Community discussions

MikroTik App
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

How do I configure wireguard in new router os 7.1?

Tue Dec 21, 2021 3:39 am

My intention is to create a tunnel to my home network, something like Amplify teleport. So, that I can access my home mikrotik. My target is to configure my mikrotik as a wireguard server and all the devices get an IP from the DHCP server. My, router config is :
# dec/21/2021 07:13:27 by RouterOS 7.1
# software id = BM4W-X3GK
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 
/interface bridge
add admin-mac=xx.xx.xx.xx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether3 ] advertise=\
    100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
    20/40mhz-XX country=no_country_set disabled=no distance=indoors \
    frequency=auto frequency-mode=manual-txpower installation=indoor mode=\
    ap-bridge ssid=xxx station-roaming=enabled wireless-protocol=802.11 \
    wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac \
    channel-width=20/40/80mhz-XXXX country=no_country_set disabled=no \
    frequency=5765 frequency-mode=manual-txpower installation=outdoor mode=\
    ap-bridge ssid=xxx station-roaming=enabled wireless-protocol=802.11 \
    wps-mode=disabled
/interface wireguard
add listen-port=13231 mtu=1420 name=Home
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
    xxxxxxxxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    group-key-update=1h mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=pinet ranges=192.168.188.20-192.168.188.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=pinet interface=ether5 name=pinetDHCP
/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=to_ISP1
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192 rp-filter=loose
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether5 list=LAN
add interface=Home list=LAN
/interface wireguard peers
add interface=Home public-key="xxxxxxxxx"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.188.1/24 comment=pinet interface=ether5 network=\
    192.168.188.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.188.25 \
    gateway=192.168.88.1
add address=192.168.188.0/24 comment=pinet gateway=192.168.188.1 netmask=24
add address=192.168.188.25/32 comment=route dns-server=192.168.88.1 gateway=\
    192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=2d query-server-timeout=100ms \
    query-total-timeout=5s servers=1.1.1.1,1.0.0.1 use-doh-server=\
    https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 name=router.lan
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=192.168.188.20-192.168.188.254 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=LAN src-address-list=allowed_to_router
add action=accept chain=input in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN port=53 protocol=udp
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=" Allow Port Forwarding - DSTNAT" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="ENABLE LAN to WAN" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward dst-address=192.168.188.0/24 src-address=\
    192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
    192.168.188.0/24
add action=drop chain=forward comment="Drop All Else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=pihole_bypass disabled=yes \
    dst-address=192.168.188.25 dst-port=53 protocol=udp to-addresses=\
    192.168.88.1
add action=dst-nat chain=dstnat comment=pihole_bypass disabled=yes \
    dst-address=192.168.188.25 dst-port=53 protocol=tcp to-addresses=\
    192.168.88.1
/ip route
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
    104.16.248.249 pref-src="" routing-table=to_ISP1 scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
    pppoe-out1 pref-src="" routing-table=to_ISP1 scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    104.16.249.249 routing-table=to_ISP1
add disabled=yes distance=1 dst-address=104.16.248.249/32 gateway=pppoe-out1 \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=104.16.249.249/32 gateway=pppoe-out1 \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=xxxx
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
add interface=ether5 type=internal
/system clock
set time-zone-name=Asia/Dhaka
/system logging
add topics=wireless,debug
add disabled=yes topics=dns
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system package update
set channel=long-term
/system scheduler
add interval=2d name=reboot on-event="system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jun/07/2020 start-time=05:05:00
add interval=30s name=bypass on-event=":local piholeDown [/ip firewall nat pri\
    nt count-only where comment~\"pihole_bypass\" && disabled]\r\
    \n:local piholeDNS \"192.168.188.25\"\r\
    \n:local testDomain \"www.google.com\"\r\
    \n\r\
    \n:if (\$piholeDown > 0 ) do={\r\
    \n    :do {\r\
    \n        :resolve \$testDomain server \$piholeDNS\r\
    \n    } on-error={\r\
    \n        /ip firewall nat enable [find comment=pihole_bypass];\r\
    \n    }\r\
    \n} else={\r\
    \n    :do {\r\
    \n        :resolve \$testDomain server \$piholeDNS\r\
    \n        /ip firewall nat disable [find comment=pihole_bypass];\r\
    \n    } on-error={}\r\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=may/21/2021 start-time=05:31:03
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
My ios configuration is:
Interface: iphone
Public key: xxxxxx
Addresses: 192.168.88.20/24,2001         (note these are different subnet masks than in the server config)
DNS servers: as desired - if you want to use the wireguard server for dns, specify 192.168.66.1

