Wireguard site to site Hex to UDM

I have tried and failed, so I am reaching out again for help from the group.

I have the following:

Site A: Hex
Site B: Hex
Site C: Ubiquiti UDM Pro
Site D: Ubiquiti UDM SE

I would like to be able to have VPN connectivity between all sites always on.

I started with trying to get Sites A and C setup.

I installed Wireguard on the UDMP at site C with the following wg.conf:

[Interface]
# UDM end of the Site A <-> Site C tunnel as first posted.
# NOTE(review): never paste a real PrivateKey; if one was ever shown in full, rotate the key pair.
PrivateKey = kByyxxxxxxxxxxxxxxxxx
ListenPort = 51820
# This address is outside the hex's tunnel subnet (the hex interface is 10.10.100.1/24);
# the reply below moves it to 10.10.100.2/32 so both ends share one subnet.
Address = 10.10.200.1/32

[Peer]
PublicKey = xx27xxxxxxxxxxxxxxx
# AllowedIPs is both the route selector and the accepted-source list for this peer. Only the
# tunnel subnet is listed, so the hex LAN (192.168.2.0/24) is neither routed into the tunnel
# nor accepted from it until it is added here.
AllowedIPs = 10.10.100.0/24
# Keeps the UDP path open through stateful devices between the sites.
PersistentKeepalive=20
Endpoint = aaaaa.dyndns.org:51820

I made ACCEPT firewall rules for all traffic originating from 10.10.0.0/16 to anywhere, and another for all traffic from anywhere destined to 10.10.0.0/16. (Note: these only match the tunnel addresses themselves, not the LAN subnets behind each router, so LAN-to-LAN traffic is not covered by them yet.)


At Site A I have the following in my hex’s config:

# nov/18/2022 10:49:26 by RouterOS 7.6
# software id = C3RH-692B
#
# model = RB750Gr3
# NOTE(review): Site A hex export as first posted. The tunnel to Site C is defined but cannot
# carry traffic yet: the peer entry has no allowed-address, the input chain has no accept for
# UDP/51820, and the keepalive is far too long to hold a NAT/firewall mapping open.
/interface bridge
add name=Bridge-Port3
add admin-mac=bbbbbbbbb auto-mac=no comment=defconf name=bridge
/interface wireguard
# Listens on 51820, but no input rule below accepts UDP/51820, so unsolicited handshakes
# from Site C are dropped; this end can only bring the tunnel up by initiating.
add listen-port=51820 mtu=1420 name=212-Wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=1w3d name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE bridge-learning=no
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
# Default export line; md5 (and sha1) are weak auth digests. The export does not show whether
# the OVPN server is enabled -- if it is ever turned on, drop md5 at least.
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
# No allowed-address: WireGuard will neither send to nor accept anything from this peer until
# the peer's tunnel address and remote LAN(s) are listed. A keepalive of ~1h48m cannot hold a
# UDP mapping open; the later template uses ~25s.
add endpoint-address=ccccc.dyndns.org endpoint-port=51820 interface=\
    212-Wireguard persistent-keepalive=1h47m44s public-key=\
    "LXHxxxxxxxxxx"
/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\
    192.168.2.0
# ether3 is also a bridge slave (see /interface bridge port above); an address on a slave port
# is not usable. The reply below moves this subnet onto a VLAN instead.
add address=192.168.30.2/24 interface=ether3 network=192.168.30.0
add address=10.10.100.1/24 interface=212-Wireguard network=10.10.100.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.2 netmask=24
/ip dns
# Router acts as a resolver; the final input drop below keeps that LAN-only.
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.2.2 comment=defconf name=router.lan
/ip firewall address-list
# Address lists named WAN/LAN are separate objects from the interface lists of the same name.
add address=aaaaaa.dyndns.org list=WAN
add address=192.168.2.0/24 list=LAN
/ip firewall filter
add action=accept chain=input comment=\
    "NEW defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="NEW defconf: accept ICMP" protocol=\
    icmp
# Wide-open, logged accepts for anything entering or leaving the tunnel. Acceptable for
# bring-up; tighten to the remote subnets once the tunnel works.
add action=accept chain=forward in-interface=212-Wireguard log=yes
add action=accept chain=forward log=yes out-interface=212-Wireguard
add action=drop chain=input comment="NEW defconf: drop invalid" \
    connection-state=invalid
# Every router service is reachable from any LAN host.
add action=accept chain=input comment=NEW in-interface-list=LAN
# Nothing above accepts UDP/51820, so inbound WireGuard handshakes end here.
add action=drop chain=input comment="NEW drop all else"
add action=fasttrack-connection chain=forward comment=\
    "NEW defconf: fasttrack" connection-state=established,related hw-offload=\
    yes
add action=accept chain=forward comment=\
    "NEW defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="NEW allow port forwarding" \
    connection-nat-state=dstnat log=yes
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="NEW defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=NEW
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Mark connection for hairpin NAT" dst-address-list=WAN \
    new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT"
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
    out-interface-list=WAN
# dst-nat to the address it already targets -- looks like a leftover with no effect.
add action=dst-nat chain=dstnat dst-address=192.168.2.176 dst-port=8123 log=\
    yes protocol=tcp to-addresses=192.168.2.176
add action=src-nat chain=srcnat comment="new 8123" disabled=yes dst-address=\
    192.168.2.176 dst-port=8123 protocol=tcp to-addresses=192.168.2.176
add action=src-nat chain=srcnat comment="new 5800" disabled=yes dst-port=5800 \
    protocol=tcp to-addresses=192.168.2.22
add action=src-nat chain=srcnat comment="new 5900" disabled=yes dst-port=5900 \
    protocol=tcp to-addresses=192.168.2.22
# Publishes TCP/8123 (Home Assistant's usual port) to the Internet. Once the VPN carries that
# traffic this exposure can be removed.
add action=dst-nat chain=dstnat comment="PORT FWD:  8123" dst-address-list=\
    WAN dst-port=8123 protocol=tcp to-addresses=192.168.2.176 to-ports=8123
/ip route
add disabled=yes dst-address=0.0.0.0/0 gateway=192.168.2.1
/system clock
set time-zone-name=America/New_York
/system identity
set name=RouterOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add interface=ether1 name=tmon1

How to make it so the sites have an always on VPN connection so that any device (PC) on either network can access any device on the other network?

Thank you!

Good plan to start small…

(1) The problem I see is that the UDM address for WireGuard is
10.10.200.1/32

It should be
10.10.100.2/32, i.e. inside the same 10.10.100.0/24 tunnel subnet that the hex's WireGuard interface (10.10.100.1/24) is on.

(2) Allowed IPs is also a problem on the UDM. The UDM only has 10.10.100/24,
a. are there any subnets on the hex, or future subnets on other devices that the users on the UDM will visit?
b. does any traffic originate on the UDM
c. similarly are there any subnets on the UDM that users on the hex will visit, and if so which subnet are they on the hex…

(3) MISSING: allowed-address on the hex's peer entry — without it WireGuard will neither send to nor accept anything from the UDM.

Thank you as always, anav!

I changed wg0.conf on the UDM to:

[Interface]
PrivateKey = kByxxxxxxx
ListenPort = 51820
# Now inside the hex's tunnel subnet (hex interface is 10.10.100.1/24).
Address = 10.10.100.2/32

[Peer]
PublicKey = xx2xxxxxxx
# Still only the tunnel subnet. AllowedIPs is an accepted-source list as well as a route, so
# the hex LAN 192.168.2.0/24 (and any future hex subnets) must be listed here before hosts
# behind the hex are routed into, or accepted from, the tunnel.
AllowedIPs = 10.10.100.0/24
PersistentKeepalive=20
Endpoint = aaaaa.dyndns.org:51820

Is the AllowedIPs above not correct? The Hex’s wireguard interface is 10.10.100.1. Should I add 192.168.2/24 (the LAN on the hex)?

The subnets on the hex now is just 192.168.2/24

I might want to add other subnets (192.168.10 or .20).

Yes, I believe traffic would originate on the UDM. I run Home Assistant and I think it monitors data off the UDM.

The UDM has 192.168.0/24 and 192.168.5/24 (IP cameras on a Blue Iris server).

On the Hex, I put in AllowedIPs 10.10.100.0/24 – is that correct? Should I add 192.168/16?

Okay, so to be clear, you have users on the UDM that originate traffic? If so where are they headed ( on the hex and perhaps to the other UDM)?
Identify those subnets as allowed IPs on the UDM.

Same on the hex, are users on the hex visiting any subnets on the UDM as that would need to be added to the wireguard peers for the UDM.

*******keep in mind ---->allowed IPs is for two entities and sometimes they are the same! (destination subnets for local traffic AND remote subnets visiting)

I am assuming the hex is acting as the server for wireguard or do I have that wrong… ( the hex has a publicly accessible WANIP)??


(its still not clear to me if users are on the first UDM we are trying to connect, or is it just servers/devices. )

Users at all sites need to be able to initiate traffic.

I don’t know which device initiates or creates the vpn.

How is a vpn established between them? With a regular client-server there is an activate or connect button.

Well it depends, which device has the publicly accessible WANIP. In other words, a Public IP that can be pinged and private ( not natted (CGNAT, starlink etc.)).

Is each device connected to the net or via an ISP router which provides a private IP to your router?

Each device is at a different location with a public ip provided by the isp (spectrum cable for 3 sites, Fios for the 4th).

The UDMs and the HEXs are the only routers at each location. They can be pinged from the internet as well as from the lan (on the private ip network).

Okay, so this can get really complicated or it can be made easy…
You could have
Scenario1
hex to hex ( wireguard 1 (bi direction initiation)
hex to udm1 (wireguard 2 (bi direction initiation)
hex to udm2 wireguard 3 (bi direction initiation)
udm1-udm2 wireguard 4 (bi direction initiation)
Road warrior X to…
Road warrior Y to…
Road warrior Z to…

Scenario2
Hex1 is central wireguard server router
ONE WIREGUARD interface/subnet , the three others connect to HEX1 on this interface.

Scenario3
Hex1 is central wireguard server router
3 Wireguard interfaces needed, one for hex2, one for udm1 and one for udm2

In all three scenarios throw in road warrior (could be admins) that need access to one or all devices!!!
Road warrior X to…
Road warrior Y to…
Road warrior Z to…
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

What will help chart a course/path is more detail on REQUIREMENTS!

Requirements identification
a. is there any case here where a subnet on a router or a single user at a router, or home user (road warrior) that will require to access one of the routers internet connection??
These need to be identified!
b. which subnets/users need access to which subnets/user on other devices (aka via tunnel)
c. what does admin need ( how many admins?)
d. Is there any one router that will handle most of the incoming wireguard traffic…

(which router has the biggest capacity in terms of processing power)
(which router has the biggest internet connectivity to the WWW)

Wow, I love how you laid out the 3 scenarios.

Seems like #1 is the most robust with respect to outages or failures, but I don’t know enough to have an opinion on which to choose. An important consideration is that with my limited knowledge, if any one scenario were easier to manage (more difficult to break), then that would be a big vote for that scenario.

I can easily replace the hex at Site A with an RB5009 (already ordered one), so that would be the most powerful processor. Site A has 1gb bidirectional FIOS so Site A wins there also.

a. is there any case here where a subnet on a router or a single user at a router, or home user (road warrior) that will require to access one of the routers internet connection??

Not sure I understand. Do you mean a time when User-1 at Site A would need to use a VPN connection to Site B and then go out the internet connection at Site B? If so, I don’t believe so. It would seem to me that if User-a at Site A can reach the router at Site B, then it would have Internet connectivity already. I’m sure I’m missing some scenario where it would be of use, but I can’t think of it.

b. which subnets/users need access to which subnets/user on other devices (aka via tunnel)

It would be nice if I (for example) could be at any of the 4 sites (or anywhere, for that matter), and have full access to all the devices on all the subnets at each site.

As it is now configured:

Site A uses 192.168.2/24
Site B uses 192.168.88/24
Site C uses 192.168.0/24 and 192.168.5/24
Site D uses 192.168.1/24

c. what does admin need ( how many admins?)

Just me – what I describe above.

But, I run a Home Assistant server and a Blue Iris server at Site C that need access to devices at Site B and D directly. And, a Home Assistant server at Site A that needs access to devices at all the other sites.

d. Is there any one router that will handle most of the incoming wireguard traffic…

Site A (upgraded to RB5009) could be considered the main router.

Concur, we can keep it simple for now for sure…

In term of the this iris server and home assistant server at site C… do they initiate traffic or do they only respond to traffic incoming from site B and D…
How does a server start a session is my question I guess… I am used to simple FTP server which is just dumb and sits there waiting.

Same question for the Home Assistant server at site A which needs access to sites B, C, D (again, does this server originate traffic?)

The Blue Iris and Home Assistant servers both initiate traffic with individual devices (cameras, sensors, etc.) at other sites (as well as cloud-based data sources).

BI uses ONVIF, RTSP and uPnP (possibly other protocols).

Interesting. If WireGuard doesn't work for those services, a fallback plan would be to try ZeroTier. (Keep in mind that device discovery — ONVIF WS-Discovery, UPnP/SSDP — relies on local multicast/broadcast, which a routed WireGuard tunnel does not carry; sessions to a camera's known IP over RTSP/ONVIF work fine.)

I just looked into Zerotier and it seems like it will not work on the Hex platform (MMIPS).

Amplifi Teleport seems to be popular on the UDM platform.

But, I do like the idea of getting wireguard to work.

Would you be willing to help me some more with getting wireguard to work?

You don’t seem to understand WG basics, e.g. for simple access between all sites, important parts of site A config can be (and similar for others):

/interface wireguard
# One interface for all sites; each site has its own listen port and key pair.
add name=WG listen-port=<site A port>
/interface wireguard peers
# allowed-address is the cryptokey routing table: it selects which peer a packet is sent to
# AND which source addresses are accepted from that peer. Listing only the remote LANs is
# enough for LAN-to-LAN traffic; anything a router originates from a tunnel address would
# also need that address listed on the far end.
add interface=WG endpoint-address=<site B public address> endpoint-port=<site B port> public-key=<site B key> allowed-address=192.168.88.0/24
add interface=WG endpoint-address=<site C public address> endpoint-port=<site C port> public-key=<site C key> allowed-address=192.168.0.0/24,192.168.5.0/24
add interface=WG endpoint-address=<site D public address> endpoint-port=<site D port> public-key=<site D key> allowed-address=192.168.1.0/24
/ip route
# RouterOS does not derive routes from allowed-address; each remote LAN needs a static route.
add dst-address=192.168.88.0/24 gateway=WG
add dst-address=192.168.0.0/24 gateway=WG
add dst-address=192.168.5.0/24 gateway=WG
add dst-address=192.168.1.0/24 gateway=WG

That’s assuming that all sites have public addresses. If not, you wouldn’t set endpoint-address/port for them and site A would wait for incoming connection from them.

Good start…
Since it was not clear to me what ether3 and the second subnet were for (in the export above ether3 is both a bridge port and carries its own IP address, which does not work), I took the liberty of leaving the bridge to do nothing but bridging
and created two VLANs for the two subnets. This assumes ether2–5 are all access ports NOT going to smart devices (managed switches, APs etc.).
Its easy peasy, define vlans as belonging to bridge,
then each vlan gets its IP pool, dhcp server, dhcp server network and Ip address.
Set /interface bridge port and /interface bridge vlan as applicable, then enable vlan-filtering on the bridge (do this while connected through the off-bridge port described below, since a mistake here can lock you out).
Make necessary wireguard settings
Adjust firewall rules
Adjust routes.

For the RB5009 you will have extra ports so recommend you create/use lets say port 7 ( and dont put it on the bridge). It will be an off bridge emergency access or you can use it to configure the router at all times and the best part is one does not have to worry about any screwups on bridge configuration which can lock people out for a bit…
explained here - https://forum.mikrotik.com/viewtopic.php?t=181718

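# model = RB750Gr3/RB5009
# Hub (Site A) template: two VLANs on the bridge, one WireGuard interface carrying every
# spoke plus road-warrior admins, input chain limited to MANAGE hosts and an "authorized"
# list over the tunnel. Values in <...> and the X/Y/Z/A/B/C octets are placeholders -- fill
# them in before importing; a syntax error mid-import leaves a half-applied firewall.
/interface bridge
# vlan-filtering is required for the bridge vlan table below to have any effect. Enable it
# only after ports/vlans are defined, preferably while connected via the off-bridge port.
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan2-home vlan-id=2
add interface=bridge name=vlan30-other vlan-id=30
/interface wireguard
add listen-port=51820 mtu=1420 name=212-Wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGE
/ip pool
add name=dhcp-v2 ranges=192.168.2.100-192.168.2.200
add name=dhcp-v30 ranges=192.168.30.100-192.168.30.200
/ip dhcp-server
# Server names must be unique (two entries named "defconf" would fail to import).
add address-pool=dhcp-v2 interface=vlan2-home lease-time=1w3d name=dhcp-v2
add address-pool=dhcp-v30 interface=vlan30-other lease-time=1w3d name=dhcp-v30
/interface bridge port
# Access ports: only untagged/priority-tagged frames admitted, each tagged into its pvid.
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=2
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=30
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=2
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=2
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2,ether4,ether5 vlan-ids=2
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=30
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=vlan2-home list=LAN
add interface=vlan30-other list=LAN
# The tunnel is a LAN-side interface; keeping it out of WAN keeps it out of the masquerade rule.
add interface=212-Wireguard list=LAN
add interface=vlan2-home list=MANAGE
/interface wireguard peers
# allowed-address is both the route selector and the accepted-source list for a peer: the
# peer's own /32 tunnel address plus every LAN it may source. Each spoke listens on its own
# port; persistent-keepalive holds the UDP path open through stateful devices.
add interface=212-Wireguard endpoint-address=<site B hex2 public address> endpoint-port=52820 public-key="<site B key>" allowed-address=10.10.100.2/32,192.168.88.0/24 persistent-keepalive=25s comment="site B hex"
add interface=212-Wireguard endpoint-address=<site C udm pro public address> endpoint-port=53820 public-key="<site C key>" allowed-address=10.10.100.3/32,192.168.0.0/24,192.168.5.0/24 persistent-keepalive=30s comment="site C udm pro"
add interface=212-Wireguard endpoint-address=<site D udm se public address> endpoint-port=54820 public-key="<site D key>" allowed-address=10.10.100.4/32,192.168.1.0/24 persistent-keepalive=35s comment="site D udm se"
# Road warriors dial in (no endpoint); one /32 each, and they appear in the "authorized" list below.
add interface=212-Wireguard public-key="<admin laptop key>" allowed-address=10.10.100.5/32 comment="admin windows laptop"
add interface=212-Wireguard public-key="<admin phone key>" allowed-address=10.10.100.6/32 comment="admin iphone/ipad"
/ip address
add address=192.168.2.2/24 interface=vlan2-home network=192.168.2.0
add address=192.168.30.2/24 interface=vlan30-other network=192.168.30.0
add address=10.10.100.1/24 interface=212-Wireguard network=10.10.100.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.2 netmask=24
add address=192.168.30.0/24 comment=defconf gateway=192.168.30.2 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall address-list
# WANIP: the router's own public address (via DDNS), used by the port-forward below.
add address=aaaaaa.dyndns.org list=WANIP
# manage: local admin hosts allowed to reach the router from the MANAGE vlan.
add address=192.168.2.X comment="admin desktop" list=manage
add address=192.168.2.Y comment="admin laptop" list=manage
add address=192.168.2.Z comment="admin iphone/ipad" list=manage
# authorized: sources allowed to reach the router itself over the tunnel.
add address=10.10.100.5/32 comment="remote laptop (wg)" list=authorized
add address=10.10.100.6/32 comment="remote iphone/ipad (wg)" list=authorized
add address=192.168.88.A/32 comment="admin LAN address at site B hex" list=authorized
add address=192.168.0.B/32 comment="admin LAN address at site C udm pro" list=authorized
add address=192.168.1.C/32 comment="admin LAN address at site D udm se" list=authorized
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
# Inbound WireGuard: match the DESTINATION port; peers' source ports are not under our control.
add action=accept chain=input comment="wireguard handshakes" dst-port=51820 log=yes protocol=udp
add action=accept chain=input comment="admin from MANAGE vlan" in-interface-list=MANAGE src-address-list=manage
add action=accept chain=input comment="admin over tunnel" in-interface=212-Wireguard src-address-list=authorized
# LAN list includes the tunnel, so remote sites may also use this router as resolver.
add action=accept chain=input comment="DNS" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="DNS" dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat log=yes
add action=accept chain=forward comment="LAN to internet" in-interface-list=LAN out-interface-list=WAN
# Site-to-site: the rule above only covers LAN->WAN, so traffic into and out of the tunnel needs
# its own accepts (the tunnel is in LAN, so spoke-to-spoke relayed through this hub is covered
# too). VLAN2<->VLAN30 is not permitted here and falls through to the final drop; add a rule if wanted.
add action=accept chain=forward comment="LAN to tunnel" in-interface-list=LAN out-interface=212-Wireguard
add action=accept chain=forward comment="tunnel to LAN" in-interface=212-Wireguard out-interface-list=LAN
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="hairpin nat" dst-address=192.168.2.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
add action=dst-nat chain=dstnat comment="port fwd 8123" dst-address-list=WANIP dst-port=8123 log=yes protocol=tcp to-addresses=192.168.2.176
/ip route
# Only needed when add-default-route=no on the ether1 DHCP client.
add dst-address=0.0.0.0/0 gateway=<WAN gateway IP> routing-table=main
# RouterOS does not derive routes from allowed-address; one static route per remote LAN.
add dst-address=192.168.88.0/24 gateway=212-Wireguard routing-table=main
add dst-address=192.168.0.0/24 gateway=212-Wireguard routing-table=main
add dst-address=192.168.5.0/24 gateway=212-Wireguard routing-table=main
add dst-address=192.168.1.0/24 gateway=212-Wireguard routing-table=main
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE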

I really am trying to understand and learn – and (as always) appreciate the help!

With the code below, there appears to be active VPN connections between sites A, B and C, but it’s still not completely working.

Using the Ping tool at the Hex at SITE-B I can ping the UDM at SITE-C (192.168.0.1) and devices on the LAN behind the UDM.

Using the same Ping tool at the Hex at SITE-B I cannot ping the Hex at Site-A (192.168.2.1 — note that the Site-A export below puts the hex's bridge address at 192.168.2.2; 192.168.2.1 only appears there as a disabled default-gateway entry) or any devices behind it.

Using the Ping tool at the Hex at SITE-A I can ping the UDM at SITE-C (192.168.0.1) and devices on the LAN behind the UDM.

Using the same Ping tool at the Hex at SITE-A I cannot ping the Hex at Site-B (192.168.88.1) or any devices behind it.

From the UDM at SITE-C I cannot ping anything at SITE-A or SITE-B

SITE-C UDM

# UDM Pro Site C
# NOTE(review): the [Interface] header appears to have been lost in the paste; the four
# lines below belong under it.

# Each site picked a different tunnel /24 (A 10.10.10.1, B 10.10.30.1, C 10.10.20.1). Neither
# hex lists 10.10.20.1 in its allowed-address for this peer, so anything the UDM itself
# originates is discarded on arrival -- consistent with "from the UDM at SITE-C I cannot
# ping anything at SITE-A or SITE-B" above.
Address = 10.10.20.1/32
# SaveConfig makes wg-quick rewrite this file on shutdown, discarding comments and hand edits.
SaveConfig = true
ListenPort = 51820
PrivateKey = WBj6xxxxx


[Peer]
# SITE A
# 10.10.10.0/24 is accepted here. The Site A hex has 212-Wireguard in its WAN list and so
# masquerades into the tunnel as 10.10.10.1, which is consistent with A->C working.
PublicKey = xx27xxxxx
AllowedIPs = 10.10.10.0/24, 192.168.2.0/24
Endpoint = 22.22.22.22:51820

[Peer]
# SITE B
# Same pattern: hex B masquerades as 10.10.30.1 and 10.10.30.0/24 is accepted here.
# No PersistentKeepalive on either peer in this version; both hexes have endpoints for
# this site, so they are expected to initiate.
PublicKey = zoZtixxxxxx
AllowedIPs = 10.10.30.0/24, 192.168.88.0/24
Endpoint = 33.33.33.33:51820

SITE-B Hex

# Hex site B
# NOTE(review): the symptoms above (B<->C works, B<->A does not, C cannot reach B) line up
# with two things visible here: wireguard1 is in the WAN list, so the masquerade rule rewrites
# tunnel-bound traffic to 10.10.30.1, and the peer entries allow only the remote LANs, not the
# tunnel addresses the other routers actually source from.

/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# Putting the tunnel in WAN makes "masquerade out-interface-list=WAN" below rewrite everything
# sent into the tunnel as 10.10.30.1. Site C allows 10.10.30.0/24 (works); Site A's peer entry
# for this hex allows only 192.168.88.0/24 (dropped there). The tunnel belongs in LAN.
add interface=wireguard1 list=WAN

/interface wireguard peers

# Site A: its tunnel address 10.10.10.1 (which it masquerades to) is not allowed here, so
# traffic from Site A is discarded by WireGuard before it reaches the firewall.
add allowed-address=192.168.2.0/24 comment=212 endpoint-address=\
    SITE-A.dyndns.org endpoint-port=51820 interface=wireguard1 public-key=\
    "xx27ccccc"

# Site C: the UDM's own address 10.10.20.1 is not allowed, so UDM-originated packets are dropped.
add allowed-address=192.168.0.0/24,192.168.5.0/24 comment=355 \
    endpoint-address=SITE-C.dyndns.org endpoint-port=51820 interface=\
    wireguard1 public-key="4HEOxxxxxxxx"

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.10.30.1/24 interface=wireguard1 network=10.10.30.0

/ip firewall address-list
add address=SITE-C.dyndns.org list=mtdale
add address=SITE-A.dyndns.org list=212

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow incoming wireguard connections" \
    dst-port=51820 log=yes protocol=udp
# Accepts every service on the router from anything inside the tunnel.
add action=accept chain=input comment="Alow wireguard to router" \
    in-interface=wireguard1 log=yes
add action=accept chain=forward comment="Allow wireguard to subnet" \
    dst-address=192.168.88.0/24 in-interface=wireguard1 log=yes
# Forwards any UDP from the tunnel to any destination, including out to the Internet.
add action=accept chain=forward in-interface=wireguard1 protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# These accept ALL protocols/ports from the peers' public IPs. The UDP/51820 rule above already
# covers the handshake, so they only widen what those addresses can reach on the router.
add action=accept chain=input disabled=yes src-address-list=mtdale
add action=accept chain=input src-address-list=212
# With wireguard1 in WAN this drop would also hit tunnel traffic, were it not for the
# "Alow wireguard to router" accept above.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat log=yes
add action=drop chain=forward comment="Drop all else"

/ip firewall nat
# Masquerades on every WAN-list interface -- which currently includes wireguard1.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=9000,8080,554,1935,8035 \
    in-interface=wireguard1 log=yes protocol=tcp to-addresses=192.168.88.35
# These match the peers' public IPs, i.e. traffic arriving on WAN, not tunnel traffic (which
# carries private source addresses). Presumably for the camera server -- confirm they are
# still wanted once LAN-to-LAN routing over the tunnel works.
add action=dst-nat chain=dstnat dst-port=9000,8080,554,1935,8035 protocol=tcp \
    src-address-list=212 to-addresses=192.168.88.35
add action=dst-nat chain=dstnat comment=cam dst-port=8080,9000,554,1935,8035 \
    protocol=tcp src-address-list=mtdale to-addresses=192.168.88.35

/ip route
add disabled=no dst-address=192.168.2.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=192.168.0.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
# 192.168.5.0/24 is allowed from Site C but has no route; 192.168.1.0/24 (Site D) has a route
# but no peer entry carries it.
add disabled=no dst-address=192.168.1.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no

SITE-A Hex

# Hex site A
# NOTE(review): A<->C works and A<->B does not. Visible causes: 212-Wireguard is in both LAN
# and WAN, so the WAN masquerade rewrites tunnel traffic to 10.10.10.1 (accepted by Site C,
# not by Site B), and neither peer entry allows the tunnel address the far router sources from.

/interface wireguard
add listen-port=51820 mtu=1420 name=212-Wireguard

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=212-Wireguard list=LAN
# Also in WAN: "masquerade out-interface-list=WAN" then rewrites everything sent into the
# tunnel as 10.10.10.1. Site C allows 10.10.10.0/24, so A->C works; Site B's peer entry for
# this hex allows only 192.168.2.0/24, so A->B is dropped there. Remove it from WAN.
add interface=212-Wireguard list=WAN

/interface wireguard peers
# Site C: 192.168.5.0/24 (cameras) is not allowed, and neither is the UDM's own tunnel
# address 10.10.20.1, so UDM-originated packets are discarded here.
add allowed-address=192.168.0.0/24 comment=355 endpoint-address=\
    SITE-C.dyndns.org endpoint-port=51820 interface=212-Wireguard \
    persistent-keepalive=1h47m44s public-key=\
    "4HEOBxxxxxx"

# Site B: 10.10.30.1 (which hex B masquerades to) is not allowed, so B->A is discarded here.
# Also check the endpoint hostname -- "dydns" looks like a typo for "dyndns"; if it does not
# resolve, this side never initiates a handshake to Site B.
add allowed-address=192.168.88.0/24 comment=371 \
    endpoint-address=SITE-B.dydns.org endpoint-port=51820 interface=\
    212-Wireguard persistent-keepalive=30m public-key=\
    "zoZtxxxxxxxx"

/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\
    192.168.2.0
add address=192.168.30.2/24 interface=ether3 network=192.168.30.0
add address=10.10.10.1/24 interface=212-Wireguard network=10.10.10.0

/ip firewall address-list
# NOTE(review): unlike the other listings this line carries what looks like a real DDNS
# hostname; redact before posting.
add address=jrs212.dyndns.org list=WAN
add address=192.168.2.0/24 list=LAN

/ip firewall filter
add action=accept chain=input comment="NEW defconf: accept ICMP" protocol=\
    icmp
# Every router service is reachable from anything inside the tunnel.
add action=accept chain=input in-interface=212-Wireguard log=yes
add action=accept chain=forward log=yes out-interface=212-Wireguard
# Matches on SOURCE port. Router peers that listen on 51820 also send from 51820, so this
# works by accident for them, but it fails for any peer on another port and admits any UDP
# whose sender picked source port 51820. Match dst-port=51820 instead.
add action=accept chain=input log=yes protocol=udp src-port=51820
# Forwards anything from the tunnel to anywhere, including out to the Internet via this WAN.
add action=accept chain=forward in-interface=212-Wireguard
add action=accept chain=forward dst-address=192.168.2.0/24 in-interface=\
    212-Wireguard log=yes
add action=accept chain=input comment=\
    "NEW defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="NEW defconf: drop invalid" \
    connection-state=invalid
# LAN list includes the tunnel, so this also accepts all input from the tunnel.
add action=accept chain=input comment=NEW in-interface-list=LAN
add action=drop chain=input comment="NEW drop all else"
add action=fasttrack-connection chain=forward comment=\
    "NEW defconf: fasttrack" connection-state=established,related hw-offload=\
    yes
add action=accept chain=forward comment=\
    "NEW defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="NEW allow port forwarding" \
    connection-nat-state=dstnat log=yes
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="NEW defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=NEW
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Mark connection for hairpin NAT" dst-address-list=WAN \
    new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=LAN

/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT"
# Applies to every WAN-list interface -- currently including the tunnel.
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=192.168.2.176 dst-port=8123 log=\
    yes protocol=tcp to-addresses=192.168.2.176
add action=src-nat chain=srcnat comment="new 8123" disabled=yes dst-address=\
    192.168.2.176 dst-port=8123 protocol=tcp to-addresses=192.168.2.176
add action=src-nat chain=srcnat comment="new 5800" disabled=yes dst-port=5800 \
    protocol=tcp to-addresses=192.168.2.22
add action=src-nat chain=srcnat comment="new 5900" disabled=yes dst-port=5900 \
    protocol=tcp to-addresses=192.168.2.22
add action=dst-nat chain=dstnat comment="PORT FWD:  8123" dst-address-list=\
    WAN dst-port=8123 protocol=tcp to-addresses=192.168.2.176 to-ports=8123

/ip route
add disabled=yes dst-address=0.0.0.0/0 gateway=192.168.2.1
# Only Site B's LAN is routed into the tunnel in this excerpt; no routes for 192.168.0.0/24 or
# 192.168.5.0/24 (Site C) are shown -- confirm they exist elsewhere.
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=212-Wireguard \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10

Cart before the horse LOL.
We need to ensure the three other setups are in step with the first one…
I will have a look… egads, why have you introduced mangling ****???
I provided the proper hairpin nat rule and showed you how to config the destination (port forwarding rules) argg…

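/ip firewall nat
# Plain masquerade for Internet-bound traffic. Keep the tunnel interface OUT of the WAN list,
# otherwise this rule rewrites tunnel traffic as well.
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
# Hairpin NAT without mangle marks: LAN-to-LAN connections routed through the router (i.e.
# after a dst-nat to a LAN host) get their source rewritten so replies return via the router.
add action=masquerade chain=srcnat comment="hairpin nat" dst-address=192.168.2.0/24 src-address=192.168.2.0/24
# WANIP is the address-list holding the router's own public (DDNS) address.
add action=dst-nat chain=dstnat comment="port fwd 8123" dst-address-list=WANIP dst-port=8123 log=yes protocol=tcp to-addresses=192.168.2.176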

(1) Okay, you have not followed anything coherent at all, if you cannot follow the guide, I dont know what to say ???
The config I provided pointed out for example that the IP addresses for wireguard interfaces of the other devices were on the same subnet…
Also that each device with a public IP uses a different listening port to avoid any confusion.

HEXA/RB5009
ip address = 10.10.100.1/24 (wg interface — the same /ip address line as in the template above)

Wireguard Peers
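/interface wireguard peers
# Hub peer table (Site A). allowed-address = the peer's /32 tunnel address plus the LAN(s) it
# may source; every spoke listens on its own port; keepalives hold the UDP path open.
add interface=212-Wireguard endpoint-address=<site B hex2 public address> endpoint-port=52820 public-key="<site B key>" allowed-address=10.10.100.2/32,192.168.88.0/24 persistent-keepalive=25s comment="site B hex"
add interface=212-Wireguard endpoint-address=<site C udm pro public address> endpoint-port=53820 public-key="<site C key>" allowed-address=10.10.100.3/32,192.168.0.0/24,192.168.5.0/24 persistent-keepalive=30s comment="site C udm pro"
add interface=212-Wireguard endpoint-address=<site D udm se public address> endpoint-port=54820 public-key="<site D key>" allowed-address=10.10.100.4/32,192.168.1.0/24 persistent-keepalive=35s comment="site D udm se"
# Road warriors dial in, so no endpoint; one /32 each.
add interface=212-Wireguard public-key="<admin laptop key>" allowed-address=10.10.100.5/32 comment="admin windows laptop"
add interface=212-Wireguard public-key="<admin phone key>" allowed-address=10.10.100.6/32 comment="admin iphone/ipad"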

Hence (keeping every router on the hub's 10.10.100.0/24 tunnel subnet, as the peer list above does) the WireGuard addresses for the other devices should be

hex B - 10.10.100.2/24
udm pro - 10.10.100.3/24
udm se - 10.10.100.4/24
remote admin laptop - 10.10.100.5/32
remote admin iphone/ipad - 10.10.100.6/32

(2) why did you add hexa/rb5009 wg interface to the WAN, its associated with the LAN already…

(3) Back to (1) you failed to add the wireguard addresses of peers to allowed IPs ???

(4) On input chain why did you put SOURCE port for the incoming wireguard handshake/connection??
add action=accept chain=input log=yes protocol=udp src-port=51820

Here is what is on the config I provided which is the correct one…
add action=accept chain=input dst-port=51820 protocol=udp log=yes

It's the destination port because external remote devices are looking to connect on their destination port, i.e. aiming to connect to 51820 on the hex A.
The other devices are not coming from port 51820; in fact my understanding is that the source port chosen by the source/remote devices is random, as it's the destination port that matters.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

In summary, why are you deviating? If you know what you are doing, then sure, by all means, but clearly you don't and yet are making stuff up? Why?

I could go on, like why the EFF did you make a hairy disorganized mess of the firewall rules mixing input chain and forward chain…

OKAY, this first iteration attempt which is not going well, was to KISS and thus we are doing everything through Router A at the moment SO the peer settings will be different…

For example notice you have routes for 192.168.0.0 and 192.168.5.0 but you also have one for 192.168.1.0 ?? But you have no allowed IPs for 192.168.1.0 ???
So we have to ensure 192.168.1.0 is included in allowed IPs.

Vice versa, you have 192.168.5.0/24 in allowed IPs, but its missing from IP routes, so have to add that…

Hex site B

/interface wireguard
add listen-port=52820 mtu=1420 name=wireguard1

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN

/interface wireguard peers

add allowed-address=10.0.100.0/24,192.168.2.0/24,192.168.5.0/24,192.168.0.0/24,192.168.1.0/24 comment=212 endpoint-address=SITE-A.dyndns.org endpoint-port=51820 interface=wireguard1 public-key="xx27ccccc" persistent-keepalive=40s

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.0.100.2/24 interface=wireguard1 network=10.0.100.0

/ip firewall address-list
add address=subnet_1 list=external-access
add address=subnet_2 list=external-access

add address=subnet_XX list=external-access
add address=10.0.100.5/32 list=external-access
add address=10.0.100.6/32 list=external-access
add address=IP-local-admin-destkop list=authorized
add address=IP-local-admin-laptop list=authorized
add address=IP-local-admin-iphone/ipad list=authorized

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked

add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp

add action=accept chain=input comment="allow incoming wireguard connections" dst-port=52820 log=yes protocol=udp
add action=accept chain=input comment="Allow wireguard to router" in-interface=wireguard1 src-address-list=external-access log=yes
add action=accept chain=input in-interface-list=LAN src-address-list=authorized
add action=accept chain=input dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="drop all else"

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes

add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow wireguard to subnet" dst-address=192.168.88.0/24 in-interface=wireguard1 log=yes
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat log=yes
add action=drop chain=forward comment="Drop all else"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=9000,8080,554,1935,8035 in-interface=wireguard1 log=yes protocol=tcp to-addresses=192.168.88.35
add action=dst-nat chain=dstnat dst-port=9000,8080,554,1935,8035 protocol=tcp src-address-list=212 to-addresses=192.168.88.35
add action=dst-nat chain=dstnat comment=cam dst-port=8080,9000,554,1935,8035 protocol=tcp src-address-list=mtdale to-addresses=192.168.88.35

/ip route
add disabled=no dst-address=192.168.2.0/24 gateway=wireguard1 routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.0.0/24 gateway=wireguard1 routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.1.0/24 gateway=wireguard1 routing-table=main suppress-hw-offload=no
add dst-address=192.168.5.0/24 gateway=wireguard1 routing-table=main

UDM Pro Site C

Address = 10.0.100.3/32
SaveConfig = true
ListenPort = 53820
PrivateKey = WBj6xxxxx


[Peer]

# SITE A

PublicKey = xx27xxxxx
AllowedIPs = 10.0.100.0/24, 192.168.2.0/24, 192.168.88.0/24, 192.168.1.0/24
Endpoint = SITE-A.dyndns.org:51820
PersistentKeepalive = 35

JUST TO ORIENT YOU ON WHAT IS GOING ON.

We have setup a situation where HexA/RB5009 is the MAIN wireguard server.
In that we start with the assumption that external remote devices will connect to the Hex/RB5009
All wireguard traffic goes between each device to and from the HEX/RB5009.

When traffic needs to go from hexB to UDM PRO, or vice versa it will do it via the Hex/RB5009.

By using different wireguard ports for the three devices, it's clear that users on the hexB and UDM Pro can also initiate a connection.

I provide two external wireguard clients .5 and .6, that represent the admin using a laptop remotely and an ipad/iphone remotely (hotel, coffee shop) from anywhere to reach any router.

+++++++++++++++++++++++++++++++++++++++++++++++++

With the above in mind we have to now adjust the firewall rules in the forward chain on the HexA/RB5009
FROM
add action=accept chain=forward comment="NEW defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="NEW allow port forwarding" connection-nat-state=dstnat log=yes
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
ADD RULES FOR WIREGUARD TRAFFIC HERE
add action=drop chain=forward comment="drop all else"

TO
add action=accept chain=forward comment="NEW defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="NEW allow port forwarding" connection-nat-state=dstnat log=yes
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN

add action=accept chain=forward in-interface=212-Wireguard out-interface=212-Wireguard comment="allows cross peer subnet traffic"
add action=accept chain=forward in-interface=212-Wireguard out-interface=vlan2 comment="allow wg peer traffic to local subnet 192.168.2.0/24"
add action=accept chain=forward in-interface=vlan2 out-interface=212-Wireguard comment="allow local subnet traffic to wireguard peers"

add action=drop chain=forward comment="drop all else"