I would like to access my switches which is with a customer who does not have the possibility of opening a port in his firewall (HAP22 side). I am on the PC ADMIN (CCR side)
I'd like to use Wireguard to achieve this simply.
Here is the export of my configuration and a diagram to understand.
Thanks for your help
On PC ADMIN
- Ping 192.168.130.1 : ok
- Ping 192.168.131.1 : ok
- Ping 192.168.131.2 : ko
- Ping 192.168.222.1 : ko
- Ping 192.168.222.10 : ko
- Ping 192.168.130.2 : ok
- Ping 192.168.131.1 : ok
- Ping 192.168.131.2 : ok
- Ping 192.168.222.1 : ko
- Ping 192.168.222.10 : ko
Code: Select all
/interface bridge
add name=bridge
/interface wireguard
add listen-port=13232 mtu=1420 name=wireguardclient
/interface list
add name=WAN
add name=LAN
/ip pool
add name=POOL222 ranges=192.168.222.100-192.168.222.200
/ip dhcp-server
add address-pool=POOL222 interface=bridge name=DHCP222
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=192.168.131.0/24,192.168.130.0/24 endpoint-address=\
xxx.xxx.xxx.xxx endpoint-port=13231 interface=wireguardclient \
persistent-keepalive=35s public-key=\
"x"
/ip address
add address=192.168.222.1/24 interface=bridge network=192.168.222.0
add address=192.168.131.2/24 interface=wireguardclient network=192.168.131.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.222.0/24 dns-server=192.168.222.1 gateway=192.168.222.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment=\
"Acc\E8s externe au routeur avec Winbox" dst-port=6666 protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
WAN
/ip firewall service-port
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=6666
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=HAP22
Code: Select all
/interface bridge
add name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguardserveur
/interface list
add name=WAN
add name=LAN
/ip pool
add name=POOL130 ranges=192.168.130.100-192.168.130.200
/ip dhcp-server
add address-pool=POOL130 interface=bridge name=DHCP130
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=192.168.131.0/24 endpoint-address=\
interface=wireguardserveur \
persistent-keepalive=35s public-key=\
"x"
/ip address
add address=192.168.130.1/24 interface=bridge network=192.168.130.0
add address=192.168.131.1/24 interface=wireguardserveur network=192.168.131.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.130.0/24 dns-server=192.168.130.1 gateway=192.168.130.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment=\
"Acc\E8s externe au routeur avec Winbox" dst-port=6666 protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
WAN
/ip firewall service-port
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=6666
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=CCR