Peer:
Public key - mikrotik public key
Endpoint - mydyndns.whatever:13231
Allowed IPs: 0.0.0.0/0, ::/0
What I am doing wrong, seems like no traffic is passing through. Also, after updating to router ways I am seeing some wifi signal dropping on ios devices. Ios device showing poor internet where as one device working on a whatsapp voice call and other struggling to connect.
Last edited by shafiqrahman on Thu Jan 06, 2022 7:51 am, edited 1 time in total.
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: How do I configure wireguard in new router os 7.1?

Tue Dec 21, 2021 12:43 pm

Hello,
In my practice, I needed a DST-NAT Rule.
wire-router.png
ios-router.png
My target is to configure my mikrotik as a wireguard server and all the devices get an IP from the DHCP server
I don't think this will be a good practice to use the same IP range for both sides of the tunnel. Try to use a different subnet per network.
Edit: Wireguard won't communicate with DHCP in any way. You have to use a static IP for your peer to connect.
You do not have the required permissions to view the files attached to this post.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Tue Dec 21, 2021 2:39 pm

The mistake your making is getting too cute with your IP addressing.
Just give the IPHONE a random IP 10.0.20.5/32
Just ensure the wireguard server references the same address.
Then it will work fine.

As for the wireguard server router.
If you want to allow remote access to Configure the router you have two options in the INPUT CHAIN.
a. make a separate rule for wg OR better
b. simply include WG in your current settings.

SINCE YOU HAVE
add action=accept chain=input comment="Allow ADMIN to Router" \
in-interface-list=LAN src-address-list=allowed_to_router

Thus ensure
1. wg interface (by name) is part of the LAN interface member list.
2. the IP 10.0.20.5/32 is added to the firewall address list of allowed_to_router

BY THE WAY do you really need UPNP............... would turn that off if not absolutely necessary.


Next do you want to allow the WG interface access your LAN.......
add action=accept chain=forward in-interface=WGinterface dst-address=192.168.88.0/24

Not sure why you have two rules,,,,,,,,, i hardly think you will need to configure your iphone from the LAN, or print to your iphone ;-)
As you can see so far no need to assign an IP address or anything to wiireguard.

To ensure all traffic returned from any interface on the router (lan/wan) is sent correctly back through the tunnel to your iphone,
Need:
Dst-address=10.0.20.2/32 gateway=wg interface

Since you have added the WG interface to the LAN interface list.
then you will have internet access through the tunnel out the WANIP of the router.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I configure wireguard in new router os 7.1?

Mon Jan 03, 2022 10:24 pm

Thank you @anav & @own3r1138 for replying. Sorry, replying late,I gave the iphone a random IP:
/interface wireguard
add listen-port=13231 mtu=1420 name=Home
/interface wireguard peers
add allowed-address=10.0.20.20/32 interface=Home public-key=\

