MikroTik App
 
MTNick
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 24, 2023 6:43 am

Redirect Router B to Router A through wireguard

Mon Apr 08, 2024 2:15 am

Greetings everyone. I need a little help redirecting a few devices in a firewall address list at a remote router through the main router's WAN using WireGuard. WireGuard is configured as site-to-site. LANs are accessible on both sides as intended. WireGuard connectivity is not the issue. Below are the details.

WG site-to-site.
Both Mikrotik routers on ROS 7.14.2

Main Router A:
- WAN: 123.456.789.1
- LAN: 192.168.201.1/24
-- FW address-list for WAN is "RB5009" on both routers.
-- FW address-list for LAN is "RB5009-LAN" on both routers.
- WG: 192.168.202.1/30

Remote Router B:
- WAN: 123.456.789.2
- LAN: 192.168.88.1/24
-- FW address-list for WAN is "Crawford" on both routers.
-- FW address-list for LAN is "Crawford-LAN" on both routers.
- WG: 192.168.202.2/30

Both Routers A & B can reach/communicate/access LAN to each network through wireguard (expected/intended).

What help is needed with:
1. Need to block Router B firewall list "wg-RB5009-out" from using Router B WAN.
2. Instead route Router B firewall list "wg-RB5009-out" through wireguard to Router A WAN.
Note: Firewall list "wg-RB5009-out" is not in any of the rules yet.

Main Router A config
/interface bridge
add name="Lan Bridge"
/interface wireguard
add listen-port=23231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip firewall connection tracking
set loose-tcp-tracking=no tcp-established-timeout=1h
/ip settings
set max-neighbor-entries=4096 rp-filter=loose
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=ether2 list=WAN
add interface="Lan Bridge" list=LAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=192.168.88.0/24 endpoint-address=123.456.789.2 endpoint-port=23231 interface=wireguard1 public-key="**********************="
/ip address
add address=192.168.201.1/24 interface="Lan Bridge" network=192.168.201.0
add address=192.168.202.1/30 interface=wireguard1 network=192.168.202.0
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix=drop-invalid-input
add action=accept chain=input comment="defconf: accept to local loopback" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="admin access" in-interface-list=LAN src-address-list=admin
add action=accept chain=input comment="allow LAN_to_router access" in-interface-list=LAN src-address-list=RB5009-LAN
add action=accept chain=input comment="allow LAN_to_router access" in-interface-list=LAN log=yes log-prefix=Crawford-WG-In src-address-list=Crawford-LAN
add action=accept chain=input comment="allow wireguard handshake for Crawford" dst-port=23231 protocol=udp src-address-list=Crawford
add action=drop chain=input comment="drop all else" log-prefix=drop-input
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix=drop-invalid
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=accept chain=forward dst-address-list=RB5009-LAN in-interface=wireguard1 src-address-list=Crawford-LAN
add action=accept chain=forward dst-address-list=Crawford-LAN out-interface=wireguard1 src-address-list=RB5009-LAN
add action=drop chain=forward comment="drop all else" log=yes log-prefix=drop-all-else
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Crawford - Connection Mark" in-interface-list=WAN log-prefix=Crawford-in new-connection-mark=Crawford-in passthrough=yes src-address-list=Crawford
add action=mark-connection chain=postrouting dst-address-list=Crawford log-prefix=Crawford-out new-connection-mark=Crawford-out out-interface-list=WAN passthrough=yes
add action=mark-connection chain=prerouting log-prefix=Crawford-LAN-in new-connection-mark=Crawford-LAN-in passthrough=yes src-address-list=Crawford-LAN
add action=mark-connection chain=postrouting dst-address-list=Crawford-LAN log-prefix=Crawford-LAN-out new-connection-mark=Crawford-LAN-out passthrough=yes
/ip firewall nat
add action=src-nat chain=srcnat comment=Masquerade out-interface-list=WAN to-addresses=123.456.789.1
add action=redirect chain=dstnat comment="Redirect DNS to Mikrotik DNS Server - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=redirect chain=dstnat comment="Redirect DNS to Mikrotik DNS Server - UDP" dst-port=53 in-interface-list=LAN protocol=udp
/ip route
add dst-address=192.168.88.0/24 gateway=wireguard1

Remote Router B config:
/interface bridge
add name="Lan Bridge"
/interface wireguard
add listen-port=23231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip firewall connection tracking
set loose-tcp-tracking=no tcp-established-timeout=1h
/ip settings
set max-neighbor-entries=4096 rp-filter=loose tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=ether1 list=WAN
add interface="Lan Bridge" list=LAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=192.168.201.0/24 endpoint-address=123.456.789.1 endpoint-port=23231 interface=wireguard1 public-key="***********************************************="
/ip address
add address=192.168.88.1/24 interface="Lan Bridge" network=192.168.88.0
add address=192.168.202.2/30 interface=wireguard1 network=192.168.202.0
/ip firewall filter
add action=accept chain=input comment="allow access for RB5009" dst-port=23231 protocol=udp src-address-list=RB5009
add action=accept chain=input comment="allow access for RB5009" src-address-list=RB5009
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix=drop-invalid-input
add action=accept chain=input comment="defconf: accept to local loopback" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="admin access" in-interface-list=LAN src-address-list=admin
add action=accept chain=input comment="allow LAN_to_router traffic" in-interface-list=LAN log-prefix=LAN-to-Router src-address-list=Crawford-LAN
add action=accept chain=input comment="allow LAN_to_router traffic" in-interface=wireguard1 log=yes log-prefix=RB5009-LAN src-address-list=RB5009-LAN
add action=drop chain=input comment="drop all else" log-prefix=drop-input
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes packet-mark=!Queue-list
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix=drop-invalid
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=accept chain=forward dst-address-list=Crawford-LAN in-interface=wireguard1 src-address-list=RB5009-LAN
add action=accept chain=forward dst-address-list=RB5009-LAN out-interface=wireguard1 src-address-list=Crawford-LAN
add action=drop chain=forward comment="drop all else" log=yes
/ip firewall mangle
add action=mark-connection chain=prerouting comment="mark RB5009 connections" connection-mark=no-mark connection-state=new new-connection-mark=RB5009-in passthrough=no src-address-list=RB5009
add action=mark-connection chain=postrouting connection-mark=no-mark connection-state=new dst-address-list=RB5009 new-connection-mark=RB5009-out passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new new-connection-mark=RB5009-LAN-in passthrough=no src-address-list=RB5009-LAN
add action=mark-connection chain=postrouting connection-mark=no-mark connection-state=new dst-address-list=RB5009-LAN new-connection-mark=RB5009-LAN-out passthrough=no
/ip firewall nat
add action=src-nat chain=srcnat comment=Masquerade out-interface-list=WAN to-addresses=123.456.789.2
add action=redirect chain=dstnat comment="Redirect DNS to Mikrotik DNS Server - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=redirect chain=dstnat comment="Redirect DNS to Mikrotik DNS Server - UDP" dst-port=53 in-interface-list=LAN protocol=udp
/ip route
add dst-address=192.168.201.0/24 gateway=wireguard1
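The policy-routing piece the question asks for, as an added example that is not the poster's config and not from the MikroTik documentation. It assumes 192.168.88.5 is a member of "wg-RB5009-out" (the host named later in the thread), and it introduces its own names for the routing table (via-RB5009), the helper address list (local-nets) and the connection mark (wg-RB5009-out); the forward-chain comments it places rules against ("internet access", "drop all else") are the ones in the Router B config above.

```routeros
# --- Router B (Crawford, hEX): steer "wg-RB5009-out" hosts through the tunnel ---
# Constructed sample member of the list (192.168.88.5 is the host named in the thread).
/ip firewall address-list
add list=wg-RB5009-out address=192.168.88.5 comment="must exit via Router A WAN"
# Destinations that must keep using the main table: both LANs and the tunnel /30.
add list=local-nets address=192.168.88.0/24
add list=local-nets address=192.168.201.0/24
add list=local-nets address=192.168.202.0/30

# Separate FIB table whose only route is a default via the tunnel.
/routing table
add name=via-RB5009 fib
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=via-RB5009 comment="default via Router A"

# Mark the connection once, then set the routing mark on every packet of it that
# originates from a listed host; replies toward the LAN keep the main table.
/ip firewall mangle
add chain=prerouting connection-state=new src-address-list=wg-RB5009-out dst-address-list=!local-nets \
    action=mark-connection new-connection-mark=wg-RB5009-out passthrough=yes comment="wg-RB5009-out conn"
add chain=prerouting connection-mark=wg-RB5009-out src-address-list=wg-RB5009-out \
    action=mark-routing new-routing-mark=via-RB5009 passthrough=no comment="wg-RB5009-out route"

# Fasttracked packets bypass mangle, so these connections must be excluded from fasttrack
# or the routing mark is silently lost after the first packets of each connection.
/ip firewall filter
set [find chain=forward action=fasttrack-connection] connection-mark=!wg-RB5009-out
# Hard stop: even if a mark is missed, listed hosts never leave through Router B's own WAN.
add chain=forward src-address-list=wg-RB5009-out out-interface-list=WAN action=drop log=yes \
    log-prefix=wg-out-leak comment="block wg-RB5009-out from local WAN" \
    place-before=[find chain=forward comment="internet access"]
add chain=forward src-address-list=wg-RB5009-out out-interface=wireguard1 action=accept \
    comment="wg-RB5009-out into tunnel" place-before=[find chain=forward comment="drop all else"]

# Replies arrive through the tunnel from arbitrary Internet sources; WireGuard's cryptokey
# routing drops inbound packets whose source is outside allowed-address, so 0.0.0.0/0 is needed.
/interface wireguard peers
set [find interface=wireguard1] allowed-address=192.168.202.1/32,192.168.201.0/24,0.0.0.0/0

# --- Router A (RB5009) ---
# wireguard1 is already in Router A's LAN interface list, so the existing "internet access"
# forward rule (LAN -> WAN) and the src-nat rule on out-interface-list=WAN already carry this
# traffic, and the peer's allowed-address already contains 192.168.88.0/24. Verify only:
/ip firewall filter print where chain=forward comment="internet access"
/interface wireguard peers print where interface=wireguard1
```

After applying, check `/ip firewall mangle print stats` on Router B to confirm both marks count packets, and that a lookup from 192.168.88.5 is still answered by the router's DNS redirect; any hit on the `wg-out-leak` log prefix means a packet reached the WAN without its routing mark and the mangle rules need a second look.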
 
anav
Forum Guru
Posts: 19610
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Redirect Router B to Router A through wireguard

Mon Apr 08, 2024 2:55 am

Your explanation makes little sense, especially these lines, and because you don't provide a complete config it is hard to figure out.

-- FW address-list for WAN is "RB5009" on both routers.
-- FW address-list for LAN is "RB5009-LAN" on both routers.

-- FW address-list for WAN is "Crawford" on both routers.
-- FW address-list for LAN is "Crawford-LAN" on both routers.

How can they be on both routers??
Do you mean there are four routers, but only showing two configs?

+++++++++++++++++++++++++++++++++++++++++++++++++++++

Your WireGuard setup is too confusing. You only need endpoint and endpoint port at one end (the peer acting as client for the handshake), and that peer also needs to have persistent-keepalive set.
The setup is not correct despite the belief that it is. There is no need for both input chain rules to allow traffic to the same port.

Hence, I will wait for a network diagram and actual full configs for both (or four) routers (less actual WAN IP info, router serial number, any keys etc.).
 
MTNick
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 24, 2023 6:43 am

Re: Redirect Router B to Router A through wireguard

Mon Apr 08, 2024 3:57 am

Anav, adjusted. Hope this clears it up

Main Router A:
- WAN: 123.456.789.1 (made up WAN IP)
-- FW address-list for WAN is "RB5009" on both routers. (there is a firewall address list on both routers, A & B, that has Router A's WAN address, named RB5009)
- LAN: 192.168.201.1/24
-- FW address-list for LAN is "RB5009-LAN" on both routers. (there is a firewall address list on both routers, A & B, that has Router A's LAN address, named RB5009-LAN)
- WG: 192.168.202.1/30

Remote Router B:
- WAN: 123.456.789.2 (made up WAN IP)
-- FW address-list for WAN is "Crawford" on both routers. (there is a firewall address list on both routers, B & A, that has Router B's WAN address, named Crawford)
- LAN: 192.168.88.1/24
-- FW address-list for LAN is "Crawford-LAN" on both routers. (there is a firewall address list on both routers, B & A, that has Router B's LAN address, named Crawford-LAN)
- WG: 192.168.202.2/30

BTW, I used MikroTik's website to configure WireGuard and the firewall rules for WireGuard, here: https://help.mikrotik.com/docs/display/ROS/WireGuard On the website it states that endpoint is needed at both sites.

Main Router A
/interface bridge
add name="Lan Bridge"
/interface wireguard
add listen-port=23231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add comment="Main Pool" name=LAN ranges=192.168.201.20-192.168.201.80
/ip dhcp-server
add address-pool=LAN interface="Lan Bridge" name=dhcp1
/interface bridge port
add bridge="Lan Bridge" interface=ether1
add bridge="Lan Bridge" interface=ether3
add bridge="Lan Bridge" interface=ether4
add bridge="Lan Bridge" interface=ether5
add bridge="Lan Bridge" interface=ether6
add bridge="Lan Bridge" interface=ether7
add bridge="Lan Bridge" interface=ether8
/ip firewall connection tracking
set loose-tcp-tracking=no tcp-established-timeout=1h
/ip settings
set max-neighbor-entries=4096 rp-filter=loose
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=ether2 list=WAN
add interface="Lan Bridge" list=LAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=192.168.88.0/24 endpoint-address=123.456.789.2 endpoint-port=23231 interface=wireguard1 public-key="**********************="
/ip address
add address=192.168.201.1/24 interface="Lan Bridge" network=192.168.201.0
add address=192.168.202.1/30 interface=wireguard1 network=192.168.202.0
/ip dhcp-client
add interface=ether2 script=":if (\$bound=1) do={\r\
    \n:local gw \$\"gateway-address\"\r\
    \n/ip firewall address-list set [find where comment=\"AT&T ISP\"] address=\
    \$\"lease-address\"\r\
    \n/ip firewall nat set [find comment=\"Masquerade\"] to-addresses=\$\"leas\
    e-address\"\r\
    \n}" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.201.0/24 dns-server=192.168.201.1 gateway=192.168.201.1 ntp-server=192.168.201.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.2,1.1.1.1,1.0.0.2,8.8.8.8
/ip firewall address-list
add address=123.456.789.2 list=Crawford
add address=192.168.88.0/24 list=Crawford-LAN
add address=123.456.789.1 comment="AT&T ISP" list=RB5009
add address=192.168.201.0/24 list=RB5009-LAN
add address=192.168.201.101-192.168.201.105 list=admin
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix=drop-invalid-input
add action=accept chain=input comment="defconf: accept to local loopback" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="admin access" in-interface-list=LAN src-address-list=admin
add action=accept chain=input comment="allow LAN_to_router access" in-interface-list=LAN src-address-list=RB5009-LAN
add action=accept chain=input comment="allow LAN_to_router access" in-interface-list=LAN log=yes log-prefix=Crawford-WG-In src-address-list=Crawford-LAN
add action=accept chain=input comment="allow wireguard handshake for Crawford" dst-port=23231 protocol=udp src-address-list=Crawford
add action=drop chain=input comment="drop all else" log-prefix=drop-input
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix=drop-invalid
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=accept chain=forward dst-address-list=RB5009-LAN in-interface=wireguard1 src-address-list=Crawford-LAN
add action=accept chain=forward dst-address-list=Crawford-LAN out-interface=wireguard1 src-address-list=RB5009-LAN
add action=drop chain=forward comment="drop all else" log=yes log-prefix=drop-all-else
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Crawford - Connection Mark" in-interface-list=WAN log-prefix=Crawford-in new-connection-mark=Crawford-in passthrough=yes src-address-list=Crawford
add action=mark-connection chain=postrouting dst-address-list=Crawford log-prefix=Crawford-out new-connection-mark=Crawford-out out-interface-list=WAN passthrough=yes
add action=mark-connection chain=prerouting log-prefix=Crawford-LAN-in new-connection-mark=Crawford-LAN-in passthrough=yes src-address-list=Crawford-LAN
add action=mark-connection chain=postrouting dst-address-list=Crawford-LAN log-prefix=Crawford-LAN-out new-connection-mark=Crawford-LAN-out passthrough=yes
/ip firewall nat
add action=src-nat chain=srcnat comment=Masquerade out-interface-list=WAN to-addresses=123.456.789.1
add action=redirect chain=dstnat comment="Redirect DNS to Mikrotik DNS Server - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=redirect chain=dstnat comment="Redirect DNS to Mikrotik DNS Server - UDP" dst-port=53 in-interface-list=LAN protocol=udp
/ip route
add dst-address=192.168.88.0/24 gateway=wireguard1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/routing rule
add action=unreachable dst-address=10.0.0.0/8
add action=unreachable dst-address=169.254.0.0/16
add action=unreachable dst-address=172.16.0.0/12
add action=unreachable dst-address=192.0.0.0/24
add action=unreachable dst-address=192.0.2.0/24
add action=unreachable dst-address=192.88.99.0/24
add action=unreachable dst-address=198.18.0.0/15
add action=unreachable dst-address=198.51.100.0/24
add action=unreachable dst-address=203.0.113.0/24
add action=unreachable dst-address=233.252.0.0/24
add action=unreachable dst-address=240.0.0.0/5
add action=unreachable dst-address=248.0.0.0/6
add action=unreachable dst-address=252.0.0.0/7
add action=unreachable dst-address=254.0.0.0/8
/system clock
set time-zone-name=America/New_York
/system identity
set name=RB5009
/system logging
add disabled=yes topics=dns
add disabled=yes topics=wireguard
add action=email disabled=yes topics=warning
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes broadcast-addresses=192.168.201.255 enabled=yes multicast=yes
/system ntp client servers
add address=time.cloudflare.com
add address=0.north-america.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes

Remote Router B:
/interface bridge
add name="Lan Bridge"
/interface wireguard
add listen-port=23231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add comment="Lan Bridge" name=LAN ranges=192.168.88.20-192.168.88.150
/ip dhcp-server
add address-pool=LAN interface="Lan Bridge" name=dhcp1
/interface bridge port
add bridge="Lan Bridge" interface=ether2
add bridge="Lan Bridge" interface=ether3
add bridge="Lan Bridge" interface=ether4
add bridge="Lan Bridge" interface=ether5
/ip firewall connection tracking
set loose-tcp-tracking=no tcp-established-timeout=1h
/ip settings
set max-neighbor-entries=4096 rp-filter=loose tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=ether1 list=WAN
add interface="Lan Bridge" list=LAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=192.168.201.0/24 endpoint-address=123.456.789.1 endpoint-port=23231 interface=wireguard1 public-key="***********************************************="
/ip address
add address=192.168.88.1/24 interface="Lan Bridge" network=192.168.88.0
add address=192.168.202.2/30 interface=wireguard1 network=192.168.202.0
/ip dhcp-client
add interface=ether1 script=":if (\$bound=1) do={\r\
    \n:local gw \$\"gateway-address\"\r\
    \n/ip firewall address-list set [find where comment=\"ISP1\"] address=\$\"\
    lease-address\"\r\
    \n/ip firewall nat set [find where comment=\"Masquerade\"] to-addresses=\$\
    \"lease-address\"\r\
    \n}" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 ntp-server=192.168.201.1
/ip dns
set allow-remote-requests=yes max-concurrent-tcp-sessions=30 servers=76.76.2.2,76.76.10.2,1.1.1.2 use-doh-server=https://freedns.controld.com/p2 verify-doh-cert=yes
/ip dns static
add address=76.76.2.11 match-subdomain=yes name=https://freedns.controld.com/p2
/ip firewall address-list
add address=123.456.789.2 comment=ISP1 list=Crawford
add address=192.168.88.0/24 list=Crawford-LAN
add address=123.456.789.1 list=RB5009
add address=192.168.201.0/24 list=RB5009-LAN
add address=192.168.88.151-192.168.88.155 list=admin
/ip firewall filter
add action=accept chain=input comment="allow access for RB5009" dst-port=23231 protocol=udp src-address-list=RB5009
add action=accept chain=input comment="allow access for RB5009" src-address-list=RB5009
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix=drop-invalid-input
add action=accept chain=input comment="defconf: accept to local loopback" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="admin access" in-interface-list=LAN src-address-list=admin
add action=accept chain=input comment="allow LAN_to_router traffic" in-interface-list=LAN log-prefix=LAN-to-Router src-address-list=Crawford-LAN
add action=accept chain=input comment="allow LAN_to_router traffic" in-interface=wireguard1 log=yes log-prefix=RB5009-LAN src-address-list=RB5009-LAN
add action=drop chain=input comment="drop all else" log-prefix=drop-input
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes packet-mark=!Queue-list
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix=drop-invalid
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=accept chain=forward dst-address-list=Crawford-LAN in-interface=wireguard1 src-address-list=RB5009-LAN
add action=accept chain=forward dst-address-list=RB5009-LAN out-interface=wireguard1 src-address-list=Crawford-LAN
add action=drop chain=forward comment="drop all else" log=yes
/ip firewall mangle
add action=mark-connection chain=prerouting comment="mark RB5009 connections" connection-mark=no-mark connection-state=new new-connection-mark=RB5009-in passthrough=no src-address-list=RB5009
add action=mark-connection chain=postrouting connection-mark=no-mark connection-state=new dst-address-list=RB5009 new-connection-mark=RB5009-out passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new new-connection-mark=RB5009-LAN-in passthrough=no src-address-list=RB5009-LAN
add action=mark-connection chain=postrouting connection-mark=no-mark connection-state=new dst-address-list=RB5009-LAN new-connection-mark=RB5009-LAN-out passthrough=no
/ip firewall nat
add action=src-nat chain=srcnat comment=Masquerade out-interface-list=WAN to-addresses=123.456.789.2
add action=redirect chain=dstnat comment="Redirect DNS to Mikrotik DNS Server - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=redirect chain=dstnat comment="Redirect DNS to Mikrotik DNS Server - UDP" dst-port=53 in-interface-list=LAN protocol=udp
/ip route
add dst-address=192.168.201.0/24 gateway=wireguard1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing rule
add action=unreachable dst-address=10.0.0.0/8
add action=unreachable dst-address=169.254.0.0/16
add action=unreachable dst-address=172.16.0.0/12
add action=unreachable dst-address=192.0.0.0/24
add action=unreachable dst-address=192.0.2.0/24
add action=unreachable dst-address=192.88.99.0/24
add action=unreachable dst-address=198.18.0.0/15
add action=unreachable dst-address=198.51.100.0/24
add action=unreachable dst-address=203.0.113.0/24
add action=unreachable dst-address=233.252.0.0/24
add action=unreachable dst-address=240.0.0.0/5
add action=unreachable dst-address=248.0.0.0/6
add action=unreachable dst-address=252.0.0.0/7
add action=unreachable dst-address=254.0.0.0/8
/system identity
set name=Crawford-hEX
/system logging
add disabled=yes topics=dns
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes broadcast-addresses=192.168.88.255 enabled=yes multicast=yes
/system ntp client servers
add address=162.159.200.123
add address=162.159.200.1
add address=198.71.50.75
add address=64.6.144.6
/system routerboard settings
set auto-upgrade=yes
 
anav
Forum Guru
Posts: 19610
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Redirect Router B to Router A through wireguard

Mon Apr 08, 2024 3:19 pm

Which WAN, A or B, has a public IP, static or dynamic, that is reachable?
If neither does, does one of them have an upstream ISP router that you can forward a port on?
If both have a publicly reachable IP, which one do you want to act as initiation peer (client for handshake) and which one do you want to be the recipient peer (server for handshake)?
 
MTNick
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 24, 2023 6:43 am

Re: Redirect Router B to Router A through wireguard

Mon Apr 08, 2024 3:37 pm

Which WAN, A or B, has a public IP, static or dynamic, that is reachable?
If neither does, does one of them have an upstream ISP router that you can forward a port on?
If both have a publicly reachable IP, which one do you want to act as initiation peer (client for handshake) and which one do you want to be the recipient peer (server for handshake)?

Routers A & B have dynamic public IPs that are reachable.
Main Router A is the main router.
Remote Router B is a client of Router A.
Routers A & B should be able to communicate with/access each other's devices on the network (which they do already).
192.168.88.5 should use Router A's ISP for internet via WireGuard.

Not much of a diagram but I attempted it
Screen Shot 2024-04-08 at 6.15.03 PM copy.png
 
llamajaja
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: Redirect Router B to Router A through wireguard

Tue Apr 09, 2024 10:27 pm

Router A:

Modify Allowed IPs so looks like:
/interface wireguard peers
add allowed-address=192.168.202.2/32,192.168.88.0/24 interface=wireguard1 public-key="**********************="


/ip dns
set allow-remote-requests=yes servers=1.1.1.2,1.1.1.1,1.0.0.2,8.8.8.8

/ip firewall filter
add action=accept chain=input comment="allow LAN_to_router access" in-interface-list=LAN src-address-list=RB5009-LAN
WHY? The whole reason for using WireGuard is to safely access the router. The rule above bypasses WireGuard and is a direct and potentially dangerous connection!
What you need to do is allow WireGuard access for the remote user who is an admin, be it their WireGuard from home OR the local IP at the remote router B!
We do not want every user from the LAN on router B to be able to access the input chain either!!!

add action=accept chain=input comment="allow LAN_to_router access" in-interface-list=LAN log=yes log-prefix=Crawford-WG-In src-address-list=Crawford-LAN

add action=accept chain=input comment="allow wireguard handshake for Crawford" dst-port=23231 protocol=udp src-address-list=Crawford
FINE BUT LIMITING. Let's say you as admin are in a hotel room on your laptop, or in the cafe on your smartphone, and need to reach the router. You cannot, and can only reach Router A (or Router B, for that matter) if physically behind Router B. Limiting!!



What you need is an admin access list to access the input chain; make sure any remote LAN IPs needed are added to the list, and any WireGuard remote devices that the admin uses.


These are okay: you are allowing the remote LAN to access the local LAN, and allowing the local LAN to enter the tunnel!!
add action=accept chain=forward dst-address-list=RB5009-LAN in-interface=wireguard1 src-address-list=Crawford-LAN
add action=accept chain=forward dst-address-list=Crawford-LAN out-interface=wireguard1 src-address-list=RB5009-LAN



WHY are you mangling??????
/ip firewall mangle


SRCNAT RULE comment is WRONG, not masquerade LOL
ALSO WHY are you redirecting in dstnat?? Purpose???
/ip firewall nat
add action=src-nat chain=srcnat comment=Masquerade out-interface-list=WAN to-addresses=123.456.789.1
add action=redirect chain=dstnat comment="Redirect DNS to Mikrotik DNS Server - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=redirect chain=dstnat comment="Redirect DNS to Mikrotik DNS Server - UDP" dst-port=53 in-interface-list=LAN protocol=udp

GOOD
/ip route
add dst-address=192.168.88.0/24 gateway=wireguard1
 
llamajaja
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: Redirect Router B to Router A through wireguard

Tue Apr 09, 2024 10:33 pm

Router B.

Missing two things:
/interface wireguard peers
add allowed-address=192.168.202.0/24,192.168.201.0/24 endpoint-address=123.456.789.1 endpoint-port=23231 interface=wireguard1 persistent-keepalive=35s public-key="***********************************************="

have to move on, but probably similar firewall, mangle issues.....
 
MTNick
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 24, 2023 6:43 am

Re: Redirect Router B to Router A through wireguard

Wed Apr 10, 2024 12:54 am

Router B.

Missing two things:
/interface wireguard peers
add allowed-address=192.168.202.0/24,192.168.201.0/24 endpoint-address=123.456.789.1 endpoint-port=23231 interface=wireguard1 persistent-keepalive=35s public-key="***********************************************="

have to move on, but probably similar firewall, mangle issues.....

Greetings llamajaja

I made the WireGuard changes as you suggested. Below that are answers to your questions/concerns.
# 2024-04-09 17:31:25 by RouterOS 7.14.2
# software id = ******
#
# model = RB5009UG+S+
# serial number = ******
/interface wireguard peers
add allowed-address=192.168.202.2/32,192.168.88.0/24 endpoint-address=\
    123.456.789.2 endpoint-port=23231 interface=wireguard1 public-key=\
    "******************************"


Router B:
# 2024-04-09 17:34:40 by RouterOS 7.14.2
# software id = ******
#
# model = RB750Gr3
# serial number = ****
/interface wireguard peers
add allowed-address=192.168.202.1/32,192.168.201.0/24 endpoint-address=\
    123.456.789.1 endpoint-port=23231 interface=wireguard1 \
    persistent-keepalive=35s public-key=\
    "**************"
    

/ip firewall filter
add action=accept chain=input comment="allow LAN_to_router access" in-interface-list=LAN src-address-list=RB5009-LAN
WHY? The whole reason for using WireGuard is to safely access the router. The rule above bypasses WireGuard and is a direct and potentially dangerous connection!
The reason for this is that the RB5009 (Router A) is my home local router. My home router is the WireGuard host.

We do not want every user from the LAN on router B to be able to access the input chain either!!!
add action=accept chain=input comment="allow LAN_to_router access" in-interface-list=LAN log=yes log-prefix=Crawford-WG-In src-address-list=Crawford-LAN
The reason for this is for testing. Crawford (Router B) is a trusted source. But I agree; my plan is to lock it down once everything is complete.

add action=accept chain=input comment="allow wireguard handshake for Crawford" dst-port=23231 protocol=udp src-address-list=Crawford
FINE BUT LIMITING, lets say you as admin or in a hotel room on your laptop or in the cafe on your smartphone and need to reach the router. You cannot, and can only reach RouterA, or Router for that matter if physically behind Router B................. limiting!!
At this time, it is the only wireguard I have going & need. This is intentional for now.

WHY are you mangling??????
/ip firewall mangle
LOL. For testing & making sure traffic is flowing. Mangle rules will be removed once everything is setup.

SRCNAT RULE comment is WRONG, not masquerade LOL
ALSO WHY are you redirecting dstnat ?? purpose ???
/ip firewall nat
add action=src-nat chain=srcnat comment=Masquerade out-interface-list=WAN to-addresses=123.456.789.1
add action=redirect chain=dstnat comment="Redirect DNS to Mikrotik DNS Server - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=redirect chain=dstnat comment="Redirect DNS to Mikrotik DNS Server - UDP" dst-port=53 in-interface-list=LAN protocol=udp
The comment is wrong. It used to be masquerade until I added a script in dhcp-client to update this rule's "to-address" when the dhcp lease address changes, to allow me to use src-nat instead of masquerade. It's found by comment, which I haven't changed yet. The redirects are in place to redirect any DNS requests to the Mikrotik. If a local user, or device, has hard DNS set, the Mikrotik will answer it instead of reaching out to the internet.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19610
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Redirect Router B to Router A through wireguard

Wed Apr 10, 2024 1:17 am

Understood, but for me adding extra rules like mangling can interfere with testing other things, especially if you have errors in the mangle (compounding), not that there is, just sayin'.

Your first attempt at correction isn't right on both accounts......... attention to detail please!!!

Router A.
What I said..............
Modify Allowed IPs so looks like:
/interface wireguard peers
add allowed-address=192.168.202.2/32,192.168.88.0/24 interface=wireguard1 public-key="**********************="


What you have......... remove the extra stuff in orange.
/interface wireguard peers
add allowed-address=192.168.202.2/32,192.168.88.0/24 endpoint-address=\
123.456.789.2 endpoint-port=23231
interface=wireguard1 public-key=\

Router B

What I said..............
Modify Allowed IPs so looks like:
/interface wireguard peers
add allowed-address=192.168.202.0/24,192.168.201.0/24 endpoint-address=123.456.789.1 endpoint-port=23231 interface=wireguard1 public-key="***********************************************=" persistent-keepalive=35s


What you have...... modify the orange its wrong....
/interface wireguard peers
add allowed-address=192.168.202.1/32,192.168.201.0/24 endpoint-address=\
123.456.789.1 endpoint-port=23231 interface=wireguard1 \
persistent-keepalive=35s public-key=\
"**************"
 
MTNick
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 24, 2023 6:43 am

Re: Redirect Router B to Router A through wireguard

Wed Apr 10, 2024 2:07 am

Understood, but for me adding extra rules like mangling can interfere with testing other things, especially if you have errors in the mangle (compounding), not that there is, just sayin'.

Your first attempt at correction isn't right on both accounts......... attention to detail please!!!

Greetings anav. I made the changes you suggested. Good news, I still have access lol.
# 2024-04-09 19:01:05 by RouterOS 7.14.2
# software id = *******
#
# model = RB5009UG+S+
# serial number = ************
/interface wireguard peers
add allowed-address=192.168.202.2/32,192.168.88.0/24 interface=wireguard1 \
    public-key="************************"



Router B:
# 2024-04-09 19:00:31 by RouterOS 7.14.2
# software id = *****
#
# model = RB750Gr3
# serial number = *******
/interface wireguard peers
add allowed-address=192.168.202.0/24,192.168.201.0/24 endpoint-address=\
    123.456.789.1 endpoint-port=23231 interface=wireguard1 \
    persistent-keepalive=35s public-key=\
    "********************************"
    
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19610
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Redirect Router B to Router A through wireguard

Wed Apr 10, 2024 2:20 am

Yee of little faith LOL.

Now the next step is ensuring LAN from Router B goes out the WAN of Router A for internet (via the wireguard tunnel)??
 
MTNick
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 24, 2023 6:43 am

Re: Redirect Router B to Router A through wireguard

Wed Apr 10, 2024 2:37 am

Yee of little faith LOL.

Now the next step is ensuring LAN from Router B goes out the WAN of Router A for internet (via the wireguard tunnel)??
Yes, that's correct, but only for a single device 192.168.88.5. The rest of Router B devices/subnet to use Router B's internet.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19610
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Redirect Router B to Router A through wireguard  [SOLVED]

Wed Apr 10, 2024 3:00 am

The big change on Router B seeing as you want internet access but out Router A is changing Allowed IPs...........
Many other small changes............... read line by line
Simplified firewall rules!!!!
For single subnets avoid interface lists............ in general.
interface bridge
add name="Lan Bridge"
/interface wireguard
add listen-port=23231 mtu=1420 name=wireguardB
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add comment="Lan Bridge" name=LAN ranges=192.168.88.20-192.168.88.150
/routing table
add fib name=useWG
/ip dhcp-server
add address-pool=LAN interface="Lan Bridge" name=dhcp1
/interface bridge port
add bridge="Lan Bridge" interface=ether2
add bridge="Lan Bridge" interface=ether3
add bridge="Lan Bridge" interface=ether4
add bridge="Lan Bridge" interface=ether5
/ip firewall connection tracking
set loose-tcp-tracking=no tcp-established-timeout=1h
/ip settings
set max-neighbor-entries=4096 rp-filter=loose tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=ether1 list=WAN
add interface="Lan Bridge" list=LAN
add interface=wireguardB list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0   endpoint-address=123.456.789.1 endpoint-port=23231 \
    interface=wireguard1 public-key="***********************************************="  persistent-keepalive=35sec
/ip address
add address=192.168.88.1/24 interface="Lan Bridge" network=192.168.88.0
add address=192.168.202.2/30 interface=wireguardB network=192.168.202.0
/ip dhcp-client
add interface=ether1 script=":if (\$bound=1) do={\r\
    \n:local gw \$\"gateway-address\"\r\
    \n/ip firewall address-list set [find where comment=\"ISP1\"] address=\$\"\
    lease-address\"\r\
    \n/ip firewall nat set [find where comment=\"Masquerade\"] to-addresses=\$\
    \"lease-address\"\r\
    \n}" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 ntp-server=192.168.201.1
/ip dns
set allow-remote-requests=yes max-concurrent-tcp-sessions=30 servers=76.76.2.2,76.76.10.2,1.1.1.2 use-doh-server=https://freedns.controld.com/p2 verify-doh-cert=yes
/ip dns static
add address=76.76.2.11 match-subdomain=yes name=https://freedns.controld.com/p2
/ip firewall address-list  { Use static set DHCP leases mostly }
add address=192.168.88.151/32  list=Authorized comment="admindDesktop" 
add address=192.168.88.152/32  list=Authorized comment="admin laptop"
add address=192.168.201.X/32 list=Authorized comment="admin when at router A"
add address=192.168.202.Y/32 list=Authorized comment="remote admin"  { laptop or smartphone ) when  you expand wireguard  }
add address=192.168.88.5/32 list=Excluded comment="LANIP going out wireguard for internet on router A"
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix=drop-invalid-input
add action=accept chain=input comment="defconf: accept to local loopback" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="allow admin access for Config"  src-address-list=Authorized
add action=accept chain=input comment="LAN access to DNS/NTP services"  dst-port=53,123 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="LAN access to DNS services"  dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="drop all else" log-prefix=drop-input
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes packet-mark=!Queue-list
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix=drop-invalid
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=accept chain=forward comment="allow remote subnet to local subnet" in-interface=wireguardB dst-address=192.168.88.0/24 src-address=192.168.201.0/24
add action=accept chain=forward comment="allow local subnet enter tunnel" out-interface=wireguardB src-address=192.168.88.0/24
add action=drop chain=forward comment="drop all else" log=yes
/ip firewall nat
add action=src-nat chain=srcnat  out-interface-list=WAN to-addresses=123.456.789.2
add action=redirect chain=dstnat comment="Redirect DNS to Mikrotik DNS Server - TCP" dst-port=53 in-interface-list=LAN protocol=tcp src-address-list=!Excluded
add action=redirect chain=dstnat comment="Redirect DNS to Mikrotik DNS Server - UDP" dst-port=53 in-interface-list=LAN protocol=udp src-address-list=!Excluded
/ip route
add dst-address=192.168.201.0/24 gateway=wireguard1 routing-table=main
add dst-address=0.0.0.0/0 gateway=wireguardB routing-table=useWG
/routing rule
add src-address=192.168.88.5  action=lookup-only-in-table  table=useWG  { if WG is down, no internet traffic for 192.168.88.5 }
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing rule
add action=unreachable dst-address=10.0.0.0/8
add action=unreachable dst-address=169.254.0.0/16
add action=unreachable dst-address=172.16.0.0/12
add action=unreachable dst-address=192.0.0.0/24
add action=unreachable dst-address=192.0.2.0/24
add action=unreachable dst-address=192.88.99.0/24
add action=unreachable dst-address=198.18.0.0/15
add action=unreachable dst-address=198.51.100.0/24
add action=unreachable dst-address=203.0.113.0/24
add action=unreachable dst-address=233.252.0.0/24
add action=unreachable dst-address=240.0.0.0/5
add action=unreachable dst-address=248.0.0.0/6
add action=unreachable dst-address=252.0.0.0/7
add action=unreachable dst-address=254.0.0.0/8
/system identity
set name=Crawford-hEX
/system logging
add disabled=yes topics=dns
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes broadcast-addresses=192.168.88.255 enabled=yes multicast=yes
/system ntp client servers
add address=162.159.200.123
add address=162.159.200.1
add address=198.71.50.75
add address=64.6.144.6
/system routerboard settings
set auto-upgrade=yes
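The change that makes the post above work is the allowed-address on Router B going from the two site-to-site prefixes to 0.0.0.0/0. WireGuard uses allowed-address for two decisions at once: which peer an outgoing packet is encrypted for (longest-prefix match on the destination), and whether a decrypted packet is accepted at all (its inner source must fall inside the sending peer's list). The model below is an added example, not code from the thread or from MikroTik; it labels peers with strings instead of public keys, uses 93.184.216.34 as a stand-in public destination, and deliberately leaves routing out, because RouterOS does not install routes from allowed-address the way wg-quick does (that is what the useWG table and routing rule are for).

```python
"""Added example, not code from the forum thread: a small model of
WireGuard cryptokey routing, to show why Router A's peer entry needs
192.168.88.0/24 and why Router B's peer entry had to become 0.0.0.0/0
before 192.168.88.5 could reach the internet through Router A.

Assumptions of mine: peers are labelled by a string instead of a public
key; 93.184.216.34 is just a sample public destination. RouterOS does not
install routes from allowed-address, so this covers only the
encrypt/decrypt decision, not the routing table."""
import ipaddress
from typing import Dict, List, Optional, Tuple


class WgInterface:
    def __init__(self, name: str) -> None:
        self.name = name
        self.peers: Dict[str, List[ipaddress.IPv4Network]] = {}

    def add_peer(self, label: str, allowed: List[str]) -> None:
        self.peers[label] = [ipaddress.ip_network(a, strict=False) for a in allowed]

    def select_peer(self, dst: str) -> Optional[str]:
        """Outbound: longest-prefix match of dst against every peer's
        allowed-address. None means no peer claims the destination and the
        packet is dropped before it is ever encrypted."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Tuple[str, int]] = None
        for label, nets in self.peers.items():
            for net in nets:
                if addr in net and (best is None or net.prefixlen > best[1]):
                    best = (label, net.prefixlen)
        return best[0] if best else None

    def accept_inbound(self, label: str, src: str) -> bool:
        """Inbound: after a packet from `label` decrypts, its inner source
        address must lie inside that peer's allowed-address or it is dropped."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.peers.get(label, []))


def router_a() -> WgInterface:
    """Router A (RB5009) as in the thread: the tunnel /32 plus Router B's LAN."""
    a = WgInterface("wireguard1")
    a.add_peer("routerB", ["192.168.202.2/32", "192.168.88.0/24"])
    return a


def router_b(allowed: List[str]) -> WgInterface:
    """Router B (hEX); the allowed list is the thing that changed."""
    b = WgInterface("wireguardB")
    b.add_peer("routerA", allowed)
    return b


BEFORE = ["192.168.202.0/24", "192.168.201.0/24"]  # site-to-site only
AFTER = ["0.0.0.0/0"]                              # anav's final change


def internet_path(b_allowed: List[str], lan_host: str = "192.168.88.5",
                  dst: str = "93.184.216.34") -> Tuple[Optional[str], bool, Optional[str]]:
    """Follow one packet lan_host -> dst into the tunnel and the reply back.
    Returns (peer B encrypts for, A accepts inner source, peer A encrypts reply for)."""
    a, b = router_a(), router_b(b_allowed)
    out_peer = b.select_peer(dst)
    accepted = a.accept_inbound("routerB", lan_host) if out_peer else False
    reply_peer = a.select_peer(lan_host) if accepted else None
    return out_peer, accepted, reply_peer
```

Two things fall out of running it. With the old list, Router B never encrypts an internet-bound packet for Router A at all; the routing table can point at wireguardB as much as it likes. With 0.0.0.0/0, Router B now accepts any inner source address that Router A sends down the tunnel, so the only thing limiting what arrives from the far side is Router B's forward chain (the "allow remote subnet to local subnet" rule followed by the drop), which is one more reason to keep that chain tight. Router A, on the other hand, still rejects anything from Router B whose inner source is outside 192.168.88.0/24 or 192.168.202.2/32.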
 
MTNick
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 24, 2023 6:43 am

Re: Redirect Router B to Router A through wireguard

Wed Apr 10, 2024 4:30 am

The big change on Router B seeing as you want internet access but out Router A is changing Allowed IPs...........
Many other small changes............... read line by line
Simplified firewall rules!!!!
For single subnets avoid interface lists............ in general.

Thanks anav!! Kinda figured a routing table would come in play for this.

To confirm, is the interface on wireguard peer supposed to be wireguard1? Or is that supposed to be wireguardB? Or, am I creating a new wireguardB interface? Reason for the questions is because of the wireguard configs below. Wireguard1 isn't in interfaces or addresses but listed in peer & in routes.
/interface wireguard
add listen-port=23231 mtu=1420 name=wireguardB
/interface list member
add interface=ether1 list=WAN
add interface="Lan Bridge" list=LAN
add interface=wireguardB list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0   endpoint-address=123.456.789.1 endpoint-port=23231 \
    interface=wireguard1 public-key="***********************************************="  persistent-keepalive=35sec
/ip address
add address=192.168.88.1/24 interface="Lan Bridge" network=192.168.88.0
add address=192.168.202.2/30 interface=wireguardB network=192.168.202.0
/ip route
add dst-address=192.168.201.0/24 gateway=wireguard1 routing-table=main
add dst-address=0.0.0.0/0 gateway=wireguardB routing-table=useWG
 
llamajaja
Member Candidate
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: Redirect Router B to Router A through wireguard

Wed Apr 10, 2024 5:07 pm

Sorry, I changed all your wireguard1 entries, on Router B, to wireguardB. Call me anal, but when looking at a config I want to know intuitively which of two or three or more configs I am looking at.
Using the same name on both RouterA and RouterB is not clear to me and thus prefer to distinguish. Personal habit.

They all have to be the same name regardless of which one you choose to use.
I did forget to change the ip route for the remote subnet, so need to modify that later, to wireguardB
 
MTNick
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 24, 2023 6:43 am

Re: Redirect Router B to Router A through wireguard

Wed Apr 10, 2024 5:41 pm

Sorry, I changed all your wireguard1 entries, on Router B, to wireguardB. Call me anal, but when looking at a config I want to know intuitively which of two or three or more configs I am looking at.
Using the same name on both RouterA and RouterB is not clear to me and thus prefer to distinguish. Personal habit.

They all have to be the same name regardless which one you choose to use.
I did forget to change the ip route for the remote subnet, so need to modify that later, to wireguardB
Got it. Done! Makes total sense.

One more question, does the input chain on Router B need the rule below to allow Router A through?
/ip firewall filter
add action=accept chain=input comment="allow access for RB5009" dst-port=\
    23231 protocol=udp src-address=123.456.789.1
 
llamajaja
Member Candidate
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: Redirect Router B to Router A through wireguard

Wed Apr 10, 2024 7:16 pm

Nope, the handshake is initiated on Router B and lands at the WAN on Router A, and thus why A needs the input chain rule only.
 
MTNick
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 24, 2023 6:43 am

Re: Redirect Router B to Router A through wireguard

Thu Apr 11, 2024 1:31 am

Greetings. Connectivity is good. The one specific device/IP is using the wireguard tunnel for internet on Router A. Cleaned up the firewall rules & address list. Removed the mangle rules as well.

Removed: I added 2 scripts to ping Router A LAN subnet via Router B wireguardB interface. What it'll do is when not alive, disable the route filter rule for "useWG", to allow use of Router B internet. When it comes back up, or is alive, it'll re-enable it. It's basically a failsafe if the tunnel is down.

So you're aware, and off topic, I added another script to disable DoH "verify certificate" after a reboot, then re-enable it 40sec later. The script allows the crl download after a reboot. It's a workaround but it's what I came up with that resolved the no internet after reboot if using DoH.

Update: Updated final Router B config. Removed the 2 scripts for "useWG" failover (noted above).

Router B config:
# 2024-04-10 17:30:31 by RouterOS 7.14.2
# software id = ******
#
# model = RB750Gr3
# serial number = ********
/interface bridge
add name="Lan Bridge"
/interface wireguard
add listen-port=23231 mtu=1420 name=wireguardB
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add comment="Lan Bridge" name=LAN ranges=192.168.88.20-192.168.88.150
/ip dhcp-server
add address-pool=LAN interface="Lan Bridge" name=dhcp1
/routing table
add disabled=no fib name=useWG
/certificate settings
set crl-download=yes crl-use=yes
/interface bridge port
add bridge="Lan Bridge" interface=ether2
add bridge="Lan Bridge" interface=ether3
add bridge="Lan Bridge" interface=ether4
add bridge="Lan Bridge" interface=ether5
/ip firewall connection tracking
set loose-tcp-tracking=no tcp-established-timeout=30m
/ip settings
set max-neighbor-entries=4096 rp-filter=loose tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=ether1 list=WAN
add interface="Lan Bridge" list=LAN
add interface=wireguardB list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=123.456.789.1 endpoint-port=\
    23231 interface=wireguardB persistent-keepalive=35s public-key=\
    "****************************************"
/ip address
add address=192.168.88.1/24 interface="Lan Bridge" network=192.168.88.0
add address=192.168.202.2/30 interface=wireguardB network=192.168.202.0
/ip dhcp-client
add interface=ether1 script=":if (\$bound=1) do={\r\
    \n:local gw \$\"gateway-address\"\r\
    \n/ip firewall address-list set [find where comment=\"ISP1\"] address=\$\"\
    lease-address\"\r\
    \n/ip firewall nat set [find where comment=\"Source NAT\"] to-addresses=\$\
    \"lease-address\"\r\
    \n}" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.88.151 mac-address=blanked-out server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 \
    ntp-server=192.168.88.1
/ip dns
set allow-remote-requests=yes max-concurrent-tcp-sessions=30 servers=\
    76.76.2.2,76.76.10.2,1.1.1.2 use-doh-server=\
    https://freedns.controld.com/p2 verify-doh-cert=yes
/ip dns static
add address=76.76.2.11 match-subdomain=yes name=\
    https://freedns.controld.com/p2
/ip firewall address-list
add address=123.456.789.2 comment=ISP1 list=\
    Crawford
add address=123.456.789.1 comment="RB5009 Network" list=RB5009
add address=192.168.201.0/24 list=RB5009-LAN
add address=192.168.88.0/24 comment="Crawford Network" list=Crawford-LAN
add address=192.168.201.101-192.168.201.105 comment="remote admin" list=\
    Authorized
add address=192.168.88.151-192.168.88.155 comment="admin when at router A" \
    list=Authorized
add address=192.168.88.5 comment=\
    "LANIP going out wireguard for internet on router A" list=Excluded
add address=123.456.789.1 comment="remote admin" list=Authorized
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log-prefix=drop-invalid-input
add action=accept chain=input comment="defconf: accept to local loopback" \
    dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="allow admin access for Config" \
    src-address-list=Authorized
add action=accept chain=input comment="LAN access to DNS/NTP services" \
    dst-port=53,123 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="LAN access to DNS services" dst-port=\
    53,123 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else" log-prefix=drop-input
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix=drop-invalid
add action=accept chain=forward comment="internet access" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="allow remote subnet to local subnet" \
    dst-address=192.168.88.0/24 in-interface=wireguardB src-address=\
    192.168.201.0/24
add action=accept chain=forward comment="allow local subnet to enter tunnel" \
    out-interface=wireguardB src-address=192.168.88.0/24
add action=drop chain=forward comment="drop all else" log=yes log-prefix=\
    drop-all-forward
/ip firewall nat
add action=src-nat chain=srcnat comment="Source NAT" out-interface-list=WAN \
    to-addresses=123.456.789.2
add action=redirect chain=dstnat comment=\
    "Redirect DNS to Mikrotik DNS Server - TCP" dst-port=53 \
    in-interface-list=LAN protocol=tcp src-address-list=!Excluded
add action=redirect chain=dstnat comment=\
    "Redirect DNS to Mikrotik DNS Server - UDP" dst-port=53 \
    in-interface-list=LAN protocol=udp src-address-list=!Excluded
/ip route
add dst-address=192.168.201.0/24 gateway=wireguardB
add disabled=no dst-address=0.0.0.0/0 gateway=wireguardB routing-table=useWG \
    suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing rule
add action=unreachable dst-address=10.0.0.0/8
add action=unreachable dst-address=169.254.0.0/16
add action=unreachable dst-address=172.16.0.0/12
add action=unreachable dst-address=192.0.0.0/24
add action=unreachable dst-address=192.0.2.0/24
add action=unreachable dst-address=192.88.99.0/24
add action=unreachable dst-address=198.18.0.0/15
add action=unreachable dst-address=198.51.100.0/24
add action=unreachable dst-address=203.0.113.0/24
add action=unreachable dst-address=233.252.0.0/24
add action=unreachable dst-address=240.0.0.0/5
add action=unreachable dst-address=248.0.0.0/6
add action=unreachable dst-address=252.0.0.0/7
add action=unreachable dst-address=254.0.0.0/8
add action=lookup disabled=no src-address=192.168.88.5/32 \
    table=useWG
/system clock
set time-zone-name=America/New_York
/system identity
set name=Crawford-hEX
/system logging
add disabled=yes topics=dns
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes broadcast-addresses=192.168.88.255 enabled=yes multicast=\
    yes
/system ntp client servers
add address=162.159.200.123
add address=162.159.200.1
add address=198.71.50.75
add address=64.6.144.6
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add name=DoH-DNS-Startup on-event=DoH-DNS-Startup policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
/system script
add dont-require-permissions=no name=DoH-DNS-Startup policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    delay 5s\r\
    \n:log warning \"DoH-DNS-Startup script is running...\"\r\
    \n([/ip dns set verify-doh-cert=no] [:log warning \"Turning off DoH verify\
    -doh-cert to allow crl update\"])\r\
    \n:delay 40s\r\
    \n([/ip dns set verify-doh-cert=yes] [:log warning \"Turning DoH verify-do\
    h-cert back on\"])\r\
    \n:delay 5s\r\
    \n:log warning \"Flushing DNS cache\"\r\
    \n/ip dns cache flush\r\
    \n:delay 5s\r\
    \n:log warning \"DoH-DNS-Startup script is COMPLETE\"\r\
    \n/tool e-mail send to=\"*******************\" subject=\"\$[/syste\
    m identity get name] DoH-DNS-Startup\" body=\"Date: \$[/system clock get d\
    ate] \\r Time: \$[/system clock get time] \\r Device: \$[/system identity \
    get name] \\r Info: DoH-DNS-Startup script is complete\""
Last edited by MTNick on Thu Apr 11, 2024 3:33 pm, edited 1 time in total.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19610
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Redirect Router B to Router A through wireguard

Thu Apr 11, 2024 1:48 am

You will need to change the Routing Rule on Router B, the action option......... to just lookup

/routing rule add src-address=LANIP action=lookup table=useWG


The current rule will prevent the router from using any other routing.
In other words, you DO NOT NEED any script to enable local use of the WAN on router B, by that user.
With action of lookup, if wireguard is not available, the router will go to the main table and see if a route is available, all good!!!
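The difference between the two rule actions is easier to see on a model than in the docs. Below is an added example, not code from the thread or from MikroTik: a small policy-routing simulator for Router B's final export, with the rule action as a parameter. Assumptions of mine: the main table holds a default route via ether1 (the DHCP-client route, which the export does not list), and "tunnel down" is modelled as the useWG route going inactive. On a real box the wireguardB interface normally stays in the running state whether or not the peer answers, so making that route inactive in practice usually needs check-gateway=ping on it or a similar mechanism; that part is outside the model and worth verifying on your own hardware.

```python
"""Added example, not from the thread: a model of RouterOS policy routing
for Router B, to show the difference between the routing-rule actions
lookup-only-in-table and lookup that anav raises.

Assumptions of mine: the main table carries a default route via ether1
(the DHCP default route, not shown in the export); a down tunnel is
modelled as the route via wireguardB being inactive."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


class Router:
    def __init__(self) -> None:
        self.tables: Dict[str, List[Tuple[Net, str]]] = {"main": [], "useWG": []}
        self.rules: List[dict] = []          # /routing rule, evaluated in order
        self.interface_up: Dict[str, bool] = {}

    def add_route(self, table: str, dst: str, gateway: str) -> None:
        self.tables[table].append((ipaddress.ip_network(dst), gateway))

    def add_rule(self, action: str, src: Optional[str] = None,
                 dst: Optional[str] = None, table: Optional[str] = None) -> None:
        self.rules.append({"action": action, "src": src, "dst": dst, "table": table})

    def _lookup(self, table: str, dst: ipaddress.IPv4Address) -> Optional[str]:
        """Longest-prefix match over active routes; a route whose gateway
        interface is down is inactive and ignored."""
        best: Optional[Tuple[Net, str]] = None
        for net, gw in self.tables[table]:
            if dst in net and self.interface_up.get(gw, True):
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, gw)
        return best[1] if best else None

    def egress(self, src: str, dst: str) -> Optional[str]:
        """Return the egress interface for a packet, or None for unreachable."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.rules:
            if r["src"] and s not in ipaddress.ip_network(r["src"]):
                continue
            if r["dst"] and d not in ipaddress.ip_network(r["dst"]):
                continue
            if r["action"] == "unreachable":
                return None
            gw = self._lookup(r["table"], d)
            if gw is not None or r["action"] == "lookup-only-in-table":
                return gw            # lookup-only-in-table: no fallback at all
            # action=lookup with no usable route: fall through to later rules, then main
        return self._lookup("main", d)


def router_b(rule_action: str, wg_up: bool) -> Router:
    """Router B from the thread's final export, with the rule action as a parameter."""
    r = Router()
    r.add_route("main", "0.0.0.0/0", "ether1")             # assumed DHCP default route
    r.add_route("main", "192.168.201.0/24", "wireguardB")
    r.add_route("useWG", "0.0.0.0/0", "wireguardB")
    r.interface_up["wireguardB"] = wg_up
    for bogon in ("10.0.0.0/8", "172.16.0.0/12", "198.18.0.0/15"):   # subset of the export
        r.add_rule("unreachable", dst=bogon)
    r.add_rule(rule_action, src="192.168.88.5/32", table="useWG")
    return r
```

With the tunnel up both actions send 192.168.88.5 out wireguardB and leave every other LAN host on ether1. With the tunnel down, lookup falls back to the main table and the host gets Router B's own internet, which is the behaviour the earlier ping scripts were trying to emulate; lookup-only-in-table returns unreachable. Note the ordering matters: because the unreachable rules for private and reserved prefixes sit above the lookup rule, 192.168.88.5 cannot reach, say, 10.0.0.0/8 through the tunnel even though useWG has a default route for it.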
 
MTNick
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 24, 2023 6:43 am

Re: Redirect Router B to Router A through wireguard

Thu Apr 11, 2024 1:56 am

You will need to change the Routing Rule on Router B, the action option......... to just lookup

/routing rule add src-address=LANIP action=lookup table=useWG


The current rule will prevent the router from using any other routing.
In other words, you DO NOT NEED any script to enable local use of the WAN on router B, by that user.
With action of lookup, if wireguard is not available, the router will go to the main table and see if a route is available, all good!!!
Done. Perfect! A lot better than running scripts lol. Router B config updated in previous post here: viewtopic.php?p=1069045#p1069045

Update: Forgot that Router A is already handled.

Thank you anav! Appreciate everything you do for the users of this forum
