Wireguard routing

Hello, I have a setup very similar to the help article below:
https://help.mikrotik.com/docs/spaces/ROS/pages/69664792/WireGuard#WireGuard-SitetoSiteWireGuardtunnel

So I have two sites with a public IP address connected through a WireGuard site-to-site tunnel. Connectivity between both works perfectly.
Now I would like to try to route all the public internet traffic of a specific host through the tunnel. E.g. workstation 1 can still reach workstation 2 as it’s in the same subnet. But when workstation 1 goes to a public website it is via the public IP of Office 2 instead of Office 1.
How should I set this up?
So far I tried with a routing rule:
Source: your IP you want to route out over VPN
Action lookup, Table vpn-only
But I get an ERR_ADDRESS_UNREACHABLE in Chrome when accessing public websites. When accessing things in the subnet of the other site I get a perfect response. How could I debug what’s going wrong?

hello :waving_hand:

How could I debug what’s going wrong?

how about:

  1. Check the default route on the computer and the router. There should be 2 default route entries. Make your tunnel gateway route have a lower metric so that the request will use the tunnel.

  2. Ping and traceroute to the website. This should show you which route the request takes to reach the website. Make some adjustments or corrections accordingly.

  3. Good luck :+1:

Please post the config at both ends.
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys etc.)

So for the host where I am trying to route all the traffic through the VPN tunnel I am observing the following traceroute when the routing rule is enabled:

traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  router.local.lan (192.168.88.1)  0.125 ms  0.084 ms  0.110 ms
 2  router.local.lan (192.168.88.1)  0.140 ms !H  0.118 ms !H  0.121 ms !H

When the rule is disabled and it uses the main routing table I get:

traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  router.local.lan (192.168.88.1)  0.120 ms  0.127 ms  0.103 ms
 2  ***.infra.isp.net (public ip)  4.489 ms  4.467 ms  4.445 ms
 3 ...

So from the above traceroute I assume there is a routing problem on the first router the requests pass through?

Below you can see an export of my router configuration (I removed sensitive information and some irrelevant parts):

# 2024-11-23 11:16:34 by RouterOS 7.16
# software id = SDHK-0LAC
#
# model = RB4011iGS+
# serial number = ***


/interface bridge
add admin-mac=*** auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
set [ find default-name=ether10 ] poe-out=off
/interface wireguard
add comment=wireguard-vpn listen-port=13231 mtu=1420 name=\
    wireguard-vpn


/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/ip pool
add name=dhcp ranges=192.168.88.150-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf


/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
set *0 bridge=bridge dns-server=192.168.88.100,192.168.88.1 local-address=\
    192.168.90.1 remote-address=ike2-pool use-encryption=yes
add comment=isp name=isp
/interface pppoe-client
add add-default-route=yes comment=isp disabled=no interface=vlan10 name=\
    pppoe-wan profile=edpnet user=***
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add comment="Via VPN" disabled=no fib name=via-vpn

/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1 \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=pppoe-wan list=WAN
add interface=wireguard-vpn list=LAN
add interface=wireguard-vpn list=LAN

/interface wireguard peers
add allowed-address=192.168.33.0/24,192.168.35.0/24 comment=\
    wireguard-vpn endpoint-address=site B public ip endpoint-port=13231 \
    interface=wireguard-vpn name=peer1 persistent-keepalive=30s \
    preshared-key="***=" public-key=\
    "***="

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.255.255.1/30 interface=wireguard-vpn network=\
    10.255.255.0
add address=192.168.89.1/24 comment=guest interface=guest network=\
    192.168.89.0

/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf interface=ether1

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=\
    192.168.88.104,192.168.88.1 gateway=192.168.88.1
add address=192.168.89.0/24 comment=guest dns-server=8.8.8.8,8.8.4.4 \
    gateway=192.168.89.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1

/ip firewall address-list
add address=192.168.88.0/24 list=secure-lan
add address=192.168.90.0/24 list=secure-lan
add address=192.168.33.0/24 list=secure-lan
add address=192.168.35.0/24 list=secure-lan
add address=10.255.255.0/30 list=secure-lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=wireguard dst-port=13231 protocol=udp \
    src-address=192.168.33.1
add action=accept chain=forward comment=wireguard dst-address-list=secure-lan \
    src-address-list=secure-lan
add action=accept chain=forward comment=wireguard dst-address-list=secure-lan
add action=accept chain=input comment=wireguard-vpn src-address=\
    192.168.90.0/24
add action=accept chain=input comment=wireguard-vpn dst-port=13232 protocol=\
    udp
add action=accept chain=input comment="Allow L2PT / IPSec VPN access" \
    disabled=yes dst-port=500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input disabled=yes in-interface-list=WAN protocol=\
    ipsec-esp
add action=accept chain=input disabled=yes in-interface-list=WAN protocol=\
    ipsec-ah
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow all trusted networks" \
    src-address-list=secure-lan
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=guest dst-address=192.168.89.0/24 \
    src-address=192.168.0.0/16
add action=drop chain=forward comment=guest dst-address=192.168.0.0/16 \
    src-address=192.168.89.0/24
/ip firewall mangle
add action=change-mss chain=forward comment="Force VPN" new-mss=\
    clamp-to-pmtu out-interface=wireguard-vpn passthrough=no \
    protocol=tcp src-address=192.168.88.231 tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

/ip route
add dst-address=192.168.33.0/24 gateway=wireguard-vpn
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    wireguard-vpn routing-table=via-vpn suppress-hw-offload=\
    no
/ip service
set www address=192.168.88.0/24
set www-ssl address=192.168.88.0/24,192.168.33.0/24 certificate=\
    letsencrypt-cert-2024-11-02-16:44:45 disabled=no tls-version=only-1.2
set api disabled=yes
set api-ssl address=192.168.88.100/32,192.168.88.253/32,192.168.88.102/32 \
    certificate=letsencrypt-cert-2024-11-02-16:44:45 tls-version=only-1.2
/ip smb shares
set [ find default=yes ] directory=/pub
/routing rule
add action=lookup comment="Force VPN" disabled=no src-address=\
    192.168.88.20 table=via-vpn
/system clock
set time-zone-name=Europe/Brussels
/system identity
set name="MikroTik Site A"
/system logging
add action=echo topics=ipsec,l2tp,!packet
/system note
set show-at-login=no
/system resource irq rps
set sfp-sfpplus1 disabled=no
/system routerboard settings
set auto-upgrade=yes

/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=wireguard-vpn

I asked for the config at both ends?
Which router is supposed to be the server for the WireGuard handshake??
Missing the WireGuard address in allowed addresses (what it should be depends upon whether it is server or client for the handshake).

Why do you limit WG to /30? At least make it /29 so you can, as admin, remotely connect to both routers via WireGuard (from laptop, smartphone etc., wherever).

 1  router.local.lan (192.168.88.1)  0.125 ms  0.084 ms  0.110 ms
 2  router.local.lan (192.168.88.1)  0.140 ms !H  0.118 ms !H  0.121 ms !H

That showed correct behavior for the IP rule to flow through the tunnel, except that either:

  1. you don’t have a gateway installed for the tunnel (to the remote router).
  2. you don’t have a bidirectional route between the local router and the remote router (for communication inside the tunnel).
  3. make sure you create additional src-nat rules for the local router subnets to go to the internet.

do some checks :check_mark:

while this result shows it going directly to the internet via the local router's main table…

 1  router.local.lan (192.168.88.1)  0.120 ms  0.127 ms  0.103 ms
 2  ***.infra.isp.net (public ip)  4.489 ms  4.467 ms  4.445 ms
 3 ...

OK, thank you already so much for taking the effort to help me.

Below are my latest configurations (I cleaned the export a bit and took into account the remarks from the previous comment):
Site A:

# 2024-11-23 14:55:16 by RouterOS 7.16.1
# software id = SDHK-0LAC
#
# model = RB4011iGS+
# serial number = ***
/interface bridge
add admin-mac=*** auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
set [ find default-name=ether10 ] poe-out=off
/interface wireguard
add comment=wireguard-site-b listen-port=13231 mtu=1420 name=\
    wireguard-site-b
add listen-port=13232 mtu=1420 name=wireguard-vpn
/interface vlan
add comment=site-a-guest interface=bridge name=site-a-guest vlan-id=89
add comment=edpnet interface=ether1 name=vlan10 vlan-id=10
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=\
    datapath1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless channels
add band=2ghz-b/g/n frequency=2412 list=test name=ch1 width=20
add band=2ghz-b/g/n frequency=2437 list=test name=ch6 width=20
add band=2ghz-b/g/n frequency=2462 list=test name=ch11 width=20
add band=5ghz-a/n/ac frequency=5250 list=test name=ch50 width=40
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
set *0 bridge=bridge dns-server=192.168.88.100,192.168.88.1 local-address=\
    192.168.90.1 remote-address=ike2-pool use-encryption=yes
add comment=edpnet name=edpnet
/interface pppoe-client
add add-default-route=yes comment=edpnet disabled=no interface=vlan10 name=\
    pppoe-wan profile=edpnet user=***
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add comment="Via Site B" disabled=no fib name=via-site-b
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1 \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=pppoe-wan list=WAN
add interface=wireguard-vpn list=LAN
add interface=wireguard-site-b list=LAN
/interface ovpn-server server
set auth=sha1,md5 certificate=*10
/interface wireguard peers
add allowed-address="192.168.33.0/24,192.168.35.0/24,10.255.255.0/24,192.168.8\
    8.0/24,192.168.90.0/24" comment=wireguard-site-b endpoint-address=\
    public IP site B endpoint-port=13231 interface=wireguard-site-b name=\
    peer1 persistent-keepalive=30s preshared-key=\
    "***" public-key=\
    "***"
add allowed-address=192.168.90.2/32 comment=road-warior-site-a interface=\
    wireguard-vpn name=peer2 preshared-key=\
    "***" public-key=\
    "***"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.255.255.1/30 interface=wireguard-site-b network=\
    10.255.255.0
add address=192.168.89.1/24 comment=site-a-guest interface=site-a-guest network=\
    192.168.89.0
add address=192.168.90.1/24 comment=site-a-vpn interface=wireguard-vpn network=\
    192.168.90.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=\
    192.168.88.104,192.168.88.1 gateway=192.168.88.1
add address=192.168.89.0/24 comment=site-a-guest dns-server=8.8.8.8,8.8.4.4 \
    gateway=192.168.89.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1
/ip firewall address-list
add address=192.168.88.0/24 list=secure-lan
add address=192.168.90.0/24 list=secure-lan
add address=192.168.33.0/24 list=secure-lan
add address=192.168.35.0/24 list=secure-lan
add address=10.255.255.0/24 list=secure-lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=wireguard dst-port=13231 protocol=udp \
    src-address=192.168.33.1
add action=accept chain=forward comment=wireguard dst-address-list=secure-lan \
    src-address-list=secure-lan
add action=accept chain=forward comment=wireguard dst-address-list=secure-lan
add action=accept chain=input comment=wireguard-vpn src-address=\
    192.168.90.0/24
add action=accept chain=input comment=wireguard-vpn dst-port=13232 protocol=\
    udp
add action=accept chain=input disabled=yes in-interface-list=WAN protocol=\
    ipsec-esp
add action=accept chain=input disabled=yes in-interface-list=WAN protocol=\
    ipsec-ah
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow all trusted networks" \
    src-address-list=secure-lan
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=site-a-guest dst-address=192.168.89.0/24 \
    src-address=192.168.0.0/16
add action=drop chain=forward comment=site-a-guest dst-address=192.168.0.0/16 \
    src-address=192.168.89.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add dst-address=192.168.33.0/24 gateway=wireguard-site-b
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    wireguard-site-b routing-table=via-site-b suppress-hw-offload=\
    no
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=bridge \
    routing-table=via-site-b suppress-hw-offload=no
/ip service
set www address=192.168.88.0/24
set www-ssl address=\
    192.168.88.0/24,192.168.33.0/24,192.168.90.0/24,192.168.35.0/24 \
    certificate=letsencrypt-cert-2024-11-02-16:44:45 disabled=no tls-version=\
    only-1.2
set api disabled=yes
set api-ssl address=192.168.88.100/32,192.168.88.253/32,192.168.88.102/32 \
    certificate=letsencrypt-cert-2024-11-02-16:44:45 tls-version=only-1.2
/ip smb shares
set [ find default=yes ] directory=/pub
/routing rule
add action=lookup comment="Force Site B" disabled=no src-address=\
    192.168.88.231 table=via-site-b
/system clock
set time-zone-name=Europe/Brussels
/system identity
set name="MikroTik Site A"
/system logging
add action=echo topics=ipsec,l2tp,!packet
/system note
set show-at-login=no
/system resource irq rps
set sfp-sfpplus1 disabled=no
/system routerboard settings
# Firmware upgraded successfully, please reboot for changes to take effect!
set auto-upgrade=yes
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=wireguard-vpn

Site B:

# 2024-11-23 14:56:07 by RouterOS 7.15
# software id = K7VY-RVUN
#
# model = RB5009UG+S+
# serial number = ***
/interface bridge
add admin-mac=*** auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface wireguard
add comment=wireguard listen-port=13231 mtu=1420 name=wireguard
add listen-port=13232 mtu=1420 name=wireguard-vpn
/interface vlan
add comment=site-b-Guest interface=bridge name=site-b-guest vlan-id=101
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp ranges=192.168.33.110-192.168.33.254
add comment=site-b-Guest name=site-b-guest ranges=192.168.34.100-192.168.34.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
add address-pool=site-b-guest comment=site-b-Guest interface=site-b-guest lease-time=\
    10m name=site-b-guest
/ip smb users
set [ find default=yes ] disabled=yes
/ppp profile
set *0 bridge=bridge dns-server=192.168.33.100,192.168.33.1 local-address=\
    192.168.35.1 remote-address=l2tp-pool use-encryption=yes
/routing ospf instance
add disabled=no name=default-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge disabled=yes interface=ether1
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge vlan-ids=1-4094
/interface l2tp-server server
set authentication=mschap2 default-profile=default enabled=yes use-ipsec=\
    required
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=wireguard list=LAN
add interface=bridge list=LAN
add interface=wireguard-vpn list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address="192.168.88.0/24,192.168.90.0/24,10.255.255.0/24,192.168.3\
    3.0/24,192.168.35.0/24" comment=wireguard endpoint-address=\
    213.219.163.102 endpoint-port=13231 interface=wireguard name=peer7 \
    persistent-keepalive=30s preshared-key=\
    "***" public-key=\
    "***"
add allowed-address=192.168.35.2/32 comment=road-warior interface=\
    wireguard-vpn name=peer8 preshared-key=\
    "***" public-key=\
    "***"
/ip address
add address=192.168.33.1/24 comment=defconf interface=bridge network=\
    192.168.33.0
add address=10.255.255.2/30 comment=wireguard interface=wireguard network=\
    10.255.255.0
add address=192.168.34.1/24 comment=site-b-Guest interface=site-b-guest network=\
    192.168.34.0
add address=192.168.35.1/24 comment=site-b-vpn interface=wireguard-vpn network=\
    192.168.35.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf interface=bridge
add interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.33.0/24 comment=defconf dns-server=\
    192.168.33.104,192.168.33.1 gateway=192.168.33.1 netmask=24
add address=192.168.34.0/24 comment=site-b-Guest dns-server=8.8.8.8,8.8.4.4 \
    gateway=192.168.34.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1
/ip firewall address-list
add address=192.168.88.0/24 list=lan-secure
add address=192.168.90.0/24 list=lan-secure
add address=192.168.33.0/24 list=lan-secure
add address=192.168.35.0/24 list=lan-secure
add address=10.255.255.0/24 list=lan-secure
/ip firewall filter
add action=accept chain=forward disabled=yes dst-port=53 protocol=udp \
    src-address=192.168.33.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=wireguard dst-port=13231 protocol=udp \
    src-address=192.168.88.1
add action=accept chain=forward comment=wireguard dst-address-list=\
    lan-secure src-address-list=lan-secure
add action=accept chain=forward comment=wireguard dst-address-list=\
    lan-secure
add action=accept chain=input comment=wireguard-vpn src-address=\
    192.168.35.0/24
add action=accept chain=input comment=wireguard-vpn dst-port=13232 protocol=\
    udp
add action=accept chain=input comment="Allow L2TP / IPSec VPN access" \
    disabled=yes dst-port=500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input disabled=yes in-interface-list=WAN protocol=\
    ipsec-esp
add action=accept chain=input disabled=yes in-interface-list=WAN protocol=\
    ipsec-ah
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow all trusted networks" \
    src-address-list=lan-secure
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes log-prefix="DROP NOT LAN"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=site-b-Guest dst-address=192.168.34.0/24 \
    log-prefix=site-b-GUEST src-address=192.168.0.0/16
add action=drop chain=forward comment=site-b-Guest dst-address=192.168.0.0/16 \
    src-address=192.168.34.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Force internal DNS" disabled=yes \
    dst-port=53 in-interface-list=LAN protocol=udp to-addresses=\
    192.168.33.100 to-ports=53
add action=dst-nat chain=dstnat comment="Force internal DNS" disabled=yes \
    dst-port=53 in-interface-list=LAN protocol=tcp to-addresses=\
    192.168.33.100 to-ports=53
/ip ipsec identity
add generate-policy=port-override peer=vpn
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip route
add comment=wireguard disabled=no distance=1 dst-address=192.168.88.0/24 \
    gateway=wireguard pref-src="" routing-table=main suppress-hw-offload=no
/ip service
set www address=192.168.88.0/24,192.168.33.0/24
set www-ssl address=\
    192.168.88.0/24,192.168.33.0/24,192.168.90.0/24,192.168.35.0/24 \
    certificate=letsencrypt-cert-2024-11-02-16:43:57 disabled=no tls-version=\
    only-1.2
set api disabled=yes
set api-ssl address=192.168.33.100/32,192.168.88.253/32 certificate=\
    letsencrypt-cert-2024-11-02-16:43:57 tls-version=only-1.2
/ip smb shares
set [ find default=yes ] directory=/pub
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
add name=vpn service=l2tp
/system clock
set time-zone-name=Europe/Brussels
/system identity
set name="MikroTik Site B"
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

So both sides of the site-to-site wireguard tunnel have responder false. According to the documentation both routers will repeatedly try to connect “endpoint-address” or “current-endpoint-address” with this setting.

I also added all the subnets I’m using in the allowed ranges of the wireguard peers now.

But still no success. When on site A the force-site-B routing rule is enabled, 192.168.88.231 is able to retrieve responses from 192.168.33.0/24 but not from the public internet.

I indeed don’t know why I did this. I changed it to 24 now. On both sides I also have a few road warrior VPN clients via wireguard. Once I connect to one of those I also don’t have access to the subnet on the other side. (E.g. from 192.168.90.0/24 I can’t reach 192.168.33.0/24)

Okay, I will see what I can figure out, just confused why you have two different WIREGUARD NETWORKS???
Can you provide network diagrams for each side? It's very confusing due to all the extra subnets showing that are not complete subnets.

For Example.
Router A has a Bridge network of 192.168.88.0/24
But you have a vpn for another subnet, but WHY? and which port is it on???
192.168.89.0/24
Why is it assigned to the bridge and yet you have bridge vlan filtering OFF, no /interface bridge or /interface bridge vlan to identify this subnet???

You could either simply assign the subnet to the port in Ip address ( no need for vlan ) OR
create a second vlan for the bridge network and have two vlans and all ports on the bridge.

In any case you cannot assign the vlan to the bridge as you have done, simply assign it to the port directly
You are mixing apples and oranges and have to state more clearly the requirements.

+++++++++++++++++++++++++++++++++++++++++++
Okay then it looks like you have other subnets that are perhaps local on the router ??
192.168.90.1 ( is this some sort of pp anchor ?? ) are you serving a bunch of others attached to this router on your network?? Or something else???
what is the purpose of this config???

In allowed IPs you identify MANY subnets… Two that are clearly LAN type subnets on Router B,
192.168.33.0/24 and 192.168.34.0/24 and you appear to be making the same error with vlan and bridge on Router B…

But from allowed IPs then who is remote… 192.168.35.0/24 ??? and 192.168.90.0/24 is a subnet identified ON THIS router and thus does not qualify.

+++++++++++++++++++++++++

On Router B, same issue. Subnets 192.168.33 and 192.168.35 seem to be local subnets and do not qualify. And what is 192.168.90 referring to?

add allowed-address="192.168.88.0/24,192.168.90.0/24,10.255.255.0/24,192.168.33.0/24,192.168.35.0/24"

+++++++++++++++++++++++++++++++++++++++++++++++++++++

Clearly I am at a loss what you are doing on each router and finding it hard to muddle my way through

I hope the below helps a bit:

So on both sites I indeed configured two wireguard interfaces. One interface for the site to site VPN and another interface for the road warriors. So that I always can connect back to the network of both sites even if the site to site tunnel is broken.

And yes I should probably clean up my configuration and improve the naming. I started with not a lot of networking knowledge and it’s still a learning project for me.

So to summarize the currently broken features:

  • road warrior vpn client 192.168.90.2 can not access 192.168.33.100
  • client in default A network 192.168.88.231 (which should be routed through the site-to-site VPN) can access 192.168.33.100 but not 8.8.8.8

hello,

no problem. we’re all happy to help :+1:t2:

so to make things clear,
site a, 33.0/24, internet
site b, 88.0/24, internet-client

When on site a the force site B routing rule is enabled
192.168.88.231 is able to retrieve responses from 192.168.33.0/24 but not from the public internet.

yup - that is your first traceroute output which is the correct behavior. means that your ip rules worked.

have you put any site B subnets in your src-nat rule on router A (site B needs this rule to go to the internet)??

  • you should push default route via the tunnel for all of site b members that needs to go to the internet.

on router b, you should have 2 default routes to 0/0 :

  • main, gateway= wan interface.
  • vpn-only, gateway= router a wireguard.

on site b clients , you should have

  • 1 default route if directly connected to the router.
  • 2 default routes if connected via vpn to the router, 1 via its own internet and 1 via vpn. make that via vpn metric lower than via internet (preferred gateway).

on router a,

  • you should have route back to site b subnets.
  • you should add site b subnets in your source nat rule (otherwise router a won’t allow site b subnet to go to internet).

and for what purpose did you make 2 wireguard tunnels? for the same back to back routers?

ok. good luck,:+1:t2:

Okay I added a bunch more questions above,that need answering.
You only need one wireguard network now that I know your wireguard requirements but only when two things happen.

a. you fix your guest VPN and bridge setup.

recommend create vlan for bridge subnet, put both vlans on same bridge as per proper vlan filtering
OR
keep bridge setup if guest network is on a single port and simply assign the ether port with the IP address and forget using vlans

b. I understand what is going on with 192.168.90 and 192.168.35 etc… and what those are used for??

Ok I understand that I didn’t configure everything correctly now. I will put some effort in configuring my two Routers completely via commands and have an easy to read rsc file with some documentation included.

So I have the following requirements:

  • Isolated guest WiFi
  • Possibility to isolate IoT devices
  • Connect two sites via a site to site tunnel
  • On every site I should be able to connect with clients (smartphones, laptops) from anywhere in the world
  • Being able to route traffic from one client through the site-to-site tunnel to use the public IP address of the other site.

In order to achieve this I was thinking about putting the below VLANs, each with a dedicated subnet:
2 = Management (same VLAN ID on both sites, would this possibly give me issues later on? Or would it be cleaner to have a separate VLAN ID?)
10 = Main Site A
11 = Guest Site A
12 = IoT Site A
20 = Main Site B
21 = Guest Site B
22 = IoT Site B

Would this make sense according to you?

hello,

  • Connect two sites via a site to site tunnel

  • On every site I should be able to connect with clients (smartphones, laptops) from anywhere in the world

  • Being able to route traffic from one client through the site-to-site tunnel to use the public IP address of the other site.

the first point is doable for simple lan to lan routing.

the second and third are doable, but very tricky. there will be a lot of source and destination NAT for session tracking and a lot of routing rules involved to push the traffic, as they are the same thing as having dual WAN interfaces.

as for VLANs, it is a normal thing to do as a network isolation method, but just be aware of any layer 2 loops. you can put your site-to-site WG tunnel in its own VLAN for routing/filtering simplicity.

but if you are ready for the challenge - have a try. and good luck :+1:t2:

Have you consider just using a dedicated subnet for the WG between site A and site B, then using normal routing (/ip/route) instead of WG’s allowed-address to handle routing?

Also, I don’t know if you control the IP numbering (i.e. if the sites are operational)… but using a 10...x format makes the config a lot easier to read.

Thank you for the feedback sounds logical indeed. Yes I am in full control of all the IP addresses and given I will have to start from scratch I will take your suggestion into account. So basically I will have

  • 10.0.0.0/24 - Wireguard
  • 10.1.2.0/24 - Site A - VLAN 2 - Management
  • 10.1.20.0/24 - Site A - VLAN 20 - Main
  • 10.1.21.0/24 - Site A - VLAN 21 - Guest
  • 10.1.22.0/24 - Site A - VLAN 22 - IoT
  • 10.2.2.0/24 - Site B - VLAN 2 - Management
  • 10.2.20.0/24 - Site B - VLAN 20 - Main
  • 10.2.21.0/24 - Site B - VLAN 21 - Guest
  • 10.2.22.0/24 - Site B - VLAN 22 - IoT

And if I understand correct I will need one Wireguard interface. This interface could contain both wireguard road warrior peers as well as the site-to-site peer?

Or should I have a dedicated wireguard subnet per site?

You can use one subnet for WG if it's a hub-and-spoke topology for your sites. Otherwise, use a different subnet for each site-to-site link. You can use 172.16-31.x.x or 192.168.x.x for the site-to-site ones…

Personally, I'd use a different WG for "road warriors", since those are more client than backbone links, and that makes dealing with firewall rules easier if they are different.

Actually AMMO, you can use a single wireguard interface, and just use a different IP address schema for the road warriors, if you need some granularity over firewall rules…

Yeah that’s true: different peers + subnet is enough for firewall. A different interface only adds using the different port for outer traffic identification but that shouldn’t generally be needed.

The only example I can think of is if there is some need for a 0.0.0.0/0 allowed IP on the server router, and thus any other needs would require a separate wg interface

So I’m now starting from scratch and I am aiming to configure everything via a script which will allow me to easily restore and structure the config.

I was able to connect with the road warrior to the router but I’m still missing the correct firewall rules. I’m not sure what I would exactly need.

#######################################
# Naming
#######################################

/system identity set name="Mikrotik Test"


#######################################
# IP & VLAN Overview
#######################################

# IP ranges
# Usage: 10.<site-id>.<vlan-id>.0/24

# Site ID
# 0 = common
# 1 = Site A
# 2 = Site B

# VLAN ID
# 2  = Management
# 20 = Main
# 21 = Guest
# 22 = IoT


#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=bridge protocol-mode=none vlan-filtering=no


#######################################
# Trunk ports
#######################################

# ingress behavior
/interface bridge port

    add bridge=bridge interface=ether3
    add bridge=bridge interface=ether4
    add bridge=bridge interface=ether5

# egress behavior
/interface bridge vlan

    add bridge=bridge tagged=bridge,ether3,ether4,ether5 vlan-ids=2  comment="VLAN Management"
    add bridge=bridge tagged=bridge,ether3,ether4,ether5 vlan-ids=20 comment="VLAN Site A Main"
    add bridge=bridge tagged=bridge,ether3,ether4,ether5 vlan-ids=21 comment="VLAN Site A Guest"
    add bridge=bridge tagged=bridge,ether3,ether4,ether5 vlan-ids=22 comment="VLAN Site A IoT"


#######################################
# VLAN MGMT
#######################################

/interface vlan add interface=bridge name=vlan-mgmt vlan-id=2
/ip address add interface=vlan-mgmt address=10.1.2.1/24
/ip pool add name=pool-mgmt ranges=10.1.2.250-10.1.2.254
/ip dhcp-server add address-pool=pool-mgmt interface=vlan-mgmt name=dhcp-mgmt disabled=no
/ip dhcp-server network add address=10.1.2.0/24 dns-server=10.1.2.1 gateway=10.1.2.1


#######################################
# VLAN Site A Main
#######################################

/interface vlan add interface=bridge name=vlan-site-a-main vlan-id=20
/ip address add interface=vlan-site-a-main address=10.1.20.1/24
/ip pool add name=pool-site-a-main ranges=10.1.20.100-10.1.20.254
/ip dhcp-server add address-pool=pool-site-a-main interface=vlan-site-a-main name=dhcp-site-a-main disabled=no
/ip dhcp-server network add address=10.1.20.0/24 dns-server=10.1.20.1 gateway=10.1.20.1


#######################################
# VLAN Site A Guest
#######################################

/interface vlan add interface=bridge name=vlan-site-a-guest vlan-id=21
/ip address add interface=vlan-site-a-guest address=10.1.21.1/24
/ip pool add name=pool-site-a-guest ranges=10.1.21.2-10.1.21.254
/ip dhcp-server add address-pool=pool-site-a-guest interface=vlan-site-a-guest name=dhcp-site-a-guest disabled=no
/ip dhcp-server network add address=10.1.21.0/24 dns-server=10.1.21.1 gateway=10.1.21.1


#######################################
# VLAN Site A IoT
#######################################

/interface vlan add interface=bridge name=vlan-site-a-iot vlan-id=22
/ip address add interface=vlan-site-a-iot address=10.1.22.1/24
/ip pool add name=pool-site-a-iot ranges=10.1.22.2-10.1.22.254
/ip dhcp-server add address-pool=pool-site-a-iot interface=vlan-site-a-iot name=dhcp-site-a-iot disabled=no
/ip dhcp-server network add address=10.1.22.0/24 dns-server=10.1.22.1 gateway=10.1.22.1


#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################

# Use MikroTik's "list" feature for easy rule matchmaking.

/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=BASE

/interface list member
    add interface=vlan-mgmt      list=VLAN
    add interface=vlan-site-a-main  list=VLAN
    add interface=vlan-site-a-guest list=VLAN
    add interface=vlan-site-a-iot   list=VLAN
    add interface=vlan-mgmt      list=BASE

# VLAN aware firewall. Order is important.
/ip firewall filter


##################
# INPUT CHAIN
##################
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"

# Allow BASE_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface=vlan-mgmt comment="Allow Base_Vlan Full Access"

add chain=input action=drop comment="Drop"


##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

add chain=forward action=drop comment="Drop"


##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"


#######################################
# VLAN Security
#######################################

# Only allow packets with tags over the Trunk Ports
/interface bridge port
    set bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether3]
    set bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether4]
    set bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether5]


#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE


#######################################
# Turn on VLAN mode
#######################################

/interface bridge set bridge vlan-filtering=yes


#######################################
# WAN Setup
#######################################

# DHCP Setup
# /ip dhcp-client add interface=ether2 use-peer-dns=no use-peer-ntp=no
# /interface list member add interface=ether2 list=WAN

# VLAN10 + PPPoE
/interface vlan add interface=ether2 name=vlan-wan vlan-id=10
/ppp profile add name=profile-wan
/interface pppoe-client add add-default-route=yes disabled=no interface=vlan-wan name=pppoe-wan user=$pppoeUser password=$pppoePassword profile=profile-wan
/interface list member add interface=pppoe-wan list=WAN


#######################################
# Router setup
#######################################

/ip cloud set ddns-enabled=yes ddns-update-interval="300" update-time=no
/ip cloud force-update
/system ntp client set enabled=yes servers="0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org"

# Wait 1 minute for NTP sync and PPPOE session to start
/delay delay-time=60s
:log info "NTP sync is supposed to be done and PPPoE session should be started"

:local routerDnsName
:set routerDnsName [/ip cloud get dns-name ]
:put $routerDnsName
:log info ("Router DNS Name = '" . $routerDnsName . "'")

########################################
# Wireguard setup
########################################

/interface wireguard add listen-port=55093 name=wireguard
/ip address add interface=wireguard address=10.0.0.1/24 comment="Wireguard Site To Site subnet"

/interface wireguard peers
    # Site-to-site peer: site B owns its own key pair, so this peer needs site B's
    # public key. private-key=auto would generate a fresh pair on this router instead,
    # which site B knows nothing about, and the handshake would never complete.
    add allowed-address="10.0.0.2/32" interface=wireguard public-key="<site-b-public-key>" endpoint-address="ip" endpoint-port=55093 persistent-keepalive=25s name="wg-s2s-site-b"

    # Road-warrior peer: keep its tunnel address inside the WireGuard subnet.
    # allowed-address only filters, it does not install routes, so an address taken
    # from 10.1.20.0/24 (a connected VLAN subnet) would be routed to the VLAN, not
    # into the tunnel, and the client would never see a reply.
    add allowed-address="10.0.0.129/32" interface=wireguard private-key=auto client-dns="10.1.20.1" client-endpoint=$routerDnsName client-address="10.0.0.129/32" name="wg-rw-pixel-6a-test"


#######################################
# DNS setup
#######################################

/ip dns set allow-remote-requests=yes \
    servers="1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4"

# Define static DNS entries
/ip dns static
    add name=test.local.lan address=10.0.0.1

# Fetch Root CA for Cloudflare DNS
/tool fetch url="https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem" mode=https
/delay delay-time=5s
/certificate import file-name=DigiCertGlobalRootG2.crt.pem name=DigiCertGlobalRootG2.crt.pem

# /ip dns set allow-remote-requests=yes \
#    servers="1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4" \
#    use-doh-server="https://cloudflare-dns.com/dns-query" verify-doh-cert=yes
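The steps listed earlier in the thread (a second routing table with its own default route through the tunnel, a return route and NAT on the far side) and the firewall rules the script above is still missing can be written out as follows. This is an added example, not the poster's script and not MikroTik's own documentation; it reuses the script's names (`wireguard`, `wg-s2s-site-b`, the `WAN`/`VLAN` interface lists and the final `Drop` rules) and assumes: site A is 10.0.0.1 with main LAN 10.1.20.0/24 and the host to force through the tunnel is 10.1.20.50 (hypothetical), site B is 10.0.0.2 with LANs in 10.2.0.0/16 and runs the same script with its own VLAN names, road-warrior peers get tunnel addresses in 10.0.0.128/25, and `<site-a-public-key>` is a placeholder. The point the thread keeps circling is crypto-key routing: site A only accepts a packet arriving through the tunnel if its source address lies inside the sending peer's `allowed-address`, and replies from the public internet can have any source, so the site B peer on site A needs 0.0.0.0/0. A router answering `!H` for 8.8.8.8, as in the first traceroute, is reporting that its lookup found no usable route for that destination, which is what the default route inside the `vpn-only` table supplies.

```routeros
########################################
# Site A (10.0.0.1): policy routing and firewall for the tunnel
# Assumed: LAN 10.1.20.0/24, forced host 10.1.20.50, road warriors in 10.0.0.128/25
########################################

# The tunnel is neither WAN nor a local VLAN, so it gets its own interface list
/interface list add name=WG
/interface list member add interface=wireguard list=WG

# Crypto-key routing: replies from the internet that site B forwards back to us
# carry arbitrary source addresses, so this peer must allow 0.0.0.0/0. Only one
# peer per WireGuard interface can carry 0.0.0.0/0; road-warrior /32s inside
# 10.0.0.128/25 are more specific and still match their own peer.
/interface wireguard peers set [find name="wg-s2s-site-b"] allowed-address=0.0.0.0/0 persistent-keepalive=25s

# allowed-address filters, it does not route: site B's LANs need a real route
/ip route add dst-address=10.2.0.0/16 gateway=10.0.0.2 comment="site B LANs via tunnel"

# Second routing table whose only default route points at site B
/routing table add name=vpn-only fib
/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.2 routing-table=vpn-only comment="default via site B"

# Rules are evaluated in order. Private destinations (other local VLANs, site B,
# the tunnel itself) stay in main; everything else from the host is forced into
# vpn-only. lookup-only-in-table fails closed: if the tunnel route is gone the
# host gets no internet at all instead of silently leaking via site A's own WAN.
/routing rule add src-address=10.1.20.50/32 dst-address=10.0.0.0/8 action=lookup table=main comment="forced host: private ranges stay in main"
/routing rule add src-address=10.1.20.50/32 action=lookup-only-in-table table=vpn-only comment="forced host: internet only via site B"

# Firewall. place-before keeps every rule ahead of the script's final "Drop" rules.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=55093 in-interface-list=WAN comment="WireGuard listener" place-before=[find chain=input comment="Drop"]
add chain=input action=accept in-interface-list=WG protocol=udp dst-port=53 comment="DNS for tunnel peers" place-before=[find chain=input comment="Drop"]
add chain=forward action=accept connection-state=new in-interface=vlan-site-a-main out-interface-list=WG comment="main VLAN -> tunnel (guest/IoT stay out)" place-before=[find chain=forward comment="Drop"]
add chain=forward action=accept connection-state=new in-interface-list=WG src-address=10.2.0.0/16 out-interface=vlan-site-a-main comment="site B LANs -> main VLAN" place-before=[find chain=forward comment="Drop"]
add chain=forward action=accept connection-state=new in-interface-list=WG src-address=10.0.0.128/25 out-interface=vlan-site-a-main comment="road warriors -> main VLAN only" place-before=[find chain=forward comment="Drop"]

########################################
# Site B (10.0.0.2): return path and NAT for the forced host
########################################
/interface list add name=WG
/interface list member add interface=wireguard list=WG

# Accept site A's tunnel address and LANs from this peer (<site-a-public-key> is a placeholder)
/interface wireguard peers add interface=wireguard name="wg-s2s-site-a" public-key="<site-a-public-key>" \
    allowed-address=10.0.0.1/32,10.1.0.0/16 endpoint-address="ip" endpoint-port=55093 persistent-keepalive=25s

# Return route: replies from the internet for 10.1.20.50 must go back into the tunnel
/ip route add dst-address=10.1.0.0/16 gateway=10.0.0.1 comment="site A LANs via tunnel"

/ip firewall filter
add chain=input action=accept protocol=udp dst-port=55093 in-interface-list=WAN comment="WireGuard listener" place-before=[find chain=input comment="Drop"]
add chain=forward action=accept connection-state=new in-interface-list=WG src-address=10.1.20.50/32 out-interface-list=WAN comment="site A forced host exits via our WAN" place-before=[find chain=forward comment="Drop"]
add chain=forward action=accept connection-state=new in-interface-list=WG src-address=10.1.0.0/16 out-interface-list=VLAN comment="site A LANs -> local VLANs" place-before=[find chain=forward comment="Drop"]

# The script's masquerade rule matches on out-interface-list=WAN only, so it already
# rewrites 10.1.20.50 to site B's public address; no extra srcnat entry is needed.
```

To check it from 10.1.20.50, `traceroute 8.8.8.8` should now show 10.1.20.1, then 10.0.0.2, then site B's upstream; on site A, `/ip route print where routing-table=vpn-only` must list the default route as active, and `/interface wireguard peers print` on both routers should show a recent `last-handshake`. If the first hop still answers with `!H`, the routing rule is matching but the `vpn-only` table has no active route, which is the symptom in the opening post.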