For accessing the router I had added :
/ip firewall address-list
add address=10.0.20.20 list=allowed_to_router
Wireguardg is part of the LAN.
For accessing I had already included it in the plan.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether5 list=LAN
add interface=Home list=LAN
I am not sure about this portion:
Not sure why you have two rules,,,,,,,,, i hardly think you will need to configure your iphone from the LAN, or print to your iphone ;-)
As you can see so far no need to assign an IP address or anything to wiireguard.
It will be nice if you mention the duplicate rules.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
[color=#0000FF]add action=accept chain=input comment="Allow Wireguard" disabled=yes \
    dst-port=13231 protocol=udp[/color]
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=LAN src-address-list=allowed_to_router
add action=accept chain=input in-interface-list=LAN port=xx protocol=tcp
add action=accept chain=input in-interface-list=LAN port=xx protocol=udp
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
[color=#0000FF]add action=accept chain=forward comment=Wireguard dst-address=192.168.88.0/24 \
    in-interface=Home[/color]
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=" Allow Port Forwarding - DSTNAT" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="ENABLE LAN to WAN" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward dst-address=192.168.188.0/24 src-address=\
    192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
    192.168.188.0/24
add action=drop chain=forward comment="Drop All Else"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=pihole_bypass disabled=yes \
    dst-address=192.168.188.25 dst-port=xx protocol=udp to-addresses=\
    192.168.88.1
add action=dst-nat chain=dstnat comment=pihole_bypass disabled=yes \
    dst-address=192.168.188.25 dst-port=xx protocol=tcp to-addresses=\
    192.168.88.1
[color=#0040FF]add action=accept chain=dstnat dst-address=10.0.20.20 in-interface=Home[/color]
To ensure all traffic returned from any interface on the router (lan/wan) is sent correctly back through the tunnel to your iphone,
Need:
Dst-address=10.0.20.2/32 gateway=wg interface
is this is the same as
add action=accept chain=dstnat dst-address=10.0.20.20 in-interface=Home
And, finally the address list:
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.188.1/24 comment=pinet interface=ether5 network=\
    192.168.188.0
add address=10.0.20.0/24 interface=Home network=10.0.20.0
Still, not working.
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: How do I configure wireguard in new router os 7.1?

Mon Jan 03, 2022 10:47 pm

as you practice @anav replay.
I decided to remove my comment to ease your pain.
Last edited by own3r1138 on Tue Jan 04, 2022 12:23 am, edited 1 time in total.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How do I configure wireguard in new router os 7.1?

Mon Jan 03, 2022 11:50 pm

You were and still are missing route to client:
/ip route
add dst-address=10.0.20.20/32 gateway=Home
Your original config would additionally need proxy arp on bridge interface.
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I configure wireguard in new router os 7.1?

Tue Jan 04, 2022 11:02 am

@own3r1138 thank you for the reply. That wasn't necessary. I tried to test your suggestion
add action=accept chain=dstnat dst-address=10.0.20.20 in-interface=Home
but, if I change the action from accept to dstnat router requires a port. Needs more tinkering.

Thank you @Sob for the route info. I will add the route and see what happens.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Tue Jan 04, 2022 6:36 pm

Okay what is weird to me is your dhcp server setup........
The one in orange is extra, dont see why you have it, should be removed I think!!

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.188.25 gateway=192.168.88.1 (Bridge network OK!)
add address=192.168.188.0/24 comment=pinet gateway=192.168.188.1 netmask=24 (Ether5 network OK!)
add address=192.168.188.25/32 comment=route dns-server=192.168.88.1 gateway=\
192.168.88.1 netmask=24
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How do I configure wireguard in new router os 7.1?

Tue Jan 04, 2022 7:17 pm

It just means that client 192.168.188.25 has special config different from others.
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I configure wireguard in new router os 7.1?

Tue Jan 04, 2022 7:42 pm

Couldn't recall what was it, but here is the post that I made viewtopic.php?t=174873#p858336. But, removed the orange one any way, Probably, this is the one viewtopic.php?t=141616#p698276
So, is it ok if I combine this two rules
add address=192.168.188.0/24 comment=pinet gateway=192.168.188.1 netmask=24 
add address=192.168.188.25/32 comment=route dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24
into a single one:
add address=192.168.188.0/24 comment=route dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How do I configure wireguard in new router os 7.1?

