 
HighTechLab
just joined
Topic Author
Posts: 5
Joined: Wed Mar 15, 2023 4:42 am
Location: Las Vegas

Network discovery over wireguard

Sun Mar 19, 2023 5:32 am

I'd consider myself a newbie but I should give myself some credit for how far I've come...so I will try to be as detailed as possible however if I'm being an idiot, I can take constructive criticism.

At work, I have a CCR2004-16G-2S+ as our router. We have a static IP and routed /27 CIDR block of IPs (probably not relevant but may be helpful), served by Cox cable (but fiber coming in next month).

I set up 3 subnets: 192.168.2.0/24 for general devices/computers, 192.168.3.0/24 for security cameras and 192.168.4.0/24 for VOIP phones. This is working quite well!

I'm using two identical CRS354-48P-4S+2Q+ switches, one handles the general device/computers network and is essentially in its default configuration less a couple small tweaks. The second CRS has two bridges, and is split in half with the VOIP phones on ports 1-24 and the security cameras on port 25-48. Easy enough so far.

At home, I have a hAP AC3 (which by the way is AWESOME) that gets its WAN connection via Starlink (not so awesome but one of few options). I have the Starlink in bridge mode with the RJ45 adapter. The hAP is successfully operating as a router, passing traffic, firmware updated, all the good stuff. The LAN address range at home is 192.168.33.0/24.

I have wireguard set up between work and home, and I have set a route, DST address=192.168.0.0/19 and gateway=wireguard1, and also added 192.168.0.0/19 to the allowed IP list at home. I can successfully access devices at work from my computer at home no problem.

While I, as the guy that set up the whole system, have no problem referring to things by IP addresses that I have memorized, this is not the case for my partner, who is used to accessing devices via network discovery (network tab in Windows). He wants a better solution and I'm just thinking a bunch of desktop shortcuts, but I figured I'd ask a question here first -

Please help me understand, is the reason that none of the devices at either end of the wireguard tunnel show up via network discovery because network discovery only works for devices on the same subnet? I'm going to base the next paragraph on this assumption.

Again, learning here, and NAT is an area I struggle grasping. I was thinking, for the most important devices, could I set a NAT rule at home so that the devices on the other end of the tunnel appear as being on the same subnet to the computer at home? I have no idea if this is possible or how to go about it. I am assuming this is needed because wireguard documentation is explicit that you can't have the same network address on both ends of the tunnel...but is there a better way?

Look forward to any feedback and chance to learn!

Dexter
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Network discovery over wireguard

Sun Mar 19, 2023 9:35 am

Please help me understand, is the reason that none of the devices at either end of the wireguard tunnel show up via network discovery because network discovery only works for devices on the same subnet? I'm going to base the next paragraph on this assumption.

Depending on its implementation of this "discovery", very likely that is the root cause.
And "Wireguard" is a routed solution; any broadcast/mDNS multicast will not travel down to clients/peers, as far as I understood, since you have multiple IP networks glued together.
Even further, mDNS would not even travel between your "camera" VLAN and other VLANs locally in the office (it does not travel outside a given network).

This whole NAT thing will not work for e.g. mDNS (very often used for discovery).

I can't imagine in this small setup you have that many devices, so I think some links/pointers/shortcuts on the PC of the partner is not a bad idea...
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Network discovery over wireguard

Sun Mar 19, 2023 10:31 am

Or an EOIP layer over wireguard.
Even ROMON works then.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Network discovery over wireguard

Sun Mar 19, 2023 11:34 am

Or an EOIP layer over wireguard.
Even ROMON works then.
Yes, but EoIP tunneling is bridging, right? So this means the user must "extend" his office LAN down to the home. What about the different VLANs in the office?
Let's say an IPCAM VLAN in the office and an IOT/MEDIA VLAN in the office, both containing mDNS-shouting stuff that you want to see at home.
How do you reconcile that back at the home location where you have a PC with a certain IP in a certain network space?
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Network discovery over wireguard

Sun Mar 19, 2023 11:42 am

Don't know.
I only used that eoip tunnel once with a setup over wireguard in France. It worked for what I needed.
Nobody was shouting there :lol:

I do agree with your previous statement though that it might be easier for such a small environment to setup dedicated links to the required ip addresses.
 
UpRunTech
Member Candidate
Posts: 209
Joined: Fri Jul 27, 2012 12:11 pm

Re: Network discovery over wireguard

Sun Mar 19, 2023 12:00 pm

You can do it, I have Wireguard set up between my house and another house with mDNS and SSDP working between them too. The IP traffic flows between the subnets normally as routed traffic over the Wireguard link but uses EoIP over the link as well with bridge filtering.

EoIP with bridge filters are added here so *only* SSDP (good for things like UPnP/DLNA discovery for multimedia systems) and mDNS (many things including printer discovery/AirPrint, AirPlay, Chromecast etc) get through, and all other layer 2 traffic from each subnet is blocked - you don't want DHCP leaking across to the other subnet.

You need to do this filtering on each end once you get EoIP working over the Wireguard link. You don't need to turn on IPSEC for EoIP as it'd be redundant in this case. You'll have to do some homework to figure out what filter options to add for other broadcast based discovery mechanisms.
/interface bridge filter
add action=accept chain=forward dst-address=224.0.0.251/32 dst-mac-address=\
    01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF dst-port=5353 ip-protocol=udp \
    mac-protocol=ip out-interface=EoIP src-port=5353 comment=mDNS
add action=accept chain=forward comment=SSDP dst-address=239.255.255.250/32 \
    dst-mac-address=01:00:5E:7F:FF:FA/FF:FF:FF:FF:FF:FF dst-port=1900 \
    ip-protocol=udp mac-protocol=ip out-interface=EoIP  
add action=drop chain=output out-interface=EoIP
add action=drop chain=forward out-interface=EoIP

Also see my original post which extends this bridge filtering idea to allow mDNS relaying between VLANs without a user space reflector program like Avahi.

viewtopic.php?p=985190&hilit=mdns#p985190
Last edited by UpRunTech on Sun Mar 19, 2023 12:53 pm, edited 2 times in total.
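As an added illustration (my own example, not code from UpRunTech's post and not RouterOS source), the following models the four bridge filter rules quoted above and runs them over a handful of constructed frames, so you can see which discovery traffic gets onto the EoIP interface and what the catch-all drop stops (DHCP, ordinary unicast, ARP). Rule option names mirror the RouterOS options; first-match evaluation and "accept" as the default for frames matching no rule are my assumptions about the bridge filter, and the sample frames and MAC addresses are constructed.

```python
"""Model of the bridge filter rules from the post above (added example).
Assumptions: rules are tried top to bottom, first match decides, and a frame
matching no rule is accepted.  All frames below are constructed."""
import ipaddress
from typing import Optional


def ipv4_multicast_mac(ip: str) -> str:
    """RFC 1112 mapping: 01:00:5E followed by the low 23 bits of the group address.
    This is how the dst-mac-address values in the rules above are derived."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5E:%02X:%02X:%02X" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def mac_matches(value: str, spec: str) -> bool:
    """Match a MAC against RouterOS-style 'MAC/MASK' (mask defaults to all ones)."""
    mac, _, mask = spec.partition("/")
    to_int = lambda s: int(s.replace(":", ""), 16)
    k = to_int(mask) if mask else 0xFFFFFFFFFFFF
    return (to_int(value) & k) == (to_int(mac) & k)


# One matcher per rule option; a field the frame lacks never matches.
MATCHERS = {
    "chain":           lambda f, s: f.get("chain") == s,
    "out-interface":   lambda f, s: f.get("out_interface") == s,
    "mac-protocol":    lambda f, s: f.get("mac_protocol") == s,
    "dst-mac-address": lambda f, s: "dst_mac" in f and mac_matches(f["dst_mac"], s),
    "dst-address":     lambda f, s: f.get("dst_ip") is not None
                       and ipaddress.ip_address(f["dst_ip"]) in ipaddress.ip_network(s, strict=False),
    "ip-protocol":     lambda f, s: f.get("ip_protocol") == s,
    "src-port":        lambda f, s: f.get("src_port") == int(s),
    "dst-port":        lambda f, s: f.get("dst_port") == int(s),
}

# Transcription of the four rules from the post above.
RULES = [
    {"action": "accept", "chain": "forward", "dst-address": "224.0.0.251/32",
     "dst-mac-address": "01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF", "dst-port": "5353",
     "ip-protocol": "udp", "mac-protocol": "ip", "out-interface": "EoIP", "src-port": "5353"},
    {"action": "accept", "chain": "forward", "dst-address": "239.255.255.250/32",
     "dst-mac-address": "01:00:5E:7F:FF:FA/FF:FF:FF:FF:FF:FF", "dst-port": "1900",
     "ip-protocol": "udp", "mac-protocol": "ip", "out-interface": "EoIP"},
    {"action": "drop", "chain": "output", "out-interface": "EoIP"},
    {"action": "drop", "chain": "forward", "out-interface": "EoIP"},
]


def evaluate(frame: dict, rules: list = RULES) -> str:
    """First matching rule decides; a frame matching nothing is accepted (assumed default)."""
    for rule in rules:
        if all(MATCHERS[opt](frame, val) for opt, val in rule.items() if opt != "action"):
            return rule["action"]
    return "accept"


def udp_frame(dst_ip: str, src_port: int, dst_port: int, dst_mac: Optional[str] = None) -> dict:
    """Constructed IPv4/UDP frame heading from the local bridge out to the EoIP port."""
    if dst_mac is None:
        dst_mac = ipv4_multicast_mac(dst_ip)
    return {"chain": "forward", "out_interface": "EoIP", "mac_protocol": "ip",
            "dst_mac": dst_mac, "dst_ip": dst_ip, "ip_protocol": "udp",
            "src_port": src_port, "dst_port": dst_port}


# Constructed sample traffic as it would appear leaving the bridge towards EoIP.
SAMPLE_FRAMES = {
    "mdns_query":        udp_frame("224.0.0.251", 5353, 5353),
    "mdns_legacy_query": udp_frame("224.0.0.251", 41234, 5353),   # RFC 6762 "legacy" source port
    "ssdp_msearch":      udp_frame("239.255.255.250", 49152, 1900),
    "dhcp_discover":     udp_frame("255.255.255.255", 68, 67, "FF:FF:FF:FF:FF:FF"),
    "smb_unicast":       {"chain": "forward", "out_interface": "EoIP", "mac_protocol": "ip",
                          "dst_mac": "02:00:00:00:00:10", "dst_ip": "192.168.2.10",
                          "ip_protocol": "tcp", "src_port": 51000, "dst_port": 445},
    "arp_request":       {"chain": "forward", "out_interface": "EoIP", "mac_protocol": "arp",
                          "dst_mac": "FF:FF:FF:FF:FF:FF"},
}


def decisions(frames: dict = SAMPLE_FRAMES) -> dict:
    """Map each sample frame name to the action the rule set gives it."""
    return {name: evaluate(frame) for name, frame in frames.items()}


if __name__ == "__main__":
    for name, action in decisions().items():
        print(f"{name:18s} -> {action}")
```

Two things worth noticing when you run it: the final drop rule is what keeps DHCP, unicast and ARP off the tunnel, so the two accept rules only ever open the multicast groups they name; and because the mDNS accept rule also requires src-port=5353, a one-shot query sent from an ephemeral source port (the "legacy unicast" form in RFC 6762) is dropped by this rule set, which is the kind of case to check with torch if some client discovers nothing.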
 
bpwl
Forum Guru
Posts: 2984
Joined: Mon Apr 08, 2019 1:16 am

Re: Network discovery over wireguard

Sun Mar 19, 2023 12:15 pm

network discovery because network discovery only works for devices on the same subnet?
Network discovery is mostly based on broadcast/multicast. And those packets are not routed from one network to another over the router.
That the subnets are different has to do with a routing requirement.
(If the destination is in the same subnet as the sender, the sender will not even use the gateway/router, but go directly to the destination, getting the MAC address via ARP.)
So there is one poor man's router option: using proxy-arp, so the router will react with its own router MAC address on the ARP request for an IP address on the other end of the route.

Multicast/broadcast discoveries have their own solutions to pass over routers (L3 connections):
NBT: NetBIOS over TCP, an MS Windows implementation. Used for SMB shared drives, name registration via broadcast, with master browser elections via broadcasts. Needs a WINS server (Windows name server) for a routed network. The NetBIOS client must be set to use WINS, or is set as hybrid NBT.
mDNS: multicast DNS, for small networks. As multicasts are not routed, again a server is needed (mDNS reflector, AVAHI (https://www.avahi.org/), Bonjour server, or other mDNS reflector).
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Network discovery over wireguard

Sun Mar 19, 2023 3:19 pm

Good thread! ZEROTIER is the clear answer both being arm devices.

@OP, to be clear, the person requiring access to devices at work lives at home, so it's a HOME TO WORK flow?

@ UpRunTech, were the subnets you connected via EOIP different? My understanding is that spanning has to be to the same subnet??
or DISCOVERY needs to be in the same L2 segment. Therefore I don't think it's normally possible........
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Network discovery over wireguard

Sun Mar 19, 2023 3:46 pm

I've done it with 2 different subnets in the past.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Network discovery over wireguard

Sun Mar 19, 2023 4:12 pm

I don't believe it's possible, or more accurately I don't think it's stable if you do........... Even in the same subnet it's very tricky to get right.
 
Amm0
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Network discovery over wireguard

Sun Mar 19, 2023 4:48 pm

This does scream like a ZeroTier problem & is actually solvable on RouterOS since all devices mentioned are ARM. Wireguard does not do multicast, which is what's needed for most "discovery" protocols; that is what you're up against here.

You can create a ZT network for the LAN you want remote access to; wireguard would not be involved in this. Or you can add multiple ZT networks, one for each VLAN, if you want multiple broadcast scopes remotely. ZT does support multicast, and while you have a static IP at one end, ZeroTier doesn't actually require this – both sides can be CGNAT or whatever. Being able to turn the ZT networks on/off to control what's discoverable remotely is helpful, since you may not always want to see those devices. And proxying discovery (or if you manage multiple sites/customers) can result in too many results sometimes (and is complex no matter how you do it).

If it was mDNS, you'd be able to put the cameras/devices into a real DNS server/domain, which mDNS will use – but you'd need an external DNS server since Mikrotik DNS doesn't support the DNS PTR records needed for DNS-SD. And most cameras likely use SSDP (part of the PnP specs) for discovery, not mDNS (or its unicast cousin DNS-SD, both part of the IETF RFC specs), so even converting mDNS into unicast DNS wouldn't help if using SSDP. And, importantly, no proxying would help with Wireguard alone – WG does not pass multicast packets, whether from the LAN or proxied.

If the need is only between the CCR and another Mikrotik, using an EoIP (or theoretically VXLAN*) tunnel might work here too. But that's more useful when you really do want the whole network bridged to another location. And the EoIP tunnel can use WG as its transport. It's not hard to set up, however: you just use the remote Wireguard address as the remote tunnel address, and put the EoIP in the right bridge/pvid on BOTH sides. The only side-effect is that the MTU is reduced. I get that the need may also be from mobile/desktop devices too, thus the ZeroTier approach seems better IMO since there are iPhone/etc clients.

You can also dig into the discovery methods of the devices you're using; typically they have some scheme to do discovery outside of multicast. But this would be a per-application/device exercise – so if it's only one thing, digging into the device's docs may help as they may have a non-multicast discovery method. Thus EoIP or ZeroTier seem like reasonable approaches since they would be device-agnostic.


* I can't say how multicast works over VXLAN – it has some different mechanisms for multicast IPs (which is what's needed for discovery), based on the docs
 
HighTechLab
just joined
Topic Author
Posts: 5
Joined: Wed Mar 15, 2023 4:42 am
Location: Las Vegas

Re: Network discovery over wireguard

Sun Mar 19, 2023 4:52 pm

Lots to take in here, and a lot more help than I thought I'd get so thank you all!

First, I want to clarify a requirement of what we are trying to accomplish before getting into the details - the flow is home to work - we only need the computers at home to see the devices at work, and not vice versa. I don't need my receptionist connecting to my smart TV at home :lol:

To be clear, I don't need the cameras / voip mDNS, just the "computers" network because the cameras / VOIP only need to be directly accessed for setup and I can do that directly via their IP. The NVR sits on both the cameras and the computers network, so access to that is equal to the other devices on the computers network.

mDNS is the key I need to read up on, the gap in my knowledge. I read a brief summary, and the mechanism now makes a lot more sense, and I understand why NAT wouldn't do anything for me.

I also think bpwl is onto something...the main devices my partner is trying to access through the wireguard tunnel are Windows computers and printers...I am already running a Windows Active Directory Domain Controller at work, and I have a server at home the data backs up to. I can make the server at home an additional domain controller and enable its DNS capability, then it should be trivial from there.

I was looking into WINS; Microsoft recommends avoiding and decommissioning WINS servers for DNS now:
If you do not already have WINS deployed on your network, do not deploy WINS - instead, deploy Domain Name System (DNS). DNS also provides computer name registration and resolution services, and includes many additional benefits over WINS, such as integration with Active Directory Domain Services.

If you have already deployed WINS on your network, it is recommended that you deploy DNS and then decommission WINS.
 
Amm0
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Network discovery over wireguard

Sun Mar 19, 2023 5:43 pm

I also think bpwl is onto something...the main devices my partner is trying to access through the wireguard tunnel are Windows computers, and printers...I am already running a windows Active Directory Domain Controller at work, and I have a server at home the data backs up to. I can make the server at home an additional domain controller, and enable its DNS capability, then it should be trivial from there.

If you have already deployed WINS on your network, it is recommended that you deploy DNS and then decommission WINS.
And that's a good approach. If you can get these discoverable things into unicast DNS, that's really the best plan. Your options are limited with RouterOS since its DNS services are limited, but if you have Windows Active Directory, that is totally the place to do this. And it will work with wireguard just fine.

If you want to read up on mDNS (and importantly its unicast variant DNS-SD)... This may be helpful:
http://www.dns-sd.org
(ignore the dated pictures – this all works EXACTLY the same on MacOS Ventura, or anything with Bonjour like Windows)

And the RFC on it is pretty readable: https://www.rfc-editor.org/rfc/rfc6763
 
bpwl
Forum Guru
Posts: 2984
Joined: Mon Apr 08, 2019 1:16 am

Re: Network discovery over wireguard

Sun Mar 19, 2023 6:25 pm

I was looking into WINS; Microsoft recommends avoiding and decommissioning WINS servers for DNS now:
Yes, WINS is old, very old, just as I am, and as is NBT (NetBIOS over TCP). It went with the TCP/UDP ports 137, 138 and 139, and was replaced by connection on TCP 445 after Windows 2000.
It was just an example (NBT should have been disabled long ago). I had to manage multisite setups for 20 years with this. Today DLNA, SSDP, UPnP would be better examples, of which I lack detailed knowledge however.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Network discovery over wireguard

Sun Mar 19, 2023 9:33 pm

With the help of some friends, as I am not worthy or capable.
@HighTechLab This should solve your request!
viewtopic.php?p=990840#p990840
Last edited by anav on Mon Mar 20, 2023 1:44 am, edited 2 times in total.
 
UpRunTech
Member Candidate
Posts: 209
Joined: Fri Jul 27, 2012 12:11 pm

Re: Network discovery over wireguard

Sun Mar 19, 2023 10:25 pm

@ UpRunTech, were the subnets you connected via EOIP different? My understanding is that spanning has to be to the same subnet??
or DISCOVERY needs to be in the same L2 segment. Therefore I don't think it's normally possible........
As for subnets seeing each other's broadcasts, it depends on the protocol.

mDNS does most communication with broadcasts. For example, a client blurts out "who has this kind of service?" and the service device replies with a broadcast "that'd be me". As long as the broadcast can get to the other subnet and the device at the other end, it's like a big shouting match and everyone can hear each other. If a client wants to use a service that's being advertised, it can find the service IP address explicitly written in the contents of the message. I can't say whether all things that use mDNS work that way, but Chromecast, AirPrint and CUPS have worked for me both ways over the link.

SSDP uses broadcasts for initiating client queries to servers. The server replies via unicast routed UDP. VLC, Windows and an LG TV can discover my media server using SSDP and DLNA this way. I think the replying server infers the IP address from the source IP in the packet from the client before it sends its private reply. MythTV proved to be a bit of a pain as it won't respond to any unicast client SSDP UDP connection requests if they aren't a member of any of the subnets MythTV sees on its network interfaces. I had to do some cheeky srcnat/dstnat to get it working.

You can use the bridge filtering of MAC source addresses on the EoIP interface to filter out mDNS traffic from particular servers if you don't want them accessed or known from the other side. If you watch the EoIP interface with torch there is a lot of mDNS traffic especially once you get IOS and MACOS devices on the network.
Last edited by UpRunTech on Mon Mar 20, 2023 9:05 am, edited 2 times in total.
 
optio
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Network discovery over wireguard

Sun Mar 19, 2023 10:55 pm

@UpRunTech can you share how you created the EoIP tunnel over wireguard?
Simple scenario: Smart TV on the LAN, mobile device (iPhone) on wireguard, different subnet; can the mobile device discover the AirPlay service?
 
HighTechLab
just joined
Topic Author
Posts: 5
Joined: Wed Mar 15, 2023 4:42 am
Location: Las Vegas

Re: Network discovery over wireguard

Mon Mar 20, 2023 6:20 am

Many thanks to all who have contributed so far. I've got loads of reading to do and my work cut out for me, but this has been fun and got me on the right track to get a solution of some degree to make this work well.


I will say, my Mikrotik and networking experience so far has been along the lines of "If it's difficult, then someone has made a tool/protocol for an easier way". I'm hooked.
 
Valerio5000
Frequent Visitor
Posts: 92
Joined: Fri Dec 06, 2013 2:38 am

Re: Network discovery over wireguard

Sun Mar 17, 2024 11:19 am

Many thanks to all who have contributed so far. I've got loads of reading to do and my work cut out for me, but this has been fun and got me on the right track to get a solution of some degree to make this work well.


I will say, my Mikrotik and networking experience so far has been along the lines of "If it's difficult, then someone has made a tool/protocol for an easier way". I'm hooked.
Hello, but then in the end did you solve it? If so, could you explain how?
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Network discovery over wireguard

Sun Mar 17, 2024 11:23 am

Set up an EOIP tunnel using the 2 WG end point addresses.
Connect that EOIP tunnel on both ends to bridge.

Done.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Network discovery over wireguard

Sun Mar 17, 2024 3:00 pm

Here is one link to such an approach - viewtopic.php?t=194842

and another.

Discovery Between Two Locations

SOLUTION METHOD: ADD A CONNECTING SUBNET/INTERMEDIARY - EOIP OVER WIREGUARD
a. create wireguard connectivity as per normal and then
b. create the EOIP tunnel within the WG tunnel ( EOIP never concerns itself with local WANIPs at either end )
c. modify configs to use a Third Subnet to "stitch" the two separate subnets.
d. Apply Bridge Filter Rules to limit/allow mDNS traffic.


a. Setup the WG


# MT Device One info
/interface wireguard
add listen-port=15551 mtu=1420 name=wireguard-home
/interface wireguard peers
add allowed-address=192.168.50.2 interface=wireguard-home public-key="---" comment=Router2
add allowed-address=192.168.50.3 interface=wireguard-home public-key="---" comment=remoteAdmin
/ip address
add address=192.168.50.1/24 interface=wireguard-home

# MT Device Two
/interface wireguard
add listen-port=10771 mtu=1420 name=wireguard-client
/interface wireguard peers
add allowed-address=192.168.50.0/24 endpoint-address=mynetnameMTDEVICEONE endpoint-port=15551 \
    interface=wireguard-client public-key="..." persistent-keepalive=35s
/ip address
add address=192.168.50.2/24 interface=wireguard-client

b. Setup EoIP tunnel over wireguard.

R1 - VLANs 5,15,25 are on the bridge; vlan15 is the subnet where the PC resides (on ETHER4-PC) that wants to discover OFFICE devices (windows) at R2
R2 - VLANs 10,20,30 are on the bridge; VLAN 20 is the subnet where Office devices are located, at ETHER3-OFFICE on R2
R1+R2 - common VLAN to create: vlan55

Router ONE,
eoip-to-TWO
remote address= 192.168.50.2
local address= 192.168.50.1
tunnel ID= 321

Router TWO
eoip-to-ONE
remote address= 192.168.50.1
local address= 192.168.50.2
tunnel ID= 321

Router One
/interface bridge port
add bridge=bridge interface=ether4-PC pvid=15
add bridge=bridge interface=eoip-to-TWO pvid=15
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=eoip-to-TWO,ether4-PC vlan-ids=15

Router Two
/interface bridge port
add bridge=bridge interface=ether3-OFFICE pvid=20
add bridge=bridge interface=eoip-to-ONE pvid=20
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=eoip-to-ONE,ether3-OFFICE vlan-ids=20

c. Creating the Intermediary Subnet and adding it to the Bridge as VLAN55
Add: VLAN55 ( as a tagged vlan, so the EOIP interface becomes a hybrid (port) interface )

Router One
/interface vlan
add interface=bridge name=VLAN55 vlan-id=55
/ip address
add address=10.10.55.1/30 interface=VLAN55 network=10.10.55.0

Router Two
/interface vlan
add interface=bridge name=vlan55 vlan-id=55
/ip address
add address=10.10.55.2/30 interface=vlan55 network=10.10.55.0

Router One
/interface bridge port
add bridge=bridge interface=ether4-PC pvid=15
add bridge=bridge interface=eoip-to-TWO pvid=15
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=eoip-to-TWO,ether4-PC vlan-ids=15
add bridge=bridge tagged=bridge,eoip-to-TWO vlan-ids=55

Router Two
/interface bridge port
add bridge=bridge interface=ether3-OFFICE pvid=20
add bridge=bridge interface=eoip-to-ONE pvid=20
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=eoip-to-ONE,ether3-OFFICE vlan-ids=20
add bridge=bridge tagged=bridge,eoip-to-ONE vlan-ids=55

Creating the necessary routing. This is the secret sauce where multicast traffic from the PC (vlan20) gets routed to the R2 vlan55 IP and thus untagged vlan15 traffic is now on the same bridge as VLAN20.

Router One
/ip route
add dst-address=192.168.20.0/24 gateway=10.10.55.2 routing-table=main

Router Two
/ip route
add dst-address=192.168.15.0/24 gateway=10.10.55.1 routing-table=main

d. Apply Bridge filters to allow/restrict mDNS traffic.

R1 - Ensure that return traffic ( originated as multicast out, unicast return ) is permitted back into R1. Needed, otherwise return traffic would not be recognized and thus dropped.
This means that the unicast return traffic will be handled in normal IP filters. For the multicast traffic to be permitted, and to ensure we limit traffic over the EOIP interface, we need to use Bridge Filters. The drop rule is to stop any other traffic, cast or otherwise, such as DHCP discovery (any leakage) from R1 to R2.

/ip firewall filter
add action=accept chain=forward in-interface=VLAN55 src-address=192.168.15.0/24 dst-address=192.168.20.0/24 src-port=5353 protocol=udp
/interface bridge filter
add action=accept chain=forward out-interface=eoip-to-TWO mac-protocol=ip dst-address=224.0.0.251/32 ip-protocol=udp dst-port=5353
add action=drop chain=forward out-interface=eoip-to-TWO mac-protocol=ip

R2 - Ensure that return traffic from R2 ( unicast return ) is permitted out of R2. Since the destination is outside the local subnet, IP firewall filtering will be required. The drop rule is to stop any other traffic, cast or otherwise, such as DHCP discovery (any leakage) from R2 to R1.

/ip firewall filter
add action=accept chain=forward out-interface=vlan55 src-address=192.168.20.0/24 dst-address=192.168.15.0/24 src-port=5353 protocol=udp
/interface bridge filter
add action=drop chain=forward out-interface=eoip-to-ONE mac-protocol=ip
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Network discovery over wireguard

Sun Mar 17, 2024 3:30 pm

I prefer my approach.
Not that many words. :lol:
 
spippan
Member
Posts: 333
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: Network discovery over wireguard

Sun Mar 17, 2024 7:54 pm

I prefer my approach.
Not that many words. :lol:
and it can also be quite dangerous if your STP goes nuts then ...
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Network discovery over wireguard

Sun Mar 17, 2024 8:12 pm

On a serious note, that's quite true.
 
Valerio5000
Frequent Visitor
Posts: 92
Joined: Fri Dec 06, 2013 2:38 am

Re: Network discovery over wireguard

Mon Mar 18, 2024 9:52 pm

Set up an EOIP tunnel using the 2 WG end point addresses.
Connect that EOIP tunnel on both ends to bridge.

Done.
Okay, I've gotten there. But I don't understand how to do it if the two LANs have different subnets.
 
anav
Forum Guru
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Network discovery over wireguard

Tue Mar 19, 2024 12:13 am

If you actually read my post you would see that you need to create a common intermediary VLAN. ( vlan55 ). ;-)
 
Valerio5000
Frequent Visitor
Posts: 92
Joined: Fri Dec 06, 2013 2:38 am

Re: Network discovery over wireguard

Tue Mar 19, 2024 7:02 pm

If you actually read my post you would see that you need to create a common intermediary VLAN. ( vlan55 ). ;-)
HI! Sorry, I actually missed your post. I'm a very basic MK user and my scenario is this:

MY LAN (192.168.0.0/24):
  Synology NAS (192.168.0.6)
  WINDOWS PC (192.168.0.10)
  HP PRINT (192.168.0.7)
  SAMSUNG TV (192.168.0.18)

REMOTE LAN (192.168.88.0/24):
  SAMSUNG TV (192.168.88.5)
  WINDOWS PC (192.168.88.6)
  ANDROID CLIENT (192.168.88.8)

HAP AC2 (ROS 7.14) <-------WIREGUARD---->> RB MAP (ROS 7.14)
If I wanted to keep the different subnets but have the possibility of discovering the opposite devices via Windows network resources, finding my HP Print, having the possibility from the Android client (192.168.88.8) to mirror the screen to the Samsung TV (192.168.0.18), I need to create an intermediate VLAN (VLAN 55). But I don't fully understand your guide... after having created an EoIP tunnel in wireguard and inserted it into the respective bridges, how should I proceed?

That would be great for me!
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Network discovery over wireguard

Tue Mar 19, 2024 7:05 pm

Unless you post your config, I am unable to comment.
/export file=anynameyouwish ( minus router serial number, public WANIP info, keys, long dhcp lease lists etc.)
 
Amm0
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Network discovery over wireguard

Tue Mar 19, 2024 7:45 pm

I was looking into WINS; Microsoft recommends avoiding and decommissioning WINS servers for DNS now:
Yes, WINS is old, very old, just as I am, and as is NBT (NetBIOS over TCP).
Well, the even older NBF (NetBEUI) came up the other day (viewtopic.php?t=205901). I was left wondering if "NetBIOS discovery" actually works across WG -> EoIP -> LAN+"NetBEUI" - then felt old that I even knew NetBEUI.
 
Valerio5000
Frequent Visitor
Posts: 92
Joined: Fri Dec 06, 2013 2:38 am

Re: Network discovery over wireguard

Wed Mar 20, 2024 12:31 am

Unless you post your config, I am unable to comment.
/export file=anynameyouwish ( minus router serial number, public WANIP info, keys, long dhcp lease lists etc.)


Hello, thank you for the help in the meantime!

Tomorrow I'll send my configuration, but I can already tell you that it's a default configuration with only changes to the subnet (192.168.0.0/24) and wifi name, and for now I would like all devices on both sides to see and detect each other. I still don't quite understand the difference between mDNS and SSDP; I think I need both..
 
Amm0
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Network discovery over wireguard

Wed Mar 20, 2024 12:40 am

I still don't quite understand the difference between mDNS and SSDP; I think I need both..
While not exact: Apple things always use mDNS, Printers also use mDNS, but Google/Security Cams/VoIP more typically use SSDP. TVs generally do both. The reason why it's relevant is that mDNS requires some specific tricks, while if it's only SSDP you might be able to use only an IGMP Proxy.

"Network discovery" is pretty broad... so SSDP/mDNS aren't the only approaches apps/protocols use — so exactly what devices need to be discovered is an important detail here too.
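To make the mDNS/SSDP distinction drawn in this post (and in UpRunTech's earlier description of multicast mDNS answers versus unicast SSDP answers) concrete, here is an added example of my own, not code from any post in the thread. It builds and parses the two discovery messages, an SSDP M-SEARCH (HTTP-style text over UDP to 239.255.255.250:1900) and an mDNS PTR query (DNS wire format per RFC 6762, to 224.0.0.251:5353), and reports where the answer to each is addressed. The querier address, service names and the sample SSDP reply are constructed for the example; the name decoder handles only uncompressed names, which is all a single-question query needs.

```python
"""SSDP and mDNS discovery messages side by side (added example).
All addresses, service names and the sample SSDP reply are constructed."""
import struct
from typing import Tuple

SSDP_GROUP = ("239.255.255.250", 1900)
MDNS_GROUP = ("224.0.0.251", 5353)


def build_ssdp_msearch(search_target: str = "ssdp:all", mx: int = 2) -> bytes:
    """M-SEARCH as a client sends it to the SSDP multicast group."""
    lines = ["M-SEARCH * HTTP/1.1", f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}",
             'MAN: "ssdp:discover"', f"MX: {mx}", f"ST: {search_target}", "", ""]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp(datagram: bytes) -> dict:
    """Start line plus upper-cased headers of an SSDP request or response."""
    head = datagram.decode("ascii", "replace").split("\r\n\r\n", 1)[0]
    start, *headers = head.split("\r\n")
    parsed = {"start_line": start}
    for line in headers:
        key, _, value = line.partition(":")
        parsed[key.strip().upper()] = value.strip()
    return parsed


# Constructed unicast reply a DLNA media server might send back to the querier;
# the server's own address travels inside the payload (LOCATION), not just in the IP header.
SAMPLE_SSDP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.2.40:8200/rootDesc.xml\r\n"
    b"ST: urn:schemas-upnp-org:device:MediaServer:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001"
    b"::urn:schemas-upnp-org:device:MediaServer:1\r\n"
    b"EXT:\r\n\r\n"
)


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def decode_name(pkt: bytes, off: int) -> Tuple[str, int]:
    """Decode an uncompressed DNS name starting at off; returns (name, next offset)."""
    labels = []
    while pkt[off] != 0:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1


def build_mdns_ptr_query(service: str = "_ipp._tcp.local", unicast_response: bool = False) -> bytes:
    """One-question mDNS query; the QU bit (top bit of QCLASS) requests a unicast answer."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)          # id 0, flags 0, qdcount 1
    qclass = 0x0001 | (0x8000 if unicast_response else 0)      # class IN, optionally QU
    return header + encode_name(service) + struct.pack("!HH", 12, qclass)  # QTYPE 12 = PTR


def parse_mdns_query(pkt: bytes) -> dict:
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"id": txid, "is_response": bool(flags & 0x8000), "qdcount": qdcount,
            "qname": qname, "qtype": qtype, "unicast_response": bool(qclass & 0x8000)}


def reply_destination(protocol: str, query: dict, querier: Tuple[str, int]) -> Tuple[str, int]:
    """Where a responder addresses its answer; querier is the query's source IP/port."""
    if protocol == "ssdp":
        return querier                  # SSDP: unicast back to the M-SEARCH source
    if query.get("unicast_response"):
        return querier                  # mDNS QU query: unicast to the querier
    return MDNS_GROUP                   # ordinary mDNS: multicast, so every host hears it


if __name__ == "__main__":
    q = parse_mdns_query(build_mdns_ptr_query("_airplay._tcp.local"))
    print("mDNS answer goes to", reply_destination("mdns", q, ("192.168.33.20", 5353)))
    r = parse_ssdp(SAMPLE_SSDP_RESPONSE)
    print("SSDP answer goes to", reply_destination("ssdp", r, ("192.168.33.20", 49152)),
          "and points at", r["LOCATION"])
```

The practical consequence for a routed tunnel is visible in `reply_destination`: an SSDP query only needs the multicast M-SEARCH carried across (the answer is ordinary unicast UDP that WireGuard routes anyway), whereas a normal mDNS answer is itself multicast and needs the same L2 path back, which is why SSDP-only setups can get by with a multicast proxy while mDNS needs the bridged EoIP approach.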
 
Valerio5000
Frequent Visitor
Posts: 92
Joined: Fri Dec 06, 2013 2:38 am

Re: Network discovery over wireguard

Wed Mar 20, 2024 1:06 am

I still don't quite understand the difference between mDNS and SSDP; I think I need both..
While not exact: Apple things always use mDNS, Printers also use mDNS, but Google/Security Cams/VoIP more typically use SSDP. TVs generally do both. The reason why it's relevant is that mDNS requires some specific tricks, while if it's only SSDP you might be able to use only an IGMP Proxy.

"Network discovery" is pretty broad... so SSDP/mDNS aren't the only approaches apps/protocols use — so exactly what devices need to be discovered is an important detail here too.
Hello! Ok, I understand this... is there not the possibility to allow all these discovery protocols? (I would not like to be trivial) Anyway, I'm talking for example about the classic Samba, DLNA, the "transmit to screen" service from Android to TV. Things like that, in short.
 
Amm0
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Network discovery over wireguard

Wed Mar 20, 2024 1:47 am

There isn't some magic setting that makes this easy ;). Config helps to see where you got to here, but it's a lot of steps to enable "discovery over WG"...

The critical step is the bridge filter rules to restrict the bridged EoIP traffic to just multicast stuff like SSDP, mDNS, etc. What you do NOT want to do is join the unicast networks via EoIP — which can happen easily if the bridge filter rules are wrong/missing.

There's a potential slight "shortcut" to the complexity... if it's only SSDP... as you can use the IGMP Proxy or PIM-SM AFAIK. But mDNS cannot work using that approach, however.
 
Valerio5000
Frequent Visitor
Frequent Visitor
Posts: 92
Joined: Fri Dec 06, 2013 2:38 am

Re: Network discovery over wireguard

Sat Mar 23, 2024 12:29 am

Unless you post your config, I am unable to comment.
/export file=anynameyouwish (minus router serial number, public WAN IP info, keys, long DHCP lease lists, etc.)
# 2024-03-17 17:12:10 by RouterOS 7.14
# software id = XXXXX
#
# model = RBD52G-5HacD2HnD
# serial number = XXXXX
/interface bridge
add admin-mac=XXXXX arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge port-cost-mode=short
/interface sstp-server
add comment="VPN - \"RB-Map - Lavoro\"" name=sstp-in1 user=Lavoro
add comment="VPN - \"Valerio\"" name=sstp-in2 user=Valerio
/interface wireless
# managed by CAPsMAN
# channel: 2462/20-eC/gn(17dBm), SSID: XXXXX, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-onlyn comment="Wlan 2.4 Ghz" \
    country=no_country_set distance=indoors frequency=auto frequency-mode=\
    manual-txpower installation=indoor mode=ap-bridge scan-list=\
    2412,2437,2462 ssid=Rete-Privata tx-power=18 tx-power-mode=\
    all-rates-fixed wireless-protocol=802.11 wmm-support=enabled
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(21dBm), SSID: XXXXX, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-XXXX \
    comment="Wlan 5 Ghz" country=no_country_set distance=indoors frequency=\
    auto frequency-mode=manual-txpower installation=indoor mode=ap-bridge \
    skip-dfs-channels=10min-cac ssid=Rete-Privata-5 tx-power=22 \
    tx-power-mode=all-rates-fixed wireless-protocol=802.11 wmm-support=\
    enabled
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment="Switch Principale"
set [ find default-name=ether3 ] comment="Centralino VOIP"
set [ find default-name=ether4 ] comment="Camera Luca"
set [ find default-name=ether5 ] comment=NAS
/interface eoip
add comment="EoIP \"RB-Map - Lavoro\"" local-address=192.168.0.206 \
    mac-address=XXXXX name=eoip-tunnel1 remote-address=\
    192.168.89.206 tunnel-id=7
/interface wireless manual-tx-power-table
# managed by CAPsMAN
# channel: 2462/20-eC/gn(17dBm), SSID: XXXXX, CAPsMAN forwarding
set wlan1 comment="Wlan 2.4 Ghz"
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(21dBm), SSID: XXXXX, CAPsMAN forwarding
set wlan2 comment="Wlan 5 Ghz"
/interface wireless nstreme
# managed by CAPsMAN
# channel: 2462/20-eC/gn(17dBm), SSID: XXXXX, CAPsMAN forwarding
set wlan1 comment="Wlan 2.4 Ghz"
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(21dBm), SSID: XXXXX, CAPsMAN forwarding
set wlan2 comment="Wlan 5 Ghz"
/interface wireguard
add listen-port=13233 mtu=1420 name=WG-RemoteLAN
add listen-port=13232 mtu=1420 name=WG-Roberto
add listen-port=13231 mtu=1420 name=WG-Valerio
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=\
    Default
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
    group-key-update=5m name=Default
/caps-man configuration
add channel.band=2ghz-onlyn .control-channel-width=20mhz .frequency=\
    2412,2437,2462 .reselect-interval=1h country=italy datapath=Default \
    datapath.bridge=bridge .client-to-client-forwarding=yes mode=ap name=\
    XXXXX security=Default ssid=XXXXX
add channel.band=5ghz-n/ac .frequency=5180,5200,5220 .reselect-interval=1h \
    .skip-dfs-channels=no .tx-power=24 country="united states" datapath=\
    Default datapath.bridge=bridge .client-to-client-forwarding=yes mode=ap \
    name=XXXXX security=Default ssid=XXXXX
/caps-man interface
add channel.frequency=2412,2437,2462 comment="Wlan 2.4 Ghz" configuration=\
    XXXXX disabled=no l2mtu=1600 mac-address=XXXXX \
    master-interface=none name=HAP_AC2_Principale-Wlan1 radio-mac=\
    XXXXX radio-name=XXXXX
add comment="Wlan 5 Ghz" configuration=XXXXX disabled=no l2mtu=1600 \
    mac-address=XXXXX master-interface=none name=\
    HAP_AC2_Principale-Wlan2 radio-mac=XXXXX radio-name=\
    XXXXX
add channel.frequency=2412,2437,2462 comment="Wlan 2.4 Ghz" configuration=\
    XXXXX disabled=no l2mtu=1600 mac-address=XXXXX \
    master-interface=none name=HAP_AC2_Salotto-Wlan1 radio-mac=\
    XXXXX radio-name=XXXXX
add comment="Wlan 5 Ghz" configuration=XXXXX disabled=no l2mtu=1600 \
    mac-address=XXXXX master-interface=none name=\
    HAP_AC2_Salotto-Wlan2 radio-mac=XXXXX radio-name=XXXXX
add channel.frequency=2412,2437,2462 comment="Wlan 2.4 Ghz" configuration=\
    XXXXX disabled=no l2mtu=1600 mac-address=XXXXX \
    master-interface=none name=RB_MAP_Ingresso-Wlan1 radio-mac=\
    XXXXX radio-name=XXXXX
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifi steering
add name=steering1 neighbor-group=dynamic-XXXXX-2538aa67 rrm=yes wnm=\
    yes
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
    0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
    0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip pool
add name=dhcp ranges=192.168.0.30-192.168.0.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp always-broadcast=yes authoritative=after-2sec-delay \
    interface=bridge lease-time=10m name="DHCP Home"
/ip smb users
set [ find default=yes ] read-only=no
/ppp profile
set *0 dns-server=192.168.0.1 interface-list=LAN local-address=dhcp \
    remote-address=vpn
set *FFFFFFFE dns-server=192.168.0.1 local-address=dhcp remote-address=vpn
/queue tree
add comment="- - - - - - - - - - DOWNLOAD LINE - - - - - - - - - -" limit-at=\
    1G max-limit=1G name=DOWNLOAD parent=bridge queue=default
add comment="- - - - - - - - - - UPLOAD LINE - - - - - - - - - -" limit-at=1G \
    max-limit=1G name=UPLOAD parent=ether1 queue=default
add comment="PRIORITY 1 [VOIP]" limit-at=5M max-limit=10M name=Traffic_IN_1 \
    packet-mark="VOIP_RTP - Packet,VOIP_SIP - Packet" parent=DOWNLOAD \
    priority=1 queue=default
add comment="PRIORITY 8 [All - Traffic]" name=Traffic_IN_8 packet-mark=\
    no-mark parent=DOWNLOAD queue=default
add comment="PRIORITY 1 [VOIP]" limit-at=5M max-limit=10M name=Traffic_OUT_1 \
    packet-mark="VOIP_RTP - Packet,VOIP_SIP - Packet" parent=UPLOAD priority=\
    1 queue=default
add comment="PRIORITY 8 [All - Traffic]" name=Traffic_OUT_8 packet-mark=\
    no-mark parent=UPLOAD queue=default
add comment="PRIORITY 3 [NAS]" limit-at=10M max-limit=400M name=Traffic_IN_3 \
    packet-mark="NAS - Packet" parent=DOWNLOAD priority=3 queue=default
add comment="PRIORITY 3 [NAS]" limit-at=10M max-limit=400M name=Traffic_OUT_3 \
    packet-mark="NAS - Packet" parent=UPLOAD priority=3 queue=default
add comment="PRIORITY 2 [PS4 & Streaming Service]" limit-at=30M max-limit=\
    500M name=Traffic_IN_2 packet-mark=\
    "PS4 - Packet,Streaming_Service - Packet" parent=DOWNLOAD priority=2 \
    queue=default
add comment="PRIORITY 2 [PS4 & Sreaming Service]" limit-at=30M max-limit=500M \
    name=Traffic_OUT_2 packet-mark="PS4 - Packet,Streaming_Service - Packet" \
    parent=UPLOAD priority=2 queue=default
/system logging action
add email-to=XXXXX name=Email target=email
/ip smb
set comment=USB_RB_HAP domain=WORKGROUP enabled=yes
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment="EoIP \"Lavoro\"" ingress-filtering=no interface=\
    eoip-tunnel1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set default-profile=default use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=WG-Roberto list=LAN
add interface=WG-Valerio list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set authentication=mschap2 certificate=VPN-SSTP enabled=yes \
    max-mru=1400 max-mtu=1400 pfs=yes tls-version=only-1.2
/interface wireguard peers
add allowed-address=192.168.89.1/32 comment=\
    "Valerio - Cell [IP: 192.168.89.1]" interface=WG-Valerio \
    persistent-keepalive=20s public-key=\
    "XXXXX"
add allowed-address=192.168.89.33/32 comment=\
    "Roberto - Cell [IP: 192.168.89.33]" interface=WG-Roberto \
    persistent-keepalive=20s public-key=\
    "XXXXX"
add allowed-address=10.10.10.0/30,192.168.53.0/24 comment=\
    "VPN - StudioDP [IP: LAN 10.10.10.1  <---> 10.10.10.2 LAN_53]" \
    endpoint-address=XXXXX endpoint-port=13231 interface=WG-RemoteLAN \
    persistent-keepalive=20s public-key=\
    "XXXXX"
add allowed-address=10.10.10.4/30,192.168.54.0/24 comment=\
    "VPN - CasaDP [IP: LAN 10.10.10.5  <---> 10.10.10.6 LAN_54]" \
    endpoint-port=13231 interface=WG-RemoteLAN persistent-keepalive=20s \
    public-key="XXXXX"
add allowed-address=10.10.10.8/30,192.168.50.0/24 comment=\
    "VPN - CasaMazzaro [IP: LAN 10.10.10.9 <---> 10.10.10.10 LAN_50]" \
    endpoint-port=13231 interface=WG-RemoteLAN persistent-keepalive=20s \
    public-key="XXXXX"
add allowed-address=10.10.10.12/30,192.168.52.0/24 comment=\
    "VPN - SpSu [IP: LAN 10.10.10.13 <---> 10.10.10.14 LAN_52]" \
    endpoint-port=13231 interface=WG-RemoteLAN persistent-keepalive=20s \
    public-key="XXXXX"
add allowed-address=10.10.10.16/30,192.168.55.0/24 comment=\
    "VPN - CasaDaniAndra  [IP: LAN 10.10.10.17 <---> 10.10.10.18 LAN_55]" \
    endpoint-port=13231 interface=WG-RemoteLAN persistent-keepalive=20s \
    public-key="XXXXX"
add allowed-address=192.168.89.2/32 comment=\
    "Valerio - PC HP [IP: 192.168.89.2]" interface=WG-Valerio \
    persistent-keepalive=20s public-key=\
    "XXXXX"
add allowed-address=10.10.10.20/30,192.168.51.0/24 comment=\
    "VPN - RB-Nonna [IP: LAN 10.10.10.21  <---> 10.10.10.22 LAN_51]" \
    endpoint-port=13231 interface=WG-RemoteLAN persistent-keepalive=20s \
    public-key="XXXXX"
add allowed-address=192.168.89.34/32 comment=\
    "Roberto - PC [IP: 192.168.89.34]" interface=WG-Roberto \
    persistent-keepalive=20s public-key=\
    "XXXXX"
add allowed-address=10.10.10.24/30,192.168.56.0/24 comment=\
    "VPN - Carolina&Simone  [IP: LAN 10.10.10.25 <---> 10.10.10.26 LAN_56]" \
    endpoint-port=13231 interface=WG-RemoteLAN persistent-keepalive=20s \
    public-key="XXXXX"
add allowed-address=10.10.10.28/30,192.168.57.0/24 comment=\
    "VPN - CasaMichi  [IP: LAN 10.10.10.29 <---> 10.10.10.30 LAN_57]" \
    endpoint-port=13231 interface=WG-RemoteLAN persistent-keepalive=20s \
    public-key="XXXXX"
/interface wireless access-list
add allow-signal-out-of-range=always comment=\
    "Allow Connection HP Lavoro Valerio" interface=wlan2 mac-address=\
    84:1B:77:8B:CD:B5 signal-range=-80..120
/interface wireless cap
# 
set bridge=bridge caps-man-addresses=127.0.0.1 enabled=yes interfaces=\
    wlan1,wlan2
/ip address
add address=192.168.0.1/24 comment=defconf interface=ether2 network=\
    192.168.0.0
add address=192.168.89.0/27 comment=\
    "WG-Valerio [192.168.89.1 - 192.168.89.30]" interface=WG-Valerio network=\
    192.168.89.0
add address=192.168.89.32/27 comment=\
    "WG-Roberto [192.168.89.33 - 192.168.89.62]" interface=WG-Roberto \
    network=192.168.89.32
add address=10.10.10.1/30 comment="VPN - StudioDP [10.10.10.1 - 10.10.10.3]" \
    interface=WG-RemoteLAN network=10.10.10.0
add address=10.10.10.5/30 comment="VPN - CasaDP [10.10.10.5 - 10.10.10.7]" \
    interface=WG-RemoteLAN network=10.10.10.4
add address=10.10.10.9/30 comment=\
    "VPN - CasaMazzaro [10.10.10.9 - 10.10.10.11]" interface=WG-RemoteLAN \
    network=10.10.10.8
add address=10.10.10.13/30 comment=\
    "VPN - SpSu [10.10.10.13 - 10.10.10.15]" interface=WG-RemoteLAN \
    network=10.10.10.12
add address=10.10.10.17/30 comment=\
    "VPN - CasaDaniAndra [10.10.10.17 - 10.10.10.19]" interface=WG-RemoteLAN \
    network=10.10.10.16
add address=10.10.10.21/30 comment=\
    "VPN - RB-Nonna [10.10.10.21 - 10.10.10.23]" interface=WG-RemoteLAN \
    network=10.10.10.20
add address=10.10.10.25/30 comment=\
    "VPN - Carolina&Simone [10.10.10.25 - 10.10.10.27]" interface=\
    WG-RemoteLAN network=10.10.10.24
add address=10.10.10.29/30 comment=\
    "VPN - CasaMichi [10.10.10.29 - 10.10.10.31]" interface=WG-RemoteLAN \
    network=10.10.10.28
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server config
set store-leases-disk=1h
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.1 domain=\
    HomeLAN gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=45.90.28.22,45.90.30.22
/ip dns static
add address=192.168.0.1 comment="[HomeLAN] HAP_AC2" name=Router.HomeLAN
add address=192.168.0.4 comment="[HomeLAN] HAP_AC2_Salotto" name=\
    Router2.HomeLAN
add address=192.168.0.20 comment="[HomeLAN] RB_MAP_Ingresso" name=\
    Router3.HomeLAN
add address=192.168.0.6 comment="[HomeLAN] NAS_Casa" name=NAS.HomeLAN
add address=192.168.0.5 comment="[HomeLAN] NAS_Casa_BK" name=NAS2.HomeLAN
add address=192.168.0.13 comment="[HomeLAN] PC-Roberto" name=\
    PC-Roberto.HomeLAN
add address=192.168.0.17 comment="[HomeLAN] PC-Camera (Luca)" name=\
    PC-Camera.HomeLAN
add address=192.168.0.19 comment="[HomeLAN] PC-Valerio (Cameretta)" name=\
    PC-Valerio.HomeLAN
add address=192.168.50.1 comment="[LAN50] RB951 \"CasaMazzaro\"" name=\
    Router.LAN50
add address=192.168.50.2 comment="[LAN50] PWR-Line-IN" name=Router2.LAN50
add address=192.168.50.3 comment="[LAN50] PWR-Line-Cucina" name=Router3.LAN50
add address=192.168.50.4 comment="[LAN50] PWR-Line-Camere" name=Router4.LAN50
add address=192.168.50.5 comment="[LAN50] PWR-Line-Garage" name=Router5.LAN50
add address=192.168.51.1 comment="[LAN51] RB \"RB-Nonna\"" name=Router.LAN51
add address=192.168.51.2 comment="[LAN51] mAP-Repeater  \"RB-Nonna\"" name=\
    Router2.LAN51
add address=192.168.52.1 comment="[LAN52] HAP_AC3 \"SplendorSuite\"" name=\
    Router.LAN52
add address=192.168.52.2 comment="[LAN52] WAP-103 \"SplendorSuite\"" name=\
    Router2.LAN52
add address=192.168.52.3 comment="[LAN52] WAP-101 \"SplendorSuite\"" name=\
    Router3.LAN52
add address=192.168.52.4 comment="[LAN52] WAP-SP \"SplendorSuite\"" name=\
    Router4.LAN52
add address=192.168.53.1 comment="[LAN53] HAP_AC2 \"StudioDiPirro\"" name=\
    Router.LAN53
add address=192.168.53.252 comment="[LAN53] Server HP StudioDPR" name=\
    Server.LAN53
add address=192.168.53.242 comment="[LAN53] PC-Fabio \"StudioDiPirro\"" name=\
    PC-Fabio.LAN53
add address=192.168.53.249 comment="[LAN53] PC-Stefania \"StudioDiPirro\"" \
    name=PC-Stefania.LAN53
add address=192.168.54.1 comment="[LAN54] HAP_AC2 \"CasaDiPirro\"" name=\
    Router.LAN54
add address=192.168.54.246 comment="[LAN54] NAS_Home \"CasaDiPirro\"" name=\
    NAS.LAN54
add address=192.168.54.147 comment="[LAN54] PC-Michele \"CasaDiPirro\"" name=\
    PC-Michele.LAN54
add address=192.168.54.131 comment="[LAN54] PC-ASUS \"CasaDiPirro\"" name=\
    PC-ASUS.LAN54
add address=192.168.55.1 comment="[LAN55] HAP_AC2 \"CasaDaniAndra\"" name=\
    Router.LAN55
add address=192.168.55.2 comment="[LAN55] PWR-IN \"CasaDaniAndra\"" name=\
    Router2.LAN55
add address=192.168.55.3 comment="[LAN55] PWR-Salotto \"CasaDaniAndra\"" \
    name=Router3.LAN55
add address=192.168.55.4 comment="[LAN55] PWR-Cameretta \"CasaDaniAndra\"" \
    name=Router4.LAN55
add address=192.168.56.1 comment="[LAN56] HAP_AX2 \"Carolina&Simone\"" name=\
    Router.LAN56
add address=192.168.57.1 comment="[LAN57] HAP_AX2 \"CasaMichi\"" name=\
    Router.LAN57
/ip firewall address-list
add address=192.168.0.12 comment="Sky Q Decoder IP" list=Streaming_Service_IP
add address=192.168.0.9 comment="TV Salotto" list=Streaming_Service_IP
add address=192.168.0.10 comment="TV Stanza Luca" list=Streaming_Service_IP
add address=192.168.0.11 comment="TV Cucina" list=Streaming_Service_IP
/ip firewall filter
add action=drop chain=input comment="[ROS - Security] Drop Ping from WAN" \
    in-interface=ether1 protocol=icmp
add action=add-src-to-address-list address-list=Banned_IP \
    address-list-timeout=4w2d chain=input comment=\
    "[ROS - Security] Port Scanner Detect (Banned)" protocol=tcp psd=\
    21,3s,3,1
add action=add-src-to-address-list address-list=Banned_IP \
    address-list-timeout=4w2d chain=input comment=\
    "[ROS - Security] Brute Froce Access Detect (Banned)" connection-state=\
    new disabled=yes dst-port=2190,2295,8081,8291 in-interface-list=!LAN \
    protocol=tcp src-address-list=Brute_Force_Attempt_3
add action=add-src-to-address-list address-list=Brute_Force_Attempt_3 \
    address-list-timeout=30s chain=input comment=\
    "[ROS - Security] Brute Froce Access Detect (Attempt 3)" \
    connection-state=new disabled=yes dst-port=2190,2295,8081,8291 \
    in-interface-list=!LAN protocol=tcp src-address-list=\
    Brute_Force_Attempt_2
add action=add-src-to-address-list address-list=Brute_Force_Attempt_2 \
    address-list-timeout=30s chain=input comment=\
    "[ROS - Security] Brute Froce Access Detect (Attempt 2)" \
    connection-state=new disabled=yes dst-port=2190,2295,8081,8291 \
    in-interface-list=!LAN protocol=tcp src-address-list=\
    Brute_Force_Attempt_1
add action=add-src-to-address-list address-list=Brute_Force_Attempt_1 \
    address-list-timeout=30s chain=input comment=\
    "[ROS - Security] Brute Froce Access Detect (Attempt 1)" \
    connection-state=new disabled=yes dst-port=2190,2295,8081,8291 \
    in-interface-list=!LAN protocol=tcp
add action=drop chain=input comment=\
    "[ROS - Security] Drop from Banned_IP List" in-interface-list=!LAN \
    src-address-list=Banned_IP
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="[VPN] Allow Wireguard" dst-port=\
    13231,13232,13233 in-interface=ether1 protocol=udp
add action=accept chain=input comment="[VPN] Allow SSTP" dst-port=443 \
    in-interface=ether1 protocol=tcp
add action=accept chain=input comment="[VPN] Allow IPSec" dst-port=4500 \
    in-interface=ether1 protocol=udp
add action=accept chain=input comment=\
    "[ROS] Allow FTP - SSH - WebFig - WinBox" dst-port=2190,2295,8081,8291 \
    protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward comment="Change MSS" new-mss=\
    clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward comment="Change MSS to WG-Valerio (TEST)" \
    disabled=yes new-mss=clamp-to-pmtu out-interface=WG-Valerio passthrough=\
    yes protocol=tcp tcp-flags=syn
add action=mark-connection chain=forward comment="[VOIP] SIP Connection Mark" \
    dst-address=192.168.0.8 dst-port=5060 new-connection-mark=\
    "VOIP_SIP - Connection" passthrough=yes protocol=udp
add action=mark-packet chain=forward comment="[VOIP] SIP Packet Mark" \
    connection-mark="VOIP_SIP - Connection" new-packet-mark=\
    "VOIP_SIP - Packet" passthrough=yes
add action=mark-connection chain=forward comment="[VOIP] RTP Connection Mark" \
    dst-address=192.168.0.8 dst-port=5004 new-connection-mark=\
    "VOIP_RTP - Connection" passthrough=yes protocol=udp
add action=mark-packet chain=forward comment="[VOIP] RTP Packet Mark" \
    connection-mark="VOIP_RTP - Connection" new-packet-mark=\
    "VOIP_RTP - Packet" passthrough=yes
add action=change-dscp chain=postrouting comment="[VOIP] DSCP Priority" \
    dst-address=192.168.0.8 new-dscp=46 packet-mark="VOIP_RTP - Packet" \
    passthrough=yes
add action=mark-connection chain=forward comment=\
    "[Streaming Service] Connection Mark" dst-address-list=\
    Streaming_Service_IP new-connection-mark="Streaming_Service - Connection" \
    passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment=\
    "[Streaming Service] Packet Mark" connection-mark=\
    "Streaming_Service - Connection" new-packet-mark=\
    "Streaming_Service - Packet" passthrough=yes
add action=mark-connection chain=forward comment=\
    "[PS4 - Luca] Connection Mark" dst-address=192.168.0.14 \
    new-connection-mark="PS4 - Connection" passthrough=yes
add action=mark-packet chain=forward comment="[PS4 - Luca] Packet Mark" \
    connection-mark="PS4 - Connection" new-packet-mark="PS4 - Packet" \
    passthrough=yes
add action=mark-connection chain=forward comment="[NAS] Connection Mark" \
    dst-address=192.168.0.6 new-connection-mark="NAS - Connection" \
    passthrough=yes
add action=mark-packet chain=forward comment="[NAS] Packet Mark" \
    connection-mark="NAS - Connection" new-packet-mark="NAS - Packet" \
    passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="[VPN] Traffic OUT for RemoteLAN" \
    out-interface=WG-RemoteLAN
add action=masquerade chain=srcnat comment=\
    "[VPN] Traffic OUT for RemoteLAN SSTP" out-interface=sstp-in1
add action=dst-nat chain=dstnat comment="[VOIP] UDP Traffic Centralino" \
    dst-address=XXXXX dst-port=5004,5060 in-interface=ether1 protocol=\
    udp to-addresses=192.168.0.8
add action=dst-nat chain=dstnat comment=\
    "[NAS] TCP Traffic HTTP - HTTPS - SFTP - Torrent - eMule" dst-port=\
    8080,5001,2224,16881,4662 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.0.6
add action=dst-nat chain=dstnat comment="[NAS] UDP Traffic Torrent - eMule" \
    dst-port=6881,4672 in-interface=ether1 protocol=udp to-addresses=\
    192.168.0.6
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set pptp disabled=yes
/ip route
add comment="Rotta -->> LAN CasaMazzaro" disabled=no distance=1 dst-address=\
    192.168.50.0/24 gateway=10.10.10.10 pref-src="" routing-table=main scope=\
    30 suppress-hw-offload=no target-scope=10
add comment="Rotta -->> LAN SplendorSuite" disabled=no distance=1 \
    dst-address=192.168.52.0/24 gateway=10.10.10.14 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Rotta -->> LAN StudioDP" disabled=no distance=1 dst-address=\
    192.168.53.0/24 gateway=10.10.10.2 pref-src="" routing-table=main scope=\
    30 suppress-hw-offload=no target-scope=10
add comment="Rotta -->> LAN CasaDP" disabled=no distance=1 dst-address=\
    192.168.54.0/24 gateway=10.10.10.6 pref-src="" routing-table=main scope=\
    30 suppress-hw-offload=no target-scope=10
add comment="Rotta -->> LAN CasaDaniAndra" disabled=no distance=1 \
    dst-address=192.168.55.0/24 gateway=10.10.10.18 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Rotta OUT LAN Lavoro" disabled=no dst-address=192.107.93.0/24 \
    gateway=sstp-in1
add comment="Rotta OUT LAN \"Lavoro\"" disabled=no dst-address=\
    192.168.116.0/24 gateway=sstp-in1
add comment="Rotta OUT LAN \"Lavoro\"" disabled=no dst-address=\
    192.168.125.0/24 gateway=sstp-in1
add comment="Rotta OUT LAN \"Lavoro\"" disabled=no dst-address=\
    192.168.126.0/24 gateway=sstp-in1
add comment="Rotta OUT LAN \"Lavoro\"" disabled=no dst-address=\
    192.168.127.0/24 gateway=sstp-in1
add comment="Rotta OUT \"RBNonna\" (Accesso 4G Key)" disabled=no dst-address=\
    192.168.8.1/32 gateway=*F
add comment="Rotta OUT LAN \"Lavoro\" (Subnet RB)" disabled=no dst-address=\
    192.168.88.0/24 gateway=sstp-in1
add comment="Rotta -->> LAN RB-Nonna" disabled=no distance=1 dst-address=\
    192.168.51.0/24 gateway=10.10.10.22 pref-src="" routing-table=main scope=\
    30 suppress-hw-offload=no target-scope=10
add comment="Rotta -->> LAN Carolina&Simone" disabled=no distance=1 \
    dst-address=192.168.56.0/24 gateway=10.10.10.26 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Rotta -->> LAN CasaMichi" disabled=no distance=1 dst-address=\
    192.168.57.0/24 gateway=10.10.10.30 pref-src="" routing-table=main scope=\
    30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp port=2190
set www port=8081
set ssh port=2295
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub disabled=no
add directory=usb1 name=USB
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add local-address=192.168.0.206 name=Lavoro remote-address=192.168.89.206
add name=Valerio
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=HAP_AC2
/system leds
add interface=HAP_AC2_Principale-Wlan1 leds=user-led type=interface-activity
/system logging
set 0 topics=info,!wireguard
add action=Email disabled=yes prefix="[RB_HAP_AC2-Casa]" topics=account
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add comment="Abilita il wireless" disabled=yes interval=1d name=Wlan-on \
    on-event="/interface wifi enable wlan1\r\
    \n/interface wifi enable wlan2" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
    2016-01-15 start-time=06:00:00
add comment="Disabilita il wireless" disabled=yes interval=1d name=Wlan-off \
    on-event="/interface wifi disable wlan1\r\
    \n/interface wifi disable wlan2" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
    2016-01-15 start-time=02:00:00
add comment="Disabilita il wireless (CAPsMAN)" interval=1d name=Caps-off \
    on-event="caps-man manager set enabled=no" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
    2016-01-15 start-time=02:00:00
add comment="Abilita il wireless (CAPsMAN)" interval=1d name=Caps-on \
    on-event="caps-man manager set enabled=yes" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
    2016-01-15 start-time=06:00:00
/tool e-mail
set from=<RB951> port=587 server=smtp.gmail.com tls=starttls user=\
    XXXXX
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Let's say the LAN to which I want to send SSDP and mDNS traffic is the following:

add allowed-address=10.10.10.20/30,192.168.51.0/24 comment=\
"VPN - RB-Nonna [IP: LAN 10.10.10.21 <---> 10.10.10.22 LAN_51]" \
endpoint-port=13231 interface=WG-RemoteLAN persistent-keepalive=20s \
public-key="XXXXX"

On the other side I have a mAP in a completely default configuration, with this WireGuard tunnel and nothing more.

Thank you both for the enormous help you are giving me ;)
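As an added illustration of the "bridge filter on the EoIP port" step Amm0 describes, applied to the RB-Nonna tunnel Valerio named: this is example config written for this thread, not something posted by either participant or taken from MikroTik documentation. It assumes a new EoIP tunnel, called eoip-nonna here, carried inside the existing WG-RemoteLAN tunnel between 10.10.10.21 (HAP_AC2) and 10.10.10.22 (RB-Nonna), a tunnel-id=51 that is free on both routers, and IPv4-only LANs (the export shows disable-ipv6=yes). The same bridge-port and filter configuration has to be mirrored on RB-Nonna with the two addresses swapped.

```routeros
# Added example for the thread (not from the posts or MikroTik docs).
# Assumed names/values: eoip-nonna, tunnel-id=51.
# Run on HAP_AC2; repeat on RB-Nonna with local/remote swapped.

/interface eoip
add name=eoip-nonna local-address=10.10.10.21 remote-address=10.10.10.22 \
    tunnel-id=51 comment="L2 carrier for mDNS/SSDP only (inside WG-RemoteLAN)"

/interface bridge port
add bridge=bridge interface=eoip-nonna comment="multicast-only EoIP to LAN51"

# Bridge filter, evaluated top to bottom per chain.
# forward: frames bridged between eoip-nonna and the local LAN ports.
# Only IPv4 UDP to the two discovery groups may cross, in both directions;
# everything else (ARP, DHCP broadcasts, unicast SMB/RTSP, IPv6, ...) is
# dropped so the two LANs never merge into one L2 domain.
/interface bridge filter
add chain=forward in-interface=eoip-nonna mac-protocol=ip ip-protocol=udp \
    dst-address=224.0.0.251/32 dst-port=5353 action=accept comment="mDNS from LAN51"
add chain=forward in-interface=eoip-nonna mac-protocol=ip ip-protocol=udp \
    dst-address=239.255.255.250/32 dst-port=1900 action=accept comment="SSDP from LAN51"
add chain=forward in-interface=eoip-nonna action=drop comment="drop all else from EoIP"
add chain=forward out-interface=eoip-nonna mac-protocol=ip ip-protocol=udp \
    dst-address=224.0.0.251/32 dst-port=5353 action=accept comment="mDNS to LAN51"
add chain=forward out-interface=eoip-nonna mac-protocol=ip ip-protocol=udp \
    dst-address=239.255.255.250/32 dst-port=1900 action=accept comment="SSDP to LAN51"
add chain=forward out-interface=eoip-nonna action=drop comment="drop all else to EoIP"

# input/output: frames between eoip-nonna and this router's own CPU.
# Without these, a DHCP Discover from LAN51 would still reach the local
# DHCP server (and be answered) even though the forward chain dropped it
# towards the LAN ports.
add chain=input in-interface=eoip-nonna action=drop comment="nothing from EoIP to router"
add chain=output out-interface=eoip-nonna action=drop comment="nothing from router into EoIP"
```

How the two halves fit together: only the multicast query/announce packets cross the bridged EoIP; the unicast replies (an SSDP M-SEARCH response, or the HTTP/RTSP/SMB session that follows discovery) come from an off-subnet source, so each device hands them to its own default gateway and they travel the routed WireGuard path that already exists (the 192.168.51.0/24 route via 10.10.10.22 and the matching allowed-address on the peer). RB-Nonna therefore needs the reverse route for 192.168.0.0/24 as well, or discovery will succeed and every connection will then fail. To check the filter is doing its job, watch the counters with `/interface bridge filter print stats` and run `/tool sniffer quick interface=eoip-nonna`: only UDP to 224.0.0.251:5353 and 239.255.255.250:1900 should appear. Two caveats: if igmp-snooping is ever enabled on the bridge, 239.255.255.250 traffic will only be flooded to the EoIP port when the bridge sees group membership for it (224.0.0.251 is link-local and is always flooded), and full-size frames inside EoIP-over-WireGuard will fragment because of the reduced MTU, which does not matter for the small discovery packets this design lets through.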
