Frederick88
newbie
Topic Author

isolate and route vlan through gateway-wireguard only

Mon May 16, 2022 12:18 pm

I have read
viewtopic.php?t=182340&sid=884e4039a897 ... bc61032f3d
which was very well written and detailed, thank you.

However I'm still having trouble trying to set up a WG connection and isolate one of my LANs to use this gateway only.

Example of what I'm trying to do:
• create WG connection to WG server
• create new LAN (vlan5 192.168.90.1/24)
• enforce and restrict vlan5 to route through gateway-WG only (including DNS)
• restrict vlan1 to route through default eth1 ISP gateway only

So effectively,
LAN | GATEWAY
vlan1 > eth1 (ISP internet)
vlan5 > gateway-wg (WireGuard connection)

*Edit: changed vlan0 to vlan1. By "vlan1", I mean the default LAN.
Last edited by Frederick88 on Mon Apr 03, 2023 12:17 pm, edited 2 times in total.
 
anav
Forum Guru

Re: isolate and route vlan5 through gateway-wireguard only

Mon May 16, 2022 2:49 pm

Luv to help when you explain WTF vlan0 is??
Also unable to assist without the config?
/export file=anynameyouwish
 
Frederick88
newbie
Topic Author

Re: isolate and route vlan5 through gateway-wireguard only

Tue May 17, 2022 5:13 am

Luv to help when you explain WTF vlan0 is??
Also unable to assist without the config?
/export file=anynameyouwish
Thanks and sorry for bad terminology - by "vlan0" I mean the default LAN, which I guess should be called "vlan1"...

LAN 192.168.88.1/24 | native on ports eth2 to 10 | only use gateway of ISP connected to eth1 (default gateway)
LAN 192.168.90.1/24 | vlan5, tagged on ports eth5 & 10 | only use gateway of WG connection | also use different DNS address

What I'm struggling with is isolating 192.168.90.1/24 and routing all its traffic through gateway wireguard1 and have different DNS for this LAN also.
# may/17/2022 12:00:11 by RouterOS 7.2.3
# software id = 7869-1V7U
#
# model = RB4011iGS+
/interface bridge
add admin-mac=3B:E3:2F:36:FG:D7 auto-mac=no comment=defconf \
    ingress-filtering=no name=bridge vlan-filtering=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=vlan5 vlan-id=5
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp90 ranges=192.168.90.10-192.168.90.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=dhcp90 interface=vlan5 name=dhcp90
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
set default disabled=no output.network=bgp-networks
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=ether5 vlan-ids=5
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan5 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 endpoint-address=159.148.147.196 \
    endpoint-port=1637 interface=wireguard1 persistent-keepalive=15s \
    public-key="DLKDJFDLKFJDLJN+dUsOQfn+lkjdfdIENZNCDLANHGAJHKJKJ+hk="
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
add address=192.168.90.1/24 interface=vlan5 network=192.168.90.0
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
add address=192.168.90.0/24 dns-server=192.168.90.1 gateway=192.168.90.1
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query \
    verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=Xbox dst-port=80 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.88.244 to-ports=80
add action=dst-nat chain=dstnat dst-port=88 in-interface=ether1 protocol=udp \
    to-addresses=192.168.88.244 to-ports=88
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 protocol=\
    udp to-addresses=192.168.88.244 to-ports=3074
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.88.244 to-ports=3074
add action=dst-nat chain=dstnat dst-port=53 in-interface=ether1 protocol=udp \
    to-addresses=192.168.88.244 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.88.244 to-ports=53
add action=dst-nat chain=dstnat dst-port=500 in-interface=ether1 protocol=udp \
    to-addresses=192.168.88.244 to-ports=500
add action=dst-nat chain=dstnat dst-port=3544 in-interface=ether1 protocol=\
    udp to-addresses=192.168.88.244 to-ports=3544
add action=dst-nat chain=dstnat dst-port=4500 in-interface=ether1 protocol=\
    udp to-addresses=192.168.88.244 to-ports=4500
add action=dst-nat chain=dstnat dst-port=6672 in-interface=ether1 protocol=\
    udp to-addresses=192.168.88.244 to-ports=6672
add action=dst-nat chain=dstnat dst-port=61455-61458 in-interface=ether1 \
    protocol=udp to-addresses=192.168.88.244 to-ports=61455-61458
# IP 192.168.88.244 is statically set on the Xbox
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl disabled=no
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether9 type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=Australia/Melbourne
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=vlan5,ether5
 
Frederick88
newbie
Topic Author

Re: isolate and route vlan5 through gateway-wireguard only

Mon May 23, 2022 5:59 am

is what I'm trying to achieve, possible with RouterOS 7?
 
anav
Forum Guru

Re: isolate and route vlan5 through gateway-wireguard only

Mon May 23, 2022 2:29 pm

Quick answer=YES, the issue or question that should be asked ---> is the configurer capable ;-PPP

I am used to working with all vlans if working with any vlans, anything else gets confusing right quick.
For example what are ether5 and ether10 connected to? Smart devices and if so which model?

Personally I would have at least two vlans, one for normal LAN traffic, one for whatever you are sending to ether 5, and perhaps a third for management/trusted subnet etc.......

The config generally looks okay...

(1) Modify this to
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5,ether10 vlan-ids=5

(2) IP addresses MISSING WIREGUARD ADDRESS and need to modify other............
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.90.1/24 interface=vlan5 network=192.168.90.0
add address=??????? interface=wireguard1

(3) Error in your ICMP input chain rule: your comment is correct, the setting's wrong.
add action=drop chain=input comment="defconf: accept ICMP" protocol=icmp

add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

(4) Not convinced you fully grasp firewall rules, for example take these two rules.....
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN


One says allow all LAN,
The other says block all not coming from LAN
+++++++++++++++++++++++++++++++++++++++++++
Conclusion: there is overlap/redundancy. In fact you could drop the first rule with no change to outcome, however I advise otherwise.
Keep the first rule, it's fine. Modify the second rule, keeping it as the last rule in the input chain ..... to
add action=drop chain=input comment="drop all else"

The difference is it drops ALL traffic to the router, not just wan to lan but anything else not allowed. Better security and clearer ruleset.
When you transition eventually to only allowing the admin access to the router, you will be in good shape.

(5) I would do the same for the forward chain, take this rule and make it clearer and not trying to do double duty half-assed.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


The clear rule is
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
Followed by, as the last rule in the forward chain
add action=drop chain=forward comment="drop all else"

In this manner it's clear what the allow rule does for port forwarding and in the second rule you block ALL traffic not explicitly permitted by you!
This includes wan to lan, lan to wan and lan to lan. Much better security.

The blue colour clue is to tweak your thinking, and specifically if I have dropped all traffic as the last rule what traffic needs to be allowed ...........
answer ( placed above the last rule )
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN

(6) Too funny why do you have this setting?????
/tool mac-server mac-winbox
set allowed-interface-list=LAN


When you also have this setting!!
/ip service
set winbox disabled=yes


(7) Missing any IP routes...........
assuming you have one from your internet provider via IP DHCP client so it's auto created <DAC>?
 
anav
Forum Guru

Re: isolate and route vlan5 through gateway-wireguard only

Mon May 23, 2022 3:04 pm

In summary, need a config clean up and for wireguard, a bit more work.
What IP address did the third party provider give you for the router? I'm assuming they did,
let's say it's 10.10.20.3

then give yourself an IP address of 10.10.20.3/24 interface=wireguard1 etc.............
Since you want your LAN users to go out wireguard for internet you need two things.

a. firewall rule add chain=forward action=accept in-interface-list=LAN out-interface=wireguard1
b. a routing to force lan users out the wireguard tunnel instead of out the normal WANIP

/routing table add name=useWG1 fib
/routing rule add src-address=192.168.0.0/24 action=lookup table=useWG1

Your IP routes should look like something like
/ip routes
<DAC> distance=1 gateway=ISPgatewayIP table=main
distance=1 gateway=wireguard1 table=useWG1


To create the new route enter dst-address=0.0.0.0/0 gwy=wireguard1 table=useWG1

Note: the term lookup was used which means that if the wireguard tunnel is down for any reason the router will go to the main table and find the local WANIP for your users to use.
If you never wanted them to have a backup access to the local WANIP then select action=lookup-only-in-table on the routing rule.
Last edited by anav on Mon May 23, 2022 3:09 pm, edited 1 time in total.
 
anav
Forum Guru

Re: isolate and route vlan5 through gateway-wireguard only

Mon May 23, 2022 3:07 pm

Last item to have wireguard work.
Your LANIP has many IP addresses, none of them are related to the single IP address the third party provider gave you.
So when your lan users traffic reaches the other end of the tunnel, the third party provider will drop them ..................

Solution. Source nat. You need a second source nat rule that gives all traffic that is going to go out the tunnel, the source address that will be recognized at the other end, and we need to assign it on the way out the door so to speak.
add chain=srcnat action=masquerade out-interface=wireguard1
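Added here as a worked example (not code from this thread, from anav, or from MikroTik): a small Python audit that parses a RouterOS /export and checks the points raised in the two posts above, namely the lookup vs lookup-only-in-table fallback, the default route in the useWG1 table, the srcnat masquerade on wireguard1, the DNS path of the isolated subnet, and whether the input and forward chains end in an unconditional "drop all else". The embedded export fragment is constructed for illustration; the subnet, table and interface names follow the thread.

```python
import re
from collections import defaultdict

# Constructed RouterOS 7 export fragment modelled on this thread's config, not the
# poster's actual export. It keeps the weak settings the thread discusses: action=lookup
# instead of lookup-only-in-table, no masquerade on the tunnel, the router itself as DNS
# for the isolated subnet, and an input chain whose last drop is conditional.
SAMPLE_EXPORT = r"""
/routing table
add fib name=useWG1
/ip address
add address=192.168.90.1/24 interface=vlan5 network=192.168.90.0
/ip dhcp-server network
add address=192.168.90.0/24 dns-server=192.168.90.1 gateway=192.168.90.1
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=useWG1
/routing rule
add action=lookup src-address=192.168.90.0/24 table=useWG1
/ip firewall filter
add action=accept chain=input comment="defconf: accept established" connection-state=\
    established,related,untracked
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward in-interface-list=LAN out-interface=wireguard1
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
"""

KV_RE = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S*)')  # key=value, value may be quoted
NON_MATCHERS = {"action", "chain", "comment", "disabled", "log", "log-prefix"}  # not matchers


def parse_export(text):
    """Parse /export output into {section: [{key: value, ...}, ...]}, joining the
    backslash line continuations RouterOS emits and skipping '#' comment lines."""
    sections = defaultdict(list)
    section, pending = None, ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending:                          # tail of a wrapped line
            line = pending + line.lstrip()
            pending = ""
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):              # RouterOS wraps long lines with '\'
            pending = line[:-1]
            continue
        if line.startswith("/"):
            section = line
            continue
        m = re.match(r"(?:add|set)\s+(.*)", line)
        if m and section:
            sections[section].append({k: v.strip('"') for k, v in KV_RE.findall(m.group(1))})
    return sections


def active(cfg, section):
    """Entries of a section that are not disabled=yes."""
    return [e for e in cfg.get(section, []) if e.get("disabled") != "yes"]


def audit_vlan_isolation(text, subnet, tunnel, table):
    """Return findings where `subnet` could reach the internet other than via `tunnel`."""
    cfg = parse_export(text)
    findings = []
    rules = [r for r in active(cfg, "/routing rule") if r.get("src-address") == subnet]
    if not any(r.get("table") == table for r in rules):
        findings.append(f"no routing rule sends {subnet} to table {table}: it follows the main table (ISP)")
    if any(r.get("action") == "lookup" for r in rules):
        findings.append(f"routing rule for {subnet} uses action=lookup: if {tunnel} is down, "
                        "traffic falls back to the main table and leaves via the ISP")
    if not any(r.get("routing-table", r.get("table")) == table
               and r.get("dst-address", "0.0.0.0/0") == "0.0.0.0/0"
               and r.get("gateway") == tunnel for r in active(cfg, "/ip route")):
        findings.append(f"table {table} has no default route via {tunnel}")
    if not any(r.get("chain") == "srcnat" and r.get("action") == "masquerade"
               and r.get("out-interface") == tunnel for r in active(cfg, "/ip firewall nat")):
        findings.append(f"no srcnat masquerade for out-interface={tunnel}: LAN source addresses "
                        "would enter the tunnel and be dropped at the far end")
    # The router's own resolver queries use the main table, so handing the router out
    # as DNS for the isolated subnet makes its lookups leave via the ISP, not the tunnel.
    own_ips = {a["address"].split("/")[0] for a in active(cfg, "/ip address") if "address" in a}
    for net in active(cfg, "/ip dhcp-server network"):
        if net.get("address") == subnet and set(net.get("dns-server", "").split(",")) & own_ips:
            findings.append(f"DHCP for {subnet} hands out the router as DNS server: router-originated "
                            f"queries follow the main table, so DNS bypasses {tunnel}")
    for chain in ("input", "forward"):
        chain_rules = [r for r in active(cfg, "/ip firewall filter") if r.get("chain") == chain]
        last = chain_rules[-1] if chain_rules else {}
        if last.get("action") != "drop" or set(last) - NON_MATCHERS:
            findings.append(f"{chain} chain does not end with an unconditional drop")
    return findings


if __name__ == "__main__":
    for finding in audit_vlan_isolation(SAMPLE_EXPORT, "192.168.90.0/24", "wireguard1", "useWG1"):
        print("-", finding)
```

Run it against your own `/export file=...` output to see which of the four points still apply; an empty list means every check passed.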
 
Frederick88
newbie
Topic Author

Re: isolate and route vlan5 through gateway-wireguard only

Tue May 24, 2022 2:29 pm

Appreciate your help, you've got me past a few hurdles I was stuck on and it's all making a bit more sense now, especially with firewall rules which I've cleaned up as you've suggested.. Cheers
-
I am used to working with all vlans if working with any vlans, anything else gets confusing right quick.
For example what are ether5 and ether10 connected to? Smart devices and if so which model?
ether10 to a WiFi AP (non MT), configured with SSID "default" over native VLAN untagged, and SSID "VPN" tagged vlan5.
ether5 will be a computer tagged with vlan5.. (I may also change ether5 to native vlan5 later).

- - - - -
What IP address did the third party provider give you for router? Im assuming they did,
lets say its 10.10.20.3
Yes - they gave me a /10 actually, 10.75.178.228/10.

To make things easier and remove the need for 192.168.90.0/24 network, can I use a /24 within the /10 on my side for vlan5 instead?

EG:
add address=10.75.178.1/24 interface=vlan5 network=10.75.178.0

/ip/pool/add name=WGlan ranges=10.75.178.1-10.75.178.254 comment="DHCP for local LAN of WG connection 10.75.178.1/24"
/ip/dhcp-server/add name=dhcpWGlan interface=vlan5 address-pool=WGlan

/routing table add name=useWG1 fib
/routing rule add src-address=10.75.178.1/24 action=lookup-only-in-table table=useWG1

/ip/route/add dst-address=0.0.0.0/0 distance=1 gateway=%wireguard1 table=useWG1
 
anav
Forum Guru

Re: isolate and route vlan5 through gateway-wireguard only

Tue May 24, 2022 5:03 pm

My understanding of your config is getting a bit better too LOL.

Ether10 is going to a wifi device that can read vlans? make/model please.
Don't use native vlan for anything further, it should not be in any discussion it should be transparent (vlan1).
You either are sending vlan traffic or subnet traffic on etherports or wlans.

Further, one would NOT be sending tagged traffic to a computer. A computer doesn't read vlan tags.
What you do is define a port to be an access port by which any traffic coming into the port is tagged with vlan 5 and any traffic heading back to the computer is untagged upon leaving the port.

I'm astonished that the VPN provider would give you over 4,000 addresses for internet access vice ONE!
are you sure that's correct???

Don't mix up WireGuard addresses and subnet addresses (for vlan5) for now............ will look at the config further.......
So far it seems like a plausible approach............
 
Frederick88
newbie
Topic Author

Re: isolate and route vlan5 through gateway-wireguard only

Wed May 25, 2022 10:16 am

Im astonished that the VPN provider would give you over 4,000 addresses for internet access vice ONE!
are you sure thats correct???
Yeah I thought a /10 was quite a lot as well, but I've double checked config and that's what they've given me...

From my understanding, this just means that their side of the VPN will allow any traffic from an IP within this /10 range... so therefore, I should be able to distribute IPs from the /10 to my devices as I want?

EG: I can use 10.75.178.1/24 because it's within 10.75.178.228/10 interface address VPN has provided me.

- - -
Ether10 is going to a wifi device that can read vlans? make/model please.
I'm currently in the market to buy a new WiFi6 AP - whatever I buy, I'll be making sure its network SSIDs will be 802.1Q compatible.

- - -
Further, one would NOT be sending tagged traffic to a computer. A computer doesnt read vlan tags.
What you do is define a port to be an access port by which any traffic coming into the port is tagged with vlan 5 and any traffic heading back to the computer is untagged upon leaving the port.
I'm using macOS, which will allow me to easily add a "virtual interface" for 802.1Q tagged traffic.
trunk port with native (untagged) vlan1, and tagged vlan5 : macOS will be able to obtain an IP address from each network from the one physical ethernet connection.

- - -

Please see picture attached which might better illustrate what I'm trying to achieve.
 
anav
Forum Guru

Re: isolate and route vlan5 through gateway-wireguard only

Wed May 25, 2022 2:47 pm

Awesome pic, understood on the macos! Will get back to you when free on the other Q.

Okay my best advice is not to believe the ISP gave you /10 for VPN. It's unheard of and forces them to do NAT for a whole wack of IPs.
I would encourage you to follow a safer approach and ASSUME that they only gave you one IP ----> 10.75.178.228/32

Or you can try wireguard with lets say 10.75.178.5/32 and see if it gets through and works, if so then they really have given you a /10................

Can you confirm that for allowed IPs at their end they also have set /10? In other words they are doing NAT for shitload of potential IP addresses..........
 
Frederick88
newbie
Topic Author

Re: isolate and route vlan5 through gateway-wireguard only

Thu May 26, 2022 4:01 am

WireGuard VPN Configuration file (wg-vpn-server_UDP.conf) from the VPN Server Provider:
[Interface]
Address = 10.75.178.228/10
PrivateKey = blahPrivateKeyblahblah=
DNS = 10.64.0.1

[Peer]
PublicKey = blahPublicKeyblahblah=
PresharedKey = blahPresharedKeyblahblah=
Endpoint = endpoint.vpnserver.address:1637
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 15
 
anav
Forum Guru

Re: isolate and route vlan5 through gateway-wireguard only

Thu May 26, 2022 1:20 pm

Well then your idea should work..........
If you post your latest config I will have a look.
 
Frederick88
newbie
Topic Author

Re: isolate and route vlan5 through gateway-wireguard only

Sun Jul 24, 2022 5:25 pm

It's been a while, so to summarise:

2 LANs on MikroTik:
vlan1 : routes via standard ISP WAN only
vlan5 : routes via WireGuard VPN connection only

EDIT:
Can I send you the actual WireGuard configuration file with private key for you to try, assuming you have a test environment? Might be easier than trying to troubleshoot my config?

I'm at the point I'm happy to pay someone to help. I've spent many hours and unfortunately, I think I'm out of my depth…
# jul/24/2022 23:23:01 by RouterOS 7.3.1
# software id = 7869-1V7U
#
# model = RB4011iGS+
# serial number = blahblah
/interface bridge
add admin-mac=2C:11:11:11:11:11 auto-mac=no comment=defconf \
    ingress-filtering=no name=bridge vlan-filtering=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=wgLAN vlan-id=5
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcppoolvlan5 ranges=10.128.0.10-10.128.0.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=dhcppoolvlan5 interface=wgLAN name=dhcpvlan5
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing table
add comment="WG1 Route table" disabled=no fib name=useWG1
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=ether10,ether5,ether6,bridge vlan-ids=5
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wgLAN list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 endpoint-address=159.148.147.196 \
    endpoint-port=1637 interface=wireguard1 persistent-keepalive=15s \
    public-key="blahblahblah="
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
add address=10.128.0.1/24 interface=wgLAN network=10.128.0.0
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=10.128.0.0/24 comment=LANforWG dns-server=10.128.0.1 gateway=10.128.0.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query \
    verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward disabled=yes
add action=accept chain=forward comment="allow all from LAN to WAN" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface-list=LAN out-interface=\
    wireguard1
add action=drop chain=forward comment="drop all else"
add action=drop chain=input comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=Xbox dst-port=80 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.88.244 to-ports=80
add action=dst-nat chain=dstnat dst-port=88 in-interface=ether1 protocol=udp \
    to-addresses=192.168.88.244 to-ports=88
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 protocol=\
    udp to-addresses=192.168.88.244 to-ports=3074
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.88.244 to-ports=3074
add action=dst-nat chain=dstnat dst-port=53 in-interface=ether1 protocol=udp \
    to-addresses=192.168.88.244 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.88.244 to-ports=53
add action=dst-nat chain=dstnat dst-port=500 in-interface=ether1 protocol=udp \
    to-addresses=192.168.88.244 to-ports=500
add action=dst-nat chain=dstnat dst-port=3544 in-interface=ether1 protocol=\
    udp to-addresses=192.168.88.244 to-ports=3544
add action=dst-nat chain=dstnat dst-port=4500 in-interface=ether1 protocol=\
    udp to-addresses=192.168.88.244 to-ports=4500
add action=dst-nat chain=dstnat dst-port=6672 in-interface=ether1 protocol=\
    udp to-addresses=192.168.88.244 to-ports=6672
add action=dst-nat chain=dstnat dst-port=61455-61458 in-interface=ether1 \
    protocol=udp to-addresses=192.168.88.244 to-ports=61455-61458
/ip firewall service-port
set sip disabled=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 pref-src=\
    "" routing-table=useWG1 suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=https-cert disabled=no
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether9 type=internal
add interface=ether1 type=external
/routing rule
add action=lookup-only-in-table disabled=no src-address=10.128.0.0/24 table=\
    useWG1
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=wgLAN,ether5
WireGuard conf file:
[Interface]
Address = 10.159.64.244/10
PrivateKey = blahblahblah=
DNS = 10.128.0.1, fd7d:76ee:e68f:a993::1

[Peer]
PublicKey = blahblahblah=
PresharedKey = blahblahblah =
Endpoint = blahblahblah:1637
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 15
 
anav
Forum Guru

Re: isolate and route vlan5 through gateway-wireguard only

Sun Jul 24, 2022 7:23 pm

I will look at your config today.
The issue that is blocking me at the moment is DNS servers. Since your setup is a tad unique...............
 
anav
Forum Guru

Re: isolate and route vlan5 through gateway-wireguard only

Sun Jul 24, 2022 8:20 pm

Fixed config,
I prefer always using only vlans, not a mix...........
..........
/interface bridge
add admin-mac=2C:11:11:11:11:11 auto-mac=no comment=defconf \
    ingress-filtering=no name=bridge vlan-filtering=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=wgLAN vlan-id=5
add interface=bridge name=homeLAN vlan-id=11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcppoolvlan5 ranges=10.128.0.10-10.128.0.254
/ip dhcp-server
add address-pool=dhcp interface=homeLAN name=defconf
add address-pool=dhcppoolvlan5 interface=wgLAN name=dhcpvlan5
/routing table
add comment="WG1 Route table" disabled=no fib name=useWG1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=11
add bridge=bridge comment=defconf interface=ether3 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=11
add bridge=bridge comment=defconf interface=ether4 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=11
add bridge=bridge comment=defconf interface=ether5 ingress-filtering=yes frame-types=admit-only-tagged
add bridge=bridge comment=defconf interface=ether6 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=11
add bridge=bridge comment=defconf interface=ether7 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=11
add bridge=bridge comment=defconf interface=ether8 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=11
add bridge=bridge comment=defconf interface=ether9 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=11
add bridge=bridge comment=defconf interface=ether10 ingress-filtering=yes frame-types=admit-only-tagged
add bridge=bridge comment=defconf interface=sfp-sfpplus1 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=11
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5,ether10 untagged=ether2,ether3,ether4,ether6,ether7,ether8,ether9,sfp-sfpplus1 vlan-ids=11
add bridge=bridge tagged=bridge,ether5,ether10 vlan-ids=5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=wgLAN list=LAN
add interface=homeLAN list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 endpoint-address=159.148.147.196 \
    endpoint-port=1637 interface=wireguard1 persistent-keepalive=15s \
    public-key="blahblahblah="
/ip address
add address=192.168.88.1/24 comment=defconf interface=homeLAN network=\
    192.168.88.0
add address=10.128.0.1/24 interface=wgLAN network=10.128.0.0
add address=10.75.178.1/24 interface=wireguard1
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=10.128.0.0/24 comment=LANforWG dns-server=10.64.0.1 gateway=10.128.0.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query \
    verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input  comment="Drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow all from LAN to WAN" \
    in-interface=homeLAN out-interface-list=WAN
add action=accept chain=forward in-interface=wgLAN out-interface=\
    wireguard1
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1
add action=dst-nat chain=dstnat comment=Xbox dst-port=80 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.88.244 to-ports=80
add action=dst-nat chain=dstnat dst-port=88 in-interface=ether1 protocol=udp \
    to-addresses=192.168.88.244 to-ports=88
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 protocol=\
    udp to-addresses=192.168.88.244 to-ports=3074
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.88.244 to-ports=3074
add action=dst-nat chain=dstnat dst-port=53 in-interface=ether1 protocol=udp \
    to-addresses=192.168.88.244 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.88.244 to-ports=53
add action=dst-nat chain=dstnat dst-port=500 in-interface=ether1 protocol=udp \
    to-addresses=192.168.88.244 to-ports=500
add action=dst-nat chain=dstnat dst-port=3544 in-interface=ether1 protocol=\
    udp to-addresses=192.168.88.244 to-ports=3544
add action=dst-nat chain=dstnat dst-port=4500 in-interface=ether1 protocol=\
    udp to-addresses=192.168.88.244 to-ports=4500
add action=dst-nat chain=dstnat dst-port=6672 in-interface=ether1 protocol=\
    udp to-addresses=192.168.88.244 to-ports=6672
add action=dst-nat chain=dstnat dst-port=61455-61458 in-interface=ether1 \
    protocol=udp to-addresses=192.168.88.244 to-ports=61455-61458
/ip firewall service-port
set sip disabled=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 pref-src=\
    "" routing-table=useWG1 suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=https-cert disabled=no
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether9 type=internal
add interface=ether1 type=external
/routing rule
add action=lookup-only-in-table disabled=no src-address=10.128.0.0/24 table=\
    useWG1
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
Important snippets........ for wireguard.
/ip address
add address=192.168.88.1/24 comment=defconf interface=homeLAN network=\
192.168.88.0
add address=10.128.0.1/24 interface=wgLAN network=10.128.0.0

add address=10.75.178.1/24 interface=wireguard1

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN

add action=masquerade chain=srcnat out-interface=wireguard1

/ip dhcp-server network
add address=10.128.0.0/24 comment=LANforWG dns-server=10.64.0.1 gateway=10.128.0.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1


Also nuances on firewall rules, as ONLY the home network .88 (vlan11) needs internet access through the local router!
As well only the wireguard subnet, vlan5 needs permission to traverse to the tunnel!

add action=accept chain=forward comment="allow home subnet from LAN to WAN" \
in-interface=homeLAN out-interface-list=WAN
add action=accept chain=forward in-interface=wgLAN out-interface=wireguard1
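To make the routing side of the config above concrete, here is an added example (written for this thread, not RouterOS code and not anav's configuration): a small Python model of how a routing rule plus a per-table default route picks the gateway for a packet. It uses the names from the export (table useWG1, the lookup-only-in-table rule for 10.128.0.0/24, the default via wireguard1). The main table's default via ether1 is an assumption, since the export does not show it (it comes from the DHCP client on ether1), and the packet addresses are constructed. The model also shows what changes if the rule used action=lookup instead, which is not what the config does.

```python
"""Policy-routing model for the useWG1 split: routing rule -> table -> gateway."""
from ipaddress import ip_address, ip_network

# Routes per table as (dst prefix, gateway interface).
TABLES = {
    "main": [
        ("0.0.0.0/0", "ether1"),          # assumed: ISP default learned by DHCP on ether1
        ("192.168.88.0/24", "homeLAN"),   # connected route for the home LAN
        ("10.128.0.0/24", "wgLAN"),       # connected route for vlan5
    ],
    "useWG1": [("0.0.0.0/0", "wireguard1")],
}

# Routing rules in order: (src prefix, action, table), as in the config.
RULES = [("10.128.0.0/24", "lookup-only-in-table", "useWG1")]
# Same rule with action=lookup, shown for comparison only (not in the config).
FALLBACK_RULES = [("10.128.0.0/24", "lookup", "useWG1")]


def route_lookup(table, dst, down=frozenset()):
    """Longest-prefix match in one table.

    Routes whose gateway interface is in `down` are treated as inactive,
    which is what RouterOS does when the interface is disabled."""
    best = None
    for prefix, gw in TABLES[table]:
        net = ip_network(prefix)
        if gw in down or ip_address(dst) not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, gw)
    return best[1] if best else None


def select_gateway(src, dst, rules=RULES, down=frozenset()):
    """Egress interface for a src->dst packet, or None if it is unroutable.

    The first rule whose src prefix matches is applied. With
    lookup-only-in-table the answer comes from that table alone, so a
    missing route means the packet is dropped rather than sent elsewhere;
    with plain lookup a miss falls through to the main table."""
    for prefix, action, table in rules:
        if ip_address(src) in ip_network(prefix):
            gw = route_lookup(table, dst, down)
            if gw is not None or action == "lookup-only-in-table":
                return gw
            break
    return route_lookup("main", dst, down)


if __name__ == "__main__":
    cases = [
        ("10.128.0.50", "1.1.1.1", RULES, frozenset()),
        ("192.168.88.20", "1.1.1.1", RULES, frozenset()),
        ("10.128.0.50", "192.168.88.20", RULES, frozenset()),
        ("10.128.0.50", "1.1.1.1", RULES, frozenset({"wireguard1"})),
        ("10.128.0.50", "1.1.1.1", FALLBACK_RULES, frozenset({"wireguard1"})),
    ]
    for src, dst, rules, down in cases:
        tag = "lookup-only" if rules is RULES else "lookup     "
        print(f"{tag} {src:>14} -> {dst:<14} down={sorted(down)}: "
              f"{select_gateway(src, dst, rules, down)}")
```

Two results are worth noticing. With lookup-only-in-table, a vlan5 host whose tunnel interface is disabled gets no route at all, so its traffic is dropped instead of leaking out ether1; the plain-lookup variant would quietly fall back to the ISP. And because the rule is evaluated before the main table's connected routes, a vlan5 packet addressed to the home LAN is also sent up the tunnel, which is another reason the two LANs stay apart. The forward-chain rule restricting wgLAN to out-interface=wireguard1 is the second, independent guard.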
 
Frederick88
newbie
Topic Author
Posts: 49
Joined: Thu Jun 24, 2021 12:34 pm

Re: isolate and route vlan5 through gateway-wireguard only

Mon Apr 03, 2023 11:54 am

@anav
Much appreciate your previous configuration, works like a charm on a recently purchased hAP ax3...

I used the fresh default config of the hAP ax3 and added wireguard and VLAN configuration as you outlined previously, with the addition of another wireguard interface and LAN.. Massive help, thank you.

In summary:
  • VLAN 89 : "Home default" LAN 192.168.89.0/24. Routes through gateway WAN (eth1)
  • VLAN 50 : LAN 172.17.50.0/24. Routes through gateway wireguard50
  • VLAN 51 : LAN 172.17.51.0/24. Routes through gateway wireguard51
The config appears to work as intended - when I'm on VLAN 50, internet goes through wireguard50.. and when I'm on VLAN 51, internet goes through wireguard51..

However I do have some queries I'm hoping to clarify...
  1. I can ping devices across VLANs.. What's the best method in your opinion, for completely isolating one VLAN/LAN from another? From what I've researched, there are several ways.. Keeping in mind the hAP ax3 does not have hardware VLAN tables. Effectively want devices in each VLAN to be completely isolated, except for communicating out their respective gateways only.
  2. Both wireguard50 and wireguard51 interfaces have the same IP (as per wg config from provider).. although both interfaces seem to work, how can I be sure that traffic isn't getting mixed up between the wireguard interfaces and their respective VLANs?

    When I watch the IP Firewall Connections, Reply Src. Address = wireguard interface IP, which is the same for both wireguard50 & wireguard51, as expected due to the masquerade rule - but how does the router know the correct IP & VLAN the traffic is for since both wireguard interfaces have the same IP? I guess this is more of a routerOS / network routing question than config...
  3. Are my firewall rules secure?

# apr/03/2023 17:43:52 by RouterOS 7.8
# software id =
#
# model = C53UiG+5HPaxD2HPaxD
# serial number =
/interface bridge
add admin-mac=2F:2F:2F:2F:2F:2F auto-mac=no comment=defconf \
    ingress-filtering=no name=bridge vlan-filtering=yes

/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MikroTik-779659 \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-24 \
    security.authentication-types=wpa2-psk,wpa3-psk

/interface wireguard
add comment="WireGuard VPN interface #50" listen-port=13232 mtu=1420 name=\
    wireguard50
add comment="WireGuard VPN interface #51" listen-port=13231 mtu=1420 name=\
    wireguard51

/interface vlan
add comment="Home LAN 192.168.89.0/24" interface=bridge name=homeVLAN89 \
    vlan-id=89
add comment="wireguard50 LAN 172.17.50.0/24" interface=bridge name=wgVLAN50 \
    vlan-id=50
add comment="wireguard51 LAN 172.17.51.0/24" interface=bridge name=wgVLAN51 \
    vlan-id=51

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wifiwave2 configuration
add channel.band=5ghz-ax .skip-dfs-channels=disabled .width=20/40/80mhz \
    country="" datapath.vlan-id=50 disabled=no mode=ap name=wifiVLAN50 \
    security.authentication-types=wpa2-psk,wpa3-psk ssid=Test50
/interface wifiwave2
add configuration=wifiVLAN50 configuration.mode=ap datapath.bridge=bridge \
    .client-isolation=no .interface-list=LAN mac-address=55:55:55:55:55:55 \
    master-interface=wifi1 name=wifi3 security.authentication-types=wpa2-psk

/ip pool
add comment="Home LAN VLAN89" name=default-dhcp ranges=\
    192.168.89.10-192.168.89.254
add comment="wireguard50 LAN VLAN50" name=wgLAN50-pool ranges=\
    172.17.50.10-172.17.50.250
add comment="wireguard51 LAN VLAN51" name=wgLAN51-pool ranges=\
    172.17.51.10-172.17.51.250
/ip dhcp-server
add address-pool=default-dhcp interface=homeVLAN89 name=defconf
add address-pool=wgLAN50-pool comment="dhcp server for wgLAN50" interface=\
    wgVLAN50 name=dhcp-wgLAN50
add address-pool=wgLAN51-pool comment="dhcp server for wgLAN51" interface=\
    wgVLAN51 name=dhcp-wgLAN51
/port
set 0 name=serial0
/routing table
add comment="wgLAN50 route to wireguard50" disabled=no fib name=wg50route
add comment="wgLAN51 route to wireguard51" disabled=no fib name=wg51route
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=89
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=89
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=51
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=50
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=wifi1 pvid=89
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=wifi2 pvid=89
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=15360
/interface bridge vlan
add bridge=bridge tagged=wifi3,bridge untagged=ether5 vlan-ids=50
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4 vlan-ids=89
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=51
/interface list member
add interface=homeVLAN89 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wgVLAN50 list=LAN
add interface=wgVLAN51 list=LAN

/interface wireguard peers

add allowed-address=0.0.0.0/0 comment="wg peer for wireguard50 interface" \
    endpoint-address=180.150.115.50 endpoint-port=1637 interface=wireguard50 \
    persistent-keepalive=15s public-key=\
    "blahpublickeyblah="

add allowed-address=0.0.0.0/0 comment="wg peer for wireguard51 interface" \
    endpoint-address=205.110.155.55 endpoint-port=1637 interface=wireguard51 \
    persistent-keepalive=15s public-key=\
    "blahpublickeyblah="

/ip address

add address=192.168.89.1/24 comment=defconf interface=homeVLAN89 network=\
    192.168.89.0

add address=172.17.50.1/24 comment="VLAN50 - LAN of wireguard50" interface=\
    wgVLAN50 network=172.17.50.0

add address=10.140.35.150 comment="wireguard50 interface address" interface=\
    wireguard50 network=10.128.0.0
# network is 10.128.0.0 because DNS on wireguard side is 10.128.0.1

add address=172.17.51.1/24 comment="VLAN51 - LAN of wireguard51" interface=\
    wgVLAN51 network=172.17.51.0

add address=10.140.35.150 comment="wireguard51 interface address" interface=\
    wireguard51 network=10.128.0.0
# network is 10.128.0.0 because DNS on wireguard side is 10.128.0.1

/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=172.17.50.0/24 comment="wgLAN50 network with wg DNS" dns-server=\
    10.128.0.1 gateway=172.17.50.1
add address=172.17.51.0/24 comment="wgLAN51 network with wg DNS" dns-server=\
    10.128.0.1 gateway=172.17.51.1
add address=192.168.89.0/24 comment=defconf dns-server=192.168.89.1 gateway=\
    192.168.89.1
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query \
    verify-doh-cert=yes
/ip dns static
add address=192.168.89.1 comment=defconf name=router.lan
add address=104.16.249.249 name=cloudflare-dns.com
add address=104.16.248.249 name=cloudflare-dns.com

/ip firewall filter

add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked

add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid

add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN

add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec

add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes

add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked

add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid

add action=accept chain=forward comment="allow all from Home LAN to WAN" \
    in-interface=homeVLAN89 out-interface-list=WAN

add action=accept chain=forward comment=\
    "Forward wgLAN50 traffic to wireguard50 interface gateway" in-interface=\
    wgVLAN50 out-interface=wireguard50

add action=accept chain=forward comment=\
    "Forward wgLAN51 traffic to wireguard51 interface gateway" in-interface=\
    wgVLAN51 out-interface=wireguard51

add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN

add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

add action=masquerade chain=srcnat comment="masq traffic from wgLAN50 to wireg\
    uard50 gateway, as IP of wireguard50 peer" out-interface=wireguard50

add action=masquerade chain=srcnat comment="masq traffic from wgLAN51 to wireg\
    uard51 gateway, as IP of wireguard51 peer" out-interface=wireguard51

/ip firewall service-port
set sip disabled=yes
set pptp disabled=yes

/ip route
add comment="Route wgVLAN50 through wireguard50 gateway" \
    disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard50 \
    pref-src="" routing-table=wg50route scope=30 suppress-hw-offload=no \
    target-scope=10

add comment="Route wgVLAN51 through wireguard51 gateway" \
    disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard51 \
    pref-src="" routing-table=wg51route scope=30 suppress-hw-offload=no \
    target-scope=10

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=https-cert disabled=no
set api disabled=yes
set api-ssl disabled=yes

/routing rule
add action=lookup-only-in-table comment=\
    "Route Src. wgLAN50 to wireguard50 interface" disabled=no src-address=\
    172.17.50.0/24 table=wg50route

add action=lookup-only-in-table comment=\
    "Route Src. wgLAN51 to wireguard51 interface" disabled=no src-address=\
    172.17.51.0/24 table=wg51route

/system logging
add disabled=yes topics=dns
add disabled=yes topics=wireguard
add disabled=yes topics=route
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: isolate and route vlan through gateway-wireguard only

Mon Apr 03, 2023 5:45 pm

Some really weird things going on in your config for sure.

(1) For VLAN separation at Layer3, firewall rules apply. Easiest is to drop all at the end of the forward chain.

(2) I am not a proponent of using any vlan settings in wifi if not necessary. Keep wifi settings for wifi.
Thus it's very confusing for me to see datapath for vlan50 in the wifi config but also a datapath for bridge.
I don't recall making any of those specific settings on my wifi settings. Basically AP bridge mode was it.
So perhaps the datapath bridge is default and if so get rid of datapath vlan50 if you actually manually added it ???

(3) It appears you defined a wifi3? But don't see it on bridge ports? Okay I see it tagged on vlan50. That is unusual! What is wifi3 from the ax3 connecting to here ???

(4) Ether5 makes no sense to me, looking at your diagram not updated for all vlans you had vlan1 and vlan50 going to macos computer, now you only show vlan50 untagged????

(5) ERROR ERROR you have ether 4 being untagged for two vlans.... An access port can only have one port untagged!!!!

In summary you need to redraw your diagram so it's accurate!!! and config appropriately.

(5) Yes wg is not correct, I suspect all traffic is going out one WG interface and not at all on the other but will work through your config.......
Okay, so you have two separate endpoints so that's good!!
You have both peer addresses with allowed IPs of 0.0.0.0/0 and is why having a separate wg interface is necessary. Otherwise, if same interface the router would always choose the first peer in the order and the second peer would never be used. So that is good!
I would extend keep alives to in the 30-45 sec range........

Addresses: Although it is possible to assign multiple addresses to the same interface, not so sure using the same address for two different interfaces is a good idea. In fact it makes little sense to me. Going back they stated to you a /10 address remember........ So not sure where this new one is coming from - your flipping wg addresses without explanation is RUDE!

BASED ON PREVIOUS INFORMATION
Thus for wg50 use:
/ip address
add address=10.75.178.228/24 interface=wireguard50 network=10.75.178.0

Thus for wg51 use:
add address=10.159.64.244/24 interface=wireguard51 network=10.159.64.0

FOR DNS, only here........ as stated previously.........
add address=172.17.50.0/24 comment="wgLAN50 network with wg DNS" dns-server=\
10.64.0.1 gateway=172.17.50.1
add address=172.17.51.0/24 comment="wgLAN51 network with wg DNS" dns-server=\
10.128.0.1 gateway=172.17.51.1

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
USING THE LATEST INFORMATION----- Assuming they gave you only one address=10.140.35.150/10 who can keep up with you changing the truth???

Thus for wg50 use:
/ip address
add address=10.140.35.150/24 comment="wireguard50 interface address" interface=\
wireguard50 network=10.140.35.0


Thus for wg51 use:
add address=10.140.35.151/24 interface=wireguard51 network=10.140.35.0

FOR DNS, only here........ as stated previously.........
add address=172.17.50.0/24 comment="wgLAN50 network with wg DNS" dns-server=\
10.128.0.1 gateway=172.17.50.1
add address=172.17.51.0/24 comment="wgLAN51 network with wg DNS" dns-server=\
10.128.0.1 gateway=172.17.51.1

(6) what is this??
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query \
verify-doh-cert=yes

You need to allow the router or whatever server you are using to find the DOH site so perhaps this......
/ip dns
set allow-remote-requests=yes servers=9.9.9.9 use-doh-server=https://1.1.1.1/dns-query \
verify-doh-cert=yes

Finally get rid of your IP static settings.

(7) Firewall rules were fine except for the default dstnat rule which is replaced with a proper rule to allow dstnat. Fixed on the config below.

(8) Assuming your ether1 has default route selected in IP DHCP client as no route visible in config (expected). All looks good!

(9) Config Review:
/interface bridge
add admin-mac=2F:2F:2F:2F:2F:2F auto-mac=no comment=defconf \
ingress-filtering=no name=bridge vlan-filtering=yes

/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MikroTik-779659 \
disabled=no security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-24 \
security.authentication-types=wpa2-psk,wpa3-psk

/interface wireguard
add comment="WireGuard VPN interface #50" listen-port=13232 mtu=1420 name=\
wireguard50
add comment="WireGuard VPN interface #51" listen-port=13231 mtu=1420 name=\
wireguard51

/interface vlan
add comment="Home LAN 192.168.89.0/24" interface=bridge name=homeVLAN89 \
vlan-id=89
add comment="wireguard50 LAN 172.17.50.0/24" interface=bridge name=wgVLAN50 \
vlan-id=50
add comment="wireguard51 LAN 172.17.51.0/24" interface=bridge name=wgVLAN51 \
vlan-id=51

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wifiwave2 configuration
add channel.band=5ghz-ax .skip-dfs-channels=disabled .width=20/40/80mhz \
country="" datapath.vlan-id=50 disabled=no mode=ap name=wifiVLAN50 \
security.authentication-types=wpa2-psk,wpa3-psk ssid=Test50
/interface wifiwave2
add configuration=wifiVLAN50 configuration.mode=ap datapath.bridge=bridge \
.client-isolation=no .interface-list=LAN mac-address=55:55:55:55:55:55 \
master-interface=wifi1 name=wifi3 security.authentication-types=wpa2-psk

/ip pool
add comment="Home LAN VLAN89" name=default-dhcp ranges=\
192.168.89.10-192.168.89.254
add comment="wireguard50 LAN VLAN50" name=wgLAN50-pool ranges=\
172.17.50.10-172.17.50.250
add comment="wireguard51 LAN VLAN51" name=wgLAN51-pool ranges=\
172.17.51.10-172.17.51.250
/ip dhcp-server
add address-pool=default-dhcp interface=homeVLAN89 name=defconf
add address-pool=wgLAN50-pool comment="dhcp server for wgLAN50" interface=\
wgVLAN50 name=dhcp-wgLAN50
add address-pool=wgLAN51-pool comment="dhcp server for wgLAN51" interface=\
wgVLAN51 name=dhcp-wgLAN51
/port
set 0 name=serial0
/routing table
add comment="wgLAN50 route to wireguard50" disabled=no fib name=wg50route
add comment="wgLAN51 route to wireguard51" disabled=no fib name=wg51route
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether2 pvid=89
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether3 pvid=89
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether4 pvid=51
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether5 pvid=50
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=wifi1 pvid=89
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=wifi2 pvid=89
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=15360
/interface bridge vlan
add bridge=bridge tagged=wifi3,bridge untagged=ether5 vlan-ids=50
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4 vlan-ids=89
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=51
/interface list member
add interface=homeVLAN89 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wgVLAN50 list=LAN
add interface=wgVLAN51 list=LAN

/interface wireguard peers

add allowed-address=0.0.0.0/0 comment="wg peer for wireguard50 interface" \
endpoint-address=180.150.115.50 endpoint-port=1637 interface=wireguard50 \
persistent-keepalive=35s public-key=\
"blahpublickeyblah="

add allowed-address=0.0.0.0/0 comment="wg peer for wireguard51 interface" \
endpoint-address=205.110.155.55 endpoint-port=1637 interface=wireguard51 \
persistent-keepalive=40s public-key=\
"blahpublickeyblah="

/ip address

add address=192.168.89.1/24 comment=defconf interface=homeVLAN89 network=\
192.168.89.0

add address=172.17.50.1/24 comment="VLAN50 - LAN of wireguard50" interface=\
wgVLAN50 network=172.17.50.0

add address=172.17.51.1/24 comment="VLAN51 - LAN of wireguard51" interface=\
wgVLAN51 network=172.17.51.0

See above discussion on WG addresses. This section is SUSPECT.
add address=10.140.35.150 comment="wireguard50 interface address" interface=\
wireguard50 network=10.128.0.0
# network is 10.128.0.0 because DNS on wireguard side is 10.128.0.1 WRONG

add address=10.140.35.150 comment="wireguard51 interface address" interface=\
wireguard51 network=10.128.0.0
# network is 10.128.0.0 because DNS on wireguard side is 10.128.0.1 WRONG


/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=172.17.50.0/24 comment="wgLAN50 network with wg DNS" dns-server=\
10.128.0.1 gateway=172.17.50.1
add address=172.17.51.0/24 comment="wgLAN51 network with wg DNS" dns-server=\
10.128.0.1 gateway=172.17.51.1
add address=192.168.89.0/24 comment=defconf dns-server=192.168.89.1 gateway=\
192.168.89.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9 use-doh-server=https://1.1.1.1/dns-query \
verify-doh-cert=yes
/ip dns static (REMOVE ALL)
add address=192.168.89.1 comment=defconf name=router.lan
add address=104.16.249.249 name=cloudflare-dns.com
add address=104.16.248.249 name=cloudflare-dns.com


/ip firewall filter

add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked

add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid

add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN

add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec

add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes

add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked

add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid

add action=accept chain=forward comment="allow all from Home LAN to WAN" \
in-interface=homeVLAN89 out-interface-list=WAN

add action=accept chain=forward comment=\
"Forward wgLAN50 traffic to wireguard50 interface gateway" in-interface=\
wgVLAN50 out-interface=wireguard50

add action=accept chain=forward comment=\
"Forward wgLAN51 traffic to wireguard51 interface gateway" in-interface=\
wgVLAN51 out-interface=wireguard51

add action=accept chain=forward comment="allow dstnat" connection-nat-state=dstnat

add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN

add action=masquerade chain=srcnat comment="masq traffic from wgLAN50 to wireg\
uard50 gateway, as IP of wireguard50 peer" out-interface=wireguard50

add action=masquerade chain=srcnat comment="masq traffic from wgLAN51 to wireg\
uard51 gateway, as IP of wireguard51 peer" out-interface=wireguard51

/ip firewall service-port
set sip disabled=yes
set pptp disabled=yes

/ip route
add comment="Route wgVLAN50 through wireguard50 gateway" \
disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard50 \
pref-src="" routing-table=wg50route scope=30 suppress-hw-offload=no \
target-scope=10

add comment="Route wgVLAN51 through wireguard51 gateway" \
disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard51 \
pref-src="" routing-table=wg51route scope=30 suppress-hw-offload=no \
target-scope=10

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=https-cert disabled=no
set api disabled=yes
set api-ssl disabled=yes

/routing rule
add action=lookup-only-in-table comment=\
"Route Src. wgLAN50 to wireguard50 interface" disabled=no src-address=\
172.17.50.0/24 table=wg50route

add action=lookup-only-in-table comment=\
"Route Src. wgLAN51 to wireguard51 interface" disabled=no src-address=\
172.17.51.0/24 table=wg51route

/system logging
add disabled=yes topics=dns
add disabled=yes topics=wireguard
add disabled=yes topics=route
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
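Point (1) above (drop all at the end of the forward chain) and the input chain in the reviewed config decide, between them, which VLAN can reach which gateway and which router address. The following is an added example written for this thread, a Python model of that first-match evaluation; it is not RouterOS code and not anav's or Frederick88's configuration. Interface names, interface lists and router addresses are taken from the reviewed config; the packets are constructed, and the model covers new, valid connections only (the established/related, invalid and ipsec rules never decide such a packet, so they are omitted). The TIGHT_INPUT chain at the end is an assumption of this example, one way of restricting each VLAN to the router address on its own VLAN, not advice from the thread.

```python
"""Firewall-chain model: forward-chain VLAN isolation and input-chain reachability."""
from ipaddress import ip_address, ip_network

# Interface lists as defined in the reviewed config.
LISTS = {"LAN": {"homeVLAN89", "wgVLAN50", "wgVLAN51"}, "WAN": {"ether1"}}

# Router-local addresses and the VLAN each belongs to. 10.140.35.150 is the
# WireGuard-side address from the config and belongs to no VLAN.
LOCAL_ADDR = {"192.168.89.1": "homeVLAN89", "172.17.50.1": "wgVLAN50",
              "172.17.51.1": "wgVLAN51", "10.140.35.150": None}


def _in_list(name, iface):
    """Interface-list matcher; a leading '!' negates, as in RouterOS."""
    negate = name.startswith("!")
    return (iface in LISTS[name.lstrip("!")]) != negate


def _matches(rule, pkt):
    """Every matcher present in the rule must hold ('action' is not one)."""
    checks = {
        "in_interface": lambda v: pkt["in"] == v,
        "out_interface": lambda v: pkt.get("out") == v,
        "in_interface_list": lambda v: _in_list(v, pkt["in"]),
        "out_interface_list": lambda v: _in_list(v, pkt.get("out")),
        "protocol": lambda v: pkt["proto"] == v,
        "dst_address": lambda v: ip_address(pkt["dst"]) in ip_network(v),
        "connection_nat_state": lambda v: pkt.get("dstnat", False) == (v == "dstnat"),
    }
    return all(checks[k](v) for k, v in rule.items() if k != "action")


def verdict(chain, pkt):
    """First matching rule wins; a chain with no match accepts (RouterOS default)."""
    for rule in chain:
        if _matches(rule, pkt):
            return rule["action"]
    return "accept"


# Forward chain for a new connection, in the reviewed order.
FORWARD = [
    {"in_interface": "homeVLAN89", "out_interface_list": "WAN", "action": "accept"},
    {"in_interface": "wgVLAN50", "out_interface": "wireguard50", "action": "accept"},
    {"in_interface": "wgVLAN51", "out_interface": "wireguard51", "action": "accept"},
    {"connection_nat_state": "dstnat", "action": "accept"},
    {"action": "drop"},  # "drop all else" closes the chain
]

# Input chain for a new connection, in the reviewed order.
INPUT = [
    {"protocol": "icmp", "action": "accept"},
    {"dst_address": "127.0.0.1/32", "action": "accept"},
    {"in_interface_list": "!LAN", "action": "drop"},
]

# Tightened input chain (assumption of this example): each VLAN may reach
# only the router address that sits on that VLAN, and an explicit final
# drop replaces the end-of-chain accept that INPUT silently relies on.
TIGHT_INPUT = (
    [{"dst_address": "127.0.0.1/32", "action": "accept"}]
    + [{"in_interface": vlan, "dst_address": f"{addr}/32", "action": "accept"}
       for addr, vlan in LOCAL_ADDR.items() if vlan]
    + [{"action": "drop"}]
)


def forward_verdict(in_if, out_if, dstnat=False):
    """Verdict for a new connection routed from in_if to out_if."""
    return verdict(FORWARD, {"in": in_if, "out": out_if, "proto": "tcp", "dstnat": dstnat})


def input_verdict(in_if, dst, proto="tcp", chain=INPUT):
    """Verdict for a new connection from in_if to a router-local address."""
    return verdict(chain, {"in": in_if, "dst": dst, "proto": proto})


def reachability(chain=INPUT, proto="tcp"):
    """(VLAN, router address) -> verdict for every LAN VLAN and local address."""
    return {(vlan, addr): input_verdict(vlan, addr, proto, chain)
            for vlan in sorted(LISTS["LAN"]) for addr in LOCAL_ADDR}


if __name__ == "__main__":
    print("forward homeVLAN89->ether1   :", forward_verdict("homeVLAN89", "ether1"))
    print("forward wgVLAN50->ether1     :", forward_verdict("wgVLAN50", "ether1"))
    print("forward homeVLAN89->wgVLAN50 :", forward_verdict("homeVLAN89", "wgVLAN50"))
    for name, chain in (("input", INPUT), ("tight-input", TIGHT_INPUT)):
        for (vlan, addr), v in reachability(chain).items():
            print(f"{name:12}{vlan:>11} -> {addr:<15}: {v}")
```

The forward chain behaves as point (1) says: with the final drop in place, wgVLAN50 to ether1 and any VLAN-to-VLAN pair are dropped, and only the three listed VLAN-to-gateway pairs plus dstnat'd inbound traffic pass. The input chain is a different story: the "accept ICMP" rule has no interface restriction, and traffic from any LAN-list interface reaches the end of the chain and is accepted, so every VLAN can ping or connect to every router-local address, the WireGuard-side 10.140.35.150 included. That is a property of the rules as posted, not of the tunnels; the tightened chain shows what closes it.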
 
Frederick88
newbie
Topic Author
Posts: 49
Joined: Thu Jun 24, 2021 12:34 pm

Re: isolate and route vlan through gateway-wireguard only

Tue Apr 04, 2023 7:14 am

(1) For VLAN separation at Layer3, firewall rules apply. Easiest is to drop all at the end of the forward chain.
I added the drop all. Can't ping devices on other VLANs, however I can ping the address of wireguard interface. Example, I'm on VLAN89 and can ping 10.140.35.150 (wireguard51 interface IP). Only VLAN51 should be able to ping 10.140.35.150.
.
(2) I am not a proponent of using any vlan settings in wifi if not necessary. Keep wifi settings for wifi.

(3) It appears you defined a wifi3? But don't see it on bridge ports? Okay I see it tagged on vlan50. That is unusual! What is wifi3 from the ax3 connecting to here ???
Thanks, have cleaned wifi config up now.. was my first play with MT wifi..
.
(5) ERROR ERROR you have ether 4 being untagged for two vlans.... An access port can only have one port untagged!!!!
you got me there.... :o
.
In summary you need to redraw your diagram so it's accurate!!! and config appropriately.
apologies, I should have taken the time previously to update diagram.. please see below :)
.
(5) Yes wg is not correct, I suspect all traffic is going out one WG interface and not at all on the other but will work through your config.......
Okay, so you have two separate endpoints so that's good!!

Addresses: Although it is possible to assign multiple addresses to the same interface, not so sure using the same address for two different interfaces is a good idea. In fact it makes little sense to me.
I have now obtained two different IPs for the wireguard interfaces... yay!

Appreciate your input. I have updated config (and added another LAN for IoT) and updated network diagram... also attached illustration of VLAN/gateway access rules I'm trying to achieve..

WireGuard seems to be working correctly.. for example, devices on VLAN50 are accessing internet via wireguard50, and devices on VLAN51 via wireguard51... my main concern is that devices from any VLAN can ping the wireguard gateways.. I feel like I need to isolate VLANs and gateways more than I currently have....
# RouterOS 7.8
#
# model = C53UiG+5HPaxD2HPaxD
# serial number =
/interface bridge
add admin-mac=2F:2F:2F:2F:2F:2F auto-mac=no comment=defconf \
    ingress-filtering=no name=bridge vlan-filtering=yes

/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    disabled .width=20/40/80mhz comment="SSID for default Home LAN 89" \
    configuration.mode=ap .ssid=MikroTik-LAN89 disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk

add comment="SSID for VLAN50 of wireguard50 gateway" configuration.mode=ap \
    .ssid=MikroTik-LAN50 disabled=no mac-address=\
    2F:2F:2F:2F:2F:2F master-interface=wifi1 name=wifi3-wgLAN50 \
    security.authentication-types=wpa2-psk,wpa3-psk

add comment="SSID for IoT VLAN90" configuration.mode=ap .ssid=MikroTik-IoT90 \
    disabled=no mac-address=2F:2F:2F:2F:2F:2F master-interface=wifi1 name=\
    wifi4-IoTLAN90 security.authentication-types=wpa2-psk,wpa3-psk

/interface wireguard
add comment="WireGuard VPN interface" listen-port=13232 mtu=1420 name=\
    wireguard50

add comment="WireGuard VPN interface" listen-port=13231 mtu=1420 name=\
    wireguard51

/interface vlan
add comment="IoT LAN 192.168.90.0/24" interface=bridge name=IoTVLAN90 \
    vlan-id=90

add comment="Home LAN 192.168.89.0/24" interface=bridge name=homeVLAN89 \
    vlan-id=89

add comment="wireguard50 LAN 172.17.50.0/24" interface=bridge name=wgVLAN50 \
    vlan-id=50

add comment="wireguard51 LAN 172.17.51.0/24" interface=bridge name=wgVLAN51 \
    vlan-id=51

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/ip pool
add comment="Home LAN VLAN89" name=default-dhcp ranges=\
    192.168.89.10-192.168.89.254
add comment="wireguard50 LAN VLAN50" name=wgLAN50-pool ranges=\
    172.17.50.10-172.17.50.250
add comment="wireguard51 LAN VLAN51" name=wgLAN51-pool ranges=\
    172.17.51.10-172.17.51.250
add comment="IoT LAN VLAN90" name=IoTLAN90-pool ranges=\
    192.168.90.10-192.168.90.250
/ip dhcp-server
add address-pool=default-dhcp comment="dhcp server for Home LAN 89" \
    interface=homeVLAN89 name=defconf
add address-pool=wgLAN50-pool comment="dhcp server for wgLAN50" interface=\
    wgVLAN50 name=dhcp-wgLAN50
add address-pool=wgLAN51-pool comment="dhcp server for wgLAN51" interface=\
    wgVLAN51 name=dhcp-wgLAN51
add address-pool=IoTLAN90-pool comment="dhcp server for IoT LAN 90" \
    interface=IoTVLAN90 name=dhcp-IoTLAN90
/port
set 0 name=serial0

/routing table
add comment="wgLAN50 route to wireguard50" disabled=no fib name=wg50route
add comment="wgLAN51 route to wireguard51" disabled=no fib name=wg51route

/interface bridge port
add bridge=bridge comment="Trunk all VLANs to RB4011" frame-types=\
    admit-only-vlan-tagged interface=ether2 pvid=89

add bridge=bridge comment="access port for VLAN50" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=50

add bridge=bridge comment="access port for VLAN89 Home" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=89

add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=wifi1 pvid=89

add bridge=bridge comment="wifi 2.4GHz radio disabled" frame-types=\
    admit-only-untagged-and-priority-tagged interface=wifi2 pvid=89

add bridge=bridge comment="Hybrid, native VLAN89, tagged VLAN51" interface=\
    ether5 pvid=89

add bridge=bridge comment="wifi3 for VLAN50" frame-types=\
    admit-only-untagged-and-priority-tagged interface=wifi3-wgLAN50 pvid=50

add bridge=bridge comment="wifi4 for IoT devices VLAN90" frame-types=\
    admit-only-untagged-and-priority-tagged interface=wifi4-IoTLAN90 pvid=90

/ip neighbor discovery-settings
set discover-interface-list=LAN

/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=15360

/interface bridge vlan
add bridge=bridge comment="tag eth2, untag eth3 wifi3" tagged=bridge,ether2 \
    untagged=ether3,wifi3-wgLAN50 vlan-ids=50

add bridge=bridge comment="tag eth2, untag eth4, eth5, wifi1" tagged=\
    bridge,ether2 untagged=ether4,ether5,wifi1 vlan-ids=89

add bridge=bridge comment="tag eth2, eth5" tagged=bridge,ether2,ether5 \
    vlan-ids=51

add bridge=bridge comment="tag eth2, untag wifi4" tagged=bridge,ether2 \
    untagged=wifi4-IoTLAN90 vlan-ids=90

/interface list member
add interface=homeVLAN89 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wgVLAN50 list=LAN
add interface=wgVLAN51 list=LAN
add interface=IoTVLAN90 list=LAN

/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="wg peer for wireguard50 interface" \
    endpoint-address=180.150.115.50 endpoint-port=1637 interface=wireguard50 \
    persistent-keepalive=35s public-key=\
    "blahblahpublickey ="

add allowed-address=0.0.0.0/0 comment="wg peer for wireguard51 interface" \
    endpoint-address=205.110.155.55 endpoint-port=1637 interface=wireguard51 \
    persistent-keepalive=45s public-key=\
    "blahblahpublickey="

/ip address
add address=192.168.89.1/24 comment=defconf interface=homeVLAN89 network=\
    192.168.89.0

add address=172.17.50.1/24 comment="VLAN50 - LAN of wireguard50" interface=\
    wgVLAN50 network=172.17.50.0

add address=10.120.30.55 comment="wireguard50 interface address" interface=\
    wireguard50 network=10.120.30.55

add address=172.17.51.1/24 comment="VLAN51 - LAN of wireguard51" interface=\
    wgVLAN51 network=172.17.51.0

add address=10.140.35.150 comment="wireguard51 interface address" interface=\
    wireguard51 network=10.140.35.150

add address=192.168.90.1/24 comment="VLAN90 - LAN of IoT" interface=IoTVLAN90 \
    network=192.168.90.0

/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=172.17.50.0/24 comment="wgLAN50 network and wg DNS" dns-server=\
    10.128.0.1 gateway=172.17.50.1
add address=172.17.51.0/24 comment="wgLAN51 network and wg DNS" dns-server=\
    10.128.0.1 gateway=172.17.51.1
add address=192.168.89.0/24 comment=defconf dns-server=192.168.89.1 gateway=\
    192.168.89.1
add address=192.168.90.0/24 comment="IoTLAN90 network" dns-server=\
    192.168.90.1 gateway=192.168.90.1

/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query \
    verify-doh-cert=yes

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked

add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid

add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN

add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec

add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes

add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked

add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid

add action=accept chain=forward comment="allow all from Home LAN to WAN" \
    in-interface=homeVLAN89 out-interface-list=WAN

add action=accept chain=forward comment="allow all from IoT LAN to WAN" \
    in-interface=IoTVLAN90 out-interface-list=WAN

add action=accept chain=forward comment=\
    "Forward wgLAN50 traffic to wireguard50 interface gateway" in-interface=\
    wgVLAN50 out-interface=wireguard50

add action=accept chain=forward comment=\
    "Forward wgLAN51 traffic to wireguard51 interface gateway" in-interface=\
    wgVLAN51 out-interface=wireguard51

add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat

add action=accept chain=forward comment=\
    "allow Home LAN89 to access IoT LAN90" connection-state=\
    established,related,new,untracked in-interface=homeVLAN89 out-interface=\
    IoTVLAN90

add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed (DISABLED)" \
    connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface-list=WAN

add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

add action=masquerade chain=srcnat comment="masq traffic from wgLAN50 to wireg\
    uard50 gateway, as IP of wireguard50 peer" out-interface=wireguard50

add action=masquerade chain=srcnat comment="masq traffic from wgLAN51 to wireg\
    uard51 gateway, as IP of wireguard51 peer" out-interface=wireguard51

/ip firewall service-port
set sip disabled=yes
set pptp disabled=yes

/ip route
add comment="Route internet from wgVLAN50 through wireguard50 gateway" \
    disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard50 \
    pref-src="" routing-table=wg50route scope=30 suppress-hw-offload=no \
    target-scope=10

add comment="Route internet from wgVLAN51 through wireguard51 gateway" \
    disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard51 \
    pref-src="" routing-table=wg51route scope=30 suppress-hw-offload=no \
    target-scope=10

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=https-cert disabled=no
set api disabled=yes
set api-ssl disabled=yes

/routing rule
add action=lookup-only-in-table comment=\
    "Route Src. wgLAN50 to wireguard50 interface" disabled=no src-address=\
    172.17.50.0/24 table=wg50route

add action=lookup-only-in-table comment=\
    "Route Src. wgLAN51 to wireguard51 interface" disabled=no src-address=\
    172.17.51.0/24 table=wg51route

/system logging
add disabled=yes topics=dns
add disabled=yes topics=wireguard
add disabled=yes topics=route
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: isolate and route vlan through gateway-wireguard only

Tue Apr 04, 2023 4:48 pm

No need,
In fact you should be able to ping the gateway of any vlan from any vlan device and the wg interface.
The reason is that interfaces on the MT are considered Router interfaces and thus if one has connectivity to the router, then one should be able to ping the interfaces.

As you already discovered you cannot access any actual vlan devices/users because you have the drop all rule in place so no actual traffic can be accomplished unless you specifically allow it in the forward chain.

Nothing to worry about, glad its all working.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: isolate and route vlan through gateway-wireguard only

Tue Apr 04, 2023 5:32 pm

(1) Comment doesn't match the config line?? You are confused!! Make up your mind,
/interface bridge port
add bridge=bridge comment="Trunk all VLANs to RB4011" frame-types=\
admit-only-vlan-tagged interface=ether2 pvid=89


PVID is used for an access port going to a dumb device or a hybrid port.
Admit only vlan tagged means a trunk port only going to a smart device all tagged.
PVID is also used for a hybrid port scenario, one untagged and one or more tagged, but in this case frame types is ADMIT ALL.

So based on the diagram it should be as follows.
/interface bridge port
add bridge=bridge comment="Trunk all VLANs to RB4011" frame-types=\
admit-only-vlan-tagged ingress-filtering=yes interface=ether2


(2) Would add ingress-filtering=yes for all except ether5.

(3) Diagram missing wifi2

(4) Missing wifi2 here.......
add bridge=bridge comment="tag eth2, untag eth4, eth5, wifi1" tagged=\
bridge,ether2 untagged=ether4,ether5,wifi1,wifi2 vlan-ids=89


(5) Wireguard IP address structure wrong.
From:
add address=10.120.30.55 comment="wireguard50 interface address" interface=\
wireguard50 network=10.120.30.55
add address=10.140.35.150 comment="wireguard51 interface address" interface=\
wireguard51 network=10.140.35.150

TO:
add address=10.120.30.55/24 comment="wireguard50 interface address" interface=\
wireguard50 network=10.120.30.0
add address=10.140.35.150/24 comment="wireguard51 interface address" interface=\
wireguard51 network=10.140.35.0


(6) Still require a server so that the initial query to doh can be found by router.......
/ip dns
set allow-remote-requests=yes server=1.1.1.2 use-doh-server=https://1.1.1.1/dns-query \
verify-doh-cert=yes

(7) Could consider
/interface list
add name=LOCAL-WAN

/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=homeVLAN89 list=LAN
add interface=wgVLAN50 list=LAN
add interface=wgVLAN51 list=LAN
add interface=IoTVLAN90 list=LAN
add interface=homeVLAN89 list=LOCAL-WAN
add interface=IoTVLAN90 list=LOCAL-WAN

FROM:
add action=accept chain=forward comment="allow all from Home LAN to WAN" \
in-interface=homeVLAN89 out-interface-list=WAN
add action=accept chain=forward comment="allow all from IoT LAN to WAN" \
in-interface=IoTVLAN90 out-interface-list=WAN

TO:
add action=accept chain=forward comment="traffic through local wan" \
in-interface-list=LOCAL-WAN out-interface-list=WAN


(8) You keep forgetting to remove this rule................ NOT required.
you have a proper port forwarding rule two rules above this one and you have the drop rule right after. GET RID OF IT!!!

add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed (DISABLED)" \
connection-nat-state=!dstnat connection-state=new disabled=yes \
in-interface-list=WAN
 
Frederick88
newbie
Topic Author
Posts: 49
Joined: Thu Jun 24, 2021 12:34 pm

Re: isolate and route vlan through gateway-wireguard only

Wed Apr 05, 2023 3:33 am

No need, In fact you should be able to ping the gateway of any vlan from any vlan device and the wg interface.
The reason is that interfaces on the MT are considered Router interfaces and thus if one has connectivity to the router, then one should be able to ping the interfaces.

As you already discovered you cannot access any actual vlan devices/users because you have the drop all rule in place so no actual traffic can be accomplished unless you specifically allow it in the forward chain.
yeah you're right, I noticed I can ping all vlan gateways... Understood, thanks for explanation and reassurance.
.
(1) Comment doesn't match the config line?? You are confused!! Make up your mind,
/interface bridge port
add bridge=bridge comment="Trunk all VLANs to RB4011" frame-types=\
admit-only-vlan-tagged interface=ether2 pvid=89


PVID is used for an access port going to a dumb device or a hybrid port.
Admit only vlan tagged means a trunk port only going to a smart device all tagged.
PVID is also used for a hybrid port scenario, one untagged and one or more tagged, but in this case frame types is ADMIT ALL.

So based on the diagram it should be as follows.
/interface bridge port
add bridge=bridge comment="Trunk all VLANs to RB4011" frame-types=\
admit-only-vlan-tagged ingress-filtering=yes interface=ether2
interesting - the RouterOS export doesn't show parameters ingress-filtering= and frame-types=, when they're set to yes and admit-all respectively.. maybe this has changed in recent RouterOS version?...

For example, i tested with interface=wifi2:
[admin@MikroTik] /interface/bridge/port> add bridge=bridge comment="wifi 2.4GHz radio disabled" frame-types=admit-all ingress-filtering=yes interface=wifi2 pvid=89

[admin@MikroTik] /interface/bridge/port> export
# RouterOS 7.8
/interface bridge port
add bridge=bridge comment="Trunk all VLANs to RB4011" frame-types=admit-only-vlan-tagged interface=ether2 pvid=89
add bridge=bridge comment="access port for VLAN50" frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=50
add bridge=bridge comment="access port for VLAN89 Home" frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=89
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=89
add bridge=bridge comment="Hybrid, native VLAN89, tagged VLAN51" ingress-filtering=no interface=ether5 pvid=89
add bridge=bridge comment="wifi3 for VLAN50" frame-types=admit-only-untagged-and-priority-tagged interface=wifi3-wgLAN50 pvid=50
add bridge=bridge comment="wifi4 for IoT devices VLAN90" frame-types=admit-only-untagged-and-priority-tagged interface=wifi4-IoTLAN90 pvid=90
add bridge=bridge comment="wifi 2.4GHz radio disabled" interface=wifi2 pvid=89
Regarding ether2 trunk port with PVID 89, does it matter since frame-types=admit-only-vlan-tagged ? I also noticed if PVID isn’t defined, RouterOS sets it to PVID 1 by default anyway... Thinking I might set the PVID to a random VLAN ID that doesn't exist at all...?
.
(2) Would add ingress-filtering=yes for all except ether5.
as shown above, ingress-filtering= is defaulted yes, but have now turned it off for ether5 hybrid port as you suggested thanks.
.
(3) Diagram missing wifi2

(4) Missing wifi2 here.......
add bridge=bridge comment="tag eth2, untag eth4, eth5, wifi1" tagged=\
bridge,ether2 untagged=ether4,ether5,wifi1,wifi2 vlan-ids=89
Had disabled the 2.4GHz wifi2 radio interface, will remove altogether to keep things tidy :wink:
.
(5) Wireguard IP address structure wrong.
From:
add address=10.120.30.55 comment="wireguard50 interface address" interface=\
wireguard50 network=10.120.30.55
add address=10.140.35.150 comment="wireguard51 interface address" interface=\
wireguard51 network=10.140.35.150

TO:
add address=10.120.30.55/24 comment="wireguard50 interface address" interface=\
wireguard50 network=10.120.30.0
add address=10.140.35.150/24 comment="wireguard51 interface address" interface=\
wireguard51 network=10.140.35.0
the single /32 IP address for each wireguard peer address seems to be working okay - is there any benefit to assigning a wider network, best practice etc?
.
(6) Still require a server so that the initial query to doh can be found by router.......
/ip dns
set allow-remote-requests=yes server=1.1.1.2 use-doh-server=https://1.1.1.1/dns-query \
verify-doh-cert=yes
Had a play with this and seems to work okay using 1.1.1.1 DoH server without any additional lookup... I guess because the address is an IP already? plus the certificate includes 1.1.1.1 as a legit address.
.
(8) You keep forgetting to remove this rule................ NOT required.
you have a proper port forwarding rule two rules above this one and you have the drop rule right after. GET RID OF IT!!!

add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed (DISABLED)" \
connection-nat-state=!dstnat connection-state=new disabled=yes \
in-interface-list=WAN
Had it disabled, but have now deleted it altogether to tidy things up :)
