Solear

Wireguard and VLAN

Sat Sep 04, 2021 7:59 pm

Hello,
Maybe I'm missing something. I have been running WireGuard on my RB4011 successfully since the first RouterOS 7 beta (without VLANs).
Now I'm changing my config to use 3 VLANs (following an example config).
But I can't get WireGuard working. The tunnel should connect VLAN 90 (192.168.90.0/24) to the remote sites.

I've added the WireGuard interface to the VLAN bridge and set frame-types=admit-only-untagged-and-priority-tagged and pvid=90.

Maybe it's a firewall rule? But I don't know which one.
Please give me a hint. Thank you very much.

Here is the config (I removed the wlan section; keys and peer hostnames are redacted).
# sep/04/2021 10:28:33 by RouterOS 7.1rc1
# software id = 8H40-SBMV
#
# model = RB4011iGS+5HacQ2HnD
# NOTE(review): export posted for troubleshooting; the peer public keys ("key")
# and endpoint hostnames (xxxx.de, yyyy.de) are redacted. Review remarks are
# marked NOTE(review).
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface wireguard
# The tunnel terminates on this router (UDP 11197); the router's own tunnel
# address, 10.9.0.7/24, is assigned under /ip address below.
add listen-port=11197 mtu=1412 name=wireguard1
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=90
add interface=BR1 name=Obergeschoss vlan-id=92
add interface=BR1 name=Untergeschoss vlan-id=91
/interface list
add name=WAN
add name=VLAN
add name=BASE
/ip pool
add name=Untergeschoss ranges=192.168.91.50-192.168.91.254
add name=Obergeschoss ranges=192.168.92.50-192.168.92.254
add name=BASE_POOL ranges=192.168.90.50-192.168.90.254
/ip dhcp-server
add address-pool=Untergeschoss interface=Untergeschoss name=UntergeschossDHCP
add address-pool=Obergeschoss interface=Obergeschoss name=ObergeschossDHCP
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
/interface bridge port
# Access ports: every wlan/ether port below accepts untagged frames only and is
# assigned to one VLAN via pvid (90 = base, 91 = Untergeschoss, 92 = Obergeschoss).
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan1 pvid=91
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan4 pvid=91
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan2 pvid=92
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan5 pvid=92
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan3 pvid=90
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan6 pvid=90
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether2 pvid=90
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether3 pvid=90
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=90
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether5 pvid=90
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether6 pvid=90
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether7 pvid=90
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether8 pvid=90
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether9 pvid=91
# NOTE(review): wireguard1 is a layer-3 (routed) tunnel interface, not an
# Ethernet or wlan port. Making it a bridge port does not put tunnel traffic
# into VLAN 90; the path between 10.9.0.0/24 and 192.168.90.0/24 is routing
# plus forward-chain firewall rules (see /ip firewall filter below). This
# entry should be removed.
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wireguard1 pvid=90
# Trunk port carrying VLANs 90/91/92 tagged (see /interface bridge vlan). It has
# no frame-types restriction, so it also accepts untagged frames; if nothing
# untagged is expected on the trunk, consider frame-types=admit-only-vlan-tagged.
add bridge=BR1 interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=VLAN
/interface bridge vlan
# Untagged membership is listed for the wlan ports only; the ether ports with
# pvid 90/91 above are not listed. Per the reply below this is not required for
# pvid ports, but listing all or none keeps the table readable.
add bridge=BR1 tagged=BR1,ether10 untagged=wlan3,wlan6 vlan-ids=90
add bridge=BR1 tagged=BR1,ether10 untagged=wlan1,wlan4 vlan-ids=91
add bridge=BR1 tagged=BR1,ether10 untagged=wlan2,wlan5 vlan-ids=92
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN wan-interface-list=\
    WAN
/interface l2tp-server server
# Export of the L2TP server defaults; no enabled=yes appears here.
set l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=Obergeschoss list=VLAN
add interface=Untergeschoss list=VLAN
add interface=BASE_VLAN list=BASE
