I'm trying to set up WireGuard in RouterOS, following the official guide on the wiki, however I can't seem to even connect to it. I'd like to able to access devices in vlan_a through the WireGuard VPN.
To my understanding it seems like my firewall settings are off. Could anyone smarter than me please take a look and tell me what I'm doing wrong?
Thank you :)
Code: Select all
# 2024-04-26 17:05:52 by RouterOS 7.14.3
# model = RB962UiGS-5HacT2HnT
/interface bridge
add ingress-filtering=no name=bridge1 port-cost-mode=short protocol-mode=none \
vlan-filtering=yes
/interface wireguard
add listen-port=10111 mtu=1420 name=wg1
/interface vlan
add interface=bridge1 name=vlan_a vlan-id=10
add interface=bridge1 name=vlan_mgmt vlan-id=99
add interface=bridge1 name=vlan_b vlan-id=30
add interface=bridge1 name=vlan_c vlan-id=20
/interface list
add name=WAN
add name=VLAN_FORBID
add name=VLAN_ALLOW
add name=MGMT
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=sec_plk \
supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
country=etsi disabled=no frequency=auto mode=ap-bridge \
security-profile=sec_plk ssid=WiFi2 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country=etsi disabled=no mode=ap-bridge \
security-profile=sec_plk ssid=WiFi5 wps-mode=disabled
/ip pool
add name=pool_a ranges=10.0.10.2-10.0.10.254
add name=pool_c ranges=10.0.20.2-10.0.20.254
add name=pool_b ranges=10.0.30.2-10.0.30.254
add name=pool_mgmt ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=pool_a interface=vlan_a lease-time=1w name=\
dhcp_a
add address-pool=pool_c interface=vlan_c lease-time=10m name=dhcp_c
add address-pool=pool_b interface=vlan_b lease-time=1h name=\
dhcp_b
add address-pool=pool_mgmt interface=vlan_mgmt lease-time=10m name=dhcp_mgmt
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
interface=ether2 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
interface=ether3 internal-path-cost=10 path-cost=10 pvid=20
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
interface=wlan1 internal-path-cost=10 path-cost=10 pvid=30
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
interface=wlan2 internal-path-cost=10 path-cost=10 pvid=30
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
interface=ether4 internal-path-cost=10 path-cost=10 pvid=99
add bridge=bridge1 interface=ether5 pvid=11
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-ids=10
add bridge=bridge1 tagged=bridge1 vlan-ids=20
add bridge=bridge1 tagged=bridge1 vlan-ids=30
add bridge=bridge1 tagged=bridge1 vlan-ids=99
add bridge=bridge1 tagged=bridge1 vlan-ids=40
add bridge=bridge1 tagged=bridge1 vlan-ids=11
/interface list member
add interface=ether1 list=WAN
add interface=vlan_mgmt list=VLAN_ALLOW
add interface=vlan_a list=VLAN_FORBID
add interface=vlan_c list=VLAN_ALLOW
add interface=vlan_b list=VLAN_ALLOW
add interface=vlan_mgmt list=MGMT
add interface=wg1 list=VLAN_ALLOW
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.10.2/32 interface=wg1 public-key=\
/ip address
add address=192.168.0.1/24 interface=vlan_mgmt network=192.168.0.0
add address=192.168.8.111/24 interface=ether1 network=192.168.8.0
add address=10.0.10.1/24 interface=vlan_a network=10.0.10.0
add address=10.0.20.1/24 interface=vlan_c network=10.0.20.0
add address=10.0.30.1/24 interface=vlan_b network=10.0.30.0
add address=192.168.10.1/24 interface=wg1 network=192.168.10.0
/ip cloud
set update-time=no
/ip dhcp-server lease
add address=10.0.10.253 client-id=1:80:7c:62:b:7a:f6 comment=nvr mac-address=\
80:7C:62:0B:7A:F6 server=dhcp_a
add address=10.0.10.252 client-id=1:bc:5e:33:85:36:85 mac-address=\
BC:5E:33:85:36:85 server=dhcp_a
add address=10.0.10.251 client-id=1:bc:5e:33:85:36:84 mac-address=\
BC:5E:33:85:36:84 server=dhcp_a
add address=10.0.10.249 client-id=1:e0:ca:3c:97:1e:ed mac-address=\
E0:CA:3C:97:1E:ED server=dhcp_a
/ip dhcp-server network
add address=10.0.10.0/24 dns-none=yes gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=192.168.0.1 gateway=10.0.30.1
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=accept chain=input comment="Allow established, related" \
connection-state=established,related
add action=accept chain=input comment="allow wg" dst-port=10111 protocol=udp
add action=accept chain=input comment="allow wg traffic" src-address=\
192.168.10.0/24
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="VLANs with router service perms" \
in-interface-list=VLAN_ALLOW
add action=accept chain=input in-interface=vlan_mgmt
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow established, related" \
connection-state=established,related
add action=accept chain=forward comment="VLAN_ALLOW outside access" \
connection-state=new in-interface-list=VLAN_ALLOW out-interface-list=WAN
add action=accept chain=forward in-interface=vlan_mgmt out-interface=\
vlan_a
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masq" out-interface-list=\
WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.8.1
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT