wirelessadweb
just joined
Topic Author
Posts: 14
Joined: Sat Dec 22, 2012 8:16 am

Routing VLAN through Wireguard

Fri Jan 27, 2023 1:23 pm

Hi,

I am trying to complete a config with a VLAN being routed over a wireguard connection. In version 6 I set the mangle rules, marked the routing and could connect through a VPN. I am not getting the same results with 7: the Wireguard connection handshakes, but I am not able to route VLAN 20 over it.

# jan/27/2023 11:37:55 by RouterOS 7.7
# software id = 4ASX-S75S
#
# model = RBD53iG-5HacD2HnD
# serial number = F34E0F15C598
/interface bridge
add admin-mac=DC:2C:6E:BA:50:78 auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
/interface wireguard
add listen-port=9929 mtu=1400 name=wireguard1
/interface vlan
add interface=bridge name=LANvlan10 vlan-id=10
add interface=bridge name=MGT vlan-id=99
add interface=bridge name=UKvlan20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
/interface wifiwave2 channel
add frequency=2412,2432,2472 name=ch-2ghz width=20mhz
add frequency=5180,5260,5500 name=ch-5ghz width=20/40/80mhz
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk name=lan-sec
add authentication-types=wpa2-psk,wpa3-psk name=uk-sec
/interface wifiwave2 configuration
add country=France mode=ap name=conf_24 security=lan-sec ssid=lan
add channel=ch-5ghz country=France mode=ap name=conf_5 security=lan-sec ssid=\
lan
/interface wifiwave2
set [ find default-name=wifi1 ] channel=ch-2ghz channel.band=2ghz-n \
.skip-dfs-channels=10min-cac .width=20/40mhz configuration=conf_24 \
configuration.mode=ap disabled=no security=lan-sec
set [ find default-name=wifi2 ] channel.band=5ghz-ac .skip-dfs-channels=\
10min-cac .width=20/40/80mhz configuration=conf_24 configuration.mode=ap \
disabled=no
add channel=ch-2ghz configuration=conf_24 configuration.mode=ap disabled=no \
mac-address=DE:2C:6E:BA:50:7C master-interface=wifi1 name=wifi3 security=\
lan-sec
add channel=ch-5ghz configuration=conf_5 configuration.mode=ap disabled=no \
mac-address=DE:2C:6E:BA:50:7D master-interface=wifi2 name=wifi4 security=\
lan-sec
/ip pool
add name=dhcp_pool1 ranges=192.168.10.20-192.168.10.254
add name=dhcp_pool2 ranges=192.168.20.20-192.168.20.254
add name=dhcp_pool3 ranges=192.168.99.20-192.168.99.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=LANvlan10 name=dhcp1
add address-pool=dhcp_pool2 interface=UKvlan20 name=dhcp2
add address-pool=dhcp_pool3 interface=MGT name=dhcp3
/lora servers
add address=eu.mikrotik.thethings.industries down-port=1700 name=TTN-EU \
up-port=1700
add address=us.mikrotik.thethings.industries down-port=1700 name=TTN-US \
up-port=1700
add address=eu1.cloud.thethings.industries down-port=1700 name=\
"TTS Cloud (eu1)" up-port=1700
add address=nam1.cloud.thethings.industries down-port=1700 name=\
"TTS Cloud (nam1)" up-port=1700
add address=au1.cloud.thethings.industries down-port=1700 name=\
"TTS Cloud (au1)" up-port=1700
add address=eu1.cloud.thethings.network down-port=1700 name="TTN V3 (eu1)" \
up-port=1700
add address=nam1.cloud.thethings.network down-port=1700 name="TTN V3 (nam1)" \
up-port=1700
add address=au1.cloud.thethings.network down-port=1700 name="TTN V3 (au1)" \
up-port=1700
/routing table
add disabled=no fib name=UK
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=wifi1 pvid=10
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=wifi2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=wifi3 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=wifi4 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=10
add bridge=bridge tagged=ether2,bridge vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether5 list=LAN
add interface=LANvlan10 list=LAN
add interface=UKvlan20 list=LAN
add interface=wireguard1 list=WAN
add interface=MGT list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 endpoint-address=xxxxxxxxxxxxxxxxxx \
endpoint-port=9929 interface=wireguard1 persistent-keepalive=25s \
public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
/ip address
add address=192.168.99.1/24 interface=MGT network=192.168.99.0
add address=192.168.10.1/24 interface=LANvlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=UKvlan20 network=192.168.20.0
add address=172.27.97.181 interface=wireguard1 network=172.27.97.181
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=46.227.67.134,192.165.9.158 gateway=\
192.168.20.1
add address=192.168.99.0/24 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=Wireguard dst-port=9929 protocol=udp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=UK passthrough=yes \
src-address=192.168.20.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 pref-src=\
"" routing-table=UK scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/routing rule
add action=lookup disabled=no src-address=192.168.20.0/24 table=UK
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=Aoint
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

If anyone could help me see where I have tripped up, I would be very grateful.

anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing VLAN through Wireguard

Fri Jan 27, 2023 2:07 pm

A couple of things, wireguard was not available on vers6, so the issue was with a different vpn type.
Second, no need to mangle with wireguard in most instances.

(1) The bridge vlan settings I would modify so they match up more clearly with the bridge port settings, and you have an error as well.

/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=10
add bridge=bridge tagged=ether2,bridge vlan-ids=20


/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2,ether3,wifi1,wifi2 vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether4,wifi3,wifi4 vlan-ids=20

(2) Remove the BRIDGE as an interface list member, the vlans are what are used.

(3) Change wg address to
add address=172.27.97.181/24 interface=wireguard1 network=172.27.97.0

(4) /ip neighbor discovery-settings
set discover-interface-list=admin SEE #6c

(5) What is the purpose of this rule? It is only required if the router is acting as a server for the initial handshake. I thought it was a client going to a third party server???
/ip firewall filter
add action=accept chain=input comment=Wireguard dst-port=9929 protocol=udp


(6) What is the purpose of having a MGT, and ether5 access for the admin to config the router, but then letting everyone potentially have access to config the router??
Change this.......
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN


TO
(a)
add action=accept chain=input in-interface=MGT
add action=accept chain=input in-interface=ether5
(edit: forgot to add this initially)
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp


(b)
where this is also true......
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=WAN
add interface=ether5 list=LAN
add interface=LANvlan10 list=LAN
add interface=UKvlan20 list=LAN
add interface=MGT list=LAN

add interface=MGT list=admin
add interface=ether5 list=admin


(c)
and since you don't use the VLAN list for anything, change it to admin
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=admin


(7) More clearly stated, the requirement would have been that you want only UKvlan to go out the tunnel.
THUS REMOVE ALL MANGLING, as the rest of the rules are already in place!!

a. you already have the table =UK
b. you already have the IP route
c. you already have the routing rule
/routing rule
add action=lookup disabled=no src-address=192.168.20.0/24 table=UK

note1: if you never wanted the UK subnet to use the local wan if the tunnel was down, then use action=lookup-only-in-table
note2: if your UK subnet still needs access to the other subnets then you will need additional routing rules but not known/communicated.

(8) TO
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=admin

(9) I am assuming you want all VLANS to be able to reach all VLANs at layer 3?
Your firewall rules in the forward chain only block wan to lan, and thats it!
Highly recommend change this
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


TO
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=UKvlan20 out-interface=wireguard1
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"


(10) I note that you added Wireguard to the interface list of WAN.
Therefore you do not require the additional source nat rule for wireguard; it's redundant.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1
Last edited by anav on Fri Jan 27, 2023 8:13 pm, edited 2 times in total.
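Anav's numbered points, pulled together into one RouterOS 7 fragment so they can be applied in order. This is an added example, not code from either poster or from MikroTik: the interface, list and table names (bridge, ether1-ether5, wifi1-wifi4, LANvlan10, UKvlan20, MGT, wireguard1, table UK, list admin) come from the posted export and the reply above; the explicit drop of UKvlan20 towards ether1 and the checks at the end are additions, and the ping's routing-table parameter is assumed to exist in your 7.x build. Apply it from a terminal in Safe Mode (Ctrl-X) over ether5 or MGT, because the input-chain change locks every other interface out of management.

```routeros
# Added example: anav's recommendations as one RouterOS 7 fragment.
# Names come from the posted export; the UKvlan20->ether1 drop and the
# checks at the end are additions. Run from Safe Mode on ether5 or MGT.

# (2)(6b)(6c) management interface list; the bridge itself leaves the LAN list
/interface list
add name=admin
/interface list member
remove [find interface=bridge]
add interface=MGT list=admin
add interface=ether5 list=admin

# (1) bridge VLAN table that matches the pvid on every access port
/interface bridge vlan
remove [find dynamic=no]
add bridge=bridge tagged=bridge untagged=ether2,ether3,wifi1,wifi2 vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether4,wifi3,wifi4 vlan-ids=20

# (3) tunnel address with a real prefix
/ip address
set [find interface=wireguard1] address=172.27.97.181/24 network=172.27.97.0

# (4)(8) only the admin list may discover or MAC-connect to the router
/ip neighbor discovery-settings
set discover-interface-list=admin
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=admin

# (5)(6a) input chain: drop the server-side UDP/9929 accept (this router is
# the client) and replace "accept everything from LAN" with admin + DNS only.
# New rules are appended, which keeps them after the defconf accepts/drops.
/ip firewall filter
remove [find chain=input comment="Wireguard"]
remove [find chain=input comment="defconf: drop all not coming from LAN"]
add chain=input action=accept in-interface-list=admin comment="admin: router access"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="LAN: DNS"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 comment="LAN: DNS"
add chain=input action=drop comment="input: drop all else"

# (9) forward chain: explicit allow list, then drop.
# The UKvlan20->ether1 drop is an addition: even if a route ever appears in
# the main table for that subnet, it cannot leave via the local WAN.
remove [find chain=forward comment="defconf: drop all from WAN not DSTNATed"]
add chain=forward action=accept in-interface=UKvlan20 out-interface=wireguard1 comment="UK VLAN -> tunnel"
add chain=forward action=drop in-interface=UKvlan20 out-interface=ether1 comment="UK VLAN never via local WAN"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="LAN -> internet"
add chain=forward action=accept connection-nat-state=dstnat comment="port forwarding"
add chain=forward action=drop comment="forward: drop all else"

# (7)(10) no mangle and no second masquerade; the UK table plus the routing
# rule already steer 192.168.20.0/24 into the tunnel.
/ip firewall mangle
remove [find new-routing-mark=UK]
/ip firewall nat
remove [find out-interface=wireguard1]
# note1: lookup-only-in-table means no fallback to the main table (and the
# local WAN) when the tunnel route is down.
/routing rule
set [find table=UK] action=lookup-only-in-table

# checks: last-handshake must keep refreshing and rx/tx must grow while a
# UK VLAN client browses; the UK table must hold only the wireguard1 route;
# the forward-chain counters show which accept/drop is actually matching.
/interface wireguard peers print detail
/routing rule print
/ip route print where routing-table=UK
/ip firewall filter print stats where chain=forward
# assumed: /ping accepts routing-table in this 7.x build
/ping 1.1.1.1 routing-table=UK count=3
```

The ordering of the forward rules is the point to keep in mind: the drop towards ether1 sits before the generic LAN to WAN accept, and wireguard1 is itself a WAN-list member, so the specific UKvlan20 accept above it documents the intended path without being strictly necessary.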
wirelessadweb
just joined
Topic Author
Posts: 14
Joined: Sat Dec 22, 2012 8:16 am

Re: Routing VLAN through Wireguard

Fri Jan 27, 2023 7:22 pm

Perfect thank you. Applied the detail and it works thank you - and increased my understanding. Very much appreciated.
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing VLAN through Wireguard

Fri Jan 27, 2023 8:14 pm

I forgot to add ether5 as able to access the config on the input chain; I've added it in above.
If your understanding was increased, hopefully you picked the omission up on your own LOL.
wirelessadweb
just joined
Topic Author
Posts: 14
Joined: Sat Dec 22, 2012 8:16 am

Re: Routing VLAN through Wireguard

Fri Jan 27, 2023 9:36 pm

Have not tidied up yet; the Wireguard provider I am using has a few issues with their UK servers, some web sites unavailable. I will get on it, thanks again.
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing VLAN through Wireguard

Fri Jan 27, 2023 9:56 pm

(1) If the issues are DNS related, then I suggest the following:
add address=192.168.20.0/24 dns-server=46.227.67.134 gateway=192.168.20.1

In other words, drop the other one you had (192.something), assuming this is the DNS server that the wireguard provider gave you???

(2) If it's MTU related, first try this:
a. If they specify MTU settings then ensure the MT wireguard MTU settings match. OKAY I SEE YOU HAVE MTU set to 1400??
I am assuming this is what the provider said to use???

b. Try changing mikrotik settings to 1420 and again at 1500 and see if it makes a difference.

c. If that doesn't work using an MTU of 1400/1420/1500, see if any of those three settings work with the following:
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn


d. If that doesn't work, try with an MTU of 1400/1420 and then 1500 in the MT wireguard settings together with:
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=1400 out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn


.......... GLUCK