/interface wireguard peers
# NOTE(review): both peers carry allowed-address=10.9.0.0/24. WireGuard binds
# each allowed prefix to exactly one peer (cryptokey routing), so the whole /24
# can only belong to one of them and traffic to the other peer's 10.9.0.x
# address is misdirected or dropped. Use each peer's own tunnel address as a
# /32 instead, keeping only the remote LAN prefix per peer.
add allowed-address=10.9.0.0/24,192.168.1.0/24 endpoint-address=xxxx.de \
    endpoint-port=11199 interface=wireguard1 public-key=\
    "key"
add allowed-address=10.9.0.0/24,192.168.200.0/24 endpoint-address=\
    yyyy.de endpoint-port=11198 interface=wireguard1 public-key=\
    "key"
/ip address
add address=192.168.90.1/24 interface=BASE_VLAN network=192.168.90.0
# Disabled static WAN address; the dhcp-client on ether1 below presumably
# supplies an address in the same upstream 192.168.1.0/24 subnet (the default
# gateway under /ip route is 192.168.1.1).
add address=192.168.1.44/24 disabled=yes interface=ether1 network=192.168.1.0
add address=192.168.91.1/24 interface=Untergeschoss network=192.168.91.0
add address=192.168.92.1/24 interface=Obergeschoss network=192.168.92.0
add address=10.9.0.7/24 interface=wireguard1 network=10.9.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
# Clients are handed 1.1.1.1 directly, so they do not depend on the router's
# resolver below.
add address=192.168.90.0/24 dns-server=1.1.1.1 gateway=192.168.90.1
add address=192.168.91.0/24 dns-server=1.1.1.1 gateway=192.168.91.1
add address=192.168.92.0/24 dns-server=1.1.1.1 gateway=192.168.92.1
/ip dns
# The router answers DNS for remote requesters. This is only safe because the
# input chain below has no accept for port 53 from WAN and ends in a drop; keep
# it that way or the router becomes an open resolver usable for amplification.
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
# NOTE(review): the tunnel terminates on this router, so WireGuard's UDP 11197
# is handled by the input chain. This forward rule never matches tunnel traffic
# and only permits transit traffic towards that port; it should be removed.
# log=yes on an accept rule also logs every match.
add action=accept chain=forward comment=Wireguard dst-port=11197 log=yes \
    log-prefix=WG: protocol=udp
# Accepts WireGuard packets from any interface (not limited to in-interface-list
# WAN). WireGuard authenticates peers by key, so this is acceptable; log=yes
# fires for every new flow and may be noisy.
add action=accept chain=input dst-port=11197 log=yes log-prefix=WG: protocol=\
    udp
# NOTE(review): this grants every VLAN (90, 91 and 92) full access to all router
# services, management included. The next rule is then redundant, because
# BASE_VLAN is already a member of list VLAN. Prefer full access for BASE_VLAN
# only and allow just the needed services (e.g. DNS, DHCP) for the other VLANs.
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
# Default deny for the input chain. No "drop invalid" and no ICMP accept precede
# it (see the reply below).
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
# Only new connections from the VLANs towards WAN are permitted. Nothing allows
# BASE_VLAN <-> wireguard1 in either direction, so site-to-site traffic hits the
# drop below -- the likely reason the tunnel "does not work" with VLANs.
# Inter-VLAN traffic (90/91/92 to each other) is also dropped, which preserves
# the segmentation.
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
# Masquerade only towards WAN; tunnel traffic is not NATed, so the remote sites
# presumably need a return route for 192.168.90.0/24 and must list it in their
# allowed-address for this peer (not visible here).
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.1.1
# Remote site 192.168.200.0/24 is reached through the tunnel.
add disabled=no dst-address=192.168.200.0/24 gateway=wireguard1 \
    routing-table=main suppress-hw-offload=no
# NOTE(review): 192.168.1.0/24 is also the upstream (WAN-side) subnet that holds
# the default gateway 192.168.1.1 (see the ether1 address above). If ether1
# has an address in that subnet, its connected route should win over this static
# route and the remote 192.168.1.0/24 site stays unreachable through the tunnel;
# if it did not, this route would pull the default gateway itself into the
# tunnel. Renumber one of the two networks.
add disabled=no dst-address=192.168.1.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no

 
mfrey

Re: Wireguard and VLAN

Sat Sep 04, 2021 8:21 pm

Servus,

I don't think putting a WireGuard interface into a bridge works, since WireGuard operates at layer 3 (IP), whereas a bridge operates at layer 2 (Ethernet/MAC).
I can't quite figure out what you're trying to do, but if you want the (encrypted) WireGuard traffic itself to leave via a non-standard route through VLAN 90, you will have to use policy-based routing.
 
Solear

Re: Wireguard and VLAN

Sat Sep 04, 2021 10:36 pm

Thank you.
I want to connect my 192.168.90.0/24 network (VLAN 90) through the 10.9.0.0/24 tunnel network to my two other sites (192.168.1.0/24 and 192.168.200.0/24).

I will look again my config.
 
anav

Re: Wireguard and VLAN

Sun Sep 05, 2021 2:19 am

The best thing to do is post your config and we can see what is missing.
One thing that is probably missing is routing so that traffic for the remote subnets is sent into the tunnel, etc.
and maybe forward-chain firewall rules to allow traffic between the WireGuard interface and the VLAN.

Anyway post your config
/export hide-sensitive file=anynameyouwish
and network diagram would be helpful also
 
Solear

Re: Wireguard and VLAN

Sun Sep 05, 2021 9:37 am

Hello, my config is already in #1.

But here is a simple network diagram. Thank you!
 
anav

Re: Wireguard and VLAN

Sun Sep 05, 2021 3:13 pm

(1) I do not believe you can attach WireGuard as a bridge port, as it is neither an ethernet nor a wlan port but a layer-3 tunnel interface. Thus remove:
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
wireguard1 pvid=90

(2) For untagged vlans, they are not required to be shown on the interface bridge vlan settings but you have done so for wlan ports but not ethernet ports.
I prefer manually inserting them as you have so it clear to me and the reader what is going on. Just be consistent, all or none I guess.
Here is what I would have...

/interface bridge vlan
add bridge=BR1 tagged=BR1,ether10 untagged=wlan3,wlan6,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=90
add bridge=BR1 tagged=BR1,ether10 untagged=wlan1,wlan4,ether9 vlan-ids=91
add bridge=BR1 tagged=BR1,ether10 untagged=wlan2,wlan5 vlan-ids=92

(3) What is the purpose of this rule? The router itself terminates the tunnel, so WireGuard's UDP 11197 traffic is handled in the input chain; a forward-chain accept for that port never matches tunnel traffic and only opens it for transit traffic. It should be deleted in my opinion.
add action=accept chain=forward comment=Wireguard dst-port=11197 log=yes \
log-prefix=WG: protocol=udp


I understand the similar rule you have for the INPUT chain as this will be used for the initial connection from the external user to your RB4011 server.
add action=accept chain=input dst-port=11197 log=yes log-prefix=WG: protocol=\
udp


(4) I like the drop-all rule at the end of the input chain, but what is the purpose of the two input rules for interface lists? The VLAN list already includes BASE_VLAN, so one of the two rules is redundant. Note that "Allow VLAN" currently gives the other VLANs full access to every router service, management included. What makes more sense is to give full access ONLY to BASE and, for the rest, allow only the services required..... DNS for example.
Up to you. For example...
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
in-interface=BASE_VLAN
\
In other words keep base vlan and for the rest of the users..........
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=VLAN protocol=udp

(5) You are missing some standard input chain rules
/ip firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp (especially important for troubleshooting WG connections, to verify router availability)

(6) You are missing some key forward chain rules......
The first rule should be fasttrack, and you also need a drop-invalid rule. I am assuming you have no port forwarding to worry about, so there is no need for an allow-dstnat rule.

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="Allow Estab & Related" \
connection-state=established,related

add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid

add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop


(7) Okay lets take a look at IP routes.
/ip route
add distance=1 gateway=192.168.1.1 - Good, all users/devices have access to the WAN through this connection.
add disabled=no dst-address=192.168.200.0/24 gateway=wireguard1 \ Good, this sends traffic for the remote 192.168.200.0/24 site into the tunnel
routing-table=main suppress-hw-offload=no


add disabled=no dst-address=192.168.1.0/24 gateway=wireguard1 routing-table=\ ???? What is the purpose of this route? 192.168.1.0/24 is also the subnet of your WAN-side default gateway (192.168.1.1), so a route to it through the tunnel conflicts with the connected route on ether1.
main suppress-hw-offload=no


The first route ensures traffic from all subnets and interfaces gets to the internet, and the second route sends traffic for the remote 192.168.200.0/24 site into the tunnel (replies from that site come back the same way). I don't use IP addresses on my WG interfaces, but try disabling the last route and see if you have success.

(8) If you want the WireGuard interface to be able to interact with VLAN 90, I suggest a forward-chain rule just before the drop rule, using the actual interface names from your config:
add chain=forward action=accept in-interface=wireguard1 out-interface=BASE_VLAN

This assumes you want to allow WireGuard users to reach users/devices on VLAN 90.
If you wish the reverse, then switch the in and out interfaces.
If you need unsolicited access both ways, then you need two rules.

Please clarify what you mean by ..........wireguard should use vlan90??
