Wireguard tunnel to all clients trafic

nemocir · February 20, 2023, 12:25am

Hi
I need help in a configuration that is not working as I would like, and I tried several things like routes, gateway changes with no sucess. I work with mikrotik router for some time but still consider myself an advance newbie

Some details of the network and what is the objective. (Diagram attached and configurations of the router MKT bellow)

Both Mikrotiks are on normal home internet provides behind a ISP Router.

-A wireguard tunnel is created between them.

-All trafic from MKT2 should go thru the tunnel and get to the internet on MKT1.

-For now all lan on MKT1 is bloqued (firewall rule) from devices conected on MKT2, in the future i will give access only to one IP, if there is a better way to do it than with firewall rules i also apreciate you input, but for now my main goal is the tunnel.
rede1.vpd.jpg
I can create the tunnel and is working but all devices conected on MKT 2 get internet directly and not going thru the tunnel.

I can ping the wireguard IP thru the Winbox Terminal but not on Comand Promt win windows.

Thank for your time in helping me.

ROUTER 1 MKT1 CONFIG

# feb/19/2023 23:05:18 by RouterOS 7.7
# software id = *********
#
# model = RB4011iGS+5HacQ2HnD
# serial number = **************
/interface bridge
add admin-mac=E4:8D:8C:C8:0B:79 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1598 mac-address=E4:8D:8C:C8:0B:78 \
    speed=100Mbps
set [ find default-name=ether2 ] l2mtu=1598 mac-address=E4:8D:8C:C8:0B:79 \
    speed=100Mbps
set [ find default-name=ether3 ] l2mtu=1598 mac-address=E4:8D:8C:C8:0B:7A \
    speed=100Mbps
set [ find default-name=ether4 ] l2mtu=1598 mac-address=E4:8D:8C:C8:0B:7B \
    speed=100Mbps
/interface wireless
set [ find default-name=wlan1 ] name=wlan2 ssid=MikroTik
set [ find default-name=wlan2 ] name=wlan3 ssid=MikroTik
/interface wireguard
add listen-port=13231 mtu=1420 name=WGSERVER
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1
/ip pool
add name=dhcp ranges=192.168.5.10-192.168.5.254
/ip dhcp-server
add address-pool=dhcp disabled=yes interface=bridge name=defconf
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=*1
/ip settings
set max-neighbor-entries=2048
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=1024
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp-sfpplus1 list=WAN
/interface wireguard peers
add allowed-address=10.10.10.0/24,192.168.2.0/24 comment="Teste Martins" \
    interface=WGSERVER persistent-keepalive=10s public-key=\
    "************************************"
/ip address
add address=192.168.5.1/24 comment=defconf interface=bridge network=\
    192.168.5.0
add address=10.10.10.1/24 interface=WGSERVER network=10.10.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=sfp-sfpplus1
/ip dhcp-server network
add address=192.168.5.0/24 comment=defconf dns-server=192.168.5.1 gateway=\
    192.168.5.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.5.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input in-interface=WGSERVER
add action=accept chain=input comment="Enable Wireguard Traffic" \
    src-address-list=10.10.10.0/24
add action=accept chain=input comment="Enable WireGuard" dst-port=13231 \
    protocol=udp
add action=drop chain=input connection-state=invalid
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward disabled=yes dst-address=\
    192.168.1.2-192.168.1.254 in-interface=WGSERVER
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=jump chain=input comment="Protect Winbox from brute force" \
    dst-port=8291 in-interface=sfp-sfpplus1 jump-target=winbox protocol=tcp
add action=drop chain=winbox comment="Drop Winbox brute forcers" dst-port=\
    8291 protocol=tcp src-address-list=winbox_blacklist
add action=add-src-to-address-list address-list=winbox_blacklist \
    address-list-timeout=1w3d chain=winbox connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=winbox_stage3
add action=add-src-to-address-list address-list=winbox_stage3 \
    address-list-timeout=1m chain=winbox connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=winbox_stage2
add action=add-src-to-address-list address-list=winbox_stage2 \
    address-list-timeout=1m chain=winbox connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=winbox_stage1
add action=add-src-to-address-list address-list=winbox_stage1 \
    address-list-timeout=1m chain=winbox connection-state=new dst-port=8291 \
    protocol=tcp
add action=accept chain=winbox connection-state=new dst-port=8291 protocol=\
    tcp
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Lisbon
/system identity
set name="HOME SERVER"
/system leds
set 0 interface=wlan3 leds="wlan3_signal1-led,wlan3_signal2-led,wlan3_signal3-\
    led,wlan3_signal4-led,wlan3_signal5-led" type=wireless-signal-strength
add interface=wlan3 leds=wlan3_tx-led type=interface-transmit
add interface=wlan3 leds=wlan3_rx-led type=interface-receive
/system ntp client
set enabled=yes
/system ntp client servers
add address=pt.pool.ntp.org
add address=ntp1.tecnico.ulisboa.pt
/system resource irq rps
set ether1 disabled=no
set ether2 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set sfp-sfpplus1 disabled=no

