Okay, this is fairly straightforward then: laptop or iPhone to home for internet, to subnets, and to configure the router.
As in all wireguard setups:
1. Configure the wireguard settings.
2. Ensure firewall rules allow the traffic.
3. Ensure routes are provided.
Since it appears that the MT router is internet facing (public IP), there is less complication.
Not sure why you have two bridges? I removed it, and also all the interfaces, keeping just WAN and LAN for now. Simplify, simplify, simplify.
Removed the IP DHCP client on ether1; everything is configured from your pppoe menus, thus it is not required.
Not sure of the purpose of your IP ARP entries, but left them in there.
The IP address was set on ether3 in error; it should be the bridge.
DISABLED THIS RULE FOR NOW DURING TESTING....
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic disabled=yes
I loathe people who mix forward chain and input chain rules; it gets confusing fast and is more prone to errors.
Why do you need destination addresses in your input chain for ipsec?
The input chain is to the router. I left them in but cannot recall ever seeing destination addresses in this spot.
Your IP is pppoe and not static, correct? So if it's the router's WAN IP it would have to be changed anyway; in any case it is NOT required.
I see these rules are disabled for now.
Instead of saying drop all traffic not coming from LAN, simply state:
accept traffic coming from LAN. Add the wireguard interface to the LAN list and you now have access to the router via firewall rules.
The last input chain rule should simply be drop all. JUST MAKE SURE you put this rule AFTER the allow-LAN-access rule above.
It seems you have multiple rules for allowing wireguard in the forward chain.
You just need
add chain=forward action=accept in-interface=wireguard1 and now you have access to any subnets and to WAN.
However I don't necessarily like wide open, and it also shows that you have no rule specifically allowing LAN to WAN traffic.
I don't like anything implied; nail down what traffic flow is permitted and drop the rest.
Don't understand this one. What would be the purpose of trying to wireguard to your iPhone from the home router?
A little better, I suppose, is attempting to wireguard to a work desktop from home, but what would you be doing in this case?
add action=accept chain=forward comment="Wireguard Forward" disabled=yes \
dst-address=192.168.10.0/24 src-address=10.160.100.0/24
Modified the end of the forward chain to make it clear: allow port forwarding, allow LAN to WAN, and drop all else.
Lots going on, lots disabled, so not sure what the intent is regarding VPN. Hopefully you will get rid of everything but wireguard LOL.
Looking at routes, the pppoe route for all WAN traffic is handled (add default route).
Since you have an IP address for wireguard, this is autogenerated:
<DAC> dst-address=192.168.10.0/24 gateway=wireguard1 table=main
It covers the return flow (from subnets and internet) for externally originated traffic (aka phone or desktop).
It covers the outgoing flow (from the local subnet) to the laptop, if that is a valid need.
# jan/04/1970 03:58:14 by RouterOS 7.2.3
# model = RouterBOARD 750G r3
/interface bridge
add admin-mac=6C:3B:6B:7E:AD:EF auto-mac=no comment=\
"created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] advertise=\
100M-half,100M-full,1000M-half,1000M-full rx-flow-control=auto speed=\
100Mbps tx-flow-control=auto
set [ find default-name=ether2 ] name=ether2-master rx-flow-control=auto \
speed=100Mbps tx-flow-control=auto
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
service-name=Vodafone use-peer-dns=yes user=\
dsl002066683@broadband.vodafone.co.uk
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=LAN
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name="Group VPN"
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 dpd-interval=1h enc-algorithm=\
aes-256,aes-128,3des hash-algorithm=sha256 lifetime=1h
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 \
hash-algorithm=sha256 name="Profile VPN"
/ip ipsec peer
add exchange-mode=ike2 local-address=90.255.245.65 name="Peer VPN" passive=\
yes profile="Profile VPN"
/ip ipsec proposal
set [ find default=yes ] disabled=yes enc-algorithms=\
aes-256-cbc,aes-128-cbc,3des lifetime=8h pfs-group=none
add auth-algorithms=sha256 disabled=yes enc-algorithms=\
aes-256-cbc,aes-256-gcm name=myproposal pfs-group=modp2048
add auth-algorithms=sha256,sha1 lifetime=8h name="Proposal VPN" pfs-group=\
none
/ip pool
add name=dhcp ranges=10.160.100.30-10.160.100.130
add name=VPN_Pool ranges=192.168.11.10-192.168.11.100
/ip dhcp-server
add address-pool=dhcp interface=bridge1 lease-time=1h name=defconf
/ip ipsec mode-config
add address-pool=VPN_Pool address-prefix-length=32 name="Modeconf VPN" \
split-include=0.0.0.0/0 static-dns=192.168.11.1 system-dns=no
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=VPN_Pool
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
add disabled=no name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
/routing table
add fib name=VPN
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,rest-api"
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether3
add bridge=bridge1 ingress-filtering=no interface=ether4
add bridge=bridge1 ingress-filtering=no interface=ether5
add bridge=bridge1 ingress-filtering=no interface=ether2-master
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=NONE
/interface l2tp-server server
set authentication=mschap2 use-ipsec=yes
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireguard peers
add allowed-address=192.168.10.2/32 comment=iPhone interface=wireguard1 \
public-key="lh1V7h9b4YnavEDrDhokyZGUMfTnQPUgZkE6zabQEj4="
add allowed-address=192.168.10.3/32 comment="Work Desktop" interface=\
wireguard1 public-key="i8IiqYCyUi6Qmg5L0wfdNg+Stpgtz5PSGrGxgX8etGY="
/ip address
add address=10.160.100.1/24 comment=defconf interface=bridge1 network=\
10.160.100.0
add address=192.168.10.1/24 comment=WireGuard1 interface=wireguard1 network=\
192.168.10.0
/ip arp
add address=10.160.100.140 comment=D-Link interface=bridge1 mac-address=\
6C:19:8F:CC:40:1C
add address=10.160.100.201 interface=bridge1 mac-address=0C:96:BF:51:D8:32
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
add address=10.160.100.79 mac-address=60:B4:F7:F5:E9:0A server=defconf
add address=10.160.100.34 mac-address=60:B4:F7:F5:E8:B0 server=defconf
add address=10.160.100.85 mac-address=60:B4:F7:F5:E4:9C server=defconf
add address=10.160.100.76 mac-address=60:B4:F7:F5:E9:58 server=defconf
add address=10.160.100.46 client-id=1:0:18:dd:24:d:e8 mac-address=\
00:18:DD:24:0D:E8 server=defconf
add address=10.160.100.65 client-id=33:30:44:33:32:44:41:32:45:43:34:32 \
mac-address=30:D3:2D:A2:EC:42 server=defconf
add address=10.160.100.31 client-id=1:f4:8e:38:3f:77:f7 mac-address=\
F4:8E:38:3F:77:F7 server=defconf
add address=10.160.100.30 client-id=1:0:11:32:b7:b2:15 mac-address=\
00:11:32:B7:B2:15 server=defconf
add address=10.160.100.74 client-id=1:3c:2a:f4:f5:bf:7e mac-address=\
3C:2A:F4:F5:BF:7E server=defconf
add address=10.160.100.52 client-id=1:b8:27:eb:21:63:14 mac-address=\
B8:27:EB:21:63:14 server=defconf
add address=10.160.100.68 client-id=1:ec:71:db:2e:8c:e0 mac-address=\
EC:71:DB:2E:8C:E0 server=defconf
/ip dhcp-server network
add address=10.160.100.0/24 comment=defconf domain=campbell-andrews.com \
gateway=10.160.100.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.160.100.1 name=router
add address=10.160.100.30 comment="Point to the NAS box" name=\
dazzaling69.synology.me
add address=10.160.100.30 comment="Point Campbell-Andrews traffic to NAS" \
disabled=yes name=campbell-andrews.com
add address=10.160.100.30 comment="Send internal mail traffic to server" \
name=mail.campbell-andrews.com
add address=8.8.8.8 name=test.lan
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic disabled=yes
/ip firewall filter
add action=accept chain=input comment=\
"Maintain related and established connections" connection-state=\
established,related
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment=\
"Accept all traffic from ike2-vpn clients / ipsec-in" disabled=yes \
ipsec-policy=in,ipsec src-address=192.168.11.0/24
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="ICMP Accept Rule" log=yes log-prefix=\
ICMP protocol=icmp
add action=accept chain=input comment="Allow IPSec_ESP" disabled=yes \
dst-address=90.255.245.65 protocol=ipsec-esp
add action=accept chain=input comment="Allow UDP 500,4500 IPSEC" disabled=yes \
dst-address=90.255.245.65 dst-port=500,4500 protocol=udp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="Drop all other packets"
add action=fasttrack-connection chain=forward comment=\
"Fasttrack everything but IPSEC traffic" connection-mark=!ipsec \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment=\
"allow subnet and WG to internet"
add action=accept chain=forward in-interface=wireguard1 dst-address=10.160.100.0/24 comment=\
"Allow WG to subnets"
add action=accept chain=forward comment="allow Subnet to WG Desktop" disabled=yes \
dst-address=192.168.10.3/32 src-address=10.160.100.0/24
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=change-mss chain=forward comment="TCP MSS CUT for ike2 vpn" \
ipsec-policy=in,ipsec new-mss=1360 passthrough=yes protocol=tcp \
src-address=192.168.11.0/24 tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment="TCP MSS CUT for ike2 vpn" \
dst-address=192.168.11.0/24 ipsec-policy=out,ipsec new-mss=1360 \
passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1300
add action=mark-connection chain=forward comment=\
"Mark IPSEC connections to exclude them from fasttrack - out" \
ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment=\
"Mark IPSEC connections to exclude them from fasttrack - In" \
ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes in-interface=pppoe-out1 \
protocol=ipsec-esp to-addresses=10.160.100.30
add action=dst-nat chain=dstnat comment="Synology L2TP VPN" disabled=yes \
dst-port=500,1701,4500 in-interface=pppoe-out1 log=yes log-prefix=\
"Synology VPN" protocol=udp to-addresses=10.160.100.30
add action=dst-nat chain=dstnat comment=Email dst-port=25,465,587,110,993,995 \
in-interface=pppoe-out1 log=yes log-prefix=Email protocol=tcp \
to-addresses=10.160.100.30
add action=dst-nat chain=dstnat comment="Plex TCP" dst-port=32400 \
in-interface=pppoe-out1 log=yes log-prefix=PlexNAT protocol=tcp \
to-addresses=10.160.100.30 to-ports=32400
add action=masquerade chain=srcnat comment=\
"MSQRD all WAN traffice / non-ipsec" ipsec-policy=out,none \
out-interface-list=WAN
/ip ipsec identity
add auth-method=eap-radius certificate=Cert,DigiCertCA generate-policy=\
port-strict mode-config="Modeconf VPN" peer="Peer VPN" \
policy-template-group="Group VPN"
add auth-method=digital-signature certificate=*8 disabled=yes \
generate-policy=port-strict match-by=certificate mode-config=\
"Modeconf VPN" peer="Peer VPN" policy-template-group="Group VPN" \
remote-id=user-fqdn:cl@VPN
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/0 proposal=myproposal src-address=\
0.0.0.0/0
add comment="Policy template for Road warriors" dst-address=192.168.11.0/24 \
group="Group VPN" proposal="Proposal VPN" src-address=0.0.0.0/0 template=\
yes
/ip route
add check-gateway=ping disabled=yes dst-address=0.0.0.0/0 gateway=pppoe-out1 \
routing-table=VPN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl certificate=Cert disabled=no port=10443
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set allow-guests=no domain=WORKGROUP enabled=yes interfaces=bridge1
/ip smb users
add name=Darren read-only=no
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip tftp
add real-filename=/flash/pub/CISCO/SIPDefault.cnf req-filename=SIPDefault.cnf
add real-filename=/flash/pub/CISCO/OS79XX.TXT req-filename=OS79XX.TXT
add real-filename=/flash/pub/CISCO/SIP000821ACFE4F.cnf req-filename=\
SIP000821ACFE4F.cnf
add real-filename=/flash/pub/CISCO/P0S3-8-12-00.loads req-filename=\
P0S3-8-12-00.loads
add real-filename=/flash/pub/CISCO/P0S3-8-12-00.sb2 req-filename=\
P0S3-8-12-00.sb2
add real-filename=/flash/pub/CISCO/P003-8-12-00.bin req-filename=\
P003-8-12-00.bin
add real-filename=/flash/pub/CISCO/P003-8-12-00.sbn req-filename=\
P003-8-12-00.sbn
add real-filename=/flash/pub/CISCO/dialplan.xml req-filename=dialplan.xml
add read-only=no real-filename=/flash/pub/Dell_Switch req-filename=\
Dell_Switch
add read-only=no real-filename=/flash/pub/Dell_Running req-filename=\
Dell_Running
add read-only=no real-filename=/flash/pub/Dell_Startup req-filename=\
Dell_Startup
add real-filename=x10xx_boot-10025.rfb req-filename=x10xx_boot-10025.rfb
/ip upnp
set enabled=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/ppp secret
add name=Darren remote-address=10.160.100.254 service=l2tp
/radius
add address=10.160.100.30 service=ipsec src-address=10.160.100.1
/snmp
set contact=Routerboard trap-interfaces=all trap-target=10.160.100.30 \
trap-version=3
/system clock
set time-zone-name=Europe/London
/system logging
add topics=ipsec
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=194.35.252.7
add address=130.88.203.12
/system resource irq rps
set ether1 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
set ether2-master disabled=no
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
.....................
As for the work laptop, I am not quite sure how that works. I am assuming you have allowed IPs on the Windows wireguard client of 0.0.0.0/0?
And that the MT router never sees the actual subnet IP address the desktop is on, but only the assigned wireguard IP address as the source of the traffic (thus the current allowed IPs at MT works)!
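The rule-ordering point made above (the allow-LAN rule must sit before the final drop, or it never matches) can be checked mechanically against an export. The following Python is an added example, not code from the post or from RouterOS; it assumes the export lists filter rules in evaluation order, parses only `add` lines, and uses SAMPLE, a constructed excerpt modelled on the filter block in the post.

```python
"""Rule-order check for an exported RouterOS /ip firewall filter block (added example)."""
import shlex

# Constructed excerpt modelled on the filter rules in the post above.
SAMPLE = r'''
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
protocol=udp
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="Drop all other packets"
add action=accept chain=forward in-interface=wireguard1 dst-address=10.160.100.0/24
add action=drop chain=forward comment="drop all else"
'''
# Properties that are not packet matchers; a drop with nothing else is a catch-all.
NON_MATCHERS = {"action", "chain", "comment", "disabled", "log", "log-prefix"}

def parse_rules(text):
    """Join backslash-continued lines, then turn each 'add ...' line into a dict."""
    lines, buf = [], ""
    for raw in text.splitlines():
        buf += raw
        if buf.endswith("\\"):      # export-style line continuation
            buf = buf[:-1] + " "
            continue
        if buf.strip():
            lines.append(buf.strip())
        buf = ""
    rules = []
    for line in lines:
        toks = shlex.split(line)    # handles comment="with spaces"
        if toks and toks[0] == "add":
            rules.append(dict(t.split("=", 1) for t in toks[1:] if "=" in t))
    return rules

def is_catch_all_drop(rule):
    return rule.get("action") == "drop" and not (set(rule) - NON_MATCHERS)

def check_chain(rules, chain):
    """Report enabled accept rules placed after a catch-all drop in `chain` (dead rules)."""
    findings, seen_drop = [], False
    for i, r in enumerate(rules):
        if r.get("chain") != chain or r.get("disabled") == "yes":
            continue
        if is_catch_all_drop(r):
            seen_drop = True
        elif seen_drop and r.get("action") == "accept":
            findings.append(f"{chain} rule {i} ({r.get('comment', 'no comment')})"
                            " is unreachable after the catch-all drop")
    return findings
```

Feed it the text of `/export` between `/ip firewall filter` and the next section header; an empty list from `check_chain` means no accept rule is shadowed by a catch-all drop in that chain.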