dakush
just joined
Topic Author
Posts: 9
Joined: Wed Aug 10, 2022 1:33 am

Server behind router with wireguard client

Sun Aug 21, 2022 5:11 pm

This is my configuration:
  • Router MK
    WAN IP: dynamic, e.g. 80.80.80.80
    LAN: 192.168.50.0/24
    LAN IP: 192.168.50.1
    Connected to a VPN via a Wireguard client, LAN IP: 10.100.100.101 and WAN IP e.g. 90.90.90.90
  • Computer A
    IP: 192.168.50.2
    This computer runs a webserver that needs to be accessible from external connections (not only from LAN)
    When running scripts, accessing webs, etc., this computer needs to access the Internet via the router's WG client
  • There're other devices in the LAN but they're not relevant to this case (they access the Internet through the router's WG client)

The WG client is configured and working OK but I have this problem with the webserver on computer A: if I configure the MK to route computer A's traffic through the VPN, then the webserver on computer A is no longer accessible from the outside. I guess that's because the requests are addressed to the router's WAN IP (80.80.80.80), but the answers are returned through the WG client (so from the VPN WAN IP 90.90.90.90) and then the clients just drop those answers.

Is there any way to make the MK route computer A's traffic in 2 different ways, i.e. route the connections "initiated" by computer A (scripts, browsing, etc.) through the WG client, but route the "answers" from the webserver to external requests through the router's WAN IP? Thanks!
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Server behind router with wireguard client

Mon Aug 22, 2022 8:50 pm

Yes, this sounds very much like a case for mangling.
What you want to do is mark the traffic coming in on the wan side of the local router heading with destination to that LAN server.
Then ensure that return traffic with that marking is routed back out the same WAN. In theory LOL.

To confirm: ALL LAN users on the same subnet of the SERVER go out the remote wg router for internet?
To confirm: only the SERVER on the LAN requires both, to respond to incoming WAN connections correctly but also to go to or be accessible through the wireguard connection?
To confirm: do any of the local LAN users also connect to the local server and if so, how?
a. by LANIP
b. by WANIP

You can see how tricky this can get without understanding all the nuances.

Depending upon your answers it may be possible to avoid mangling and do this with routes, routing tables, and routing rules.
 
dakush

Re: Server behind router with wireguard client

Tue Aug 23, 2022 12:32 am

To confirm: ALL LAN users on the same subnet of the SERVER go out the remote wg router for internet?
Yes, currently all 192.168.50.0/24 users go out through the WG client (although this could change in the future, so it'd be better if the solution didn't need this to be necessarily true).
To confirm: only the SERVER on the LAN requires both, to respond to incoming WAN connections correctly but also to go to or be accessible through the wireguard connection?
Also yes, because the server is the only machine on the LAN accepting incoming WAN connections (and only on ports 80,443).
To confirm: do any of the local LAN users also connect to the local server and if so, how?
a. by LANIP
b. by WANIP
Multiple LAN users access the server via both LANIP (e.g. some use a pihole installed on the server) and WANIP (e.g. some connect to the web server using its external domain name).
You can see how tricky this can get without understanding all the nuances.
Depending upon your answers it may be possible to avoid mangling and do this with routes, routing tables, and routing rules.
Tell me about it, lol! I've been thinking about this for days and yet I don't see a solution... I've even been thinking about using 2 machines, one exclusively for the server (this machine wouldn't use the WG client) and another one for the rest of the stuff that needs the WG client. But even if I go that way, now I'm curious about whether this can be done or not!

Thanks a lot for your help.
 
anav

Re: Server behind router with wireguard client

Tue Aug 23, 2022 3:40 pm

Okay, so I am assuming the router hosting the server acts as a wireguard client for the initial handshake. The other end has an accessible public IP.
What can you tell me about the remote end: an MT router acting as wireguard server for the initial handshake, or is this a third party VPN provider?

Will need FULL config of MT router ( just put in fake numbers for any actual public WANIP info )

Does the MT router (with the server) get static or dynamic WANIP address??
 
dakush

Re: Server behind router with wireguard client

Wed Aug 24, 2022 12:15 am

Okay, so I am assuming the router hosting the server acts as a wireguard client for the initial handshake. The other end has an accessible public IP.
What can you tell me about the remote end: an MT router acting as wireguard server for the initial handshake, or is this a third party VPN provider?
It's a 3rd party provider so I don't have any information about their end, I only got the connection parameters (keys, etc.).

Will need FULL config of MT router ( just put in fake numbers for any actual public WANIP info )
Here it goes:
/interface bridge
add admin-mac=xxxxxxxxxxxxx auto-mac=no comment=\
    "All-Ethernet-Ports Bridge" igmp-snooping=yes name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] comment=WAN name=ether1-gateway speed=\
    100Mbps
set [ find default-name=ether2 ] name=ether2-local speed=100Mbps
set [ find default-name=ether3 ] name=ether3-local speed=100Mbps
set [ find default-name=ether4 ] name=ether4-local speed=100Mbps
set [ find default-name=ether5 ] name=ether5-local speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether6-local
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether7-local
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether8-local
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether9-local
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether10-local
/interface wireguard
add listen-port=50000 mtu=1420 name=wireguard-client-VPN
/interface vlan
add comment=IPTV interface=ether1-gateway name=vlan2 vlan-id=2
add comment=VoIP interface=ether1-gateway name=vlan3 vlan-id=3
add comment="Internet Access" interface=ether1-gateway name=vlan6 vlan-id=6
/interface pppoe-client
add add-default-route=yes allow=pap,chap disabled=no interface=vlan6 \
    keepalive-timeout=60 max-mru=1492 max-mtu=1492 name=pppoe-out1 user=\
    user_name
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-server option
add code=240 name=iptv_option value="xxxxxxxxxxxxxxxx"
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.50.204-192.168.50.249
/ip dhcp-server
add address-pool=dhcp bootp-support=dynamic interface=bridge-local \
    lease-time=1d name=dhcp_main
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing rip instance
add afi=ipv4 disabled=no name=rip
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge-local ingress-filtering=no interface=ether2-local
add bridge=bridge-local ingress-filtering=no interface=ether6-local
add bridge=bridge-local hw=no ingress-filtering=no interface=sfp1
add bridge=bridge-local ingress-filtering=no interface=ether3-local
add bridge=bridge-local ingress-filtering=no interface=ether4-local
add bridge=bridge-local ingress-filtering=no interface=ether5-local
add bridge=bridge-local ingress-filtering=no interface=ether7-local
add bridge=bridge-local ingress-filtering=no interface=ether8-local
add bridge=bridge-local ingress-filtering=no interface=ether9-local
add bridge=bridge-local ingress-filtering=no interface=ether10-local
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
    use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192 tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set default-profile=default use-ipsec=yes
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="External VPN" endpoint-address=\
    90.90.90.89 endpoint-port=50000 interface=wireguard-client-VPN \
    persistent-keepalive=25s public-key=\
    "public_key"
/ip address
add address=192.168.50.1/24 comment="default configuration" interface=\
    bridge-local network=192.168.50.0
add address=192.168.100.10/24 interface=ether1-gateway network=192.168.100.0
add address=10.10.10.10/10 comment=iptv interface=vlan2 network=\
    10.10.0.0
add address=10.100.100.101/24 comment="External VPN" interface=\
    wireguard-client-VPN network=10.100.100.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add add-default-route=no interface=vlan3 use-peer-ntp=no
/ip dhcp-server config
set store-leases-disk=never
/ip dhcp-server lease
add address=192.168.50.2 comment=server \
    mac-address=xxxxxxxxxxxxx server=dhcp_main
add address=192.168.50.3 comment=machine1 \
    mac-address=xxxxxxxxxxxxx server=dhcp_main
add address=192.168.50.4 comment=machine2 \
    mac-address=xxxxxxxxxxxxx server=dhcp_main
add address=192.168.50.200 comment="iptv stb" mac-address=\
    yyyyyyyyyyyyy server=dhcp_main
/ip dhcp-server network
add address=192.168.50.0/24 dns-server=9.9.9.9,208.67.222.222,1.1.1.1 \
    gateway=192.168.50.1 netmask=24
add address=192.168.50.200/29 comment="iptv stb" dhcp-option=\
    iptv_option dns-server=37.37.37.37 gateway=192.168.50.1 netmask=24
/ip dns
set allow-remote-requests=yes use-doh-server=https://9.9.9.9/dns-query \
    verify-doh-cert=yes
/ip dns static
add address=192.168.50.2 name=server.local
add address=192.168.50.2 name=pihole.local
/ip firewall address-list
add address=192.168.50.0/24 comment=\
    "# LAN and WAN lists are used for hairpin NAT" list=LAN
add address=xxxxxxxxxxxxx.sn.mynetname.net list=WAN
/ip firewall filter
add action=accept chain=output comment=\
    "rules to blacklis ftpt incorrect login attemps" content=\
    "530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    protocol=tcp
add action=drop chain=input dst-port=21 protocol=tcp src-address-list=\
    ftp_blacklist
add action=drop chain=input comment=\
    "Do not allow access to DNS server from outside the local network" \
    dst-port=53 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established,related,untracked
add action=accept chain=input comment="accept vlan2 Iptv IGMP packets" \
    in-interface=vlan2 protocol=igmp
add action=accept chain=input comment=\
    "accept vlan2 Iptv multicast & broadcast traffic" dst-address-type=\
    !unicast in-interface=vlan2
add action=accept chain=input comment=\
    "accept vlan3 traffic for VoIP" in-interface=vlan3 src-address=\
    10.0.0.0/8
add action=drop chain=input comment="default configuration" in-interface=\
    pppoe-out1
add action=fasttrack-connection chain=forward comment="default configuration" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="default configuration" \
    connection-state=established,related
add action=drop chain=forward comment=\
    "drop all new unicast traffic from vlan2 Iptv not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new dst-address-type=\
    unicast in-interface=vlan2
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan3 \
    passthrough=yes
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan2 \
    passthrough=yes
add action=set-priority chain=postrouting new-priority=1 out-interface=\
    pppoe-out1 passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "\"Mark connections for hairpin NAT\"" dst-address-list=WAN \
    new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=LAN
add action=mark-connection chain=prerouting disabled=yes dst-address-list=WAN \
    new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=WG
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT"
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=vlan2
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=vlan3
add action=dst-nat chain=dstnat comment=iptv dst-address-type=local \
    in-interface=vlan2 to-addresses=192.168.50.200
add action=dst-nat chain=dstnat comment="web with hairpin NAT" \
    dst-address-list=WAN dst-port=80 protocol=tcp to-addresses=192.168.50.2
add action=dst-nat chain=dstnat dst-address-list=WAN dst-port=443 protocol=\
    tcp to-addresses=192.168.50.2
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set pptp disabled=yes
/ip ipsec policy
set 0 disabled=yes
/ip proxy
set parent-proxy=0.0.0.0
/ip route
add disabled=no distance=255 dst-address=0.0.0.0/0 gateway=255.255.255.255
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard-client-VPN \
    routing-table=wg-VPN suppress-hw-offload=no
/ip service
set telnet address=192.168.50.0/24
set ftp disabled=yes
set www address=192.168.50.0/24 port=3333
set ssh address=192.168.50.0/24
set api disabled=yes
set winbox address=192.168.50.0/24 port=4444
set api-ssl disabled=yes
/ip smb
set allow-guests=no interfaces=bridge-local
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge-local type=internal
add interface=pppoe-out1 type=external
/routing igmp-proxy
set query-interval=30m quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=vlan2 upstream=yes
add interface=bridge-local
/routing rip interface-template
add disabled=no instance=rip interfaces=vlan3,vlan2 mode=passive
/routing rule
add action=lookup comment="LAN is always resolved with \"main\" table" \
    disabled=no dst-address=192.168.50.0/24 src-address=192.168.50.0/24 table=\
    main
add action=lookup comment="server via WG client" disabled=no \
    src-address=192.168.50.2/32 table=wg-VPN
add action=lookup comment="machine1 via WG client" disabled=no \
    src-address=192.168.50.3/32 table=wg-VPN
add action=lookup comment="machine2 via WG client" disabled=no \
    src-address=192.168.50.4/32 table=wg-VPN

Does the MT router (with the server) get static or dynamic WANIP address??
My router gets a dynamic WANIP but it only changes on reboots. When I need to know what my WANIP is I just check my mikrotik's cloud domain "xxxxxx.sn.mynetname.net".
Thanks again!
 
anav

Re: Server behind router with wireguard client

Wed Aug 24, 2022 12:25 am

(1) Why are you using this??
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
use-ip-firewall-for-vlan=yes


In other words unless
a. you know what you are doing in MT configs cold, and
b. you have a specific reason that cannot be served by normal firewall filter chain rules,

Suggesting it's not a good addition to the config!

(2) Recommend this be set to NONE, as it has unknown usage amongst folks here and has caused issues in the past.
/interface detect-internet
set detect-interface-list=all

(3) Why does your ether1 have an IP address ???
add address=192.168.100.10/24 interface=ether1-gateway network=192.168.100.0

I thought it was a pppoe dynamic setting using vlan6, aka there should be no address for ether1-gateway!!

(4) Why does your IPTV have an IP address on vlan2 on ether1? Was this assigned to you by the ISP provider??
(If so I would have thought just having the vlan would be good enough to tie into whatever setup boxes you have??
Okay I see a weird DHCP setting so assume these are requirements the ISP passed on to you for the router?

(5) who is providing VOIP over the ether1 port on vlan3, your ISP provider???

(6) Did you insert these settings for DHCP client?? There should be none as this is all handled by the pppoe settings part of the config.
Okay later on I see somehow that works for the VOIP client settings from your ISP provider ???
/ip dhcp-client
add add-default-route=no interface=vlan3 use-peer-ntp=no


(7) Very confusing that you have an IPTV network coming in on ether1 from some unknown provider, it has an address of 10.10.10 etc. and yet
you have some weird dhcp-server network setting (see below) and even worse a lease to an IPTV machine on the main subnet ???
ip dhcp-server network
add address=192.168.50.200/29 comment="iptv stb" dhcp-option=\
iptv_option dns-server=37.37.37.37 gateway=192.168.50.1 netmask=24


Clearly it all must work for you but I am trying to understand how IPTV comes into the router and reaches the main subnet and what happens next.
Who uses this IPTV etc........

(8) Which machine is the server you are talking about, machine1 or machine 2..............

(9) As far as firewall rules go, let's stick with defaults and whatever funky you need for VOIP, IPTV etc. and let's dispense with the extra (garbage).
/ip firewall filter
add action=accept chain=input comment="default configuration" \
    connection-state=established,related,untracked
add action=drop chain=input comment="default configuration" \
    connection-state=invalid
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="accept vlan2 Iptv IGMP packets" \
    in-interface=vlan2 protocol=igmp
add action=accept chain=input comment=\
    "accept vlan2 Iptv multicast & broadcast traffic" dst-address-type=\
    !unicast in-interface=vlan2
add action=accept chain=input comment=\
    "accept vlan3 traffic for VoIP" in-interface=vlan3 src-address=\
    10.0.0.0/8
add action=accept chain=input in-interface=bridge-local
add action=drop chain=input comment="drop all else"
{Forward Chain}
add action=fasttrack-connection chain=forward comment="default configuration" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="default configuration" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=accept chain=forward in-interface=bridge-local out-interface=pppoe-out1
add action=accept chain=forward in-interface=bridge-local out-interface=vlan2
add action=accept chain=forward in-interface=bridge-local out-interface=vlan3
add action=accept chain=forward comment="allow port forwarding of IPTV traffic" \
    connection-nat-state=dstnat dst-address-type=unicast in-interface=vlan2
add action=drop chain=forward comment="drop all else"

Note1: What I don't get is this rule. It seems pretty open ended but assuming it's coming from the ISP??? If so why the source address as it is??? How does this work?
add action=accept chain=input comment=\
"accept vlan3 traffic for VoIP" in-interface=vlan3 src-address=\
10.0.0.0/8


Note2: Why is this forward chain rule referring to vlan2?? If you have users coming in from the WAN side they would be coming in on your ISP internet traffic which is interface name pppoe-out1 or vlan6??? AND NOT VLAN2, that is your IPTV connection from the ISP????
Okay, after looking at the rule I see it's for multicast, man this is so weird.......
add action=drop chain=forward comment=\
"drop all new unicast traffic from vlan2 Iptv not DSTNATed" \
connection-nat-state=!dstnat connection-state=new dst-address-type=\
unicast in-interface=vlan2


a much cleaner rule is the following
add action=accept chain=forward comment="allow port forwarding of IPTV traffic" \
connection-nat-state=dstnat dst-address-type=unicast in-interface=vlan2



Clearly lots going on that I am not familiar with but not unexpected. :-)

(10) By the way, use of mangling normally means getting rid of the FASTTRACK rule in the forward chain.
However, I see that most of the mangling is to ensure correct priority to meet up with ISP requirements on the vlans........ So not a problem.
I have not seen mangling used for hairpin nat rules.............. are you SURE it's necessary??



(11) You have many srcnat rules heading out the ethernet..................... PPPOE makes sense.
I suppose you need one for vlan2 (IPTV) and VOIP vlan3?? IF so you should get rid of the extra one (yellow).
Remember it's only needed if you need the source IP address of the packet originating behind the router to go out to IPTV or VOIP with the source address of the interface so identified.
Thus IPTV outbound originating traffic would get an IP of 10.10.10.10?? But There is no such address for VOIP so are you sure you need one for VLAN3 ???

add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
"Hairpin NAT"
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=pppoe-out1

add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway ?????

add action=masquerade chain=srcnat comment="default configuration" \
out-interface=vlan2

add action=masquerade chain=srcnat comment="default configuration" \
out-interface=vlan3 ??????????
 
anav

Re: Server behind router with wireguard client

Wed Aug 24, 2022 1:14 am

Sometimes it's handy to have interface lists for whole subnets and more so for groups of whole subnets.
For example:
/interface list
add name=WAN
/interface list members
add interface=pppoe-out1 list=WAN
add interface=vlan2 list=WAN
add interface=vlan3 list=WAN

So one rule could be made for internet access, vice three required at the moment.
add chain=forward action=accept in-interface=bridge-local out-interface-list=WAN

Typically one also applies same to LAN.
add interface=bridge-local list=LAN
perhaps wireguard interface list=LAN
any other subnets etc list=LAN
and thus rule becomes

add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN

OR, one source nat rule...........
add chain=srcnat action=masquerade out-interface-list=WAN
and done!!!!
 
dakush

Re: Server behind router with wireguard client

Fri Aug 26, 2022 1:32 am

First of all, thanks for going through my config in so much detail, it's really helpful.

Some context before answering your questions: my ISP (providing me with internet, voip and iptv) only supports their own routers, so when you need/want to use a different device you're pretty much on your own. When they change or update something, there's a local community where we share configurations and hacks to try and keep up with those changes, so it's very likely that there're some things in my config that make no sense anymore (maybe they did in the past, and I just forgot to remove them when something new came up).

Anyway, let's go.

(1) Why are you using this??
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
use-ip-firewall-for-vlan=yes

I honestly don't know, lol. Can't remember why or when I decided that I needed those. I've just set everything to "no".

(2) Recommend this be set to NONE, as it has unknown usage amongst folks here and has caused issues in the past.
/interface detect-internet
set detect-interface-list=all
Done, thanks.

(3) Why does your ether1 have an IP address ???
add address=192.168.100.10/24 interface=ether1-gateway network=192.168.100.0

I thought it was a pppoe dynamic setting using vlan6, aka there should be no address for ether1-gateway!!
And you're probably right. Again, I don't know why that's there. I've just removed it.

(4) Why does your IPTV have an IP address on vlan2 on ether1. Was this assigned to you buy the ISP provider ??
(If so I would have thought just having the vlan would be good enough to tie into whatever setup boxes you have??
Okay I see a weird DHCP setting so assume these are requirements the ISP passed on to you for the router?
I'm not sure what you mean here... I only see 1 IP address for the IPTV ("/ip add address=10.10.10.10/10 comment=iptv interface=vlan2 network=10.10.0.0"). This is, as you figured out, assigned to each customer by the ISP, as well as the "weird DHCP setting" :)

(5) who is providing VOIP over the ether1 port on vlan3, your ISP provider???
Yes.

(6) Did you insert these settings for DHCP client?? There should be none as this is all handled by the pppoe settings part of the config.
Okay later on I see somehow that works for the VOIP client settings from your ISP provider ???
/ip dhcp-client
add add-default-route=no interface=vlan3 use-peer-ntp=no

Yes, I inserted that. It's apparently required by the ISP configuration (in the local community I told you about, this setting is on the "standard" configuration for this provider, so I've never investigated it too much).

(7) Very confusing that you have an IPTV network coming on on ether1 from some unknown provider, it has an address of 10.10.10 etc. and yet
you have some weird dhcp-server network setting (see below) and even worse a lease to an IPTV machine on the main subnet ???
ip dhcp-server network
add address=192.168.50.200/29 comment="iptv stb" dhcp-option=\
iptv_option dns-server=37.37.37.37 gateway=192.168.50.1 netmask=24


Clearly it all must work for you but I am trying to understand how IPTV comes into the router and reaches the main subnet and what happens next.
Who uses this IPTV etc........
Yes, the iptv set-top-box configuration is complicated. It's the most difficult item to configure with this particular ISP. Many people just let the original router (in bridge mode) handle the iptv and voip services to avoid the mess. This dhcp-server config is needed for the STB to (i) use the weird option we talked about before and (ii) use that particular DNS server, because it just doesn't work with any other.

(8) Which machine is the server you are talking about, machine1 or machine 2..............
The server is identified by... "server". :) For example: "/ip add address=192.168.50.2 comment=server mac-address=xxxxxxxxxxxxx server=dhcp_main". Yeah, maybe not the best name to read a configuration with "dns servers" and "dhcp servers", etc. Maybe I should change the name to "my_web_server" or something like that to make the config more readable.

(9) As far as firewall rules go, let's stick with defaults and whatever funky you need for VOIP, IPTV etc. and let's dispense with the extra (garbage).
OK, I've followed your indications, **except** the last one:
add action=drop chain=forward comment="drop all else"
As soon as I enable that filter 2 things happen:
1. The iptv stops working
2. The clients using the WG client (machine1, machine2) can't reach the Internet (only the LAN)

Note1: What I dont get is this rule. It seems pretty open ended but assuming its coming from the ISP??? If so why the source address as it is??? How does this work?
add action=accept chain=input comment=\
"accept vlan3 traffic for VoIP" in-interface=vlan3 src-address=\
10.0.0.0/8

You're right, it's probably some garbage left from some old configuration. I've deleted it.

Note2: Why is this forward chain rule referring to vlan2 ?? If you have users coming in from the WAN side they would be coming in your ISP internet traffic which is interface name pppoe-out1 or vlan6 ??? AND NOT VLAN2 that is your IPTV connection from the ISP ????
Okay after looking at the rule I see its for multicast, man this is so weird.......
add action=drop chain=forward comment=\
"drop all new unicast traffic from vlan2 Iptv not DSTNATed" \
connection-nat-state=!dstnat connection-state=new dst-address-type=\
unicast in-interface=vlan2


a much cleaner rule is the following
add action=accept chain=forward comment="allow port forwarding of IPTV traffic" \
connection-nat-state=dstnat dst-address-type=unicast in-interface=vlan2

Again, that forward chain rule is in the local community "recommended configuration". To be honest, I don't quite understand it either. It looks pretty useless, since it gets absolutely NO traffic (both the byte and packet counters are always at ZERO).

I've tried to remove that rule and use yours
add action=accept chain=forward comment="allow port forwarding of IPTV traffic" \
    connection-nat-state=dstnat dst-address-type=unicast in-interface=vlan2
but I don't see any traffic either.

So even without my rule and without yours everything seems to work ok... (which sounds logical since none of them was seeing any traffic).

(10) I have not seen mangling used for hairpin nat rules.............. are you SURE its necessary??
It seems to be, since if I disable it I can't access my webs from the LAN (the webs are hosted on my server at 192.168.50.2). I don't know if there's a better way, this just works for me :)

(11) You have many sourcenat rule heading out the ethernet..................... PPPOE makes sense.
I suppose you need one for vlan2 (IPTV) and VOIP vlan3?? IF so you should get rid of the extra one (yellow).
The rules for vlan2 & vlan3 are, again, what the local community recommends for this ISP. I've just tried to disable them and everything seems to work OK (although in this case, the counters DID register some traffic... not a lot, but it was not zero). I don't know, like I said the iptv STB is a nightmare to configure, so maybe I'll leave the vlan2 rule enabled just in case, maybe it's just needed for firmware updates, or some bullshit with the ISP from time to time.

I'm also following your advice about making interface lists. I hadn't used them ever but they look useful to simplify configs.

Thanks again for all your help!
 
dakush

Re: Server behind router with wireguard client

Tue Aug 30, 2022 5:38 pm

What you want to do is mark the traffic coming in on the wan side of the local router heading with destination to that LAN server.
Then ensure that return traffic with that marking is routed back out the same WAN. In theory LOL.
[...]
Depending upon your answers it may be possible to avoid mangling and do this with routes, routing tables, and routing rules.
So, this is what I've tried (spoiler alert: it doesn't work):
  • Use mangle to mark all WAN incoming traffic on tcp ports 80,443 (those ports are already NATed to the webserver):
    /ip firewall mangle add action=mark-routing chain=prerouting dst-address-list=WAN dst-port=80 new-routing-mark=webserver passthrough=yes protocol=tcp
    /ip firewall mangle add action=mark-routing chain=prerouting dst-address-list=WAN dst-port=443 new-routing-mark=webserver passthrough=yes protocol=tcp

  • Create a new routing table for the webserver-marked traffic
    /routing table add fib name=webserver

  • Add a new route for all the webserver-marked traffic to use pppoe-out1
    /ip route add distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 pref-src="" routing-table=webserver scope=30 suppress-hw-offload=no target-scope=10

  • Add a new routing rule for the webserver-marked traffic to use the webserver table
    /routing rule add action=lookup comment="Webserver traffic can't go out through the VPN gateway" routing-mark=webserver table=webserver
    
I see traffic in the mangle mark, but like I said the end result is that it doesn't work. So if I don't use the WG client the webserver works OK, but if I connect my server through the WG client then it's unreachable from the outside. Any suggestions? Thanks!
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Server behind router with wireguard client

Tue Aug 30, 2022 6:53 pm

Okay so to clarify.

(1) Router A, has a webserver..........
Without wireguard external users can come in through the WAN port and reach the server.

(2) However you also want remote wireguard users, from Router B, to also be able to reach the server after coming out of the tunnel.

(3) Question, Do local users on Router A also need access to the server and if so HOW do they do so?
a. by LANIP or
b. by WANIP

If the answer to b. is YES, are the users in the same or different subnet than the server?

(4) Do the local users that need access to the local server also have other routing requirements (are they also entering the wireguard tunnel outbound for example).

++++++++++++++++++++++++++++
It sounds like that return traffic to external users coming in on the WAN may be hijacked out to the wireguard tunnel, instead of going back out the WAN.
This would be the case if the server is on a subnet, that you are sending out/routing the wireguard tunnel for internet traffic for example at Router B.
 
dakush
just joined
Topic Author
Posts: 9
Joined: Wed Aug 10, 2022 1:33 am

Re: Server behind router with wireguard client

Wed Aug 31, 2022 2:08 am

Okay so to clarify.

(1) Router A, has a webserver..........
Without wireguard external users can come in through the WAN port and reach the server.

(2) However you also want remote wireguard users, from Router B, to also be able to reach the server after coming out of the tunnel.
No, I don't have any remote WG users. I'll try to explain again the situation, I admit it's a bit... peculiar.

- I have a webserver on machine1 on 192.168.50.2 behind router A on 192.168.50.1 (LAN 192.168.50.0/24 with multiple clients, but only machine1 receives incoming connections)
- Everything works fine and external users can reach the webserver. No problem with this configuration.

Now, I've configured a WG client (to an external VPN provider) on router A and I want all my clients on 192.168.50.0/24 (including machine1 which hosts the webserver) to reach the Internet through that WG client.

The problem is that, when machine1 goes out through the WG client, the webserver isn't accessible anymore (I guess, like you say below, because clients send their requests to router A's public IP, but they get the responses from the VPN provider's IP).

(3) Question, Do local users on Router A also need access to the server and if so HOW do they do so?
a. by LANIP or
b. by WANIP

If the answer to b. is YES, are the users in the same or different subnet than the server?
Local users currently access the webserver by WAN IP (with Hairpin NAT). They all are on the same subnet (there's only a subnet 192.168.50.0/24 for all my clients, including the webserver).

(4) Do the local users that need access to the local server also have other routing requirements (are they also entering the wireguard tunnel outbound for example).
Yes, local clients also need to access the Internet, and they do so through the WG client on router A.

++++++++++++++++++++++++++++
It sounds like that return traffic to external users coming in on the WAN may be hijacked out to the wireguard tunnel, instead of going back out the WAN.
This would be the case if the server is on a subnet, that you are sending out/routing the wireguard tunnel for internet traffic for example at Router B.
That's what I think, too. External clients send a request to my WAN IP but (when machine1 is using the WG client) they receive a response from the VPN provider's IP.

The problem is how to achieve both (1) to route those "answers" from the webserver through the WAN, and (2) to send the connections "initiated" by the machine1 through the WG client... Currently I have to choose, and since my priority is to have the webserver accessible for outside clients, I keep machine1 disconnected from the WG client.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Server behind router with wireguard client

Wed Aug 31, 2022 8:36 am

First I'd disable the fasttrack rule.
Then I'd try to mark only new connections from 192.168.50.2 (or all your LAN clients?) to the wild wild internet (excluding local destinations) and route them to go out via the wg tunnel, so that your normal incoming ones are handled by the default route, just a thought. I have no idea if it'll work or not.
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Server behind router with wireguard client

Wed Aug 31, 2022 9:32 pm

Znevna, this encapsulates the issue and is what my thinking is, just not a mangling genius to carry it out...............

1. external remote users come in local WAN to access server on LANA.
2. internal local users on LANB also access server on LANA
3. Third party WG in use forcing all LANB users to go out internet.
4. Server, ON LAN A, also needs to access internet through the WG tunnel.

Question: How to ensure local users can access server and the return traffic to them reaches them, and return traffic for external users goes back out local WAN.

Solution:
/routing table add name=useWG fib
/ip route add dst-address=0.0.0.0/0 gateway=ISPgateway routing-table=main
/ip route add dst-address=0.0.0.0/0 gateway=wginterface routing-table=useWG

Order is important!
/routing rule add dst-address=IPofServer action=lookup-only-in-table table=main { local users will not go out tunnel and will access the local server }
/routing rule add src-address=LANB_subnet action=lookup-only-in-table table=useWG { all other traffic from local users goes out the tunnel }
/routing rule add src-address=IPofServer action=lookup-only-in-table table=useWG { any traffic originating on the server will be pushed out the tunnel }

+++++++++++++++++++++++++++++++++++++++++++++

However I am not sure how external remote user traffic coming in the WANIP will be considered. The router will route to the server via DAC.............. I believe the responses will still be forced out the wg tunnel incorrectly.

Thus we may have to mangle............ But first
A. create a table to use as the new routing-mark (so its available from the pull down selection)
/routing table add name=ReturnWAN fib

B. mark the connection for external wan users......
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=IPofServer in-interface=WAN new-connection-mark=CaptureExternalUsers passthrough=yes

C. attach the connection mark to a new routing mark (which will be used in routing rule).
add action=mark-routing chain=prerouting connection-mark=CaptureExternalUsers new-routing-mark=ReturnWAN passthrough=no

Then have a routing rule placed above the other three noted above.
/routing rule add routing-mark=ReturnWAN action=lookup-only-in-table table=main
/routing rule add dst-address=IPofServer action=lookup-only-in-table table=main { local users will not go out tunnel and will access the local server }
/routing rule add src-address=LANB_subnet action=lookup-only-in-table table=useWG { all other traffic from local users goes out the tunnel }
/routing rule add src-address=IPofServer action=lookup-only-in-table table=useWG { any traffic originating on the server will be pushed out the tunnel }


Thus any packets associated with coming in on the local WAN that are headed for the server get marked.
When it comes time to route those packets, the router knows to choose table=main and they will go out main WAN, vice the tunnel.
Last edited by anav on Thu Sep 01, 2022 3:37 am, edited 4 times in total.
 
dakush
just joined
Topic Author
Posts: 9
Joined: Wed Aug 10, 2022 1:33 am

Re: Server behind router with wireguard client

Wed Aug 31, 2022 9:47 pm

First I'd disable the fasttrack rule.
Then I'd try to mark only new connections from 192.168.50.2 (or all your LAN clients?) to the wild wild internet (excluding local destinations) and route them to go out via the wg tunnel, so that your normal incoming ones are handled by the default route, just a thought. I have no idea if it'll work or not.
Thanks. I've disabled the fasttrack rule and marked new connections from 192.168.50.2 to the evil internet:
/ip firewall mangle add action=mark-connection chain=forward connection-state=new new-connection-mark=webserver out-interface=pppoe-out1 passthrough=yes src-address=192.168.50.2

I already had a route for the WG client:
/ip route add dst-address=0.0.0.0/0 gateway=wireguard-client routing-table=wg-client suppress-hw-offload=no

Now, how do I route the marked connections through the WG client? I tried using routing rules, but the only fields I see there are src-address, dst-address, routing-mark and interface (so I can't use the connection marks). Thanks again.
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Server behind router with wireguard client

Wed Aug 31, 2022 10:04 pm

Look at my post above, I addressed what you need.
 
dakush
just joined
Topic Author
Posts: 9
Joined: Wed Aug 10, 2022 1:33 am

Re: Server behind router with wireguard client

Thu Sep 01, 2022 2:30 am

Look at my post above, I addressed what you need.

Sorry, I missed it... and I shouldn't have because it works!!!! Yes sir!!

EDIT: Just a couple of things out of curiosity.

When creating the mangle:
add action=mark-routing chain=prerouting routing-mark=no-mark connection-mark=CaptureExternalUsers new-routing-mark=ReturnWAN passthrough=no

I couldn't set the option "routing-mark=no-mark" because the only routing mark available I have is "main" (so I just didn't set that option at all, I don't know if that's critical).

Also, to be able to use the "ReturnWAN" mark I had to create first a routing table with that name (the "routing mark" menu only shows the marks with a routing table, I don't know if that's standard behavior on routerOS or if I'm doing something wrong).

Anyway, I'm still testing to make sure every possible situation works but so far so good. Thank you so much!
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Server behind router with wireguard client

Thu Sep 01, 2022 3:31 am

Hmm interesting can you post the latest config..........

For the routing mark,
Concur, you are right it seems I may have been mixing up connection mark which does have that option.

You did the right thing by creating the table ReturnWAN to use as a pulldown option for NEW ROUTING mark when creating the mangle rule for the routing mark.
That was my omission.

I've edited the above post so anyone following or using it will have the right info............

So happy you got it going!!!!
 
dakush
just joined
Topic Author
Posts: 9
Joined: Wed Aug 10, 2022 1:33 am

Re: Server behind router with wireguard client

Sat Sep 03, 2022 1:21 am

Happy to help others, I'm attaching my config below.

You'll see that now I've also added a WG server (I felt sooo powerful when my problem was fixed!!!). This way, local clients can connect to LAN even from outside. And, to make things more interesting, I'm allowing those users (connected to my WG server) to go out to the Internet using the WG client configured on the MK. Best of all? Everything works! :)

A question, just for learning purposes. Based on your answer, I'm using these 2 rules to mark connections (and allow access to the LAN server when it's using the WG client):
add action=mark-connection chain=prerouting comment="When the LAN server is us\
    ing the WG client -> make that server accessible through its public IP (WA\
    N address)" connection-mark=no-mark dst-address-list=WAN in-interface=\
    !bridge-local new-connection-mark=external-access-when-server-using-VPN \
    passthrough=yes
add action=mark-connection chain=prerouting comment="When the LAN server is us\
    ing the WG client -> make that server accessible through its local IP for \
    clients connected to our WG server" connection-mark=no-mark dst-address=\
    192.168.50.2 in-interface=wireguard-server \
    new-connection-mark=external-access-when-server-using-VPN passthrough=yes


I need 2 rules because the LAN server can now receive 2 types of connections:
- "external users" sending requests to the LAN server's public IP (my WAN address)
- "local users" connected to my WG server and going out through the WG client, and sending requests to the LAN server's local address (192.168.50.2)

The question is: could I replace those 2 rules with just this one? I've tested it and it works, but I don't know if this rule is "worse" than the other 2 in terms of performance, or efficacy... The basic change is using the "forward" chain instead of "prerouting", because that way I can just use the server's local IP for any connection. Anyway, I'd like to know your opinion. The rule is:
add action=mark-connection chain=forward comment="When the LAN server is us\
    ing the WG client -> make that server accessible both at WAN and Local IP" \
    connection-mark=no-mark dst-address=192.168.50.2 in-interface=!bridge-local \
    new-connection-mark=external-access-when-server-using-VPN passthrough=yes

EDIT: Later I found that my rule gives me some problems, not with incoming connections but with outgoing (i.e. when I need to connect to the Internet from my server... it's weird, because webpages start to load but then they stop). Anyway, with your rules I don't have any problem so I've kept them in my final config.


And as promised, this is my full configuration with everything working. Thanks SO much for your help!
/interface bridge
add admin-mac="admin-mac" auto-mac=no comment=\
    "All-Ethernet-Ports Bridge" igmp-snooping=yes name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] comment=WAN name=ether1-gateway speed=\
    100Mbps
set [ find default-name=ether2 ] name=ether2-local speed=100Mbps
set [ find default-name=ether3 ] name=ether3-local speed=100Mbps
set [ find default-name=ether4 ] name=ether4-local speed=100Mbps
set [ find default-name=ether5 ] name=ether5-local speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether6-local
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether7-local
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether8-local
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether9-local
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether10-local
/interface wireguard
add listen-port="port_x" mtu=1420 name=wireguard-server
add listen-port="port_y" mtu=1420 name=wireguard-client
/interface vlan
add comment=IPTV interface=ether1-gateway name=vlan2 vlan-id=2
add comment=VoIP interface=ether1-gateway name=vlan3 vlan-id=3
add comment="Internet Access" interface=ether1-gateway name=vlan6 vlan-id=6
/interface pppoe-client
add add-default-route=yes allow=pap,chap disabled=no interface=vlan6 \
    keepalive-timeout=60 max-mru=1492 max-mtu=1492 name=pppoe-out1 user=\
    "username"
/interface list
add comment="Vlan2 (iptv) & Vlan3 (VoIP)" name=vlan2&3
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-server option
add code=240 name=iptv_option value=\
    "':::::239.0.2.10:22222:v6.0:239.0.2.30:22222'"
/ip pool
add name=dhcp ranges=192.168.50.205-192.168.50.249
/ip dhcp-server
add address-pool=dhcp bootp-support=dynamic interface=bridge-local \
    lease-time=1d name=dhcp_main
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing rip instance
add afi=ipv4 disabled=no name=rip
/routing table
add comment="Access to WG client via WG server" \
    disabled=no fib name=wg-client
add comment="External access to webserver when using WG client" \
    disabled=no fib name=returnWAN
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge-local ingress-filtering=no interface=ether2-local
add bridge=bridge-local ingress-filtering=no interface=ether6-local
add bridge=bridge-local hw=no ingress-filtering=no interface=sfp1
add bridge=bridge-local ingress-filtering=no interface=ether3-local
add bridge=bridge-local ingress-filtering=no interface=ether4-local
add bridge=bridge-local ingress-filtering=no interface=ether5-local
add bridge=bridge-local ingress-filtering=no interface=ether7-local
add bridge=bridge-local ingress-filtering=no interface=ether8-local
add bridge=bridge-local ingress-filtering=no interface=ether9-local
add bridge=bridge-local ingress-filtering=no interface=ether10-local
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192 tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge-local list=LAN
add interface=vlan2 list=vlan2&3
add interface=vlan3 list=vlan2&3
add interface=wireguard-server list=LAN
/interface wireguard peers
add allowed-address=192.168.51.2/32 comment=machine1 interface=\
    wireguard-server public-key="key1"
add allowed-address=192.168.52.3/32 comment=machine2 interface=\
    wireguard-server public-key="key2"
/ip address
add address=192.168.50.1/24 comment="default configuration" interface=\
    bridge-local network=192.168.50.0
add address="From_ISP_config" comment=IPTV interface=vlan2 network=\
    "From_ISP_config"
add address=192.168.51.1/24 interface=wireguard-server network=\
    192.168.51.0
add address="From_VPN_Provider" comment="External WG VPN" interface=\
    wireguard-client network="From_VPN_Provider"
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add add-default-route=no interface=vlan3 use-peer-ntp=no
/ip dhcp-server config
set store-leases-disk=never
/ip dhcp-server lease
add address=192.168.50.2 client-id=xxxxxxxxxxxxxx comment=LAN-server \
    mac-address=yyyyyyyyyyyyyy server=dhcp_main
add address=192.168.50.3 client-id=xxxxxxxxxxxxxx comment=machine1 \
    mac-address=yyyyyyyyyyyyyy server=dhcp_main
add address=192.168.50.4 client-id=xxxxxxxxxxxxxxx comment=machine2 \
    mac-address=yyyyyyyyyyyyyy server=dhcp_main
/ip dhcp-server network
add address=192.168.50.0/24 dns-server=9.9.9.9,208.67.222.222,1.1.1.1 \
    gateway=192.168.50.1 netmask=24
add address=192.168.50.200/30 comment=IPTV-STB dhcp-option=\
    iptv_option dns-server="From_ISP_config" gateway=192.168.50.1 netmask=24
/ip dns
set allow-remote-requests=yes use-doh-server=https://9.9.9.9/dns-query \
    verify-doh-cert=yes
/ip firewall address-list
add address=192.168.50.0/24 comment=\
    "# LAN and WAN are lists used for hairpin NAT" list=LAN
add address=xxxxxxxxxxxxxx.sn.mynetname.net list=WAN
/ip firewall filter
add action=accept chain=output comment=\
    "rules to blacklis ftpt incorrect login attemps" content=\
    "530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    protocol=tcp
add action=drop chain=input dst-port=21 protocol=tcp src-address-list=\
    ftp_blacklist
add action=drop chain=input comment=\
    "Do not allow access to DNS server from outside the local network" \
    dst-port=53 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input comment="default configuration" \
    connection-state=established,related,untracked
add action=accept chain=input comment="default configuration" protocol=icmp
add action=drop chain=input comment="default configuration" connection-state=\
    invalid
add action=accept chain=input comment=wireguard-server dst-port=\
    port_x protocol=udp
add action=accept chain=input comment="accept vlan2 Iptv IGMP packets" \
    in-interface=vlan2 protocol=igmp
add action=accept chain=input comment=\
    "accept vlan2 & vlan3 (Iptv & VoIP) multicast & broadcast traffic" \
    dst-address-type=!unicast in-interface-list=vlan2&3
add action=accept chain=input comment="default configuration" in-interface=\
    bridge-local
add action=drop chain=input comment="default configuration --> drop all else" \
    in-interface=pppoe-out1
add action=fasttrack-connection chain=forward comment="default configuration" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="default configuration" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=accept chain=forward comment="default configuration" in-interface=\
    bridge-local out-interface=pppoe-out1
add action=accept chain=forward comment="default configuration" in-interface=\
    bridge-local out-interface-list=vlan2&3
add action=drop chain=forward comment="drop all new unicast traffic from vlan2\
    \_& vlan3 (Iptv & VoIP) not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new dst-address-type=unicast in-interface-list=vlan2&3
/ip firewall mangle
add action=set-priority chain=postrouting comment="Interface priorities" \
    new-priority=5 out-interface=vlan3 passthrough=yes
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan2 \
    passthrough=yes
add action=set-priority chain=postrouting new-priority=1 out-interface=\
    pppoe-out1 passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "\"Mark connections for hairpin NAT\"" dst-address-list=WAN dst-port=80 \
    new-connection-mark="Hairpin NAT" passthrough=yes protocol=tcp \
    src-address-list=LAN
add action=mark-connection chain=prerouting dst-address-list=WAN dst-port=443 \
    new-connection-mark="Hairpin NAT" passthrough=yes protocol=tcp \
    src-address-list=LAN
add action=mark-connection chain=prerouting comment="When the LAN server is us\
    ing the WG client -> make that server accessible through its public IP (WA\
    N address)" connection-mark=no-mark dst-address-list=WAN in-interface=\
    !bridge-local new-connection-mark=external-access-when-server-using-VPN \
    passthrough=yes
add action=mark-connection chain=prerouting comment="When the LAN server is us\
    ing the WG client -> make that server accessible through its local IP for \
    clients connected to our WG server" connection-mark=no-mark dst-address=\
    192.168.50.2 in-interface=wireguard-server \
    new-connection-mark=external-access-when-server-using-VPN passthrough=yes
add action=mark-routing chain=prerouting comment="Mark with a routing mark the\
    \_connections marked before (to apply later routing rules)" \
    connection-mark=external-access-when-server-using-VPN new-routing-mark=\
    returnWAN passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT"
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface-list=vlan2&3
add action=masquerade chain=srcnat comment=\
    "Remote clients of our WG server can go out through the WG client" out-interface=\
    wireguard-client
add action=dst-nat chain=dstnat comment=VOD dst-address-type=local \
    in-interface=vlan2 to-addresses=192.168.50.200
add action=dst-nat chain=dstnat comment="web with hairpin NAT" \
    dst-address-list=WAN dst-port=80 protocol=tcp to-addresses=192.168.50.2
add action=dst-nat chain=dstnat dst-address-list=WAN dst-port=443 protocol=\
    tcp to-addresses=192.168.50.2
add action=dst-nat chain=dstnat comment=\
    "rtmp access to nginx with hairpin NAT" dst-address-list=WAN dst-port=\
    "port_z" protocol=tcp to-addresses=192.168.50.2
/ip proxy
set parent-proxy=0.0.0.0
/ip route
add disabled=no distance=255 dst-address=0.0.0.0/0 gateway=255.255.255.255
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard-client \
    routing-table=wg-client suppress-hw-offload=no
/ip smb
set allow-guests=no interfaces=bridge-local
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge-local type=internal
add interface=pppoe-out1 type=external
/routing igmp-proxy
set query-interval=30m quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=vlan2 upstream=yes
add interface=bridge-local
/routing rip interface-template
add disabled=no instance=rip interfaces=vlan3,vlan2 mode=passive
/routing rule
add action=lookup comment="LAN is always resolved with \"main\" table" \
    disabled=no dst-address=192.168.50.0/24 table=main
add action=lookup-only-in-table comment="When accessed from the outside, the s\
    erver always answers via the main table" disabled=no routing-mark=\
    returnWAN table=main
add action=lookup comment="machine1 via WG client when in LAN" disabled=no src-address=\
    192.168.50.2/32 table=wg-client
add action=lookup comment="machine1 via WG client when connected to WG server" disabled=no src-address=\
    192.168.51.2/32 table=wg-client
add action=lookup comment="machine2 via WG client when in LAN" disabled=no \
    src-address=192.168.50.3/32 table=wg-client
add action=lookup comment="machine2 via WG client when connected to WG server" disabled=no \
    src-address=192.168.51.3/32 table=wg-client
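Added example (editor's code, not a post from this thread and not RouterOS configuration): a small Python model of the policy-routing pipeline that anav's solution above and the final export rely on. It covers both anav's rule set and the forward-chain variant asked about in the last post. Everything in it is a constructed stand-in: 80.80.80.80 plays the address in the "WAN" list, 10.100.100.101 the router's address inside wireguard-client, and conntrack, dst-nat and masquerade are reduced to the few behaviours the thread depends on. It checks three things side by side: without any marks the webserver's replies follow the src-address rule into the tunnel; with the prerouting connection mark plus routing mark they leave via pppoe-out1, but only while the returnWAN rule sits above the src-address rule; and the forward-chain variant marks the server's own outbound connections as soon as the peer's first reply comes back through the tunnel (mangle in forward sees the de-NATed destination 192.168.50.2), so the following packet is rerouted out the WAN mid-connection, which is the kind of half-loading the last post describes.

```python
"""Toy model of the RouterOS v7 policy-routing pipeline discussed in this thread.

Constructed example, not RouterOS code: it models only prerouting/forward mangle,
dst-nat and masquerade, and ordered routing rules that select a routing table.
"""
from dataclasses import dataclass

WAN_IP = "80.80.80.80"      # constructed stand-in for the address in the "WAN" list
VPN_IP = "10.100.100.101"   # constructed: the router's address inside wireguard-client
SERVER = "192.168.50.2"     # the LAN webserver from the thread
TABLES = {"main": "pppoe-out1", "wg-client": "wireguard-client"}  # default route per table


def in_lan(addr):
    return addr.startswith("192.168.50.")


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str
    rmark: str = "no-mark"   # routing mark set by mangle, read by the routing rules


@dataclass
class Conn:
    mark: str = "no-mark"    # connection mark, shared by every packet of the connection
    nat_ip: str = ""         # address this connection was masqueraded to on egress
    lan_src: str = ""        # LAN host behind that masquerade


class Router:
    def __init__(self, mangle, rules):
        self.mangle = mangle   # (chain, match(pkt, conn), action, mark)
        self.rules = rules     # ordered (match(pkt), table); first match wins
        self.conns = {}

    def conn_for(self, p):
        # Toy conntrack: key on the internet peer, which NAT never rewrites.
        peer = next(a for a in (p.src, p.dst) if not in_lan(a) and a not in (WAN_IP, VPN_IP))
        return self.conns.setdefault(peer, Conn())

    def run_mangle(self, chain, p, c):
        for ch, match, action, mark in self.mangle:
            if ch == chain and match(p, c):
                if action == "mark-connection":
                    c.mark = mark
                else:                              # mark-routing
                    p.rmark = mark

    def route(self, p):
        for match, table in self.rules:
            if match(p):
                return "bridge-local" if in_lan(p.dst) else TABLES[table]
        return "bridge-local" if in_lan(p.dst) else TABLES["main"]

    def forward(self, src, dst, in_iface):
        """Push one packet through the router; returns the egress interface."""
        p = Packet(src, dst, in_iface)
        c = self.conn_for(p)
        self.run_mangle("prerouting", p, c)        # before NAT: sees the public/VPN dst
        if p.dst == WAN_IP:                        # dst-nat 80/443 -> webserver
            p.dst = SERVER
        elif c.nat_ip and p.dst == c.nat_ip:       # reply to a masqueraded connection
            p.dst = c.lan_src
        out = self.route(p)
        self.run_mangle("forward", p, c)           # after NAT: sees the LAN dst
        if in_lan(p.src) and out in TABLES.values():   # masquerade on egress
            c.nat_ip = WAN_IP if out == "pppoe-out1" else VPN_IP
            c.lan_src = p.src
        return out


# Routing rules in the order the thread settled on.
RULES = [
    (lambda p: in_lan(p.dst), "main"),            # LAN destinations via main
    (lambda p: p.rmark == "returnWAN", "main"),   # marked replies back out the WAN
    (lambda p: p.src == SERVER, "wg-client"),     # anything the server starts -> tunnel
]
SWAPPED_RULES = [RULES[0], RULES[2], RULES[1]]    # returnWAN rule placed too late

# Prerouting approach: mark the connection by its public destination, before NAT.
PREROUTING_MARKS = [
    ("prerouting", lambda p, c: c.mark == "no-mark" and p.dst == WAN_IP
     and p.in_iface != "bridge-local", "mark-connection", "ext"),
    ("prerouting", lambda p, c: c.mark == "ext", "mark-routing", "returnWAN"),
]
# Forward-chain variant: mark by the server's LAN address, after NAT.
FORWARD_MARKS = [
    ("forward", lambda p, c: c.mark == "no-mark" and p.dst == SERVER
     and p.in_iface != "bridge-local", "mark-connection", "ext"),
    ("prerouting", lambda p, c: c.mark == "ext", "mark-routing", "returnWAN"),
]


def reply_egress(mangle, rules=RULES, client="203.0.113.7"):
    """External request to the public IP, then the webserver's reply: where does it leave?"""
    r = Router(mangle, rules)
    r.forward(client, WAN_IP, "pppoe-out1")
    return r.forward(SERVER, client, "bridge-local")


def server_egress(mangle, rules=RULES, peer="198.51.100.9"):
    """Server-initiated connection: egress of the first packet and of the one after the reply."""
    r = Router(mangle, rules)
    first = r.forward(SERVER, peer, "bridge-local")
    r.forward(peer, VPN_IP, "wireguard-client")   # peer's answer arrives through the tunnel
    return first, r.forward(SERVER, peer, "bridge-local")


if __name__ == "__main__":
    print("no mangle, reply via:", reply_egress([]))                              # wireguard-client
    print("prerouting marks, reply via:", reply_egress(PREROUTING_MARKS))         # pppoe-out1
    print("returnWAN rule too late:", reply_egress(PREROUTING_MARKS, SWAPPED_RULES))  # wireguard-client
    print("server conn, prerouting marks:", server_egress(PREROUTING_MARKS))      # both wireguard-client
    print("server conn, forward marks:", server_egress(FORWARD_MARKS))            # flips to pppoe-out1
```

The model deliberately omits fasttrack: a fasttracked connection bypasses mangle entirely, which is why the thread disables that rule before any of the marks can take effect.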