ROUTER 2 MKT2 CONFIG

# feb/19/2023 23:06:15 by RouterOS 7.7
# software id = *******
#
# model = RB931-2nD
# serial number = ***********
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=portugal disabled=no \
    mode=ap-bridge ssid=******** wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=WGCLIENT
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.2.2-192.168.2.200
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/interface wireguard peers
add allowed-address=10.10.10.0/24,192.168.2.0/24 endpoint-address=\
    96890a0d246e.sn.mynetname.net endpoint-port=13231 interface=WGCLIENT \
    persistent-keepalive=30s public-key=\
    "*****************************************"
/ip address
add address=192.168.2.1/24 interface=bridge1 network=192.168.2.0
add address=10.10.10.111/24 interface=WGCLIENT network=10.10.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
add address=192.168.2.0/24 dns-server=8.8.8.8 gateway=192.168.2.1 netmask=24
/ip dns
set servers=192.168.2.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Lisbon
/system identity
set name=*****CLT

anav · February 20, 2023, 1:38am

The general idea will be to force all local users at R2 out the wireguard tunnel.
The best place to decide what the remote users can access at R1, is best handled by the firewall rules at R1.
For example you can elect to
a. allow some or all out the internet. ( forward chain on R1)
b. allow some or all to the local lan at R1 (forward chain on R1)
c. allow admin to configure R1 remotely from their user station at R2 ( via the input chain on R1)
d. allow admin to configure R1 remotely from the road (laptop, iphone) (via the input chain on R1 )
+++++++++++++++++++++++++++++++++++++++++++++
e. allow admin to configure R2 remotely from their user station at R1 (via the input chain on R2)
f. allow admin to configure R2 remotely from the road laptop, iphone through R1 ( via the input chain on R2)

In any case lets fix up the configs…
R2 ( client device for the initial hookup )

Quick look you have no routing for the users to go out the tunnel ??

(1) Allowed IPs…
You are confused as to the purpose of allowed IPs. it always to consider the other side.
a. what will you be reaching at the other side OR
b. what from the other side is coming here.

Thus although 10.10.10.0/24 is very good for the Wireguard network itself, putting your own local subnet there is useless.
Furthermore, what you want is to go out the internet at R1, so how do you propose to do that with those settings??
What you need is
allowed-address=0.0.0.0/0

This covers all wireguard, remote LAN destination, incoming remote LAN sources and internet!!!

(2) MISSING
a. table
b. IP route
c. Routing rule

a. /routing table add name=useWG fib
b. /ip route
add dst-address=0.0.0.0/0 gwy=WGCLIENT table=useWG
c. /routing rule add src-address=192.168.2.0/24 action=lookup table=useWG

Note: If you want your R2 users to never access their local internet if the wireguard tunnel is down change to action=lookup-only-in-table
Note: If you wanted R2 users to reach the R1 LAN but not internet you would have needed
dst-address=192.168.5.0/24 gwy=WGCLIENT routing-table=main (for local outbound or return traffic back to R1 users or both).

