hendry
Frequent Visitor
Topic Author
Posts: 74
Joined: Sat Jan 18, 2014 9:59 am
Location: Cornwall, UK

Bridge to Wireguard interface

Thu Jul 29, 2021 5:05 pm

I asked on Reddit but didn't get a good answer: https://www.reddit.com/r/mikrotik/comme ... ific_port/

I don't understand how I connect my bridge network to the Wireguard interface.
[image]

Any tips please?
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Bridge to Wireguard interface

Thu Jul 29, 2021 5:20 pm

Reddit is the new "users forum" for MikroTik?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge to Wireguard interface

Thu Jul 29, 2021 5:27 pm

I have no idea what the OP is asking, and no I am not going to go to other websites to read.......
So best
a. provide a network diagram
b. a clear set of requirements (what he/she wants users to be able to do) without discussing the config
c. provide current effort
/export hide-sensitive file=anynameyouwish

Pics unless specifically requested don't do much for me, hard on my eyes LOL.
But I did see the word wireguard.

viewtopic.php?f=23&t=174417
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Bridge to Wireguard interface

Thu Jul 29, 2021 11:14 pm

Wireguard is a layer 3 tunnel and cannot be bridged. I would call it a bug that it even allows you to add it as a bridge port, since other tunnel types that cannot be bridged (like GRE) are hidden from the list of potential bridge ports.
 
hendry
Frequent Visitor
Topic Author
Posts: 74
Joined: Sat Jan 18, 2014 9:59 am
Location: Cornwall, UK

Re: Bridge to Wireguard interface

Sat Jul 31, 2021 8:55 am

If I can't bridge, how do I route my devices connected on ether4/ether5 that are reliant on dhcpd? Surely I route through to Wireguard via a NAT?

The guide https://help.mikrotik.com/docs/display/ROS/WireGuard is incomplete to me because it doesn't show how to connect the VPN to a port.
Furthermore it would be nice if they showed how to test the connection.

As requested, a diagram:
[diagram image]
and my config https://s.natalian.org/2021-07-31/vpn.rsc

I need some guidance to set up a nat or whatever I need to do to get my ports onto the wireguard interface please.

Thank you in advance,
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Bridge to Wireguard interface

Sat Jul 31, 2021 11:18 am

Is there a specific reason for using Wireguard?
 
hendry
Frequent Visitor
Topic Author
Posts: 74
Joined: Sat Jan 18, 2014 9:59 am
Location: Cornwall, UK

Re: Bridge to Wireguard interface

Sat Jul 31, 2021 11:31 am

Wireguard I know works, I'm familiar with using `sudo wg-quick up wg0` to use this UK VPN. Now I just want to get Mikrotik to effectively do the same thing with more devices.
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Bridge to Wireguard interface

Sat Jul 31, 2021 11:36 am

You can route between devices, connected to ethernet ports, and wireguard. You just can't have both LAN and wireguard in the same IP subnet. At the same time you don't really want to extend a broadcast domain over some (relatively low speed and high delay) tunnel.

Unless you have very specific reasons for that. But if you do, you'll need some kind of Ethernet over IP solution. I guess (I never tried) you could run an EoIP tunnel over the wireguard tunnel; the problem with this solution is that EoIP is a MikroTik proprietary protocol, meaning the other end has to be a MikroTik as well. The EoIP interface is an L2 interface and you can bridge it with other L2 interfaces (ethernet, wireless). Beware of MTU changes when you add an EoIP interface to a bridge.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge to Wireguard interface

Sat Jul 31, 2021 2:57 pm

Wireguard doesn't connect to a port.
It connects to the router (server) on its wireguard interface which you create and define.

Destination route for the subnet or IP address at the client, with the gateway being the wireguard interface.

If you want the users on the WG interface to be able to access LAN resources, then I suggest
this could possibly be done using firewall rules.
add chain=forward action=accept in-interface=wginterface [ out-interface=, or dst-address=, etc............ ]
 
hendry
Frequent Visitor
Topic Author
Posts: 74
Joined: Sat Jan 18, 2014 9:59 am
Location: Cornwall, UK

Re: Bridge to Wireguard interface

Sat Jul 31, 2021 4:03 pm

I'm still confused about how to set up the routing for the ukvpn bridge. When I attach a client, it doesn't seem to know to go via wireguardUK!
[admin@MikroTik] /ip/route> print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC, d - DHCP, y - COPY; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY D
0 As+ 0.0.0.0/0 wireguardUK 1
DAd+ 0.0.0.0/0 192.168.1.1 1
DAc 192.168.1.0/24 bridgeLocal 0
DAc 192.168.2.0/24 ukvpn 0
DAc 192.168.2.4/32 wireguardUK 0
[admin@MikroTik] /ip/route> /ip/firewall/
address-list calea connection filter layer7-protocol mangle nat raw service-port export
[admin@MikroTik] /ip/route> /ip/firewall/filter/print
Flags: X - disabled, I - invalid; D - dynamic
0 chain=forward action=accept in-interface=wireguardUK out-interface=ukvpn
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge to Wireguard interface

Sat Jul 31, 2021 6:01 pm

Sorry, not sure what you are doing using a separate UK VPN?
One only needs wireguard and not some other VPN on top (too complicated for me, plus I don't touch layer 7 with a ten foot pole)
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Bridge to Wireguard interface

Sat Jul 31, 2021 8:54 pm

> I'm still confused about how to set up the routing for the ukvpn bridge. When I attach a client, it doesn't seem to know to go via wireguardUK!
Currently you are doing ECMP it looks like, which is doing load balancing where some traffic is going over your regular connection and some is going over wireguard UK but you don't have control over what traffic is using what.

Also you are using 192.168.2.0/24 and .0 is not a valid final octet for an IPv4 address except for /32 and /31 subnets.

If you want to send traffic for some systems across to wireguard UK and other systems to go through the regular network, you need to configure policy routing.
 
hendry
Frequent Visitor
Topic Author
Posts: 74
Joined: Sat Jan 18, 2014 9:59 am
Location: Cornwall, UK

Re: Bridge to Wireguard interface

Sun Aug 01, 2021 2:56 am

> Sorry, not sure what you are doing using a separate UK VPN?
> One only needs wireguard and not some other VPN on top (too complicated for me, plus I don't touch layer 7 with a ten foot pole)
ukvpn is a bridge, just so that I can organise a dhcpd for connected devices on ether{4,5}
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Bridge to Wireguard interface  [SOLVED]

Sun Aug 01, 2021 3:47 am

> ukvpn is a bridge, just so that I can organise a dhcpd for connected devices on ether{4,5}
I presume what you are trying to do is get the devices on ether4 and ether5 to go online through the wireguard VPN whereas everything else should go online the normal way. Is this correct? If so, you need to do policy routing, and those devices should not have IPs on the wireguard subnet but on a different subnet (ex. 192.168.3.0/24).
 
hendry
Frequent Visitor
Topic Author
Posts: 74
Joined: Sat Jan 18, 2014 9:59 am
Location: Cornwall, UK

Re: Bridge to Wireguard interface

Sun Aug 01, 2021 10:10 am

With Michael's help, I got there with https://s.natalian.org/2021-08-01/vpn-working.rsc
 
WiraSoenaryo
just joined
Posts: 2
Joined: Fri Feb 25, 2022 5:19 am

Re: Bridge to Wireguard interface

Tue Mar 29, 2022 9:31 am

> ukvpn is a bridge, just so that I can organise a dhcpd for connected devices on ether{4,5}
> I presume what you are trying to do is get the devices on ether4 and ether5 to go online through the wireguard VPN whereas everything else should go online the normal way. Is this correct? If so, you need to do policy routing, and those devices should not have IPs on the wireguard subnet but on a different subnet (ex. 192.168.3.0/24).
Sorry bumping old topic... this is what I want to do also on my network.
May I know how to do that?
Thanks..
 
FabioMen10
just joined
Posts: 1
Joined: Tue Jan 05, 2021 10:20 am

Re: Bridge to Wireguard interface

Thu Apr 07, 2022 7:06 pm

> I presume what you are trying to do is get the devices on ether4 and ether5 to go online through the wireguard VPN whereas everything else should go online the normal way. Is this correct? If so, you need to do policy routing, and those devices should not have IPs on the wireguard subnet but on a different subnet (ex. 192.168.3.0/24).
> Sorry bumping old topic... this is what I want to do also on my network.
> May I know how to do that?
> Thanks..
Me too.

In short, WireGuard does not work with Bridge-LAN. That's it?
 
mischa01101
just joined
Posts: 8
Joined: Wed Feb 08, 2023 12:31 pm

Re: Bridge to Wireguard interface

Fri Mar 24, 2023 9:39 am

> In short, WireGuard does not work with Bridge-LAN. That's it?
Exactly. You can't bridge a layer 2 network directly into wireguard. Use an encapsulation mechanism like VXLAN or EoIP and then route the traffic over the wireguard interfaces.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge to Wireguard interface

Fri Mar 24, 2023 1:35 pm

"Wireguard doesn't work with a bridge-lan" is a ridiculous statement that means nothing!
Wireguard is a peer to peer layer 3 construct.
If you want to connect subnets at layer 2 then
a. use zerotier
b. eoip over wg
c. vxlan over wg, etc.

I will connect two routers, with bridge-LANs, using WG. EASY PEASY.

Let's say Router one has a single subnet 192.168.1.0/24 attached to a bridge.
Let's say Router two has a single subnet 192.168.2.0/24 attached to a bridge.

Each bridge feeds ports 2,3,4,5

The user requirement is that users from each subnet should be able to reach users in the other subnet.

R1 acts as server for handshake.
allowed-address=10.10.10.2/32,192.168.2.0/24 ... Peer1=R2
allowed-address=10.10.10.3/32 .... Peer2 { admin on remote connection }

R2 acts as client for handshake
allowed-address=10.10.10.0/24,192.168.1.0/24 persistent-keepalive=30s ... Single Peer=R1

R1 fw rules
add chain=input action=accept dst-port=wireguardlisteningport protocol=udp
add chain=input action=accept in-interface=wg1 src-address=10.10.10.3 { admin wireguard remote config access }
add chain=forward action=accept in-interface=wg1 out-interface=bridge1
add chain=forward action=accept in-interface=bridge1 out-interface=wg1
add chain=forward action=accept in-interface=wg1 out-interface=wg1 { allow admin to relay to R2 }

R1 Routes
/ip route
add dst-address=192.168.2.0/24 gateway=wg1 table=main

R2 fw rules
add chain=input action=accept in-interface=wg2 src-address=10.10.10.3 { allow remote admin to config R2 }
add chain=forward action=accept in-interface=wg2 out-interface=bridge2
add chain=forward action=accept in-interface=bridge2 out-interface=wg2

R2 Routes
/ip route
add dst-address=192.168.1.0/24 gateway=wg2 table=main

DONE. Connected two bridge-LANs via wireguard, so please stop smoking dope and then posting.
The alternative comment perhaps more fruitful IS

State the user requirements clearly and accurately.

If you want some ideas on using Wireguard to attempt to join subnets at a Layer 2 level ---> viewtopic.php?t=194646
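For anyone who wants to type the layout above in verbatim, here is an added, complete RouterOS v7 version of it (my own example, not anav's config or anything from MikroTik's docs). Assumed names and values: wg1 on R1, wg2 on R2, tunnel subnet 10.10.10.0/24, listen port 13231, R1 reachable as r1.example.invalid, and every key is a placeholder you replace with output from `/interface/wireguard print` on the other side.

```routeros
### R1 (192.168.1.0/24 on bridge1, the side that listens for the handshake) ###
/interface/wireguard
add name=wg1 listen-port=13231 private-key="<R1-PRIVATE-KEY>"
/ip/address
add address=10.10.10.1/24 interface=wg1

/interface/wireguard/peers
# Peer1 = R2: may source its tunnel address and the whole remote LAN.
# allowed-address is WireGuard's cryptokey routing table, so this is also the
# list of source addresses R1 will accept from that peer.
add interface=wg1 public-key="<R2-PUBLIC-KEY>" \
    allowed-address=10.10.10.2/32,192.168.2.0/24 comment="R2"
# Peer2 = roaming admin: only its own /32, so it cannot spoof LAN addresses.
add interface=wg1 public-key="<ADMIN-PUBLIC-KEY>" \
    allowed-address=10.10.10.3/32 comment="admin"

/ip/route
add dst-address=192.168.2.0/24 gateway=wg1

/ip/firewall/filter
add chain=input action=accept protocol=udp dst-port=13231 comment="WG handshake"
add chain=input action=accept in-interface=wg1 src-address=10.10.10.3 comment="admin to R1"
add chain=forward action=accept in-interface=wg1 out-interface=bridge1
add chain=forward action=accept in-interface=bridge1 out-interface=wg1
add chain=forward action=accept in-interface=wg1 out-interface=wg1 \
    src-address=10.10.10.3 comment="admin relayed on to R2"

### R2 (192.168.2.0/24 on bridge2, initiates the handshake) ###
/interface/wireguard
add name=wg2 listen-port=13231 private-key="<R2-PRIVATE-KEY>"
/ip/address
add address=10.10.10.2/24 interface=wg2

/interface/wireguard/peers
# Single peer = R1. The keepalive is what keeps a NAT mapping open when R2
# sits behind someone else's NAT; R1 does not need one.
add interface=wg2 public-key="<R1-PUBLIC-KEY>" \
    endpoint-address=r1.example.invalid endpoint-port=13231 \
    allowed-address=10.10.10.0/24,192.168.1.0/24 persistent-keepalive=30s

/ip/route
add dst-address=192.168.1.0/24 gateway=wg2

/ip/firewall/filter
add chain=input action=accept in-interface=wg2 src-address=10.10.10.3 comment="admin to R2"
add chain=forward action=accept in-interface=wg2 out-interface=bridge2
add chain=forward action=accept in-interface=bridge2 out-interface=wg2
```

Two things to watch: `add` appends, so on a router that still has the default firewall the accept rules land after the default drop rules and never match; use `place-before=` to put them above the "drop all not from LAN" / "drop invalid" rules. And the admin's own client needs AllowedIPs that cover both 10.10.10.0/24 and 192.168.2.0/24, otherwise it will never send the relayed traffic into the tunnel in the first place.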
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge to Wireguard interface

Fri Mar 24, 2023 4:37 pm

> ukvpn is a bridge, just so that I can organise a dhcpd for connected devices on ether{4,5}
> I presume what you are trying to do is get the devices on ether4 and ether5 to go online through the wireguard VPN whereas everything else should go online the normal way. Is this correct? If so, you need to do policy routing, and those devices should not have IPs on the wireguard subnet but on a different subnet (ex. 192.168.3.0/24).
> ...
To clarify!

1. A few users in a subnet can deviate from the rest of the users/devices on a subnet and go out wireguard or the normal WAN depending, with routing rules.
2. A whole subnet can deviate from the rest of the subnets behind a router, and go out wireguard or normal WAN depending, with routing rules.
3. A group of users (a subset of one subnet, contiguous or not, or even a group of users from various subnets) can go out wireguard or normal WAN depending, by putting them on a firewall address list and using mangling.
4. Single remote users (single wireguard IP) is not the topic here.
5. No one should be using wireguard addresses for users behind a router........ as noted by the (don't get how mud is charming) guy, don't use wireguard addresses as though it was a normal user subnet.
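Since the "how do I actually do that?" question above never got a config, here is an added RouterOS v7 example of cases 2 and 3 from the list (my own example, not from this thread or MikroTik's docs). It reuses the OP's names as assumptions: bridge ukvpn with 192.168.3.0/24 as mducharme suggested, bridge bridgeLocal with 192.168.1.0/24 that keeps using the normal WAN, and WireGuard interface wireguardUK. The provider endpoint, the tunnel address 10.66.0.2/32 and the keys are placeholders; the host addresses in the address list are made up.

```routeros
/interface/wireguard
add name=wireguardUK listen-port=13231 private-key="<LOCAL-PRIVATE-KEY>"

/interface/wireguard/peers
# The VPN provider is the default gateway for the tunnel, so any destination
# may be sent to it: allowed-address=0.0.0.0/0. Nothing here puts a
# 0.0.0.0/0 route into "main", which is what caused the ECMP seen earlier.
add interface=wireguardUK public-key="<PROVIDER-PUBLIC-KEY>" \
    endpoint-address=vpn.example.invalid endpoint-port=51820 \
    allowed-address=0.0.0.0/0 persistent-keepalive=25s

/ip/address
add address=10.66.0.2/32 interface=wireguardUK comment="tunnel address from provider"
add address=192.168.3.1/24 interface=ukvpn

# Case 2: a separate routing table whose only default route is the tunnel.
/routing/table
add name=viaUK fib
/ip/route
add dst-address=0.0.0.0/0 gateway=wireguardUK routing-table=viaUK

/routing/rule
# Local destinations (and the router's own DHCP/DNS replies to 192.168.3.x)
# stay in main; rules are evaluated top-down so this must come first.
add dst-address=192.168.0.0/16 action=lookup-only-in-table table=main
# Everything else sourced from the ukvpn subnet is looked up only in viaUK:
# if the tunnel is down there is no route, so nothing leaks out the WAN.
add src-address=192.168.3.0/24 action=lookup-only-in-table table=viaUK

# Case 3: a hand-picked set of hosts from bridgeLocal gets the same treatment
# through an address list and a routing mark (the mark name = the table name).
/ip/firewall/address-list
add list=viaUK-hosts address=192.168.1.50 comment="constructed example host"
add list=viaUK-hosts address=192.168.1.51 comment="constructed example host"
/ip/firewall/mangle
add chain=prerouting src-address-list=viaUK-hosts dst-address=!192.168.0.0/16 \
    action=mark-routing new-routing-mark=viaUK passthrough=no

# Hide everything behind the tunnel address.
/ip/firewall/nat
add chain=srcnat out-interface=wireguardUK action=masquerade

/ip/firewall/filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface=ukvpn out-interface=wireguardUK
add chain=forward action=accept in-interface=bridgeLocal out-interface=wireguardUK \
    src-address-list=viaUK-hosts
# Kill switch: ukvpn hosts may only ever leave through the tunnel. This also
# keeps them away from bridgeLocal.
add chain=forward action=drop in-interface=ukvpn out-interface=!wireguardUK
```

As with any firewall edit on a router that still has the default rule set, place these above the default drop rules (`place-before=`). One caveat worth testing: DNS queries the router itself makes on behalf of ukvpn clients are router-originated and follow main, i.e. the normal WAN. If that matters, hand the ukvpn DHCP clients a resolver that is reached through the tunnel instead of the router's own DNS cache.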
 
rplant
Member Candidate
Posts: 282
Joined: Fri Sep 29, 2017 11:42 am

Re: Bridge to Wireguard interface

Sun Apr 02, 2023 1:04 pm

The following can be done and is usually near enough.
The router hosting wireguard does not need to be the gateway.

eg. LAN using 192.168.0.0/24
Though if you are using a very common IP address range like the above, you might want to consider renumbering your LAN.

Note: The router needs an IP address in the range on its LAN port. (eg. 192.168.0.10/24)

Grab a subnet range out of the LAN that is not in use, to use for your wireguard. Make sure DHCP won't assign IP addresses in this range.
eg. 192.168.0.224/28 (.224 to .239, 16 addresses, 15 clients)

Create your wireguard interface, give it the IP address 192.168.0.224/28 <= Sets up required routing.
Enable Proxy ARP on the LAN interface <= main magic.

For each peer entry, likely only allow its 192.168.0.x IP address

On the clients:

Give the wireguard clients IP addresses 192.168.0.225-192.168.0.239
With allowed IP addresses on the client 192.168.0.0/24
And an appropriate DNS server (perhaps 192.168.0.224)

The remote clients and local systems should now be able to connect to each other.
You may (or may not) want/need to make the wireguard interface a LAN interface.
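The proxy-ARP layout above, written out as an added RouterOS v7 example (mine, not rplant's config). Assumptions: the LAN port is ether2, the MikroTik sits at 192.168.0.10 and is not the gateway, the WireGuard interface is called wg-lan, and both peer keys are placeholders. The existing DHCP server on the LAN is assumed to already exclude .224-.239.

```routeros
# Router address inside the LAN; the real gateway (e.g. .1) stays where it is.
/ip/address
add address=192.168.0.10/24 interface=ether2

/interface/wireguard
add name=wg-lan listen-port=13231 private-key="<PLACEHOLDER-PRIVATE-KEY>"

# Putting the /28 on the tunnel interface creates the connected route for it,
# so the router already knows .225-.239 live "behind" wg-lan.
/ip/address
add address=192.168.0.224/28 interface=wg-lan

# Proxy ARP: LAN hosts (and the real gateway) ARP for .225-.239 on the wire,
# the router answers with its own MAC, receives the frame and routes it into
# the tunnel. On a bridged LAN set this on the bridge instead of the port.
/interface/ethernet
set ether2 arp=proxy-arp

# One /32 per peer. allowed-address is the cryptokey-routing boundary: a peer
# can only inject packets with its own address, so it cannot impersonate a
# LAN host even though it is "inside" the LAN range.
/interface/wireguard/peers
add interface=wg-lan public-key="<PEER1-PUBLIC-KEY>" allowed-address=192.168.0.225/32
add interface=wg-lan public-key="<PEER2-PUBLIC-KEY>" allowed-address=192.168.0.226/32

# Optional: treat the tunnel as part of LAN for interface-list based rules.
/interface/list/member
add list=LAN interface=wg-lan

/ip/firewall/filter
add chain=input action=accept protocol=udp dst-port=13231 comment="wireguard handshake"
add chain=forward action=accept in-interface=wg-lan out-interface=ether2
add chain=forward action=accept in-interface=ether2 out-interface=wg-lan
```

On the client side this matches rplant's description: the peer's own address is 192.168.0.225/32 (or .226), AllowedIPs is 192.168.0.0/24, the endpoint is the router's public address and port 13231, and DNS points at something inside the LAN. A quick check that proxy ARP is doing its job is `/ip/arp print` on the router after a LAN host pings .225: the LAN host's ARP table should show .225 with the MikroTik's MAC.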
