howdey57 (Member Candidate, Topic Author; Posts: 127; Joined: Wed Dec 31, 2014 2:36 pm)

WireGuard Routing - OK for Raspberry Pi HTML but not for Router access

Sat Feb 25, 2023 11:06 am

I have been staring at this problem for many days and am stuck, and would like some help if possible, please.

I have a WireGuard VPN connecting successfully between London (RB4011) and France (hAP ac²), both on v7.7. The config hasn't changed since I went to v7.7.

I can:
  • Get to an RPi on 192.168.65.5 serving HTML, and by SSH, in France from a machine (e.g. 192.168.64.15) on the London network
  • If I connect to the London Router as a Roadwarrior, I can get to a server on 192.168.65.2 and the Router itself on 192.168.65.1
BUT I cannot get from a machine (e.g. 192.168.64.15) on the London network to the server on 192.168.65.2 or to the Router itself on 192.168.65.1.

Is there anything obvious in my configs that is stopping me from doing that?

You may notice that the Allowed IPs in France include 0.0.0.0/0, which I think I need if I want to direct certain French traffic through London using a different Routing table.

Thanks in advance, Charles
(Attachment: Network 02-2023.jpg, network diagram)

London
# feb/25/2023 08:05:07 by RouterOS 7.7
# software id = YCNI-BQ6N
#
# model = RB4011iGS+5HacQ2HnD
# serial number = B8E30B14AB4C
/interface bridge add comment="Bridge for Guests" name=bridge-guest-66
/interface bridge add comment="Bridge for Machines" name=bridge-machine-68
/interface bridge add admin-mac=C4:AD:34:60:79:47 auto-mac=no comment="Bridge Main - defconf" name=bridge-main-64
/interface ethernet set [ find default-name=ether1 ] comment="To Internet 1" name="ether1 Internet" rx-flow-control=auto speed=100Mbps tx-flow-control=auto
/interface ethernet set [ find default-name=ether2 ] advertise=10M-half,10M-full name="ether2"
/interface ethernet set [ find default-name=ether4 ]  name="ether4"
/interface ethernet set [ find default-name=ether6 ] comment="To LondonPi" name="ether6 LondonPi"
/interface ethernet set [ find default-name=ether7 ] auto-negotiation=no 
/interface ethernet set [ find default-name=ether8 ] name="ether8"
/interface ethernet set [ find default-name=ether9 ] auto-negotiation=no comment="To UpUp Router" name="ether9 - UpUp"
/interface ethernet set [ find default-name=ether10 ] comment="To Up Router" name="ether10 - Up"
/interface ethernet set [ find default-name=sfp-sfpplus1 ] disabled=yes

/interface wireguard add comment="Wireguard to Road Warriors" listen-port=13232 mtu=1450 name=WireGuard_RoadWarriors
/interface wireguard add comment="Wireguard to France" listen-port=13231 mtu=1450 name=WireGuard_ToFrance

/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface list add name=2GHz
/interface list add name=5GHz

/ip pool add name=dhcp-pool-home-64 ranges=192.168.64.70-192.168.64.150
/ip pool add name=vpn-pool ranges=192.168.64.201-192.168.64.220
/ip pool add name=dhcp-pool-guest-66 ranges=192.168.66.151-192.168.66.250
/ip pool add name=dhcp-pool-machine-68 ranges=192.168.68.2-192.168.68.254
/ip dhcp-server add address-pool=dhcp-pool-home-64 interface=bridge-main-64 lease-script=LeaseNameAlignment lease-time=1h name=dhcp-home-64
/ip dhcp-server add address-pool=dhcp-pool-guest-66 interface=bridge-guest-66 lease-script=LeaseNameAlignment lease-time=1h name=dhcp-guest-66
/ip dhcp-server add address-pool=dhcp-pool-machine-68 interface=bridge-machine-68 lease-script=LeaseNameAlignment lease-time=1h name=dhcp-machine-68

/routing bgp template set default disabled=no output.network=bgp-networks
/routing ospf instance add disabled=no name=default-v2
/routing ospf area add disabled=yes instance=default-v2 name=backbone-v2

/interface bridge port add bridge=bridge-machine-68 comment=defconf ingress-filtering=no interface="ether2"
/interface bridge port add bridge=bridge-main-64 comment=defconf ingress-filtering=no interface=ether3
/interface bridge port add bridge=bridge-machine-68 comment=defconf ingress-filtering=no interface="ether4"
/interface bridge port add bridge=bridge-main-64 comment=defconf ingress-filtering=no interface=ether5
/interface bridge port add bridge=bridge-main-64 comment=defconf ingress-filtering=no interface="ether6"
/interface bridge port add bridge=bridge-main-64 comment=defconf ingress-filtering=no interface=ether7
/interface bridge port add bridge=bridge-main-64 comment=defconf ingress-filtering=no interface="ether8"
/interface bridge port add bridge=bridge-main-64 comment=defconf ingress-filtering=no interface="ether9 - UpUp"
/interface bridge port add bridge=bridge-main-64 comment=defconf ingress-filtering=no interface="ether10 - Up"
/interface bridge port add bridge=bridge-main-64 comment=defconf disabled=yes ingress-filtering=no interface=sfp-sfpplus1
/interface bridge port add bridge=bridge-main-64 comment=defconf disabled=yes ingress-filtering=no interface=wlan1
/interface bridge port add bridge=bridge-main-64 comment=defconf disabled=yes ingress-filtering=no interface=wlan2

/interface list member add comment=defconf interface=bridge-main-64 list=LAN
/interface list member add comment=defconf interface="ether1 Internet" list=WAN
/interface list member add interface=WireGuard_RoadWarriors list=LAN
/interface list member add interface=WireGuard_ToFrance list=LAN
/interface list member add interface=bridge-guest-66 list=LAN
/interface list member add interface=bridge-machine-68 list=LAN

/interface wireguard peers add allowed-address=192.168.65.0/24,192.168.64.0/24,192.168.1.0/24,10.255.255.0/24 comment="To France" interface=WireGuard_ToFrance public-key="KEY"
/interface wireguard peers add allowed-address=10.200.0.3/32 comment=L13 interface=WireGuard_RoadWarriors public-key="KEY"

set bridge=bridge-main-64 caps-man-addresses=127.0.0.1 discovery-interfaces=bridge-main-64 enabled=yes interfaces=wlan1,wlan2
/ip address add address=192.168.64.1/24 comment=defconf interface=bridge-main-64 network=192.168.64.0
/ip address add address=192.168.66.1/24 interface=bridge-guest-66 network=192.168.66.0
/ip address add address=10.255.255.1/30 interface=WireGuard_ToFrance network=10.255.255.0
/ip address add address=10.200.0.1/24 interface=WireGuard_RoadWarriors network=10.200.0.0
/ip address add address=192.168.68.1/24 interface=bridge-machine-68 network=192.168.68.0
/ip address add address=192.168.65.1/24 disabled=yes interface=WireGuard_ToFrance network=192.168.65.0
/ip cloud set ddns-enabled=yes
/ip dhcp-client add interface="ether1 Internet"
/ip dhcp-server network add address=192.168.64.0/24 comment="Main network" dns-server=192.168.64.10 gateway=192.168.64.1 ntp-server=192.168.64.1
/ip dhcp-server network add address=192.168.66.0/24 comment="Guest Network" dns-server=192.168.64.10 gateway=192.168.66.1
/ip dhcp-server network add address=192.168.68.0/24 comment="Machine Network" dns-server=192.168.64.10 gateway=192.168.68.1
/ip dns set servers=8.8.8.8,8.8.4.4
/ip firewall address-list add address=192.168.68.0/24 list=GuestNetwork
/ip firewall address-list add address=192.168.65.0/24 list=MainNetwork
/ip firewall address-list add address=192.168.64.13 list=Camera
/ip firewall address-list add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=224.0.0.0/4 comment=Multicast list=not_in_internet
/ip firewall address-list add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
/ip firewall address-list add address=10.100.0.0/24 list=MainNetwork
/ip firewall address-list add address=192.168.67.0/24 list=GuestNetwork
/ip firewall address-list add list=MainNetwork
/ip firewall address-list add address=192.168.66.0/24 list=GuestNetwork
/ip firewall address-list add address=10.255.255.0/30 list=MainNetwork
/ip firewall address-list add address=10.200.0.0/24 list=MainNetwork
/ip firewall address-list add address=192.168.64.0/24 list=AllowToRouter
/ip firewall address-list add address=192.168.65.0/24 list=AllowToRouter
/ip firewall address-list add address=10.200.0.0/24 list=AllowToRouter
/ip firewall address-list add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall address-list add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall address-list add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
/ip firewall address-list add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4

/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=forward comment="Access from LAN to DNS Server .10" dst-address=192.168.64.10 in-interface-list=LAN
/ip firewall filter add action=accept chain=forward dst-address=192.168.64.0/24 log=yes src-address=192.168.65.0/24
/ip firewall filter add action=accept chain=forward dst-address=192.168.65.0/24 log=yes src-address=192.168.64.0/24
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix="CH_Track invalid"
/ip firewall filter add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4
/ip firewall filter add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall filter add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
/ip firewall filter add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
/ip firewall filter add action=drop chain=forward comment="Camera Out" log-prefix="Block Camera out:" out-interface-list=WAN src-address-list=Camera
/ip firewall filter add action=add-dst-to-address-list address-list=Catdoor_going_to address-list-timeout=none-static chain=forward comment="Cat Door" log-prefix=Cat src-address-list=CatDoor
/ip firewall filter add action=add-dst-to-address-list address-list=Alarm_going_to address-list-timeout=none-static chain=forward comment=Alarm log-prefix=Alarm src-address-list=Alarm
/ip firewall filter add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface-list=WAN log=yes log-prefix="CH_Track !public" src-address-list=not_in_internet
/ip firewall filter add action=drop chain=forward comment="Stop Machines getting to our stuff" disabled=yes out-interface-list=!WAN src-address=192.168.68.0/24
/ip firewall filter add action=accept chain=input comment="accept input established,related,untracked" connection-state=established,related,untracked log-prefix="accept input established,related,untracked"
/ip firewall filter add action=accept chain=input comment="Accept to Router" src-address-list=AllowToRouter
/ip firewall filter add action=jump chain=input comment="jump to ICMP filters" jump-target=icmp protocol=icmp
/ip firewall filter add action=accept chain=input comment="Accept NTP" dst-port=123 protocol=udp
/ip firewall filter add action=accept chain=input comment="Wireguard to France" dst-port=13231 log-prefix="CH_Track Wireguard" protocol=udp
/ip firewall filter add action=accept chain=input comment="Wireguard Roadwarriors" dst-port=13232 log-prefix="CH_Track Wireguard" protocol=udp
/ip firewall filter add action=add-src-to-address-list address-list=fulltimeGreylist address-list-timeout=none-static chain=input in-interface-list=WAN src-address-list=mygreylist3
/ip firewall filter add action=add-src-to-address-list address-list=mygreylist3 address-list-timeout=4h chain=input in-interface-list=WAN src-address-list=mygreylist2
/ip firewall filter add action=add-src-to-address-list address-list=mygreylist2 address-list-timeout=2h chain=input in-interface-list=WAN src-address-list=mygreylist
/ip firewall filter add action=add-src-to-address-list address-list=maybeBlacklist address-list-timeout=1h30m chain=input in-interface-list=WAN src-address-list=!whitelist
/ip firewall filter add action=drop chain=input comment="Last Rule; Drop Everything" log-prefix="CH_Track Last rule: Input"
/ip firewall filter add action=drop chain=forward comment="Drop everything else that has got through" in-interface-list=WAN log-prefix="CH_Track Last Rule: Forward: Drop"
/ip firewall filter add action=drop chain=output dst-address-list=myblacklist log=yes log-prefix="Drop FW Output"
/ip firewall filter add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
/ip firewall filter add action=drop chain=icmp comment="deny all other types"
/ip firewall filter add action=log chain=forward comment="Log last Accepted:" disabled=yes log-prefix="Last Accepted:"
/ip firewall nat add action=dst-nat chain=dstnat dst-address=!192.168.64.10 dst-port=53 protocol=udp src-address=!192.168.64.10 to-addresses=192.168.64.10
/ip firewall nat add action=dst-nat chain=dstnat dst-address=!192.168.64.10 dst-port=53 protocol=tcp src-address=!192.168.64.10 to-addresses=192.168.64.10
/ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.64.10 dst-port=53 protocol=udp src-address=192.168.64.0/24
/ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.64.10 dst-port=53 protocol=tcp src-address=192.168.64.0/24
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN src-address=0.0.0.0/0
/ip firewall raw add action=drop chain=prerouting log-prefix="Drop Raw" src-address-list=myblacklist
/ip firewall raw add action=drop chain=prerouting dst-address-list=myblacklist log=yes log-prefix="CH_Track Drop PreOut Raw"
/ip firewall raw add action=drop chain=output dst-address-list=myblacklist log=yes log-prefix="CH_Track Drop Output Raw"
/ip ipsec policy set 0 disabled=yes
/ip route add comment=FranceLondon disabled=no distance=1 dst-address=192.168.65.0/24 gateway=WireGuard_ToFrance pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=WireGuard_ToFrance pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
France
# feb/25/2023 09:04:13 by RouterOS 7.7
# software id = KAE3-NN91
#
# model = RBD52G-5HacD2HnD-TC
# serial number = 8D15083D89AA
/interface bridge add admin-mac=CC:2D:E0:EB:1D:7A auto-mac=no comment=defconf name=bridge
/interface bridge add name=guest_bridge

/interface wireguard add comment="Interface in France to London" listen-port=13231 mtu=1450 name=WireGuard_ToUK

/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN

/ip pool add name=default-dhcp ranges=192.168.65.10-192.168.65.254
/ip pool add name=guest_dhcp ranges=192.168.67.10-192.168.67.254
/ip dhcp-server add address-pool=default-dhcp interface=bridge name=defconf
/ip dhcp-server add address-pool=guest_dhcp interface=guest_bridge name=guest_dhcp_67
/routing table add fib name=use-WG

/interface bridge port add bridge=bridge comment=defconf interface=ether2_Powerline
/interface bridge port add bridge=bridge comment=defconf interface=ether3_Twister
/interface bridge port add bridge=bridge comment=defconf interface=ether4_LegoPi
/interface bridge port add bridge=bridge comment=defconf interface=ether5
/interface bridge port add bridge=bridge comment=defconf interface="wlan1 2GHz"
/interface bridge port add bridge=bridge comment=defconf interface="wlan2 5GHz"
/interface bridge port add bridge=guest_bridge ingress-filtering=no interface=guest_67_2ghz
/interface bridge port add bridge=guest_bridge ingress-filtering=no interface=guest_67_5ghz
/interface bridge port add bridge=bridge interface=athome_down
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1_SFR list=WAN
/interface list member add interface=WireGuard_ToUK list=LAN
/interface list member add interface=guest_bridge list=LAN

/interface wireguard peers add allowed-address=0.0.0.0/0 comment="To London" endpoint-address=London endpoint-port=13231 interface=WireGuard_ToUK persistent-keepalive=25s public-key="KEY"

/ip address add address=192.168.65.1/24 comment=defconf interface=bridge network=192.168.65.0
/ip address add address=192.168.67.1/24 interface=guest_bridge network=192.168.67.0
/ip address add address=10.255.255.2/30 interface=WireGuard_ToUK network=10.255.255.0

/ip dhcp-client add add-default-route=no comment=defconf interface=ether1_SFR

/ip dhcp-server network add address=192.168.65.0/24 comment=defconf dns-server=9.9.9.9,149.112.112.112 gateway=192.168.65.1 netmask=24 ntp-server=192.168.1.1
/ip dhcp-server network add address=192.168.67.0/24 dns-server=9.9.9.9,149.112.112.112 gateway=192.168.67.1 ntp-server=192.168.1.1
/ip dns set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,4.4.4.4
/ip firewall address-list add address=192.168.65.12 comment="Back Door" list=Camera
/ip firewall address-list add address=192.168.65.7 comment=R4 list=Camera
/ip firewall address-list add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=224.0.0.0/4 comment=Multicast list=not_in_internet
/ip firewall address-list add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
/ip firewall address-list add address=8.8.8.8 list=CameraAllowed
/ip firewall address-list add address=192.168.1.254 list=whitelist
/ip firewall address-list add address=8.8.4.4 list=CameraAllowed
/ip firewall address-list add address=192.168.65.15 comment=Garden list=Camera
/ip firewall address-list add address=9.9.9.9 list=CameraAllowed
/ip firewall address-list add address=10.200.0.0/24 list=AllowedToRouter
/ip firewall address-list add address=192.168.64.0/24 list=AllowedToRouter
/ip firewall address-list add address=192.168.65.0/26 list=AllowedToRouter
/ip firewall address-list add address=80.6.235.129 list=AllowedToRouter
/ip firewall address-list add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall address-list add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall address-list add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
/ip firewall address-list add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall address-list add address=192.168.1.1 list=whitelist
/ip firewall address-list add address=192.168.65.0/26 comment="IP Range 2-62" list=whitelist
/ip firewall address-list add address=192.168.64.0/24 list=whitelist
/ip firewall address-list add disabled=yes list=whitelist
/ip firewall address-list add address=192.168.65.0/26 list=TrustedIPaddresss
/ip firewall address-list add address=192.168.64.0/24 list=TrustedIPaddresss
/ip firewall address-list add address=80.6.235.129 list=TrustedIPaddresss
/ip firewall address-list add address=10.200.0.0/24 list=TrustedIPaddresss
/ip firewall address-list add address=192.168.1.1 list=TrustedIPaddresss
/ip firewall address-list add address=192.168.67.0/24 list=GuestIP
/ip firewall address-list add address=192.168.65.192/26 list=GuestIP
/ip firewall address-list add address=192.168.65.64/26 disabled=yes list=GuestIP
/ip firewall address-list add address=192.168.65.128/26 list=GuestIP
/ip firewall address-list add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
/ip firewall address-list add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
/ip firewall address-list add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
/ip firewall address-list add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
/ip firewall address-list add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
/ip firewall address-list add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
/ip firewall address-list add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
/ip firewall address-list add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
/ip firewall address-list add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
/ip firewall address-list add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
/ip firewall address-list add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
/ip firewall address-list add address=129.41.46.4 list=Winbox_attempt

/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
/ip firewall filter add action=add-src-to-address-list address-list=Winbox_attempt address-list-timeout=none-static chain=input comment="Winbox attempts " dst-port=8291 log=yes log-prefix="8291 attempt" protocol=tcp src-address-list=!TrustedIPaddresss
/ip firewall filter add action=accept chain=input comment="Accept Winbox" dst-port=8291 log=yes log-prefix="CH_Track: Allow in Winbox" protocol=tcp src-address-list=TrustedIPaddresss
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=forward dst-address=192.168.64.0/24 log=yes src-address=192.168.65.0/24
/ip firewall filter add action=accept chain=forward dst-address=192.168.65.0/24 log=yes src-address=192.168.64.0/24
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="Accept to Router" src-address-list=TrustedIPaddresss
/ip firewall filter add action=accept chain=input comment="Wireguard to London" dst-port=13231 log-prefix="CH_Track Wireguard 13231" protocol=udp
/ip firewall filter add action=log chain=input comment="Track Dodgy SSH" dst-port=22 log-prefix="CH_Track Dodgy SSH" protocol=tcp src-address=!192.168.64.6
/ip firewall filter add action=accept chain=input comment="Accept SSH" dst-port=22 log=yes log-prefix="CH_Track: Allow in SSH" protocol=tcp src-address-list=TrustedIPaddresss
/ip firewall filter add action=add-src-to-address-list address-list=maybeBlacklist address-list-timeout=none-dynamic chain=input comment="defconf: drop all not coming from LAN" src-address-list=!whitelist
/ip firewall filter add action=drop chain=input comment="Last Rule: Drop Everything" log-prefix=Last
/ip firewall filter add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
/ip firewall filter add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
/ip firewall filter add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4
/ip firewall filter add action=drop chain=forward comment="Stop Guests getting to our stuff" out-interface-list=!WAN src-address-list=GuestIP
/ip firewall filter add action=add-dst-to-address-list address-list=CameraGoingTo address-list-timeout=none-static chain=forward comment="Log Cameras going out" dst-address-list=!CameraAllowed log-prefix=Camera: out-interface-list=WAN src-address-list=Camera
/ip firewall filter add action=drop chain=forward comment="Stop Cameras going out" dst-address-list=!CameraAllowed log-prefix=Camera: out-interface-list=WAN src-address-list=Camera
/ip firewall filter add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface-list=WAN src-address-list=not_in_internet
/ip firewall filter add action=log chain=output disabled=yes dst-address=10.200.0.2
/ip firewall filter add action=log chain=output disabled=yes dst-port=13231 protocol=udp
/ip firewall filter add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
/ip firewall filter add action=drop chain=icmp comment="deny all other types"
/ip firewall filter add action=log chain=forward comment="Log last Accepted:" disabled=yes log-prefix="Last Accepted:"
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw add action=drop chain=prerouting comment="For Packets coming from Blacklist" src-address-list=Blacklist
/ip firewall raw add action=drop chain=prerouting comment="For Packets passing through the Router" dst-address-list=Blacklist log-prefix="Raw Pre Drop"
/ip firewall raw add action=drop chain=output comment="For Packets originating from the Router" dst-address-list=Blacklist log=yes log-prefix="Raw Output Drop:"
/ip firewall raw add action=accept chain=prerouting comment="defconf: enable for transparent firewall"
/ip firewall raw add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
/ip firewall raw add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4
/ip firewall raw add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4
/ip firewall raw add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_src_ipv4
/ip firewall raw add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4
/ip firewall raw add action=accept chain=prerouting comment="Charlie: accept everything else from SFR" src-address=192.168.1.0/24
/ip firewall raw add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv4
/ip firewall raw add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" dst-address=192.168.65.0/24 in-interface-list=WAN
/ip firewall raw add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" disabled=yes in-interface-list=LAN src-address=!192.168.65.0/24
/ip firewall raw add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
/ip firewall raw add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp
/ip firewall raw add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp protocol=tcp
/ip firewall raw add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
/ip firewall raw add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
/ip firewall raw add action=drop chain=prerouting comment="defconf: drop the rest"
/ip firewall raw add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
/ip firewall raw add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
/ip firewall raw add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
/ip firewall raw add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
/ip firewall raw add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
/ip firewall raw add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
/ip firewall raw add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
/ip firewall raw add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp
/ip firewall raw add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp
/ip firewall raw add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
/ip firewall raw add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
/ip firewall raw add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
/ip firewall raw add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
/ip firewall raw add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
/ip firewall raw add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=5,10:packet protocol=icmp
/ip firewall raw add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=11:0-255 protocol=icmp
/ip firewall raw add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
/ip ipsec policy set 0 disabled=yes

/ip route add disabled=no distance=1 dst-address=192.168.64.0/24 gateway=WireGuard_ToUK pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no dst-address=10.200.0.0/24 gateway=WireGuard_ToUK routing-table=main suppress-hw-offload=no
/ip route add comment="So certain source IPs go through the WG VPN - look in Routing Rules" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=WireGuard_ToUK pref-src=0.0.0.0 routing-table=use-WG scope=10 suppress-hw-offload=no target-scope=10
/ip route add disabled=no dst-address=1.1.1.1/32 gateway=192.168.1.1 routing-table=main scope=10 suppress-hw-offload=no
/ip route add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=11
/ip route add disabled=no dst-address=1.0.0.1/32 gateway=SFR_SIM routing-table=main scope=10 suppress-hw-offload=no
/ip route add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=SFR_SIM routing-table=main scope=30 suppress-hw-offload=no target-scope=11

/routing rule add action=lookup-only-in-table comment="Pixel 5" disabled=yes src-address=192.168.65.20/32 table=use-WG
/routing rule add action=lookup-only-in-table comment=TV disabled=yes src-address=192.168.65.26/32 table=use-WG
/routing rule add action=lookup-only-in-table comment=T480 disabled=yes src-address=192.168.65.18/32 table=use-WG
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Routing - OK for RaspberryPi HTML but not for Router access

Sat Feb 25, 2023 6:31 pm

Just looking at your diagram I see issues.
The road warrior allowed IPs are wrong!

Allowed IPs or addresses at a peer are to IDENTIFY remote user/devices/subnets
a. that are destination addresses of local users
b. addresses of incoming remote users/devices/subnets
and THUS NOT LOCAL addresses

So you should be able to see right away that the allowed IPs of the road warrior should not be its own Wireguard address!!!
In fact you should ask yourself where the road warrior needs to go, and the destination address answers would be
probably 192.168.64.0/24 and possibly 192.168.65.0/24

Similarly, on the RB4011, the peer settings for the road warrior should simply be its WIREGUARD ADDRESS (what incoming remote address is valid).
Clearly the 192.168.64.0 is local to the RB4011 and thus disqualifies this as a bona fide allowed IP on the RB4011.

I could see where 192.168.1.0 might seem legitimate to you, but remember WG is peer to peer, and 192.168.1.0 describes an address that would be applicable for the peer settings to the HAP2.
 
howdey57

Re: Wireguard Routing - OK for RaspberryPi HTML but not for Router access

Sat Feb 25, 2023 8:32 pm

Thanks Anav.

I have confused us both. I apologise. I checked the Roadwarrior Allowed IPs and realise my diagram was wrong!! I was puzzled by your response because Roadwarrior is the bit that actually works! I've amended the diagram to reflect the config above.

The bit that doesn't work is the HTML/winbox access from 192.168.64.15 to either the router (192.168.65.1) or a server (on 192.168.65.2). When I winbox into 192.168.65.1, I seem to log in successfully but then don't get any data. I can get to a webserver on a Raspberry Pi on 192.168.65.5. It's really strange that I can SSH into the router from the 64.0 network, and ping to it but not get port 80 traffic.

It's almost like there is something wrong with v7.7 but I wonder if you can spot anything wrong with Addresses, Routes or DNS (or something else)?

Charles
Network 02-2023 2.jpg
 
anav

Re: Wireguard Routing - OK for RaspberryPi HTML but not for Router access

Sat Feb 25, 2023 10:18 pm

Looking at the diagrams nothing pops out.
The allowed IPs on the RB4011 for the wireguard IP address for the peer client (the hapac) should be 10.255.255.2, not the subnet.

Other than that you have some weird assed bridge settings and multiple addresses defined on the wireguard that I don't use and don't understand, likely legit, but I on purpose don't put multiple addresses on the same interface as I like to keep things clean and simple.

Also I don't see why you have two wireguard interfaces, you should only need one.

Also I don't see where you let the .64 user explicitly into the tunnel in firewall rules....

Personally, it's too messy to figure out much.
I would get rid of 2/3rds of the crap firewall rules, start from defaults and only add traffic you need.
Also change to one wireguard interface.
 
howdey57

Re: Wireguard Routing - OK for RaspberryPi HTML but not for Router access

Sun Feb 26, 2023 2:56 pm

anav,

I took up your suggestion of redoing my firewall rules - a job I had been meaning to do for a while. I followed your firewall post.

However the same issue remains: when connected via Roadwarrior (on 10.200.0.3), I can get to the French router on 192.168.65.1, but when using a laptop on the London network (192.168.64.15), I cannot reach the French router on 192.168.65.1.

I would be very grateful if you could have a look at the cleaned up configs below. I put in a specific forward (below) but suspect it is wrong.
/ip firewall filter add action=accept chain=forward dst-address=192.168.64.0/24 src-address=192.168.65.0/24

Thank you in advance

Charles

London

/interface wireguard add comment="Wireguard to Road Warriors" listen-port=13232 mtu=1450 name=WireGuard_RoadWarriors
/interface wireguard add comment="Wireguard to France" listen-port=13231 mtu=1450 name=WireGuard_ToFrance

/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface list add name=2GHz
/interface list add name=5GHz

/interface list member add comment=defconf interface=bridge-main-64 list=LAN
/interface list member add comment=defconf interface="ether1 Internet" list=WAN
/interface list member add interface=WireGuard_RoadWarriors list=LAN
/interface list member add interface=WireGuard_ToFrance list=LAN
/interface list member add interface=WireGuard_ToMittens list=LAN
/interface list member add interface=bridge-guest-66 list=LAN
/interface list member add interface=bridge-machine-68 list=LAN

/interface wireguard peers add allowed-address=192.168.65.0/24,10.255.255.2/30,192.168.1.0/24 comment="To France" interface=WireGuard_ToFrance public-key="KEY"
/interface wireguard peers add allowed-address=10.200.0.3/32 comment=L13 interface=WireGuard_RoadWarriors public-key="KEY"
/interface wireguard peers add allowed-address=10.200.0.4/32 comment="T480" interface=WireGuard_RoadWarriors public-key="KEY"

set bridge=bridge-main-64 caps-man-addresses=127.0.0.1 discovery-interfaces=bridge-main-64 enabled=yes interfaces=wlan1,wlan2

/ip address add address=192.168.64.1/24 comment=defconf interface=bridge-main-64 network=192.168.64.0
/ip address add address=192.168.66.1/24 interface=bridge-guest-66 network=192.168.66.0
/ip address add address=10.255.255.1/30 interface=WireGuard_ToFrance network=10.255.255.0
/ip address add address=10.200.0.1/24 interface=WireGuard_RoadWarriors network=10.200.0.0
/ip address add address=192.168.68.1/24 interface=bridge-machine-68 network=192.168.68.0

/ip dhcp-server network add address=192.168.64.0/24 comment="Main network" dns-server=192.168.64.10 gateway=192.168.64.1 netmask=24 ntp-server=192.168.64.1

/ip dns set servers=8.8.8.8,8.8.4.4

/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="Allow LAN DNS&NTP queries-UDP" dst-port=53,123 in-interface-list=LAN protocol=udp
/ip firewall filter add action=accept chain=input comment="Allow LAN DNS&NTP queries-TCP" dst-port=53,123 in-interface-list=LAN protocol=tcp
/ip firewall filter add action=accept chain=input comment="defconf: Allowed to Router (HTML, SSH, Winbox)" dst-port=80,22,8291 in-interface-list=!WAN protocol=tcp src-address-list=AllowToRouter
/ip firewall filter add action=accept chain=input comment="Wireguard from France, M&D and Roadwarriors" dst-port=13231,13232,13233 log-prefix="CH_Track Wireguard" protocol=udp
/ip firewall filter add action=add-src-to-address-list address-list=fulltimeGreylist address-list-timeout=none-static chain=input in-interface-list=WAN src-address-list=mygreylist3
/ip firewall filter add action=add-src-to-address-list address-list=mygreylist3 address-list-timeout=4h chain=input in-interface-list=WAN src-address-list=mygreylist2
/ip firewall filter add action=add-src-to-address-list address-list=mygreylist2 address-list-timeout=2h chain=input in-interface-list=WAN src-address-list=mygreylist
/ip firewall filter add action=add-src-to-address-list address-list=maybeBlacklist address-list-timeout=1h30m chain=input in-interface-list=WAN src-address-list=!whitelist
/ip firewall filter add action=reject chain=input in-interface-list=LAN reject-with=icmp-admin-prohibited
/ip firewall filter add action=drop chain=input comment="defconf: drop all else"

/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="Camera Out" log-prefix="Block Camera out:" out-interface-list=WAN src-address-list=Camera
/ip firewall filter add action=accept chain=forward comment="defconf: allow internet traffic" in-interface-list=LAN out-interface-list=WAN
/ip firewall filter add action=accept chain=forward comment="Access from trusted IPs to LAN" out-interface-list=LAN src-address-list=AllowToRouter
/ip firewall filter add action=accept chain=forward comment="Access from LAN to DNS Server .10" dst-address=192.168.64.10 in-interface-list=LAN
/ip firewall filter add action=reject chain=forward comment="defconf: reject all from LAN that have got this far" in-interface-list=LAN log=yes reject-with=icmp-admin-prohibited
/ip firewall filter add action=drop chain=forward comment="defconf: drop everything else"

/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN

/ip route add comment=FranceLondon disabled=no distance=1 dst-address=192.168.65.0/24 gateway=WireGuard_ToFrance pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=WireGuard_ToFrance pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10

France

/interface wireguard add comment="Interface in France to London" listen-port=13231 mtu=1450 name=WireGuard_ToUK

/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface lte apn set [ find default=yes ] ip-type=ipv4 use-network-apn=no

/interface list member add comment=defconf interface=bridge-main-65 list=LAN
/interface list member add comment=defconf interface=ether1_SFR list=WAN
/interface list member add interface=WireGuard_ToUK list=LAN
/interface list member add interface=bridge-guest-67 list=LAN
/interface list member add interface=SFR_SIM list=WAN

/interface wireguard peers add allowed-address=10.255.255.1/30,192.168.64.0/24,10.200.0.0/24 comment="To London" endpoint-address=London endpoint-port=13231 interface=WireGuard_ToUK persistent-keepalive=25s public-key="KEY"

/ip address add address=192.168.65.1/24 comment=defconf interface=bridge-main-65 network=192.168.65.0
/ip address add address=192.168.67.1/24 interface=bridge-guest-67 network=192.168.67.0
/ip address add address=10.255.255.2/30 interface=WireGuard_ToUK network=10.255.255.0

/ip dhcp-server network add address=192.168.65.0/24 comment=defconf dns-server=9.9.9.9,149.112.112.112 gateway=192.168.65.1 netmask=24 ntp-server=192.168.1.1

/ip dns set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,4.4.4.4

/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="Allow LAN DNS&NTP queries-UDP" dst-port=53,123 in-interface-list=LAN protocol=udp
/ip firewall filter add action=accept chain=input comment="Allow LAN DNS&NTP queries-TCP" dst-port=53,123 in-interface-list=LAN protocol=tcp
/ip firewall filter add action=accept chain=input comment="defconf: Allowed to Router (HTML, SSH, Winbox)" dst-port=80,22,8291 in-interface-list=!WAN protocol=tcp src-address-list=AllowedToRouter
/ip firewall filter add action=reject chain=input comment="defconf: reject all from LAN that have got this far" in-interface-list=LAN log=yes log-prefix=Reject reject-with=icmp-admin-prohibited
/ip firewall filter add action=drop chain=input comment="defconf: drop all else"

/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="Stop Cameras going out" dst-address-list=!CameraAllowed log-prefix=Camera: out-interface-list=WAN src-address-list=Camera
/ip firewall filter add action=accept chain=forward dst-address=192.168.64.0/24 src-address=192.168.65.0/24
/ip firewall filter add action=accept chain=forward comment="defconf: allow internet traffic" in-interface-list=LAN out-interface-list=WAN
/ip firewall filter add action=accept chain=forward comment="Access from trusted IPs to LAN" log=yes log-prefix=ch3 out-interface-list=LAN src-address-list=AllowedToRouter
/ip firewall filter add action=accept chain=forward comment="Access from LAN to DNS Server .10" dst-address=192.168.64.10 in-interface-list=LAN
/ip firewall filter add action=reject chain=forward comment="defconf: reject all from LAN that have got this far" in-interface-list=LAN log=yes log-prefix=Reject reject-with=icmp-admin-prohibited
/ip firewall filter add action=drop chain=forward comment="defconf: drop everything else"

/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN

/ip route add disabled=no distance=1 dst-address=192.168.64.0/24 gateway=WireGuard_ToUK pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=10.200.0.0/24 gateway=WireGuard_ToUK pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add comment="So certain source IPs go through the WG VPN - look in Routing Rules" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=WireGuard_ToUK pref-src=0.0.0.0 routing-table=use-WG scope=10 suppress-hw-offload=no target-scope=10


 
anav

Re: Wireguard Routing - OK for RaspberryPi HTML but not for Router access

Sun Feb 26, 2023 5:13 pm

(Note: NTP is only on the UDP rule of router services; DNS is both UDP and TCP.)

(1) On London, add a firewall rule in the shown position.
/ip firewall filter
...
add action=accept chain=forward comment="defconf: allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward src-address=192.168.64.15/32 dst-address=192.168.65.2/32 out-interface=WireGuard_ToFrance
add action=accept chain=forward comment="defconf: allow internet traffic" in-interface-list=LAN out-interface-list=WAN
...

(2) On the France router, in the position indicated:
/ip firewall filter
..........
action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

action=accept chain=forward in-interface=WireGuard_ToUK src-address=192.168.64.15/32 dst-address=192.168.65.2
action=drop chain=forward comment="Stop Cameras going out" dst-address-list=!CameraAllowed log-prefix=Camera: out-interface-list=WAN src-address-list=Camera

(3) This rule on the France router, or rather ROUTE, makes no sense now, at least during testing.
/ip route add comment="So certain source IPs go through the WG VPN - look in Routing Rules" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=WireGuard_ToUK pref-src=0.0.0.0 routing-table=use-WG scope=10 suppress-hw-offload=no target-scope=10

You changed your allowed IPs from 0.0.0.0/0 to particular LAN connections and of course the standard wireguard address type. Which is all good for now.
Just disable the IP route (plus I saw no routing rule in your config).
 
howdey57

Re: Wireguard Routing - OK for RaspberryPi HTML but not for Router access

Sun Feb 26, 2023 7:15 pm

anav,

No Joy!! I still can't get to 192.168.65.1 from 192.168.64.15. I also attach a snip of the traceroute back.
Screenshot 2023-02-26 170558.jpg
To remind you, the French router is behind another one provided by the ISP. It's not sophisticated and whilst I can port forward, I can't Route.

Any other ideas? In some of your posts, you talk of srcnat. Should the one I have be adequate (it is a Masquerade)?

Your 3rd point about the weird route: that is so I can force the TV in France to go through the UK (Netflix etc). There are some corresponding rules. I've disabled the route for the mo.

Charles
 
anav

Re: Wireguard Routing - OK for RaspberryPi HTML but not for Router access

Sun Feb 26, 2023 8:24 pm

Okay no harm no foul.
The only problem with the ISP in front of the French router would be if you were using the internet of the French router for incoming wireguard users, which is NOT the case. It's French users going out the UK WAN.

So the client is safe, and does not need a publicly accessible WAN IP. You reach out from the MT router, through the ISP router, and establish a connection via wireguard; this is working fine.
Need to ENSURE!!
On the french side on peer settings you have allowed address of 0.0.0.0/0 which covers all possibilities, OR
local subnet IPs on UK side and wireguard IP subnet, as entries for allowed-ip=192.168.64.0/24,10.255.255.0/30

As well!
You have a firewall rule stating allow local subnet 192.168.65.0/24 to enter the tunnel src-address=192.168.65.0/24 out-interface=WireGuard_ToUK
You have a firewall rule stating allow remote subnet 192.168.64.0/24 to exit the tunnel src-address=192.168.64.0/24 in-interface=WireGuard_ToUK dst-address=192.168.65.0/24
You have a firewall rule stating allow remote subnet 192.168.64.0/24 to exit the tunnel src-address=192.168.64.0/24 in-interface=WireGuard_ToUK dst-address=192.168.1.0/24


Plus!!
TWO-purposed IP ROUTE - You have an IP route to let your router know to route through the tunnel for the remote LAN subnet, either because it's a destination address for local subnets, OR because remote subnets will be visiting you and need their RETURN traffic routed appropriately.
add dst-address=192.168.64.0/24 gwy=WireGuard_ToUK routing-table=main

With that all in place it should work from the French Perspective.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

At the UK router, similar thinking.

Allowed-ips=10.255.255.2/32,192.168.65.0/24


Firewall rules.....
src-address=192.168.64.0/24 out-interface=WireGuard_ToFrance { covers going to both subnets and finessed at other end }
src-address=192.168.65.0/24 in-interface=WireGuard_ToFrance dst-address=192.168.64.0/24

IP routes
add dst-address=192.168.65.0/24 gwy=WireGuard_ToFrance routing-table=main
add dst-address=192.168.1.0/24 gwy=WireGuard_ToFrance routing-table=main
 
anav

Re: Wireguard Routing - OK for RaspberryPi HTML but not for Router access

Sun Feb 26, 2023 8:27 pm

Publish your latest for both configs for review.
 
howdey57

Re: Wireguard Routing - OK for RaspberryPi HTML but not for Router access

Sun Feb 26, 2023 10:58 pm

Still not working!! Very Strange. Can't get from 192.168.64.15 to 192.168.65.1

Have I got the AllowedIPs correct, especially the 10.255.255.0/30 - 10.255.255.1/32 - 10.255.255.2/32 ones?

Thanks

Charles

London
ip/firewall/filter/ export terse 
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="Allow LAN DNS&NTP queries-UDP" dst-port=53,123 in-interface-list=LAN protocol=udp
/ip firewall filter add action=accept chain=input comment="Allow LAN DNS queries-TCP" dst-port=53 in-interface-list=LAN protocol=tcp
/ip firewall filter add action=accept chain=input comment="defconf: Allowed to Router (HTML, SSH, Winbox)" dst-port=80,22,8291 in-interface-list=!WAN protocol=tcp src-address-list=AllowToRouter
/ip firewall filter add action=accept chain=input comment="Wireguard from France and Roadwarriors" dst-port=13231,13232 log-prefix="CH_Track Wireguard" protocol=udp
/ip firewall filter add action=add-src-to-address-list address-list=fulltimeGreylist address-list-timeout=none-static chain=input in-interface-list=WAN src-address-list=mygreylist3
/ip firewall filter add action=add-src-to-address-list address-list=mygreylist3 address-list-timeout=4h chain=input in-interface-list=WAN src-address-list=mygreylist2
/ip firewall filter add action=add-src-to-address-list address-list=mygreylist2 address-list-timeout=2h chain=input in-interface-list=WAN src-address-list=mygreylist
/ip firewall filter add action=add-src-to-address-list address-list=maybeBlacklist address-list-timeout=1h30m chain=input in-interface-list=WAN src-address-list=!whitelist
/ip firewall filter add action=reject chain=input comment="defconf: reject all from LAN that have got this far" in-interface-list=LAN reject-with=icmp-admin-prohibited
/ip firewall filter add action=drop chain=input comment="defconf: drop all else"

/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="Stop cameras going out" log-prefix="Block Camera out:" out-interface-list=WAN src-address-list=Camera
/ip firewall filter add action=accept chain=forward comment="defconf: allow internet traffic" in-interface-list=LAN out-interface-list=WAN
/ip firewall filter add action=accept chain=forward comment="Allow 64.0 to France via WG" out-interface=WireGuard_ToFrance src-address=192.168.64.0/24
/ip firewall filter add action=accept chain=forward comment="Allow 64.0 to France via WG" dst-address=192.168.64.0/24 in-interface=WireGuard_ToFrance src-address=192.168.65.0/24
/ip firewall filter add action=accept chain=forward comment="Access from trusted IPs to LAN" out-interface-list=LAN src-address-list=AllowToRouter
/ip firewall filter add action=accept chain=forward comment="Access from LAN to DNS Server .10" dst-address=192.168.64.10 in-interface-list=LAN
/ip firewall filter add action=reject chain=forward comment="defconf: reject all from LAN that have got this far" in-interface-list=LAN log=yes reject-with=icmp-admin-prohibited
/ip firewall filter add action=drop chain=forward comment="defconf: drop everything else"

ip/firewall/nat export terse 
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN

ip/address export terse 
/ip address add address=192.168.64.1/24 comment=defconf interface=bridge-main-64 network=192.168.64.0
/ip address add address=192.168.66.1/24 interface=bridge-guest-66 network=192.168.66.0
/ip address add address=10.255.255.1/30 interface=WireGuard_ToFrance network=10.255.255.0
/ip address add address=10.200.0.1/24 interface=WireGuard_RoadWarriors network=10.200.0.0

ip/route/ export terse 
/ip route add comment=FranceLondon disabled=no distance=1 dst-address=192.168.65.0/24 gateway=WireGuard_ToFrance pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=WireGuard_ToFrance pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10

interface/wireguard/ export terse 
/interface wireguard add comment="Wireguard to Road Warriors" listen-port=13232 mtu=1450 name=WireGuard_RoadWarriors
/interface wireguard add comment="Wireguard to France" listen-port=13231 mtu=1450 name=WireGuard_ToFrance

/interface wireguard peers add allowed-address=192.168.65.0/24,10.255.255.2/32,192.168.1.0/24 comment="To France" interface=WireGuard_ToFrance public-key="key"
/interface wireguard peers add allowed-address=10.200.0.3/32 comment=L13 interface=WireGuard_RoadWarriors public-key="key"

France
ip/firewall/filter/ export terse 
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="Allow LAN DNS&NTP queries-UDP" dst-port=53,123 in-interface-list=LAN protocol=udp
/ip firewall filter add action=accept chain=input comment="Allow LAN DNS&NTP queries-TCP" dst-port=53,123 in-interface-list=LAN protocol=tcp
/ip firewall filter add action=accept chain=input comment="defconf: Allowed to Router (HTML, SSH, Winbox)" dst-port=80,22,8291 in-interface-list=!WAN protocol=tcp src-address-list=AllowedToRouter
/ip firewall filter add action=accept chain=input comment="defconf: Allowed to Router (Winbox) via SFR Router" dst-port=8291 log=yes protocol=tcp src-address-list=AllowedToRouter
/ip firewall filter add action=reject chain=input comment="defconf: reject all from LAN that have got this far" in-interface-list=LAN reject-with=icmp-admin-prohibited
/ip firewall filter add action=drop chain=input comment="defconf: drop all else"

/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="Stop Cameras going out" dst-address-list=!CameraAllowed log-prefix=Camera: out-interface-list=WAN src-address-list=Camera
/ip firewall filter add action=accept chain=forward comment="defconf: allow internet traffic" in-interface-list=LAN out-interface-list=WAN
/ip firewall filter add action=accept chain=forward comment="Allow 65.0 to London via WG" out-interface=WireGuard_ToUK src-address=192.168.65.0/24
/ip firewall filter add action=accept chain=forward comment="Allow 65.0 to London via WG" dst-address=192.168.65.0/24 in-interface=WireGuard_ToUK src-address=192.168.64.0/24
/ip firewall filter add action=accept chain=forward comment="Allow 65.0 to London via WG" dst-address=192.168.1.0/24 in-interface=WireGuard_ToUK src-address=192.168.64.0/24
/ip firewall filter add action=accept chain=forward comment="Access from trusted IPs to LAN" log-prefix=ch3 out-interface-list=LAN src-address-list=AllowedToRouter
/ip firewall filter add action=accept chain=forward comment="Access from LAN to DNS Server .10" dst-address=192.168.64.10 in-interface-list=LAN
/ip firewall filter add action=reject chain=forward comment="defconf: reject all from LAN that have got this far" in-interface-list=LAN log=yes log-prefix=Reject reject-with=icmp-admin-prohibited
/ip firewall filter add action=drop chain=forward comment="defconf: drop everything else"

ip/firewall/nat export terse 
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN

ip/address export terse 
/ip address add address=192.168.65.1/24 comment=defconf interface=bridge-main-65 network=192.168.65.0
/ip address add address=192.168.67.1/24 interface=bridge-guest-67 network=192.168.67.0
/ip address add address=10.255.255.2/30 interface=WireGuard_ToUK network=10.255.255.0

ip/route/ export terse 
/ip route add disabled=no distance=1 dst-address=192.168.64.0/24 gateway=WireGuard_ToUK pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=10.200.0.0/24 gateway=WireGuard_ToUK pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add comment="So certain source IPs go through the WG VPN - look in Routing Rules" disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=WireGuard_ToUK pref-src=0.0.0.0 routing-table=use-WG scope=10 suppress-hw-offload=no target-scope=10

interface/wireguard/ export terse 
/interface wireguard add comment="Interface in France to London" listen-port=13231 mtu=1450 name=WireGuard_ToUK
/interface wireguard peers add allowed-address=10.255.255.1/32,192.168.64.0/24,10.200.0.0/24 comment="To London" endpoint-address=london endpoint-port=13231 interface=WireGuard_ToUK persistent-keepalive=25s public-key="key"


anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Routing - OK for RaspberryPi HTML but not for Router access

Mon Feb 27, 2023 2:50 pm

France CLIENT
interface/wireguard/ export terse
/interface wireguard add comment="Interface in France to London" listen-port=13231 mtu=1450 name=WireGuard_ToUK
/interface wireguard peers add allowed-address=10.255.255.0/30,192.168.64.0/24,10.200.0.0/24 comment="To London" endpoint-address=london endpoint-port=13231 interface=WireGuard_ToUK persistent-keepalive=25s public-key="key"

UK SERVER is correct.

Other than that... I would start looking at the server itself: on the PC, are Windows or added firewalls in the way?

howdey57
Member Candidate
Topic Author
Posts: 127
Joined: Wed Dec 31, 2014 2:36 pm

Re: Wireguard Routing - OK for RaspberryPi HTML but not for Router access

Sat Mar 04, 2023 12:15 pm

anav

I've got it to work.
  • I removed all but one wireguard server and pointed all peers to that.
  • I changed the 10.255.255. addresses to 10.64.0. (just because)
  • I rebooted everything
The only thing I can think of is that v7.7 didn't allow traffic between wireguard servers.

The configs I ended up with are as follows.

Thank you for your help. It is much appreciated.

Charles

London
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="Allow LAN DNS&NTP queries-UDP" dst-port=53,123 in-interface-list=LAN protocol=udp
/ip firewall filter add action=accept chain=input comment="Allow LAN DNS queries-TCP" dst-port=53 in-interface-list=LAN protocol=tcp
/ip firewall filter add action=accept chain=input comment="defconf: Allowed to Router (HTML, SSH, Winbox)" dst-port=80,22,8291 in-interface-list=!WAN protocol=tcp src-address-list=AllowToRouter
/ip firewall filter add action=accept chain=input comment="Wireguard from France, M&D and Roadwarriors" dst-port=13233 log-prefix="CH_Track Wireguard" protocol=udp
/ip firewall filter add action=add-src-to-address-list address-list=fulltimeGreylist address-list-timeout=none-static chain=input in-interface-list=WAN src-address-list=mygreylist3
/ip firewall filter add action=add-src-to-address-list address-list=mygreylist3 address-list-timeout=4h chain=input in-interface-list=WAN src-address-list=mygreylist2
/ip firewall filter add action=add-src-to-address-list address-list=mygreylist2 address-list-timeout=2h chain=input in-interface-list=WAN src-address-list=mygreylist
/ip firewall filter add action=add-src-to-address-list address-list=maybeBlacklist address-list-timeout=1h30m chain=input in-interface-list=WAN src-address-list=!whitelist
/ip firewall filter add action=reject chain=input comment="defconf: reject all from LAN that have got this far" in-interface-list=LAN reject-with=icmp-admin-prohibited
/ip firewall filter add action=drop chain=input comment="defconf: drop all else"
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="Stop cameras going out" log-prefix="Block Camera out:" out-interface-list=WAN src-address-list=Camera
/ip firewall filter add action=accept chain=forward comment="defconf: allow internet traffic" in-interface-list=LAN out-interface-list=WAN
/ip firewall filter add action=accept chain=forward comment="Access from trusted IPs to LAN" out-interface-list=LAN src-address-list=AllowToRouter
/ip firewall filter add action=accept chain=forward comment="Access from LAN to DNS Server .10" dst-address=192.168.64.10 in-interface-list=LAN
/ip firewall filter add action=reject chain=forward comment="defconf: reject all from LAN that have got this far" in-interface-list=LAN log=yes log-prefix="Last reject:" reject-with=icmp-admin-prohibited
/ip firewall filter add action=drop chain=forward comment="defconf: drop everything else"

/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN

/ip address add address=192.168.64.1/24 comment=defconf interface=bridge-main-64 network=192.168.64.0
/ip address add address=192.168.66.1/24 interface=bridge-guest-66 network=192.168.66.0
/ip address add address=10.255.255.1/24 comment=France disabled=yes interface=WireGuard network=10.255.255.0
/ip address add address=10.200.0.1/24 comment=RoadWarriors interface=WireGuard network=10.200.0.0
/ip address add address=10.100.0.1/24 comment=Mittens interface=WireGuard network=10.100.0.0
/ip address add address=192.168.68.1/24 interface=bridge-machine-68 network=192.168.68.0
/ip address add address=10.64.0.1/24 comment=France interface=WireGuard network=10.64.0.0

/ip route add comment=FranceLondon disabled=no distance=1 dst-address=192.168.65.0/24 gateway=10.64.0.2 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add comment=FranceSFRRouter disabled=no distance=1 dst-address=192.168.1.0/24 gateway=10.64.0.2 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10

/interface wireguard add comment="Wireguard General Interface" listen-port=13233 mtu=1420 name=WireGuard

/interface wireguard peers add allowed-address=192.168.65.0/24,192.168.1.0/24,10.64.0.2/32 comment="To France" interface=WireGuard public-key=""
/interface wireguard peers add allowed-address=10.200.0.3/32 comment=L13 interface=WireGuard public-key=""


France
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="Allow LAN DNS&NTP queries-UDP" dst-port=53,123 in-interface-list=LAN protocol=udp
/ip firewall filter add action=accept chain=input comment="Allow LAN DNS queries-TCP" dst-port=53 in-interface-list=LAN protocol=tcp
/ip firewall filter add action=accept chain=input comment="defconf: Allowed to Router (HTML, SSH, Winbox)" dst-port=80,22,8291 in-interface-list=!WAN protocol=tcp src-address-list=AllowedToRouter
/ip firewall filter add action=accept chain=input comment="defconf: Allowed to Router (Winbox) via SFR Router" dst-port=8291 log=yes protocol=tcp src-address-list=AllowedToRouter
/ip firewall filter add action=reject chain=input comment="defconf: reject all from LAN that have got this far" in-interface-list=LAN reject-with=icmp-admin-prohibited
/ip firewall filter add action=drop chain=input comment="defconf: drop all else"
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="Stop Cameras going out" dst-address-list=!CameraAllowed log-prefix=Camera: out-interface-list=WAN src-address-list=Camera
/ip firewall filter add action=accept chain=forward comment="defconf: allow internet traffic" in-interface-list=LAN out-interface-list=WAN
/ip firewall filter add action=accept chain=forward comment="Access from trusted IPs to LAN" log-prefix=ch3 out-interface-list=LAN src-address-list=AllowedToRouter
/ip firewall filter add action=accept chain=forward comment="Access from LAN to DNS Server .10" dst-address=192.168.64.10 in-interface-list=LAN
/ip firewall filter add action=reject chain=forward comment="defconf: reject all from LAN that have got this far" in-interface-list=LAN log=yes log-prefix=Reject reject-with=icmp-admin-prohibited
/ip firewall filter add action=drop chain=forward comment="defconf: drop everything else"

/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN

/ip address add address=192.168.65.1/24 comment=defconf interface=bridge-main-65 network=192.168.65.0
/ip address add address=192.168.67.1/24 interface=bridge-guest-67 network=192.168.67.0
/ip address add address=10.255.255.2/24 disabled=yes interface=WireGuard_ToUK network=10.255.255.0
/ip address add address=10.64.0.2/24 interface=WireGuard_ToUK network=10.64.0.0


/ip route add disabled=no distance=1 dst-address=192.168.64.0/24 gateway=WireGuard_ToUK pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=10.200.0.0/24 gateway=WireGuard_ToUK pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add comment="So certain source IPs go through the WG VPN - look in Routing Rules" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=WireGuard_ToUK pref-src=0.0.0.0 routing-table=use-WG scope=10 suppress-hw-offload=no

/interface wireguard add comment="Interface in France to London" listen-port=13231 mtu=1420 name=WireGuard_ToUK
/interface wireguard peers add allowed-address=0.0.0.0/0 comment="To London" endpoint-address=xx endpoint-port=13233 interface=WireGuard_ToUK persistent-keepalive=25s public-key=""
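As an added example (it is not from this thread and not MikroTik's own code), here is a small Python checker that reads RouterOS `export terse` lines of the kind posted above and verifies the cryptokey-routing constraint that anav's allowed-address correction is about: WireGuard only passes a packet to or from a peer when the inner address falls inside that peer's allowed-address, so a route that points into the tunnel without a matching allowed-address entry fails silently, with no firewall log to show it. The checker also resolves routes whose gateway is a tunnel IP (as in the final London config, `gateway=10.64.0.2`) to the WireGuard interface whose subnet contains it. The sample exports are constructed from the London config in this post; the second copy deliberately omits one allowed-address entry to show a finding. Every name and address used is one already on the page.

```python
"""Cross-check RouterOS WireGuard peer allowed-address against routes that use the tunnel."""
import ipaddress
import shlex

# Constructed sample: trimmed copy of the London export from the thread (keys elided as on the page).
LONDON_OK = """
/ip address add address=10.200.0.1/24 comment=RoadWarriors interface=WireGuard network=10.200.0.0
/ip address add address=10.255.255.1/24 comment=France disabled=yes interface=WireGuard network=10.255.255.0
/ip address add address=10.64.0.1/24 comment=France interface=WireGuard network=10.64.0.0
/ip route add comment=FranceLondon disabled=no dst-address=192.168.65.0/24 gateway=10.64.0.2 routing-table=main
/ip route add comment=FranceSFRRouter disabled=no dst-address=192.168.1.0/24 gateway=10.64.0.2 routing-table=main
/interface wireguard add comment="Wireguard General Interface" listen-port=13233 mtu=1420 name=WireGuard
/interface wireguard peers add allowed-address=192.168.65.0/24,192.168.1.0/24,10.64.0.2/32 comment="To France" interface=WireGuard public-key=""
/interface wireguard peers add allowed-address=10.200.0.3/32 comment=L13 interface=WireGuard public-key=""
"""

# Constructed variant: the 192.168.1.0/24 allowed-address entry is missing, so that route cannot work.
LONDON_MISSING = LONDON_OK.replace("192.168.65.0/24,192.168.1.0/24,10.64.0.2/32", "192.168.65.0/24,10.64.0.2/32")


def parse_export(text):
    """Parse 'export terse' lines into (path, {key: value}) tuples; only 'add' commands are kept."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("/"):
            continue
        tokens = shlex.split(line)  # keeps quoted values such as comment="To France" intact
        if "add" not in tokens:
            continue
        idx = tokens.index("add")
        path = " ".join(tokens[:idx])
        props = {}
        for tok in tokens[idx + 1:]:
            key, _, value = tok.partition("=")
            props[key] = value
        entries.append((path, props))
    return entries


def _enabled(props):
    return props.get("disabled", "no") != "yes"


def check_cryptokey_routing(entries):
    """Return a list of findings; empty means every tunnel route is covered by a peer allowed-address."""
    wg_ifaces = {p["name"] for path, p in entries if path == "/interface wireguard"}
    allowed = {}       # interface -> all allowed-address networks of its enabled peers
    tunnel_nets = {}   # interface -> local tunnel subnets (enabled addresses only)
    for path, p in entries:
        if path == "/interface wireguard peers" and _enabled(p):
            nets = [ipaddress.ip_network(a, strict=False) for a in p["allowed-address"].split(",")]
            allowed.setdefault(p["interface"], []).extend(nets)
        elif path == "/ip address" and _enabled(p) and p["interface"] in wg_ifaces:
            tunnel_nets.setdefault(p["interface"], []).append(ipaddress.ip_interface(p["address"]).network)

    def covered(iface, net):
        return any(net.subnet_of(a) for a in allowed.get(iface, []))

    findings = []
    for path, p in entries:
        if path != "/ip route" or not _enabled(p):
            continue
        dst = ipaddress.ip_network(p["dst-address"], strict=False)
        gw = p["gateway"]
        if gw in wg_ifaces:
            iface = gw
        else:
            try:
                gw_ip = ipaddress.ip_address(gw)
            except ValueError:
                continue  # gateway is neither an interface name nor an IP
            iface = next((i for i, nets in tunnel_nets.items() if any(gw_ip in n for n in nets)), None)
            if iface is None:
                continue  # next hop is not on a WireGuard tunnel subnet; not our concern
            if not covered(iface, ipaddress.ip_network(str(gw_ip))):
                findings.append(f"gateway {gw} on {iface} is not inside any peer allowed-address")
        if not covered(iface, dst):
            findings.append(f"route {dst} via {iface} is not inside any peer allowed-address")
    return findings


if __name__ == "__main__":
    for label, export in (("London (as posted)", LONDON_OK), ("London (entry removed)", LONDON_MISSING)):
        print(label, check_cryptokey_routing(parse_export(export)) or "OK")
```

The same check applies on the far side: a route like France's `dst-address=192.168.64.0/24 gateway=WireGuard_ToUK` needs `192.168.64.0/24` in the London peer's allowed-address on `WireGuard_ToUK`, which the configs above satisfy (the final France peer uses `0.0.0.0/0`, which covers everything, at the cost of the checker no longer being able to tell you anything about that side).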


anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada


Re: Wireguard Routing - OK for RaspberryPi HTML but not for Router access

Sat Mar 04, 2023 8:50 pm

Glad it's working. Always good to simplify.