(3) Also you have no firewall rules, so cannot help there…

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

R1

(4) WHY is your dhcp-server disabled??
/ip dhcp-server
add address-pool=dhcp disabled=yes interface=bridge name=defconf

(5) Wireguard peers,
Allowed IPs needs one change on the server side you have to be specific for each peer regarding their wireguard IP address!!
Also you can remove the keep alive, thats not relevant for the peer settings on the R1 device.
/interface wireguard peers
add allowed-address=10.10.10.**111/32,**192.168.2.0/24 comment=“Teste Martins”
interface=WGSERVER **persistent-keepalive=**10s public-key=\

(6) Surprized you dont have other peers setup for this, like your iphone or laptop etc…

(7) Okay you asked about control and access…
What is the purpose of this rule… suggest REMOVE>
add action=accept chain=input comment=“Enable Wireguard Traffic”
src-address-list=10.10.10.0/24

It really servers little purpose. You already have a pingable testable interface on R1 due to the IP address.
This rule does not allow an admin to config the router, so its a bit of loss why its here…

Its really a duplicate of the rule previous to it… which is also TOO WIDE OPEN as it will include every R2 user!!!
add action=accept chain=input in-interface=WGSERVER
add action=accept chain=input comment=“Enable Wireguard Traffic”
src-address-list=10.10.10.0/24

If you had another WG peer like the admin coming in via wireguard, as a road warrior, then it would make sense to do it precisely
src-address=10.10.10.52 for example…

Another point there is no such thing as dst-address-list=subnet, its dst-address=subnet.

Another point a useless firewall rule blocking dst of a non-existent subnet 192.168.1.0/24

(8) OMFG please get rid of all the crap that has nothing to do with traffic you need users to pass…

(9) FTLOG please organize your firewall chains so that input chain rules and forward chain rules are together.

(10 FIXED
/interface list members
add interface=bridge list=LAN
add interface=WGSERVER list=LAN

This will be efficient for both input chain rules (access to router) and forward chain rules (access to internet)

/firewall address list
add ip-address=admin-desktop_IP list=AdminAccess (from R1) 192.168.5.AB/32
add ip-address=admin-laptop_IP list=AdminAccess (from R1) 192.168.5.CD/32
add ip-address=admin-iphone/ipad_IP list=AdminAccess (from R1) 192.168.5.RT/32
add ip-address=admin_PC_from-R2 list=AdminAccess ( thru tunnel ) 192.168.2.XX/32
add ip-address=admin-roadwarrior_IP list=AdminAccess (thru tunnel ) 10.10.10.52/32

/ip firewall filter
{Input Chain}
(default rules)
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
(admin rules)
add action=accept chain=input comment=“Handshake WG” dst-port=13231 protocol=udp
add action=accept chain=input in-interface-list=LAN src-address-list=AdminAccess
add action=accept chain=input comment=“Allow LAN DNS queries-UDP/NTP”
dst-port=53,123 in-interface-list=LAN protocol=udp
add action=accept chain=input comment=“Allow LAN DNS queries - TCP”
dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment=“drop all else” ( last rule put in or you will lock yourself out )
{forward chain}
(default rules)
add action=accept chain=forward comment=“defconf: accept in ipsec policy” ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy” ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
(admin rules)
add action=accept chain=forward comment=“allow internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“allow R2 admin access to R1 LAN” in-interface=WGSERVER src-address=192.168.2.XX dst-address=192.168.5.0/24
add action=accept chain=forward comment=“port forwarding)” connection-nat-state=dstnat {disable if not required}
add action=drop chain=forward comment=“drop all else”

all traffic is blocked unless allowed, thus I just gave one example extra rule where the admin on R2 could reach the R1 LAN.

(11) MISSING a NAT rule. Here is why…
You will have users coming from 192.168.2.0/24 going out the internet on R1.
But its clear from your diagram that your server router gets a private IP and not a public IP. 192.168.1.0 etc…
So, I can only surmize that you are ABLE TO PORT FORWARD on the ISP modem router to 192.168.1.X whatever the IP of the router is, not sure why you didnt provide it, if its a private IP…???

The users will come across the tunnel go out the WAN port of R1 and then the ISP router will funnel the requests out thru its public IP and out the internet.
The return traffic will come back to the router and when the router sees 192.168.2.X as a source address, it will then drop any such traffic.
This is due to the fact that the router does not have any such local interface!!!
Thus we need to sourcenat the wireguard traffic such that, it is given the source IP of the R1 router 192.168.1.X, and in this way, when the return traffic comes back from the internet, the ISP modem router will say, OH, I have that local interface, I know where to send the traffic. It then hits the R1 router which un-sourcenats it to the 192.168.2.X address and then the R1 router will know where to send the traffic etc… ( assuming you have an ip route for it but YOU DONT )

Thus

/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat source-address=192.168.2.0/24 out-interface-list=WAN

If you have remote road warriors wishing to use the internet then you need to add more rules.
It may be simpler just to state…
add action=masquerade chain=srcnat in-interface=WGSERVER out-interface-list=WAN

Thus anything routed out the WAN of the R1 towards the internet will get source-natted appropriately.

(12) MISSING an IP route for traffic to R2.
How will the R1 router know where to:
a. send local traffic that has destination of 192.168.2.yy ???
b. send return traffic from either the internet or return traffic being sent by the local LAN back to 192.168.2.0/24 ???

NEED
add dst-address=192.168.2.0/24 gwy=WGSERVER routing-table=main

nemocir · February 20, 2023, 6:23pm

Hi
Thank you for your time in helping me and reviewing my config. I Leave some comments and questions .
Your solution did not full worked, i just needed a little bit of time to test it and more important understand all your good and very helpful comments.

I follow your advice and something is still not working.

Some info and questions
R1 is on a DMZ but Router 2 isa simple client, do I need port forward on DMZ also? Since I initiate all the traffic on R2 I think I can go out? I am right? I tried DMZ but no difference.
I can ping the R1 WG IP on R2 terminal so I have a Tunnel.
When I try a client connected by wifi to R2 I can not get internet, if I disable route rule I can got to internet but thru local ISP ROUTER 2.
Bellow some comments on your points.
3) Since the R2 is the initiator of the tunnel and is behind a ISP router with no portforward open I do not need the Firewall rules
4) R1 for now is just the WG server, nothing will go thru him for now, some servers in the future, so I do not need dhcp for now, 192.168.5.0 for now is not used by nothing, I believe here is the problem, my bridge on R1 is on 192.168.5.1. DNS not found.

for now I only need one but will be 3 in the future, but I am going step by step, I I can not get one working, having 3…
you are right I have R1 on a DMZ , the ip is 192.168.1.111
When I try to add
add action=masquerade chain=srcnat in-interface=WGSERVER out-interface-list=WAN
I get
Couldn’t add New NAT Rule – incoming interface matching not possible in output and postrouting chains(6)

