I have the following:
Site A: Hex
Site B: Hex
Site C: Ubiquiti UDM Pro
Site D: Ubiquiti UDM SE
I would like always-on VPN connectivity between all sites.
I started by trying to get Sites A and C set up.
I installed Wireguard on the UDMP at site C with the following wg.conf:
[Interface]
# Site C's end of the tunnel: its own key, listen port and tunnel address.
PrivateKey = kByyxxxxxxxxxxxxxxxxx
ListenPort = 51820
Address = 10.10.200.1/32
[Peer]
# Site A (the hex). PublicKey must be the public half of the hex's WireGuard key.
PublicKey = xx27xxxxxxxxxxxxxxx
# NOTE(review): only the tunnel subnet is listed. WireGuard discards inbound
# packets whose source is outside AllowedIPs and never routes outbound packets
# for destinations outside it, so Site A's LAN (192.168.2.0/24, per the hex
# export) cannot cross the tunnel until that prefix is added here. If this file
# is loaded with wg(8) rather than wg-quick, the kernel routes for AllowedIPs
# are not installed automatically — confirm how it is brought up on the UDMP.
AllowedIPs = 10.10.100.0/24
PersistentKeepalive=20
Endpoint = aaaaa.dyndns.org:51820
I made an ACCEPT firewall rule for all traffic originating from 10.10.0.0/16 to anywhere, and another rule for all traffic from anywhere destined to 10.10.0.0/16.
At Site A I have the following in my hex's config:
# nov/18/2022 10:49:26 by RouterOS 7.6
# software id = C3RH-692B
#
# model = RB750Gr3
/interface bridge
add name=Bridge-Port3
add admin-mac=bbbbbbbbb auto-mac=no comment=defconf name=bridge
# Site A end of the site-to-site tunnel. The interface only defines the local
# listen port and MTU; which traffic may use the tunnel is governed by the
# peer's allowed-address under /interface wireguard peers.
/interface wireguard
add listen-port=51820 mtu=1420 name=212-Wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=1w3d name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE bridge-learning=no
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# Default export line; no enabled=yes appears for the OVPN server in this export.
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption
# NOTE(review): this peer has no allowed-address. A RouterOS WireGuard peer
# only accepts inbound packets whose source is within allowed-address and only
# sends outbound packets whose destination is within it, so with it empty no
# traffic crosses the tunnel even after a successful handshake. Site C's tunnel
# address is 10.10.200.1/32 (from the UDMP wg.conf); Site C's LAN prefix is not
# shown anywhere in this post and would need to be listed as well.
# The 1h47m44s keepalive is far longer than typical UDP connection-tracking
# timeouts; a value in the tens of seconds is the usual choice — confirm intent.
/interface wireguard peers
add endpoint-address=ccccc.dyndns.org endpoint-port=51820 interface=\
212-Wireguard persistent-keepalive=1h47m44s public-key=\
"LXHxxxxxxxxxx"
/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\
192.168.2.0
add address=192.168.30.2/24 interface=ether3 network=192.168.30.0
# Tunnel address on the hex; only 10.10.100.0/24 is a connected route via the tunnel.
add address=10.10.100.1/24 interface=212-Wireguard network=10.10.100.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.2 netmask=24
# The router answers DNS for clients; the input chain below only lets LAN
# reach it (accept in-interface-list=LAN, then "drop all else").
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.2.2 comment=defconf name=router.lan
# WAN list holds this site's own DDNS name; used by the hairpin-NAT mangle rule.
/ip firewall address-list
add address=aaaaaa.dyndns.org list=WAN
add address=192.168.2.0/24 list=LAN
# Input chain: anything not accepted below ends at "drop all else".
/ip firewall filter
add action=accept chain=input comment=\
"NEW defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="NEW defconf: accept ICMP" protocol=\
icmp
# Tunnel traffic is accepted in both directions. These two rules sit ahead of
# the established/related rule, so with log=yes they log every packet that
# crosses the tunnel, not just new connections.
add action=accept chain=forward in-interface=212-Wireguard log=yes
add action=accept chain=forward log=yes out-interface=212-Wireguard
add action=drop chain=input comment="NEW defconf: drop invalid" \
connection-state=invalid
add action=accept chain=input comment=NEW in-interface-list=LAN
# NOTE(review): nothing above accepts udp/51820 from the WAN, so a handshake
# initiated by Site C is dropped here unless a connection-tracking entry from
# an earlier outbound packet is still present. An explicit rule such as
#   add action=accept chain=input comment="WireGuard" dst-port=51820 protocol=udp
# placed before this drop is the usual fix.
add action=drop chain=input comment="NEW drop all else"
add action=fasttrack-connection chain=forward comment=\
"NEW defconf: fasttrack" connection-state=established,related hw-offload=\
yes
add action=accept chain=forward comment=\
"NEW defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment="NEW allow port forwarding" \
connection-nat-state=dstnat log=yes
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="NEW defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=NEW
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
"Mark connection for hairpin NAT" dst-address-list=WAN \
new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
"Hairpin NAT"
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
out-interface-list=WAN
# NOTE(review): this dst-nat matches on the internal host address itself and
# logs; the "PORT FWD: 8123" rule further down is the one keyed on the WAN
# list. Presumably an earlier experiment — confirm it is still needed.
add action=dst-nat chain=dstnat dst-address=192.168.2.176 dst-port=8123 log=\
yes protocol=tcp to-addresses=192.168.2.176
add action=src-nat chain=srcnat comment="new 8123" disabled=yes dst-address=\
192.168.2.176 dst-port=8123 protocol=tcp to-addresses=192.168.2.176
add action=src-nat chain=srcnat comment="new 5800" disabled=yes dst-port=5800 \
protocol=tcp to-addresses=192.168.2.22
add action=src-nat chain=srcnat comment="new 5900" disabled=yes dst-port=5900 \
protocol=tcp to-addresses=192.168.2.22
add action=dst-nat chain=dstnat comment="PORT FWD: 8123" dst-address-list=\
WAN dst-port=8123 protocol=tcp to-addresses=192.168.2.176 to-ports=8123
# NOTE(review): no route points at 212-Wireguard. Site C's tunnel address
# 10.10.200.1 lies outside the connected 10.10.100.0/24, so traffic to it (and
# to Site C's LAN) needs a route via 212-Wireguard in addition to the peer's
# allowed-address — this export shows neither.
/ip route
add disabled=yes dst-address=0.0.0.0/0 gateway=192.168.2.1
/system clock
set time-zone-name=America/New_York
/system identity
set name=RouterOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add interface=ether1 name=tmon1
Thank you!