maybe I'm stupid. I'm using my RB4011 sucessfully with since the first 7 beta with wireguard (without VLANs).
Now I'm changing my config and I'm using 3 VLANs Using this example config).
But I'cant get running wireguard. Wireguard should use the vlan 90.
I'v added wireguard to the vlan-bride. I set the frame-types=admit-only-untagged-and-priority-tagged und vlan=90.
Maybe it's a firewall rule? But I dont know which.
Please give me a hint. Thank you very much.
Here is the config (I delete wlan).
Code: Select all
# sep/04/2021 10:28:33 by RouterOS 7.1rc1
# software id = 8H40-SBMV
#
# model = RB4011iGS+5HacQ2HnD
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface wireguard
add listen-port=11197 mtu=1412 name=wireguard1
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=90
add interface=BR1 name=Obergeschoss vlan-id=92
add interface=BR1 name=Untergeschoss vlan-id=91
/interface list
add name=WAN
add name=VLAN
add name=BASE
/ip pool
add name=Untergeschoss ranges=192.168.91.50-192.168.91.254
add name=Obergeschoss ranges=192.168.92.50-192.168.92.254
add name=BASE_POOL ranges=192.168.90.50-192.168.90.254
/ip dhcp-server
add address-pool=Untergeschoss interface=Untergeschoss name=UntergeschossDHCP
add address-pool=Obergeschoss interface=Obergeschoss name=ObergeschossDHCP
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
wlan1 pvid=91
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
wlan4 pvid=91
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
wlan2 pvid=92
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
wlan5 pvid=92
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
wlan3 pvid=90
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
wlan6 pvid=90
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether2 pvid=90
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether3 pvid=90
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether4 pvid=90
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether5 pvid=90
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether6 pvid=90
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether7 pvid=90
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether8 pvid=90
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether9 pvid=91
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
wireguard1 pvid=90
add bridge=BR1 interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=VLAN
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether10 untagged=wlan3,wlan6 vlan-ids=90
add bridge=BR1 tagged=BR1,ether10 untagged=wlan1,wlan4 vlan-ids=91
add bridge=BR1 tagged=BR1,ether10 untagged=wlan2,wlan5 vlan-ids=92
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN wan-interface-list=\
WAN
/interface l2tp-server server
set l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=Obergeschoss list=VLAN
add interface=Untergeschoss list=VLAN
add interface=BASE_VLAN list=BASE
/interface wireguard peers
add allowed-address=10.9.0.0/24,192.168.1.0/24 endpoint-address=xxxx.de \
endpoint-port=11199 interface=wireguard1 public-key=\
"key"
add allowed-address=10.9.0.0/24,192.168.200.0/24 endpoint-address=\
yyyy.de endpoint-port=11198 interface=wireguard1 public-key=\
"key"
/ip address
add address=192.168.90.1/24 interface=BASE_VLAN network=192.168.90.0
add address=192.168.1.44/24 disabled=yes interface=ether1 network=192.168.1.0
add address=192.168.91.1/24 interface=Untergeschoss network=192.168.91.0
add address=192.168.92.1/24 interface=Obergeschoss network=192.168.92.0
add address=10.9.0.7/24 interface=wireguard1 network=10.9.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.90.0/24 dns-server=1.1.1.1 gateway=192.168.90.1
add address=192.168.91.0/24 dns-server=1.1.1.1 gateway=192.168.91.1
add address=192.168.92.0/24 dns-server=1.1.1.1 gateway=192.168.92.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
connection-state=established,related
add action=accept chain=forward comment=Wireguard dst-port=11197 log=yes \
log-prefix=WG: protocol=udp
add action=accept chain=input dst-port=11197 log=yes log-prefix=WG: protocol=\
udp
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
in-interface=BASE_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.1.1
add disabled=no dst-address=192.168.200.0/24 gateway=wireguard1 \
routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.1.0/24 gateway=wireguard1 routing-table=\
main suppress-hw-offload=no