I’m new to MikroTik and still reading through the manuals. I have an RB5009 router where the SFP+ port is my WAN connection and all other ethernet connections are bridged. I set up my initial router configuration using the guide on the MikroTik website. Once connected, I followed the WireGuard setup from the MikroTik website for a road-warrior setup. My log file shows the client connection. The client shows the “Latest handshake” renewing almost every minute.
I am unable to access the internet, access the WebFig page, ping a website, or ping any devices on the local network. I’ve included my router config and client configuration as well. My initial thoughts lead me to a firewall and/or NAT configuration error. FYI, the MikroTik guide for initial configuration enabled ICMP on the WAN and other services which I did not want to keep open. Any assistance would be appreciated.
Note: I removed serial number, changed MAC info on devices in the DHCP lease, and removed public/private keys.
Router Config:
# 2024-01-11 16:07:32 by RouterOS 7.13
# software id =
#
# model = RB5009UPr+S+
# serial number =
/interface bridge
add name=local
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=WAN
add name=LAN
add name=listBridge
/ip pool
add name=dhcp ranges=192.168.0.100-192.168.0.254
add name=dhcp_pool1 ranges=192.168.0.100-192.168.0.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=local lease-time=1d name=dhcp1
/interface bridge port
add bridge=local interface=ether1
add bridge=local interface=ether2
add bridge=local interface=ether3
add bridge=local interface=ether4
add bridge=local interface=ether5
add bridge=local interface=ether6
add bridge=local interface=ether7
add bridge=local interface=ether8
/ip neighbor discovery-settings
set discover-interface-list=listBridge
/interface list member
add interface=sfp-sfpplus1 list=WAN
add interface=local list=listBridge
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard1 public-key=\
"MY KEY0="
/ip address
add address=192.168.0.1/24 interface=local network=192.168.0.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface=sfp-sfpplus1
/ip dhcp-server lease
add address=192.168.0.197 client-id=1:00:00:71:00:00:00 mac-address=\
50:EB:71:11:AB:7F server=dhcp1
add address=192.168.0.239 mac-address=74:C6:3B:00:00:00 server=dhcp1
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
add address=192.168.0.0/24 dns-server=198.168.0.1,8.8.8.8 gateway=192.168.0.1
/ip firewall filter
add action=accept chain=input comment="accept established,related" \
connection-state=established,related
add action=accept chain=input comment="allow WireGuard" dst-port=13231 log=\
yes protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" log=yes \
src-address=192.168.100.0/24
add action=drop chain=input connection-state=invalid
add action=drop chain=input comment="drop everything else" in-interface=\
sfp-sfpplus1 log-prefix=drop
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/24
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.0.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/Chicago
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
/user settings
set minimum-password-length=8
WireGuard client configuration:
[Interface]
PrivateKey = XXXXXXXXXXXX
Address=192.168.100.2/32
DNS=8.8.8.8
[Peer]
PublicKey=KEY FROM WIREGUARD SERVER
AllowedIPs=0.0.0.0/0
Endpoint=myddns:13231
TO:
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
Your firewall rules are LACKING. Does this router connect directly to the internet (aka you get a public IP), or are you forwarding the WG port from an upstream router?
WWW IP service should be DISABLED; it’s not a secure access method and is a security risk.
mac-server by itself is also not a secure access method and should be set to NONE.
CLIENT
Don’t see persistent keepalive set??? But from the text above, it appears there must be one…
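The three changes this reply asks for (www disabled, mac-server set to none, a keepalive on the tunnel), written out as RouterOS 7 commands against the posted export. This is an added example, not code from the original post or from the replier; it assumes the interface, list and peer names from the export (`wireguard1`, `listBridge`, the peer whose key was redacted as `MY KEY0=`), and the choice to keep WinBox reachable from the LAN and the WireGuard subnet is taken from the poster's stated requirement, not from this reply.

```routeros
# Added example (not from the original post): service hardening on RouterOS 7.x.
# Assumes the names from the posted export: wireguard1, listBridge, peer key "MY KEY0=".

# 1. Management services. www is plain HTTP (credentials and session in clear text),
#    so disable it; keep WinBox but restrict it to the LAN and the WireGuard subnet.
/ip service
set www disabled=yes
set www-ssl disabled=yes
set winbox address=192.168.0.0/24,192.168.100.0/24

# 2. MAC-level access (mac-telnet and mac-winbox) works without any IP address and
#    bypasses the /ip service address restrictions, so allow it on no interface.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none

# 3. Keepalive on the router's side of the tunnel: an empty packet every 25 s keeps
#    the NAT/state entries on the path alive. Peer selected by its public key.
/interface wireguard peers
set [ find public-key="MY KEY0=" ] persistent-keepalive=25s
```

The client-side equivalent is a `PersistentKeepalive = 25` line in the `[Peer]` section of the client config; it is normally the side behind NAT (the road-warrior) that needs it, and the two settings are independent. Apply the `/ip service` and `mac-server` lines from a session you can still reach afterwards (or in Safe Mode) so a mistake does not lock you out.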
My RB5009 SFP+ is configured as a WAN interface and connects directly to my ISP modem. The ‘address acquisition’ is set to automatic. Could you help clarify what other settings are recommended? My SFP+ port is configured for the WAN access to my ISP and all other ports are bridged for a local LAN. At this time, I only want to allow WireGuard connections for roadwarriors. Roadwarriors would route all traffic through Wireguard and have access to internet and all LAN devices. Access to the router web configuration or winbox to be limited to users on the local lan or remote users using Wireguard. I’ll work on creating VLANs in the future to separate IOT devices but once I better educate myself.
With the configuration file allowing 192.168.0.0/24, which is the local LAN, how would this be a security risk? Could you clarify or provide a recommendation?
I started off using winbox for my initial configuration. I may need to turn this off as I need to better understand what this is for. My initial assumption was to allow access for winbox on the local lan which is why I set the allowed interface list to ‘listBridge’ which are my bridged lan ports.
The client file does not have a PersistentKeepalive entry. I need to read up on this option and educate myself. Is this a setting for both the RB5009 and client file?
Can the DHCP network with 0.0.0.0 be removed without impacting connectivity to the clients? What does a DHCP network of 0.0.0.0 actually mean or do? I will remove the unused DHCP pool. I restarted some configurations when I received the router and may have forgotten to remove the previous settings. Thanks for the catch.
It can be removed. In theory, it shouldn’t be used.
e.g., the DHCP “networks” are where the DHCP server gets the various parameters, and it’s perfectly allowed to have multiple ones. Since you have a /24 network defined, that’s what should be used, since the DHCP server should use the most specific subnet in its selection AFAIK (so /24 is a smaller number of addresses than the entire internet /0). But safer to just remove it, since 0.0.0.0/0 is completely wrong as a DHCP network.
What you should note is that everyone on the LAN has access to the input chain.
For you that is fine, but later you should only allow admins full access to the router; everyone else actually only needs access to router services, typically only DNS.
So what we do is make a firewall address list of admin IPs: static set on DHCP leases, and whichever WireGuard road-warriors should have permissions (some may only need LAN access or internet access, and for those you will need to make that clear in requirements/planning and adjust forward chain firewall rules accordingly).
These are great points! I’ve always understood that anyone on the LAN has access to the router, but getting familiar with the MikroTik router and reading your statement, I realize how this can be a security risk. If I had an IoT device on my LAN that was compromised, it could provide access to the router. I also did not realize that DNS was considered a service. Is it recommended to use the router as a DNS or a public one such as 8.8.8.8 or others out there? Are there pros and cons to using the router as the DNS vs a public one? I will make these changes to tighten control on which devices have access.
Thank you for the recommended firewall settings. Can you confirm input chains are processed separately from the forward chain, meaning I can have the forward chain listed before the input chain, OR is there a hierarchy in the firewall? I believe the firewall rules for each chain are processed top to bottom, meaning the most restrictive filter should be set last for a chain. For the input chain to accept ICMP, I believe this allows for ping requests to the router WAN interface. I planned to remove this as I do not want the router to respond to ping requests from the internet. If I had multiple routers connected to each other, I could see ICMP being enabled. Any reason why I should keep it?
I plan to work on the router configuration this weekend.
1. Organization of FW rules by chain is personal preference, much easier to read and spot errors.
2. Order of rules within a chain is CRITICAL.
3. No issues, safe to use the DNS service of the router, that is what it is there for. I often include, in the input chain, an interface LAN rule for NTP but also add a source-address-list of devices that require NTP… as the whole LAN does not.
Remember the default setup is a single user on a single PC on a flat subnet, ether1 wan ether2-5 LAN. This default setup is good to go.
Once you deviate from that, things need to be modified, as you add subnets, users, devices etc…
Rule order (yes, very important) as per the defaults is good to go. Yes, the admin-added rules, after the default ones one should keep, should be considered in terms of what rule will get tripped the most at the top, and the least at the bottom, and the last rule DROP ALL ELSE.
ICMP default is accept, period, from both LAN and WAN, and is a useful tool and needed in some cases. Messing with it may cause issues and prevent troubleshooting issues down the line; leaving it as is poses no problems.
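The firewall shape described in this reply and in the earlier one about the admin address list (admins get full access to the router, everyone else on the LAN and the tunnel only DNS, NTP only for a source list, each chain ordered from most-hit to least-hit and ending in a drop, ICMP left accepted, road-warriors allowed to both the LAN and the internet), written out as a RouterOS 7 script that replaces the posted `/ip firewall filter` section. This is an added example, not the poster's or either replier's code. The interface and list names (`local`, `wireguard1`, `listBridge`, `WAN`), the subnets, the WireGuard port and the two addresses in the `admins` list come from the posted export; the `fasttrack` rule, the `ntp-clients` list and the DHCP rule are my assumptions.

```routeros
# Added example (not from the original posts): input and forward chains for the
# posted setup. Assumes interface lists WAN and listBridge, bridge "local", tunnel
# "wireguard1" and the 192.168.0.0/24 (LAN) / 192.168.100.0/24 (WireGuard) subnets.

# Admin address list: the static DHCP lease from the export plus the road-warrior.
# The ntp-clients list is an assumed example of the "source-address-list for NTP" idea.
/ip firewall address-list
add list=admins address=192.168.0.197 comment="admin PC (static lease)"
add list=admins address=192.168.100.2 comment="road-warrior laptop"
add list=ntp-clients address=192.168.0.197 comment="devices allowed to use router NTP"

/ip firewall filter
# --- input: packets addressed to the router itself, most-hit rules first ---
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP (keep for troubleshooting)"
add chain=input action=accept protocol=udp dst-port=13231 in-interface-list=WAN \
    comment="WireGuard handshake/data from the internet"
add chain=input action=accept src-address-list=admins \
    comment="admins: full access to router services (WinBox, DNS, ...)"
add chain=input action=accept in-interface-list=listBridge protocol=udp dst-port=53 \
    comment="LAN clients: DNS only"
add chain=input action=accept in-interface-list=listBridge protocol=tcp dst-port=53 \
    comment="LAN clients: DNS over TCP"
add chain=input action=accept in-interface-list=listBridge protocol=udp dst-port=67 \
    comment="LAN clients: DHCP requests (assumed; keeps leases working)"
add chain=input action=accept in-interface=wireguard1 protocol=udp dst-port=53 \
    comment="road-warriors: DNS only"
add chain=input action=accept src-address-list=ntp-clients protocol=udp dst-port=123 \
    comment="NTP only for listed devices (needs the router NTP server enabled)"
add chain=input action=drop comment="drop everything else"

# --- forward: packets passing through the router ---
add chain=forward action=fasttrack-connection connection-state=established,related \
    hw-offload=yes comment="fasttrack established,related (assumed, as in defconf)"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface-list=listBridge out-interface-list=WAN \
    comment="LAN -> internet"
add chain=forward action=accept in-interface=wireguard1 out-interface-list=WAN \
    comment="road-warriors -> internet"
add chain=forward action=accept in-interface=wireguard1 out-interface=local \
    comment="road-warriors -> LAN devices"
add chain=forward action=drop comment="drop everything else (no inbound from WAN)"

# NAT: only traffic leaving towards the ISP is masqueraded; WireGuard-to-LAN
# traffic keeps its 192.168.100.x source, and LAN hosts reply via their gateway.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="masquerade to internet"
```

Rules are evaluated top to bottom within each chain and the chains are independent of each other, so the blank line between input and forward is only for readability. Because the final input rule now drops traffic from every interface (the posted one only dropped on `sfp-sfpplus1`), enter it last and from a session whose source address is in the `admins` list, or use Safe Mode, so you are not locked out if an address is wrong.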