Wed Jan 05, 2022 12:00 am

On closer look, that last entry is weird, not just because it exists, but because it gives gateway 192.168.88.1 to 192.168.188.25/24 device, which can't work. So I guess that 192.168.188.25 doesn't really use DHCP and you can remove it. Don't change the second one, that's ok. But aside from this, it would be ok to have such entry to give different parameters to one client.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Wed Jan 05, 2022 12:03 am

@sob lets recap

I said:....
Okay what is weird to me is your dhcp server setup........
The one in orange is extra, dont see why you have it, should be removed I think!!


You said....
It just means that client 192.168.188.25 has special config different from others.

Then you saw the light, and said.....
On closer look, that last entry is weird, not just because it exists, but because it gives gateway 192.168.88.1 to 192.168.188.25/24 device, which can't work. So I guess that 192.168.188.25 doesn't really use DHCP and you can remove it.

Please next time you read my posts...
WEAR YOUR GLASSES!! ;-PP
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How do I configure wireguard in new router os 7.1?

Wed Jan 05, 2022 12:32 am

Sorry, it's past experience. When you say that something is wrong, it can either mean that it's really wrong, or that it's perfectly fine and you just haven't seen such thing before. ;) The problem was that I misread numbers and mixed 88 with 188. One network has 192.168.188.25 as DNS resolver, so it would make sense to have exception for 192.168.188.25, to not give it itself as resolver. Except it's really different networks.
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I configure wireguard in new router os 7.1?

Wed Jan 05, 2022 3:43 am

Ok, the orange one is gone :lol:
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Wed Jan 05, 2022 3:47 am

Sorry, it's past experience. When you say that something is wrong, it can either mean that it's really wrong, or that it's perfectly fine and you just haven't seen such thing before. ;) The problem was that I misread numbers and mixed 88 with 188. One network has 192.168.188.25 as DNS resolver, so it would make sense to have exception for 192.168.188.25, to not give it itself as resolver. Except it's really different networks.
In my limited experience, if it smells like a pig, and dresses like a pig and walks like a pig, its a pig! ;-)
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How do I configure wireguard in new router os 7.1?

Wed Jan 05, 2022 10:11 am

@shafiqrahman: And how is it going otherwise? Does it work with added route?
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I configure wireguard in new router os 7.1?

Wed Jan 05, 2022 4:33 pm

Nope, nothing. wg ios successfully found my router external IP. But, no traffic in wg interface.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Wed Jan 05, 2022 5:23 pm

Nope, nothing. wg ios successfully found my router external IP. But, no traffic in wg interface.
Please post your latest config on MT server router
/export hide-sensitive file=anynameyouwant
(and hide any public IPs showing if any, including on firewall address lists).

Also jot down your IOS settings
WIREGUARD INTERFACE
&
PEER INTERFACE

(for public keys just put aabb for one pair and xxyyy for the other pair to represent them.

(for endpoint IP address (just state WANIP)
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I configure wireguard in new router os 7.1?

Wed Jan 05, 2022 10:19 pm

# jan/05/2022 18:35:54 by RouterOS 7.1.1
# software id = BM4W-X3GK
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether3 ] advertise=\
    100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
    20/40mhz-XX country=no_country_set disabled=no distance=indoors \
    frequency=auto frequency-mode=manual-txpower installation=indoor mode=\
    ap-bridge ssid=xxx station-roaming=enabled wireless-protocol=802.11 \
    wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac \
    channel-width=20/40/80mhz-XXXX country=no_country_set disabled=no \
    frequency=5765 frequency-mode=manual-txpower installation=outdoor mode=\
    ap-bridge ssid=xxx station-roaming=enabled wireless-protocol=802.11 \
    wps-mode=disabled
/interface wireguard
add listen-port=13231 mtu=1420 name=Home
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
    xxxxxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    group-key-update=1h mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=pinet ranges=192.168.188.20-192.168.188.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=pinet interface=ether5 name=pinetDHCP
/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=to_ISP1
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=xxxx rp-filter=loose
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=xxxx
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether5 list=LAN
add interface=Home list=LAN
/interface wireguard peers
add allowed-address=10.0.20.20/32 interface=Home public-key=\
    xxxxxxxx
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.188.1/24 comment=pinet interface=ether5 network=\
    192.168.188.0
add address=10.0.20.0/24 interface=Home network=10.0.20.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.188.25 \
    gateway=192.168.88.1
add address=192.168.188.0/24 comment=pinet gateway=192.168.188.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=2d query-server-timeout=100ms \
    query-total-timeout=5s servers=1.1.1.1,1.0.0.1 use-doh-server=\
    https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 name=router.lan
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
/ip firewall address-list
add address=192.168.88.x-192.168.88.xxx list=allowed_to_router
add address=192.168.188.x-192.168.188.xxx list=allowed_to_router
add address=10.0.20.20 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow Wireguard" disabled=yes \
    dst-port=13231 protocol=udp
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=LAN src-address-list=allowed_to_router
add action=accept chain=input in-interface-list=LAN port=xx protocol=tcp
add action=accept chain=input in-interface-list=LAN port=xx protocol=udp
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=Wireguard dst-address=192.168.88.0/24 \
    in-interface=Home
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid

add action=accept chain=forward comment="ENABLE LAN to WAN" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward dst-address=192.168.188.0/24 src-address=\
    192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
    192.168.188.0/24
add action=drop chain=forward comment="Drop All Else"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=pihole_bypass disabled=yes \
    dst-address=192.168.188.25 dst-port=53 protocol=udp to-addresses=\
    192.168.88.1
add action=dst-nat chain=dstnat comment=pihole_bypass disabled=yes \
    dst-address=192.168.188.25 dst-port=53 protocol=tcp to-addresses=\
    192.168.88.1

/ip route
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
    104.16.248.249 pref-src="" routing-table=to_ISP1 scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
    pppoe-out1 pref-src="" routing-table=to_ISP1 scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    104.16.249.249 routing-table=to_ISP1
add disabled=yes distance=1 dst-address=104.16.248.249/32 gateway=pppoe-out1 \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=104.16.249.249/32 gateway=pppoe-out1 \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
add dst-address=10.0.20.20/32 gateway=Home
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2133
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/system logging
add topics=wireless,debug
add disabled=yes topics=dns
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system scheduler
add interval=2d name=reboot on-event="system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jun/07/2020 start-time=05:05:00
add interval=30s name=bypass on-event=":local piholeDown [/ip firewall nat pri\
    nt count-only where comment~\"pihole_bypass\" && disabled]\r\
    \n:local piholeDNS \"192.168.188.25\"\r\
    \n:local testDomain \"www.google.com\"\r\
    \n\r\
    \n:if (\$piholeDown > 0 ) do={\r\
    \n    :do {\r\
    \n        :resolve \$testDomain server \$piholeDNS\r\
    \n    } on-error={\r\
    \n        /ip firewall nat enable [find comment=pihole_bypass];\r\
    \n    }\r\
    \n} else={\r\
    \n    :do {\r\
    \n        :resolve \$testDomain server \$piholeDNS\r\
    \n        /ip firewall nat disable [find comment=pihole_bypass];\r\
    \n    } on-error={}\r\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=may/21/2021 start-time=05:31:03
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
You do not have the required permissions to view the files attached to this post.
Last edited by shafiqrahman on Thu Jan 06, 2022 3:31 am, edited 1 time in total.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Wed Jan 05, 2022 11:45 pm

Okay looking at your mac settings, you make it clear that you only want your mac to be able to connect to the local subnet on the MT Server Router of 192.168.88.0/24.

(if those are real public IPs on ip routes for the router, ensure you remove them from the post).

set winbox address=192.168.88.0/24 (this aint going to let you access winbox remotely.................. you need to put in the 10.0.20.20 address or whatever it is......

/tool mac-server mac-winbox
set allowed-interface-list=none SHOULD be set to LAN.


Okay I see your IP route................
dst-address=10.0.20.20.2 gwy=WG interface table=main.

