wireguard with vlan bridge

I have following questions:
–WIREGUARD SETUP—
I would like to set up a WireGuard tunnel. I need to be able to reach devices on all VLANs from this tunnel. VLAN 10 is my management network, and ideally I would like the WireGuard tunnel to have an IP from this network.
– FW SETUP–
What is the best way to restrict access to VLAN 12 (servers) and VLAN 30 (smart home) for users on VLAN 100?
Current VLAN setup should stay the same.
Any help would be appreciated. Thank you.
Here is my current configuration:

2024-04-28 20:13:56 by RouterOS 7.14.1

model = RB5009UG+S+

/interface bridge
add name=br-Uplink port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=“POE swith /wi-fi” name=
“ether1-LAN-Trunk(switch)”
set [ find default-name=ether2 ] comment=proxmox name=ether2-LAN-Trunk
set [ find default-name=ether3 ] comment=“ABB IPS 2.1” name=ether3-LAN-Trunk
set [ find default-name=ether4 ] name=ether4-LAN
set [ find default-name=ether7 ] comment=mngmnt name=ether7-LAN-mngmnt
set [ find default-name=ether8 ] name=ether8-WAN-Static
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add comment=“Management VLAN” interface=br-Uplink name=Management-10 vlan-id=
10
add comment=“Smart Home VLAN” interface=br-Uplink name=“Smart Home-30”
vlan-id=30
add comment=“Users VLAN” interface=br-Uplink name=Users-100 vlan-id=100
add comment=“Servers VLAN” interface=br-Uplink name=vlan20-Servers vlan-id=20
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_management_pool ranges=192.168.10.242-192.168.10.249
add name=dhcp_users_pool ranges=192.168.100.100-192.168.100.249
add name=dhcp_smarthome_pool ranges=192.168.30.100-192.168.30.249
add name=dhcp_servers_pool ranges=192.168.12.242-192.168.12.254
/ip dhcp-server
add address-pool=dhcp_management_pool interface=Management-10 name=
dhcp-management
add address-pool=dhcp_users_pool interface=Users-100 name=dhcp-users
add address-pool=dhcp_smarthome_pool interface=“Smart Home-30” name=
“dhcp-smart home”
add address-pool=dhcp_servers_pool interface=vlan20-Servers name=dhcp-servers
/interface bridge port
add bridge=br-Uplink comment=“for KNX on the switch” interface=
“ether1-LAN-Trunk(switch)” internal-path-cost=10 path-cost=10 pvid=30
add bridge=br-Uplink interface=ether2-LAN-Trunk pvid=20
add bridge=br-Uplink interface=ether3-LAN-Trunk pvid=30
add bridge=br-Uplink interface=ether4-LAN pvid=10
/ip firewall connection tracking
set udp-timeout=10s
/interface bridge vlan
add bridge=br-Uplink comment=“Smart Home LAN” tagged=
ether2-LAN-Trunk,br-Uplink untagged=
“ether1-LAN-Trunk(switch),ether3-LAN-Trunk” vlan-ids=30
add bridge=br-Uplink comment=“wifi users” tagged=
“ether1-LAN-Trunk(switch),br-Uplink,ether2-LAN-Trunk” vlan-ids=100
add bridge=br-Uplink tagged=
“ether1-LAN-Trunk(switch),br-Uplink,ether2-LAN-Trunk” vlan-ids=10
add bridge=br-Uplink tagged=“ether1-LAN-Trunk(switch),br-Uplink” untagged=
ether2-LAN-Trunk vlan-ids=20
/interface list member
add interface=ether8-WAN-Static list=WAN
add interface=Management-10 list=LAN
add interface=br-Uplink list=LAN
add interface=Users-100 list=LAN
/ip address
add address=XXX.XXX.32.41/24 interface=ether8-WAN-Static network=XXX.XXX.32.0
add address=192.168.12.1/24 interface=vlan20-Servers network=192.168.12.0
add address=192.168.100.1/24 interface=Users-100 network=192.168.100.0
add address=192.168.10.1/24 interface=Management-10 network=192.168.10.0
add address=192.168.30.1/24 interface=“Smart Home-30” network=192.168.30.0
/ip dhcp-server lease
add address=192.168.10.250 client-id=1:d8:d0:90:1b:5b:af comment=
“Lubo Yoga Wired” mac-address=D8:D0:90:1B:5B:AF server=dhcp-management
add address=192.168.10.6 client-id=1:1c:61:b4:14:a0:2c comment=
“TP Link EAP 615 Bedroom” mac-address=1C:61:B4:14:A0:2C server=
dhcp-management
add address=192.168.10.5 client-id=1:1c:61:b4:14:a9:a8 comment=
“TP Link EAP 615 Living Room” mac-address=1C:61:B4:14:A9:A8 server=
dhcp-management
add address=192.168.100.204 client-id=1:48:a6:b8:7:73:e2 comment=“Sonos ARC”
mac-address=48:A6:B8:07:73:E2 server=dhcp-users
add address=192.168.100.249 client-id=1:72:70:2a:fe:13:ab comment=
“iPad Living Room” mac-address=72:70:2A:FE:13:AB server=dhcp-users
add address=192.168.100.203 client-id=1:54:2a:1b:23:ee:38 comment=“Sonos SUB”
mac-address=54:2A:1B:23:EE:38 server=dhcp-users
add address=192.168.100.202 client-id=1:f0:f6:c1:c5:cf:d4 comment=
“Sonos ERA 300” mac-address=F0:F6:C1:C5:CF:D4 server=dhcp-users
add address=192.168.100.201 client-id=1:f0:f6:c1:c5:cf:58 comment=
“Sonos ERA 300” mac-address=F0:F6:C1:C5:CF:58 server=dhcp-users
add address=192.168.30.2 client-id=1:2:78:7f:7f:66:2e comment=
“Home Assistant” mac-address=02:78:7F:7F:66:2E server=“dhcp-smart home”
add address=192.168.30.205 client-id=1:64:d2:c4:e1:f5:dc comment=
“Apple TV Bedroom - Wireless” mac-address=64:D2:C4:E1:F5:DC server=
“dhcp-smart home”
add address=192.168.30.3 comment=“ABB IPS2.1 (KNX)” mac-address=
00:0C:DE:93:50:5A server=“dhcp-smart home”
add address=192.168.30.250 client-id=1:b0:a4:60:9a:8c:1a comment=
“YOGA camelot” mac-address=B0:A4:60:9A:8C:1A server=“dhcp-smart home”
add address=192.168.100.250 client-id=1:b0:a4:60:9a:8c:1a comment=
“YOGA castle” mac-address=B0:A4:60:9A:8C:1A server=dhcp-users
add address=192.168.30.4 client-id=1:0:24:6d:2:a6:6c comment=1HOME
mac-address=00:24:6D:02:A6:6C server=“dhcp-smart home”
add address=192.168.30.5 client-id=1:64:d2:c4:d4:fb:c7 comment=
“Apple TV Bedroom - Wired” mac-address=64:D2:C4:D4:FB:C7 server=
“dhcp-smart home”
/ip dhcp-server network
add address=192.168.10.0/24 comment=mngmt gateway=192.168.10.1
add address=192.168.12.0/24 comment=servers gateway=192.168.12.1
add address=192.168.30.0/24 comment=“smart home” gateway=192.168.30.1
add address=192.168.100.0/24 comment=users gateway=192.168.100.1
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=192.168.12.0/24 list=Servers
add address=192.168.100.0/24 list=Users
add address=192.168.30.0/24 list=SmartHome
add address=192.168.10.248/29 list=Admins
add address=192.168.12.0/24 list=LAN
add address=192.168.30.0/24 list=LAN
add address=192.168.10.0/24 list=LAN
add address=192.168.100.0/24 list=LAN
add address=192.168.12.248/29 list=Admins
add address=192.168.30.248/29 list=Admins
add address=192.168.100.248/29 list=Admins
add address=88.203.229.253 list=Svetulcho
/ip firewall filter
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=accept chain=forward comment=“allow internet traffic”
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input in-interface-list=LAN
add action=accept chain=forward comment=“Allow HTTPS from WAN to nginx proxy”
dst-address=192.168.12.254 dst-port=443 in-interface=ether8-WAN-Static
protocol=tcp
add action=accept chain=forward comment=“Allow access from WAN to Plex”
dst-address=192.168.12.140 dst-port=32400 in-interface=ether8-WAN-Static
protocol=tcp
add action=accept chain=input comment=“Svetulcho remote access” dst-port=8291
protocol=tcp src-address-list=Svetulcho
add action=drop chain=input comment=“Drop All Incoming Traffic from WAN”
in-interface=ether8-WAN-Static
add action=accept chain=forward comment=“allow access from LAN to Plex”
dst-address=192.168.12.140 dst-port=32400 protocol=tcp src-address-list=
LAN
add action=drop chain=forward comment=
“block users from access to servers LAN list” dst-address-list=Servers
src-address=192.168.100.0/24
add action=drop chain=forward comment=
“block Users access to Smart Home Network” dst-address-list=SmartHome
src-address=192.168.100.0/24
add action=accept chain=input comment=“Allow Access to Mikrotik for Admins”
dst-port=22,23,8291,8728 protocol=tcp src-address=192.168.30.248/29
add action=accept chain=input comment=“Allow Access to Mikrotik for Admins”
dst-port=22,23,8291,8728 protocol=tcp src-address=192.168.10.248/29
add action=drop chain=input comment=“Restrict Access to Mikrotik for LAN”
dst-port=22,23,8291,8728 protocol=tcp src-address-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether8-WAN-Static
add action=dst-nat chain=dstnat comment=“port 443 to nginx proxy” dst-port=
443 in-interface=ether8-WAN-Static protocol=tcp to-addresses=
192.168.12.254 to-ports=443
add action=dst-nat chain=dstnat comment=“port 32400 to Plex” dst-port=32400
in-interface=ether8-WAN-Static protocol=tcp to-addresses=192.168.12.140
to-ports=32400
add action=masquerade chain=srcnat comment=“hairpin rule for LAN interfaces”
dst-address=192.168.12.0/24 src-address-list=LAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=XXX.XXX.32.1 routing-table=main
suppress-hw-offload=no
/system clock
set time-zone-name=Europe/XXX
/system identity
set name=RB5009
/system note
set show-at-login=no
/tool sniffer
set filter-interface=ether2-LAN-Trunk

Please edit your post and use proper code tags; outside code tags the forum turns straight quotes into curly quotes (as in the export above), which RouterOS will not accept when the lines are pasted back.

What you would like is not itself a requirement; the requirement is which traffic your users, and you as admin, need.
The WireGuard subnet is therefore its own, separate address range.
Through firewall rules you decide which, if any, WireGuard remote users get access to the router for configuration purposes, and to the LANs as well.

You need to create the WireGuard interface; the suggested name is wireguard1 and the suggested listen port is 14567.
/ip address
add address=10.10.20.1/24 interface=wireguard1 network=10.10.20.0

Since you have a management VLAN, create a MGMT interface list.
Add your management VLAN to that list.
Add the WireGuard interface to that list.

Create a firewall address list of the authorized users that can access the router for configuration purposes.
/ip firewall address-list { using mostly static dhcp leases }
add address=192.168.10.X/32 list=Authorized comment=“admin desktop local”
add address=192.168.10.Y/32 l list=Authorized comment=“admin laptop wired local”
add address=192.168.10.Z/32 l list=Authorized comment=“admin laptop wifi local”
add address=10.10.20.2/32 list=Authorized comment=“admin laptop remote wireguard”
add address=10.10.20.3/32 list=Authorized comment=“admin smartphone/ipad remote wireguard”

/interface list
add name=LAN
add name=WAN
add name=MGMT

/interface list member
add interface=ether8-WAN-Static list=WAN
add interface=Management-10 list=LAN
add interface=br-Uplink list=LAN
add interface=Users-100 list=LAN
add interface=wireguard1 list=LAN
add interface=wireguard1 list=MGMT
add interface=Management-10 list=MGMT

add input chain=input action=accept in-interface-list=MGMT src-address-list=Authorized


FIXED bridge ports and bridge VLANs (assumes ether1–ether3 are trunk ports, not hybrid ports, and ether4 is an access port).
/interface bridge port
add bridge=br-Uplink ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1-LAN-Trunk comment=“KNX switch”
add bridge=br-Uplink ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether2-LAN-Trunk
add bridge=br-Uplink ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether3-LAN-Trunk
add bridge=br-Uplink ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether4-LAN pvid=10

/interface bridge vlan
add bridge=br-Uplink tagged=br-Uplink,ether2-LAN-Trunk,ether3-LAN-Trunk vlan-id=20,30,100
add bridge=br-Uplink tagged=br-Uplink,ether2-LAN-Trunk,ether2-LAN-trunk untagged=ether4-LAN vlan-ids=10

Fixed firewall rules.

This is not a legitimate rule, or at least not the right way to reach a server… remove it. Perhaps you meant to do this with port-forwarding (dstnat) rules?
add action=accept chain=forward comment=“Allow HTTPS from WAN to nginx proxy”
dst-address=192.168.12.254 dst-port=443 in-interface=ether8-WAN-Static
protocol=tcp

This is not a secure rule: it leaves Winbox (8291) reachable from the WAN for whoever holds that public IP. Use WireGuard to access the router and then do your config, so treat this rule as temporary until you have WireGuard access…
add action=accept chain=input comment=“Svetulcho remote access” dst-port=8291
protocol=tcp src-address-list=Svetulcho
Also, I recommend you change Winbox from its default port!!

/ip firewall filter
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=accept chain=forward comment=“allow internet traffic”
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“allow access from LAN to Plex”
dst-address=192.168.12.140 dst-port=32400 protocol=tcp src-address-list=LAN
add action=accept chain=forward in-interface-list=MGMT src-address-list=Authorized out-interface-list=LAN
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat
add action=drop chain=forward comment=“Drop all else”
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=input comment=connection-state=
established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=14567 protocol=udp comment=“wireguard handshake”
add input chain=input action=accept in-interface-list=MGMT src-address-list=Authorize
add action=accept chain=input in-interface-list=LAN comment=“users to services”
dst-port=53 protocol=udp
add action=accept chain=input in-interface-list=LAN comment=“users to services”
dst-port=53 protocol=tcp
add action=drop chain=input comment=“Drop all else” { ensure this is the last rule you enter so you dont lock yourself out }

Looking at the NAT rules: if users in the same LAN as the servers will reach the servers via a DynDNS URL rather than the direct LAN IP, then you need a hairpin NAT rule.
If the users are in different subnets, then you don't need a hairpin NAT rule.
Since you have segregated users from servers etc., it would seem you don't need a hairpin NAT rule.

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether8-WAN-Static
add action=dst-nat chain=dstnat comment=“port 443 to nginx proxy” dst-port=
443 in-interface=ether8-WAN-Static protocol=tcp to-addresses=
192.168.12.254 to-ports=443
add action=dst-nat chain=dstnat comment=“port 32400 to Plex” dst-port=32400
in-interface=ether8-WAN-Static protocol=tcp to-addresses=192.168.12.140
to-ports=32400

I followed most of the suggestions, except some of the VLAN ones. I have an unmanaged switch connected to my router and because of that I cannot apply all the filters. I have 2 Wi-Fi networks: one is VLAN 100, and the other, VLAN 30, is for smart home devices and my laptop only. Because the Wi-Fi APs are powered through PoE on the switch, I have to keep my bridge VLAN setup. I fixed the FW rules. I added the WireGuard tunnel.
I need to restrict access to VLAN 30 (smart home) and VLAN 20 (servers) for users on VLAN 100, with some exceptions. For instance, 192.168.30.3:80 should be accessible from the LAN. Plex at 192.168.12.140:32400 should also be accessible from the LAN.

Current issues:
1. When connected through this tunnel I still cannot access anything. I can see on my Windows PC that I'm connected to the tunnel, but no gateway appears on the connection.
2. No internet connection for VLAN 30.
3. Cannot ping any of the servers on 192.168.12.0/24 or the smart home devices on 192.168.30.0/24.

Here is my current config:

2024-04-29 10:43:47 by RouterOS 7.14.1

software id = YDH9-P57P

model = RB5009UG+S+

/interface bridge
add name=br-Uplink port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=“POE swith /wi-fi” name=
“ether1-LAN-Trunk(switch)”
set [ find default-name=ether2 ] comment=proxmox name=ether2-LAN-Trunk
set [ find default-name=ether3 ] comment=“ABB IPS 2.1” name=ether3-LAN-Trunk
set [ find default-name=ether4 ] name=ether4-LAN
set [ find default-name=ether7 ] comment=mngmnt name=ether7-LAN-mngmnt
set [ find default-name=ether8 ] name=ether8-WAN-Static
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireguard
add listen-port=14567 mtu=1420 name=wireguard1
/interface vlan
add comment=“Management VLAN” interface=br-Uplink name=Management-10 vlan-id=
10
add comment=“Smart Home VLAN” interface=br-Uplink name=“Smart Home-30”
vlan-id=30
add comment=“Users VLAN” interface=br-Uplink name=Users-100 vlan-id=100
add comment=“Servers VLAN” interface=br-Uplink name=vlan20-Servers vlan-id=20
/interface list
add name=LAN
add name=WAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_management_pool ranges=192.168.10.242-192.168.10.249
add name=dhcp_users_pool ranges=192.168.100.100-192.168.100.249
add name=dhcp_smarthome_pool ranges=192.168.30.100-192.168.30.249
add name=dhcp_servers_pool ranges=192.168.12.242-192.168.12.254
/ip dhcp-server
add address-pool=dhcp_management_pool interface=Management-10 name=
dhcp-management
add address-pool=dhcp_users_pool interface=Users-100 name=dhcp-users
add address-pool=dhcp_smarthome_pool interface=“Smart Home-30” name=
“dhcp-smart home”
add address-pool=dhcp_servers_pool interface=vlan20-Servers name=dhcp-servers
/interface bridge port
add bridge=br-Uplink comment=“unmanaged switch” interface=
“ether1-LAN-Trunk(switch)” internal-path-cost=10 path-cost=10 pvid=30
add bridge=br-Uplink comment=proxmox interface=ether2-LAN-Trunk pvid=20
add bridge=br-Uplink comment=“ABB IPS” frame-types=
admit-only-untagged-and-priority-tagged interface=ether3-LAN-Trunk pvid=
30
add bridge=br-Uplink comment=“office(right socket)” frame-types=
admit-only-untagged-and-priority-tagged interface=ether4-LAN pvid=10
/ip firewall connection tracking
set udp-timeout=10s
/interface bridge vlan
add bridge=br-Uplink tagged=ether2-LAN-Trunk,br-Uplink untagged=
“ether1-LAN-Trunk(switch),ether3-LAN-Trunk” vlan-ids=30
add bridge=br-Uplink comment=“wifi users” tagged=
“ether1-LAN-Trunk(switch),br-Uplink,ether2-LAN-Trunk” vlan-ids=100
add bridge=br-Uplink tagged=
“ether1-LAN-Trunk(switch),br-Uplink,ether2-LAN-Trunk” vlan-ids=10
add bridge=br-Uplink tagged=“ether1-LAN-Trunk(switch),br-Uplink” untagged=
ether2-LAN-Trunk vlan-ids=20
/interface list member
add interface=ether8-WAN-Static list=WAN
add interface=Management-10 list=LAN
add interface=br-Uplink list=LAN
add interface=Users-100 list=LAN
add interface=wireguard1 list=LAN
add interface=wireguard1 list=MGMT
add interface=Management-10 list=MGMT
/interface wireguard peers
add allowed-address=10.10.20.2/32 client-address=10.10.20.2/32 client-dns=
8.8.8.8 client-endpoint=151.237.32.41 endpoint-port=14567 interface=
wireguard1 public-key=“zAP+f8dzG9G0mgJVwPVWNbpbH6+SMTnZxVlVN+sjAQ0=”
/ip address
add address=XXX.XXX.32.41/24 interface=ether8-WAN-Static network=XXX.XXX.32.0
add address=192.168.12.1/24 interface=vlan20-Servers network=192.168.12.0
add address=192.168.100.1/24 interface=Users-100 network=192.168.100.0
add address=192.168.10.1/24 interface=Management-10 network=192.168.10.0
add address=192.168.30.1/24 interface=“Smart Home-30” network=192.168.30.0
add address=10.10.20.1/24 interface=wireguard1 network=10.10.20.0
/ip dhcp-server lease
add address=192.168.10.250 client-id=1:d8:d0:90:1b:5b:af comment=
“Lubo Yoga Wired” mac-address=D8:D0:90:1B:5B:AF server=dhcp-management
add address=192.168.10.6 client-id=1:1c:61:b4:14:a0:2c comment=
“TP Link EAP 615 Bedroom” mac-address=1C:61:B4:14:A0:2C server=
dhcp-management
add address=192.168.10.5 client-id=1:1c:61:b4:14:a9:a8 comment=
“TP Link EAP 615 Living Room” mac-address=1C:61:B4:14:A9:A8 server=
dhcp-management
add address=192.168.100.204 client-id=1:48:a6:b8:7:73:e2 comment=“Sonos ARC”
mac-address=48:A6:B8:07:73:E2 server=dhcp-users
add address=192.168.100.249 client-id=1:72:70:2a:fe:13:ab comment=
“iPad Living Room” mac-address=72:70:2A:FE:13:AB server=dhcp-users
add address=192.168.100.203 client-id=1:54:2a:1b:23:ee:38 comment=“Sonos SUB”
mac-address=54:2A:1B:23:EE:38 server=dhcp-users
add address=192.168.100.202 client-id=1:f0:f6:c1:c5:cf:d4 comment=
“Sonos ERA 300” mac-address=F0:F6:C1:C5:CF:D4 server=dhcp-users
add address=192.168.100.201 client-id=1:f0:f6:c1:c5:cf:58 comment=
“Sonos ERA 300” mac-address=F0:F6:C1:C5:CF:58 server=dhcp-users
add address=192.168.30.2 client-id=1:2:78:7f:7f:66:2e comment=
“Home Assistant” mac-address=02:78:7F:7F:66:2E server=“dhcp-smart home”
add address=192.168.30.205 client-id=1:64:d2:c4:e1:f5:dc comment=
“Apple TV Bedroom - Wireless” mac-address=64:D2:C4:E1:F5:DC server=
“dhcp-smart home”
add address=192.168.30.3 comment=“ABB IPS2.1 (KNX)” mac-address=
00:0C:DE:93:50:5A server=“dhcp-smart home”
add address=192.168.30.250 client-id=1:b0:a4:60:9a:8c:1a comment=
“YOGA camelot” mac-address=B0:A4:60:9A:8C:1A server=“dhcp-smart home”
add address=192.168.100.250 client-id=1:b0:a4:60:9a:8c:1a comment=
“YOGA castle” mac-address=B0:A4:60:9A:8C:1A server=dhcp-users
add address=192.168.30.4 client-id=1:0:24:6d:2:a6:6c comment=1HOME
mac-address=00:24:6D:02:A6:6C server=“dhcp-smart home”
add address=192.168.30.5 client-id=1:64:d2:c4:d4:fb:c7 comment=
“Apple TV Bedroom - Wired” mac-address=64:D2:C4:D4:FB:C7 server=
“dhcp-smart home”
/ip dhcp-server network
add address=192.168.10.0/24 comment=mngmt gateway=192.168.10.1
add address=192.168.12.0/24 comment=servers gateway=192.168.12.1
add address=192.168.30.0/24 comment=“smart home” gateway=192.168.30.1
add address=192.168.100.0/24 comment=users gateway=192.168.100.1
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=192.168.12.0/24 list=Servers
add address=192.168.100.0/24 list=Users
add address=192.168.30.0/24 list=SmartHome
add address=192.168.12.0/24 list=LAN
add address=192.168.30.0/24 list=LAN
add address=192.168.10.0/24 list=LAN
add address=192.168.100.0/24 list=LAN
add address=88.203.229.253 list=Svetulcho
add address=192.168.10.250 comment=“admin local” list=Authorized
add address=192.168.30.250 comment=“admin wifi” list=Authorized
add address=10.10.20.2 comment=“admin remote wireguard” list=Authorized
add address=10.10.20.3 comment=“admin remote ios wireguard” list=Authorized
/ip firewall filter
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=accept chain=forward comment=“allow internet traffic”
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“allow access from LAN to Plex”
dst-address=192.168.12.140 dst-port=32400 protocol=tcp src-address-list=
LAN
add action=accept chain=forward in-interface-list=MGMT out-interface-list=LAN
src-address-list=Authorized
add action=accept chain=forward comment=“port forwarding”
connection-nat-state=dstnat
add action=drop chain=forward comment=“Drop all else”
add action=accept chain=input comment=
“accept established, related, untracked” connection-state=
established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment=“wireguard handshake” dst-port=14567
protocol=udp
add action=accept chain=input comment=“wireguard handshake” dst-port=14567
protocol=udp
add action=accept chain=input in-interface-list=MGMT src-address-list=
Authorize
add action=accept chain=input comment=“users to services” dst-port=53
in-interface-list=LAN protocol=udp
add action=accept chain=input comment=“users to services” dst-port=53
in-interface-list=LAN protocol=tcp
add action=drop chain=input comment=“Drop all else”
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether8-WAN-Static
add action=dst-nat chain=dstnat comment=“port 443 to nginx proxy” dst-port=
443 in-interface=ether8-WAN-Static protocol=tcp to-addresses=
192.168.12.254 to-ports=443
add action=dst-nat chain=dstnat comment=“port 32400 to Plex” dst-port=32400
in-interface=ether8-WAN-Static protocol=tcp to-addresses=192.168.12.140
to-ports=32400
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=XXX.XXX.32.1 routing-table=main
suppress-hw-offload=no
/system clock
set time-zone-name=Europe
/system identity
set name=RB5009
/system note
set show-at-login=no
/tool sniffer
set filter-interface=ether2-LAN-Trunk

Since your text does not match reality and the config is mixed up, tell me what is connected to each port:
ether1 ( unmanaged switch / managed switch / dumb AP / smart AP, dumb device like PC )?
ether2 ( unmanaged switch / managed switch / dumb AP / smart AP, dumb device like PC )?
ether3 ( unmanaged switch / managed switch / dumb AP / smart AP, dumb device like PC )?
ether4 ( unmanaged switch / managed switch / dumb AP / smart AP, dumb device like PC )?
ether7 ( unmanaged switch / managed switch / dumb AP / smart AP, dumb device like PC )?

Ports:
eth1 - unmanaged PoE switch. On the switch I have the smart home IP gateway; I cannot change the VLAN on this device. I also have APs connected on VLAN 10. On the APs I have 5 GHz on VLAN 30 (smart home)
and 2.4 GHz on VLAN 100 (home users). VLAN 30 must be untagged.
eth2 - proxmox. I need VLAN 20 (untagged) and VLAN 30.
eth3 - VLAN 30, backup IP gateway for smart home devices.
eth4 - VLAN 10 MGMT (my computer).

VLANS:
VLAN 10 - MGMT VLAN, range 192.168.10.248/29 - access to LAN and WAN
VLAN 20 - Servers - access to WAN
VLAN 30 - Smart Home - access to WAN. Range 192.168.30.248/29 (Wi-Fi MGMT)
VLAN 100 - Users - access to WAN. Access to Plex 192.168.12.140:32400 and the Home Assistant server 192.168.30.3:80
I need the WireGuard client to have access to the LAN like VLAN 10.



Excellent stuff 
......
......
anav

STOP in the name ov coding

And in keeping with your outstanding direction, why is it so hard for you to use code tags, which make it far easier to follow each of your coded steps… then perhaps the people you are helping would follow your direction by also using code tags for their code :smiley:

I cannot help further as I don't support using an unmanaged switch for multiple VLANs. Hopefully somebody else will.

Conscientious objector? :open_mouth:

I cannot guarantee success when out of my element… the same goes for CAPsMAN, IPv6, etc…

Please can you reconsider. I followed your instructions and now I'm stuck in the middle. In my case the unmanaged switch is not the problem; the VLANs are passed through. Disregard the switch setup. Please, I need help with the FW and WG. Thanks.

Okay, so let's say the VLANs are all visible on the unmanaged switch; I can pretend that, LOL.
In any case the unmanaged switch needs VLAN 30 passed as untagged, and thus the port has to be considered a hybrid port.

That is for ether1.
What is the case for the others?
ether2 also appears to be asking for hybrid, one untagged and one tagged; assuming your proxmox can handle it, okay, fair enough.
ether3 appears to be an access port: one untagged VLAN.
ether4 appears to be a true access port: only one untagged VLAN.

STOP in the name ov coding

And in keeping with your outstanding direction, why is it so hard for you to use code tags, which make it far easier to follow each of your coded steps… then perhaps the people you are helping would follow your direction by also using code tags for their code :smiley:

I am doing you a favour, building up your scroll wheel finger :stuck_out_tongue_winking_eye:

MODIFIED NAMES TO MAKE SENSE

/interface ethernet
set [ find default-name=ether1 ] comment="POE swith /wi-fi" name=ether1-LAN-Hybrid
set [ find default-name=ether2 ] comment="proxmox" name=ether2-LAN-Hybrid
set [ find default-name=ether3 ] comment="ABB IPS 2.1" name=ether3-LAN-Access
set [ find default-name=ether4 ] name=ether4-LAN
set [ find default-name=ether7 ] comment="mngmnt" name=ether7-LAN-mngmnt
set [ find default-name=ether8 ] name=ether8-WAN-Static
set [ find default-name=sfp-sfpplus1 ] disabled=yes

FIXED

/interface bridge port
add bridge=br-Uplink comment="unmanaged switch poe"  interface=ether1-LAN-Hybrid  pvid=30
add bridge=br-Uplink comment="proxmox" interface=ether2-LAN-Hybrid pvid=20
add bridge=br-Uplink comment="ABB IPS" ingress-filtering=yes frame-types=\
admit-only-untagged-and-priority-tagged interface=ether3-LAN-Access pvid=\
30
add bridge=br-Uplink comment="office(right socket)" ingress-filtering=yes frame-types=\
admit-only-untagged-and-priority-tagged interface=ether4-LAN pvid=10
add bridge=br-Uplink comment="unknown" ingress-filtering=yes frame-types=\
admit-only-untagged-and-priority-tagged interface=ether7-LAN-mngmnt pvid=10

/interface bridge vlan
add bridge=br-Uplink tagged=br-Uplink,ether1-LAN-Hybrid,ether2-LAN-Hybrid
untagged=ether4-LAN,ether7-LAN-mngmnt vlan-ids=10
add bridge=br-Uplink tagged=br-Uplink,ether1-LAN-Hybrid untagged=ether2-LAN-Hybrid vlan-ids=20
add bridge=br-Uplink tagged=br-Uplink,ether2-LAN-Trunk untagged=
ether1-LAN-Hybrid,ether3-LAN-Access vlan-ids=30
add bridge=br-Uplink tagged=br-Uplink,ether1-LAN-Hybrid,ether2-LAN-Hybrid vlan-ids=100

For the filter rules: you have a duplicate input chain rule for the WireGuard handshake, get rid of one of them! Your MGMT input rule also references the list `Authorize` while the address list is named `Authorized`, so it matches nothing and new Winbox/SSH connections to the router from MGMT (including over WireGuard) fall through to the input "Drop all else"; the corrected rule is below. Note too that only Management-10, Users-100, br-Uplink and wireguard1 are members of the LAN interface list, so traffic from "Smart Home-30" and vlan20-Servers never matches in-interface-list=LAN and hits the forward "Drop all else", which would explain the missing internet on VLAN 30.
/ip firewall filter
add action=accept chain=input in-interface-list=MGMT src-address-list=
Authorized

Thank you for your help. I followed the instructions.
My current problems are:
How do I set up the WireGuard client to be part of MGMT, and set up its gateway?
How do I give the MGMT VLAN access to all the other VLANs?
Config after the changes:

2024-04-29 20:18:58 by RouterOS 7.14.1

software id = YDH9-P57P

model = RB5009UG+S+

/interface bridge
add name=br-Uplink port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=“POE swith /wi-fi” name=
ether1-LAN-Hybrid
set [ find default-name=ether2 ] comment=proxmox name=ether2-LAN-Hybrid
set [ find default-name=ether3 ] comment=“ABB IPS 2.1” name=ether3-LAN-Access
set [ find default-name=ether4 ] name=ether4-LAN
set [ find default-name=ether7 ] comment=mngmnt name=ether7-LAN-mngmnt
set [ find default-name=ether8 ] name=ether8-WAN-Static
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireguard
add listen-port=14567 mtu=1420 name=wireguard1
/interface vlan
add comment=“Management VLAN” interface=br-Uplink name=Management-10 vlan-id=
10
add comment=“Smart Home VLAN” interface=br-Uplink name=“Smart Home-30”
vlan-id=30
add comment=“Users VLAN” interface=br-Uplink name=Users-100 vlan-id=100
add comment=“Servers VLAN” interface=br-Uplink name=vlan20-Servers vlan-id=20
/interface list
add name=LAN
add name=WAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_management_pool ranges=192.168.10.242-192.168.10.249
add name=dhcp_users_pool ranges=192.168.100.100-192.168.100.249
add name=dhcp_smarthome_pool ranges=192.168.30.100-192.168.30.249
add name=dhcp_servers_pool ranges=192.168.12.242-192.168.12.254
/ip dhcp-server
add address-pool=dhcp_management_pool interface=Management-10 name=
dhcp-management
add address-pool=dhcp_users_pool interface=Users-100 name=dhcp-users
add address-pool=dhcp_smarthome_pool interface=“Smart Home-30” name=
“dhcp-smart home”
add address-pool=dhcp_servers_pool interface=vlan20-Servers name=dhcp-servers
/interface bridge port
# ether1: hybrid port to the unmanaged PoE switch and the APs. Untagged = VLAN 30
# (pvid), tagged 10/20/100 per the VLAN table below. NOTE(review): no frame-types
# restriction is set on this port, so anything plugged into that unmanaged switch
# can send 802.1Q-tagged frames and land in the management VLAN 10 (or 20/100).
# Only tag VLAN 10 here if the APs really need it, and treat that switch as
# untrusted.
add bridge=br-Uplink comment=“unmanaged switch poe” interface=
ether1-LAN-Hybrid internal-path-cost=10 path-cost=10 pvid=30
# ether2: Proxmox host. Untagged = VLAN 20 (servers), tagged 10/30/100.
add bridge=br-Uplink comment=proxmox interface=ether2-LAN-Hybrid pvid=20
# ether3 / ether4 / ether7: access ports that only admit untagged frames
# (VLAN 30 / 10 / 10 respectively).
add bridge=br-Uplink comment=“ABB IPS” frame-types=
admit-only-untagged-and-priority-tagged interface=ether3-LAN-Access pvid=
30
add bridge=br-Uplink comment=“office(right socket)” frame-types=
admit-only-untagged-and-priority-tagged interface=ether4-LAN pvid=10
add bridge=br-Uplink comment=unknown frame-types=
admit-only-untagged-and-priority-tagged interface=ether7-LAN-mngmnt pvid=
10
/ip firewall connection tracking
# 10s appears to be the RouterOS default UDP timeout; exported because it was
# set explicitly. WireGuard keepalives (25-35s) rely on the tunnel being accepted
# directly in the input chain, not on this entry.
set udp-timeout=10s
/interface bridge vlan
# Static VLAN table. br-Uplink itself is tagged in every VLAN so the router's
# VLAN interfaces receive the traffic. ether4/ether7 are not listed for VLAN 10:
# RouterOS should add pvid ports as dynamic untagged members -- verify with
# "/interface bridge vlan print" that the dynamic (D) entries appear.
add bridge=br-Uplink tagged=ether2-LAN-Hybrid,br-Uplink untagged=
ether1-LAN-Hybrid,ether3-LAN-Access vlan-ids=30
add bridge=br-Uplink comment=“wifi users” tagged=
ether1-LAN-Hybrid,br-Uplink,ether2-LAN-Hybrid vlan-ids=100
add bridge=br-Uplink tagged=ether1-LAN-Hybrid,br-Uplink,ether2-LAN-Hybrid
vlan-ids=10
add bridge=br-Uplink tagged=ether1-LAN-Hybrid,br-Uplink untagged=
ether2-LAN-Hybrid vlan-ids=20
/interface list member
add interface=ether8-WAN-Static list=WAN
# LAN membership is what the "allow internet traffic" forward rule matches
# (in-interface-list=LAN). As posted, “Smart Home-30” and vlan20-Servers are NOT
# members, so traffic from those VLANs falls through to "Drop all else";
# br-Uplink is a member although it is the parent bridge, not a routed VLAN here.
add interface=Management-10 list=LAN
add interface=br-Uplink list=LAN
add interface=Users-100 list=LAN
add interface=wireguard1 list=LAN
# MGMT (wireguard1 + VLAN 10) is the only source allowed to reach the router's
# services and to initiate connections into other VLANs, and then only from
# addresses on the Authorized address list.
add interface=wireguard1 list=MGMT
add interface=Management-10 list=MGMT
/interface wireguard peers
# Single remote peer. allowed-address=10.10.20.2/32 is all the router will accept
# from (and route to) this peer. client-address / client-dns / client-endpoint
# only feed the client config generated by the router; endpoint-port without an
# endpoint-address should have no effect for a road-warrior peer and can be
# dropped. public-key here is the CLIENT's key -- the client side must be
# configured with the router's public key, not this value.
add allowed-address=10.10.20.2/32 client-address=10.10.20.2/32 client-dns=
8.8.8.8 client-endpoint=XXX.XXX.32.41 endpoint-port=14567 interface=
wireguard1 public-key=“zAP+f8dzG9G0mgJVwPVWNbpbH6+SMTnZxVlVN+sjAQ0=”
/ip address
# Static WAN address (redacted) plus one .1 gateway per VLAN. Note vlan-id 20
# carries 192.168.12.0/24.
add address=XXX.XXX.32.41/24 interface=ether8-WAN-Static network=XXX.XXX.32.0
add address=192.168.12.1/24 interface=vlan20-Servers network=192.168.12.0
add address=192.168.100.1/24 interface=Users-100 network=192.168.100.0
add address=192.168.10.1/24 interface=Management-10 network=192.168.10.0
add address=192.168.30.1/24 interface=“Smart Home-30” network=192.168.30.0
# Router's end of the WireGuard tunnel; the peer's client-address is .2 in the
# same /24, so this is the address the client should ping first.
add address=10.10.20.1/24 interface=wireguard1 network=10.10.20.0
/ip dhcp-server lease
# Static leases. The management ones (.250, .5, .6) are outside the management
# pool, which is fine for static entries. MAC B0:A4:60:9A:8C:1A appears twice
# (VLAN 30 as “YOGA camelot”, VLAN 100 as “YOGA castle”) -- presumably the same
# laptop on two SSIDs; each server only ever sees its own VLAN.
add address=192.168.10.250 client-id=1:d8:d0:90:1b:5b:af comment=
“Lubo Yoga Wired” mac-address=D8:D0:90:1B:5B:AF server=dhcp-management
add address=192.168.10.6 client-id=1:1c:61:b4:14:a0:2c comment=
“TP Link EAP 615 Bedroom” mac-address=1C:61:B4:14:A0:2C server=
dhcp-management
add address=192.168.10.5 client-id=1:1c:61:b4:14:a9:a8 comment=
“TP Link EAP 615 Living Room” mac-address=1C:61:B4:14:A9:A8 server=
dhcp-management
add address=192.168.100.204 client-id=1:48:a6:b8:7:73:e2 comment=“Sonos ARC”
mac-address=48:A6:B8:07:73:E2 server=dhcp-users
add address=192.168.100.249 client-id=1:72:70:2a:fe:13:ab comment=
“iPad Living Room” mac-address=72:70:2A:FE:13:AB server=dhcp-users
add address=192.168.100.203 client-id=1:54:2a:1b:23:ee:38 comment=“Sonos SUB”
mac-address=54:2A:1B:23:EE:38 server=dhcp-users
add address=192.168.100.202 client-id=1:f0:f6:c1:c5:cf:d4 comment=
“Sonos ERA 300” mac-address=F0:F6:C1:C5:CF:D4 server=dhcp-users
add address=192.168.100.201 client-id=1:f0:f6:c1:c5:cf:58 comment=
“Sonos ERA 300” mac-address=F0:F6:C1:C5:CF:58 server=dhcp-users
add address=192.168.30.2 client-id=1:2:78:7f:7f:66:2e comment=
“Home Assistant” mac-address=02:78:7F:7F:66:2E server=“dhcp-smart home”
add address=192.168.30.205 client-id=1:64:d2:c4:e1:f5:dc comment=
“Apple TV Bedroom - Wireless” mac-address=64:D2:C4:E1:F5:DC server=
“dhcp-smart home”
add address=192.168.30.3 comment=“ABB IPS2.1 (KNX)” mac-address=
00:0C:DE:93:50:5A server=“dhcp-smart home”
add address=192.168.30.250 client-id=1:b0:a4:60:9a:8c:1a comment=
“YOGA camelot” mac-address=B0:A4:60:9A:8C:1A server=“dhcp-smart home”
add address=192.168.100.250 client-id=1:b0:a4:60:9a:8c:1a comment=
“YOGA castle” mac-address=B0:A4:60:9A:8C:1A server=dhcp-users
add address=192.168.30.4 client-id=1:0:24:6d:2:a6:6c comment=1HOME
mac-address=00:24:6D:02:A6:6C server=“dhcp-smart home”
add address=192.168.30.5 client-id=1:64:d2:c4:d4:fb:c7 comment=
“Apple TV Bedroom - Wired” mac-address=64:D2:C4:D4:FB:C7 server=
“dhcp-smart home”
/ip dhcp-server network
# Only the gateway is set per network; no dns-server is given, so clients get
# whatever RouterOS derives from /ip dns -- check what the clients actually
# receive if name resolution misbehaves.
add address=192.168.10.0/24 comment=mngmt gateway=192.168.10.1
add address=192.168.12.0/24 comment=servers gateway=192.168.12.1
add address=192.168.30.0/24 comment=“smart home” gateway=192.168.30.1
add address=192.168.100.0/24 comment=users gateway=192.168.100.1
/ip dns
# Upstream resolvers for the router itself. allow-remote-requests is not in the
# export, so presumably default (no): as posted the router does not answer DNS
# for LAN/WireGuard clients even though the input chain opens port 53 to the LAN
# list. Enable it if the router is meant to be the resolver (the input chain
# keeps port 53 closed on WAN either way).
set servers=8.8.8.8,1.1.1.1
/ip firewall address-list
# Servers / Users / SmartHome and Svetulcho are defined but not referenced by any
# filter rule in this export; only LAN and Authorized are used.
add address=192.168.12.0/24 list=Servers
add address=192.168.100.0/24 list=Users
add address=192.168.30.0/24 list=SmartHome
add address=192.168.12.0/24 list=LAN
add address=192.168.30.0/24 list=LAN
add address=192.168.10.0/24 list=LAN
add address=192.168.100.0/24 list=LAN
add address=88.203.229.253 list=Svetulcho
# Authorized = source addresses allowed to manage the router and to cross from
# MGMT interfaces into other VLANs. NOTE(review): 10.10.20.3 is listed but no
# WireGuard peer is configured for it; the firewall rules that use this list
# must spell it exactly "Authorized".
add address=192.168.10.250 comment=“admin local” list=Authorized
add address=192.168.30.250 comment=“admin wifi” list=Authorized
add address=10.10.20.2 comment=“admin remote wireguard” list=Authorized
add address=10.10.20.3 comment=“admin remote ios wireguard” list=Authorized
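/ip firewall filter
# --- forward chain: traffic passing through the router ---
# defconf order: fasttrack and accept established/related first, then drop invalid.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Any interface in the LAN list may reach the internet. A VLAN interface that is
# not a member of the LAN list (see /interface list member) is NOT matched here
# and falls through to "Drop all else".
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
# Cross-VLAN exception: every LAN network may reach Plex on the servers VLAN.
add action=accept chain=forward comment="allow access from LAN to Plex" dst-address=192.168.12.140 dst-port=32400 protocol=tcp src-address-list=LAN
# Management VLAN and WireGuard clients (MGMT list), restricted to the Authorized
# address list, may initiate connections into any LAN-list interface. This is
# what gives the VPN access to the VLANs -- the target VLAN must be in the LAN list.
add action=accept chain=forward comment="MGMT (authorized hosts) to all LAN" in-interface-list=MGMT out-interface-list=LAN src-address-list=Authorized
# Connections that were dst-nat'ed from WAN (443 -> nginx, 32400 -> Plex).
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
# Everything else -- including Users (VLAN 100) -> Servers (VLAN 20) and
# Users -> Smart Home (VLAN 30) -- is dropped. This already implements the
# "restrict VLAN 100" requirement; no per-VLAN deny rules are needed as long as
# this stays the last forward rule.
add action=drop chain=forward comment="Drop all else"
# --- input chain: traffic to the router itself ---
add action=accept chain=input comment="accept established, related, untracked" connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
# ICMP is accepted from every interface, WAN included (same as defconf).
add action=accept chain=input protocol=icmp
# WireGuard listens on UDP/14567; this must stay reachable from WAN.
add action=accept chain=input comment="wireguard handshake" dst-port=14567 protocol=udp
# Router services (Winbox/SSH/www/API) only from MGMT interfaces AND Authorized
# sources. FIX: the original referenced src-address-list=Authorize, a list that
# does not exist (the list is named "Authorized"), so this rule never matched and
# every management connection was dropped by "Drop all else" below.
add action=accept chain=input comment="management access" in-interface-list=MGMT src-address-list=Authorized
# DNS from LAN-list interfaces (which include wireguard1). Only useful if
# /ip dns allow-remote-requests=yes; harmless otherwise.
add action=accept chain=input comment="users to services" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all else"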
/ip firewall nat
# Source NAT for everything leaving the WAN port.
add action=masquerade chain=srcnat out-interface=ether8-WAN-Static
# Inbound exposure: TCP 443 -> nginx reverse proxy and TCP 32400 -> Plex are open
# to the whole internet (no src-address restriction); the "port forwarding"
# forward rule accepts them. No hairpin NAT rule exists, so internal clients
# cannot reach these services via the public address.
add action=dst-nat chain=dstnat comment=“port 443 to nginx proxy” dst-port=
443 in-interface=ether8-WAN-Static protocol=tcp to-addresses=
192.168.12.254 to-ports=443
add action=dst-nat chain=dstnat comment=“port 32400 to Plex” dst-port=32400
in-interface=ether8-WAN-Static protocol=tcp to-addresses=192.168.12.140
to-ports=32400
/ip route
# Static default route via the ISP gateway (redacted).
add disabled=no dst-address=0.0.0.0/0 gateway=XXX.XXX.32.1 routing-table=main
suppress-hw-offload=no
/system clock
# NOTE(review): "Europe" alone is not a valid zone name; the real value
# (Europe/<City>) was probably truncated when the export was pasted.
set time-zone-name=Europe
/system identity
set name=RB5009
/system note
set show-at-login=no
/tool sniffer
# Packet sniffer default interface, left pointed at the Proxmox trunk.
set filter-interface=ether2-LAN-Hybrid

(1) For the remote peer entry on the router, remove the unnecessary client-* and endpoint-port options; allowed-address should be just the client's tunnel address. It should look like:

/interface wireguard peers
add allowed-address=10.10.20.2/32 interface=wireguard1 public-key=“hidden”

(2) On the client device, set DNS to the router's WireGuard address, 10.10.20.1. Note this only works if the router's DNS answers remote queries (/ip dns allow-remote-requests=yes, which the posted export does not show); your input rules already accept port 53 from the LAN list, which includes wireguard1.

(3) You already allow anyone on your authorized list to access the LAN by this rule.
add action=accept chain=forward in-interface-list=MGMT out-interface-list=LAN
src-address-list=Authorized

Everything looks good.

here are the current issues:
VLAN 30 has no internet access; not sure about VLAN 20.
Under Network Adapters on the Windows client, the WireGuard adapter has no default gateway set.
My IP is 192.168.10.250, but I cannot access VLAN 20 and VLAN 30

As I said, when you mess with standards ( trying to use an unmanaged switch for vlans ) results are not predictable and thus why I prefer not to get involved.


Smart Home-30 (VLAN 30) has no internet because you didn't give it LAN interface-list membership, and the "allow internet traffic" forward rule only matches in-interface-list=LAN:

/interface list member
add interface=ether8-WAN-Static list=WAN
add interface=Management-10 list=LAN
add interface=br-Uplink list=LAN <----- GET RID OF THIS
add interface=“Smart Home-30” list=LAN ADD THIS
add interface=vlan20-Servers list=LAN ADD THIS
add interface=Users-100 list=LAN
add interface=wireguard1 list=LAN
add interface=wireguard1 list=MGMT
add interface=Management-10 list=MGMT

Dont understand this comment, can you explain in more detail please.
under network adapters WG client NIC doesn’t have GW set

The WG client device needs the following:
Create a WG interface on the client and generate a key pair; the client's public key goes into the peer entry on the MikroTik (the public-key field, not allowed-address).
The client interface also gets its tunnel IP address (10.10.20.2/32) and a name, e.g. wgremote1.

Under its allowed IPs you want either
allowed-address=10.10.20.0/24,subnet1,subnet2,subnet3 endpoint-address=X.X.X.X endpoint-port=14567
persistent-keep-alive=35s interface=wgremote1 public-key=" ..public key generated by mt router goes here "

(where subnets represents the subnets you wish the user to be able to reach on the router)

If you want the remote client to route all of its traffic (including internet) through your router, this changes to:
allowed-address=0.0.0.0/0 endpoint-address=X.X.X.X endpoint-port=14567
persistent-keep-alive=35s interface=wgremote1 public-key=" ..public key generated by mt router goes here "



+++++++++++++
In other words, there is no gateway to set on the WireGuard adapter; which destinations go through the tunnel is decided by the client's allowed IPs.

Thank you. Now I have access from all VLANs to internet.
The only remaining problem is WireGuard. It is still not working. When I set up WireGuard I followed these instructions: https://www.bgocloud.com/knowledgebase/91/howto-configuring-wireguard-in-mikrotik-chr-faster-and-secure-vpn-protocol.html
Maybe I missed something. I triple checked everything, but not sure what I’m doing wrong.
It seems that I'm able to connect to the MikroTik, but I cannot ping anything on the VLANs, nor 10.10.20.1. When I check Network Adapters in Windows, the WireGuard adapter shows no gateway entry.