Wireguard + VLAN -> Route one client through Wireguard tunnel

Hi,

Recently I upgraded my Mikrotik setup to a more advanced setup. I introduced multiple VLANs and did the configuration from scratch.
Ether 1 is my WAN, Ether 8 is the trunkport to the switch.

In my old setup with no VLANs and just one local address pool (192.168.88.0/0), I was able to route any client I wanted through the WG Tunnel by following these steps:


Wireguard Setup for RouterOS with device Selection:

  1. Add a Wireguard Interface and a Wireguard Peer using the config file given by the wireguard server
    (Endpoint-Port == Listen-Port)

  2. Create a new Table /routing/table

  3. Add a new rule (/routing/rule):
    Src.Addr: device in the network which should use Wireguard
    Action: lookup only in table
    Table: Table which was created in step 2

  4. Add new IP address (/ip/addresses):
    Address: Interface address as seen in the config file given by the wireguard server
    Interface: Choose interface created in step 1
    (This automatically creates an entry in /ip/routes)

  5. Create a new route (/ip/routes):
    Dst. Address: 0.0.0.0/0
    Gateway: Name of the Interface defined in step 1
    Routing Table: Table which was created in step 2

  6. Firewall rule (/ip/firewall/)
    Chain: srcnat
    Src.Address: 192.168.88.0/24
    Out.Interface: Interface of step 1
    Action: masquerade

Now I want the same with my more complex setup, but I am not able to get it to work.
This is my current config where I am trying to route 10.0.10.246 through the WG Tunnel, which is not working!


# 2025-01-31 09:42:21 by RouterOS 7.17
# software id = 6Y1M-YB75
#
# model = RB5009UG+S+
# serial number = <removed>
/interface bridge
add frame-types=admit-only-vlan-tagged name=BR1 vlan-filtering=yes
/interface wireguard
add comment="Mullvad WG1" listen-port=51820 mtu=1420 name=MullvadWG_1
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=CAMERAS_VLAN vlan-id=30
add interface=BR1 name=GUEST_VLAN vlan-id=20
add interface=BR1 name=IOT_VLAN vlan-id=40
add interface=BR1 name=MAIN_VLAN vlan-id=10
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wifi configuration
add country=**** disabled=no name=BASE security.authentication-types=wpa2-psk,wpa3-psk .encryption="" ssid=B1
add country=**** datapath.vlan-id=10 disabled=no name=MAIN security.authentication-types=wpa2-psk,wpa3-psk ssid=B2
add country=**** datapath.vlan-id=20 disabled=no name=GUEST security.authentication-types=wpa2-psk,wpa3-psk ssid=B3
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=SEC_IOT_CAMERAS
/interface wifi configuration
add country=**** datapath.vlan-id=40 disabled=no name=IOT security=SEC_IOT_CAMERAS ssid=CrossbonesGarden_I
add country=**** datapath.vlan-id=30 disabled=no name=CAMERAS security=SEC_IOT_CAMERAS ssid=CrossbonesGarden_C
/ip pool
add name=BASE_POOL ranges=192.168.112.10-192.168.112.254
add name=MAIN_POOL ranges=10.0.10.2-10.0.10.254
add name=GUEST_POOL ranges=10.0.20.2-10.0.20.254
add name=CAMERAS_POOL ranges=10.0.30.2-10.0.30.254
add name=IOT_POOL ranges=10.0.40.2-10.0.40.254
/ip dhcp-server
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
add address-pool=MAIN_POOL interface=MAIN_VLAN name=MAIN_DHCP
add address-pool=GUEST_POOL interface=GUEST_VLAN name=GUEST_DHCP
add address-pool=CAMERAS_POOL interface=CAMERAS_VLAN name=CAMERAS_DHCP
add address-pool=IOT_POOL interface=IOT_VLAN name=IOT_DHCP
/routing table
add disabled=no fib name=MullvadWG_1_Table
/interface bridge port
add bridge=BR1 interface=ether2 pvid=99
add bridge=BR1 interface=ether3 pvid=10
add bridge=BR1 interface=ether4 pvid=20
add bridge=BR1 interface=ether5 pvid=30
add bridge=BR1 interface=ether6 pvid=40
add bridge=BR1 comment=Trunk frame-types=admit-only-vlan-tagged interface=ether8
/ip neighbor discovery-settings
set discover-interface-list=all discover-interval=5s
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether8 untagged=ether2 vlan-ids=99
add bridge=BR1 tagged=BR1,ether8 untagged=ether3 vlan-ids=10
add bridge=BR1 tagged=BR1,ether8 untagged=ether4 vlan-ids=20
add bridge=BR1 tagged=BR1,ether8 untagged=ether5 vlan-ids=30
add bridge=BR1 tagged=BR1,ether8 untagged=ether6 vlan-ids=40
/interface list member
add interface=ether1 list=WAN
add interface=MAIN_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=CAMERAS_VLAN list=VLAN
add interface=IOT_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/interface ovpn-server server
add mac-address=FE:6D:F2:68:A5:62 name=ovpn-server1
/interface wifi capsman
set enabled=yes package-path="" require-peer-certificate=no upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled comment=EG_OG_PROVISIONING disabled=no identity-regexp=cAP112 master-configuration=BASE name-format=EG_OG_CONF_MASTER \
    slave-configurations=MAIN slave-name-format=EG_OG_CONF_SLAVE
add action=create-dynamic-enabled comment=KG_PROVISIONING disabled=no identity-regexp=wAP112 master-configuration=IOT name-format=KG_CONF_MASTER \
    slave-configurations=BASE,MAIN slave-name-format=KG_CONF_SLAVE
add action=create-dynamic-enabled comment=GUEST_PROVISIONING disabled=yes master-configuration=GUEST name-format=GUEST_CONF
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=185.209.196.76 endpoint-port=51820 interface=MullvadWG_1 name=MullvadWG_1_Peer persistent-keepalive=1m \
    public-key="<Removed by me, because of privacy reasons>"
/ip address
add address=192.168.112.1/24 interface=BASE_VLAN network=192.168.112.0
add address=10.0.10.1/24 interface=MAIN_VLAN network=10.0.10.0
add address=10.0.20.1/24 interface=GUEST_VLAN network=10.0.20.0
add address=10.0.30.1/24 interface=CAMERAS_VLAN network=10.0.30.0
add address=10.0.40.1/24 interface=IOT_VLAN network=10.0.40.0
add address=10.73.250.17 interface=MullvadWG_1 network=10.73.250.17
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=10.0.10.251 client-id=1:de:e5:7f:69:c2:12 mac-address=DE:E5:7F:69:C2:12 server=MAIN_DHCP
add address=10.0.10.246 client-id=1:80:e6:50:26:cb:8 mac-address=80:E6:50:26:CB:08 server=MAIN_DHCP
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.112.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.112.1 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=192.168.112.1 gateway=10.0.30.1
add address=10.0.40.0/24 dns-server=192.168.112.1 gateway=10.0.40.1
add address=192.168.112.0/24 dns-server=192.168.112.1 gateway=192.168.112.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall filter
add action=passthrough chain=forward comment="special dummy rule to show fasttrack counters"
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface-list=BASE
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="Drop the rest"
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="VLAN Internet access" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="BASE_VLAN Internet access" connection-state=new in-interface-list=BASE out-interface-list=WAN
add action=drop chain=forward comment="Drop the rest"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=MullvadWG_1 src-address=0.0.0.0/0
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=MullvadWG_1 routing-table=MullvadWG_1_Table suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.112.0/24 port=8080
set ssh address=192.168.112.0/24
set winbox address=192.168.112.0/24
/ip smb shares
set [ find default=yes ] directory=pub
/routing rule
add action=lookup-only-in-table disabled=no src-address=10.0.10.246 table=MullvadWG_1_Table
/system identity
set name=BBB
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

Would be awesome if you could help me!
Thanks :slight_smile:

Cheers

I appreciate any tip :slight_smile:
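The six-step procedure from the first post, carried over to the VLAN setup, as an added example (this is not the poster's config and not a Mullvad-supplied one). It reuses the names from the thread (MullvadWG_1, MullvadWG_1_Table, the WAN and VLAN interface lists, tunnel address 10.73.250.17, client 10.0.10.246); the endpoint address and public key are placeholders, and the two "keep local subnets reachable" routing rules are an assumption about the wanted behaviour, not something the original post asked for. The security-relevant details are the `lookup-only-in-table` rule, which makes the host fail closed (no tunnel route, no packet, instead of a silent fallback out ether1), and the fact that a forward chain written as "VLAN -> WAN list" drops everything leaving through the tunnel until the tunnel interface is a member of that list.

```routeros
# Added example, not from the original thread. RouterOS 7 syntax.
# Names from the thread; <server-ip> and <server-public-key> are placeholders.

# 1. Tunnel interface, peer (values from the provider's config file) and the
#    interface address the provider assigned. The /32 creates no connected
#    route, which is what we want: the only route via the tunnel is in step 2.
/interface wireguard
add name=MullvadWG_1 listen-port=51820 mtu=1420
/interface wireguard peers
add interface=MullvadWG_1 name=MullvadWG_1_Peer allowed-address=0.0.0.0/0 \
    endpoint-address=<server-ip> endpoint-port=51820 persistent-keepalive=25s \
    public-key="<server-public-key>"
/ip address
add address=10.73.250.17/32 interface=MullvadWG_1

# 2. A separate FIB holding nothing but a default route through the tunnel.
/routing table
add name=MullvadWG_1_Table fib
/ip route
add dst-address=0.0.0.0/0 gateway=MullvadWG_1 routing-table=MullvadWG_1_Table

# 3. Steer only the chosen host into that FIB. Rules are evaluated top down:
#    first let it still reach the local VLAN subnets (router DNS on
#    192.168.112.1 included) via main (assumed requirement), then force
#    everything else into the tunnel table. lookup-only-in-table means a
#    missing tunnel route drops the packet instead of using ether1.
/routing rule
add src-address=10.0.10.246/32 dst-address=10.0.0.0/8 action=lookup table=main
add src-address=10.0.10.246/32 dst-address=192.168.112.0/24 action=lookup table=main
add src-address=10.0.10.246/32 action=lookup-only-in-table table=MullvadWG_1_Table

# 4. The forward chain in the posted config accepts "in VLAN, out WAN list"
#    and drops the rest. Packets leaving via the tunnel are dropped until the
#    tunnel interface is in the WAN list.
/interface list member
add interface=MullvadWG_1 list=WAN

# 5. Source NAT: the provider accepts only packets sourced from 10.73.250.17,
#    so masquerade whatever leaves via the tunnel. With the tunnel in the WAN
#    list one rule covers both exits.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

# 6. Clamp TCP MSS inside the 1420-byte tunnel so large segments are not
#    blackholed on paths where PMTU discovery is filtered.
/ip firewall mangle
add chain=forward action=change-mss new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn out-interface=MullvadWG_1
```

Order in step 3 matters: if the catch-all `lookup-only-in-table` rule is listed first, the two `lookup table=main` rules are never reached and the host loses DNS against 192.168.112.1 even though Internet traffic flows.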

Suggest adding the WG interface to the WAN interface list:

/interface list member
add interface=MullvadWG_1 list=WAN

Don't get your point of the added bit in orange; get rid of it.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=MullvadWG_1 src-address=0.0.0.0/0

Add one of the two following rules, to help with MTU, whichever works better for you.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=MullvadWG_1

/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=MullvadWG_1 passthrough=yes protocol=tcp tcp-flags=syn
OR
add action=change-mss chain=forward new-mss=1380 out-interface=MullvadWG_1 protocol=tcp tcp-flags=syn tcp-mss=1381-65535

/interface bridge
add name=BR1 vlan-filtering=yes

/interface bridge port
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether2 pvid=99
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether3 pvid=10
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether4 pvid=20
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether5 pvid=30
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether6 pvid=40
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether8 comment=trunk

/ip neighbor discovery-settings
set discover-interface-list=BASE

/interface list member
add interface=ether1 list=WAN
add interface=MAIN_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=CAMERAS_VLAN list=VLAN
add interface=IOT_VLAN list=VLAN
add interface=BASE_VLAN list=VLAN
add interface=BASE_VLAN list=BASE

/ip firewall address-list
add address=192.168.112.XX list=Authorized comment="admin desktop"
add address=192.168.112.XY list=Authorized comment="admin laptop"

/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp

add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="admin only Access" in-interface-list=BASE src-address-list=Authorized
add action=accept chain=input comment="Allow VLAN to services" in-interface-list=VLAN dst-port=53 protocol=udp
add action=accept chain=input comment="Allow VLAN to services" in-interface-list=VLAN dst-port=53 protocol=tcp
add action=drop chain=input comment="Drop the rest"

++++++++++++++++++++
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Estab,Related&Untrack" connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="VLAN Internet access" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="admin to LAN" in-interface-list=BASE src-address-list=Authorized out-interface-list=VLAN
add action=drop chain=forward comment="Drop the rest"

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=MullvadWG_1

/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=MullvadWG_1 passthrough=yes protocol=tcp tcp-flags=syn

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE

Did Mullvad give you a DNS address as well?

That was it! Thanks :slight_smile:

@Anav, thanks for your feedback, I will adapt my config!

Just so you understand CAT's advice…

Mullvad gave you one IP address to use. That is the address they have in their peer settings for your connection.
If you send any of your internal users with their private LAN subnet IP as source, it will get rejected at the other end.
We use source NAT (like the normal local WAN) to give all OUTGOING traffic the local WAN IP of the router,
and the same goes for out the WireGuard interface. Here we give all LAN traffic the source IP of the Mullvad address, and thus all traffic is accepted at their end.

There are two ways to accomplish this:
a. add Mullvad to the WAN interface list
assumes that you have kept the default source NAT rule
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

b. Simply add another source NAT rule, for example if you changed the default rule
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=wireguard

Hi Anav,

thanks! I think your alternative suggestion (point 2) will not work on its own. Since I am using VLANs I would need to duplicate all rules where WAN is involved, correct?
e.g:

add action=accept chain=forward comment="VLAN Internet access" in-interface-list=VLAN out-interface-list=WAN

needs to be duplicated to

add action=accept chain=forward comment="VLAN Internet access" in-interface-list=VLAN out-interface=WG

Cheers

You are mixing apples and oranges.
Source nat rules are made so that the traffic leaving an interface is given the IP of that interface…

Forward chain rules are granting permission for the identified traffic to flow from indicated source to indicated destination.
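The two mechanisms the last reply separates, the forward chain (permission) and source NAT (address rewriting), fail in different ways, and the symptom "client has no Internet" does not say which one is wrong. The following is an added troubleshooting snippet, not posted in the thread, using the names from the thread (client 10.0.10.246, tunnel MullvadWG_1, forward drop rule with comment "Drop the rest"); it assumes the posted firewall layout and RouterOS 7 syntax.

```routeros
# Added example, not from the original thread. RouterOS 7.
# Tells "the forward chain dropped it" apart from "it left un-NATed and the
# far end ignored it". Client 10.0.10.246, tunnel MullvadWG_1 (names from thread).

# a) Temporary log rule placed directly above the forward "Drop the rest".
#    Lines prefixed WG-DROP in /log mean the packet reached the drop rule,
#    i.e. no accept matched: typically the tunnel is not in the WAN list that
#    the "VLAN Internet access" rule uses in out-interface-list.
/ip firewall filter
add chain=forward action=log log-prefix="WG-DROP" src-address=10.0.10.246 \
    out-interface=MullvadWG_1 \
    place-before=[find chain=forward comment="Drop the rest"]
/log print where message~"WG-DROP"

# b) Nothing logged: the packet was forwarded, so check whether source NAT
#    rewrote it. reply-dst-address must show the tunnel address (10.73.250.17
#    in the thread), not 10.0.10.246; if it shows the private address the
#    srcnat rule does not match the tunnel interface.
/ip firewall connection print where src-address~"10.0.10.246"

# c) Is the tunnel itself alive? A recent last-handshake and rising rx mean
#    the peer answers. tx rising with rx stuck means packets leave but nothing
#    comes back (wrong source address, key or endpoint).
/interface wireguard peers print detail where interface=MullvadWG_1

# d) Rule hit counters: the VLAN->WAN accept should climb for this client's
#    traffic, "Drop the rest" should not.
/ip firewall filter print stats where chain=forward

# e) Remove the diagnostic rule when done; it logs every forwarded packet
#    of that host and fills /log quickly.
/ip firewall filter remove [find log-prefix="WG-DROP"]
```

Step b is the decisive one for the thread's discussion: a connection entry that was forwarded but carries the private address as reply destination is a NAT problem, while no connection entry plus WG-DROP log lines is a forward chain problem. Fixing one does not fix the other.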