSTP on-down=\
    "ip route remove [find gateway=\"192.168.89.1\"]" on-up="ip route add disa\
    bled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.89.1   pref-src=\
    \"\" routing-table=SSTP scope=30 suppress-hw-offload=no   target-scope=10"
/interface sstp-client
add authentication=mschap2 ciphers=aes256-sha,aes256-gcm-sha384 connect-to=\
    [i]sss.sss.sss.sss[/i] name=SSTP-BG profile=profile-SSTP user=EG6721 \
    verify-server-address-from-certificate=no
add ciphers=aes256-sha,aes256-gcm-sha384 connect-to=[i]sss.sss.sss.sss[/i] name=\
    SSTP-RS profile=profile-SSTP user=nomad \
    verify-server-address-from-certificate=no
/routing table
add disabled=no fib name=SSTP
add disabled=no fib name=WG
add disabled=no fib name=5-rtab
add disabled=no fib name=4-rtab
add disabled=no fib name=2-rtab
add disabled=no fib name=3-rtab
/interface bridge nat
add action=accept chain=dstnat in-bridge=bridge-WG in-interface-list=WG
/interface bridge port
add bridge=bridge comment=defconf interface=2-LAN internal-path-cost=10 \
    path-cost=10
add bridge=bridge-SSTP comment=defconf interface=3-LAN internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=4-LAN internal-path-cost=10 \
    path-cost=10
add bridge=bridge-WG comment=defconf interface=5-LAN internal-path-cost=10 \
    path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add interface=1-WAN list=WAN
add interface=bridge list=LAN
add interface=bridge-SSTP list=LAN
add interface=bridge-SSTP list=SSTP
add interface=4-bridge list=LAN
add interface=5-bridge list=LAN
add interface=3-bridge list=LAN
add interface=2-bridge list=LAN
add interface=bridge-WG list=WG
add interface=bridge-WG list=LAN
add interface=proton-DE-009 list=WG
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="proton DE 009" endpoint-address=\
    [i]ppp.ppp.ppp.ppp[/i] endpoint-port=51280 interface=proton-DE-009 name=\
    proton-DE-009 persistent-keepalive=25s public-key=\
    "xxxx"
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.191.1/24 interface=bridge-SSTP network=192.168.191.0
add address=192.168.92.1/24 interface=2-bridge network=192.168.92.0
add address=192.168.95.1/24 interface=5-bridge network=192.168.95.0
add address=192.168.93.1/24 interface=3-bridge network=192.168.93.0
add address=192.168.94.1/24 interface=4-bridge network=192.168.94.0
add address=192.168.192.1/24 interface=bridge-WG network=192.168.192.0
add address=10.2.0.2/30 interface=proton-DE-009 network=10.2.0.0
/ip dhcp-client
add interface=1-WAN use-peer-dns=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=\
    1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4 gateway=192.168.88.1 netmask=24
add address=192.168.91.0/24 dns-server=1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4 \
    gateway=192.168.91.1 netmask=24
add address=192.168.92.0/24 dns-server=1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4 \
    gateway=192.168.92.1 netmask=24
add address=192.168.93.0/24 dns-server=1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4 \
    gateway=192.168.93.1 netmask=24
add address=192.168.94.0/24 dns-server=1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4 \
    gateway=192.168.94.1 netmask=24
add address=192.168.95.0/24 dns-server=1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4 \
    gateway=192.168.95.1 netmask=24
add address=192.168.191.0/24 dns-server=1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4 \
    gateway=192.168.191.1 netmask=24
add address=192.168.192.0/24 dns-server=10.2.0.1 gateway=192.168.192.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=\
    1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4,10.2.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input dst-port=13231 in-interface=proton-DE-009 \
    protocol=udp
add action=accept chain=forward dst-address= [i]ppp.ppp.ppp.ppp[/i] src-address=\
    192.168.192.0/24
add action=accept chain=forward dst-address=192.168.192.0/24 src-address=\
     [i]ppp.ppp.ppp.ppp[/i]
/ip firewall mangle
add action=mark-routing chain=prerouting in-interface=bridge-SSTP \
    new-routing-mark=SSTP passthrough=yes
add action=mark-routing chain=prerouting in-interface=4-bridge \
    new-routing-mark=WG passthrough=yes
add action=mark-routing chain=prerouting in-interface=5-bridge \
    new-routing-mark=5-rtab passthrough=yes
add action=mark-routing chain=prerouting in-interface=bridge-WG \
    new-routing-mark=WG passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=all-ppp
add action=masquerade chain=srcnat out-interface=bridge-WG \
    out-interface-list=WG
add action=masquerade chain=srcnat disabled=yes out-interface=proton-DE-009 \
    routing-mark=WG src-address=192.168.192.0/24
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" \
    routing-table=WG scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 \
    pref-src="" routing-table=WG scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address= [i]ppp.ppp.ppp.ppp[/i]/32 gateway=\
    192.168.192.1 routing-table=WG scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system identity
set name=xxxxxxx
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

