lpetrov
just joined
Topic Author
Posts: 19
Joined: Sun Apr 28, 2024 8:19 pm

wireguard with vlan bridge

Sun Apr 28, 2024 8:33 pm

I have the following questions:
--WIREGUARD SETUP---
I would like to set up a WireGuard tunnel. I need to be able to connect from this tunnel to devices on all VLANs. VLAN 10 is my management network. Ideally I would like the WireGuard tunnel to have an IP from this network.
-- FW SETUP--
Best way to restrict access to VLAN 12 (servers) and VLAN 30 (smart home) for users on VLAN 100.
The current VLAN setup should stay the same.
Any help would be appreciated. Thank you.
Here is my current configuration:
# 2024-04-28 20:13:56 by RouterOS 7.14.1

# model = RB5009UG+S+

/interface bridge
add name=br-Uplink port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="POE swith /wi-fi" name=\
"ether1-LAN-Trunk(switch)"
set [ find default-name=ether2 ] comment=proxmox name=ether2-LAN-Trunk
set [ find default-name=ether3 ] comment="ABB IPS 2.1" name=ether3-LAN-Trunk
set [ find default-name=ether4 ] name=ether4-LAN
set [ find default-name=ether7 ] comment=mngmnt name=ether7-LAN-mngmnt
set [ find default-name=ether8 ] name=ether8-WAN-Static
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add comment="Management VLAN" interface=br-Uplink name=Management-10 vlan-id=\
10
add comment="Smart Home VLAN" interface=br-Uplink name="Smart Home-30" \
vlan-id=30
add comment="Users VLAN" interface=br-Uplink name=Users-100 vlan-id=100
add comment="Servers VLAN" interface=br-Uplink name=vlan20-Servers vlan-id=20
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_management_pool ranges=192.168.10.242-192.168.10.249
add name=dhcp_users_pool ranges=192.168.100.100-192.168.100.249
add name=dhcp_smarthome_pool ranges=192.168.30.100-192.168.30.249
add name=dhcp_servers_pool ranges=192.168.12.242-192.168.12.254
/ip dhcp-server
add address-pool=dhcp_management_pool interface=Management-10 name=\
dhcp-management
add address-pool=dhcp_users_pool interface=Users-100 name=dhcp-users
add address-pool=dhcp_smarthome_pool interface="Smart Home-30" name=\
"dhcp-smart home"
add address-pool=dhcp_servers_pool interface=vlan20-Servers name=dhcp-servers
/interface bridge port
add bridge=br-Uplink comment="for KNX on the switch" interface=\
"ether1-LAN-Trunk(switch)" internal-path-cost=10 path-cost=10 pvid=30
add bridge=br-Uplink interface=ether2-LAN-Trunk pvid=20
add bridge=br-Uplink interface=ether3-LAN-Trunk pvid=30
add bridge=br-Uplink interface=ether4-LAN pvid=10
/ip firewall connection tracking
set udp-timeout=10s
/interface bridge vlan
add bridge=br-Uplink comment="Smart Home LAN" tagged=\
ether2-LAN-Trunk,br-Uplink untagged=\
"ether1-LAN-Trunk(switch),ether3-LAN-Trunk" vlan-ids=30
add bridge=br-Uplink comment="wifi users" tagged=\
"ether1-LAN-Trunk(switch),br-Uplink,ether2-LAN-Trunk" vlan-ids=100
add bridge=br-Uplink tagged=\
"ether1-LAN-Trunk(switch),br-Uplink,ether2-LAN-Trunk" vlan-ids=10
add bridge=br-Uplink tagged="ether1-LAN-Trunk(switch),br-Uplink" untagged=\
ether2-LAN-Trunk vlan-ids=20
/interface list member
add interface=ether8-WAN-Static list=WAN
add interface=Management-10 list=LAN
add interface=br-Uplink list=LAN
add interface=Users-100 list=LAN
/ip address
add address=XXX.XXX.32.41/24 interface=ether8-WAN-Static network=XXX.XXX.32.0
add address=192.168.12.1/24 interface=vlan20-Servers network=192.168.12.0
add address=192.168.100.1/24 interface=Users-100 network=192.168.100.0
add address=192.168.10.1/24 interface=Management-10 network=192.168.10.0
add address=192.168.30.1/24 interface="Smart Home-30" network=192.168.30.0
/ip dhcp-server lease
add address=192.168.10.250 client-id=1:d8:d0:90:1b:5b:af comment=\
"Lubo Yoga Wired" mac-address=D8:D0:90:1B:5B:AF server=dhcp-management
add address=192.168.10.6 client-id=1:1c:61:b4:14:a0:2c comment=\
"TP Link EAP 615 Bedroom" mac-address=1C:61:B4:14:A0:2C server=\
dhcp-management
add address=192.168.10.5 client-id=1:1c:61:b4:14:a9:a8 comment=\
"TP Link EAP 615 Living Room" mac-address=1C:61:B4:14:A9:A8 server=\
dhcp-management
add address=192.168.100.204 client-id=1:48:a6:b8:7:73:e2 comment="Sonos ARC" \
mac-address=48:A6:B8:07:73:E2 server=dhcp-users
add address=192.168.100.249 client-id=1:72:70:2a:fe:13:ab comment=\
"iPad Living Room" mac-address=72:70:2A:FE:13:AB server=dhcp-users
add address=192.168.100.203 client-id=1:54:2a:1b:23:ee:38 comment="Sonos SUB" \
mac-address=54:2A:1B:23:EE:38 server=dhcp-users
add address=192.168.100.202 client-id=1:f0:f6:c1:c5:cf:d4 comment=\
"Sonos ERA 300" mac-address=F0:F6:C1:C5:CF:D4 server=dhcp-users
add address=192.168.100.201 client-id=1:f0:f6:c1:c5:cf:58 comment=\
"Sonos ERA 300" mac-address=F0:F6:C1:C5:CF:58 server=dhcp-users
add address=192.168.30.2 client-id=1:2:78:7f:7f:66:2e comment=\
"Home Assistant" mac-address=02:78:7F:7F:66:2E server="dhcp-smart home"
add address=192.168.30.205 client-id=1:64:d2:c4:e1:f5:dc comment=\
"Apple TV Bedroom - Wireless" mac-address=64:D2:C4:E1:F5:DC server=\
"dhcp-smart home"
add address=192.168.30.3 comment="ABB IPS2.1 (KNX)" mac-address=\
00:0C:DE:93:50:5A server="dhcp-smart home"
add address=192.168.30.250 client-id=1:b0:a4:60:9a:8c:1a comment=\
"YOGA camelot" mac-address=B0:A4:60:9A:8C:1A server="dhcp-smart home"
add address=192.168.100.250 client-id=1:b0:a4:60:9a:8c:1a comment=\
"YOGA castle" mac-address=B0:A4:60:9A:8C:1A server=dhcp-users
add address=192.168.30.4 client-id=1:0:24:6d:2:a6:6c comment=1HOME \
mac-address=00:24:6D:02:A6:6C server="dhcp-smart home"
add address=192.168.30.5 client-id=1:64:d2:c4:d4:fb:c7 comment=\
"Apple TV Bedroom - Wired" mac-address=64:D2:C4:D4:FB:C7 server=\
"dhcp-smart home"
/ip dhcp-server network
add address=192.168.10.0/24 comment=mngmt gateway=192.168.10.1
add address=192.168.12.0/24 comment=servers gateway=192.168.12.1
add address=192.168.30.0/24 comment="smart home" gateway=192.168.30.1
add address=192.168.100.0/24 comment=users gateway=192.168.100.1
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=192.168.12.0/24 list=Servers
add address=192.168.100.0/24 list=Users
add address=192.168.30.0/24 list=SmartHome
add address=192.168.10.248/29 list=Admins
add address=192.168.12.0/24 list=LAN
add address=192.168.30.0/24 list=LAN
add address=192.168.10.0/24 list=LAN
add address=192.168.100.0/24 list=LAN
add address=192.168.12.248/29 list=Admins
add address=192.168.30.248/29 list=Admins
add address=192.168.100.248/29 list=Admins
add address=88.203.229.253 list=Svetulcho
/ip firewall filter
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment="allow internet traffic" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input in-interface-list=LAN
add action=accept chain=forward comment="Allow HTTPS from WAN to nginx proxy" \
dst-address=192.168.12.254 dst-port=443 in-interface=ether8-WAN-Static \
protocol=tcp
add action=accept chain=forward comment="Allow access from WAN to Plex" \
dst-address=192.168.12.140 dst-port=32400 in-interface=ether8-WAN-Static \
protocol=tcp
add action=accept chain=input comment="Svetulcho remote access" dst-port=8291 \
protocol=tcp src-address-list=Svetulcho
add action=drop chain=input comment="Drop All Incoming Traffic from WAN" \
in-interface=ether8-WAN-Static
add action=accept chain=forward comment="allow access from LAN to Plex" \
dst-address=192.168.12.140 dst-port=32400 protocol=tcp src-address-list=\
LAN
add action=drop chain=forward comment=\
"block users from access to servers LAN list" dst-address-list=Servers \
src-address=192.168.100.0/24
add action=drop chain=forward comment=\
"block Users access to Smart Home Network" dst-address-list=SmartHome \
src-address=192.168.100.0/24
add action=accept chain=input comment="Allow Access to Mikrotik for Admins" \
dst-port=22,23,8291,8728 protocol=tcp src-address=192.168.30.248/29
add action=accept chain=input comment="Allow Access to Mikrotik for Admins" \
dst-port=22,23,8291,8728 protocol=tcp src-address=192.168.10.248/29
add action=drop chain=input comment="Restrict Access to Mikrotik for LAN" \
dst-port=22,23,8291,8728 protocol=tcp src-address-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether8-WAN-Static
add action=dst-nat chain=dstnat comment="port 443 to nginx proxy" dst-port=\
443 in-interface=ether8-WAN-Static protocol=tcp to-addresses=\
192.168.12.254 to-ports=443
add action=dst-nat chain=dstnat comment="port 32400 to Plex" dst-port=32400 \
in-interface=ether8-WAN-Static protocol=tcp to-addresses=192.168.12.140 \
to-ports=32400
add action=masquerade chain=srcnat comment="hairpin rule for LAN interfaces" \
dst-address=192.168.12.0/24 src-address-list=LAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=XXX.XXX.32.1 routing-table=main \
suppress-hw-offload=no
/system clock
set time-zone-name=Europe/XXX
/system identity
set name=RB5009
/system note
set show-at-login=no
/tool sniffer
set filter-interface=ether2-LAN-Trunk
 
BartoszP
Forum Guru
Posts: 2899
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: wireguard with vlan bridge

Sun Apr 28, 2024 10:25 pm

Please edit post and use proper tags for code.
 
anav
Forum Guru
Posts: 19685
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: wireguard with vlan bridge

Sun Apr 28, 2024 11:52 pm

What you would like is not a valid requirement; what is valid is what traffic your users, and you as admin, need.
Thus the WireGuard IP is a unique IP address structure.
Through firewall rules you can decide which, if any, WireGuard remote users have access to the router for config purposes, and to the LANs as well.

You need to create the WireGuard interface; the suggested name is wireguard1 and port 14567.

/ip address
add address=10.10.20.1/24 interface=wireguard1 network=10.10.20.0


Since you have a management VLAN, create a MGMT interface list.
Add your VLAN to that list.
Add WireGuard to that list.

Create a firewall address list of authorized folks that can access the router for config purposes.
/ip firewall address-list
# using mostly static DHCP leases
add address=192.168.10.X/32 list=Authorized comment="admin desktop local"
add address=192.168.10.Y/32 list=Authorized comment="admin laptop wired local"
add address=192.168.10.Z/32 list=Authorized comment="admin laptop wifi local"
add address=10.10.20.2/32 list=Authorized comment="admin laptop remote wireguard"
add address=10.10.20.3/32 list=Authorized comment="admin smartphone/ipad remote wireguard"


/interface list
add name=LAN
add name=WAN
add name=MGMT


/interface list member
add interface=ether8-WAN-Static list=WAN
add interface=Management-10 list=LAN
add interface=br-Uplink list=LAN
add interface=Users-100 list=LAN
add interface=wireguard1 list=LAN
add interface=wireguard1 list=MGMT
add interface=Management-10 list=MGMT


/ip firewall filter
add chain=input action=accept in-interface-list=MGMT src-address-list=Authorized


FIXED bridge ports and bridge VLANs (assumes ether1 and ether2 are trunk ports, not hybrid ports, and ether4 is an access port).
/interface bridge port
add bridge=br-Uplink ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1-LAN-Trunk comment="KNX switch"
add bridge=br-Uplink ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether2-LAN-Trunk
add bridge=br-Uplink ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether3-LAN-Trunk
add bridge=br-Uplink ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether4-LAN pvid=10


/interface bridge vlan
add bridge=br-Uplink tagged=br-Uplink,ether2-LAN-Trunk,ether3-LAN-Trunk vlan-ids=20,30,100
add bridge=br-Uplink tagged=br-Uplink,ether1-LAN-Trunk,ether2-LAN-Trunk untagged=ether4-LAN vlan-ids=10


Fixed firewall rules.

This is not a legitimate rule, or at least not the right way to accomplish reaching a server .............. remove. Perhaps you mean to do this in port forwarding dstnat rules ??
add action=accept chain=forward comment="Allow HTTPS from WAN to nginx proxy" \
dst-address=192.168.12.254 dst-port=443 in-interface=ether8-WAN-Static \
protocol=tcp

This is not a secure rule; use WireGuard to access the router and then config, so I assume it's temporary until you get WireGuard access .........
add action=accept chain=input comment="Svetulcho remote access" dst-port=8291 \
protocol=tcp src-address-list=Svetulcho
Also, I recommend you change from the default port!!

/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow access from LAN to Plex" \
dst-address=192.168.12.140 dst-port=32400 protocol=tcp src-address-list=LAN
add action=accept chain=forward in-interface-list=MGMT src-address-list=Authorized out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=14567 protocol=udp comment="wireguard handshake"
add chain=input action=accept in-interface-list=MGMT src-address-list=Authorized
add action=accept chain=input in-interface-list=LAN comment="users to services" \
dst-port=53 protocol=udp
add action=accept chain=input in-interface-list=LAN comment="users to services" \
dst-port=53 protocol=tcp
add action=drop chain=input comment="Drop all else" { ensure this is the last rule you enter so you don't lock yourself out }


LOOKING AT NAT RULES: IF you are going to have users in the same LAN as the servers reach the servers via a DynDNS URL and not the direct LAN IP, then you need a hairpin NAT rule.
IF users are in different subnets, then you don't need a hairpin NAT rule.
Since you have segregated users from servers etc., it would seem you don't need a hairpin NAT rule.

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether8-WAN-Static
add action=dst-nat chain=dstnat comment="port 443 to nginx proxy" dst-port=\
443 in-interface=ether8-WAN-Static protocol=tcp to-addresses=\
192.168.12.254 to-ports=443
add action=dst-nat chain=dstnat comment="port 32400 to Plex" dst-port=32400 \
in-interface=ether8-WAN-Static protocol=tcp to-addresses=192.168.12.140 \
to-ports=32400
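A complete remote-admin WireGuard setup along the lines described above, added here as an example; it is not part of the original thread or of anyone's posted config. It assumes the interface names, VLAN subnets, the LAN/WAN interface lists and the 10.10.20.0/24 tunnel range from the posts above; the keys and the WAN hostname are placeholders, and the place-before references assume the "Drop all else" rules already exist in each chain (omit them on a fresh config). Two points decide whether a tunnel client can reach anything: the peer's allowed-address on the router and AllowedIPs on the client. A WireGuard adapter on Windows never shows a default gateway, so the absence of one is not a fault by itself.

```routeros
# Added example, not from the thread. Assumed: tunnel 10.10.20.0/24 on
# wireguard1, listen port 14567, existing interface lists LAN and WAN,
# existing VLAN interface Management-10, placeholder keys and hostname.

/interface wireguard
add name=wireguard1 listen-port=14567 mtu=1420

/ip address
add address=10.10.20.1/24 interface=wireguard1 network=10.10.20.0

# One peer per device. allowed-address is the router-side cryptokey routing
# table: only packets from/to these addresses are accepted from, or sent into,
# the tunnel for that peer. Keep it to the peer's own /32.
/interface wireguard peers
add interface=wireguard1 comment="admin laptop" allowed-address=10.10.20.2/32 \
    public-key="<laptop-public-key>"
add interface=wireguard1 comment="admin phone" allowed-address=10.10.20.3/32 \
    public-key="<phone-public-key>"

# The tunnel joins the same lists as the management VLAN, so one set of
# rules covers both local and remote admins.
/interface list
add name=MGMT
/interface list member
add interface=wireguard1 list=LAN
add interface=wireguard1 list=MGMT
add interface=Management-10 list=MGMT

# Who may administer the router (note the exact list name: Authorized).
/ip firewall address-list
add list=Authorized address=192.168.10.250 comment="admin desktop, VLAN 10"
add list=Authorized address=10.10.20.2 comment="admin laptop, wireguard"
add list=Authorized address=10.10.20.3 comment="admin phone, wireguard"

# Let tunnel clients use the router as resolver (they send DNS to 10.10.20.1).
# Safe only because the input chain drops everything else arriving from WAN.
/ip dns
set allow-remote-requests=yes

/ip firewall filter
# The UDP handshake is the only thing accepted from the internet.
add chain=input action=accept protocol=udp dst-port=14567 \
    in-interface-list=WAN comment="wireguard handshake" \
    place-before=[find chain=input comment="Drop all else"]
# Router management from MGMT interfaces, Authorized addresses only.
add chain=input action=accept in-interface-list=MGMT \
    src-address-list=Authorized comment="admins to router" \
    place-before=[find chain=input comment="Drop all else"]
# Remote admins reach every LAN, like VLAN 10 does.
add chain=forward action=accept in-interface-list=MGMT \
    src-address-list=Authorized out-interface-list=LAN comment="admins to LANs" \
    place-before=[find chain=forward comment="Drop all else"]

# Matching client side (WireGuard for Windows / iOS), shown as a comment:
#   [Interface]
#   PrivateKey = <laptop-private-key>
#   Address = 10.10.20.2/32
#   DNS = 10.10.20.1
#   [Peer]
#   PublicKey = <router-public-key>           # from /interface wireguard print
#   Endpoint = <router-wan-ip-or-hostname>:14567
#   AllowedIPs = 10.10.20.0/24, 192.168.10.0/24, 192.168.12.0/24, 192.168.30.0/24, 192.168.100.0/24
#   PersistentKeepalive = 25
```

If AllowedIPs on the client lists only 10.10.20.0/24, the client will never send LAN-bound packets into the tunnel and "connected but nothing reachable" is the result. Listing 0.0.0.0/0 instead sends all client traffic through the router, which then also needs the LAN-to-WAN forward rule to cover wireguard1 (it does, since wireguard1 is in the LAN list).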
 
lpetrov
just joined
Topic Author
Posts: 19
Joined: Sun Apr 28, 2024 8:19 pm

Re: wireguard with vlan bridge

Mon Apr 29, 2024 10:50 am

I followed most of the suggestions, except some for VLANs. I have an unmanaged switch connected to my router and because of that I cannot apply all the filters. I have 2 Wi-Fi networks. One is VLAN 100 and the other, VLAN 30, is for smart home devices and my laptop only. Because the Wi-Fi APs are powered through PoE on the switch I have to keep my bridge VLAN setup. I fixed the FW rules. I added the WireGuard tunnel.
I need to restrict access to VLAN 30 (smart home) and VLAN 20 (servers) for users on VLAN 100, with some exceptions. For instance 192.168.30.3:80 should be accessible from LAN. Plex 192.168.12.140:32400 should also be accessible from LAN.

Current issues:
1. When connected through this tunnel I still cannot access anything. I can see on my Windows PC that I'm connected to the tunnel, but no GW appears on the connection.
2. No internet connection for VLAN 30.
3. Cannot ping any of the servers on 192.168.12.0/24 or the smart home devices on 192.168.30.0/24.

Here is my current config:
# 2024-04-29 10:43:47 by RouterOS 7.14.1
# software id = YDH9-P57P
#
# model = RB5009UG+S+

/interface bridge
add name=br-Uplink port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="POE swith /wi-fi" name=\
"ether1-LAN-Trunk(switch)"
set [ find default-name=ether2 ] comment=proxmox name=ether2-LAN-Trunk
set [ find default-name=ether3 ] comment="ABB IPS 2.1" name=ether3-LAN-Trunk
set [ find default-name=ether4 ] name=ether4-LAN
set [ find default-name=ether7 ] comment=mngmnt name=ether7-LAN-mngmnt
set [ find default-name=ether8 ] name=ether8-WAN-Static
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireguard
add listen-port=14567 mtu=1420 name=wireguard1
/interface vlan
add comment="Management VLAN" interface=br-Uplink name=Management-10 vlan-id=\
10
add comment="Smart Home VLAN" interface=br-Uplink name="Smart Home-30" \
vlan-id=30
add comment="Users VLAN" interface=br-Uplink name=Users-100 vlan-id=100
add comment="Servers VLAN" interface=br-Uplink name=vlan20-Servers vlan-id=20
/interface list
add name=LAN
add name=WAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_management_pool ranges=192.168.10.242-192.168.10.249
add name=dhcp_users_pool ranges=192.168.100.100-192.168.100.249
add name=dhcp_smarthome_pool ranges=192.168.30.100-192.168.30.249
add name=dhcp_servers_pool ranges=192.168.12.242-192.168.12.254
/ip dhcp-server
add address-pool=dhcp_management_pool interface=Management-10 name=\
dhcp-management
add address-pool=dhcp_users_pool interface=Users-100 name=dhcp-users
add address-pool=dhcp_smarthome_pool interface="Smart Home-30" name=\
"dhcp-smart home"
add address-pool=dhcp_servers_pool interface=vlan20-Servers name=dhcp-servers
/interface bridge port
add bridge=br-Uplink comment="unmanaged switch" interface=\
"ether1-LAN-Trunk(switch)" internal-path-cost=10 path-cost=10 pvid=30
add bridge=br-Uplink comment=proxmox interface=ether2-LAN-Trunk pvid=20
add bridge=br-Uplink comment="ABB IPS" frame-types=\
admit-only-untagged-and-priority-tagged interface=ether3-LAN-Trunk pvid=\
30
add bridge=br-Uplink comment="office(right socket)" frame-types=\
admit-only-untagged-and-priority-tagged interface=ether4-LAN pvid=10
/ip firewall connection tracking
set udp-timeout=10s
/interface bridge vlan
add bridge=br-Uplink tagged=ether2-LAN-Trunk,br-Uplink untagged=\
"ether1-LAN-Trunk(switch),ether3-LAN-Trunk" vlan-ids=30
add bridge=br-Uplink comment="wifi users" tagged=\
"ether1-LAN-Trunk(switch),br-Uplink,ether2-LAN-Trunk" vlan-ids=100
add bridge=br-Uplink tagged=\
"ether1-LAN-Trunk(switch),br-Uplink,ether2-LAN-Trunk" vlan-ids=10
add bridge=br-Uplink tagged="ether1-LAN-Trunk(switch),br-Uplink" untagged=\
ether2-LAN-Trunk vlan-ids=20
/interface list member
add interface=ether8-WAN-Static list=WAN
add interface=Management-10 list=LAN
add interface=br-Uplink list=LAN
add interface=Users-100 list=LAN
add interface=wireguard1 list=LAN
add interface=wireguard1 list=MGMT
add interface=Management-10 list=MGMT
/interface wireguard peers
add allowed-address=10.10.20.2/32 client-address=10.10.20.2/32 client-dns=\
8.8.8.8 client-endpoint=151.237.32.41 endpoint-port=14567 interface=\
wireguard1 public-key="zAP+f8dzG9G0mgJVwPVWNbpbH6+SMTnZxVlVN+sjAQ0="
/ip address
add address=XXX.XXX.32.41/24 interface=ether8-WAN-Static network=XXX.XXX.32.0
add address=192.168.12.1/24 interface=vlan20-Servers network=192.168.12.0
add address=192.168.100.1/24 interface=Users-100 network=192.168.100.0
add address=192.168.10.1/24 interface=Management-10 network=192.168.10.0
add address=192.168.30.1/24 interface="Smart Home-30" network=192.168.30.0
add address=10.10.20.1/24 interface=wireguard1 network=10.10.20.0
/ip dhcp-server lease
add address=192.168.10.250 client-id=1:d8:d0:90:1b:5b:af comment=\
"Lubo Yoga Wired" mac-address=D8:D0:90:1B:5B:AF server=dhcp-management
add address=192.168.10.6 client-id=1:1c:61:b4:14:a0:2c comment=\
"TP Link EAP 615 Bedroom" mac-address=1C:61:B4:14:A0:2C server=\
dhcp-management
add address=192.168.10.5 client-id=1:1c:61:b4:14:a9:a8 comment=\
"TP Link EAP 615 Living Room" mac-address=1C:61:B4:14:A9:A8 server=\
dhcp-management
add address=192.168.100.204 client-id=1:48:a6:b8:7:73:e2 comment="Sonos ARC" \
mac-address=48:A6:B8:07:73:E2 server=dhcp-users
add address=192.168.100.249 client-id=1:72:70:2a:fe:13:ab comment=\
"iPad Living Room" mac-address=72:70:2A:FE:13:AB server=dhcp-users
add address=192.168.100.203 client-id=1:54:2a:1b:23:ee:38 comment="Sonos SUB" \
mac-address=54:2A:1B:23:EE:38 server=dhcp-users
add address=192.168.100.202 client-id=1:f0:f6:c1:c5:cf:d4 comment=\
"Sonos ERA 300" mac-address=F0:F6:C1:C5:CF:D4 server=dhcp-users
add address=192.168.100.201 client-id=1:f0:f6:c1:c5:cf:58 comment=\
"Sonos ERA 300" mac-address=F0:F6:C1:C5:CF:58 server=dhcp-users
add address=192.168.30.2 client-id=1:2:78:7f:7f:66:2e comment=\
"Home Assistant" mac-address=02:78:7F:7F:66:2E server="dhcp-smart home"
add address=192.168.30.205 client-id=1:64:d2:c4:e1:f5:dc comment=\
"Apple TV Bedroom - Wireless" mac-address=64:D2:C4:E1:F5:DC server=\
"dhcp-smart home"
add address=192.168.30.3 comment="ABB IPS2.1 (KNX)" mac-address=\
00:0C:DE:93:50:5A server="dhcp-smart home"
add address=192.168.30.250 client-id=1:b0:a4:60:9a:8c:1a comment=\
"YOGA camelot" mac-address=B0:A4:60:9A:8C:1A server="dhcp-smart home"
add address=192.168.100.250 client-id=1:b0:a4:60:9a:8c:1a comment=\
"YOGA castle" mac-address=B0:A4:60:9A:8C:1A server=dhcp-users
add address=192.168.30.4 client-id=1:0:24:6d:2:a6:6c comment=1HOME \
mac-address=00:24:6D:02:A6:6C server="dhcp-smart home"
add address=192.168.30.5 client-id=1:64:d2:c4:d4:fb:c7 comment=\
"Apple TV Bedroom - Wired" mac-address=64:D2:C4:D4:FB:C7 server=\
"dhcp-smart home"
/ip dhcp-server network
add address=192.168.10.0/24 comment=mngmt gateway=192.168.10.1
add address=192.168.12.0/24 comment=servers gateway=192.168.12.1
add address=192.168.30.0/24 comment="smart home" gateway=192.168.30.1
add address=192.168.100.0/24 comment=users gateway=192.168.100.1
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=192.168.12.0/24 list=Servers
add address=192.168.100.0/24 list=Users
add address=192.168.30.0/24 list=SmartHome
add address=192.168.12.0/24 list=LAN
add address=192.168.30.0/24 list=LAN
add address=192.168.10.0/24 list=LAN
add address=192.168.100.0/24 list=LAN
add address=88.203.229.253 list=Svetulcho
add address=192.168.10.250 comment="admin local" list=Authorized
add address=192.168.30.250 comment="admin wifi" list=Authorized
add address=10.10.20.2 comment="admin remote wireguard" list=Authorized
add address=10.10.20.3 comment="admin remote ios wireguard" list=Authorized
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow access from LAN to Plex" \
dst-address=192.168.12.140 dst-port=32400 protocol=tcp src-address-list=\
LAN
add action=accept chain=forward in-interface-list=MGMT out-interface-list=LAN \
src-address-list=Authorized
add action=accept chain=forward comment="port forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
add action=accept chain=input comment=\
"accept established, related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="wireguard handshake" dst-port=14567 \
protocol=udp
add action=accept chain=input comment="wireguard handshake" dst-port=14567 \
protocol=udp
add action=accept chain=input in-interface-list=MGMT src-address-list=\
Authorize
add action=accept chain=input comment="users to services" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether8-WAN-Static
add action=dst-nat chain=dstnat comment="port 443 to nginx proxy" dst-port=\
443 in-interface=ether8-WAN-Static protocol=tcp to-addresses=\
192.168.12.254 to-ports=443
add action=dst-nat chain=dstnat comment="port 32400 to Plex" dst-port=32400 \
in-interface=ether8-WAN-Static protocol=tcp to-addresses=192.168.12.140 \
to-ports=32400
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=XXX.XXX.32.1 routing-table=main \
suppress-hw-offload=no
/system clock
set time-zone-name=Europe
/system identity
set name=RB5009
/system note
set show-at-login=no
/tool sniffer
set filter-interface=ether2-LAN-Trunk
 
anav
Forum Guru
Posts: 19685
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: wireguard with vlan bridge

Mon Apr 29, 2024 2:00 pm

Since your text does not match reality and the config is mixed up:
What is connected to each port?
ether1 ( unmanaged switch / managed switch / dumb AP / smart AP, dumb device like PC )?
ether2 ( unmanaged switch / managed switch / dumb AP / smart AP, dumb device like PC )?
ether3 ( unmanaged switch / managed switch / dumb AP / smart AP, dumb device like PC )?
ether4 ( unmanaged switch / managed switch / dumb AP / smart AP, dumb device like PC )?
ether7 ( unmanaged switch / managed switch / dumb AP / smart AP, dumb device like PC )?
 
lpetrov
just joined
Topic Author
Posts: 19
Joined: Sun Apr 28, 2024 8:19 pm

Re: wireguard with vlan bridge

Mon Apr 29, 2024 3:22 pm

Ports:
eth1 - unmanaged PoE switch. On the switch I have the smart home IP GW. I cannot change the VLAN on this device. I also have APs connected to VLAN 10. On the AP I have 5 GHz on VLAN 30 (smart home)
and 2.4 GHz on VLAN 100 (home users). VLAN 30 must be untagged.
eth2 - Proxmox. I need VLAN 20 (untagged) and VLAN 30.
eth3 - VLAN 30, backup IP GW for smart home devices.
eth4 - VLAN 10 MGMT (my computer).

VLANs:
VLAN 10 - MGMT VLAN, range 192.168.10.248/29 - access to LAN and WAN
VLAN 20 - Servers - access to WAN
VLAN 30 - Smart Home - access to WAN. Range 192.168.30.248/29 (Wi-Fi MGMT)
VLAN 100 - Users - access to WAN. Access to Plex 192.168.12.140:32400 and Home Assistant server 192.168.30.3:80
I need the WireGuard client to have access to LAN like VLAN 10.
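One way to express the per-VLAN policy listed in this post as a RouterOS forward chain, added here as an example and not taken from any post in the thread. It also answers the restriction question in the opening post. It assumes the interface lists LAN, WAN and MGMT and the address list Authorized from anav's reply already exist, and uses the addresses this post gives for Plex (192.168.12.140:32400) and Home Assistant (192.168.30.3:80); the address-list name Users is an assumption. The chain replaces the existing forward rules. Rules match first-hit, so the two Users exceptions sit above the final drop and nothing else lets Users, Servers or Smart Home cross into another VLAN; if the whole 192.168.10.248/29 admin range should reach every LAN, add it to Authorized.

```routeros
# Added example, not from the thread. Assumed: interface lists LAN/WAN/MGMT
# and address list Authorized exist; service addresses as posted.

/ip firewall address-list
add list=Users address=192.168.100.0/24 comment="VLAN 100"

/ip firewall filter
# Connection state first: fasttrack and accept established/related, drop invalid.
add chain=forward action=fasttrack-connection connection-state=established,related \
    hw-offload=yes comment="fasttrack"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"

# Every VLAN and the tunnel may reach the internet.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="LAN to WAN"

# VLAN 10 admins and authorized tunnel peers reach every other LAN.
add chain=forward action=accept in-interface-list=MGMT src-address-list=Authorized \
    out-interface-list=LAN comment="MGMT and WireGuard admins to all LANs"

# The only two things Users may reach outside their own VLAN.
add chain=forward action=accept src-address-list=Users dst-address=192.168.12.140 \
    protocol=tcp dst-port=32400 comment="Users to Plex"
add chain=forward action=accept src-address-list=Users dst-address=192.168.30.3 \
    protocol=tcp dst-port=80 comment="Users to Home Assistant"

# Services published by dst-nat (nginx :443, Plex :32400), only from the WAN side.
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=WAN \
    comment="port forwarding"

# Everything else between VLANs (Users->Servers, Servers->SmartHome, ...) is dropped.
add chain=forward action=drop comment="Drop all else"
```

Because the fasttrack rule is first, only the opening packet of each flow walks the rest of the chain; the reply direction of an accepted Users-to-Plex connection is covered by established/related and needs no reverse rule. Servers and Smart Home get no rule towards other VLANs at all, which is what "access to WAN" only means here.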
 
mozerd
Forum Veteran
Posts: 897
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: wireguard with vlan bridge

Mon Apr 29, 2024 3:47 pm

... what is valid is what traffic your users and yourself as admin need.
Excellent stuff
......
anav
STOP in the name of coding

And in keeping with your outstanding direction, why is it so hard for you to use code tags, which make it far easier to follow each of your coded steps ... then perhaps the people you are helping would follow your direction by also using code tags for their code :D
 
anav
Forum Guru
Posts: 19685
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: wireguard with vlan bridge

Mon Apr 29, 2024 4:08 pm

I cannot help further as I don't support using an unmanaged switch for multiple VLANs. Hopefully somebody else will.
 
jaclaz
Forum Veteran
Posts: 740
Joined: Tue Oct 03, 2023 4:21 pm

Re: wireguard with vlan bridge

Mon Apr 29, 2024 4:11 pm

I cannot help further as I don't support using an unmanaged switch for multiple VLANs.
Conscientious objector? :shock:
 
anav
Forum Guru
Posts: 19685
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: wireguard with vlan bridge

Mon Apr 29, 2024 4:13 pm

I cannot guarantee success when out of my element ....... same with CAPsMAN, IPv6 etc. ..............
 
lpetrov
just joined
Topic Author
Posts: 19
Joined: Sun Apr 28, 2024 8:19 pm

Re: wireguard with vlan bridge

Mon Apr 29, 2024 4:19 pm

I cannot help further as I don't support using an unmanaged switch for multiple VLANs. Hopefully somebody else will.
Please, can you reconsider? I followed your instructions and now I'm stuck in the middle. In my case the unmanaged switch is not the problem. The VLANs are passed through. Disregard the switch setup. Please, I need help with FW and WG. Thanks.
 
anav
Forum Guru
Posts: 19685
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: wireguard with vlan bridge

Mon Apr 29, 2024 5:08 pm

Okay, so let's say the VLANs are all visible on the unmanaged switch; I can pretend that, LOL.
In any case the unmanaged switch needs to be passed as untagged, and thus the port would have to be considered a hybrid port.

That is for ether1;
what is the case for:
ether2 - also appears to be asking for hybrid, one untagged and one tagged; assuming your Proxmox can handle it, okay, fair enough
ether3 - appears to be an access port, one untagged VLAN
ether4 - appears to be a true access port, only one untagged VLAN
Last edited by anav on Mon Apr 29, 2024 7:09 pm, edited 2 times in total.
 
anav
Forum Guru
Posts: 19685
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: wireguard with vlan bridge

Mon Apr 29, 2024 5:09 pm

STOP in the name of coding

And in keeping with your outstanding direction, why is it so hard for you to use code tags, which make it far easier to follow each of your coded steps ... then perhaps the people you are helping would follow your direction by also using code tags for their code :D

I am doing you a favour, building up your scroll wheel finger ;-P
 
anav
Forum Guru
Posts: 19685
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: wireguard with vlan bridge

Mon Apr 29, 2024 7:41 pm

MODIFIED NAMES TO MAKE SENSE
/interface ethernet
set [ find default-name=ether1 ] comment="POE swith /wi-fi" name=ether1-LAN-Hybrid
set [ find default-name=ether2 ] comment="proxmox" name=ether2-LAN-Hybrid
set [ find default-name=ether3 ] comment="ABB IPS 2.1" name=ether3-LAN-Access
set [ find default-name=ether4 ] name=ether4-LAN
set [ find default-name=ether7 ] comment="mngmnt" name=ether7-LAN-mngmnt
set [ find default-name=ether8 ] name=ether8-WAN-Static
set [ find default-name=sfp-sfpplus1 ] disabled=yes
...

FIXED
/interface bridge port
add bridge=br-Uplink comment="unmanaged switch poe"  interface=ether1-LAN-Hybrid  pvid=30
add bridge=br-Uplink comment="proxmox" interface=ether2-LAN-Hybrid pvid=20
add bridge=br-Uplink comment="ABB IPS" ingress-filtering=yes frame-types=\
admit-only-untagged-and-priority-tagged interface=ether3-LAN-Access pvid=\
30
add bridge=br-Uplink comment="office(right socket)" ingress-filtering=yes frame-types=\
admit-only-untagged-and-priority-tagged interface=ether4-LAN pvid=10
add bridge=br-Uplink comment="unknown" ingress-filtering=yes frame-types=\
admit-only-untagged-and-priority-tagged interface=ether7-LAN-mngmnt pvid=10
....

/interface bridge vlan
add bridge=br-Uplink tagged=br-Uplink,ether1-LAN-Hybrid,ether2-LAN-Hybrid \
untagged=ether4-LAN,ether7-LAN-mngmnt vlan-ids=10
add bridge=br-Uplink tagged=br-Uplink,ether1-LAN-Hybrid untagged=ether2-LAN-Hybrid vlan-ids=20
add bridge=br-Uplink tagged=br-Uplink,ether2-LAN-Hybrid untagged=\
ether1-LAN-Hybrid,ether3-LAN-Access vlan-ids=30
add bridge=br-Uplink tagged=br-Uplink,ether1-LAN-Hybrid,ether2-LAN-Hybrid vlan-ids=100

FOR FILTER RULES: YOU HAVE A DUPLICATE input chain rule for wireguard, get rid of one of them!
/ip firewall filter
add action=accept chain=input in-interface-list=MGMT src-address-list=\
Authorized
 
lpetrov
just joined
Topic Author
Posts: 19
Joined: Sun Apr 28, 2024 8:19 pm

Re: wireguard with vlan bridge

Mon Apr 29, 2024 8:14 pm

Thank you for your help. I followed the instructions.
My current problems are:
how to setup wireguard client to be a part of MGMT and setup GW?
how to give access to MGMT VLAN to all other VLANS?
Config after changes:
# 2024-04-29 20:18:58 by RouterOS 7.14.1
# software id = YDH9-P57P
#
# model = RB5009UG+S+

/interface bridge
add name=br-Uplink port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="POE swith /wi-fi" name=\
ether1-LAN-Hybrid
set [ find default-name=ether2 ] comment=proxmox name=ether2-LAN-Hybrid
set [ find default-name=ether3 ] comment="ABB IPS 2.1" name=ether3-LAN-Access
set [ find default-name=ether4 ] name=ether4-LAN
set [ find default-name=ether7 ] comment=mngmnt name=ether7-LAN-mngmnt
set [ find default-name=ether8 ] name=ether8-WAN-Static
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireguard
add listen-port=14567 mtu=1420 name=wireguard1
/interface vlan
add comment="Management VLAN" interface=br-Uplink name=Management-10 vlan-id=\
10
add comment="Smart Home VLAN" interface=br-Uplink name="Smart Home-30" \
vlan-id=30
add comment="Users VLAN" interface=br-Uplink name=Users-100 vlan-id=100
add comment="Servers VLAN" interface=br-Uplink name=vlan20-Servers vlan-id=20
/interface list
add name=LAN
add name=WAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_management_pool ranges=192.168.10.242-192.168.10.249
add name=dhcp_users_pool ranges=192.168.100.100-192.168.100.249
add name=dhcp_smarthome_pool ranges=192.168.30.100-192.168.30.249
add name=dhcp_servers_pool ranges=192.168.12.242-192.168.12.254
/ip dhcp-server
add address-pool=dhcp_management_pool interface=Management-10 name=\
dhcp-management
add address-pool=dhcp_users_pool interface=Users-100 name=dhcp-users
add address-pool=dhcp_smarthome_pool interface="Smart Home-30" name=\
"dhcp-smart home"
add address-pool=dhcp_servers_pool interface=vlan20-Servers name=dhcp-servers
/interface bridge port
add bridge=br-Uplink comment="unmanaged switch poe" interface=\
ether1-LAN-Hybrid internal-path-cost=10 path-cost=10 pvid=30
add bridge=br-Uplink comment=proxmox interface=ether2-LAN-Hybrid pvid=20
add bridge=br-Uplink comment="ABB IPS" frame-types=\
admit-only-untagged-and-priority-tagged interface=ether3-LAN-Access pvid=\
30
add bridge=br-Uplink comment="office(right socket)" frame-types=\
admit-only-untagged-and-priority-tagged interface=ether4-LAN pvid=10
add bridge=br-Uplink comment=unknown frame-types=\
admit-only-untagged-and-priority-tagged interface=ether7-LAN-mngmnt pvid=\
10
/ip firewall connection tracking
set udp-timeout=10s
/interface bridge vlan
add bridge=br-Uplink tagged=ether2-LAN-Hybrid,br-Uplink untagged=\
ether1-LAN-Hybrid,ether3-LAN-Access vlan-ids=30
add bridge=br-Uplink comment="wifi users" tagged=\
ether1-LAN-Hybrid,br-Uplink,ether2-LAN-Hybrid vlan-ids=100
add bridge=br-Uplink tagged=ether1-LAN-Hybrid,br-Uplink,ether2-LAN-Hybrid \
vlan-ids=10
add bridge=br-Uplink tagged=ether1-LAN-Hybrid,br-Uplink untagged=\
ether2-LAN-Hybrid vlan-ids=20
/interface list member
add interface=ether8-WAN-Static list=WAN
add interface=Management-10 list=LAN
add interface=br-Uplink list=LAN
add interface=Users-100 list=LAN
add interface=wireguard1 list=LAN
add interface=wireguard1 list=MGMT
add interface=Management-10 list=MGMT
/interface wireguard peers
add allowed-address=10.10.20.2/32 client-address=10.10.20.2/32 client-dns=\
8.8.8.8 client-endpoint=XXX.XXX.32.41 endpoint-port=14567 interface=\
wireguard1 public-key="zAP+f8dzG9G0mgJVwPVWNbpbH6+SMTnZxVlVN+sjAQ0="
/ip address
add address=XXX.XXX.32.41/24 interface=ether8-WAN-Static network=XXX.XXX.32.0
add address=192.168.12.1/24 interface=vlan20-Servers network=192.168.12.0
add address=192.168.100.1/24 interface=Users-100 network=192.168.100.0
add address=192.168.10.1/24 interface=Management-10 network=192.168.10.0
add address=192.168.30.1/24 interface="Smart Home-30" network=192.168.30.0
add address=10.10.20.1/24 interface=wireguard1 network=10.10.20.0
/ip dhcp-server lease
add address=192.168.10.250 client-id=1:d8:d0:90:1b:5b:af comment=\
"Lubo Yoga Wired" mac-address=D8:D0:90:1B:5B:AF server=dhcp-management
add address=192.168.10.6 client-id=1:1c:61:b4:14:a0:2c comment=\
"TP Link EAP 615 Bedroom" mac-address=1C:61:B4:14:A0:2C server=\
dhcp-management
add address=192.168.10.5 client-id=1:1c:61:b4:14:a9:a8 comment=\
"TP Link EAP 615 Living Room" mac-address=1C:61:B4:14:A9:A8 server=\
dhcp-management
add address=192.168.100.204 client-id=1:48:a6:b8:7:73:e2 comment="Sonos ARC" \
mac-address=48:A6:B8:07:73:E2 server=dhcp-users
add address=192.168.100.249 client-id=1:72:70:2a:fe:13:ab comment=\
"iPad Living Room" mac-address=72:70:2A:FE:13:AB server=dhcp-users
add address=192.168.100.203 client-id=1:54:2a:1b:23:ee:38 comment="Sonos SUB" \
mac-address=54:2A:1B:23:EE:38 server=dhcp-users
add address=192.168.100.202 client-id=1:f0:f6:c1:c5:cf:d4 comment=\
"Sonos ERA 300" mac-address=F0:F6:C1:C5:CF:D4 server=dhcp-users
add address=192.168.100.201 client-id=1:f0:f6:c1:c5:cf:58 comment=\
"Sonos ERA 300" mac-address=F0:F6:C1:C5:CF:58 server=dhcp-users
add address=192.168.30.2 client-id=1:2:78:7f:7f:66:2e comment=\
"Home Assistant" mac-address=02:78:7F:7F:66:2E server="dhcp-smart home"
add address=192.168.30.205 client-id=1:64:d2:c4:e1:f5:dc comment=\
"Apple TV Bedroom - Wireless" mac-address=64:D2:C4:E1:F5:DC server=\
"dhcp-smart home"
add address=192.168.30.3 comment="ABB IPS2.1 (KNX)" mac-address=\
00:0C:DE:93:50:5A server="dhcp-smart home"
add address=192.168.30.250 client-id=1:b0:a4:60:9a:8c:1a comment=\
"YOGA camelot" mac-address=B0:A4:60:9A:8C:1A server="dhcp-smart home"
add address=192.168.100.250 client-id=1:b0:a4:60:9a:8c:1a comment=\
"YOGA castle" mac-address=B0:A4:60:9A:8C:1A server=dhcp-users
add address=192.168.30.4 client-id=1:0:24:6d:2:a6:6c comment=1HOME \
mac-address=00:24:6D:02:A6:6C server="dhcp-smart home"
add address=192.168.30.5 client-id=1:64:d2:c4:d4:fb:c7 comment=\
"Apple TV Bedroom - Wired" mac-address=64:D2:C4:D4:FB:C7 server=\
"dhcp-smart home"
/ip dhcp-server network
add address=192.168.10.0/24 comment=mngmt gateway=192.168.10.1
add address=192.168.12.0/24 comment=servers gateway=192.168.12.1
add address=192.168.30.0/24 comment="smart home" gateway=192.168.30.1
add address=192.168.100.0/24 comment=users gateway=192.168.100.1
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=192.168.12.0/24 list=Servers
add address=192.168.100.0/24 list=Users
add address=192.168.30.0/24 list=SmartHome
add address=192.168.12.0/24 list=LAN
add address=192.168.30.0/24 list=LAN
add address=192.168.10.0/24 list=LAN
add address=192.168.100.0/24 list=LAN
add address=88.203.229.253 list=Svetulcho
add address=192.168.10.250 comment="admin local" list=Authorized
add address=192.168.30.250 comment="admin wifi" list=Authorized
add address=10.10.20.2 comment="admin remote wireguard" list=Authorized
add address=10.10.20.3 comment="admin remote ios wireguard" list=Authorized
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow access from LAN to Plex" \
dst-address=192.168.12.140 dst-port=32400 protocol=tcp src-address-list=\
LAN
add action=accept chain=forward in-interface-list=MGMT out-interface-list=LAN \
src-address-list=Authorized
add action=accept chain=forward comment="port forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
add action=accept chain=input comment=\
"accept established, related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="wireguard handshake" dst-port=14567 \
protocol=udp
add action=accept chain=input in-interface-list=MGMT src-address-list=\
Authorize
add action=accept chain=input comment="users to services" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether8-WAN-Static
add action=dst-nat chain=dstnat comment="port 443 to nginx proxy" dst-port=\
443 in-interface=ether8-WAN-Static protocol=tcp to-addresses=\
192.168.12.254 to-ports=443
add action=dst-nat chain=dstnat comment="port 32400 to Plex" dst-port=32400 \
in-interface=ether8-WAN-Static protocol=tcp to-addresses=192.168.12.140 \
to-ports=32400
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=XXX.XXX.32.1 routing-table=main \
suppress-hw-offload=no
/system clock
set time-zone-name=Europe
/system identity
set name=RB5009
/system note
set show-at-login=no
/tool sniffer
set filter-interface=ether2-LAN-Hybrid
 
anav
Forum Guru
Posts: 19685
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard with vlan bridge

Mon Apr 29, 2024 8:36 pm

(1) For Allowed IPs for your remote peer, remove the unnecessary stuff; it should look like:

/interface wireguard peers
add allowed-address=10.10.20.2/32 interface=wireguard1 public-key="hidden"


(2) At client peer (at the client device ) for DNS put the interface of wireguard 10.10.20.1

(3) You already allow anyone on your authorized list to access the LAN by this rule.
add action=accept chain=forward in-interface-list=MGMT out-interface-list=LAN \
src-address-list=Authorized


Everything looks good.
 
lpetrov
just joined
Topic Author
Posts: 19
Joined: Sun Apr 28, 2024 8:19 pm

Re: wireguard with vlan bridge

Mon Apr 29, 2024 8:46 pm

here are the current issues:
VLAN 30 has no internet access, not sure about VLAN 20
under network adapters WG client NIC doesn't have GW set
My IP is 192.168.10.250, but I cannot access VLAN 20 and VLAN 30
 
anav
Forum Guru
Posts: 19685
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard with vlan bridge

Mon Apr 29, 2024 9:25 pm

As I said, when you mess with standards ( trying to use an unmanaged switch for vlans ) results are not predictable, and that is why I prefer not to get involved.


Smarthome30 or vlan30 does not have internet because you didn't give it LAN membership!!

/interface list member
add interface=ether8-WAN-Static list=WAN
add interface=Management-10 list=LAN
add interface=br-Uplink list=LAN <----- GET RID OF THIS
add interface="Smart Home-30" list=LAN ADD THIS
add interface=vlan20-Servers list=LAN ADD THIS
add interface=Users-100 list=LAN
add interface=wireguard1 list=LAN
add interface=wireguard1 list=MGMT
add interface=Management-10 list=MGMT
 
anav
Forum Guru
Posts: 19685
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard with vlan bridge

Mon Apr 29, 2024 9:36 pm

Don't understand this comment, can you explain in more detail please.
under network adapters WG client NIC doesn't have GW set

The WG client device needs the following:
Create a WG interface and provide a public key (this key goes on the MikroTik device, in the peer entry alongside the allowed IPs, as the peer public key).
It will also include an IP address and an interface name, which could be wgremote1.

Under its allowed IPs you want either
allowed-addresses=10.10.20.0/24,subnet1,subnet2,subnet3 endpoint-address=X.X.X.X endpoint-port=14567
persistent-keep-alive=35s interface=wgremote1 public-key=" ..public key generated by mt router goes here "


(where subnets represents the subnets you wish the user to be able to reach on the router)

If you want the remote client to be able to access the internet via your router as well, then this changes to:
allowed-address=0.0.0.0/0 endpoint-address=X.X.X.X endpoint-port=14567
persistent-keep-alive=35s interface=wgremote1 public-key=" ..public key generated by mt router goes here "



+++++++++++++
In other words the peer device does not have a gateway to setup for wireguard.
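What anav lays out in this post is WireGuard's cryptokey routing: AllowedIPs on the client decides which destinations enter the tunnel, and allowed-address on the router both routes replies to the right peer and acts as a source-address filter on what that peer may send. The Python below is an added example, not code from this thread or from MikroTik; the peer tables are constructed to mirror the addresses on this page, and the peer labels (lubo-yoga, ios, rb5009) are just names for the illustration.

```python
"""Cryptokey routing as WireGuard applies it, for the addresses in this thread.

AllowedIPs plays two roles: on egress it decides which peer (if any) a packet
for a destination is encrypted to; on ingress it is the source-address filter,
so a decrypted packet is dropped unless its source maps back to the peer it
arrived from.  The peer tables below are constructed to mirror the thread.
"""
import ipaddress

# Router side (wireguard1 is 10.10.20.1/24): one /32 per remote client.
ROUTER_PEERS = {
    "lubo-yoga": ["10.10.20.2/32"],
    "ios": ["10.10.20.3/32"],
}
# Client side, full tunnel: what the poster ended up with after dropping ::/0.
CLIENT_FULL = {"rb5009": ["0.0.0.0/0"]}
# Client side, split tunnel: only the tunnel subnet and the VLANs behind it.
CLIENT_SPLIT = {"rb5009": ["10.10.20.0/24", "192.168.10.0/24",
                           "192.168.12.0/24", "192.168.30.0/24"]}


def build_table(peers):
    """(network, peer) entries sorted longest prefix first, which is the
    order WireGuard's allowed-IPs trie resolves a lookup in."""
    table = [(ipaddress.ip_network(net), peer)
             for peer, nets in peers.items() for net in nets]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, address):
    """Peer owning the most specific allowed-IP entry covering address, or None."""
    addr = ipaddress.ip_address(address)
    for net, peer in table:
        if net.version == addr.version and addr in net:
            return peer
    return None


def select_peer(table, dst):
    """Egress: the peer a packet for dst is encrypted to.  None means the packet
    is not tunnelled at all and leaves over the normal interface (this is how
    IPv6 escapes a client that lists only 0.0.0.0/0)."""
    return lookup(table, dst)


def accept_ingress(table, from_peer, src):
    """Ingress: accept only if src resolves to the very peer that sent it, so a
    client can neither impersonate another peer's /32 nor source LAN addresses."""
    return lookup(table, src) == from_peer
```

The ingress check is why one /32 per peer on the router side matters: a peer that tries to source another peer's 10.10.20.x, or a LAN address, is dropped before the firewall ever sees the packet. The IPv6 lookup shows the flip side of listing only 0.0.0.0/0 on the client: IPv6 traffic is not tunnelled and leaves over the client's normal interface, which only matters if the client has IPv6 connectivity in the first place.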
 
lpetrov
just joined
Topic Author
Posts: 19
Joined: Sun Apr 28, 2024 8:19 pm

Re: wireguard with vlan bridge

Mon Apr 29, 2024 10:03 pm

Thank you. Now I have access from all VLANs to internet.
The only problem is Wireguard. It is still not working. When I set up wireguard I followed these instructions: https://www.bgocloud.com/knowledgebase/ ... tocol.html
Maybe I missed something. I triple checked everything, but not sure what I'm doing wrong.
It seems that I'm able to connect to MK but I cannot ping anything on VLANs and also 10.10.20.1. When I checked network adapters in windows under wg I don't see gateway entry.
 
anav
Forum Guru
Posts: 19685
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard with vlan bridge

Mon Apr 29, 2024 11:39 pm

But you are not connecting to an MT CHR? That is for a cloud server.
You have your own MT and the user is connecting directly to the router.

In any case those are generic instructions, I have provided the same info.
What You need to provide is the client wireguard settings.
Post it all but just use KKKKKK for the keys and use X.X.X.X for the endpoint address in allowed IPs.
 
lpetrov
just joined
Topic Author
Posts: 19
Joined: Sun Apr 28, 2024 8:19 pm

Re: wireguard with vlan bridge

Tue Apr 30, 2024 1:00 pm

I think I figured out the WG setup.
Now I have following question. My nginx proxy is at 192.168.12.254
What FW rule I have to create in order to expose this proxy to internet?
Last edited by lpetrov on Tue Apr 30, 2024 1:53 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19685
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard with vlan bridge

Tue Apr 30, 2024 1:49 pm

Just 0.0.0.0/0 not sure what the other noise is after it.

Also missing persistent-keep-alive setting whatever it looks like on the client device.
 
anav
Forum Guru
Posts: 19685
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard with vlan bridge

Tue Apr 30, 2024 1:51 pm

Post your config again but use code tags around it. The black square with white brackets inside it, on the same line as Bold and Underline etc....
 
lpetrov
just joined
Topic Author
Posts: 19
Joined: Sun Apr 28, 2024 8:19 pm

Re: wireguard with vlan bridge

Tue Apr 30, 2024 1:55 pm

I think I figured out the WG setup.
Now I have following questions.
My nginx proxy is at 192.168.12.254 port 443
My Plex server is at 192.168.12.140 port 32400
What FW rules I have to create in order to expose them to internet?

From WG client how to access Winbox?
 
lpetrov
just joined
Topic Author
Posts: 19
Joined: Sun Apr 28, 2024 8:19 pm

Re: wireguard with vlan bridge

Tue Apr 30, 2024 3:04 pm

[Interface]
PrivateKey = KKKKKK
Address = 10.10.20.2/32
DNS = 8.8.8.8

[Peer]
PublicKey = KKKKKKKKK
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = XXX.XXX.XXX.XXX:14567
 
anav
Forum Guru
Posts: 19685
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard with vlan bridge

Tue Apr 30, 2024 4:02 pm

Why do you still have 0.0.0.0/0, ::/0
Should be just
0.0.0.0/0

I meant the router config in code blocks LOL.
Your wireguard should already be able to reach the router via winbox.
Simply connect to the tunnel as you normally do.
Then open winbox on the client device and at the top put the particulars as follows:
10.10.20.1:winbox port

You have port forwarding already setup and they should be reachable now.
 
lpetrov
just joined
Topic Author
Posts: 19
Joined: Sun Apr 28, 2024 8:19 pm

Re: wireguard with vlan bridge

Tue Apr 30, 2024 6:07 pm

Actually, right now only way to connect to MK with winbox is with MAC address. I removed ::/0 for wg client. You're right. - port forwarding is working just fine.
 
anav
Forum Guru
Posts: 19685
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard with vlan bridge

Tue Apr 30, 2024 6:48 pm

Not correct. If you are behind your router, instead of the MAC address
type in the interface address you are on:

192.168.10.1:winboxport

and you should gain access to the config.


Open winbox see the available devices down below and the IP address shown.
Use that IPaddress and the winbox port as per the example above...


+++++++++++++++++++++++++++++
okay add a few things to the config.

/ip neighbor discovery-settings
set discover-interface-list=MGMT


Then try again.
If not then add the following

/tool mac-server mac-winbox
set allowed-interface-list=MGMT
 
lpetrov
just joined
Topic Author
Posts: 19
Joined: Sun Apr 28, 2024 8:19 pm

Re: wireguard with vlan bridge

Wed May 01, 2024 9:56 am

I added both lines. No luck.
Here is the current configuration:
# 2024-05-01 09:49:50 by RouterOS 7.14.1
# software id = YDH9-P57P
#
# model = RB5009UG+S+

/interface bridge
add name=br-Uplink port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="POE swith /wi-fi" name=\
    ether1-LAN-Hybrid
set [ find default-name=ether2 ] comment=proxmox name=ether2-LAN-Hybrid
set [ find default-name=ether3 ] comment="ABB IPS 2.1" name=ether3-LAN-Access
set [ find default-name=ether4 ] name=ether4-LAN
set [ find default-name=ether7 ] comment=mngmnt name=ether7-LAN-mngmnt
set [ find default-name=ether8 ] name=ether8-WAN-Static
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireguard
add listen-port=14567 mtu=1420 name=wireguard1
/interface vlan
add comment="Management VLAN" interface=br-Uplink name=Management-10 vlan-id=\
    10
add comment="Smart Home VLAN" interface=br-Uplink name="Smart Home-30" \
    vlan-id=30
add comment="Users VLAN" interface=br-Uplink name=Users-100 vlan-id=100
add comment="Servers VLAN" interface=br-Uplink name=vlan20-Servers vlan-id=20
/interface list
add name=LAN
add name=WAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_management_pool ranges=192.168.10.242-192.168.10.249
add name=dhcp_users_pool ranges=192.168.100.100-192.168.100.249
add name=dhcp_smarthome_pool ranges=192.168.30.100-192.168.30.249
add name=dhcp_servers_pool ranges=192.168.12.242-192.168.12.254
/ip dhcp-server
add address-pool=dhcp_management_pool interface=Management-10 name=\
    dhcp-management
add address-pool=dhcp_users_pool interface=Users-100 name=dhcp-users
add address-pool=dhcp_smarthome_pool interface="Smart Home-30" name=\
    "dhcp-smart home"
add address-pool=dhcp_servers_pool interface=vlan20-Servers name=dhcp-servers
/interface bridge port
add bridge=br-Uplink comment="unmanaged switch poe" interface=\
    ether1-LAN-Hybrid internal-path-cost=10 path-cost=10 pvid=30
add bridge=br-Uplink comment=proxmox interface=ether2-LAN-Hybrid pvid=20
add bridge=br-Uplink comment="ABB IPS" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3-LAN-Access pvid=\
    30
add bridge=br-Uplink comment="office(right socket)" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4-LAN pvid=10
add bridge=br-Uplink comment=unknown frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether7-LAN-mngmnt pvid=\
    10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=br-Uplink tagged=ether2-LAN-Hybrid,br-Uplink untagged=\
    ether1-LAN-Hybrid,ether3-LAN-Access vlan-ids=30
add bridge=br-Uplink comment="wifi users" tagged=\
    ether1-LAN-Hybrid,br-Uplink,ether2-LAN-Hybrid vlan-ids=100
add bridge=br-Uplink tagged=ether1-LAN-Hybrid,br-Uplink,ether2-LAN-Hybrid \
    vlan-ids=10
add bridge=br-Uplink tagged=ether1-LAN-Hybrid,br-Uplink untagged=\
    ether2-LAN-Hybrid vlan-ids=20
/interface list member
add interface=ether8-WAN-Static list=WAN
add interface=Management-10 list=LAN
add disabled=yes interface=br-Uplink list=LAN
add interface=Users-100 list=LAN
add interface=wireguard1 list=LAN
add interface=wireguard1 list=MGMT
add interface=Management-10 list=MGMT
add interface="Smart Home-30" list=LAN
add interface=vlan20-Servers list=LAN
/interface wireguard peers
add allowed-address=10.10.20.2/32 comment=lubo-yoga interface=wireguard1 \
    public-key="KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK"
add allowed-address=10.10.20.3/32 comment=ios interface=wireguard1 \
    public-key="KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK"
/ip address
add address=XXX.XXX.32.41/24 interface=ether8-WAN-Static network=XXX.XXX.32.0
add address=192.168.12.1/24 interface=vlan20-Servers network=192.168.12.0
add address=192.168.100.1/24 interface=Users-100 network=192.168.100.0
add address=192.168.10.1/24 interface=Management-10 network=192.168.10.0
add address=192.168.30.1/24 interface="Smart Home-30" network=192.168.30.0
add address=10.10.20.1/24 interface=wireguard1 network=10.10.20.0
/ip dhcp-server lease
add address=192.168.10.250 client-id=1:d8:d0:90:1b:5b:af comment=\
    "Lubo Yoga Wired" mac-address=D8:D0:90:1B:5B:AF server=dhcp-management
add address=192.168.10.6 client-id=1:1c:61:b4:14:a0:2c comment=\
    "TP Link EAP 615 Bedroom" mac-address=1C:61:B4:14:A0:2C server=\
    dhcp-management
add address=192.168.10.5 client-id=1:1c:61:b4:14:a9:a8 comment=\
    "TP Link EAP 615 Living Room" mac-address=1C:61:B4:14:A9:A8 server=\
    dhcp-management
add address=192.168.100.204 client-id=1:48:a6:b8:7:73:e2 comment="Sonos ARC" \
    mac-address=48:A6:B8:07:73:E2 server=dhcp-users
add address=192.168.100.249 client-id=1:72:70:2a:fe:13:ab comment=\
    "iPad Living Room" mac-address=72:70:2A:FE:13:AB server=dhcp-users
add address=192.168.100.203 client-id=1:54:2a:1b:23:ee:38 comment="Sonos SUB" \
    mac-address=54:2A:1B:23:EE:38 server=dhcp-users
add address=192.168.100.202 client-id=1:f0:f6:c1:c5:cf:d4 comment=\
    "Sonos ERA 300" mac-address=F0:F6:C1:C5:CF:D4 server=dhcp-users
add address=192.168.100.201 client-id=1:f0:f6:c1:c5:cf:58 comment=\
    "Sonos ERA 300" mac-address=F0:F6:C1:C5:CF:58 server=dhcp-users
add address=192.168.30.2 client-id=1:2:78:7f:7f:66:2e comment=\
    "Home Assistant" mac-address=02:78:7F:7F:66:2E server="dhcp-smart home"
add address=192.168.30.205 client-id=1:64:d2:c4:e1:f5:dc comment=\
    "Apple TV Bedroom - Wireless" mac-address=64:D2:C4:E1:F5:DC server=\
    "dhcp-smart home"
add address=192.168.30.3 comment="ABB IPS2.1 (KNX)" mac-address=\
    00:0C:DE:93:50:5A server="dhcp-smart home"
add address=192.168.30.250 client-id=1:b0:a4:60:9a:8c:1a comment=\
    "YOGA camelot" mac-address=B0:A4:60:9A:8C:1A server="dhcp-smart home"
add address=192.168.100.250 client-id=1:b0:a4:60:9a:8c:1a comment=\
    "YOGA castle" mac-address=B0:A4:60:9A:8C:1A server=dhcp-users
add address=192.168.30.4 client-id=1:0:24:6d:2:a6:6c comment=1HOME \
    mac-address=00:24:6D:02:A6:6C server="dhcp-smart home"
add address=192.168.30.5 client-id=1:64:d2:c4:d4:fb:c7 comment=\
    "Apple TV Bedroom - Wired" mac-address=64:D2:C4:D4:FB:C7 server=\
    "dhcp-smart home"
/ip dhcp-server network
add address=192.168.10.0/24 comment=mngmt gateway=192.168.10.1
add address=192.168.12.0/24 comment=servers gateway=192.168.12.1
add address=192.168.30.0/24 comment="smart home" gateway=192.168.30.1
add address=192.168.100.0/24 comment=users gateway=192.168.100.1
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=192.168.12.0/24 list=Servers
add address=192.168.100.0/24 list=Users
add address=192.168.30.0/24 list=SmartHome
add address=192.168.12.0/24 list=LAN
add address=192.168.30.0/24 list=LAN
add address=192.168.10.0/24 list=LAN
add address=192.168.100.0/24 list=LAN
add address=88.203.229.253 list=Svetulcho
add address=192.168.10.250 comment="admin local" list=Authorized
add address=192.168.30.250 comment="admin wifi" list=Authorized
add address=10.10.20.2 comment="admin remote wireguard" list=Authorized
add address=10.10.20.3 comment="admin remote ios wireguard" list=Authorized
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow access from LAN to Plex" \
    dst-address=192.168.12.140 dst-port=32400 protocol=tcp src-address-list=\
    LAN
add action=accept chain=forward in-interface-list=MGMT out-interface-list=LAN \
    src-address-list=Authorized
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
add action=accept chain=input comment=\
    "accept established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="wireguard handshake" dst-port=14567 \
    protocol=udp
add action=accept chain=input comment="Access for MGMT" in-interface-list=\
    MGMT src-address-list=Authorize
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether8-WAN-Static
add action=dst-nat chain=dstnat comment="port 443 to nginx proxy" dst-port=\
    443 in-interface=ether8-WAN-Static protocol=tcp to-addresses=\
    192.168.12.254 to-ports=443
add action=dst-nat chain=dstnat comment="port 32400 to Plex" dst-port=32400 \
    in-interface=ether8-WAN-Static protocol=tcp to-addresses=192.168.12.140 \
    to-ports=32400
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=XXX.XXX.XXX.1 routing-table=main \
    suppress-hw-offload=no
/system clock
set time-zone-name=Europe/XXXXX
/system identity
set name=RB5009
/system note
set show-at-login=no
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/tool sniffer
set filter-interface=ether2-LAN-Hybrid
 
anav
Forum Guru
Posts: 19685
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard with vlan bridge

Wed May 01, 2024 4:00 pm

Nothing I can see......
 
lpetrov
just joined
Topic Author
Posts: 19
Joined: Sun Apr 28, 2024 8:19 pm

Re: wireguard with vlan bridge

Wed May 01, 2024 4:33 pm

Nothing I can see......
Misspelling in rule "Access for MGMT". Instead of Authorized it was Authorize

Thank you for your help. Now my FW rules are not messy as before.
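Two of the problems in this thread are the kind a script catches faster than a scroll wheel: an address-list name that is referenced but never populated (the "Authorize" typo makes the accept rule match nothing, so "Drop all else" wins, which is fail-closed here but would be fail-open if the typo sat in a drop rule), and a bridge VLAN table that does not line up with the bridge ports (the ether2-LAN-Trunk member in the FIXED table earlier in the thread names a port that no longer exists after the renames). The following linter is an added example, not code from this thread or from MikroTik. It handles RouterOS export line continuations and quoted values, assumes one vlan-id per bridge vlan entry as in this config, and its sample export is constructed to reproduce those states rather than copied from the posts.

```python
"""Lint a RouterOS export for the mistakes this thread ran into: names referenced
but never defined (an address-list typo makes an accept rule match nothing, so the
final drop wins) and a bridge VLAN table that disagrees with the ports' pvids."""
import shlex
from collections import defaultdict

def parse_export(text):
    """[(section, {param: value})] per add/set line; joins '\\' continuations."""
    lines, buf = [], ""
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith("#"):
            continue
        if s.endswith("\\"):          # continuation; may split a value mid-token
            buf += s[:-1]
            continue
        lines.append(buf + s)
        buf = ""
    entries, section = [], None
    for line in lines:
        if line.startswith("/"):
            section = line
            continue
        params = {}
        for tok in shlex.split(line):  # keeps "quoted values with spaces" whole
            if "=" in tok:
                key, value = tok.split("=", 1)
                params[key] = value
        entries.append((section, params))
    return entries

def lint(text):
    """Findings for an export; assumes one vlan-id per bridge vlan entry (as here)."""
    by = defaultdict(list)
    for section, params in parse_export(text):
        by[section].append(params)
    iface_lists = {p["name"] for p in by["/interface list"] if "name" in p}
    addr_lists = {p["list"] for p in by["/ip firewall address-list"] if "list" in p}
    bridges = {p["name"] for p in by["/interface bridge"] if "name" in p}
    ports = {p["interface"]: p for p in by["/interface bridge port"] if "interface" in p}
    out = []
    # 1. Dangling list references: an unknown list never matches anything.
    refs = (("src-address-list", addr_lists, "address-list"), ("dst-address-list", addr_lists, "address-list"),
            ("in-interface-list", iface_lists, "interface-list"), ("out-interface-list", iface_lists, "interface-list"))
    for section in ("/ip firewall filter", "/ip firewall nat", "/ip firewall mangle", "/ip firewall raw"):
        for p in by[section]:
            for key, defined, kind in refs:
                if key in p and p[key] not in defined:
                    out.append(f"{section} chain={p.get('chain')}: undefined {kind} '{p[key]}'")
    # 2. Bridge VLAN table: members must be bridge ports, an untagged member must carry that
    #    pvid, each pvid should be declared untagged, and the bridge must be tagged for every VLAN it routes.
    untagged_for, bridge_tagged = defaultdict(set), defaultdict(set)
    for p in by["/interface bridge vlan"]:
        vid = p.get("vlan-ids", "")
        tagged = set(filter(None, p.get("tagged", "").split(",")))
        untagged = set(filter(None, p.get("untagged", "").split(",")))
        for m in (tagged | untagged) - set(ports) - bridges:
            out.append(f"bridge vlan {vid}: '{m}' is not a bridge port")
        for m in untagged & set(ports):
            untagged_for[vid].add(m)
            if ports[m].get("pvid", "1") != vid:
                out.append(f"bridge vlan {vid}: '{m}' untagged here but pvid={ports[m].get('pvid', '1')}")
        bridge_tagged[vid] |= tagged & bridges
    for name, p in ports.items():
        if name not in untagged_for[p.get("pvid", "1")]:
            out.append(f"bridge port '{name}': pvid {p.get('pvid', '1')} not declared untagged in the vlan table")
    for p in by["/interface vlan"]:
        if p.get("interface") in bridges and p["interface"] not in bridge_tagged[p.get("vlan-id")]:
            out.append(f"interface vlan '{p.get('name')}': {p['interface']} not tagged for vlan {p.get('vlan-id')}")
    return out

# Constructed sample (not a real export) reproducing the states seen in this thread.
SAMPLE = r"""
/interface bridge
add name=br-Uplink vlan-filtering=yes
/interface vlan
add comment="Users VLAN" interface=br-Uplink name=Users-100 vlan-id=100
/interface list
add name=MGMT
/interface bridge port
add bridge=br-Uplink comment="unmanaged switch poe" interface=\
    ether1-LAN-Hybrid pvid=30
add bridge=br-Uplink comment=proxmox interface=ether2-LAN-Hybrid pvid=20
add bridge=br-Uplink comment="office(right socket)" interface=ether4-LAN pvid=10
/interface bridge vlan
add bridge=br-Uplink tagged=ether1-LAN-Hybrid,br-Uplink,ether2-LAN-Hybrid \
    vlan-ids=10
add bridge=br-Uplink tagged=ether1-LAN-Hybrid,br-Uplink untagged=\
    ether2-LAN-Hybrid vlan-ids=20
add bridge=br-Uplink tagged=br-Uplink,ether2-LAN-Trunk untagged=\
    ether1-LAN-Hybrid vlan-ids=30
/ip firewall address-list
add address=192.168.10.250 comment="admin local" list=Authorized
/ip firewall filter
add action=accept chain=input comment="Access for MGMT" in-interface-list=\
    MGMT src-address-list=Authorize
add action=drop chain=input comment="Drop all else"
"""
```

Run over the full configuration posted above, it also reports that the vlan-ids=10 entry declares no untagged members even though ether4-LAN and ether7-LAN-mngmnt carry pvid=10; anav's FIXED table listed them explicitly, while the posted one relies on the dynamic untagged membership RouterOS adds for a port's pvid, so that finding is about explicitness rather than breakage.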
 
anav
Forum Guru
Posts: 19685
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard with vlan bridge

Wed May 01, 2024 4:45 pm

Awesome, good catch, I thought I had found that earlier and thought I had put it in an earlier post but I often get distracted. :-(

add action=accept chain=input comment="Access for MGMT" in-interface-list=\
MGMT src-address-list=Authorize <---
 
lpetrov
just joined
Topic Author
Posts: 19
Joined: Sun Apr 28, 2024 8:19 pm

Re: wireguard with vlan bridge

Wed May 01, 2024 5:00 pm

Now, I'm facing new issue.
When I try to connect with Winbox to 192.168.30.1 from my wireless IP 192.168.30.250 I cannot. I double checked and this IP is listed under Authorized.:(
The other thing I discovered is that when connected with WG I can connect to MK with all IP's not only 10.10.20.1
 
anav
Forum Guru
Posts: 19685
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard with vlan bridge

Wed May 01, 2024 7:38 pm

If you are authorized, should be able to connect through any interface I imagine...............
NO guarantees on anything when using unmanaged switch LOL.
 
lpetrov
just joined
Topic Author
Posts: 19
Joined: Sun Apr 28, 2024 8:19 pm

Re: wireguard with vlan bridge

Wed May 01, 2024 11:09 pm

If you are authorized, should be able to connect through any interface I imagine...............
NO guarantees on anything when using unmanaged switch LOL.
I know that an unmanaged switch is a flaw. And it is easy to point at it as the culprit for all the problems. But this issue has nothing to do with it.
The problem is with the rule:
chain=input action=accept src-address-list=Authorized in-interface-list=MGMT log=no log-prefix=""
wi-fi is not part of MGMT.
In this case even if I had managed switch in place the issue would be the same.
I guess I will have to decide vulnerability vs convenience.

Anyway. Now my MK rules are more readable and logical.
Thank you very much for your help.
 
mozerd
Forum Veteran
Posts: 897
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: wireguard with vlan bridge

Wed May 01, 2024 11:40 pm

The problem is with the rule:
chain=input action=accept src-address-list=Authorized in-interface-list=MGMT log=no log-prefix=""
wi-fi is not part of MGMT.
I guess I will have to decide vulnerability vs convenience.
I have not looked at your config because I am far too lazy right now ….
The issue is not WiFi … the issue may be what RouterOS allows
So make sure that the ip address of your mgmt client is entered into
/ip/services/Winbox port/allowed ip’s
If it’s not entered there your Winbox client device will not be allowed
 
anav
Forum Guru
Posts: 19685
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard with vlan bridge

Thu May 02, 2024 1:37 am

You're speaking gibberish.
Wifi is not a thing, you have a number of vlans, those are real.
If you mean vlan30 smarthome etc........ then of course anyone on that network has no capability to access the config nor should they.
Folks should be in the managment vlan to do so.

So what you are really saying is that YOU as ADMIN are often in vlan30 logging in on your PC or more likely laptop and may want to config the router whilst in that Subnet.
Thus do two things.....
a. add that address ( static set DHCP lease )

/ip firewall address-list
..........
..........
add address=192.168.10.250 comment="admin local" list=Authorized
add address=192.168.30.250 comment="admin wifi" list=Authorized
add address=10.10.20.2 comment="admin remote wireguard" list=Authorized
add address=10.10.20.3 comment="admin remote ios wireguard" list=Authorized
add address=192.168.30.XX comment="admin while on smarthome" list=Authorized


b. Modify the input chain rule so less restrictive
from:
add action=accept chain=input comment="Access for MGMT" in-interface-list=\
MGMT src-address-list=Authorized

TO:
add action=accept chain=input comment="Access for admin" src-address-list=Authorized

One last step........
Ensure this is changed to LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN



You have to ask yourself is it worth it, just because you want to be able to be in vlan30 and make changes?
I would say why are you not on the home LAN using wifi or setup wifi for vlan10 the management vlan.
I dont quite understand the scenario...........


+++++++++++++++++++++++++
@mozerd. Like in anything else MT, without any entry, all is allowed. The OP has no entries in winbox service entry ( probably just default port ) and thus all IPs are allowed.
 
mozerd
Forum Veteran
Posts: 897
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: wireguard with vlan bridge

Thu May 02, 2024 11:14 am

@mozerd. Like in anything else MT, without any entry, all is allowed. The OP has no entries in winbox service entry ( probably just default port ) and thus all IPs are allowed.
You are so right ... thanks for the reminder ...
I like to use winbox service entry as an extra precaution for specific devices ... from my perspective just an extra layer of specific protection that is very nice to have ...
 
anav
Forum Guru
Posts: 19685
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard with vlan bridge

Thu May 02, 2024 3:20 pm

Concur, it depends how many layers is 'enough' for the particular scenario.
