Wireguard Peers can't access IPs on VLANs

Hi,

I have had a working Bridge VLAN setup with my Hex for years now and am trying to set up wireguard now. The connections from the roadwarrior clients are working and I can access the router via https and ssh on all interface IPs (not just the one in the wireguard network).

Quick rundown of my setup (config and rough diagram attached): External router that connects to the Internet. This is connected at the Hex on eth5 and tagged as vlan 200. The other vlans are in part associated with ports and go as trunks to other switches. 2 are also natted to the 200 vlan for internet access; the guest vlan is completely separate. That part has been working fine since basically forever :slight_smile:.
VLAN 200: 192.168.2.0/24, Router is 192.168.2.1, Hex 192.168.2.2
VLAN 800/900 are 192.168.8.0/24 and .9.0/24 respectively, Hex has .x.2 on each network.

Now I am adding wireguard for vpn access. Connections from 2 roadwarrior peers are working to the hex; what is missing is access to the computers beyond the hex. In future I might also want to add internet access via wireguard, for now access to the other 3 192.168.x.0 networks is enough.

Wireguard uses the 192.168.253.0/24 network. Hex has 192.168.253.2, clients use .100/.101. The firewall is configured to accept and forward packets from the wg interface to the interface list containing all VLANs:

[admin@Hex] /ip/firewall/filter> print
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; accept wireguard
      chain=input action=accept protocol=udp dst-port=51820 log=no log-prefix="" 

 2    ;;; allow WireGuard traffic
      chain=input action=accept src-address=192.168.253.0/24 in-interface=wg-all log=no 
      log-prefix="" 

 3    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 4    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 5    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp log=yes log-prefix="PING" 

 6    ;;; forward WireGuard Traffic to all VLans
      chain=forward action=accept in-interface=wg-all out-interface-list=VLAN log=no 
      log-prefix="wg_forward" 

 7    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 8    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 9    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes 
      connection-state=established,related 

10    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

11    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

12 X  ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat 
      in-interface-list=WAN log=no log-prefix=""

Ping to the addresses of the Hex directly works; however, ping to other IPs does not, nor does it work using the RouterOS ping utility from the wireguard IP:

[admin@Hex] > /ping address=192.168.2.2 src-address=192.168.253.2 
  SEQ HOST                                     SIZE TTL TIME       STATUS                           
    0 192.168.2.2                                56  64 508us     
    1 192.168.2.2                                56  64 498us     
    2 192.168.2.2                                56  64 489us     
    sent=3 received=3 packet-loss=0% min-rtt=489us avg-rtt=498us max-rtt=508us 

[admin@Hex] > /ping address=192.168.2.1 src-address=192.168.253.2
  SEQ HOST                                     SIZE TTL TIME       STATUS                           
    0 192.168.2.1                                                  timeout                          
    1 192.168.2.1                                                  timeout                          
    2 192.168.2.1                                                  timeout                          
    sent=3 received=0 packet-loss=100%

So what am I doing wrong?

Thanks for your advice :slight_smile:
network-diagram.png
hex.conf.rsc (8.59 KB)

The hex is basically acting as a switch.
It does not need any addresses other than on the trusted network, and I am assuming this is the vlan200 subnet.

Post config of hex
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc..).

Edit: See config now at bottom of your post LOL

Why does hex config say RB 5009???

Is this the main router? If so why is there wireguard on the hex as you already have it on the RB5009

Yes, the hex mostly acts as a switch, except where it provides Internet via NAT over the client network (.2.0/24, vlan 200) via the main router that has a built-in VDSL modem and Wireless.

/begin fail
The different subnets/vlans should intentionally not communicate directly, which, stupid me, of course they can once the route has been added on a client… I am so facepalming my 5 year ago self right now…

So now I added the following fw rules to achieve separation and am no longer able to connect to the other subnets from each one:

13    chain=forward action=drop in-interface=bridge-vlan200 out-interface=bridge-vlan800 log=no log-prefix="" 

14    chain=forward action=drop in-interface=bridge-vlan200 out-interface=bridge-vlan900 log=no log-prefix="" 

15    chain=forward action=drop in-interface=bridge-vlan800 out-interface=bridge-vlan200 log=no log-prefix="" 

16    chain=forward action=drop in-interface=bridge-vlan800 out-interface=bridge-vlan900 log=no log-prefix="" 

17    chain=forward action=drop in-interface=bridge-vlan900 out-interface=bridge-vlan200 log=no log-prefix="" 

18    chain=forward action=drop in-interface=bridge-vlan900 out-interface=bridge-vlan800 log=no log-prefix=""

/end of fail…

What I would like to achieve is for the roadwarrior peers (locally I can access all VLANs on certain switch ports) to be able to communicate with the .2.0, .8.0 and .9.0 networks so I can administer my network as if I’m at home.

But, as with the ping using the RouterOS /ping utility, I can only ping the hex and nothing else (192.168.8.254 is the pihole address on the server network):

me@roadwarrior2 ~ % ip a show dev wg_hex
10: wg_hex: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 192.168.253.101/24 brd 192.168.253.255 scope global noprefixroute wg_hex
       valid_lft forever preferred_lft forever
    inet6 fe80::acee:a55c:5740:adfb/64 scope link stable-privacy proto kernel_ll
       valid_lft forever preferred_lft forever

me@roadwarrior2 ~ % ip r
default via 192.168.179.1 dev wlp3s0 proto dhcp src 192.168.179.6 metric 600
192.168.2.0/24 via 192.168.253.2 dev wg_hex proto static metric 1
192.168.8.0/24 via 192.168.253.2 dev wg_hex proto static metric 2
192.168.9.0/24 via 192.168.253.2 dev wg_hex proto static metric 3
192.168.179.0/24 dev wlp3s0 proto kernel scope link src 192.168.179.6 metric 600
192.168.253.0/24 dev wg_hex proto kernel scope link src 192.168.253.101 metric 50

me@roadwarrior2 ~ % ping 192.168.253.2 -c4
PING 192.168.253.2 (192.168.253.2) 56(84) Bytes an Daten.
64 Bytes von 192.168.253.2: icmp_seq=1 ttl=64 Zeit=1.75 ms
64 Bytes von 192.168.253.2: icmp_seq=2 ttl=64 Zeit=16.3 ms
64 Bytes von 192.168.253.2: icmp_seq=3 ttl=64 Zeit=40.0 ms
64 Bytes von 192.168.253.2: icmp_seq=4 ttl=64 Zeit=1.94 ms

--- 192.168.253.2 ping-Statistik ---
4 Pakete übertragen, 4 empfangen, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 1.749/15.004/40.026/15.606 ms

me@roadwarrior2 ~ % ping 192.168.2.1 -c4
PING 192.168.2.1 (192.168.2.1) 56(84) Bytes an Daten.

--- 192.168.2.1 ping-Statistik ---
4 Pakete übertragen, 0 empfangen, 100% packet loss, time 3037ms

me@roadwarrior2 ~ % ping 192.168.8.254 -c4
PING 192.168.8.254 (192.168.8.254) 56(84) Bytes an Daten.

--- 192.168.8.254 ping-Statistik ---
4 Pakete übertragen, 0 empfangen, 100% packet loss, time 3036ms

As pointed out you supplied a config for an RB5009.
You have not stated where this router fits.
You have not provided a hex config.

Explain more how the upstream router works: does it provide an IP address on a private local subnet to the hex?
You mention, NATing, please expound.
A network diagram will help understand.

Can you please verify that you were using the correct file on your end? Because I see

# model = RB750Gr3

when I download and open the file I attached to the first post… I am however attaching the current config (including the new firewall rules) to this post.

The upstream router provides 2 different ipv4 networks. 1 guest (192.168.179.0/24, connected at eth2 as vlan1790) and the main client network, 192.168.2.0/24, connected at eth5 as vlan200.

The 2 other networks are only connected to the hex as described. For a rough network diagram see first post. With the changes from the second post access to other subnets/vlans is only possible via NAT Routing (see config).
hex.conf.rsc (9.3 KB)

Perhaps I was imagining it, because the first times I opened it the router stated was a 5009. When I do it today it's now on the HEX.

Looking at your diagram, can you confirm you use three different ether ports on the WIFI Router to connect three different vlans to three ports on the HEX???
What I was expecting was ONE, trunk port on the wifi router connected to ONE trunk port on the hex, and that port to port connection carrying all three VLANS.

If not, why not??

Let's say it's done correctly and all four vlans reach the hex on one trunk port (200, 800, 900, 1790).
Then the hex should get an IP ONLY on the management vlan.

OH I SEE THE problem, you are a bridge clown.
One bridge is required.

Will assume, trunk port from wifi router is coming in to hex on ETHER1, ether2 is spare, ether3 and ether4 are trunk ports to switches,
ether5 is an off bridge port to initially configure the router for vlan filtering and emergency access if there is a problem with the bridge and you need to access the HEX locally.



/interface bridge
add ingress-filtering=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=emergaccess-5
/interface vlan
add interface=bridge name=vlan900-MANAGE  vlan-id=900
/interface list
add name=management
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=management
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge,ether3,ether4   vlan-ids=900
add bridge=bridge tagged=ether1,ether3,ether4  vlan-ids=200,800,1790
/interface list member
add interface=vlan900-MANAGE list=management
add interface=emergaccess-5 list=management
/ip address
add address=192.168.9.2/24 interface=vlan900-MANAGE network=192.168.9.0  comment="IP of hex on trusted subnet"
add address=192.168.55.1/24 interface=emergaccess-5 network=192.168.55.0 comment="ether5 access off bridge"
/ip dns
# done so all DNS requests use the trusted subnet
set allow-remote-requests=yes servers=192.168.9.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.9.1 comment="ensures route avail through trusted subnet gateway"
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.9.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=management

For off bridge approach
https://forum.mikrotik.com/viewtopic.php?t=181718

Hi anav,

no, the wifi router does not provide a trunk port. Therefore the 2 subnets (separated on the wifi router) are 2 separate point-to-point connections from there to the hex and need to be tagged there. The 2 trunk ports connect to other vlan capable switches in different rooms. The port with vlan900 is there so I can plug in and administer the mgmt network in an emergency. The hex mgmt was supposed to be only available from the mgmt network as well, but since I am on the road a bit more again after covid I enabled it on the client net again (wifi router ipsec vpn can reach that) to be able to try stuff on the road, with the plan of creating the wireguard vpn so I don't need that anymore.

Sorry for being a bridge clown, back in the day that was the way I was able to set it up as I wanted it. Will have a closer look at your example after work and update this post with the results.

Thanks so far!

Okay, so to recap and make sure we're on the same page.

  1. VDSL Modem/Wifi Router is where internet terminates. The modem gets the public IP.
    It provides a flat network of 192.168.2.0/24 where the modem router is the gateway 192.168.2.1

  2. HEX is a second router with NAT; its WANIP for all intents and purposes is 192.168.2.2 with gateway 192.168.2.1, and it provides NAT for vlans 800 and 900


    Your diagram is confusing: it implies that the wifi router has a vlan 200 and a vlan 1790, but quite clearly you state that the LAN on the wifi router gets tagged with vlan200 at the hex.
    So how does 1790 come into play? How does the VDSL modem have two LAN subnets???
    I can only assume that this vdsl modem router provides two subnets: a LAN trusted subnet which we know about, 192.168.2.0/24, but it also has a guest network isolated for both ethernet and wifi? And that is what you are calling 1790, although it has no practical affiliation with the hex at all that I can see.

However you have it coming off ether2 , into the hex, so I will assume for some reason you want to be able to extend this guest network from the wifi router to the rest of the network and thus have to vlan it when it hits the hex… In this case its just a passthrough and not really local to the hex ( hex not involved in dhcp etc).

Lastly you want to be able to create a wireguard server on the HEX, and you need to confirm that you can forward a port on the VDSL modem router to the hex on 192.168.2.2???
I will assume this is the case…

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

As far as wireguard goes, you have what coming in…
A. single remote users only ?
B. other MT routers with whole subnets ?
C. something else?

Suggest you review line by line to digest all changes.
No mangling required, no vlan for WAN needed. Tried to keep it clean and simple.
Access to the router is safely done via Ether1 using 192.168.55.5 set in laptop ipv4 settings etc…
Setup so that you can access the router when sitting on the 192.168.2.X network on the WIFI ROUTER network.
One bridge approach.
VLAN1790 is transparent to the hex, just traffic being passed along like a switch.
Interface list and members greatly simplified.

TO USE WG- Connect as usual via app.

a. TO CONFIG: open up winbox on laptop, or MT app on iphone for example and type: 192.168.253.2:winboxport

b. TO LANS: put in your browser, desired IP address 192.168.8.X or 192.168.9.X
Note: Since Switches should have their IP address on the 192.168.9.0 subnet they will be reachable.

  1. To Access wifi router
    (i) subnet… Type in browser 192.168.2.X; the hex will send it out the WAN port (source-natted to 192.168.2.2, and thus the wifi router will know where to send return traffic)
    (ii) subnet… 192.168.179.X UNKNOWN - see below.

Since you have stated that the two subnets on the WIFI router are distinct, I gather the 192.168.2 and the GUEST 192.168.179 are ISOLATED in some way?
So not sure if one can access vlan1790 at all coming in on wireguard or on an 800 or 900 subnet behind the hex, basically attempting to reach guest from 192.168.2.2??
You will need to provide more details on any firewall rules or static routes possible on the WIFI router.

/interface bridge
add name=onebr comment=onebr vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=eth1-configaccess
set [ find default-name=ether2 ] name=eth2
set [ find default-name=ether3 ] name=eth3
set [ find default-name=ether4 ] name=eth4
set [ find default-name=ether5 ] name=eth5
/interface wireguard
add listen-port=51820 mtu=1420 name=wg-all
/interface vlan
add interface=onebr name=data800 vlan-id=800
add interface=onebr name=mngmt900 vlan-id=900
/interface list
add name=WAN
add name=LAN comment="LocalTraffic incl WG"
add name=MANAGE comment="trusted interfaces"
/ip pool
add name=network-mgmt ranges=192.168.9.201-192.168.9.220
add name=network-server ranges=192.168.8.201-192.168.8.220
/ip dhcp-server
add address-pool=network-mgmt interface=mngmt900 lease-time=10m name=\
    mgmt-dhcp
add address-pool=network-server interface=data800 lease-time=10m name=\
    server-dhcp
/interface bridge port
add bridge=onebr ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=eth2 pvid=1790
add bridge=onebr ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=eth3
add bridge=onebr ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=eth4
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/interface bridge vlan
add bridge=onebr tagged=onebr,eth3,eth4 vlan-ids=800,900
add bridge=onebr tagged=eth3,eth4 untagged=eth2 vlan-ids=1790
/interface detect-internet
set lan-interface-list=none
/interface list member
add interface=eth5 list=WAN
add interface=data800 list=LAN
add interface=mngmt900 list=LAN
add interface=wg-all list=LAN
add interface=eth1-configaccess list=LAN
add interface=mngmt900 list=MANAGE
add interface=eth1-configaccess list=MANAGE
add interface=wg-all list=MANAGE
/interface wireguard peers
add allowed-address=192.168.253.101/32 comment=carrot interface=wg-all \
    private-key="redacted" public-key=\
    "redacted"
add allowed-address=192.168.253.102/32 comment=cyberphlinx interface=wg-all \
    private-key="redacted" public-key=\
    "redacted"
/ip address
add address=192.168.2.2/24 comment="WAN link" interface=eth5 \
   network=192.168.2.0
add address=192.168.8.2/24 comment="server network ip" interface=\
    data800 network=192.168.8.0
add address=192.168.9.2/24 comment="mgmt network ip" interface=mngmt900 \
    network=192.168.9.0
add address=192.168.253.2/24 comment="wireguard network ip" interface=wg-all \
    network=192.168.253.0
add address=192.168.55.1/29 comment="offbridge access" interface=ether1-configaccess network=192.168.55.0
/ip dhcp-server network
add address=192.168.8.0/24 comment="server network" dns-server=192.168.8.254 \
    gateway=192.168.8.2
add address=192.168.9.0/24 comment="management network" dns-server=\
    192.168.9.254 gateway=192.168.9.2
/ip dns
set allow-remote-requests=yes servers=192.168.2.1
/ip firewall address-list
# using static DHCP leases and the wg addresses
add address=192.168.2.X/32 list=Authorized  comment="admin on wifi router network - WIFI - mobile device"
add address=192.168.2.Y/32 list=Authorized  comment="admin on wifi router network - ethernet-fixed device"
add address=192.168.253.101/32 list=Authorized  comment="admin device1 remote wireguard"
add address=192.168.253.102/32 list=Authorized  comment="admin device2 remote wireguard"
add address=192.168.9.x/32 list=Authorized  comment="local admin on mngmt network"
add address=192.168.8.x/32 list=Authorized  comment="local admin on server network"
add address=192.168.55.5/32 list=Authorized comment="hex off bridge access"
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" log=no protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback \
   (for router uses only)" dst-address=127.0.0.1
add action=accept chain=input comment="wg handshake wireguard" dst-port=51820 \
    protocol=udp
add action=accept chain=input comment="allow Admin Access" \
    src-address-list=Authorized
add action=accept chain=input comment="LAN DNS & NTP queries-UDP" \
    dst-port=53,123 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else and put this rule in last"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="local to WAN internet" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin to all local VLANS" \
    src-address-list=Authorized out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="DROP All Else" 
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1
/ip service
set winbox disabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE

If I understand your configuration, and that’s a real pig’s breakfast, your issue is that the hosts on 192.168.2.0/24 have no idea where to forward the return packets for your wireguard network. A possible workaround would be to NAT all that subnet behind the Hex’s IP.

I’m afraid that it would just be an ugly hack to a very poor design.

Which configuration, the OPs?
If you look at the suggested config, all traffic from the 800 and 900 vlans AND WIREGUARD goes through the WAN side of the router, aka via ether5, and since there is a masquerade rule, all such traffic is already natted and gets a source IP of 192.168.2.2. That problem no longer exists…
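The return-path problem described in the two posts above, traced in code. This is an added example, not from the thread: it models only longest-prefix routing on the wifi router (no firewall), uses the thread's addresses, and assumes a constructed ISP gateway; `lookup`, `wifi_router_table` and `trace_reply` are names chosen here.

```python
"""Why the upstream router cannot answer a WireGuard peer: trace where
192.168.2.1 sends its echo reply for a ping from 192.168.253.101, with and
without masquerade on the Hex or a static route on the wifi router."""
from ipaddress import ip_address, ip_network

HEX_WAN_IP = "192.168.2.2"      # Hex's address on VLAN 200 (from the thread)
WG_CLIENT = "192.168.253.101"   # road-warrior peer (from the thread)
WG_NET = "192.168.253.0/24"
ISP_GW = "198.51.100.1"         # constructed placeholder (TEST-NET-2)


def lookup(table, dst):
    """Longest-prefix match over (prefix, gateway-or-None, interface) rows."""
    addr = ip_address(dst)
    best = None
    for prefix, gw, iface in table:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def wifi_router_table(static_route_to_wg=False):
    """The wifi router knows only its own LAN and a default route, unless a
    static route for the WireGuard subnet via the Hex is added."""
    table = [("192.168.2.0/24", None, "lan"), ("0.0.0.0/0", ISP_GW, "wan")]
    if static_route_to_wg:
        table.append((WG_NET, HEX_WAN_IP, "lan"))
    return table


def trace_reply(hex_masquerades, static_route_to_wg):
    """Trace where 192.168.2.1 sends its echo reply to the WireGuard client."""
    # Source address the wifi router sees after the Hex forwarded the request.
    src_seen = HEX_WAN_IP if hex_masquerades else WG_CLIENT
    _, gw, iface = lookup(wifi_router_table(static_route_to_wg), src_seen)
    if iface == "wan":
        return "lost: reply follows the default route towards the ISP"
    next_hop = gw or src_seen   # connected subnet: ARP for the address itself
    if next_hop != HEX_WAN_IP:
        return f"lost: reply ARPs for {next_hop} on the LAN and nobody answers"
    if hex_masquerades:
        return "delivered: reply reaches the Hex, which de-NATs it to the client"
    return "delivered: reply routed to the Hex, which forwards it over wg-all"


if __name__ == "__main__":
    for masq, route in ((False, False), (True, False), (False, True)):
        print(f"masquerade={masq} static_route={route}: {trace_reply(masq, route)}")
```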

The RSC configuration the OP attached. Did not even look at the recommended changes as the OP’s design is fundamentally bad.

Correct.

Yes, the router provides 2 separate subnets as described. The guest lan (tagged as vlan1790) is only processed at layer 2 in the hex and forwarded via the trunk ports to the other switches so it is available there as well.

Use Case A.

Port forwarding on the internet router is working, I can establish a wireguard connection from the 2 configured laptops. The Hex is reachable from there (on all subnets, so on .253.2, .2.2, .8.2 and .9.2), just not any other device on the .2.0, .8.0 and .9.0 subnets. Client IP config is as follows:

me@roadwarrior2 ~ % ip a show dev wg_hex
10: wg_hex: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 192.168.253.101/24 brd 192.168.253.255 scope global noprefixroute wg_hex
       valid_lft forever preferred_lft forever
    inet6 fe80::acee:a55c:5740:adfb/64 scope link stable-privacy proto kernel_ll
       valid_lft forever preferred_lft forever

me@roadwarrior2 ~ % ip r
default via 192.168.179.1 dev wlp3s0 proto dhcp src 192.168.179.6 metric 600
192.168.2.0/24 via 192.168.253.2 dev wg_hex proto static metric 1
192.168.8.0/24 via 192.168.253.2 dev wg_hex proto static metric 2
192.168.9.0/24 via 192.168.253.2 dev wg_hex proto static metric 3
192.168.179.0/24 dev wlp3s0 proto kernel scope link src 192.168.179.6 metric 600
192.168.253.0/24 dev wg_hex proto kernel scope link src 192.168.253.101 metric 50

I provided a much simpler, cleaner config, so cannot comment further.

Hi anav,

I have tried the config you provided and adjusted for the tagging and some typos. Loaded the config by uploading via sftp and running

/system/reset-configuration no-defaults=yes skip-backup=yes run-after-reset=hex-new.rsc

However I am neither able to connect with ip 192.168.55.5/29 to 192.168.55.2 on eth1 (changed ip to match the .2 on all other subnets) nor does 192.168.2.2 show up as connected in my router. Will revert to my old config now for the time being.

Complete new config except credentials is attached, I will try the config in a routerOS vm as well.

EDIT: Running with an abridged config (only 3 ports instead of 5: client, config and trunk) showed that the file ran into errors before setting the ip addresses. Setting config address directly after ethernet config fixed that. As I will be away from home for a few days I won’t be able to test directly with the hex, but I will see if I can get the config to work with the CHR.

/interface bridge
add name=onebr comment=onebr vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=eth1-client
set [ find default-name=ether2 ] name=eth2-configaccess
set [ find default-name=ether3 ] name=eth3-trunk
/ip address add address=192.168.55.2/29 comment="offbridge access" interface=eth2-configaccess network=192.168.55.0

Log looks as follows (omitted working parts, attached chr config as well):

15:49:44 system,info interface list member added by run-after-reset (*7 = /interface list member add interface=eth2-configaccess list=MANAGE)
 15:49:44 system,error,critical,36352,52024,52056,54650,33376,4738,36352,36352,info,7474 error while running run-after-reset script: input does not match any value of interface
 15:49:44 system,error,critical,36352,52024,52056,54650,33376,4738,36352,36352,info,7474 
 15:49:44 system,info interface list member added by run-after-reset (*8 = /interface list member add interface=wg-all list=MANAGE)
 15:49:44 system,info,account user admin logged in via local

chr-new.redacted.rsc (5.53 KB)
hex-new.redacted.rsc (5.9 KB)
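The "input does not match any value of interface" error above is what RouterOS reports when a script refers to an interface by its default name after an earlier line renamed it, and the "tagging typos" are bridge-port frame-types values that do not exist. This added checker (not from the thread; `lint_rsc` and the sample script are constructed here) folds the backslash line wrapping an export uses and flags both problems before the script is run:

```python
"""Lint a RouterOS .rsc script for references to an interface under its
default name after the script has renamed it, and for invalid bridge-port
frame-types values."""
import re

# The only values RouterOS accepts for /interface bridge port frame-types.
VALID_FRAME_TYPES = {
    "admit-all",
    "admit-only-vlan-tagged",
    "admit-only-untagged-and-priority-tagged",
}

RENAME_RE = re.compile(r"set\s+\[\s*find\s+default-name=(\S+)\s*\]\s+name=(\S+)")
IFACE_REF_RE = re.compile(r"\b(?:interface|tagged|untagged)=([^\s\\]+)")
FRAME_RE = re.compile(r"\bframe-types=(\S+)")


def join_continuations(text):
    """Fold the trailing-backslash line wrapping that /export produces."""
    return re.sub(r"\\\n\s*", "", text)


def lint_rsc(text):
    """Return (line, message) findings; line numbers count folded commands."""
    renamed = {}  # default-name -> new name, in script order
    findings = []
    for lineno, line in enumerate(join_continuations(text).splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RENAME_RE.search(line)
        if m:
            renamed[m.group(1)] = m.group(2)
            continue
        # interface=, tagged= and untagged= may carry comma-separated names
        for m in IFACE_REF_RE.finditer(line):
            for name in m.group(1).split(","):
                if name in renamed:
                    findings.append((lineno, f"'{name}' was renamed to '{renamed[name]}'"))
        m = FRAME_RE.search(line)
        if m and m.group(1) not in VALID_FRAME_TYPES:
            findings.append((lineno, f"invalid frame-types '{m.group(1)}'"))
    return findings


# Constructed fragment modelled on the configs in this thread.
SAMPLE = """\
/interface ethernet
set [ find default-name=ether3 ] name=eth3
set [ find default-name=ether4 ] name=eth4
/interface bridge port
add bridge=onebr frame-types=admit-only-tagged interface=ether3
add bridge=onebr frame-types=admit-only-vlan-tagged interface=eth4
/interface bridge vlan
add bridge=onebr tagged=onebr,ether3,eth4 \\
    vlan-ids=800,900
"""

if __name__ == "__main__":
    for lineno, msg in lint_rsc(SAMPLE):
        print(f"line {lineno}: {msg}")
```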

To be clear are you trying the SAME configuration on both devices for testing purposes??
Yes, you may have errors if you relied on scripts as the config has changed significantly so the rest of the config will have to be modified as required.

(1) Why do you still have the incorrect setting for wireguard allowed IPs…
add allowed-address=0.0.0.0/0 comment=cyberphlinx interface=wg-all private-key="redacted" public-key="redacted"

Should be the /32 address of the client device!!

PLEASE CONFIRM, that what you actually want is to ALSO pass the LAN subnet 192.168.2.0/24 like 1790, to the switches and thus to other users, so that users down the line can also get assigned to the 192.168.2 network of the MAIN WIFI ROUTER??

Assuming I had it wrong all along and you need to pass the MAIN WIFI subnet to other devices behind the managed switches. I have modified the CHR script below.
I also noted my handling of 1790 was not quite right, it needs to be defined as an interface, but no other place…
I also do not see the requirement of having another 192.168.2.XX client on ether1.
It would not be part of the HEX LANs, but would be part of the WIFI ROUTER lan.
NO advantage that I can see.

a. you could be connected directly to the WIFI ROUTER via directly connected switch or its actual ports to manage WIFI router
b. you could be on subnets 800 or 900 and manage WIFI ROUTER ( from behind managed switches)
c. you could be coming in on wireguard and manage WIFI ROUTER. ( coming in on hex ).

If on the other hand, its convenient to be on the main subnet all the time from the hex ( its on your desk ) then perhaps there is some merit.
I would weigh this up and compare it to having the OFF Bridge access to initially configure the router and later on to access it, even if the bridge burps on you.

So I need direction on which way you wish to proceed for this config; I have chosen the harder path of extending the main subnet to one port on the hex for a user and scrapped the off-bridge port.

/interface bridge
add name=onebr comment=onebr vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=eth1-client
set [ find default-name=ether2 ] name=eth2-guest
set [ find default-name=ether3 ] name=eth3-trunk
set [ find default-name=ether4 ] name=eth4-trunk
/interface wireguard
add listen-port=51820 mtu=1420 name=wg-all
/interface wireguard peers
add allowed-address=192.168.253.101/32 comment=carrot interface=wg-all \
    private-key="redacted" public-key=\
    "redacted"
add allowed-address=192.168.253.102/32 comment=cyberphlinx interface=wg-all \
    private-key="redacted" public-key=\
    "redacted"
/interface vlan
add interface=onebr name=WAN-200 vlan-id=200
add interface=onebr name=server800 vlan-id=800
add interface=onebr name=mgmt900 vlan-id=900
add interface=onebr name=guest1790 vlan-id=1790
/interface list
add name=WAN comment="Traffic to client network"
add name=LAN comment="LocalTraffic incl WG"
add name=MANAGE comment="trusted interfaces"
/ip pool
add name=network-mgmt ranges=192.168.9.201-192.168.9.220
add name=network-server ranges=192.168.8.201-192.168.8.220
/ip dhcp-server
add address-pool=network-mgmt interface=mgmt900 lease-time=10m name=\
    mgmt-dhcp
add address-pool=network-server interface=server800 lease-time=10m name=\
    server-dhcp
/interface bridge port
add bridge=onebr ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=eth1-client pvid=200
add bridge=onebr ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=eth2-guest pvid=1790
add bridge=onebr ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=eth3-trunk
add bridge=onebr ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=eth4-trunk
add bridge=onebr ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=200
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/interface bridge vlan
add bridge=onebr tagged=onebr,eth3-trunk,eth4-trunk untagged=eth1-client,ether5 vlan-ids=200
add bridge=onebr tagged=onebr,eth3-trunk,eth4-trunk vlan-ids=800,900
add bridge=onebr tagged=eth3-trunk,eth4-trunk  untagged=eth2-guest  vlan-ids=1790
/interface detect-internet
set lan-interface-list=none
/interface list member
add interface=ether5 list=WAN
add interface=WAN-200 list=WAN
add interface=server800 list=LAN
add interface=mgmt900 list=LAN
add interface=wg-all list=LAN
add interface=mgmt900 list=MANAGE
add interface=wg-all list=MANAGE
/ip address
add address=192.168.8.2/24 comment="server network ip" interface=\
    server800 network=192.168.8.0
add address=192.168.9.2/24 comment="mgmt network ip" interface=mgmt900 \
    network=192.168.9.0
add address=192.168.253.2/24 comment="wireguard network ip" interface=wg-all \
    network=192.168.253.0
add address=192.168.2.2/24 comment="WAN" interface=WAN-200 network=192.168.2.0
/ip dhcp-server network
add address=192.168.8.0/24 comment="server network" dns-server=192.168.8.254 \
    gateway=192.168.8.2
add address=192.168.9.0/24 comment="management network" dns-server=\
    192.168.9.254 gateway=192.168.9.2
/ip dns
set allow-remote-requests=yes servers=192.168.2.1
/ip firewall address-list
add address=192.168.2.126/32 list=Authorized  comment="admin on wifi router network - WIFI - mobile device"
add address=192.168.2.145/32 list=Authorized  comment="admin on wifi router network - ethernet-fixed device"
add address=192.168.253.101/32 list=Authorized  comment="admin device1 remote wireguard"
add address=192.168.253.102/32 list=Authorized  comment="admin device2 remote wireguard"
add address=192.168.9.0/24 list=Authorized  comment="local admin on mngmt network"
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" log=no protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback \
   (for router uses only)" dst-address=127.0.0.1
add action=accept chain=input comment="wg handshake wireguard" dst-port=51820 \
    protocol=udp
add action=accept chain=input comment="allow Admin Access" \
    src-address-list=Authorized
add action=accept chain=input comment="LAN DNS & NTP queries-UDP" \
    dst-port=53,123 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else and put this rule in last"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="local to WAN internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin to all local VLANS" src-address-list=Authorized out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="DROP All Else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1
/ip service
set winbox disabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE

Caveat: access to the HEX (for config or LAN subnets) is limited to the Authorized list!

If you want to reach the HEX From the WIFI main subnet 192.168.2.0, then on winbox put 192.168.2.2:winbox port.
If you want to reach the HEX from wireguard then in winbox or MT app enter 192.168.253.2:winbox port.

If you want to reach VLANs 800,900 from wireguard, then simply put the LAN IP address in the browser after connecting to wireguard.
If you want to reach VLANs 800,900 from the WIFI main subnet, the HEX will permit such traffic, BUT more is required. The WIFI router does not know where to send such traffic.
In other words you would need to set up static routes on the WIFI ROUTER, if you can; otherwise it is not possible.
Something like…
dst-address=vlan800 subnet gateway=192.168.2.2
dst-address=vlan900 subnet gateway=192.168.2.2

If you want to reach the main subnet from VLANs 800,900, simply put the IP address in the browser, 192.168.2.YY; the HEX will know to send this out the WAN, which happens to be gateway 192.168.2.1, and the WIFI router knows where to send this request, it being local.
Since we masquerade outgoing WAN traffic to 192.168.2.2, the WIFI router will send return traffic back to the HEX and the HEX will un-source-NAT that back to the originator of the traffic.
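A worked model of the two checks a road-warrior packet has to pass under the config above, added here as an example and not part of the thread or the poster's config. The subnets, interface lists and forward-chain order are transcribed from the posted config; the client configs, host addresses and the Authorized entries for the two WireGuard admin devices (taken as 192.168.253.101 and .102, full four-octet addresses) are assumptions. It checks client-side cryptokey routing (is the destination inside AllowedIPs at all?) and then walks the posted forward chain for the first packet of a new connection.

```python
"""Added example, not the thread's config: model the two checks a WireGuard
road-warrior packet has to pass before it reaches a host on VLAN 800/900.
1. Client-side cryptokey routing: dst must be inside the peer's AllowedIPs,
   otherwise the client never puts the packet into the tunnel.
2. The hEX forward chain posted above, first packet of a new connection:
   LAN->WAN is accepted, traffic to a LAN interface is accepted only from
   the "Authorized" address list, everything else is dropped.
Subnets, interface lists and rule order come from the posted config; client
configs, host addresses and the Authorized entries are assumptions."""
import ipaddress

IPNet = ipaddress.IPv4Network

# --- client side: constructed wg-quick style configs ----------------------
ALLOWED_FULL = "192.168.253.0/24, 192.168.2.0/24, 192.168.8.0/24, 192.168.9.0/24"
CLIENT_CONF_OK = f"""
[Interface]
Address = 192.168.253.101/24
PrivateKey = <client-private-key>
[Peer]
PublicKey = <hex-public-key>
Endpoint = hex.example.invalid:51820
AllowedIPs = {ALLOWED_FULL}
"""
# Common mistake: only the tunnel subnet is listed, so packets for the VLANs
# follow the client's normal default route instead of entering the tunnel.
CLIENT_CONF_TUNNEL_ONLY = CLIENT_CONF_OK.replace(ALLOWED_FULL, "192.168.253.0/24")


def parse_allowed_ips(conf: str) -> list[IPNet]:
    """Every AllowedIPs entry of the config, as networks."""
    nets: list[IPNet] = []
    for line in conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "AllowedIPs":
            nets += [ipaddress.ip_network(v.strip()) for v in value.split(",") if v.strip()]
    return nets


def enters_tunnel(conf: str, dst: str) -> bool:
    """Cryptokey routing: dst goes to the peer only if an AllowedIPs entry covers it."""
    return any(ipaddress.ip_address(dst) in net for net in parse_allowed_ips(conf))


# --- hEX side, transcribed from /ip address, /ip route, /interface list member
CONNECTED = {
    "server800": IPNet("192.168.8.0/24"),
    "mgmt900": IPNet("192.168.9.0/24"),
    "wg-all": IPNet("192.168.253.0/24"),
    "WAN-200": IPNet("192.168.2.0/24"),
}
DEFAULT_ROUTE_IFACE = "WAN-200"       # 0.0.0.0/0 via 192.168.2.1 on VLAN 200
LAN = {"server800", "mgmt900", "wg-all"}
WAN = {"ether5", "WAN-200"}
# Authorized list; the two WireGuard admin devices are assumed to be .101/.102.
AUTHORIZED = ["192.168.2.126/32", "192.168.2.145/32",
              "192.168.253.101/32", "192.168.253.102/32", "192.168.9.0/24"]


def in_interface(src: str) -> str:
    """Interface a packet from src arrives on (its connected subnet)."""
    ip = ipaddress.ip_address(src)
    return next(name for name, net in CONNECTED.items() if ip in net)


def out_interface(dst: str) -> str:
    """Route lookup: longest matching connected route, else the default route."""
    ip = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, name) for name, net in CONNECTED.items() if ip in net]
    return max(hits)[1] if hits else DEFAULT_ROUTE_IFACE


def forward_chain(src: str, dst: str, authorized: list[str],
                  drop_invalid_has_matcher: bool = True) -> str:
    """Walk the posted forward chain for a new connection's first packet; return
    '<action>: <rule comment>'.  established/related, fasttrack and the
    ipsec-policy rules cannot match a first packet and are left out."""
    pkt = {"src": ipaddress.ip_address(src), "in": in_interface(src),
           "out": out_interface(dst), "state": "new", "dstnat": False}
    auth = [ipaddress.ip_network(a) for a in authorized]
    rules = [
        # As posted, "defconf: drop invalid" carries no connection-state matcher,
        # so it matches every packet; the default config means connection-state=invalid.
        ("defconf: drop invalid", "drop",
         lambda p: p["state"] == "invalid" if drop_invalid_has_matcher else True),
        ("local to WAN internet", "accept", lambda p: p["in"] in LAN and p["out"] in WAN),
        ("admin to all local VLANS", "accept",
         lambda p: any(p["src"] in n for n in auth) and p["out"] in LAN),
        ("port forwarding", "accept", lambda p: p["dstnat"]),   # no dstnat rules posted
        ("DROP All Else", "drop", lambda p: True),
    ]
    for comment, action, matches in rules:
        if matches(pkt):
            return f"{action}: {comment}"
    raise AssertionError("unreachable: the chain ends in a catch-all drop")


def reachable(conf: str, src: str, dst: str, authorized: list[str] = AUTHORIZED,
              drop_invalid_has_matcher: bool = True) -> tuple[bool, str]:
    """(reachable?, reason) for a new connection from the peer at src to dst."""
    if not enters_tunnel(conf, dst):
        return False, f"client: {dst} not in AllowedIPs, packet never enters the tunnel"
    verdict = forward_chain(src, dst, authorized, drop_invalid_has_matcher)
    return verdict.startswith("accept"), verdict
```

Try `reachable(CLIENT_CONF_OK, "192.168.253.101", "192.168.8.10")` against `reachable(CLIENT_CONF_OK, "192.168.253.100", "192.168.8.10")`: the authorized peer is accepted by "admin to all local VLANS", the unlisted one falls through to "DROP All Else". Two things worth noticing: a peer whose AllowedIPs only lists the tunnel subnet fails before the hEX ever sees the packet, and because wg-all is a member of the LAN list, any peer at all reaches the 192.168.2.0/24 side (and the internet) through "local to WAN internet", Authorized or not. Passing `drop_invalid_has_matcher=False` shows what the "defconf: drop invalid" line does as posted, without `connection-state=invalid`: it drops every new connection.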

First off: Thanks a lot for all the patience and the help so far. I have decided that I need to get a basic 1 vlan config working to fully understand what is happening there before moving on to the routing and the other advanced stuff. For my steps so far see below (very long post…).

Not the same, as VirtualBox only allows 4 NICs total, but I intend it to be as similar as possible.

For now I have created startup configs like the one below that only do the naming and setup of the config interfaces so I can always start the remaining config from scratch after a /system/reset-configuration no-defaults=yes skip-backup=yes keep-users=yes run-after-reset=chr_hex-startup.rsc

/interface ethernet
set [ find default-name=ether1 ] name=client
set [ find default-name=ether2 ] name=configaccess
set [ find default-name=ether3 ] name=trunk
/ip address add address=192.168.55.2/29 comment="offbridge config for hex" interface=configaccess network=192.168.55.0
/system identity
set name=Hex

Correct.

I am now trying to get a minimal viable example working with 3 CHR instances on VirtualBox (3 NICs each, with ether2 always being the configaccess; all client/trunk NICs set to allow promiscuous mode) with internal networks that mimic the cables at home connecting my internet router, the hex and a switch. From there I am now going step by step.
CHR-Setup.png
configaccess network is HostOnly with no routing.
chr-client, chr-trunk, switch-client are the internal networks between the CHR instances as shown in the attached diagram.

First I set up a CHR as a simple router with the following config and confirmed it was working with an ubuntu test vm directly attached to that network (chr-client). DHCP and Internet access working fine.

/interface ethernet
set [ find default-name=ether3 ] name=client
set [ find default-name=ether2 ] name=configaccess
set [ find default-name=ether1 ] name=wan
/ip address
add address=192.168.55.1/29 comment="config access" interface=configaccess \
    network=192.168.55.0
/ip pool
add name=network-client ranges=192.168.2.201-192.168.2.220
/ip address
add address=192.168.2.1/24 interface=client network=192.168.2.0
/ip dhcp-client
add interface=wan
/ip dhcp-server
add address-pool=network-client interface=client lease-time=10m name=client-dhcp
/ip dhcp-server network
add address=192.168.2.0/24 comment="client network" dns-server=\
    192.168.2.1 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wan src-address=\
    192.168.2.0/24
/system identity
set name=InternetRouter

Second step was getting the connectivity working with the hex and the switch simply acting as bridges with the following config, same result as before, so the basic bridging works:

/interface bridge
add comment=onebr name=onebr
/interface ethernet
set [ find default-name=ether1 ] name=client
set [ find default-name=ether2 ] name=configaccess
set [ find default-name=ether3 ] name=trunk
/interface bridge port
add bridge=onebr ingress-filtering=no interface=trunk
add bridge=onebr ingress-filtering=no interface=client
/ip address
add address=192.168.55.2/29 comment="offbridge access" interface=configaccess network=192.168.55.0
add address=192.168.2.2/24 comment="client link" interface=client network=192.168.2.0
/ip firewall address-list
add address=192.168.55.5 comment="hex off bridge access" list=Authorized
/system identity
set name=HexAsSwitch
/system note
set show-at-login=no

That was successful, so then I moved on to a very simple setup as shown in the with just the vlan200 tagged at the hex and switch sides to verify that the vlan setup was working, but that failed. Configs were as follows for Switch (Hex acting as switch #commented out):

/interface ethernet
set [ find default-name=ether1 ] name=client
set [ find default-name=ether2 ] name=configaccess
set [ find default-name=ether3 ] name=trunk
/ip address add address=192.168.55.3/29 comment="offbridge switch" interface=configaccess network=192.168.55.0
# /ip address add address=192.168.55.2/29 comment="offbridge hex" interface=configaccess network=192.168.55.0
/system identity
set name=Switch
# set name=HexAsSwitch
/interface bridge
add name=onebr comment=onebr vlan-filtering=yes
/interface vlan
add interface=onebr name=client200 vlan-id=200
/ip address
add address=192.168.2.3/24 comment="client link" interface=client200 network=192.168.2.0
# add address=192.168.2.2/24 comment="client link" interface=client200 network=192.168.2.0
/interface bridge port
add bridge=onebr ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=trunk
add bridge=onebr ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=client pvid=200
/interface bridge vlan
add bridge=onebr tagged=trunk vlan-ids=200
add bridge=onebr untagged=client vlan-ids=200

Not sure why you are continuing with the off-bridge setup?
You don't have enough ports (with 5 on the hex): you need 1 for the client on the main WIFI router subnet, 2 for 1790, 3 and 4 for the switches, and 5 from the WIFI router???

In terms of vlans, read this.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

The WiFi router has additional ports for client subnet access if needed, so I need 4 ports: 2 access ports to tag the incoming traffic from the client and guest LANs and 2 trunk ports, leaving one free for the off-bridge access.

After removing the “/interface vlan” part from my config to match the simple access/trunk example, the VLANs are now working, confirmed with the Ubuntu VM attached to the trunk with a VLAN subinterface :smiley:.

Will try to add more vlans and SRC-NAT stuff bit by bit until the one bridge setup is equivalent to my convoluted multi-bridge setup so that it can be replaced. If I run into trouble I’ll open a new topic with specific information. But I hope that with the things I have learned from you I will be able to solve this on my own now!

Thanks again!

EDIT: Quick update: Not sure why removing the “/interface vlan” did the trick, probably just some coincidence as I added them now to get management IPs on the 900 vlan and everything still works…