anav · November 30, 2024, 2:58pm

Reading your first post.
Want anyone using ethernet 5, to go out proton wireguard for internet.

Wireguarg does not get an IP pool. It simply an interface with a subnet ( it carries traffic from other wireguard address, typically incoming or outgoing and also, router to router it carries subnets).
In this case you want the subnet on ether5 to go out wireguard to the proton server.
I dont subscribe to multiple bridge so will try to keep it to one bridge ( I will ignore all SSTP in this config )
You cannot have a pool and subnet for the bridge and then also put the ports on the bridge with their own subnets… Probably illegal and very confusing.
Either go with subnets, for each port with NO bridge, or use vlans associated with bridge.
What is with bridge NAT?? dont need it.
Detect Internet should be set to NONE, causes issues otherwise.
FOR DHCP-server network settings DNS, for port 5, use the supplied DNS server given to you by proton, if not provided use 10.2.0.1
(if you added netmask manually, remove, not required)
If not using IPV6 set to disable and remove all ipv6 address lists and firewall rules save 2.
add chain=input action=drop
add chain=forward action=drop

8.Remove static default IP DNS setting.

Leaving input chain for now ( except remove useless proton rule) , modified forward chain.
It would appear from your config that there is no traffic from one LAN port to the other??
Just in case, there is, and using ether2 as your trusted port, will in forward rules give access to other lan subnets as an example.
Mangling not required for moving ether5 out to proton, but will add mangle rule to help out any MTU issues that often arise using 3rd party providers.
Will use Routing Rules to move ether5 traffic to proton.
Added NAT rule to ensure port5 users are directed to proton for DNS>
Ip route for wireguard is not required to be manually inserted as one is created when making the IP address. However we will add one in case the proton supplied dns, if there is one is different from the subnet given.

