korg
Member Candidate
Topic Author
Posts: 141
Joined: Tue Apr 26, 2016 4:10 pm

Wireguard from MT to client (win10) with several users to several VLAN's  [SOLVED]

Mon Mar 18, 2024 3:41 pm

Hello MT community,

I am setting up a config for an MT router which is behind NAT and has multiple subnets divided into VLANs. What I need is to set up WireGuard connectivity for different users to their own subnet/VLAN. The attached config is from my EVE lab and not online.

Example

10.99.99.0/24 is mgmt subnet with vlan999
10.30.30.0/24 is camera subnet with vlan300
10.20.20.0/24 is home automation subnet with vlan200

So, now I need to set up WG connectivity to this site, which has a dynamic public IP, for different users/different VLANs.

Although I have set up this config with the help of different YT videos, I still have a few questions:

.Can I use a dyndns.com address in order to connect to the site? (The config is missing the script for dyndns.com, or I could use the cloud address.)
.In the firewall I have taken those lines from another config (172.0.. is my WG subnet and 192.168... is the subnet of.. what?). Do I need to enter all VLAN subnets here?

add action=accept chain=forward comment="fwd LAN to WG" disabled=yes dst-address=172.16.0.0/24 src-address=192.168.88.0/24
add action=accept chain=forward comment="fwd WG to LAN" disabled=yes dst-address=192.168.88.0/24 dst-address-list="" src-address=172.16.0.0/24
.Is this the right way to allow different WG users access only to their own subnet/VLAN:
/interface wireguard peers
add allowed-address=10.200.200.0/24 endpoint-address=address.dyndns.com interface=wg1 public-key="public-key1"
add allowed-address=10.30.30.0/24 endpoint-address=address.dyndns.com interface=wg1 public-key="public-key2"
add allowed-address=10.99.99.0/24 endpoint-address=address.dyndns.com interface=wg1 public-key="public-key"

My script:

# mar/18/2024 13:28:58 by RouterOS 7.9.1
# software id = 
#
/interface bridge
add ingress-filtering=no name=bridge1 pvid=999 vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1
/interface wireguard
add comment="WG connection to main site" listen-port=13299 mtu=1420 name=wg1 \
    private-key="private-key="
/interface vlan
add interface=bridge1 name=vlan100-corp vlan-id=100
add interface=bridge1 name=vlan200-guest vlan-id=200
add interface=bridge1 name=vlan300-camera vlan-id=300
add interface=bridge1 name=vlan999-mgmt vlan-id=999
/interface list
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.100.100.1-10.100.100.253
add name=dhcp_pool1 ranges=10.200.200.1-10.200.200.253
add name=dhcp_pool2 ranges=10.30.30.1-10.30.30.253
add name=dhcp_pool3 ranges=10.99.99.1-10.99.99.253
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan100-corp name=dhcp1
add address-pool=dhcp_pool1 interface=vlan200-guest name=dhcp2
add address-pool=dhcp_pool2 interface=vlan300-camera name=dhcp3
add address-pool=dhcp_pool3 interface=vlan999-mgmt name=dhcp4
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether3 pvid=200
add bridge=bridge1 interface=ether2 pvid=999
add bridge=bridge1 interface=ether4 pvid=999
add bridge=bridge1 interface=ether8 pvid=999
add bridge=bridge1 interface=ether7 pvid=200
add bridge=bridge1 interface=ether5 pvid=999
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2,ether4,ether5 vlan-ids=200
add bridge=bridge1 tagged=bridge1,ether2,ether4,ether5 vlan-ids=100
add bridge=bridge1 tagged=bridge1,ether2,ether4,ether5 vlan-ids=300
add bridge=bridge1 tagged=bridge1 untagged=ether4,ether2,ether5 vlan-ids=999
/interface list member
add interface=vlan100-corp list=LAN
add interface=vlan200-guest list=LAN
add interface=vlan300-camera list=LAN
add interface=vlan999-mgmt list=LAN
/interface wireguard peers
add allowed-address=10.200.200.0/24 endpoint-address=address.dyndns.com \
    interface=wg1 public-key="public-key1"
add allowed-address=10.30.30.0/24 endpoint-address=address.dyndns.com \
    interface=wg1 public-key="public-key2"
add allowed-address=10.99.99.0/24 endpoint-address=address.dyndns.com \
    interface=wg1 public-key="public-key"
/ip address
add address=10.0.0.20/24 interface=ether1 network=10.0.0.0
add address=10.100.100.254/24 interface=vlan100-corp network=10.100.100.0
add address=10.200.200.254/24 interface=vlan200-guest network=10.200.200.0
add address=10.30.30.254/24 interface=vlan300-camera network=10.30.30.0
add address=10.99.99.254/24 interface=vlan999-mgmt network=10.99.99.0
add address=172.16.0.1/24 interface=wg1 network=172.16.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.30.30.0/24 gateway=10.30.30.254
add address=10.99.99.0/24 gateway=10.99.99.254
add address=10.100.100.0/24 gateway=10.100.100.254
add address=10.200.200.0/24 gateway=10.200.200.254
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=10.99.99.0/24 list=LAN
add address=10.200.200.0/24 list=LAN
add address=10.30.30.0/24 list=LAN
add address=10.100.100.0/24 list=LAN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="allow wireguard" dst-port=13299 log=\
    yes log-prefix=wg protocol=udp
add action=accept chain=input comment="allow wireguard Handshake" dst-port=\
    13299 log=yes log-prefix=wg protocol=udp
add action=accept chain=input comment="allow wireguard to other networks" \
    in-interface=wg1 log=yes log-prefix=wg
add action=accept chain=forward comment="allow wireguard to LAN" \
    in-interface=wg1 out-interface-list=LAN
add action=accept chain=forward comment="allow wireguard to WAN" \
    in-interface=wg1 out-interface=ether1
add action=accept chain=forward comment=\
    "accept established,related,new,untracked" connection-state=\
    established,related,new,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=input comment="Allow ICMP ping" protocol=icmp
add action=accept chain=forward comment="fwd LAN to WG" disabled=yes \
    dst-address=172.16.0.0/24 src-address=192.168.88.0/24
add action=accept chain=forward comment="fwd WG to LAN" disabled=yes \
    dst-address=192.168.88.0/24 dst-address-list="" src-address=172.16.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat comment="masw. wireguard" out-interface=\
    ether1
/system identity
set name="Mikrotik Spine"
/system note
set show-at-login=no


Thank you for any help/info/tip/guidance!

korg
 
erlinden
Forum Guru
Posts: 1975
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Mon Mar 18, 2024 3:52 pm

Instead of using the DDNS address, you can just use the peer's IP address.
Can you make an overview (diagram) of all devices involved?
 
korg
Member Candidate
Topic Author
Posts: 141
Joined: Tue Apr 26, 2016 4:10 pm

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Mon Mar 18, 2024 4:12 pm

Hi erlinden, tx for your answer. Here is a diagram of my config.
WG-Diagram-v3.jpg
I hope I've made it understandable.

korg
Last edited by korg on Tue Mar 19, 2024 3:00 pm, edited 2 times in total.
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Mon Mar 18, 2024 4:28 pm

No...
/interface wireguard peers
add allowed-address=wireguardIP-X/32 interface=wg1 public-key="public-key1" comment=Roadwarrior1
add allowed-address=wireguardIP-Y/32 interface=wg1 public-key="public-key2" comment=Roadwarrior2
add allowed-address=wireguardIP-Z/32 interface=wg1 public-key="public-key3" comment=Roadwarrior3
add allowed-address=wireguardIP-A/32 interface=wg1 public-key="public-key4" comment=admin

/interface list member
add interface=wg1 list=LAN
/ip firewall filter
.....
add chain=input action=accept in-interface=wg1 src-address=wireguardIP-A/32
.....
add chain=forward action=accept in-interface=wg1 src-address=wireguardIP-X/32 dst-address=192.168.100.0/24 comment="RW1 to vlan100"
add chain=forward action=accept in-interface=wg1 src-address=wireguardIP-Y/32 dst-address=192.168.200.0/24 comment="RW2 to vlan200"
add chain=forward action=accept in-interface=wg1 src-address=wireguardIP-Z/32 dst-address=192.168.300.0/24 comment="RW3 to vlan300"
add chain=forward action=accept in-interface=wg1 src-address=wireguardIP-A/32 out-interface-list=LAN comment="admin access to all vlans"
.....
add chain=forward action=drop comment="drop all else"
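Why the one-host-per-peer layout above matters, shown with an added Python example that is not code from the thread: a peer's allowed-address is WireGuard's cryptokey routing entry, so it is both the inbound source filter for that peer and the selector for packets the router sends into wg1. The peer tables and the router addresses below are constructed from the configs posted in this thread; the checker flags the opening post's layout (whole VLAN subnets as allowed-address) and the two helpers show what each layout lets a peer source and which peer a tunnelled packet is encrypted to.

```python
import ipaddress

# Constructed from the "/ip address" section posted above: interface -> address/prefix
ROUTER_ADDRESSES = {
    "vlan100-corp": "10.100.100.254/24",
    "vlan200-guest": "10.200.200.254/24",
    "vlan300-camera": "10.30.30.254/24",
    "vlan999-mgmt": "10.99.99.254/24",
    "wg1": "172.16.0.1/24",
}

# Peers as in the opening post: whole VLAN subnets used as allowed-address
PEERS_ORIGINAL = [
    {"comment": "peer1", "allowed-address": "10.200.200.0/24"},
    {"comment": "peer2", "allowed-address": "10.30.30.0/24"},
    {"comment": "peer3", "allowed-address": "10.99.99.0/24"},
]

# Peers as proposed in the reply above: one host address per road warrior inside the wg1 subnet
PEERS_FIXED = [
    {"comment": "RW1", "allowed-address": "172.16.0.2/32"},
    {"comment": "RW2", "allowed-address": "172.16.0.3/32"},
    {"comment": "RW3", "allowed-address": "172.16.0.4/32"},
    {"comment": "admin RW", "allowed-address": "172.16.0.5/32"},
]


def _allowed_networks(peer):
    """allowed-address may hold a comma-separated list of prefixes."""
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in peer["allowed-address"].split(",")]


def check_peers(peers, addresses, wg_interface="wg1"):
    """Return (peer comment, problem) findings for road-warrior peers; [] means clean."""
    connected = {name: ipaddress.ip_interface(a).network for name, a in addresses.items()}
    wg_net = connected[wg_interface]
    findings, seen = [], {}
    for peer in peers:
        name = peer["comment"]
        for net in _allowed_networks(peer):
            # allowed-address is the inbound source filter: a whole VLAN subnet lets this
            # peer send packets with any address of that VLAN, and replies to a client
            # numbered inside a connected VLAN follow the connected route, not the tunnel.
            for ifname, lan in connected.items():
                if ifname != wg_interface and net.overlaps(lan):
                    findings.append((name, f"{net} overlaps {ifname} subnet {lan}"))
            # A road-warrior client should hold exactly one host address in the WG subnet.
            if not net.subnet_of(wg_net):
                findings.append((name, f"{net} is outside the {wg_interface} subnet {wg_net}"))
            elif net.prefixlen != net.max_prefixlen:
                findings.append((name, f"{net} is not a single host address"))
            # Two peers claiming the same prefix: only one of them can win the lookup.
            if net in seen:
                findings.append((name, f"{net} is already assigned to {seen[net]}"))
            seen[net] = name
    return findings


def source_accepted(peers, peer_comment, src):
    """Would a packet arriving over the tunnel from this peer with source src pass
    the cryptokey routing source check?"""
    addr = ipaddress.ip_address(src)
    peer = next(p for p in peers if p["comment"] == peer_comment)
    return any(addr in net for net in _allowed_networks(peer))


def tunnel_peer_for(peers, dst):
    """Which peer a packet that the routing table sends into wg1 is encrypted to:
    longest allowed-address match, or None (WireGuard drops it)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for peer in peers:
        for net in _allowed_networks(peer):
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (peer["comment"], net)
    return best[0] if best else None
```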
 
korg
Member Candidate
Topic Author
Posts: 141
Joined: Tue Apr 26, 2016 4:10 pm

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Mon Mar 18, 2024 6:22 pm

tx anav... I've edited my script based on your tips and now it looks like this:

# mar/18/2024 16:34:44 by RouterOS 7.9.1
# software id = 
#
/interface bridge
add ingress-filtering=no name=bridge1 pvid=999 vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1
/interface wireguard
add comment="WG connection to main site" listen-port=13299 mtu=1420 name=wg1 \
    private-key="private-key"
/interface vlan
add interface=bridge1 name=vlan100-corp vlan-id=100
add interface=bridge1 name=vlan200-guest vlan-id=200
add interface=bridge1 name=vlan300-camera vlan-id=300
add interface=bridge1 name=vlan999-mgmt vlan-id=999
/interface list
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.100.100.1-10.100.100.253
add name=dhcp_pool1 ranges=10.200.200.1-10.200.200.253
add name=dhcp_pool2 ranges=10.30.30.1-10.30.30.253
add name=dhcp_pool3 ranges=10.99.99.1-10.99.99.253
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan100-corp name=dhcp1
add address-pool=dhcp_pool1 interface=vlan200-guest name=dhcp2
add address-pool=dhcp_pool2 interface=vlan300-camera name=dhcp3
add address-pool=dhcp_pool3 interface=vlan999-mgmt name=dhcp4
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether3 pvid=200
add bridge=bridge1 interface=ether2 pvid=999
add bridge=bridge1 interface=ether4 pvid=999
add bridge=bridge1 interface=ether8 pvid=999
add bridge=bridge1 interface=ether7 pvid=200
add bridge=bridge1 interface=ether5 pvid=999
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2,ether4,ether5 vlan-ids=200
add bridge=bridge1 tagged=bridge1,ether2,ether4,ether5 vlan-ids=100
add bridge=bridge1 tagged=bridge1,ether2,ether4,ether5 vlan-ids=300
add bridge=bridge1 tagged=bridge1 untagged=ether4,ether2,ether5 vlan-ids=999
/interface list member
add interface=vlan100-corp list=LAN
add interface=vlan200-guest list=LAN
add interface=vlan300-camera list=LAN
add interface=vlan999-mgmt list=LAN
add interface=wg1 list=LAN
/interface wireguard peers
add allowed-address=10.200.200.100/32 comment=Roadwarrior1 interface=wg1 \
    public-key="public-key1"
add allowed-address=10.30.30.100/32 comment=Roadwarrior2 interface=wg1 \
    public-key="public-key2"
add allowed-address=10.99.99.0/24 comment="Roadwarrior admin" interface=wg1 \
    public-key="public-key3"
/ip address
add address=10.0.0.20/24 interface=ether1 network=10.0.0.0
add address=10.100.100.254/24 interface=vlan100-corp network=10.100.100.0
add address=10.200.200.254/24 interface=vlan200-guest network=10.200.200.0
add address=10.30.30.254/24 interface=vlan300-camera network=10.30.30.0
add address=10.99.99.254/24 interface=vlan999-mgmt network=10.99.99.0
add address=172.16.0.1/24 interface=wg1 network=172.16.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.30.30.0/24 gateway=10.30.30.254
add address=10.99.99.0/24 gateway=10.99.99.254
add address=10.100.100.0/24 gateway=10.100.100.254
add address=10.200.200.0/24 gateway=10.200.200.254
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=10.99.99.0/24 list=LAN
add address=10.200.200.0/24 list=LAN
add address=10.30.30.0/24 list=LAN
add address=10.100.100.0/24 list=LAN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="Allow ICMP ping" protocol=icmp
add action=accept chain=input comment=\
    "Allow DHCP,DNS, NTP from internal networks only" dst-port=123,53,67,68 \
    in-interface=!ether1 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="allow wireguard" dst-port=13299 log=\
    yes log-prefix=wg protocol=udp
add action=accept chain=input comment="allow wireguard Handshake" dst-port=\
    13299 log=yes log-prefix=wg protocol=udp
add action=accept chain=input comment="RW1 to vlan300" in-interface=wg1 \
    src-address=10.30.30.100
add action=accept chain=input comment="RW2 to vlan200" in-interface=wg1 \
    src-address=10.200.200.100
add action=accept chain=input comment="RW3 to vlan999 mgmt" in-interface=wg1 \
    src-address=10.99.99.0/24
add action=accept chain=input comment="allow wireguard to other networks" \
    in-interface=wg1 log=yes log-prefix=wg
add action=drop chain=input comment="drop everything else"
add action=accept chain=forward comment=\
    "accept established,related,new,untracked" connection-state=\
    established,related,new,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment=\
    "Allow internet from PPPoE to the local network" in-interface-list=LAN \
    out-interface=ether1
add action=accept chain=forward comment="RW1 to vlan200" dst-address=\
    10.200.200.0/24 in-interface=wg1 src-address=10.200.200.100
add action=accept chain=forward comment="RW2 to vlan300" dst-address=\
    10.30.30.0/24 in-interface=wg1 src-address=10.30.30.100
add action=accept chain=forward comment="RW3 to vlan100" dst-address=\
    10.100.100.0/24 in-interface=wg1 src-address=10.100.100.100
add action=accept chain=forward comment="admin access to all vlans" \
    dst-address=10.99.99.0/24 in-interface=wg1 out-interface-list=LAN \
    src-address=10.99.99.254
add action=drop chain=forward comment="drop everything else"
add action=fasttrack-connection chain=forward hw-offload=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat comment="masw. wireguard" out-interface=\
    ether1
/system identity
set name="Mikrotik Spine"
/system note
set show-at-login=no


again... several questions:

.This is now set up for 'one user - one VLAN'. In the case that one company, which supports for example 'smart house and electricity', has devices on two VLANs, how can I set up the connectivity (both in fw and wg) so the wg connection can handle two VLANs?
.In the wg peers I have deleted the endpoint:
/interface wireguard peers
add allowed-address=10.200.200.100/32 comment=Roadwarrior1 interface=wg1 public-key="public-key1"

Where do I define which public IP/cloud address I should connect to?
.Is this correct? Should both interfaces be masqueraded?
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat comment="masw. wireguard" out-interface=wg1
.If the device on vlan200 that I need to connect to has IP address 10.200.200.10, is this the correct setup in the fw?
add action=accept chain=forward comment="RW1 to vlan200" dst-address=10.200.200.0/24 in-interface=wg1 src-address=10.200.200.100
tx
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Mon Mar 18, 2024 7:28 pm

NM................

There are bigger issues to solve first.

1. WHAT THE HECK is your WAN.
You state: I am setting up a config for an MT router which is behind NAT

a. You have a static WAN IP set up for ether1 which bears no resemblance to any of the VLANs. The static IP makes sense but not the subnet??
b. VLAN999 is your management VLAN from which the MT router should get its IP address!!
c. You have IP DHCP enabled which is in direct opposition to a. ??
d. You have PPPOE client enabled in direct contrast to both a. and c. ??

Please CLARIFY!!!

Also, you get mixed up in your config.
Keep RW1 as user 1, RW2 as user 2, RW3 as user 3, and RW ADMIN will be user 4.

Finally, one thing I struggled with was to understand your bridge ports ............ are they trunk, access or hybrid ports?
In other words, what the heck is on the end of ether2, ether3, ether4, ether5, ether6 ( don't care much about 8 and up but I like details !!! )
If to smart devices they need to be trunk ports
If to unifi smart devices not reconfigured to act normally but as default ( accept management as untagged and rest tagged ) then they are HYBRID ports
If to dumb devices that cannot read tags they need to be access ports.

Please CLARIFY!
 
korg
Member Candidate
Topic Author
Posts: 141
Joined: Tue Apr 26, 2016 4:10 pm

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Tue Mar 19, 2024 12:15 pm

Hi anav,

so here is the clarification.

I've updated the diagram a post above with more information, so pls check the new diagram picture.

.The MikroTik router is connected as a dhcp-client on the ether1 port to a 5G router provided by the internet provider, and its public IP address is dynamic
.vlan999 is my mgmt subnet given by the MikroTik
.I have dhcp-client enabled towards the internet router
.Pls ignore the pppoe connection as the config is taken from my eve-ng lab. There will be no pppoe connectivity, only the ether1 dhcp-client

At the end of ether2, 3, 4 will be devices like.. vlan100 PCs, vlan200 camera surveillance, vlan300 smart home. There will be vlan400, 500 for other devices and services like DALI light control and so on. The VLAN connectivity is already up and running correctly.

korg
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Tue Mar 19, 2024 1:30 pm

Well, if it's working for you, great.
It's not apparent to me how you send two VLANs through an access port to dumb devices...........
The diagram does not show smart switches accepting the VLANs, so either the diagram is correct and the config is wrong, or the diagram is incorrect and the config is okay.
 
korg
Member Candidate
Topic Author
Posts: 141
Joined: Tue Apr 26, 2016 4:10 pm

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Tue Mar 19, 2024 2:59 pm

Hi,

I've updated the diagram again.

So, back to the initial question: is this (within the code) the correct way to set up a WireGuard config for multiple users, each accessing only the VLAN they are supposed to access, with the connection behind NAT?

.Where do I specify, or rather what would be, the public address for the users to connect to? The cloud DNS address?

tx

korg
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Tue Mar 19, 2024 5:48 pm

In general, one allows traffic to go from client devices to the router server ( once a connection is established it's peer to peer, really good for two routers, not so significant for a single device........)
Therefore it's at the router where you want to use firewall rules in the forward chain to state which subnets each RW should have access to.

A blanket rule if all users are allowed to all vlans
More specific rules to allow certain users to certain vlans.
Last rule being drop all else --> easy peasy and then all other traffic not allowed is auto dropped.

Finally the diagram is starting to make sense LOL.
Will relook at the config.

1. Remove pvid on actual bridge itself.
2. Add interface list of WAN
3. Since you fail to note which ports are going to your two switches I will assume it's this way.
ETHER1 to ISP
ETHER2 to switch Building1
ETHER3 to dumb device expecting untagged vlan300
ETHER4 to switch Building2
ETHER5 to dumb PC on corporate LAN
ETHER6 to dumb PC on management VLAN
ETHER7 NOT USED
ETHER8 OFF bridge to configure the router and emerg access if problems with bridge.
4. Wireguard comment is weird, what do you mean to main site ????
5. Removed address for ether1 as this is handled by ip dhcp client. One or the other, not both!!
6. A firewall address list for subnets is useless; for two or more subnets use interface lists, for subnets use src- or dst-address.
( A good use for a firewall address list is for those allowed to access the router for config purposes. I have added that to the config. )
7. Removed pptp from input chain, old insecure VPN method......... I won't put it in any config I present.
8. Duplicate rules for wg handshake, removed one, and cleaned up access to router for services and config access.
9. Missing fasttrack default rule in forward chain.
10. Fixed forward chain rules.
11. Only single masquerade rule required.
12. pppoe removed.
13. other additions review each line.
................
# mar/18/2024 13:28:58 by RouterOS 7.9.1
# software id = 
#
/interface bridge
add ingress-filtering=no name=bridge1  vlan-filtering=yes
/interface wireguard
add comment="Wireguard Access for RWs"  listen-port=13299 mtu=1420 name=wg1 \
    private-key="private-key="
/interface ethernet
set [ find default-name=ether8 ] name=ether8-access
/interface vlan
add interface=bridge1 name=vlan100-corp vlan-id=100
add interface=bridge1 name=vlan200-guest vlan-id=200
add interface=bridge1 name=vlan300-camera vlan-id=300
add interface=bridge1 name=vlan999-mgmt vlan-id=999
/interface list
add name=LAN
add name=WAN
add name=MGMT
/ip pool
add name=dhcp_pool0 ranges=10.100.100.1-10.100.100.253
add name=dhcp_pool1 ranges=10.200.200.1-10.200.200.253
add name=dhcp_pool2 ranges=10.30.30.1-10.30.30.253
add name=dhcp_pool3 ranges=10.99.99.1-10.99.99.253
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan100-corp name=dhcp1
add address-pool=dhcp_pool1 interface=vlan200-guest name=dhcp2
add address-pool=dhcp_pool2 interface=vlan300-camera name=dhcp3
add address-pool=dhcp_pool3 interface=vlan999-mgmt name=dhcp4
/interface bridge port
add bridge=bridge1  ingress-filtering=yes frame-types=admit-only-tagged-vlans  interface=ether2
add bridge=bridge1  ingress-filtering=yes frame-types=admit-only-priority-and-untagged  interface=ether3 pvid=300
add bridge=bridge1  ingress-filtering=yes frame-types=admit-only-tagged-vlans  interface=ether4
add bridge=bridge1  ingress-filtering=yes frame-types=admit-only-priority-and-untagged  interface=ether5 pvid=100
add bridge=bridge1  ingress-filtering=yes frame-types=admit-only-priority-and-untagged  interface=ether6 pvid=999
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2,ether4  untagged=ether5 vlan-ids=100
add bridge=bridge1 tagged=bridge1,ether2,ether4  vlan-ids=200
add bridge=bridge1 tagged=bridge1  untagged=ether3  vlan-ids=300
add bridge=bridge1 tagged=bridge1,ether2,ether4  untagged=ether6  vlan-ids=999
/interface list member
add interface=ether1  list=WAN
add interface=vlan100-corp list=LAN
add interface=vlan200-guest list=LAN
add interface=vlan300-camera list=LAN
add interface=vlan999-mgmt list=LAN
add interface=wg1 list=LAN
add interface=vlan999-mgmt list=MGMT
add interface=ether8-access  list=MGMT
/interface wireguard peers
add allowed-address=172.16.0.2/32 interface=wg1 public-key="public-key1"  comment="RW1"
add allowed-address=172.16.0.3/32 interface=wg1 public-key="public-key2"  comment="RW2"
add allowed-address=172.16.0.4/32 interface=wg1 public-key="public-key3"  comment="RW3"
add allowed-address=172.16.0.5/32 interface=wg1 public-key="public-key4"  comment="admin RW"
/ip address
add address=10.100.100.254/24 interface=vlan100-corp network=10.100.100.0
add address=10.200.200.254/24 interface=vlan200-guest network=10.200.200.0
add address=10.30.30.254/24 interface=vlan300-camera network=10.30.30.0
add address=10.99.99.254/24 interface=vlan999-mgmt network=10.99.99.0
add address=172.16.0.1/24 interface=wg1 network=172.16.0.0
add address=192.168.55.1/24 interface=ether8-access network=192.168.55.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.30.30.0/24 gateway=10.30.30.254
add address=10.99.99.0/24 gateway=10.99.99.254
add address=10.100.100.0/24 gateway=10.100.100.254
add address=10.200.200.0/24 gateway=10.200.200.254
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall address-list
add address=172.16.0.5/32 list=Authorized  comment="admin RW"
add address=10.99.99.X  list=Authorized comment="admin wired or wifi #1"
add address=10.99.99.X  list=Authorized comment="admin wired or wifi #2"
add address=192.168.55.5 list=Authorized comment="admin via emerg access"
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="wireguard handshake" dst-port=13299 log=\
    yes log-prefix=wg protocol=udp
add action=accept chain=input comment="admin only access"  src-address-list=Authorized
add action=accept chain=input comment="users to DNS"  dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="users to DNS"  dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="Drop all else"
# put in last; ensure the Authorized list and rule are in place!!
++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes 
add action=accept chain=forward  connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet access"  in-interface-list=LAN  out-interface-list=WAN
add action=accept chain=forward comment="admin vlan access"  src-address-list=Authorized  out-interface-list=LAN
add action=accept chain=forward comment="User1-RW1 vlan100 access"  dst-address=10.100.100.0/24 in-interface=wg1 src-address=172.16.0.2/32
add action=accept chain=forward comment="User2-RW2 vlan200 access"  dst-address=10.200.200.0/24 in-interface=wg1 src-address=172.16.0.3/32
add action=accept chain=forward comment="User3-RW3 vlan300 access"  dst-address=10.30.30.0/24 in-interface=wg1 src-address=172.16.0.4/32
add action=accept chain=forward comment="port forwarding"  connection-nat-state=dstnat  disabled=yes
# enable if required
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.1  routing-table=main disabled=yes
# only required if you do NOT have add-default-route=yes in the IP DHCP client settings
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
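To see how the forward chain above behaves under first-match evaluation, here is an added Python model of those rules (not the thread's own code), with the LAN/WAN interface lists and the Authorized address list constructed to match the config. The `blanket_accepts_new` switch reproduces the connection-state=new slip that appears in the earlier configs in this thread and shows that it short-circuits every per-user rule; the "state rule" comment is a constructed label, not from the config.

```python
import ipaddress

# Constructed to mirror the interface lists and the Authorized address list in the config above
INTERFACE_LISTS = {
    "LAN": {"vlan100-corp", "vlan200-guest", "vlan300-camera", "vlan999-mgmt", "wg1"},
    "WAN": {"ether1"},
}
ADDRESS_LISTS = {"Authorized": ["172.16.0.5/32", "192.168.55.5/32"]}


def forward_rules(blanket_accepts_new=False):
    """Forward chain modelled on the config above, in order. With blanket_accepts_new=True
    the state rule also accepts connection-state=new, the slip seen in the earlier configs."""
    states = "established,related,untracked" + (",new" if blanket_accepts_new else "")
    return [
        {"action": "fasttrack-connection", "connection-state": "established,related"},
        {"action": "accept", "connection-state": states, "comment": "state rule"},
        {"action": "drop", "connection-state": "invalid"},
        {"action": "accept", "in-interface-list": "LAN", "out-interface-list": "WAN",
         "comment": "internet access"},
        {"action": "accept", "src-address-list": "Authorized", "out-interface-list": "LAN",
         "comment": "admin vlan access"},
        {"action": "accept", "in-interface": "wg1", "src-address": "172.16.0.2/32",
         "dst-address": "10.100.100.0/24", "comment": "User1-RW1 vlan100 access"},
        {"action": "accept", "in-interface": "wg1", "src-address": "172.16.0.3/32",
         "dst-address": "10.200.200.0/24", "comment": "User2-RW2 vlan200 access"},
        {"action": "accept", "in-interface": "wg1", "src-address": "172.16.0.4/32",
         "dst-address": "10.30.30.0/24", "comment": "User3-RW3 vlan300 access"},
        {"action": "drop", "comment": "Drop all else"},
    ]


def _in_prefixes(addr, prefixes):
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(p, strict=False) for p in prefixes)


def rule_matches(rule, pkt):
    """Every matcher present on the rule must hold; absent matchers match anything."""
    checks = [
        ("connection-state", lambda v: pkt["state"] in v.split(",")),
        ("in-interface", lambda v: pkt["in"] == v),
        ("in-interface-list", lambda v: pkt["in"] in INTERFACE_LISTS[v]),
        ("out-interface-list", lambda v: pkt["out"] in INTERFACE_LISTS[v]),
        ("src-address", lambda v: _in_prefixes(pkt["src"], [v])),
        ("dst-address", lambda v: _in_prefixes(pkt["dst"], [v])),
        ("src-address-list", lambda v: _in_prefixes(pkt["src"], ADDRESS_LISTS[v])),
    ]
    return all(test(rule[key]) for key, test in checks if key in rule)


def verdict(rules, pkt):
    """First terminating match decides; fasttrack-connection only marks and passes through.
    Falling off the end of a chain accepts, as RouterOS does."""
    for rule in rules:
        if rule_matches(rule, pkt):
            if rule["action"] in ("fasttrack-connection", "passthrough"):
                continue
            return rule["action"], rule.get("comment", "")
    return "accept", "end of chain"


def new_packet(in_if, out_if, src, dst):
    """First packet of a connection, as conntrack would classify it."""
    return {"in": in_if, "out": out_if, "src": src, "dst": dst, "state": "new"}


def access_matrix(rules, wg_clients, vlans):
    """Which road warrior (wg1 address) reaches which VLAN (out interface, host address)."""
    return {client: {name: verdict(rules, new_packet("wg1", iface, client, host))[0]
                     for name, (iface, host) in vlans.items()}
            for client in wg_clients}
```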
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Tue Mar 19, 2024 6:42 pm

Each RW should have a setup such that
you have
client device generated public key, ==>>>> this gets inserted onto the router in the router's peer settings for the specific RW device
IP address ---> as we assigned in the peers settings on the router
allowed addresses.......
a. if the user also requires internet access then they should put 0.0.0.0 and nothing else for addresses as this covers ALL addresses.
otherwise if to specific subnet
b. 172.16.0.0/24,SUBNET1,SUBNET2 ( etc all the remote subnets they need to visit )

Allowed IPs at peer devices should also contain endpoint-address, endpoint port, public Key generated by MT router, persistent-keep-alive set to ..........25-45s
 
korg
Member Candidate
Topic Author
Posts: 141
Joined: Tue Apr 26, 2016 4:10 pm

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Tue Mar 19, 2024 10:15 pm

anav.. many many thanks for your help!

still.. i have few questions regarding your description..

1.'Each RW should have a setup such that you have...' means what?
2.'IP address ---> as we assigned in the peers settings on the router....' I don't see the public dyndns address (as I will not have a static one) with which I will connect to the MT from 'outside'
3.'if the user also requires internet access then they should put 0.0.0.0 and nothing else for addresses as this covers ALL addresses.
otherwise if to specific subnet'.... Where should I enter 0.0.0.0/0? The users will still need to have internet... something like here?
/interface wireguard peers
add allowed-address=0.0.0.0/0
4.'Allowed IPs at peer devices should also contain endpoint-address, endpoint port, public Key generated by MT router, persistent-keep-alive set to ..........25-45s' .. you mean endpoint address should be the IP address of the device they need to access?

tx

korg
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Tue Mar 19, 2024 11:57 pm


1.'Each RW should have a setup such that you have...' means what?

All the devices that are peers ( clients for handshake require basically the same setup )
they need endpoint address, endpoint port, public key of MAIN Router, persistent-keep alive.
As for allowed IPs, depends what the needs are ......as discussed.


2.'IP address ---> as we assigned in the peers settings on the router....' i dont see the public dyndns address (as i will not have a static one) with which i will connect to the MT from 'outside'
I was stating here that the IP address you set on the single devices ( client for handshake, should be within the wireguard subnet described on the router ) as you can see I gave ( on the router config ) a separate wireguard IP for each RW; this is the same IP you put on the client device for its wireguard IP.

3.'if the user also requires internet access then they should put 0.0.0.0 and nothing else for addresses as this covers ALL addresses.
otherwise if to specific subnet'.... where should i enter 0.0.0.0/0? The users will still need to have internet... something like here?
/interface wireguard peers
add allowed-address=0.0.0.0/0


YES, if the roadwarrior needs access to internet then put 0.0.0.0/0 that automatically includes all subnets ( hence why we put fw rules on the receiving end of wg traffic if needed )


4.'Allowed IPs at peer devices should also contain endpoint-address, endpoint port, public Key generated by MT router, persistent-keep-alive set to ..........25-45s' .. you mean endpoint address should be the IP address of the device they need to access?

ENDPOINT address is the
a. the publicly reachable IP address of the MT router (acting as server for handshake ) you can use your IP Cloud address if you so desire.
b. could be the reachable IP of the Router upstream from teh MT router (again IP cloud will work), and one needs to port forward the wireguard port to the LAN address of the MT router in this setup.
 
korg
Member Candidate
Member Candidate
Topic Author
Posts: 141
Joined: Tue Apr 26, 2016 4:10 pm

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Wed Mar 20, 2024 10:40 pm

anav... great help, great learning process! Many thanks!

I have something not from my lab but from 'real life' which I would like to ask you about. I have a CRS354 (in the script there are only 24 ports, not 48, as EVE is not allowing me to have a 48-port device) which does everything in the attached diagram. As a first step, I have added a CRS112 which has a trunk port from/to the CRS354 and is 'extending' the network to another part of the customer's building.
Now, I have tested the CRS354 (surely, within the EVE lab) and all ports on the CRS354 are doing as they should: every port is getting the correct IP subnet. The CRS112 is connected to the CRS354 and is getting the mgmt network (and the correct vlan999 IP address on ports 2, 3 and 4 - AP1, AP2, AP3) but I don't get the VLANs on particular ethernet ports (ether5, ether6, ether7 - everything can be seen in the diagram). Could you please take a look at my scripts (both CRS354-Spine and CRS112-Leaf1) as I can not find the logical error with the VLAN transport. In the diagram there is also another CRS326 which exists in reality, but for now I will skip its config as it should do 'almost the same as the CRS112'. Also, have I set up the WG RWs in the correct manner on the CRS354?

I am thanking you in advance for your time and effort :)

the diagram
WG-CRS354-CRS112-v1.jpg
CRS354 Spine Config

# mar/20/2024 20:26:39 by RouterOS 7.9.1
# software id = 
#
/interface bridge
add ingress-filtering=no name=bridge-main pvid=999 vlan-filtering=yes
/interface wireguard
add comment="Wireguard for RW's" listen-port=13299 mtu=1420 name=wireguard1 \
    private-key="lalalalala"
/interface vlan
add interface=bridge-main name=vlan100-corp vlan-id=100
add interface=bridge-main name=vlan200-guests vlan-id=200
add interface=bridge-main name=vlan300-cameras vlan-id=300
add interface=bridge-main name=vlan500-dali vlan-id=500
add interface=bridge-main name=vlan600-IoT1 vlan-id=600
add interface=bridge-main name=vlan700-POS vlan-id=700
add interface=bridge-main name=vlan800-IoT2 vlan-id=800
add interface=bridge-main name=vlan999-mgmt vlan-id=999
/interface list
add name=LAN
add name=Authorized
add name=WAN
add name=mgmt
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp-vlan100 ranges=10.10.100.100-10.10.100.200
add name=dhcp-vlan200 ranges=10.20.100.1-10.20.100.250
add name=dhcp-vlan300 ranges=10.30.100.100-10.30.100.150
add name=dhcp-vlan500 ranges=10.50.100.100-10.50.100.150
add name=dhcp-vlan600 ranges=10.60.100.100-10.60.100.150
add name=dhcp-vlan700 ranges=10.70.100.100-10.70.100.150
add name=dhcp-vlan800 ranges=10.80.100.100-10.80.100.150
add name=dhcp-vlan999 ranges=10.99.99.50-10.99.99.200
/ip dhcp-server
add address-pool=dhcp-vlan100 interface=vlan100-corp lease-time=4h name=\
    dhcp-corp
add address-pool=dhcp-vlan200 interface=vlan200-guests name=dhcp-guests
add address-pool=dhcp-vlan300 interface=vlan300-cameras lease-time=8h30m \
    name=dhcp-cameras
add address-pool=dhcp-vlan500 interface=vlan500-dali lease-time=8h name=\
    dhcp-dali
add address-pool=dhcp-vlan600 interface=vlan600-IoT1 lease-time=8h name=\
    dhcp-IoT1
add address-pool=dhcp-vlan700 interface=vlan700-POS lease-time=8h name=\
    dhcp-POS
add address-pool=dhcp-vlan800 interface=vlan800-IoT2 lease-time=8h name=\
    dhcp-IoT2
add address-pool=dhcp-vlan999 interface=vlan999-mgmt lease-time=8h name=\
    dhcp-mgmt
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-main comment=Corp-vlan100 frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=100
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=200
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=200
add bridge=bridge-main comment="AP's-vlan999" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether6 pvid=999
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether7 pvid=999
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8 pvid=999
add bridge=bridge-main comment="Camera's vlan300" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether9 pvid=300
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether10 pvid=300
add bridge=bridge-main comment=Dali-vlan500 frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether11 pvid=500
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether12 pvid=500
add bridge=bridge-main comment=IpT1-vlan600 frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether13 pvid=600
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether14 pvid=600
add bridge=bridge-main comment=POS frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether15 pvid=700
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether16 pvid=700
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether17 pvid=700
add bridge=bridge-main comment=IoT2-vlan800 frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether18 pvid=800
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether19 pvid=800
add bridge=bridge-main comment="Trunk Connection to CRS326" \
    ingress-filtering=no interface=ether20 pvid=999
add bridge=bridge-main comment="Trunk Connection to CRS112" \
    ingress-filtering=no interface=ether21 pvid=999
add bridge=bridge-main comment="Spare trunk port" interface=ether22
add bridge=bridge-main comment="mgmt port" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether24 pvid=999
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge-main tagged=bridge-main vlan-ids=100
add bridge=bridge-main tagged=\
    bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=200
add bridge=bridge-main tagged=bridge-main untagged=\
    ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=999
add bridge=bridge-main tagged=\
    bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=300
add bridge=bridge-main tagged=\
    bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=500
add bridge=bridge-main tagged=\
    bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=600
add bridge=bridge-main tagged=\
    bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=700
add bridge=bridge-main tagged=bridge-main vlan-ids=800
/interface list member
add interface=ether1 list=WAN
add interface=vlan100-corp list=LAN
add interface=vlan300-cameras list=LAN
add interface=vlan200-guests list=LAN
add interface=vlan500-dali list=LAN
add interface=vlan600-IoT1 list=LAN
add interface=vlan700-POS list=LAN
add interface=vlan800-IoT2 list=LAN
add interface=vlan999-mgmt list=mgmt
add interface=ether22 list=mgmt
/interface wireguard peers
add allowed-address=172.16.0.2/32 comment="RW1 - vlan300" interface=\
    wireguard1 public-key="lalalala"
add allowed-address=172.16.0.3/32 comment="RW2 - 600" interface=wireguard1 \
    public-key="lalalala"
add allowed-address=172.16.0.4/32 comment="RW3 - vlan700" interface=\
    wireguard1 public-key="lalalala"
add allowed-address=172.16.0.5/32 comment="admin RW - vlan999" interface=\
    wireguard1 public-key="lalalala"
/ip address
add address=10.10.100.254/24 interface=vlan100-corp network=10.10.100.0
add address=10.20.100.254/24 interface=vlan200-guests network=10.20.100.0
add address=10.30.100.254/24 interface=vlan300-cameras network=10.30.100.0
add address=10.50.100.254/24 interface=vlan500-dali network=10.50.100.0
add address=10.60.100.254/24 interface=vlan600-IoT1 network=10.60.100.0
add address=10.70.100.254/24 interface=vlan700-POS network=10.70.100.0
add address=10.80.100.254/24 interface=vlan800-IoT2 network=10.80.100.0
add address=10.99.99.254/24 interface=vlan999-mgmt network=10.99.99.0
add address=192.168.55.5/24 comment="spare mgmt port" interface=ether22 \
    network=192.168.55.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.10.100.0/24 dns-server=10.10.100.254 gateway=10.10.100.254
add address=10.20.100.0/24 dns-server=10.20.100.254 gateway=10.20.100.254
add address=10.30.100.0/24 dns-server=10.30.100.254 gateway=10.30.100.254
add address=10.50.100.0/24 dns-server=10.50.100.254 gateway=10.50.100.254
add address=10.60.100.0/24 dns-server=10.60.100.254 gateway=10.60.100.254
add address=10.70.100.0/24 dns-server=10.70.100.254 gateway=10.70.100.254
add address=10.80.100.0/24 dns-server=10.80.100.254 gateway=10.80.100.254
add address=10.99.99.0/24 dns-server=10.99.99.254 gateway=10.99.99.254
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=172.16.0.200 comment="admin RW" list=Authorized
add address=192.168.55.5 comment="admin via emergence access" list=Authorized
add address=10.99.99.0/24 comment="allow to mgmt network" list=Authorized
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="wireguard handshake" dst-port=13299 \
    log=yes log-prefix=wg protocol=udp
add action=accept chain=input comment="admin only access" src-address-list=\
    Authorized
add action=accept chain=input comment="users to DNS" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to DNS" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=\
    established,related,new,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet access" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="admin vlan access" \
    out-interface-list=LAN src-address-list=Authorized
add action=accept chain=forward comment="User1-RW1 vlan300 access" \
    dst-address=10.30.100.100 in-interface=wireguard1 src-address=172.16.0.2
add action=accept chain=forward comment="User2-RW2 vlan600 access" \
    dst-address=10.60.100.100 in-interface=wireguard1 src-address=172.16.0.3
add action=accept chain=forward comment="User3-RW3 vlan700 access" \
    dst-address=10.70.100.100 in-interface=wireguard1 src-address=172.16.0.4
add action=accept chain=forward comment="User4-RW4 vlan999 access" \
    dst-address=10.99.99.0/24 in-interface=wireguard1 src-address=172.16.0.5
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add disabled=yes dst-address=0.0.0.0/0 gateway=10.0.0.1 routing-table=main
/system note
set show-at-login=no

CRS112-Leaf1 config
# mar/20/2024 20:26:56 by RouterOS 7.9.1
# software id = 
#
/interface bridge
add ingress-filtering=no name=bridge-leaf1-112 pvid=999 vlan-filtering=yes
/interface vlan
add interface=bridge-leaf1-112 name=vlan100-corp vlan-id=100
add interface=bridge-leaf1-112 name=vlan200-guests vlan-id=200
add interface=bridge-leaf1-112 name=vlan300-cameras vlan-id=300
add interface=bridge-leaf1-112 name=vlan500-dali vlan-id=500
add interface=bridge-leaf1-112 name=vlan600-IoT1 vlan-id=600
add interface=bridge-leaf1-112 name=vlan700-POS vlan-id=700
add interface=bridge-leaf1-112 name=vlan800-IoT2 vlan-id=800
add interface=bridge-leaf1-112 name=vlan999-mgmt vlan-id=999
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-leaf1-112 ingress-filtering=no interface=ether1 pvid=999
add bridge=bridge-leaf1-112 ingress-filtering=no interface=ether2 pvid=999
add bridge=bridge-leaf1-112 ingress-filtering=no interface=ether3 pvid=999
add bridge=bridge-leaf1-112 ingress-filtering=no interface=ether4 pvid=999
add bridge=bridge-leaf1-112 ingress-filtering=no interface=ether5 pvid=100
add bridge=bridge-leaf1-112 ingress-filtering=no interface=ether6 pvid=200
add bridge=bridge-leaf1-112 ingress-filtering=no interface=ether7 pvid=700
/interface bridge vlan
add bridge=bridge-leaf1-112 tagged=ether1 untagged=bridge-leaf1-112 vlan-ids=\
    100
add bridge=bridge-leaf1-112 tagged=ether1 untagged=bridge-leaf1-112 vlan-ids=\
    200
add bridge=bridge-leaf1-112 tagged=ether1 untagged=bridge-leaf1-112 vlan-ids=\
    300
add bridge=bridge-leaf1-112 tagged=ether1 untagged=bridge-leaf1-112 vlan-ids=\
    500
add bridge=bridge-leaf1-112 tagged=ether1 untagged=bridge-leaf1-112 vlan-ids=\
    600
add bridge=bridge-leaf1-112 tagged=ether1 untagged=bridge-leaf1-112 vlan-ids=\
    700
add bridge=bridge-leaf1-112 vlan-ids=999
/ip dhcp-client
add interface=bridge-leaf1-112
/system identity
set name=Mikrotik-Leaf1-CRS112
/system note
set show-at-login=no

Thank you

korg
 
anav
Forum Guru
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Wed Mar 20, 2024 11:08 pm

The CRS112 has to be programmed differently......................
There are probably videos on it to be found.....
Also the MT docs should discuss - https://help.mikrotik.com/docs/pages/vi ... =103841836

CRS1xx VLAN Example
###############################################################################
# Recommended reading
# https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching
#
# Notes: Start with a reset (/system reset-configuration)
#
# Based on: https://forum.mikrotik.com/viewtopic.php?t=143620
###############################################################################

#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="CRS1xx_Switch"

#######################################
# VLAN Overview
#######################################

# 10 = BLUE
# 20 = GREEN
# 30 = RED
# 99 = BASE (MGMT) VLAN

#######################################
# Bridge
#######################################

# create one bridge
/interface bridge add name=BR1 protocol-mode=none

# add "all" ports to this one bridge
/interface bridge port
add bridge=BR1 interface=ether1
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether4
# and so on until you get to 24 ...

#######################################
# -- Access Ports --
#######################################

# ingress behavior, egress dynamically handled
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=ether2
add customer-vid=0 new-customer-vid=20 ports=ether3
add customer-vid=0 new-customer-vid=30 ports=ether4

#######################################
# -- Trunk Ports --
#######################################

# ingress behavior
# L2 switching only, Bridge (aka switch1-cpu) not needed as tagged member (except for BASE_VLAN)
/interface ethernet switch vlan
add ports=ether1,ether2 vlan-id=10
add ports=ether1,ether3 vlan-id=20
add ports=ether1,ether4 vlan-id=30
add ports=switch1-cpu,ether1 vlan-id=99

# egress behavior
# L2 switching only, Bridge (aka switch1-cpu) not needed as tagged member (except for BASE_VLAN)
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1 vlan-id=10
add tagged-ports=ether1 vlan-id=20
add tagged-ports=ether1 vlan-id=30
add tagged-ports=switch1-cpu,ether1 vlan-id=99

#######################################
# VLAN Security
#######################################

# drop traffic that does not follow the above port layout
/interface ethernet switch set forward-unknown-vlan=no


#######################################
# IP Addressing & Routing
#######################################

# LAN facing Switch's IP address on a BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.2/24 interface=BASE_VLAN network=192.168.0.0

# The Router's IP this switch will use
/ip route add distance=1 gateway=192.168.0.1

#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/interface list add name=BASE
/interface list member add interface=BASE_VLAN list=BASE
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE

........................................
 
korg
Member Candidate
Member Candidate
Topic Author
Posts: 141
Joined: Tue Apr 26, 2016 4:10 pm

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Wed Mar 20, 2024 11:22 pm

Ok, so you think, if I do 'the same config' on the CRS326 with the existing config of the CRS112, it should work? As I have never worked with the switch chip before...
 
korg
Member Candidate
Member Candidate
Topic Author
Posts: 141
Joined: Tue Apr 26, 2016 4:10 pm

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Wed Mar 20, 2024 11:27 pm

Is it too much to help me out on that config for CRS112?
 
anav
Forum Guru
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Thu Mar 21, 2024 2:40 am

Sorry I have no experience with the CRS1xx series. The only thing I can tell you is the concepts are the same.
There will be a trunk port carrying all the data vlans and management vlan from CRS326 to CRS1XX.
What will change is how to setup vlans but the rest of the noise should be similar.

The best thing to do is follow the example provided, the MT Docs and watch some videos, give it a stab and post back here with the results.
 
Amm0
Forum Guru
Forum Guru
Posts: 3509
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Thu Mar 21, 2024 3:45 am

Is it too much to help me out on that config for CRS112?
It should be well documented, which is similar to CRS3xx, but slightly different. Now all CRSxxx VLAN config is way different than using a bridge on the hAP/cAP/RB5009/etc for VLANs...

But if you're testing this in EVE... it may be EVE support for a CRS1xx that's at issue – I dunno since I'm not the expert on EVE & the CRS1xx are kinda odd in the overall scheme of hardware.... Is the issue happening in EVE, or in a real physical setup?

I ask since the CRS1xx thing is they have the "most raw" interface for correctly setting VLANs — since everything should be done via /interface/ethernet/switch to set the physical switch chip for VLANs/etc. Your config seems to use the more generic "bridge VLAN filtering".... NOT the docs @anav links, which show using "/interface ethernet switch" to configure the VLANs. So while this is different than most RouterOS devices, it is the way it's documented to use VLANs.

Now bridge VLAN filtering should work, but I'm not sure it's the "right way" on the CRS1xx. I don't use them, so I'd start with the docs. e.g. it's possible there are strange things that happen when you use bridge VLAN filtering on them, dunno. But your config is kinda permissive since it uses "frame-types=allow-all" and "ingress-filtering=no", which adds complexity here since if there were VLAN troubles elsewhere, the CRS1xx just passes them along, potentially creating loops that disable ports in RSTP....

Anyway I presume Mikrotik shows the /interface ethernet switch way for some good reason. Only down/flip side of doing it the "documented way" is I'm not sure that works in EVE, since you're kinda setting the switch chip directly...
 
 
korg
Member Candidate
Member Candidate
Topic Author
Posts: 141
Joined: Tue Apr 26, 2016 4:10 pm

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Thu Mar 21, 2024 6:03 pm

Guys, you've been just great! Great community! So happy to be a part of it!
Let's continue.
I've now configured the CRS326 part and I get the VLANs accessed in the correct manner.

This is the config (only CRS354 and CRS326 - no CRS112)
2024-03-21_16h57_36.png
Code CRS354
# mar/21/2024 15:58:24 by RouterOS 7.9.1
# software id = 
#
/interface bridge
add ingress-filtering=no name=bridge-main pvid=999 vlan-filtering=yes
/interface wireguard
add comment="Wireguard for RW's" listen-port=13299 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge-main name=vlan100-corp vlan-id=100
add interface=bridge-main name=vlan200-guests vlan-id=200
add interface=bridge-main name=vlan300-cameras vlan-id=300
add interface=bridge-main name=vlan500-dali vlan-id=500
add interface=bridge-main name=vlan600-IoT1 vlan-id=600
add interface=bridge-main name=vlan700-POS vlan-id=700
add interface=bridge-main name=vlan800-IoT2 vlan-id=800
add interface=bridge-main name=vlan999-mgmt vlan-id=999
/interface list
add name=LAN
add name=Authorized
add name=WAN
add name=mgmt
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp-vlan100 ranges=10.10.100.100-10.10.100.200
add name=dhcp-vlan200 ranges=10.20.100.1-10.20.100.250
add name=dhcp-vlan300 ranges=10.30.100.100-10.30.100.150
add name=dhcp-vlan500 ranges=10.50.100.100-10.50.100.150
add name=dhcp-vlan600 ranges=10.60.100.100-10.60.100.150
add name=dhcp-vlan700 ranges=10.70.100.100-10.70.100.150
add name=dhcp-vlan800 ranges=10.80.100.100-10.80.100.150
add name=dhcp-vlan999 ranges=10.99.99.50-10.99.99.200
/ip dhcp-server
add address-pool=dhcp-vlan100 interface=vlan100-corp lease-time=4h name=dhcp-corp
add address-pool=dhcp-vlan200 interface=vlan200-guests name=dhcp-guests
add address-pool=dhcp-vlan300 interface=vlan300-cameras lease-time=8h30m name=dhcp-cameras
add address-pool=dhcp-vlan500 interface=vlan500-dali lease-time=8h name=dhcp-dali
add address-pool=dhcp-vlan600 interface=vlan600-IoT1 lease-time=8h name=dhcp-IoT1
add address-pool=dhcp-vlan700 interface=vlan700-POS lease-time=8h name=dhcp-POS
add address-pool=dhcp-vlan800 interface=vlan800-IoT2 lease-time=8h name=dhcp-IoT2
add address-pool=dhcp-vlan999 interface=vlan999-mgmt lease-time=8h name=dhcp-mgmt
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-main interface=ether4 pvid=200
add bridge=bridge-main interface=ether5 pvid=200
add bridge=bridge-main comment="AP's-vlan999" interface=ether6 pvid=999
add bridge=bridge-main interface=ether7 pvid=999
add bridge=bridge-main interface=ether8 pvid=999
add bridge=bridge-main comment="Camera's vlan300" interface=ether9 pvid=300
add bridge=bridge-main interface=ether10 pvid=300
add bridge=bridge-main comment=Dali-vlan500 interface=ether11 pvid=500
add bridge=bridge-main interface=ether12 pvid=500
add bridge=bridge-main comment=IpT1-vlan600 interface=ether13 pvid=600
add bridge=bridge-main interface=ether14 pvid=600
add bridge=bridge-main comment=POS interface=ether15 pvid=700
add bridge=bridge-main interface=ether16 pvid=700
add bridge=bridge-main interface=ether17 pvid=700
add bridge=bridge-main comment=IoT2-vlan800 interface=ether18 pvid=800
add bridge=bridge-main interface=ether19 pvid=800
add bridge=bridge-main comment="Trunk Connection to CRS326" ingress-filtering=no interface=ether20 pvid=999
add bridge=bridge-main comment="Trunk Connection to CRS112" ingress-filtering=no interface=ether21 pvid=999
add bridge=bridge-main comment="Spare trunk port" interface=ether22
add bridge=bridge-main comment="mgmt port" frame-types=admit-only-untagged-and-priority-tagged interface=ether24 pvid=999
add bridge=bridge-main interface=ether3 pvid=100
add bridge=bridge-main interface=ether2 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge-main tagged=bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=100
add bridge=bridge-main tagged=bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=200
add bridge=bridge-main tagged=bridge-main untagged=ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=999
add bridge=bridge-main tagged=bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=300
add bridge=bridge-main tagged=bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=500
add bridge=bridge-main tagged=bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=600
add bridge=bridge-main tagged=bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=700
add bridge=bridge-main tagged=bridge-main vlan-ids=800
/interface list member
add interface=ether1 list=WAN
add interface=vlan100-corp list=LAN
add interface=vlan300-cameras list=LAN
add interface=vlan200-guests list=LAN
add interface=vlan500-dali list=LAN
add interface=vlan600-IoT1 list=LAN
add interface=vlan700-POS list=LAN
add interface=vlan800-IoT2 list=LAN
add interface=vlan999-mgmt list=mgmt
add interface=ether22 list=mgmt
/interface wireguard peers
add allowed-address=172.16.0.2/32 comment="RW1 - vlan300" interface=wireguard1 public-key=\
    "blalbala="
add allowed-address=172.16.0.3/32 comment="RW2 - 600" interface=wireguard1 public-key="blalbala+blalbala="
add allowed-address=172.16.0.4/32 comment="RW3 - vlan700" interface=wireguard1 public-key=\
    "blalbala="
add allowed-address=172.16.0.5/32 comment="admin RW - vlan999" interface=wireguard1 public-key=\
    "blalbala="
/ip address
add address=10.10.100.254/24 interface=vlan100-corp network=10.10.100.0
add address=10.20.100.254/24 interface=vlan200-guests network=10.20.100.0
add address=10.30.100.254/24 interface=vlan300-cameras network=10.30.100.0
add address=10.50.100.254/24 interface=vlan500-dali network=10.50.100.0
add address=10.60.100.254/24 interface=vlan600-IoT1 network=10.60.100.0
add address=10.70.100.254/24 interface=vlan700-POS network=10.70.100.0
add address=10.80.100.254/24 interface=vlan800-IoT2 network=10.80.100.0
add address=10.99.99.254/24 interface=vlan999-mgmt network=10.99.99.0
add address=192.168.55.5/24 comment="spare mgmt port" interface=ether22 network=192.168.55.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.10.100.0/24 dns-server=10.10.100.254 gateway=10.10.100.254
add address=10.20.100.0/24 dns-server=10.20.100.254 gateway=10.20.100.254
add address=10.30.100.0/24 dns-server=10.30.100.254 gateway=10.30.100.254
add address=10.50.100.0/24 dns-server=10.50.100.254 gateway=10.50.100.254
add address=10.60.100.0/24 dns-server=10.60.100.254 gateway=10.60.100.254
add address=10.70.100.0/24 dns-server=10.70.100.254 gateway=10.70.100.254
add address=10.80.100.0/24 dns-server=10.80.100.254 gateway=10.80.100.254
add address=10.99.99.0/24 dns-server=10.99.99.254 gateway=10.99.99.254
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=172.16.0.200 comment="admin RW" list=Authorized
add address=192.168.55.5 comment="admin via emergence access" list=Authorized
add address=10.99.99.0/24 comment="allow to mgmt network" list=Authorized
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="wireguard handshake" dst-port=13299 log=yes log-prefix=wg protocol=udp
add action=accept chain=input comment="admin only access" src-address-list=Authorized
add action=accept chain=input comment="users to DNS" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to DNS" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,new,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin vlan access" out-interface-list=LAN src-address-list=Authorized
add action=accept chain=forward comment="User1-RW1 vlan300 access" dst-address=10.30.100.100 in-interface=wireguard1 src-address=\
    172.16.0.2
add action=accept chain=forward comment="User2-RW2 vlan600 access" dst-address=10.60.100.100 in-interface=wireguard1 src-address=\
    172.16.0.3
add action=accept chain=forward comment="User3-RW3 vlan700 access" dst-address=10.70.100.100 in-interface=wireguard1 src-address=\
    172.16.0.4
add action=accept chain=forward comment="User4-RW4 vlan999 access" dst-address=10.99.99.0/24 in-interface=wireguard1 src-address=\
    172.16.0.5
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add disabled=yes dst-address=0.0.0.0/0 gateway=10.0.0.1 routing-table=main
/system note
set show-at-login=no


Code CRS326
# mar/21/2024 15:53:14 by RouterOS 7.9.1
# software id = 
#
/interface bridge
add ingress-filtering=no name=bridge-leaf2-326 pvid=999 vlan-filtering=yes
/interface vlan
add interface=bridge-leaf2-326 name=vlan100-corp vlan-id=100
add interface=bridge-leaf2-326 name=vlan200-guests vlan-id=200
add interface=bridge-leaf2-326 name=vlan300-cameras vlan-id=300
add interface=bridge-leaf2-326 name=vlan500-dali vlan-id=500
add interface=bridge-leaf2-326 name=vlan600-IoT1 vlan-id=600
add interface=bridge-leaf2-326 name=vlan700-POS vlan-id=700
add interface=bridge-leaf2-326 name=vlan800-IoT2 vlan-id=800
add interface=bridge-leaf2-326 name=vlan999-mgmt vlan-id=999
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-leaf2-326 ingress-filtering=no interface=ether1 pvid=999
add bridge=bridge-leaf2-326 ingress-filtering=no interface=ether2 pvid=999
add bridge=bridge-leaf2-326 ingress-filtering=no interface=ether3 pvid=999
add bridge=bridge-leaf2-326 ingress-filtering=no interface=ether4 pvid=300
add bridge=bridge-leaf2-326 ingress-filtering=no interface=ether5 pvid=600
add bridge=bridge-leaf2-326 ingress-filtering=no interface=ether6 pvid=700
add bridge=bridge-leaf2-326 ingress-filtering=no interface=ether7 pvid=700
/interface bridge vlan
add bridge=bridge-leaf2-326 tagged=ether1 untagged=bridge-leaf2-326 vlan-ids=100
add bridge=bridge-leaf2-326 tagged=ether1 untagged=bridge-leaf2-326 vlan-ids=200
add bridge=bridge-leaf2-326 tagged=ether1 untagged=bridge-leaf2-326 vlan-ids=300
add bridge=bridge-leaf2-326 tagged=ether1 untagged=bridge-leaf2-326 vlan-ids=500
add bridge=bridge-leaf2-326 tagged=ether1 untagged=bridge-leaf2-326 vlan-ids=600
add bridge=bridge-leaf2-326 tagged=ether1 untagged=bridge-leaf2-326 vlan-ids=700
add bridge=bridge-leaf2-326 vlan-ids=999
/ip dhcp-client
add interface=bridge-leaf2-326
/system identity
set name=Mikrotik-Leaf2-CRS326
/system note
set show-at-login=no
So, only this part...
WG-Diagram-more-routers-no-112.jpg
Is this VLAN approach good/correct?

Thanks for any help!

korg
 
korg
Member Candidate
Topic Author
Posts: 141
Joined: Tue Apr 26, 2016 4:10 pm

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Thu Mar 21, 2024 6:30 pm

What I've just noticed, playing with my EVE lab, is that no matter if I connect to vlan100 or vlan700 or whatever LAN, I can easily ping other subnets. Example:
if I am in vlan 600 10.60.100.0/24 I can easily ping 10.10.100.0/24 or even the 10.99.99.0/24 mgmt subnet.

So, assuming I've done something wrong in my config, what am I missing? (Or is it an EVE thing?)

Tx

korg
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Thu Mar 21, 2024 7:52 pm

1. If you think about it, the subnet gateways are considered ROUTER interfaces and thus are normally reachable.
However, no actual users or devices should be pingable/reachable.

2. Also be aware the 354 is a switch and thus routing throughput will be limited.

3. Don't know why you are assigning any PVID on the bridge itself, not required??

4. Should normally be set to mgmt -
/ip neighbor discovery-settings
set discover-interface-list=all

5. I find the bridge ports and bridge vlans are incorrect on both devices.
And on the second device CRS326, the only vlan needing identification is the management one; the rest are just coming in ether1 and going to their respective ports.
EDIT: I was looking at the wrong diagram and will have relook on the new diagram and comment in another post!!

6. In terms of firewall rules all seems in order, although I do have to question one thing. You have identified all the RWs, RW1-172.16.0.2 through RW3-172.16.0.4 and RW4_Admin - 172.16.0.5

So who the heck is this???
/ip firewall address-list
add address=172.16.0.200 comment="admin RW" list=Authorized
add address=192.168.55.5 comment="admin via emergence access" list=Authorized
add address=10.99.99.0/24 comment="allow to mgmt network" list=Authorized


If, as I suspect, your firewall address list contains a TYPO and it should be 172.16.0.5, then clearly the last firewall rule is not needed, as you already have a rule allowing the admin to all vlans!!

add action=accept chain=forward comment="User4-RW4 vlan999 access" dst-address=10.99.99.0/24 in-interface=wireguard1 src-address=\
172.16.0.5


7. Why do you have an Authorized interface list name? You already use that name for the firewall address list .......... remove it.

8. You need to add wireguard to the interface list members for two reasons: so the RWs will be able to access the internet if required, and also access the router's DNS services.
add interface=wireguard1 list=LAN

9. Add this entry
/tool mac-server mac-winbox
set allowed-interface-list=mgmt
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Thu Mar 21, 2024 8:51 pm

Before I can make sense of bridge ports and vlans you have to get your story straight on diagrams; not sure if you intentionally aim to confuse :-)

You claim APs 1-5 by your diagram, and in orange text seem to indicate they are on ports 10-18 (9 etherports) carrying vlan100,200.
So which is it, FIVE APs on ports 10-14 for example, or 9 APs?
Heck, your text in the middle block is different again: it states or identifies only 3 APs on ports 6-8.

In your text box you identify ether20/21 going to 326/112; vlan999 is just one port going on the trunk, so no need to highlight it, confusing.

Going back to your orange text claiming etherports 10-18 for vlans 100/200, that contradicts the middle text box, which clearly shows 10-18 having different vlan use ????
 
korg
Member Candidate
Topic Author
Posts: 141
Joined: Tue Apr 26, 2016 4:10 pm

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Fri Mar 22, 2024 12:16 pm

1. On my EVE lab the clients can ping one another: address 10.30.100.150 can ping 10.70.100.150.. which is not ok
2. I see
3. Shouldn't it be? So I am telling that the bridge on the 354 is carrying 999 as mgmt.
4. Done
5. Adding a new diagram...
6. Yes... typo.. corrected in the new script
7. Done
8. Done
9. Done
 
korg
Member Candidate
Topic Author
Posts: 141
Joined: Tue Apr 26, 2016 4:10 pm

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Fri Mar 22, 2024 12:27 pm

anav: You claim APs 1-5 by your diagram, and in orange text seem to indicate they are on ports 10-18 (9 etherports) carrying vlan100,200.
So which is it, FIVE APs on ports 10-14 for example, or 9 APs?
Heck, your text in the middle block is different again: it states or identifies only 3 APs on ports 6-8.

me: I think you are looking now at the wrong diagram.. and therefore, please consider only this last one... (which I'll add after this post).

anav: In your text box you identify ether20/21 going to 326/112; vlan999 is just one port going on the trunk, so no need to highlight it, confusing.

Going back to your orange text claiming etherports 10-18 for vlans 100/200, that contradicts the middle text box, which clearly shows 10-18 having different vlan use ????

me: I will post a new diagram and new code
 
korg
Member Candidate
Topic Author
Posts: 141
Joined: Tue Apr 26, 2016 4:10 pm

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Fri Mar 22, 2024 12:40 pm

WG-Diagram-more-routers-no-112v2.jpg
CRS354 Spine
# software id = 
#
/interface bridge
add ingress-filtering=no name=bridge-main pvid=999 vlan-filtering=yes
/interface wireguard
add comment="Wireguard for RW's" listen-port=13299 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge-main name=vlan100-corp vlan-id=100
add interface=bridge-main name=vlan200-guests vlan-id=200
add interface=bridge-main name=vlan300-cameras vlan-id=300
add interface=bridge-main name=vlan500-dali vlan-id=500
add interface=bridge-main name=vlan600-IoT1 vlan-id=600
add interface=bridge-main name=vlan700-POS vlan-id=700
add interface=bridge-main name=vlan800-IoT2 vlan-id=800
add interface=bridge-main name=vlan999-mgmt vlan-id=999
/interface list
add name=LAN
add name=WAN
add name=mgmt
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp-vlan100 ranges=10.10.100.100-10.10.100.200
add name=dhcp-vlan200 ranges=10.20.100.1-10.20.100.250
add name=dhcp-vlan300 ranges=10.30.100.100-10.30.100.150
add name=dhcp-vlan500 ranges=10.50.100.100-10.50.100.150
add name=dhcp-vlan600 ranges=10.60.100.100-10.60.100.150
add name=dhcp-vlan700 ranges=10.70.100.100-10.70.100.150
add name=dhcp-vlan800 ranges=10.80.100.100-10.80.100.150
add name=dhcp-vlan999 ranges=10.99.99.50-10.99.99.200
/ip dhcp-server
add address-pool=dhcp-vlan100 interface=vlan100-corp lease-time=4h name=dhcp-corp
add address-pool=dhcp-vlan200 interface=vlan200-guests name=dhcp-guests
add address-pool=dhcp-vlan300 interface=vlan300-cameras lease-time=8h30m name=dhcp-cameras
add address-pool=dhcp-vlan500 interface=vlan500-dali lease-time=8h name=dhcp-dali
add address-pool=dhcp-vlan600 interface=vlan600-IoT1 lease-time=8h name=dhcp-IoT1
add address-pool=dhcp-vlan700 interface=vlan700-POS lease-time=8h name=dhcp-POS
add address-pool=dhcp-vlan800 interface=vlan800-IoT2 lease-time=8h name=dhcp-IoT2
add address-pool=dhcp-vlan999 interface=vlan999-mgmt lease-time=8h name=dhcp-mgmt
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-main interface=ether4 pvid=200
add bridge=bridge-main interface=ether5 pvid=200
add bridge=bridge-main comment="AP's-vlan999" interface=ether6 pvid=999
add bridge=bridge-main interface=ether7 pvid=999
add bridge=bridge-main interface=ether8 pvid=999
add bridge=bridge-main comment="Camera's vlan300" interface=ether9 pvid=300
add bridge=bridge-main interface=ether10 pvid=300
add bridge=bridge-main comment=Dali-vlan500 interface=ether11 pvid=500
add bridge=bridge-main interface=ether12 pvid=500
add bridge=bridge-main comment=IpT1-vlan600 interface=ether13 pvid=600
add bridge=bridge-main interface=ether14 pvid=600
add bridge=bridge-main comment=POS interface=ether15 pvid=700
add bridge=bridge-main interface=ether16 pvid=700
add bridge=bridge-main interface=ether17 pvid=700
add bridge=bridge-main comment=IoT2-vlan800 interface=ether18 pvid=800
add bridge=bridge-main interface=ether19 pvid=800
add bridge=bridge-main comment="Trunk Connection to CRS326" ingress-filtering=no interface=ether20 pvid=999
add bridge=bridge-main comment="Trunk Connection to CRS112" ingress-filtering=no interface=ether21 pvid=999
add bridge=bridge-main comment="Spare trunk port" interface=ether22
add bridge=bridge-main comment="mgmt port" frame-types=admit-only-untagged-and-priority-tagged interface=ether24 pvid=999
add bridge=bridge-main interface=ether3 pvid=100
add bridge=bridge-main interface=ether2 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=mgmt
/interface bridge vlan
add bridge=bridge-main tagged=bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=100
add bridge=bridge-main tagged=bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=200
add bridge=bridge-main tagged=bridge-main untagged=ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=999
add bridge=bridge-main tagged=bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=300
add bridge=bridge-main tagged=bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=500
add bridge=bridge-main tagged=bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=600
add bridge=bridge-main tagged=bridge-main,ether6,ether7,ether8,ether20,ether21,ether24 vlan-ids=700
add bridge=bridge-main tagged=bridge-main vlan-ids=800
/interface list member
add interface=ether1 list=WAN
add interface=vlan100-corp list=LAN
add interface=vlan300-cameras list=LAN
add interface=vlan200-guests list=LAN
add interface=vlan500-dali list=LAN
add interface=vlan600-IoT1 list=LAN
add interface=vlan700-POS list=LAN
add interface=vlan800-IoT2 list=LAN
add interface=vlan999-mgmt list=mgmt
add interface=ether22 list=mgmt
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=172.16.0.2/32 comment="RW1 - vlan300" interface=wireguard1 public-key="zlalalalala="
add allowed-address=172.16.0.3/32 comment="RW2 - 600" interface=wireguard1 public-key="lalalalala"
add allowed-address=172.16.0.4/32 comment="RW3 - vlan700" interface=wireguard1 public-key="lalalalala"
add allowed-address=172.16.0.5/32 comment="admin RW - vlan999" interface=wireguard1 public-key="lalalalala="
/ip address
add address=10.10.100.254/24 interface=vlan100-corp network=10.10.100.0
add address=10.20.100.254/24 interface=vlan200-guests network=10.20.100.0
add address=10.30.100.254/24 interface=vlan300-cameras network=10.30.100.0
add address=10.50.100.254/24 interface=vlan500-dali network=10.50.100.0
add address=10.60.100.254/24 interface=vlan600-IoT1 network=10.60.100.0
add address=10.70.100.254/24 interface=vlan700-POS network=10.70.100.0
add address=10.80.100.254/24 interface=vlan800-IoT2 network=10.80.100.0
add address=10.99.99.254/24 interface=vlan999-mgmt network=10.99.99.0
add address=192.168.55.5/24 comment="spare mgmt port" interface=ether22 network=192.168.55.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.10.100.0/24 dns-server=10.10.100.254 gateway=10.10.100.254
add address=10.20.100.0/24 dns-server=10.20.100.254 gateway=10.20.100.254
add address=10.30.100.0/24 dns-server=10.30.100.254 gateway=10.30.100.254
add address=10.50.100.0/24 dns-server=10.50.100.254 gateway=10.50.100.254
add address=10.60.100.0/24 dns-server=10.60.100.254 gateway=10.60.100.254
add address=10.70.100.0/24 dns-server=10.70.100.254 gateway=10.70.100.254
add address=10.80.100.0/24 dns-server=10.80.100.254 gateway=10.80.100.254
add address=10.99.99.0/24 dns-server=10.99.99.254 gateway=10.99.99.254
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=172.16.0.5 comment="admin RW" list=Authorized
add address=192.168.55.5 comment="admin via emergence access" list=Authorized
add address=10.99.99.0/24 comment="allow to mgmt network" list=Authorized
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="wireguard handshake" dst-port=13299 log=yes log-prefix=wg protocol=udp
add action=accept chain=input comment="admin only access" src-address-list=Authorized
add action=accept chain=input comment="users to DNS" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to DNS" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,new,untracked
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward in-interface-list=LAN out-interface-list=LAN
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin vlan access" out-interface-list=LAN src-address-list=Authorized
add action=accept chain=forward comment="User1-RW1 vlan300 access" dst-address=10.30.100.100 in-interface=wireguard1 src-address=172.16.0.2
add action=accept chain=forward comment="User2-RW2 vlan600 access" dst-address=10.60.100.100 in-interface=wireguard1 src-address=172.16.0.3
add action=accept chain=forward comment="User3-RW3 vlan700 access" dst-address=10.70.100.100 in-interface=wireguard1 src-address=172.16.0.4
add action=accept chain=forward comment="User4-RW4 vlan999 access" dst-address=10.99.99.0/24 in-interface=wireguard1 src-address=172.16.0.5
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add disabled=yes dst-address=0.0.0.0/0 gateway=10.0.0.1 routing-table=main
/system note
set show-at-login=no
/tool mac-server mac-winbox
set allowed-interface-list=mgmt

CRS326 Leaf2
# mar/22/2024 10:36:47 by RouterOS 7.9.1
# software id = 
#
/interface bridge
add ingress-filtering=no name=bridge-leaf2-326 pvid=999 vlan-filtering=yes
/interface vlan
add interface=bridge-leaf2-326 name=vlan100-corp vlan-id=100
add interface=bridge-leaf2-326 name=vlan200-guests vlan-id=200
add interface=bridge-leaf2-326 name=vlan300-cameras vlan-id=300
add interface=bridge-leaf2-326 name=vlan500-dali vlan-id=500
add interface=bridge-leaf2-326 name=vlan600-IoT1 vlan-id=600
add interface=bridge-leaf2-326 name=vlan700-POS vlan-id=700
add interface=bridge-leaf2-326 name=vlan800-IoT2 vlan-id=800
add interface=bridge-leaf2-326 name=vlan999-mgmt vlan-id=999
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-leaf2-326 ingress-filtering=no interface=ether1 pvid=999
add bridge=bridge-leaf2-326 ingress-filtering=no interface=ether2 pvid=999
add bridge=bridge-leaf2-326 ingress-filtering=no interface=ether3 pvid=999
add bridge=bridge-leaf2-326 ingress-filtering=no interface=ether4 pvid=999
add bridge=bridge-leaf2-326 ingress-filtering=no interface=ether5 pvid=100
add bridge=bridge-leaf2-326 ingress-filtering=no interface=ether6 pvid=200
add bridge=bridge-leaf2-326 ingress-filtering=no interface=ether7 pvid=700
/interface bridge vlan
add bridge=bridge-leaf2-326 tagged=ether1 untagged=bridge-leaf2-326 vlan-ids=100
add bridge=bridge-leaf2-326 tagged=ether1 untagged=bridge-leaf2-326 vlan-ids=200
add bridge=bridge-leaf2-326 tagged=ether1 untagged=bridge-leaf2-326 vlan-ids=300
add bridge=bridge-leaf2-326 tagged=ether1 untagged=bridge-leaf2-326 vlan-ids=500
add bridge=bridge-leaf2-326 tagged=ether1 untagged=bridge-leaf2-326 vlan-ids=600
add bridge=bridge-leaf2-326 tagged=ether1 untagged=bridge-leaf2-326 vlan-ids=700
add bridge=bridge-leaf2-326 vlan-ids=999
/ip dhcp-client
add interface=bridge-leaf2-326
/system identity
set name=Mikrotik-Leaf2-CRS326
/system note
set show-at-login=no
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Fri Mar 22, 2024 3:41 pm

1. No need to set pvid on the bridge, it's not the usual way.
2. No mention of port 23, so I made it another untagged access port for mgmt, like ether24.
3. Speaking of ether24: unless it's to a smart switch, which you didn't indicate, it should not be tagged on /interface bridge vlan.
4. Ether22 is off-bridge access, in case the bridge vlan filtering gets screwed up and your config access is not disturbed, so it should not be on the bridge.
5. If as per your diagram AP1-3 are carrying vlan100 and vlan200, then why are you also putting all the other vlans onto these APs? So I removed them.
6. You seem to have introduced a new firewall rule all on your own ???? Removed!!!
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,new,untracked
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward in-interface-list=LAN out-interface-list=LAN
Purpose of this ??????
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN

7. Why did you keep the rule below? I specifically pointed out the logic that you have already allowed the admin coming in on wireguard access to all VLANs !!!
add action=accept chain=forward comment="User4-RW4 vlan999 access" dst-address=10.99.99.0/24 in-interface=wireguard1 src-address=172.16.0.5

It is useless because you have this rule above it!!
add action=accept chain=forward comment="admin vlan access" out-interface-list=LAN src-address-list=Authorized

/ip firewall address-list
add address=172.16.0.5 comment="admin RW" list=Authorized

add address=192.168.55.5 comment="admin via emergence access" list=Authorized
add address=10.99.99.0/24 comment="allow to mgmt network" list=Authorized



/interface bridge
add ingress-filtering=no name=bridge-main  vlan-filtering=yes
/interface wireguard
add comment="Wireguard for RW's" listen-port=13299 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge-main name=vlan100-corp vlan-id=100
add interface=bridge-main name=vlan200-guests vlan-id=200
add interface=bridge-main name=vlan300-cameras vlan-id=300
add interface=bridge-main name=vlan500-dali vlan-id=500
add interface=bridge-main name=vlan600-IoT1 vlan-id=600
add interface=bridge-main name=vlan700-POS vlan-id=700
add interface=bridge-main name=vlan800-IoT2 vlan-id=800
add interface=bridge-main name=vlan999-mgmt vlan-id=999
/interface list
add name=LAN
add name=WAN
add name=mgmt
/ip pool
add name=dhcp-vlan100 ranges=10.10.100.100-10.10.100.200
add name=dhcp-vlan200 ranges=10.20.100.1-10.20.100.250
add name=dhcp-vlan300 ranges=10.30.100.100-10.30.100.150
add name=dhcp-vlan500 ranges=10.50.100.100-10.50.100.150
add name=dhcp-vlan600 ranges=10.60.100.100-10.60.100.150
add name=dhcp-vlan700 ranges=10.70.100.100-10.70.100.150
add name=dhcp-vlan800 ranges=10.80.100.100-10.80.100.150
add name=dhcp-vlan999 ranges=10.99.99.50-10.99.99.200
/ip dhcp-server
add address-pool=dhcp-vlan100 interface=vlan100-corp lease-time=4h name=dhcp-corp
add address-pool=dhcp-vlan200 interface=vlan200-guests name=dhcp-guests
add address-pool=dhcp-vlan300 interface=vlan300-cameras lease-time=8h30m name=dhcp-cameras
add address-pool=dhcp-vlan500 interface=vlan500-dali lease-time=8h name=dhcp-dali
add address-pool=dhcp-vlan600 interface=vlan600-IoT1 lease-time=8h name=dhcp-IoT1
add address-pool=dhcp-vlan700 interface=vlan700-POS lease-time=8h name=dhcp-POS
add address-pool=dhcp-vlan800 interface=vlan800-IoT2 lease-time=8h name=dhcp-IoT2
add address-pool=dhcp-vlan999 interface=vlan999-mgmt lease-time=8h name=dhcp-mgmt
/interface bridge port
# frame-types uses the RouterOS value admit-only-untagged-and-priority-tagged;
# ether2-5 carry pvid=100 to match the vlan100 untagged ports below (comment=Corp)
add bridge=bridge-main ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=100 comment=Corp
add bridge=bridge-main ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=100
add bridge=bridge-main ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=100
add bridge=bridge-main ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=100
add bridge=bridge-main ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether6 comment="AP1 Trunk"
add bridge=bridge-main ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether7 comment="AP2 Trunk"
add bridge=bridge-main ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether8 comment="AP3 Trunk"
add bridge=bridge-main ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether9 pvid=300 comment=Cameras
add bridge=bridge-main ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether10 pvid=300
add bridge=bridge-main ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether11 pvid=500 comment=Electrical
add bridge=bridge-main ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether12 pvid=500
add bridge=bridge-main ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether13 pvid=600 comment=iot1
add bridge=bridge-main ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether14 pvid=600
add bridge=bridge-main ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether15 pvid=700 comment=POS
add bridge=bridge-main ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether16 pvid=700
add bridge=bridge-main ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether17 pvid=700
add bridge=bridge-main ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether18 pvid=800 comment=iot2
add bridge=bridge-main ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether19 pvid=800
add bridge=bridge-main ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether20 comment="trunk to CRS326"
add bridge=bridge-main ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether21 comment="trunk to CRS112"
add bridge=bridge-main ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether23 pvid=999 comment="spare"
add bridge=bridge-main ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether24 pvid=999
/ip neighbor discovery-settings
set discover-interface-list=mgmt
/interface bridge vlan
add bridge=bridge-main tagged=bridge-main,ether6,ether7,ether8,ether20,ether21 untagged=ether2,ether3,ether4,ether5 vlan-ids=100
add bridge=bridge-main tagged=bridge-main,ether6,ether7,ether8,ether20,ether21 vlan-ids=200
add bridge=bridge-main tagged=bridge-main,ether20,ether21 untagged=ether9,ether10 vlan-ids=300
add bridge=bridge-main tagged=bridge-main,ether20,ether21 untagged=ether11,ether12 vlan-ids=500
add bridge=bridge-main tagged=bridge-main,ether20,ether21 untagged=ether13,ether14 vlan-ids=600
add bridge=bridge-main tagged=bridge-main,ether20,ether21 untagged=ether15,ether16,ether17 vlan-ids=700
add bridge=bridge-main tagged=bridge-main,ether20,ether21 untagged=ether18,ether19 vlan-ids=800
add bridge=bridge-main tagged=bridge-main,ether6,ether7,ether8,ether20,ether21 untagged=ether23,ether24 vlan-ids=999
/interface list member
add interface=ether1 list=WAN
add interface=vlan100-corp list=LAN
add interface=vlan300-cameras list=LAN
add interface=vlan200-guests list=LAN
add interface=vlan500-dali list=LAN
add interface=vlan600-IoT1 list=LAN
add interface=vlan700-POS list=LAN
add interface=vlan800-IoT2 list=LAN
add interface=vlan999-mgmt list=mgmt
add interface=ether22 list=mgmt
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=172.16.0.2/32 comment="RW1 - vlan300" interface=wireguard1 public-key="zlalalalala="
add allowed-address=172.16.0.3/32 comment="RW2 - 600" interface=wireguard1 public-key="lalalalala"
add allowed-address=172.16.0.4/32 comment="RW3 - vlan700" interface=wireguard1 public-key="lalalalala"
add allowed-address=172.16.0.5/32 comment="admin RW - vlan999" interface=wireguard1 public-key="lalalalala="
/ip address
add address=10.10.100.254/24 interface=vlan100-corp network=10.10.100.0
add address=10.20.100.254/24 interface=vlan200-guests network=10.20.100.0
add address=10.30.100.254/24 interface=vlan300-cameras network=10.30.100.0
add address=10.50.100.254/24 interface=vlan500-dali network=10.50.100.0
add address=10.60.100.254/24 interface=vlan600-IoT1 network=10.60.100.0
add address=10.70.100.254/24 interface=vlan700-POS network=10.70.100.0
add address=10.80.100.254/24 interface=vlan800-IoT2 network=10.80.100.0
add address=10.99.99.254/24 interface=vlan999-mgmt network=10.99.99.0
add address=192.168.55.5/24 comment="spare mgmt port" interface=ether22 network=192.168.55.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.10.100.0/24 dns-server=10.10.100.254 gateway=10.10.100.254
add address=10.20.100.0/24 dns-server=10.20.100.254 gateway=10.20.100.254
add address=10.30.100.0/24 dns-server=10.30.100.254 gateway=10.30.100.254
add address=10.50.100.0/24 dns-server=10.50.100.254 gateway=10.50.100.254
add address=10.60.100.0/24 dns-server=10.60.100.254 gateway=10.60.100.254
add address=10.70.100.0/24 dns-server=10.70.100.254 gateway=10.70.100.254
add address=10.80.100.0/24 dns-server=10.80.100.254 gateway=10.80.100.254
add address=10.99.99.0/24 dns-server=10.99.99.254 gateway=10.99.99.254
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=172.16.0.5 comment="admin RW" list=Authorized
add address=192.168.55.5 comment="admin via emergence access" list=Authorized
add address=10.99.99.0/24 comment="allow to mgmt network" list=Authorized
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="wireguard handshake" dst-port=13299 log=yes log-prefix=wg protocol=udp
add action=accept chain=input comment="admin only access" src-address-list=Authorized
add action=accept chain=input comment="users to DNS" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to DNS" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,new,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin vlan access" out-interface-list=LAN src-address-list=Authorized
add action=accept chain=forward comment="User1-RW1 vlan300 access" dst-address=10.30.100.100 in-interface=wireguard1 src-address=172.16.0.2
add action=accept chain=forward comment="User2-RW2 vlan600 access" dst-address=10.60.100.100 in-interface=wireguard1 src-address=172.16.0.3
add action=accept chain=forward comment="User3-RW3 vlan700 access" dst-address=10.70.100.100 in-interface=wireguard1 src-address=172.16.0.4
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add disabled=yes dst-address=0.0.0.0/0 gateway=10.0.0.1 routing-table=main
/system note
set show-at-login=no
/tool mac-server mac-winbox
set allowed-interface-list=mgmt
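To see which rule in the forward chain above actually handles a given packet, here is an added Python simulation of RouterOS first-match evaluation over the posted rules (example code, not from the thread or from MikroTik). It assumes the out-interface follows the connected routes in the posted /ip address section; the `accept_new=False` variant, which removes `new` from the catch-all accept rule, is an assumption for comparison, not a change anyone in the thread proposed.

```python
import ipaddress
from dataclasses import dataclass

# Interface-list membership as in the posted /interface list member section.
IFACE_LISTS = {
    "ether1": {"WAN"}, "wireguard1": {"LAN"}, "vlan999-mgmt": {"mgmt"},
    **{v: {"LAN"} for v in ("vlan100-corp", "vlan200-guests", "vlan300-cameras",
                            "vlan500-dali", "vlan600-IoT1", "vlan700-POS", "vlan800-IoT2")},
}
# Connected routes from the posted /ip address section (used to pick the out-interface).
ROUTES = {
    "10.10.100.0/24": "vlan100-corp", "10.20.100.0/24": "vlan200-guests",
    "10.30.100.0/24": "vlan300-cameras", "10.50.100.0/24": "vlan500-dali",
    "10.60.100.0/24": "vlan600-IoT1", "10.70.100.0/24": "vlan700-POS",
    "10.80.100.0/24": "vlan800-IoT2", "10.99.99.0/24": "vlan999-mgmt",
}
# /ip firewall address-list list=Authorized, as posted.
AUTHORIZED = ["172.16.0.5/32", "192.168.55.5/32", "10.99.99.0/24"]

@dataclass
class Rule:
    action: str
    comment: str = ""
    state: tuple = ()      # connection-state=...
    src: str = ""          # src-address
    dst: str = ""          # dst-address
    in_if: str = ""        # in-interface
    in_list: str = ""      # in-interface-list
    out_list: str = ""     # out-interface-list
    src_list: str = ""     # src-address-list

@dataclass
class Packet:
    src: str
    dst: str
    in_if: str
    state: str = "new"

def out_interface(dst):
    """Longest-prefix match over the connected routes; anything else leaves via ether1 (WAN)."""
    ip = ipaddress.ip_address(dst)
    hits = [n for n in ROUTES if ip in ipaddress.ip_network(n)]
    return ROUTES[max(hits, key=lambda n: ipaddress.ip_network(n).prefixlen)] if hits else "ether1"

def in_net(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)

def matches(rule, pkt):
    """Every matcher present on the rule must hold; RouterOS ANDs all matchers of a rule."""
    out_if = out_interface(pkt.dst)
    return all([
        not rule.state or pkt.state in rule.state,
        not rule.src or in_net(pkt.src, [rule.src]),
        not rule.dst or in_net(pkt.dst, [rule.dst]),
        not rule.in_if or pkt.in_if == rule.in_if,
        not rule.in_list or rule.in_list in IFACE_LISTS.get(pkt.in_if, set()),
        not rule.out_list or rule.out_list in IFACE_LISTS.get(out_if, set()),
        not rule.src_list or in_net(pkt.src, AUTHORIZED),
    ])

def forward_chain(accept_new=True):
    """The forward chain from the post above, in order. accept_new=False drops 'new' from the
    catch-all accept rule (an assumed variant for comparison only)."""
    catch_all = ("established", "related", "untracked") + (("new",) if accept_new else ())
    return [
        Rule("fasttrack-connection", "fasttrack", state=("established", "related")),
        Rule("accept", "catch-all", state=catch_all),
        Rule("drop", "invalid", state=("invalid",)),
        Rule("accept", "internet access", in_list="LAN", out_list="WAN"),
        Rule("accept", "admin vlan access", out_list="LAN", src_list="Authorized"),
        Rule("accept", "User1-RW1 vlan300 access", dst="10.30.100.100", in_if="wireguard1", src="172.16.0.2"),
        Rule("accept", "User2-RW2 vlan600 access", dst="10.60.100.100", in_if="wireguard1", src="172.16.0.3"),
        Rule("accept", "User3-RW3 vlan700 access", dst="10.70.100.100", in_if="wireguard1", src="172.16.0.4"),
        Rule("drop", "Drop all else"),
    ]

NON_TERMINATING = {"fasttrack-connection"}  # marks the connection, then continues down the chain

def evaluate(rules, pkt):
    """Return (action, comment) of the first terminating rule the packet matches."""
    for rule in rules:
        if matches(rule, pkt) and rule.action not in NON_TERMINATING:
            return rule.action, rule.comment
    return "accept", "end of chain"  # nothing matched: RouterOS default policy

if __name__ == "__main__":
    samples = [  # constructed packets, all in state "new"
        Packet("172.16.0.2", "10.30.100.100", "wireguard1"),       # RW1 to its own camera
        Packet("172.16.0.2", "10.60.100.100", "wireguard1"),       # RW1 to another VLAN's host
        Packet("172.16.0.5", "10.30.100.50", "wireguard1"),        # admin RW to cameras VLAN
        Packet("172.16.0.5", "10.99.99.10", "wireguard1"),         # admin RW to mgmt VLAN
        Packet("10.60.100.120", "10.10.100.110", "vlan600-IoT1"),  # IoT1 host to corp host
    ]
    for accept_new in (True, False):
        print(f"catch-all accepts new={accept_new}")
        for p in samples:
            print(f"  {p.src} -> {p.dst}: {evaluate(forward_chain(accept_new), p)}")
```

Two things the run shows: with `new` in the catch-all rule every new forward packet is accepted there, so the per-RW rules and the final drop never see it; and because vlan999-mgmt sits in interface list mgmt rather than LAN, the `out-interface-list=LAN` admin rule does not match traffic into the management VLAN.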
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Fri Mar 22, 2024 4:27 pm

CRS326

1. Same thing, get rid of pvid 999 on the bridge itself.
2. Still cannot add :-), you show 4 APs 6-8. Well not quite, you show two AP6s LOL, so it should be 6-9. How many ports do you use/state for this? Answer = ports 8-12 (which is 8,9,10,11,12), 5 ports ????
(Will assume you have five APs for the config)

3. Missing OFF-bridge access on the switch, will set it on port 22 again.
4. One does not UNTAG the bridge...............
5. One DOES tag the bridge, but ONLY for the management vlan.
6. Only the management vlan is identified on the switch.
7. IP DHCP CLIENT removed, assign a static IP from the management VLAN.
8. Missing several entries, added...........
/interface bridge
add ingress-filtering=no name=bridge-leaf2-326 vlan-filtering=yes
/interface vlan
add interface=bridge-leaf2-326 name=vlan999-mgmt vlan-id=999
/interface list
add name=mgmt
/interface list members
add interface=vlan999-mgmt list=mgmt
add interface=ether22 list=mgmt
/interface bridge port
add bridge=bridge-leaf2-326 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1  comment="trunk port from 354"
add bridge=bridge-leaf2-326 ingress-filtering=yes frame-types=admit-only-priority-and-untagged  interface=ether2 pvid=100 comment=corp
add bridge=bridge-leaf2-326 ingress-filtering=yes frame-types=admit-only-priority-and-untagged  interface=ether3 pvid=100 
add bridge=bridge-leaf2-326 ingress-filtering=yes frame-types=admit-only-priority-and-untagged  interface=ether4 pvid=100
add bridge=bridge-leaf2-326 ingress-filtering=yes frame-types=admit-only-priority-and-untagged  interface=ether5 pvid=100 
add bridge=bridge-leaf2-326 ingress-filtering=yes frame-types=admit-only-priority-and-untagged  interface=ether6 pvid=100
add bridge=bridge-leaf2-326 ingress-filtering=yes frame-types=admit-only-priority-and-untagged  interface=ether7 pvid=100 
add bridge=bridge-leaf2-326 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether8 comment="trunk to AP 6"
add bridge=bridge-leaf2-326 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether9 comment="trunk to AP 7"
add bridge=bridge-leaf2-326 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether10 comment="trunk to AP 8"
add bridge=bridge-leaf2-326 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether11 comment="trunk to AP 9"
add bridge=bridge-leaf2-326 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether12 comment="trunk to AP 10"
add bridge=bridge-leaf2-326 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether13 pvid=600 comment=iot1
add bridge=bridge-leaf2-326 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether14 pvid=600 
add bridge=bridge-leaf2-326 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether15 pvid=300 comment=Camera
add bridge=bridge-leaf2-326 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether16 pvid=300 
add bridge=bridge-leaf2-326 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether17 pvid=300 
add bridge=bridge-leaf2-326 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether18 pvid=700 comment=POS
add bridge=bridge-leaf2-326 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether19 pvid=700 
add bridge=bridge-leaf2-326 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether20 pvid=700
add bridge=bridge-leaf2-326 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether24 pvid=999 comment=mgmt
/ip neighbor discovery-settings
set discover-interface-list=mgmt
/interface bridge vlan
add bridge=bridge-leaf2-326 tagged=ether1,ether8,ether9,ether10,ether11,ether12  untagged=ether2,ether3,ether4,ether5,ether6,ether7  vlan-ids=100
add bridge=bridge-leaf2-326 tagged=ether1,ether8,ether9,ether10,ether11,ether12  vlan-ids=200
add bridge=bridge-leaf2-326 tagged=ether1 untagged=ether15,ether16,ether17 vlan-ids=300
add bridge=bridge-leaf2-326 tagged=ether1 untagged=ether13,ether14 vlan-ids=600
add bridge=bridge-leaf2-326 tagged=ether1 untagged=ether18,ether19,ether20  vlan-ids=700
add bridge=bridge-leaf2-326 tagged=bridge-leaf2-326,ether1,ether8,ether9,ether10,ether11,ether12  untagged=ether24 vlan-ids=999
/ip dhcp-client
add disabled=yes
/ip dns
set allow-remote-requests=yes servers=10.99.99.254
/ip address
add address=10.99.99.253/24 interface=vlan999-mgmt network=10.99.99.0
add address=192.168.55.5/24 interface=ether22 network=192.168.55.0
/ip route
add dst-address=0.0.0.0/0  gateway=10.99.99.254 routing-table=main
/tool mac-server mac-winbox
set allowed-interface-list=mgmt
 
korg
Member Candidate
Topic Author
Posts: 141
Joined: Tue Apr 26, 2016 4:10 pm

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Fri Mar 22, 2024 6:31 pm

Many thanks! This is now much better config! Thanks for this learning process!

I have tested all ethers within the EVE test lab and they are getting the correctly assigned subnet. What I've seen, though, is that those clients can still ping each other.
Do I need an 'inter-VLAN' firewall rule to block all traffic between all VLANs except internet? Sure, vlan999 should be able to connect to all VLANs.

tx

korg
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Sat Mar 23, 2024 3:51 am

Please verify that a user from one VLAN can access a device on another VLAN (OTHER THAN those allowed); in other words, if a user can ping a user, do the next step: access the user device.
One should normally be able to ping the gateway of any VLAN, but I don't think you should be able to ping from user to user??

Please confirm.
 
korg
Member Candidate
Topic Author
Posts: 141
Joined: Tue Apr 26, 2016 4:10 pm

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Sat Mar 23, 2024 12:58 pm

Thanks again.

No device from vlan100-700 should be able to access or ping devices from another VLAN unless accessing the network, i.e. any VLAN from vlan999-mgmt. And on vlan200 (guest network) I should isolate clients.
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Sat Mar 23, 2024 1:17 pm

According to the current rule setup, this is the only traffic we are allowing.

a. anyone on the source address list Authorized should be able to ping and access any vlan user/device.
b. wg user1 has access to vlan300
c. wg user2 has access to vlan 600
d. wg user3 has access to vlan 700

From my understanding the gateways of every vlan are normally pingable by any user.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

But without seeing your latest config on the router 354, that you have implemented, it's hard to say with certainty.
 
korg
Member Candidate
Topic Author
Posts: 141
Joined: Tue Apr 26, 2016 4:10 pm

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Sat Mar 23, 2024 7:56 pm

OK... maybe I've explained clumsily...

I've implemented your configurations for both 354 and 326... not mine... and I saw, testing in EVE, that I could ping one client from 10.30.100.100 to 10.70.100.150.

That's why I've mentioned it.
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Sat Mar 23, 2024 9:21 pm

Okay, no worries. Unfortunately that makes no sense to me, as it shouldn't happen. As you can see by the firewall rules, they are blocked at layer 3 by firewall rules
and the VLAN structure blocks any level 2 traffic. So there is no logic.
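As an added illustration (not code from anyone in this thread), here is a small Python model of the forward chain posted earlier, evaluated first-match-wins the way RouterOS does: if the first accept rule's connection-state includes `new`, every new connection is accepted before the per-user WireGuard rules and the final "Drop all else" are ever reached, which would produce exactly the inter-VLAN ping korg observed; without `new` the same ping is dropped while WG user1 still reaches its camera host. The mapping of subnets to interfaces and the LAN/WAN interface-list membership are assumptions of the model, and the Authorized address-list rule is left out.

```python
import ipaddress

# Constructed model of the posted /ip firewall filter forward chain.
# Subnet-to-interface mapping and LAN/WAN list membership are assumed.
VLAN_NETS = {"vlan300": "10.30.100.0/24", "vlan600": "10.60.100.0/24",
             "vlan700": "10.70.100.0/24"}
WG_NET = "172.16.0.0/24"

def iface_for(addr):
    """Interface a packet to/from this address is seen on (assumed mapping)."""
    ip = ipaddress.ip_address(addr)
    if ip in ipaddress.ip_network(WG_NET):
        return "wireguard1"
    for name, net in VLAN_NETS.items():
        if ip in ipaddress.ip_network(net):
            return name
    return "ether1"  # anything else is reached via the WAN port

def forward_chain(accept_new):
    """The posted rules; accept_new toggles 'new' in the first rule."""
    states = {"established", "related", "untracked"} | ({"new"} if accept_new else set())
    return [
        ({"state": states}, "accept"),
        ({"state": {"invalid"}}, "drop"),
        ({"in_list": "LAN", "out_list": "WAN"}, "accept"),      # internet access
        ({"in_if": "wireguard1", "src": "172.16.0.2", "dst": "10.30.100.100"}, "accept"),
        ({"in_if": "wireguard1", "src": "172.16.0.3", "dst": "10.60.100.100"}, "accept"),
        ({"in_if": "wireguard1", "src": "172.16.0.4", "dst": "10.70.100.100"}, "accept"),
        ({}, "drop"),                                           # drop all else
    ]

def matches(match, pkt):
    checks = {
        "state": lambda v: pkt["state"] in v,
        "in_if": lambda v: pkt["in_if"] == v,
        "src": lambda v: pkt["src"] == v,
        "dst": lambda v: pkt["dst"] == v,
        "in_list": lambda v: pkt["in_if"].startswith("vlan"),  # LAN list = VLAN interfaces (assumed)
        "out_list": lambda v: pkt["out_if"] == "ether1",       # WAN list = ether1 (assumed)
    }
    return all(checks[k](v) for k, v in match.items())

def verdict(src, dst, accept_new):
    # Fate of the first packet of a new connection from src to dst.
    pkt = {"state": "new", "src": src, "dst": dst,
           "in_if": iface_for(src), "out_if": iface_for(dst)}
    for match, action in forward_chain(accept_new):
        if matches(match, pkt):
            return action
    return "accept"  # RouterOS default when no rule matches
```

Run `verdict("10.30.100.100", "10.70.100.150", True)` against `verdict(..., False)` to see the difference the single keyword makes.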
 
korg
Member Candidate
Topic Author
Posts: 141
Joined: Tue Apr 26, 2016 4:10 pm

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Sat Mar 23, 2024 9:49 pm

OK... I will check it with real devices, as I have two of them here... and will let you know...

Again great help! :)
 
korg
Member Candidate
Topic Author
Posts: 141
Joined: Tue Apr 26, 2016 4:10 pm

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Thu Mar 28, 2024 11:45 am

@anav: am I missing the WG interface IP address in the 354-Spine config?
/ip address
add address=10.10.100.254/24 interface=vlan100-corp network=10.10.100.0
add address=10.20.100.254/24 interface=vlan200-guests network=10.20.100.0
add address=10.30.100.254/24 interface=vlan300-cameras network=10.30.100.0
add address=10.50.100.254/24 interface=vlan500-dali network=10.50.100.0
add address=10.60.100.254/24 interface=vlan600-IoT1 network=10.60.100.0
add address=10.70.100.254/24 interface=vlan700-POS network=10.70.100.0
add address=10.80.100.254/24 interface=vlan800-IoT2 network=10.80.100.0
add address=10.99.99.254/24 interface=vlan999-mgmt network=10.99.99.0
add address=192.168.55.5/24 comment="spare mgmt port" interface=ether22 network=192.168.55.0
Something like: add address=172.16.0.254/24 interface=wireguard1 network=172.16.0.0

korg
 
korg
Member Candidate
Topic Author
Posts: 141
Joined: Tue Apr 26, 2016 4:10 pm

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Thu Mar 28, 2024 12:59 pm

And also routes for each VLAN?
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Thu Mar 28, 2024 4:03 pm

Yup too funny, good pickup......
add address=172.16.0.1/24 interface=wireguard1 network=172.16.0.0

VLANs don't need routes? They get routes when creating the VLAN (IP address).
Do you mean a route out the router.....
/ip route
add disabled=yes dst-address=0.0.0.0/0 gateway=10.0.0.1 routing-table=main
 
korg
Member Candidate
Topic Author
Posts: 141
Joined: Tue Apr 26, 2016 4:10 pm

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Fri Mar 29, 2024 1:19 pm

anav: Yup too funny, good pickup......
add address=172.16.0.1/24 interface=wireguard1 network=172.16.0.0
 
korg
Member Candidate
Topic Author
Posts: 141
Joined: Tue Apr 26, 2016 4:10 pm

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Fri Mar 29, 2024 1:34 pm

anav: Yup too funny, good pickup......
add address=172.16.0.1/24 interface=wireguard1 network=172.16.0.0

me: :) ... I was missing something :)

anav: VLANs don't need routes? They get routes when creating the VLAN (IP address).
Do you mean a route out the router.....
/ip route
add disabled=yes dst-address=0.0.0.0/0 gateway=10.0.0.1 routing-table=main
me: yes... I saw some YT how-tos where, even if you connect to the WG interface, you are able neither to ping nor to connect to the RW-X device itself unless you set up a route.

Why is the gateway 10.0.0.1?
Should it be
/ip route add disabled=no dst-address=10.30.100.0/24 gateway=wireguard1 (this is just an example for vlan300)
or am I wrong?

tx

korg
 
Amm0
Forum Guru
Posts: 3509
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Fri Mar 29, 2024 2:22 pm

And also routes for each VLAN?
@anav means when you add an IP address to a VLAN, it includes a prefix like /24. That is a subnet mask of 255.255.255.0. It will then automatically create a /24 "connected route" for that VLAN in /ip/route (marked with a "D"). A connected route means the router can use ARP on the interface to find the host to route to. This is why VLANs are fully routable by default, unless restricted by firewall or routing rules. See https://help.mikrotik.com/docs/display/ ... ctedRoutes

In WG, routing is somewhat determined by the allowed-address field. If it's 0.0.0.0/0, then all of the routes on router are available. But all WG traffic is subject to firewall, so allowed-address is just what the client is even allowed to try against the router, the firewall still enforces any VLAN restrictions.

You do need ONE default gateway on the router, e.g. 0.0.0.0/0 to the upstream ISP. But all VLANs that use the router's VLAN IP as their default gateway will then go out the router's default gateway. This is how IP routing works.
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard from MT to client (win10) with several users to several VLAN's

Fri Mar 29, 2024 3:21 pm

Sorry to confuse, the route I mentioned I thought was for the one going to your ISP.
It was not clear to me if you were using DEFAULT-ROUTE=YES in the IP DHCP client settings.
