WG site-to-site.
Both Mikrotik routers on ROS 7.14.2
Main Router A:
- WAN: 123.456.789.1
- LAN: 192.168.201.1/24
-- FW address-list for WAN is "RB5009" on both routers.
-- FW address-list for LAN is "RB5009-LAN" on both routers.
- WG: 192.168.202.1/30
Remote Router B:
- WAN: 123.456.789.2
- LAN: 192.168.88.1/24
-- FW address-list for WAN is "Crawford" on both routers.
-- FW address-list for LAN is "Crawford-LAN" on both routers.
- WG: 192.168.202.2/30
Both Routers A & B can reach each other's LAN through WireGuard (expected/intended).
Help is needed with the following:
1. Block traffic matching Router B's firewall list "wg-RB5009-out" from leaving via Router B's WAN.
2. Instead, route traffic matching Router B's firewall list "wg-RB5009-out" through WireGuard so it leaves via Router A's WAN.
Note: the firewall list "wg-RB5009-out" is not referenced by any rule yet.
Main Router A config:
# Router A: interfaces and global settings.
/interface bridge
add name="Lan Bridge"
/interface wireguard
# WireGuard listens on UDP 23231; the matching input accept rule is in /ip firewall filter.
add listen-port=23231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip firewall connection tracking
set loose-tcp-tracking=no tcp-established-timeout=1h
/ip settings
# rp-filter=loose: the reverse-path check only requires that the source be routable
# via some interface, not necessarily the one the packet arrived on.
set max-neighbor-entries=4096 rp-filter=loose
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=ether2 list=WAN
add interface="Lan Bridge" list=LAN
# wireguard1 is a LAN member: every firewall rule that matches in-interface-list=LAN
# (admin access, LAN_to_router, the "internet access" forward rule, the DNS redirects)
# also matches traffic arriving through the tunnel.
add interface=wireguard1 list=LAN
/interface wireguard peers
# allowed-address covers only Router B's LAN. Packets whose inner source is the
# tunnel address 192.168.202.2 itself fall outside this prefix and are discarded by
# WireGuard's cryptokey routing on this side — verify if router-to-router traffic
# over the tunnel addresses is expected.
add allowed-address=192.168.88.0/24 endpoint-address=123.456.789.2 endpoint-port=23231 interface=wireguard1 public-key="**********************="
/ip address
add address=192.168.201.1/24 interface="Lan Bridge" network=192.168.201.0
add address=192.168.202.1/30 interface=wireguard1 network=192.168.202.0
/ip firewall filter
# Input chain (traffic to the router itself). Rule order is significant: first match wins.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix=drop-invalid-input
add action=accept chain=input comment="defconf: accept to local loopback" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# in-interface-list=LAN includes wireguard1 (see /interface list member), so these three
# rules also admit traffic that arrives through the tunnel. The "admin" address-list is
# not part of this export.
add action=accept chain=input comment="admin access" in-interface-list=LAN src-address-list=admin
add action=accept chain=input comment="allow LAN_to_router access" in-interface-list=LAN src-address-list=RB5009-LAN
add action=accept chain=input comment="allow LAN_to_router access" in-interface-list=LAN log=yes log-prefix=Crawford-WG-In src-address-list=Crawford-LAN
# WireGuard handshake (UDP 23231) is accepted only from Router B's WAN address-list.
add action=accept chain=input comment="allow wireguard handshake for Crawford" dst-port=23231 protocol=udp src-address-list=Crawford
# log-prefix is set but log=yes is not, so dropped input is not actually logged.
add action=drop chain=input comment="drop all else" log-prefix=drop-input
# Forward chain. Fasttracked packets bypass the remaining filter and mangle rules, so
# the connection-mark rules in /ip firewall mangle only see the first packets of a flow.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix=drop-invalid