So my filling is that the DNS is not working well or bad defined, can you help

R1

# feb/20/2023 18:17:35 by RouterOS 7.7
# software id = xxxxxxxxx
#
# model = RB4011iGS+5HacQ2HnD
# serial number = xxxxxxxxxxx
/interface bridge
add admin-mac=E4:8D:8C:C8:0B:79 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1598 mac-address=E4:8D:8C:C8:0B:78 \
    speed=100Mbps
set [ find default-name=ether2 ] l2mtu=1598 mac-address=E4:8D:8C:C8:0B:79 \
    speed=100Mbps
set [ find default-name=ether3 ] l2mtu=1598 mac-address=E4:8D:8C:C8:0B:7A \
    speed=100Mbps
set [ find default-name=ether4 ] l2mtu=1598 mac-address=E4:8D:8C:C8:0B:7B \
    speed=100Mbps
/interface wireless
set [ find default-name=wlan1 ] name=wlan2 ssid=MikroTik
set [ find default-name=wlan2 ] name=wlan3 ssid=MikroTik
/interface wireguard
add listen-port=13231 mtu=1420 name=WGSERVER
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1
/ip pool
add name=dhcp ranges=192.168.5.10-192.168.5.254
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=*1
/ip settings
set max-neighbor-entries=2048
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=1024
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp-sfpplus1 list=WAN
add interface=WGSERVER list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="Teste Martins" interface=WGSERVER \
    public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
/ip address
add address=192.168.1.112 comment=defconf interface=bridge network=\
    192.168.1.0
add address=10.10.10.1/24 interface=WGSERVER network=10.10.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=sfp-sfpplus1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.5.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow R2 admin access to R1 LAN" \
    dst-address=192.168.1.0/24 in-interface=WGSERVER src-address=192.168.2.0
add action=accept chain=forward comment="port forwarding)" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Handshake WG" dst-port=13231 protocol=\
    udp
add action=accept chain=input in-interface-list=LAN src-address-list=\
    AdminAccess
add action=accept chain=input comment="Allow LAN DNS queries-UDP/NTP" \
    dst-port=53,123 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
    53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes out-interface-list=WAN \
    src-address=192.168.2.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
/ip route
add disabled=no distance=1 dst-address=192.168.2.0/24 gateway=WGSERVER \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Lisbon
/system identity
set name="HOME SERVER"
/system leds
set 0 interface=wlan3 leds="wlan3_signal1-led,wlan3_signal2-led,wlan3_signal3-\
    led,wlan3_signal4-led,wlan3_signal5-led" type=wireless-signal-strength
add interface=wlan3 leds=wlan3_tx-led type=interface-transmit
add interface=wlan3 leds=wlan3_rx-led type=interface-receive
/system ntp client
set enabled=yes
/system ntp client servers
add address=pt.pool.ntp.org
add address=ntp1.tecnico.ulisboa.pt
/system resource irq rps
set ether1 disabled=no
set ether2 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set sfp-sfpplus1 disabled=no

~

R2


# feb/20/2023 17:42:33 by RouterOS 7.7
# feb/20/2023 18:25:44 by RouterOS 7.7
# software id = xxxxxxxxx
#
# model = RB931-2nD
# serial number = xxxxxxxxxxxxx
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=portugal disabled=no \
    mode=ap-bridge ssid=NETFLXWF wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=WGCLIENT
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.2.2-192.168.2.200
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/routing table
add disabled=no fib name=UsaWireGuard
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=96890a0d246e.sn.mynetname.net \
    endpoint-port=13231 interface=WGCLIENT persistent-keepalive=30s \
    public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
/ip address
add address=192.168.2.1/24 interface=bridge1 network=192.168.2.0
add address=10.10.10.111/24 interface=WGCLIENT network=10.10.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
add address=192.168.2.0/24 gateway=192.168.2.1 netmask=24
/ip dns
set servers=192.168.1.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=WGCLIENT routing-table=\
    UsaWireGuard suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.2.0/24 table=\
    UsaWireGuard
/system clock
set time-zone-name=Europe/Lisbon
/system identity
set name=NETFLXCLT

anav · February 20, 2023, 7:28pm

Some info and questions
R1 is on a DMZ but Router 2 isa simple client, do I need port forward on DMZ also? Since I initiate all the traffic on R2 I think I can go out? I am right? I tried DMZ but no difference.
I can ping the R1 WG IP on R2 terminal so I have a Tunnel.
BETTER is to just port forward on ISP1 to R1 the wireguard port and never use DMZ if you dont have to.
No, there is no port forward or DMZ required on ISP2 for R2 the client device.

When I try a client connected by wifi to R2 I can not get internet, if I disable route rule I can got to internet but thru local ISP ROUTER 2.
So what you are saying is that clients both wired and wired on LAN2 are not able to get into the tunnel and access the internet out ISP1.
Will have to check the confiig.

Bellow some comments on your points.
3) Since the R2 is the initiator of the tunnel and is behind a ISP router with no portforward open I do not need the Firewall rules
Thats up to you. I prefer trusting MT firewalls before I trust any ISP router.
Correct in that it shouldn’t be a problem for wireguard success but will need to look at that eventually if nothing else fixes the connectivity!
4) R1 for now is just the WG server, nothing will go thru him for now, some servers in the future, so I do not need dhcp for now, 192.168.5.0 for now is not used by nothing, I believe here is the problem, my bridge on R1 is on 192.168.5.1. DNS not found.
You need BASIC structure on R1, especially because of DMZ, there is nothing wrong with having a default bridge in play.
DO NOT DISABLE dhcp server for now. So for testing purposes ensure you put back in both IP DHCP SERVER and IP DHCP_SERVER network for the bridge.

FOUND ONE ISSUE, not sure why I didnt find this the first time??? YOUR IP ADDRESS FOR THE BRIDGE is wrong. This will help wiith those DNS issues.
/ip address
add address=192.168.1.112 comment=defconf interface=bridge network=
192.168.1.0
SHOULD BE>…
add address=192.168.5.1 comment=defconf interface=bridge network=
192.168.5.0

11) you are right I have R1 on a DMZ , the ip is 192.168.1.111
When I try to add
add action=masquerade chain=srcnat in-interface=WGSERVER out-interface-list=WAN
I get Couldn’t add New NAT Rule – incoming interface matching not possible in output and postrouting chains(6)
So my filling is that the DNS is not working well or bad defined, can you help

Sorry, thats the SECOND ISSUE, my fault please ignore and remove the second masquerade rule, it is not required.
Can I assume you have IP DHCP client set to enabled…
Can I assume you have IP DHCP client add default route checkbox marked and enabled??
If so the config only requires the standard masquerade rule which you have. If it does not then we would have to add a route manually.

anav · February 20, 2023, 7:34pm

So in summary, on R1 based on your questions…

fix IP address of bridge
put back in ip dhcp server and ip dhcp-server for the bridge ( if only for testing please )
remove the second masquerade rule not needed.
confirm IP DHCP client settings.
NEW: NOT FRIGGEN NEW you failed to make this change LOL so for the second time…
ON R1 Server, Your PEER allowed address for R2 client are incorrect
It appears you want R2 users to access R1s internet correct???
allowed-addresses=10.10.10.111/32,192.168.2.0/24 would be the right ones!!
Error in the copy and paste you forget the /24.
add action=accept chain=forward comment=“allow R2 admin access to R1 LAN”
dst-address=192.168.1.0/24 in-interface=WGSERVER src-address=192.168.2.0/24****

anav · February 20, 2023, 7:42pm

Will look at R2 later!

anav · February 20, 2023, 10:00pm

R2

(1) An OOPSIE here, not sure why you have the first entry shown but it needs to be removed!!!
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
add address=192.168.2.0/24 gateway=192.168.2.1 netmask=24

(2) Other than that, I see no issues with R2, other than missing firewall rules but should not interfere with getting wireguard into the tunnel as all traffic would be allowed.

nemocir · February 20, 2023, 10:27pm

Hi, All aparently working, even if i disconect R2 he is able to create a WG Tunnel and pass all trafic at boot up without any interference.
Thank you for your help, i think i have learned, let me see if i can add anoter Peer with sucess. But for now lets test this one with the user.