ONE bridge, and vlans
…

/interface bridge
add admin-mac=EE:AE:49:DB:20:F0 auto-mac=no name=2-bridge
add admin-mac=3A:96:B4:1B:8A:0D auto-mac=no name=3-bridge
add admin-mac=48:A9:8A:AC:43:F5 auto-mac=no name=4-bridge
add admin-mac=E6:2C:F2:55:16:BA auto-mac=no name=5-bridge
add admin-mac=48:A9:8A:AC:43:F2 auto-mac=no comment=defconf name=bridge vlan-filtering=NO  { change to yes as last step in config }
/interface ethernet
set [ find default-name=ether1 ] name=1-WAN
set [ find default-name=ether2 ] name=2-LAN
set [ find default-name=ether3 ] name=3-LAN
set [ find default-name=ether4 ] name=4-LAN
set [ find default-name=ether5 ] name=5-LAN
/interface vlan
add interface=bridge name=vlanPORT2  vlan-id=20
add interface=bridge name=vlanPORT3  vlan-id=30
add interface=bridge name=vlanPORT4  vlan-id=40
add interface=bridge name=vlanPORT5  vlan-id=50
/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=proton-DE-009
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=2-pool ranges=192.168.92.10-192.168.92.254
add name=3-pool ranges=192.168.93.10-192.168.93.254
add name=4-pool ranges=192.168.94.10-192.168.94.254
add name=5-pool ranges=192.168.95.10-192.168.95.254
/ip dhcp-server
add address-pool=2-pool interface=2-bridge name=2-dhcp
add address-pool=3-pool interface=3-bridge name=3-dhcp
add address-pool=4-pool interface=4-bridge name=4-dhcp
add address-pool=5-pool interface=5-bridge name=5-dhcp
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/routing table
add disabled=no fib name=WG
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-taggged-and-untagged  interface=2-LAN pvid=20
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-taggged-and-untagged  interface=3-LAN pvid=30
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-taggged-and-untagged  interface=4-LAN pvid=40
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-taggged-and-untagged  interface=5-LAN pvid=50
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=2-LAN vlan-id=20
add bridge=bridge tagged=bridge untagged=3-LAN vlan-id=30
add bridge=bridge tagged=bridge untagged=4-LAN vlan-id=40
add bridge=bridge tagged=bridge untagged=5-LAN vlan-id=50
/interface detect-internet
set detect-interface-list=NONE
/interface list member
add interface=1-WAN list=WAN
add interface=proton-DE-009 list=WAN 
add interface=vlanPORT2 list=LAN
add interface=vlanPORT3  list=LAN
add interface=vlanPORT4 list=LAN
add interface=vlanPORT5  list=LAN
add interface=vlanPORT2 list=TRUSTED  { assuming this port is your local home port with trusted users }
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="proton DE 009" endpoint-address=\
    [i]ppp.ppp.ppp.ppp[/i] endpoint-port=51280 interface=proton-DE-009 name=\
    proton-DE-009 persistent-keepalive=25s public-key="xxxx"
/ip address
add address=192.168.92.1/24 interface=vlanPORT2 network=192.168.92.0
add address=192.168.93.1/24 interface=vlanPORT3 network=192.168.93.0
add address=192.168.94.1/24 interface=vlanPORT4 network=192.168.94.0
add address=192.168.95.1/24 interface=vlanPORT5 network=192.168.95.0
add address=10.2.0.2/24 interface=proton-DE-009 network=10.2.0.0
/ip dhcp-client
add interface=1-WAN use-peer-dns=no
/ip dhcp-server network
add address=192.168.92.0/24 dns-server=1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4 \
    gateway=192.168.92.1 
add address=192.168.93.0/24 dns-server=1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4 \
    gateway=192.168.93.1
add address=192.168.94.0/24 dns-server=1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4 \
    gateway=192.168.94.1 
add address=192.168.95.0/24 dns-server=10.2.0.1  { better is proton  supplied DNS }
    gateway=192.168.95.1 
/ip dns
set allow-remote-requests=yes servers=\
    1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="internet traffic"  in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="trusted to LAN"  in-interface=vlanPORT2  src-address=192.168.192.0/24  out-interface-list=LAN
add action=accept chain=forward comment="port forwarding"  connection-nat-state=dstnat 
add action=drop  chain=forward  comment="drop  all else" 
/ip firewall mangle
add action=change-mss chain=forward new-mss=1380 out-interface=proton-DE-009 protocol=tcp tcp-flags=syn tcp-mss=1381-65535
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add chain=dstnat action=dst-nat src-address=192.168.95.0/24  dst-port=53 protocol=udp dst-address=10.2.0.1  { better is proton supplied dns address } 
add chain=dstnat action=dst-nat src-address=192.168.95.0/24  dst-port=53 protocol=tcp dst-address=10.2.0.1  { better is proton supplied dns address } 
/ip hotspot profile
set [ find default=yes ] html-directory=hotspo
/ip route
add dst-address=proton-supplied-dns-address  gateway=proton-DE-009   routing-table=main  { if none provided, this rule is not required }
/routing rules
add action=lookup-only-in-table min-prefix=0   table=main
add action=lookup-only-in-table src-address=192.168.195.0/24 table=WG
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/system identity
set name=xxxxxxx
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