# Because wireguard1 is in the LAN list, traffic entering through the tunnel is already
# permitted to exit via WAN by this rule (relevant to item 2 of the question; the
# source translation is handled by the src-nat rule in /ip firewall nat).
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
# LAN-to-LAN across the tunnel, both directions.
add action=accept chain=forward dst-address-list=RB5009-LAN in-interface=wireguard1 src-address-list=Crawford-LAN
add action=accept chain=forward dst-address-list=Crawford-LAN out-interface=wireguard1 src-address-list=RB5009-LAN
add action=drop chain=forward comment="drop all else" log=yes log-prefix=drop-all-else
/ip firewall mangle
# Connection marks for traffic to/from Router B. These rules have no
# connection-state=new / connection-mark=no-mark match and use passthrough=yes, so
# every packet that reaches mangle (i.e. not fasttracked) re-applies the mark; Router B's
# export marks only new, unmarked connections. No visible rule consumes these marks,
# and log-prefix is set without log=yes, so nothing is logged.
add action=mark-connection chain=prerouting comment="Crawford - Connection Mark" in-interface-list=WAN log-prefix=Crawford-in new-connection-mark=Crawford-in passthrough=yes src-address-list=Crawford
add action=mark-connection chain=postrouting dst-address-list=Crawford log-prefix=Crawford-out new-connection-mark=Crawford-out out-interface-list=WAN passthrough=yes
add action=mark-connection chain=prerouting log-prefix=Crawford-LAN-in new-connection-mark=Crawford-LAN-in passthrough=yes src-address-list=Crawford-LAN
add action=mark-connection chain=postrouting dst-address-list=Crawford-LAN log-prefix=Crawford-LAN-out new-connection-mark=Crawford-LAN-out passthrough=yes
/ip firewall nat
# Source NAT applies to everything leaving via WAN regardless of source, so traffic
# forwarded from the tunnel out of WAN would also be translated to 123.456.789.1.
add action=src-nat chain=srcnat comment=Masquerade out-interface-list=WAN to-addresses=123.456.789.1
# in-interface-list=LAN includes wireguard1, so DNS queries arriving through the tunnel
# are redirected to this router's resolver as well.
add action=redirect chain=dstnat comment="Redirect DNS to Mikrotik DNS Server - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=redirect chain=dstnat comment="Redirect DNS to Mikrotik DNS Server - UDP" dst-port=53 in-interface-list=LAN protocol=udp
/ip route
# Router B's LAN is reachable via the tunnel.
add dst-address=192.168.88.0/24 gateway=wireguard1
Remote Router B config:
# Router B: interfaces and global settings.
/interface bridge
add name="Lan Bridge"
/interface wireguard
# WireGuard listens on UDP 23231; the matching input accept rule is in /ip firewall filter.
add listen-port=23231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip firewall connection tracking
set loose-tcp-tracking=no tcp-established-timeout=1h
/ip settings
# rp-filter=loose as on Router A; tcp-syncookies=yes is enabled here only.
set max-neighbor-entries=4096 rp-filter=loose tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=ether1 list=WAN
add interface="Lan Bridge" list=LAN
# wireguard1 is a LAN member: rules matching in-interface-list=LAN ("internet access",
# admin access, DNS redirects) also match traffic arriving from Router A through the tunnel.
add interface=wireguard1 list=LAN
/interface wireguard peers
# allowed-address covers only Router A's LAN. NOTE(review): for item 2 of the question
# (internet-bound traffic sent out through Router A), replies arrive through the tunnel
# with arbitrary source addresses and are discarded by WireGuard's cryptokey routing
# unless allowed-address also covers them (e.g. 0.0.0.0/0, paired with a policy route so
# that only the intended traffic uses the tunnel) — verify before relying on this path.
add allowed-address=192.168.201.0/24 endpoint-address=123.456.789.1 endpoint-port=23231 interface=wireguard1 public-key="***********************************************="
