I have a question: how do I route all traffic through the Cloudflare WireGuard VPN?
I followed this tutorial https://www.youtube.com/watch?v=2pFcVRaoscE, but when I add the mangle or routing rule, Winbox disconnects from the router and cannot reconnect via IP.
In that tutorial, the WireGuard traffic is only for a specific range of IP addresses, and some websites, like this forum, cannot be accessed.
I tried asking ChatGPT for help, but none of its answers worked. https://chatgpt.com/share/671ac348-32ac ... 0cbbb24294
==== ==== ==== ==== ==== ====
Winbox cannot connect through an IP address.
Winbox can connect through an IP address.
TP-Link switch VLAN configuration.
The .rsc config:
# 2024-10-25 05:18:02 by RouterOS 7.16.1
# software id = #
#
# model = RB941-2nD
# serial number = #
# Bridge with VLAN filtering enabled; vlan22 (guest) is tagged on bridge and
# bonding1 and untagged on wlan2 (see /interface bridge vlan further down).
/interface bridge
add admin-mac=# auto-mac=no comment=defconf \
ingress-filtering=no name=bridge port-cost-mode=short vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country=indonesia distance=indoors frequency=auto installation=indoor \
mode=ap-bridge ssid=Scale wireless-protocol=802.11
# Tunnel interface toward Cloudflare; MTU 1420 is what the MSS clamp in
# /ip firewall mangle is sized for.
/interface wireguard
add comment="Cloudflare WireGuard" listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add comment=guestconf interface=bridge name=vlan22 vlan-id=22
/interface bonding
add name=bonding1 slaves=ether3,ether4
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# NOTE(review): the default profile still accepts wpa-psk next to wpa2-psk;
# wpa2-psk alone is the stricter choice. The "guest" profile sets no
# authentication-types, so the "Scale Guest" SSID appears to be open — confirm
# that is intended.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
mode=dynamic-keys supplicant-identity=MikroTik
add eap-methods="" name=guest supplicant-identity=""
/interface wireless
add keepalive-frames=disabled mac-address=# master-interface=\
wlan1 multicast-buffering=disabled name=wlan2 security-profile=guest \
ssid="Scale Guest" wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=guest-dhcp ranges=192.168.84.2-192.168.84.8
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
add address-pool=guest-dhcp interface=vlan22 lease-time=10m name=guestconf
/queue simple
add max-limit=1M/1M name=queue-guest target=vlan22
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
# Second routing table used to steer selected traffic into wireguard1. It is
# only populated with the 0.0.0.0/0 route in /ip route below — it holds no
# connected/LAN routes.
/routing table
add comment="Cloudflare WireGuard" disabled=no fib name=to-Cloudflare
/interface bridge port
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no \
interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no \
interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no \
interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=pwr-line1 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1 \
internal-path-cost=10 path-cost=10
add bridge=bridge ingress-filtering=no interface=bonding1 internal-path-cost=\
10 path-cost=10
add bridge=bridge ingress-filtering=no interface=wlan2 internal-path-cost=10 \
path-cost=10 pvid=22
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=bridge,bonding1 untagged=wlan2 vlan-ids=22
# NOTE(review): wireguard1 is in neither WAN nor LAN, so the interface-list
# based filter rules below (input "drop all not coming from LAN", forward
# "drop all from WAN not DSTNATed") do not treat the tunnel as an untrusted
# side. Adding it to WAN makes the existing rules cover it.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
# NOTE(review): md5 is still listed as an accepted OVPN auth algorithm. The
# export does not show the OVPN server enabled; if it stays unused, leave it
# disabled, otherwise drop md5 from the list.
/interface ovpn-server server
set auth=sha1,md5
# allowed-address=0.0.0.0/0 lets any destination be sent to this peer; which
# traffic actually enters the tunnel is decided by the routing table/rules.
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="Cloudflare WireGuard" \
endpoint-address=engage.cloudflareclient.com endpoint-port=2408 \
interface=wireguard1 name="cloudflare wireguard" persistent-keepalive=35s \
public-key="#"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.84.1/28 comment=guestconf interface=vlan22 network=\
192.168.84.0
add address=192.168.100.100/24 comment=wan1 interface=ether1 network=\
192.168.100.0
add address=192.168.2.100/24 comment=wan2 interface=ether2 network=\
192.168.2.0
add address=172.16.0.2 comment="Cloudflare WireGuard" interface=wireguard1 \
network=172.16.0.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
add comment=defconf disabled=yes interface=ether2
/ip dhcp-server lease
add address=192.168.88.2 client-id=# mac-address=\
# server=defconf
add address=192.168.88.6 mac-address=# server=defconf
add address=192.168.88.3 client-id=# mac-address=\
# server=defconf
add address=192.168.88.4 client-id=# mac-address=\
# server=defconf
add address=192.168.88.5 mac-address=# server=defconf
/ip dhcp-server network
add address=192.168.84.0/28 comment=guestconf gateway=192.168.84.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
# allow-remote-requests=yes makes the router answer DNS for clients; the only
# thing keeping it from answering outside queries is the input-chain
# "drop all not coming from LAN" rule below.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
add address=192.168.100.1 name=wan1.logi.lo type=A
add address=192.168.2.1 name=wan2.logi.lo type=A
add address=192.168.88.6 name=stb1.logi.lo type=A
add address=127.0.0.1 name=stb2.logi.lo type=A
add address=192.168.88.4 name=eap1.logi.lo type=A
add address=192.168.100.254 name=cpe1.logi.lo type=A
add address=192.168.88.2 name=switch1.logi.lo type=A
add address=192.168.88.3 name=switch2.logi.lo type=A
add address=192.168.88.5 name=tlmr1.logi.lo type=A
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# NOTE(review): fasttracked connections skip the mangle chains. The current
# mangle rule only touches SYN packets, so this is fine today; if mangle
# routing-marks are added later for the tunnel, this rule will need to be
# restricted so marked traffic is not fasttracked — confirm before adding marks.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="guestconf: drop to ether2" \