…

FOR S&G , no vlans, no bridge
…

/interface ethernet
set [ find default-name=ether1 ] name=1-WAN
set [ find default-name=ether2 ] name=2-LAN
set [ find default-name=ether3 ] name=3-LAN
set [ find default-name=ether4 ] name=4-LAN
set [ find default-name=ether5 ] name=5-LAN
/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=proton-DE-009
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=2-pool ranges=192.168.92.10-192.168.92.254
add name=3-pool ranges=192.168.93.10-192.168.93.254
add name=4-pool ranges=192.168.94.10-192.168.94.254
add name=5-pool ranges=192.168.95.10-192.168.95.254
/ip dhcp-server
add address-pool=2-pool interface=2-bridge name=2-dhcp
add address-pool=3-pool interface=3-bridge name=3-dhcp
add address-pool=4-pool interface=4-bridge name=4-dhcp
add address-pool=5-pool interface=5-bridge name=5-dhcp
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/routing table
add disabled=no fib name=WG
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface detect-internet
set detect-interface-list=NONE
/interface list member
add interface=1-WAN list=WAN
add interface=proton-DE-009 list=WAN 
add interface=2-LAN list=LAN
add interface=3-LAN  list=LAN
add interface=4-LAN list=LAN
add interface=5-LAN  list=LAN
add interface=2-LAN  list=TRUSTED  { assuming this port is your local home port with trusted users }
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="proton DE 009" endpoint-address=\
    [i]ppp.ppp.ppp.ppp[/i] endpoint-port=51280 interface=proton-DE-009 name=\
    proton-DE-009 persistent-keepalive=25s public-key="xxxx"
/ip address
add address=192.168.92.1/24 interface=2-LAN network=192.168.92.0
add address=192.168.93.1/24 interface=3-LAN network=192.168.93.0
add address=192.168.94.1/24 interface=4-LAN network=192.168.94.0
add address=192.168.95.1/24 interface=5-LAN network=192.168.95.0
add address=10.2.0.2/24 interface=proton-DE-009 network=10.2.0.0
/ip dhcp-client
add interface=1-WAN use-peer-dns=no
/ip dhcp-server network
add address=192.168.92.0/24 dns-server=1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4 \
    gateway=192.168.92.1 
add address=192.168.93.0/24 dns-server=1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4 \
    gateway=192.168.93.1
add address=192.168.94.0/24 dns-server=1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4 \
    gateway=192.168.94.1 
add address=192.168.95.0/24 dns-server=10.2.0.1  { better is proton  supplied DNS }
    gateway=192.168.95.1 
/ip dns
set allow-remote-requests=yes servers=\
    1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="internet traffic"  in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="trusted to LAN"  in-interface=2-LAN  src-address=192.168.192.0/24  out-interface-list=LAN
add action=accept chain=forward comment="port forwarding"  connection-nat-state=dstnat 
add action=drop  chain=forward  comment="drop  all else" 
/ip firewall mangle
add action=change-mss chain=forward new-mss=1380 out-interface=proton-DE-009 protocol=tcp tcp-flags=syn tcp-mss=1381-65535
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add chain=dstnat action=dst-nat src-address=192.168.95.0/24  dst-port=53 protocol=udp dst-address=10.2.0.1  { better is proton supplied dns address } 
add chain=dstnat action=dst-nat src-address=192.168.95.0/24  dst-port=53 protocol=tcp dst-address=10.2.0.1  { better is proton supplied dns address } 
/ip hotspot profile
set [ find default=yes ] html-directory=hotspo
/ip route
add dst-address=proton-supplied-dns-address  gateway=proton-DE-009   routing-table=main  { if none provided, this rule is not required }
/routing rules
add action=lookup-only-in-table min-prefix=0   table=main
add action=lookup-only-in-table src-address=192.168.195.0/24 table=WG
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/system identity
set name=xxxxxxx
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

Shchedrin · November 30, 2024, 4:06pm

Thank you.

Shchedrin · November 30, 2024, 5:41pm

thank you