/ip address
add address=192.168.88.1/24 interface="Lan Bridge" network=192.168.88.0
add address=192.168.202.2/30 interface=wireguard1 network=192.168.202.0
/ip firewall filter
# Input chain. Rule order is significant: first match wins.
# WireGuard handshake (UDP 23231) from Router A's WAN address-list.
add action=accept chain=input comment="allow access for RB5009" dst-port=23231 protocol=udp src-address-list=RB5009
# NOTE(review): this rule accepts every protocol and port from the RB5009 list, not only
# the WireGuard port matched above, and it sits ahead of the drop-invalid rule. With
# rp-filter=loose the match is purely on source address. Check whether the handshake
# rule alone is sufficient.
add action=accept chain=input comment="allow access for RB5009" src-address-list=RB5009
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix=drop-invalid-input
add action=accept chain=input comment="defconf: accept to local loopback" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# in-interface-list=LAN includes wireguard1, so "admin" sources reaching the router through
# the tunnel are accepted as well. The "admin" address-list is not part of this export.
add action=accept chain=input comment="admin access" in-interface-list=LAN src-address-list=admin
# log-prefix is set but log=yes is not, so this rule does not log.
add action=accept chain=input comment="allow LAN_to_router traffic" in-interface-list=LAN log-prefix=LAN-to-Router src-address-list=Crawford-LAN
# Router A's LAN reaching this router is matched on the tunnel interface specifically.
add action=accept chain=input comment="allow LAN_to_router traffic" in-interface=wireguard1 log=yes log-prefix=RB5009-LAN src-address-list=RB5009-LAN
# log-prefix is set but log=yes is not, so dropped input is not actually logged.
add action=drop chain=input comment="drop all else" log-prefix=drop-input
# Forward chain. No rule in this export sets a packet-mark "Queue-list" (there is no
# mark-packet rule in mangle), so as shown the packet-mark match is always true;
# presumably it is set by queue configuration not included here — verify.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes packet-mark=!Queue-list
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix=drop-invalid
# Because wireguard1 is in the LAN list, traffic entering through the tunnel from
# Router A's side is also permitted to exit via this router's WAN.
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
# LAN-to-LAN across the tunnel, both directions.
add action=accept chain=forward dst-address-list=Crawford-LAN in-interface=wireguard1 src-address-list=RB5009-LAN
add action=accept chain=forward dst-address-list=RB5009-LAN out-interface=wireguard1 src-address-list=Crawford-LAN
# Logged with no prefix, unlike Router A's drop-all-else rule.
add action=drop chain=forward comment="drop all else" log=yes
/ip firewall mangle
# Connection marks for traffic to/from Router A, applied once per new, unmarked
# connection (passthrough=no). No visible rule consumes these marks. Connection marks
# alone do not change routing: there is no mark-routing rule or routing-table reference
# here, so item 2 of the question (sending "wg-RB5009-out" traffic via the tunnel) is
# not implemented by this section.
add action=mark-connection chain=prerouting comment="mark RB5009 connections" connection-mark=no-mark connection-state=new new-connection-mark=RB5009-in passthrough=no src-address-list=RB5009
add action=mark-connection chain=postrouting connection-mark=no-mark connection-state=new dst-address-list=RB5009 new-connection-mark=RB5009-out passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new new-connection-mark=RB5009-LAN-in passthrough=no src-address-list=RB5009-LAN
add action=mark-connection chain=postrouting connection-mark=no-mark connection-state=new dst-address-list=RB5009-LAN new-connection-mark=RB5009-LAN-out passthrough=no
/ip firewall nat
# Source NAT applies to everything leaving via WAN regardless of source address.
add action=src-nat chain=srcnat comment=Masquerade out-interface-list=WAN to-addresses=123.456.789.2
# in-interface-list=LAN includes wireguard1, so DNS queries arriving through the tunnel
# are redirected to this router's resolver as well.
add action=redirect chain=dstnat comment="Redirect DNS to Mikrotik DNS Server - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=redirect chain=dstnat comment="Redirect DNS to Mikrotik DNS Server - UDP" dst-port=53 in-interface-list=LAN protocol=udp
/ip route
# Router A's LAN is reachable via the tunnel. There is no route here that sends
# non-LAN (internet) destinations through wireguard1.
add dst-address=192.168.201.0/24 gateway=wireguard1