Want I want to know is if this is necessary as you have already assigned an IP address to the wg interface, hoping someone can chime in on what the effect is of assigning an IP address to the WG interface (as I normally dont)

By the way I think your whole setup is bogus and your narrow minded need to get DNS on pihole has created a wrong approach.
You have two separate LANs and yet allow full access from one to the other. What is the point of having two separate LANS then.

THere must be a more elegant way of using pi hole and DNS then what you have attempted, sadly I am not able to help much on this front.
Last edited by anav on Thu Jan 06, 2022 1:47 am, edited 1 time in total.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How do I configure wireguard in new router os 7.1?

Thu Jan 06, 2022 12:15 am

I see wrong IP address=10.0.20.0/24. With .0 it's network address, so it should be e.g. .1. And then the route is not needed.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How do I configure wireguard in new router os 7.1?

Thu Jan 06, 2022 12:24 am

You want to enable this:
/ip firewall filter
add action=accept chain=input comment="Allow Wireguard" disabled=yes dst-port=13231 protocol=udp
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Thu Jan 06, 2022 1:51 am

Yeah I noted the disabled but thought he was waiting until the rest was good.
I see he has allowed addressed on Server peer settings correctly, thus I am still looking for this wrong address..??

Okay
I see it in IP address,
add address=10.0.20.0/24 interface=Home network=10.0.20.0

But my question is why does he have to choose an IP address for the wg interface that looks like his random IP address.
Cannot it not be anything..... 192.168.77.1/23 network 192.168.78.0 ????
Last edited by anav on Thu Jan 06, 2022 3:20 pm, edited 1 time in total.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How do I configure wireguard in new router os 7.1?

Thu Jan 06, 2022 12:31 pm

Two things:

1) Router needs route to client's address. That's obvious, it needs to know where to find it.
2) WG in RouterOS does not automatically add routes based on allowed-address.

That's different from e.g. Windows client, where everything specified in AllowedIPs will be automatically routed to tunnel. If you have more than one peer with allowed address 0.0.0.0/0 (or generally any overlapping subnets), Windows client will allow only one of them active at the same time, because if more were active, there's no automatic way how to decide what should go where. This is no problem with RouterOS, because it's manually configured by you, the professional. So you can have several active peers with overlapping subnets (edit: with different WG interfaces of course), and you decide what will go where by adding proper routes (inluding optional policy routing).

In OP's case, it's the same thing we discussed in another thread. Either WG interface can have 10.0.20.x/24, which creates connected route to 10.0.20.0/24, so router will know where to find 10.0.20.20. Or there must be route to 10.0.20.20 with WG interface as gateway.
Last edited by Sob on Thu Jan 06, 2022 4:55 pm, edited 1 time in total.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Thu Jan 06, 2022 3:26 pm

Good answers my question about the random IP having to have an IP address that matches it, for the WG interface on the other end.

I find this very confusing because lets say its a subnet 192.168.30.0/24 is the peer subnet coming through,
now you want me to make an IP address of 192.168.30.1/24 network 192/.168.30.0 with interface being the wg interface?? is that correct.......
So if there were multiple peers
I keep adding addresses with gwy of wg interface ???

My question remains............ what are the Pros and cons when comparing
(lets say two subnets and a single IP)
3 IP addresses OR
3 IP routes clean simple
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How do I configure wireguard in new router os 7.1?

Thu Jan 06, 2022 5:17 pm

I don't have definitive guide for all cases, someone should write one, I guess.

If it's access to private network for individual single-device clients (phone, notebook, ...), I'd go with 192.168.30.1/24 on WG interface and then each client would have 192.168.30.X/32. It's simple and straightforward. You just add one address and everything is covered, be it for one client or hundered.

If it's site to site, local subnet to remote subnet, you can go with your favourite addressless way and add route with dst-address=<remote subnet> gateway=<WG interface> on each router. You can have additional connecting subnet, but it doesn't really add much. Traceroute is nicer, without holes, but you can achieve that even without extra addresses, if you add pref-src=<router's address from local subnet> to route.

