GreenSparrow
just joined
Topic Author
Posts: 8
Joined: Sun Aug 30, 2020 1:12 pm

Firewall configuration for Wireguard

Wed Sep 09, 2020 6:07 pm

Hi all,

I have been playing around with configuring Wireguard, and while everything seems to work if I delete all firewall rules, something is blocking communication when I apply my firewall rules.
It seems I need to add something, but I don't know what.

Can anybody assist please?

I have configured 2 interface lists:
public (lte1 and wireguard interface)
local (LAN bridge)

Configuration can be seen below:
-> with this I see some traffic on the wireguard interface - probably keepalive?


/interface bridge
add name=LAN
/interface wireguard
add listen-port=23292 mtu=1420 name=wireguard1
/interface list
add comment="public network" name=public
add comment="local network" name=local
add comment="guest network" name=guest
/interface lte apn
add apn=internet default-route-distance=1 use-network-apn=no
/interface lte
set [ find ] allow-roaming=no apn-profiles=internet name=lte1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=WLANsec \
supplicant-identity=MikroTik
/interface wireless
...
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=LAN name=dhcp1
/ip vrf
add list=all name=main
/interface bridge port
add bridge=LAN interface=ether2
add bridge=LAN interface=wlan1
add bridge=LAN interface=wlan2
/interface list member
add interface=lte1 list=public
add interface=LAN list=local
# wireguard1 shares the "public" list with lte1, so every filter rule keyed on
# in-interface-list=public (PUBLIC-TO-ROUTER, PUBLIC-TO-LOCAL) also applies to tunnel traffic
add interface=wireguard1 list=public
/interface wireguard peers
# single peer; allowed-address=0.0.0.0/0 accepts any source address arriving from this peer
add allowed-address=0.0.0.0/0 endpoint=10.22.22.22:23292 interface=\
wireguard1 public-key="yyyyy"
/ip address
add address=192.168.88.1/24 interface=LAN network=192.168.88.0
add address=172.16.1.1/24 interface=wireguard1 network=172.16.1.0
/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=1.1.1.1 gateway=192.168.88.1
/ip dns
set servers=1.1.1.1,8.8.8.8
/ip firewall filter
add action=fasttrack-connection chain=forward comment=\
"Enable FastTrack for all zones" connection-state=established,related
# input from "public" interfaces: only UDP 23292 (WireGuard listen port) is accepted
# here; everything else returns to the default input policy further down
add action=jump chain=input comment="PUBLIC ---> ROUTER" in-interface-list=\
public jump-target=PUBLIC-TO-ROUTER
add action=accept chain=PUBLIC-TO-ROUTER comment=Wireguard dst-port=23292 \
protocol=udp
add action=return chain=PUBLIC-TO-ROUTER
add action=jump chain=output comment="PUBLIC <--- ROUTER" jump-target=\
ROUTER-TO-PUBLIC out-interface-list=public
add action=return chain=ROUTER-TO-PUBLIC
add action=jump chain=input comment="LOCAL ---> ROUTER" in-interface-list=local \
jump-target=LOCAL-TO-ROUTER
add action=accept chain=LOCAL-TO-ROUTER
add action=jump chain=output comment="LOCAL <--- ROUTER" jump-target=\
ROUTER-TO-LOCAL out-interface-list=local
add action=accept chain=ROUTER-TO-LOCAL
# forward from "public" to "local": new connections are dropped unless dst-natted,
# so with wireguard1 in "public" this is what blocks new tunnel -> LAN connections
add action=jump chain=forward comment="PUBLIC ---> LOCAL" in-interface-list=\
public jump-target=PUBLIC-TO-LOCAL out-interface-list=local
add action=accept chain=PUBLIC-TO-LOCAL connection-state=\
established,related,untracked
add action=drop chain=PUBLIC-TO-LOCAL connection-state=invalid
add action=drop chain=PUBLIC-TO-LOCAL connection-nat-state=!dstnat \
connection-state=new
add action=accept chain=PUBLIC-TO-LOCAL
add action=jump chain=forward comment="PUBLIC <--- LOCAL" in-interface-list=\
local jump-target=LOCAL-TO-PUBLIC out-interface-list=public
add action=accept chain=LOCAL-TO-PUBLIC
# default policies: input ends in an explicit drop (only established/related/untracked
# and ICMP get through); forward has no final drop, so traffic that matches nothing
# above, including anything on an interface in neither list, is accepted
add action=accept chain=input comment="[Default policy] INPUT" \
connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=accept chain=forward comment="[Default policy] FORWARD" \
connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new \
in-interface-list=public
add action=reject chain=forward comment="Forbid connections between networks" \
disabled=yes reject-with=icmp-net-prohibited
add action=accept chain=output comment="[Default policy] OUTPUT"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=lte1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.88.0/24 port=2222
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl address=192.168.88.0/24

Cheers,
GreenSparrow
 
GreenSparrow
just joined
Topic Author
Posts: 8
Joined: Sun Aug 30, 2020 1:12 pm

Re: Firewall configuration for Wireguard  [SOLVED]

Thu Sep 10, 2020 9:31 am

Solved by removing wireguard interface from list of public interfaces.

viewtopic.php?t=166010
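To see why moving wireguard1 out of the "public" list changes the outcome, here is an added example (not from the thread or from MikroTik) that models RouterOS chain evaluation (jump, return, run-off-the-end, default accept) over the input and forward rules posted above and traces a new connection from the tunnel with and without the list membership. It assumes connection-nat-state=!dstnat is always true (no dstnat rule is posted) and leaves out fasttrack and the rules that only fire for in-interface-list=local, since the traced packets enter on wireguard1; the packets themselves are constructed.

```python
EST = {"established", "related", "untracked"}

# (chain, action, jump-target, matchers) transcribed from the post's input and
# forward rules. fasttrack and the local-only rules are omitted (see lead-in) and
# connection-nat-state=!dstnat is treated as always true (no dstnat rule posted).
RULES = [
    ("input", "jump", "PUBLIC-TO-ROUTER", {"in": "public"}),
    ("PUBLIC-TO-ROUTER", "accept", None, {"proto": "udp", "dport": 23292}),
    ("PUBLIC-TO-ROUTER", "return", None, {}),
    ("input", "accept", None, {"state": EST}),
    ("input", "drop", None, {"state": {"invalid"}}),
    ("input", "accept", None, {"proto": "icmp"}),
    ("input", "drop", None, {}),
    ("forward", "jump", "PUBLIC-TO-LOCAL", {"in": "public", "out": "local"}),
    ("PUBLIC-TO-LOCAL", "accept", None, {"state": EST}),
    ("PUBLIC-TO-LOCAL", "drop", None, {"state": {"invalid"}}),
    ("PUBLIC-TO-LOCAL", "drop", None, {"state": {"new"}}),
    ("PUBLIC-TO-LOCAL", "accept", None, {}),
    ("forward", "accept", None, {"state": EST}),
    ("forward", "drop", None, {"state": {"invalid"}}),
    ("forward", "drop", None, {"state": {"new"}, "in": "public"}),
]

def matches(m, pkt, lists):
    # in/out resolve through interface lists; state is a set; the rest compare directly
    return all(pkt[k] in lists[v] if k in ("in", "out") else
               pkt[k] in v if k == "state" else pkt[k] == v for k, v in m.items())

def run_chain(chain, pkt, lists):
    # Returns a verdict, or None when the chain ran off its end (implicit return).
    for _, action, target, m in (r for r in RULES if r[0] == chain):
        if not matches(m, pkt, lists):
            continue
        if action == "jump":
            v = run_chain(target, pkt, lists)
            if v is not None:          # verdict reached inside the sub-chain
                return v
        elif action == "return":
            return None
        else:
            return action
    return None

def verdict(chain, pkt, wg_in_public):
    lists = {"public": {"lte1", "wireguard1"} if wg_in_public else {"lte1"}, "local": {"LAN"}}
    return run_chain(chain, pkt, lists) or "accept"   # RouterOS default policy

# Constructed packets: a new TCP flow from the tunnel into the LAN, and a new SSH
# session from the tunnel to the router itself (the post's ssh port is 2222).
TUNNEL_TO_LAN = {"in": "wireguard1", "out": "LAN", "state": "new", "proto": "tcp", "dport": 80}
TUNNEL_TO_ROUTER = {"in": "wireguard1", "out": None, "state": "new", "proto": "tcp", "dport": 2222}
```

With wireguard1 in "public" the tunnel-to-LAN flow dies in PUBLIC-TO-LOCAL; without it no rule matches and the forward chain's default accept lets it through, so the peer (allowed-address=0.0.0.0/0) reaches the LAN unfiltered, while a new SSH session to the router over the tunnel is dropped by the input chain in both cases.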