in-interface=vlan22 out-interface=ether2
# MSS clamp for TCP SYNs leaving through the tunnel (MTU 1420 above).
/ip firewall mangle
add action=change-mss chain=forward comment="Cloudflare WireGuard" new-mss=\
1380 out-interface=wireguard1 passthrough=no protocol=tcp tcp-flags=syn \
tcp-mss=1381-65535
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Cloudflare WireGuard" \
out-interface=wireguard1
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip kid-control device
add mac-address=# name="Redmi-10C;2" user=""
add mac-address=# name="ESP-67B077;6" user=""
# Main table: recursive default via 8.8.8.8 over wan1 (ether1, distance 1),
# backup default via wan2 (ether2, distance 2).
/ip route
add check-gateway=ping comment=Recursive disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=8.8.8.8 routing-table=main scope=10 \
suppress-hw-offload=no target-scope=12
add check-gateway=ping comment=Main disabled=no distance=1 dst-address=\
8.8.8.8/32 gateway=192.168.100.1 routing-table=main scope=10 \
suppress-hw-offload=no target-scope=11
add check-gateway=ping comment=Backup disabled=no distance=2 dst-address=\
0.0.0.0/0 gateway=192.168.2.1 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
# The only route in to-Cloudflare: anything looked up exclusively in this
# table goes into wireguard1, including packets for 192.168.88.0/24 and
# 192.168.84.0/28, which have no connected route here.
add comment="Cloudflare WireGuard" disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=wireguard1 routing-table=to-Cloudflare scope=30 \
suppress-hw-offload=no target-scope=10
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
# NOTE(review): rules are evaluated top-down. The first rule has no src/dst
# match and forces lookup-only-in-table=main; depending on how min-prefix=0
# is evaluated it may match every packet, in which case the two to-Cloudflare
# rules are never reached — confirm by checking which rule is hit.
# Conversely, the src-address=192.168.88.0/24 rule also matches the router's
# own replies to LAN hosts (source 192.168.88.1) if routing rules apply to
# router-originated traffic; those would then be looked up only in
# to-Cloudflare (default route into wireguard1, no LAN route), which is a
# plausible cause of the Winbox disconnect. LAN-destined traffic needs a rule
# that resolves it in main before the to-Cloudflare rules — verify.
/routing rule
add action=lookup-only-in-table comment="Cloudflare WireGuard" disabled=no \
min-prefix=0 table=main
add action=lookup-only-in-table disabled=no src-address=192.168.88.0/24 \
table=to-Cloudflare
add action=lookup-only-in-table disabled=no src-address=192.168.84.0/28 \
table=to-Cloudflare
/system clock
set time-zone-name=Asia/Jakarta
/system note
set show-at-login=no
# NOTE(review): the reboot and dns-flush jobs run with the full policy set
# (ftp,password,sensitive,sniff,...). A reboot-only / write-only policy set
# should be enough for these two commands — least privilege; confirm on the
# device.
/system scheduler
add interval=2d name=reboot on-event="/system reboot" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2021-02-28 start-time=16:32:56
add interval=2h name="dns clear" on-event="/ip dns cache flush" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2021-02-28 start-time=16:35:12
add comment="trigger duckdns updater" interval=1m name="duckdns updater" \
on-event="/system script run duckdns" policy=read,write,policy,test \
start-time=startup
# DuckDNS updater, triggered every minute by the scheduler above. It compares
# the resolved hostname with /ip cloud public-address and only fetches the
# update URL when they differ; check-certificate=yes is set. The DuckDNS
# token is embedded in the script source (redacted here), so anyone who can
# read scripts on this router can read the token.
/system script
add comment="duckdns updater" dont-require-permissions=no name=duckdns owner=\
admin policy=read,write,policy,test source=":local resolvedIP [:resolve \"\
#.duckdns.org\"];\
\n:local currentIP [/ip cloud get public-address];\
\n:local currentIP [:pick \$currentIP 0 [:find \$currentIP \"/\"]];\
\n\
\n:if (\$resolvedIP != \$currentIP) do={\
\n :log info (\"Trying to update DuckDNS with actual IP \".\$currentIP.\
\", resolved IP is \".\$resolvedIP);\
\n :local response [/tool fetch url=(\"https://www.duckdns.org/update\?\
domains=#&token=\
\#&ip=\".\$currentIP) check-certificat\
e=yes as-value output=user];\
\n :if (\$response->\"status\" = \"finished\") do={\
\n :if (\$response->\"data\" = \"OK\") do={\
\n :log info (\"Successfully updated DuckDNS with new IP \".\$c\
urrentIP);\
\n } else={\
\n :log error (\"Failed to update DuckDNS with new IP \".\$curr\
entIP);\
\n }\
\n }\
\n}"
# MAC-telnet and MAC-Winbox limited to the LAN interface list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Any suggestions?
I'm still learning about networking, so forgive me if I make a lot of mistakes. Thanks!
My network configuration is shown in the attachments.