Fri Sep 09, 2022 5:54 am
1 - set this to at least LAN.
/ip neighbor discovery-settings
set discover-interface-list=none
2 - set this to none; it's known to be problematic and not understood in general.
/interface detect-internet
set detect-interface-list=all
3 - PROBLEM: Not sure of your intent here... other than clearly you want to be able to config the router with access to the input chain. Correct???
add action=accept chain=input comment="allow Wireguard traffic" \
src-address-list=10.0.10.0/24,10.0.0.0/24
I was expecting simply:
add action=accept chain=input comment="allow admin to access Router via Wireguard" \
src-address-list=10.0.10.0/24 (you could also add in-interface=wireguard_home to be more granular/explicit/accurate)
Why are you giving your entire local LAN SUBNET access to config the router?
Nothing wrong with that, as it's part of the common default firewall rule set, which is already covered, but the line comment implies it's for wireguard access.
Also, only the initial connection establishment line is typically before the default rules, which is fine, BUT... I'd suggest the access to the router through wireguard be AFTER the accept ICMP rule.
4 - Also, the format is WRONG!!
You can either use one source address or you can use a destination address list, but not in the way you have done... rather amusing, actually.
Your rule should look like so...
... accept ICMP RULE ...
add action=accept chain=input comment="allow admin to access Router via Wireguard and LAN access to router services" \
src-address-list=RouterAccess
Where you create a destination firewall address list:
add address=10.10.0.2 list=RouterAccess
add address=10.0.0.0/24 list=RouterAccess
... etc.
HOWEVER later on in the input chain rules you have the default rule.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
Since you have defined the wireguard_home interface to be part of the LAN, it may very well be that you don't even need the allow source address rule specifically for wireguard in reality.
However, it's better to be clear and direct in what's allowed, for yourself and the reader.
In fact, I usually get rid of this default LAN rule and change it to allow access to DNS (and NTP if required for LAN users), but only after giving the admin access by his/her LAN IP address, similar to how wireguard admin access is done but for the local LAN. Only after doing that, and giving LAN users access only to router services, do I put in a last input rule which basically drops everything else.
5 - Get rid of this bloated crap; it's not going to do anything for you and makes your config much harder to read and troubleshoot... simplicity and efficiency are keys to a base config.
add action=return chain=detect-ddos comment="Protection against DDoS" \
dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target \
address-list-timeout=10m chain=detect-ddos comment=\
"Protection against DDoS"
add action=add-src-to-address-list address-list=ddos-attackers \
address-list-timeout=10m chain=detect-ddos comment=\
"Protection against DDoS"
add action=return chain=detect-ddos comment="SYN-ACK Flood" dst-limit=\
32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack
add action=add-src-to-address-list address-list="Port Scanners" \
address-list-timeout=12h chain=input comment="Port Scanners" \
in-interface-list=WAN protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=Blocked_IP \
address-list-timeout=8h chain=input comment=Block_IP dst-port=\
0,20-23,98,137,138,515,2000,3306,3389,5800,5900,8888 in-interface-list=WAN \
protocol=tcp
6 - WHY do you provide an extra source NAT line for the local LAN? It's already covered by the default rule with out-interface-list=WAN.
Also, I would have to check, but since the wireguard interface is considered part of the LAN interface, I'm assuming that traffic would be covered too?
I would test this once you have a good, solid working connection: disable the rule and see if things still work.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
add action=masquerade chain=srcnat src-address=10.0.0.0/24
add action=masquerade chain=srcnat src-address=10.10.0.0/24
7 - Round two: get rid of these bloated rules that will get in the way of a functioning config, with unnecessary added complexity and no real gain in performance.
/ip firewall raw
add action=drop chain=prerouting src-address-list="Port Scanners"
add action=drop chain=prerouting src-address-list=Blocked_IP
add action=drop chain=prerouting dst-address-list=ddos-target src-address-list=\
ddos-attackers
add action=accept chain=prerouting comment=\
"defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp \
src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
"defconf: drop forward to local lan from WAN" dst-address=10.0.0.0/24 \
in-interface-list=WAN
add action=drop chain=prerouting comment=\
"defconf: drop local if not from default IP range" in-interface-list=LAN \
src-address=!10.0.0.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
"defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
"defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=\
3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=\
3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=\
3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
8 - NO IP ROUTES VISIBLE, so not able to comment on a key part of any wireguard config.
You should have connectivity from LAN to WAN for the wireguard implicitly, because there doesn't appear to be anything blocking such traffic.
Since you have a Wireguard address, the router should dynamically know that return traffic for 10.10.0.2 should go back through the wireguard tunnel, because this route will exist on your router:
<DAC> dst-address=10.10.0.0/24 interface=wireguard_home table=main
9 - This needs to be fixed to LAN.
/tool mac-server mac-winbox
set allowed-interface-list=none
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
In summary, for wireguard:
a. Fix the input chain rule for wireguard, as the format is incorrect: either use a proper destination address list format or create two rules (each with src-address=).
b. Add LAN to neighbour discovery.
If you have success, then remove the src-nat rule for 10.10.0.2 and see if your connection still works as desired.
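The two input-chain problems called out in points 3, 4 and 7 (CIDR literals stuffed into src-address-list=, and accept rules that sit behind a drop that already ends the chain) can be caught mechanically from the /export text before the config is applied. The following is an added example, not part of this post or of the original poster's configuration: a small Python lint that joins the backslash-continued export lines, collects the statically defined address lists, and checks every input-chain rule for (a) an address literal where a list name belongs, (b) a list name nothing defines, and (c) an accept placed after a catch-all drop. The SAMPLE_EXPORT text is constructed here, modelled on the rules quoted above; the list name "Ops" and the comments on the last three rules are made up for the demonstration.

```python
import ipaddress
import re

# Constructed sample export, modelled on the rules quoted in the post above.
# Rule 0 reproduces the malformed src-address-list= usage; rule 1 is the
# corrected form that references a named address list; the last rules show
# an undefined list ("Ops", hypothetical) and an accept after a catch-all drop.
SAMPLE_EXPORT = """\
/ip firewall address-list
add address=10.10.0.2 list=RouterAccess
add address=10.0.0.0/24 list=RouterAccess
/ip firewall filter
add action=accept chain=input comment="allow Wireguard traffic" \\
    src-address-list=10.0.10.0/24,10.0.0.0/24
add action=accept chain=input comment="allow admin to access Router via Wireguard" \\
    src-address-list=RouterAccess
add action=drop chain=input comment="defconf: drop all not coming from LAN" \\
    in-interface-list=!LAN
add action=accept chain=input comment="list nobody defined" src-address-list=Ops
add action=drop chain=input comment="drop everything else"
add action=accept chain=input comment="never reached" src-address-list=RouterAccess
"""

# key=value pairs; values are either "quoted strings" or a run of non-space chars
_KV_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')
# keys that do not narrow what a rule matches
_NON_MATCHERS = {"action", "chain", "comment", "disabled", "log", "log-prefix"}


def join_continuations(text):
    """Merge lines that a RouterOS export wraps with a trailing backslash."""
    return re.sub(r"\\\n\s*", " ", text)


def parse_export(text):
    """Return (address-list names, filter rules in order) from an export."""
    section, lists, rules = None, set(), []
    for line in join_continuations(text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            kv = {k: v.strip('"') for k, v in _KV_RE.findall(line[4:])}
            if section == "/ip firewall address-list" and "list" in kv:
                lists.add(kv["list"])
            elif section == "/ip firewall filter":
                rules.append(kv)
    return lists, rules


def is_address_literal(value):
    """True when every comma-separated item parses as an IP address or CIDR prefix."""
    try:
        for item in value.lstrip("!").split(","):
            ipaddress.ip_network(item, strict=False)
        return True
    except ValueError:
        return False


def is_catch_all_drop(rule):
    """An enabled drop rule with no matchers at all ends the chain for everything."""
    return (rule.get("action") == "drop" and rule.get("disabled") != "yes"
            and not (rule.keys() - _NON_MATCHERS))


def lint_input_chain(lists, rules):
    """Return (rule index, message) findings for the input chain."""
    findings, blocked = [], False
    for i, rule in enumerate(rules):
        if rule.get("chain") != "input":
            continue
        for key in ("src-address-list", "dst-address-list"):
            val = rule.get(key)
            if val is None:
                continue
            if is_address_literal(val):
                findings.append((i, f"{key}={val}: address literal where a list name "
                                    "is expected; use src-address=/dst-address= or a named list"))
            elif val.lstrip("!") not in lists:
                findings.append((i, f"{key}={val}: list not defined in the export "
                                    "(fine only if some rule populates it dynamically)"))
        if blocked and rule.get("action") == "accept":
            findings.append((i, "accept after a catch-all drop in the input chain is never reached"))
        if is_catch_all_drop(rule):
            blocked = True
    return findings


if __name__ == "__main__":
    for idx, msg in lint_input_chain(*parse_export(SAMPLE_EXPORT)):
        print(f"rule {idx}: {msg}")
```

Run against a real /export, the "not defined" finding is only a warning: RouterOS address lists can be filled at runtime by add-src-to-address-list rules, so a name absent from the static section is not necessarily wrong, which is why the message says so instead of flagging it as an error.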