I'm using an RB1100Dx4 and want to have VLAN network segmentation as it discribed on:
switch with a separate router configuration example : viewtopic.php?p=781603&sid=9288a9c66f40 ... 45#p706997
All is working great as VLAN or as WG router . What I want to do, is to have VPN WireGuard connected to VLAN.
I have added following command , and it's not working as expected and I could not get it as concept how to use WireGuard + VLAN .
Please, help me to marry them
I have attached adopted version of example router, where ISP pppoe conneced over VLAN10 as requested from ISP
and WIreGuard WG configured on 10.1.8.0/24.
How to make WG configured on all VLAN's or any taken one like BLUE/GREEN?
Code: Select all
#######################################
# Naming
#######################################
# name the device being configured
/system identity set name="Router"
#######################################
# VLAN Overview
#######################################
# 20 = BLUE
# 30 = GREEN
# 40 = RED
# 99 = BASE (MGMT) VLAN
#######################################
# Bridge
#######################################
# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no
# WireGuard
/interface wireguard
add listen-port=13231 mtu=1420 name=WG
#######################################
#
# -- Trunk Ports --
#
#######################################
# ingress behavior
/interface bridge port
# Purple Trunk. Leave pvid set to default of 1
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether4
add bridge=BR1 interface=ether5
# egress behavior
/interface bridge vlan
# Purple Trunk. These need IP Services (L3), so add Bridge as member
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=20
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=30
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=40
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=99
#######################################
# IP Addressing & Routing
#######################################
# LAN facing router's IP address on the BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.1/24 interface=BASE_VLAN
# DNS server, set to cache for LAN
/ip dns set allow-remote-requests=yes servers="9.9.9.9"
# Yellow WAN facing port with IP Address provided by ISP
/interface vlan add interface=ether1 name=vlan10 vlan-id=10
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan10 name=pppoe-out1 \
use-peer-dns=yes user=******
#######################################
# IP Services
#######################################
# Blue VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=BLUE_VLAN vlan-id=20
/ip address add interface=BLUE_VLAN address=10.1.1.1/24
/ip pool add name=BLUE_POOL ranges=10.1.1.2-10.1.1.254
/ip dhcp-server add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP disabled=no
/ip dhcp-server network add address=10.1.1.0/24 dns-server=192.168.0.1 gateway=10.1.1.1
# Green VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=GREEN_VLAN vlan-id=30
/ip address add interface=GREEN_VLAN address=10.1.2.1/24
/ip pool add name=GREEN_POOL ranges=10.1.2.2-10.1.2.254
/ip dhcp-server add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP disabled=no
/ip dhcp-server network add address=10.1.2.0/24 dns-server=192.168.0.1 gateway=10.1.2.1
# Red VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=RED_VLAN vlan-id=40
/ip address add interface=RED_VLAN address=10.1.3.1/24
/ip pool add name=RED_POOL ranges=10.1.3.2-10.1.3.254
/ip dhcp-server add address-pool=RED_POOL interface=RED_VLAN name=RED_DHCP disabled=no
/ip dhcp-server network add address=10.1.3.0/24 dns-server=192.168.0.1 gateway=10.1.3.1
#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################
# Use MikroTik's "list" feature for easy rule matchmaking.
/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=BASE
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=RED_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
# WireGuard
/interface wireguard peers
add allowed-address=10.1.8.3/32 interface=WG \
persistent-keepalive=25s public-key=\
"**********"
# VLAN aware firewall. Order is important.
/ip firewall filter
##################
# INPUT CHAIN
##################
# WireGuard icmp , udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" \
src-address=10.1.8.0/24
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"
# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"
# Allow BASE_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface=BASE_VLAN comment="Allow Base_Vlan Full Access"
add chain=input action=drop comment="Drop"
##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"
# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"
add chain=forward action=drop comment="Drop"
##################
# NAT
##################
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"
# Nat for WireGuard address
add action=masquerade chain=srcnat src-address=10.1.1.0/24
add action=masquerade chain=srcnat src-address=10.1.8.0/24
#######################################
# VLAN Security
#######################################
# Only allow packets with tags over the Trunk Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether5]
#######################################
# MAC Server settings
#######################################
# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE
#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes
Obviously I have to use firewall rules for VLAN10 as WAN.
If VLAN10 used as interface it's working as well , just not sure if it's best practice:
Code: Select all
/interface list member
add interface=VLAN10 list=WAN
Code: Select all
##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"
# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"
add chain=forward action=drop comment="Drop" ## <-- WareGuard can't pass this action