In fact, the same should work even with the first case, but it still feels somehow better with addresses. Hopefully I'll eventually find some better reason than just this feeling. :)
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Thu Jan 06, 2022 8:04 pm

I see what you are saying in that if you have a bunch of clients all with single IPs
Having one all encompassing address is better.

Lets say you have 192.168.9.5 / 192.168.9.15, 192.168.9.25 requiring access through the tunnel
On the server I would agree with you that this
a. ip address=192.168.9.1/24 gwy=wireguard interface network=192.168.9.0

is probably way more efficient than
b. dst-address=192.168.9.5 gwy=wireguard interface
dst-address=192.168.9.15 gwy=wireguard interface
dst-address=192.168.9.25 gwy=wireguard interface
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I configure wireguard in new router os 7.1?

Fri Jan 07, 2022 7:16 am

Thank you, @anav for pointing out the unfiltered mac's IP. I forgot to remove them. 104.16.248.249 is cloudflare address.
Okay I see your IP route................
dst-address=10.0.20.20.2 gwy=WG interface table=main.

Want I want to know is if this is necessary as you have already assigned an IP address to the wg interface, hoping someone can chime in on what the effect is of assigning an IP address to the WG interface (as I normally dont)
I do prefer the method you describe, I just put them to see what happens.
Here must be a more elegant way of using pi hole and DNS then what you have attempted, sadly I am not able to help much on this front.
I really love to have my home all under the same subnet, but many people on the forum suggested pihole should be on the separate subnet (in my use case) to see all devices. Other than that , raspberry pi on the other subnet has some container needs to communicate with other devices on the network, that the reason they are allowed to each other.
I see wrong IP address=10.0.20.0/24. With .0 it's network address, so it should be e.g. .1. And then the route is not needed.
Found that during the posting but left for consistency.
Cannot it not be anything..... 192.168.77.1/23 network 192.168.78.0 ????
Tried to put 192.168.288.0 but greeted with "error-must be an ip address".

I accidently/foolishly locked my self out of the router , by disabling "Allowed to router" rule :lol: . And the reset button processedure not working, though its still in service. I will get back as soon as I am up.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Fri Jan 07, 2022 1:59 pm

Yes, that rule should not be touched if you have a drop all rule in play!! Recommend you use SAFE MODE all the time when making changes.
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I configure wireguard in new router os 7.1?

Fri Jan 07, 2022 3:37 pm

I always forgot about the safe mode :lol: . Hopefully i wont next time
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I configure wireguard in new router os 7.1?

Fri Jan 07, 2022 10:22 pm

Here is the new configuration:
# jan/08/2022 01:56:39 by RouterOS 7.1.1
# software id = BM4W-X3GK
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 
/interface bridge
add admin-mac=xxxxxx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether3 ] advertise=\
    100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes

/interface wireguard
add listen-port=13231 mtu=1420 name=Home
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
    xxxxxxxxxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    group-key-update=1h mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=pinet ranges=192.168.188.20-192.168.188.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=pinet interface=ether5 name=pinetDHCP
/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=to_ISP1
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192 rp-filter=loose
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether5 list=LAN
add interface=Home list=LAN
/interface wireguard peers
add allowed-address=192.168.40.2/32 interface=Home public-key=\

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.188.1/24 comment=pinet interface=ether5 network=\
    192.168.188.0
add address=192.168.40.1/24 comment=wireguard interface=Home network=\
    192.168.40.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.188.25 \
    gateway=192.168.88.1
add address=192.168.188.0/24 comment=pinet gateway=192.168.188.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=2d query-server-timeout=100ms \
    query-total-timeout=5s servers=1.1.1.1,1.0.0.1 use-doh-server=\
    https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 name=router.lan
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=192.168.188.20-192.168.188.254 list=allowed_to_router
add address=192.168.40.2-192.168.40.12 list=allowed_to_router

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=LAN src-address-list=allowed_to_router
add action=accept chain=input in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN port=53 protocol=udp
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=Wireguard dst-address=192.168.88.0/24 \
    in-interface=Home
add action=accept chain=forward comment=Wireguard dst-address=\
    192.168.188.0/24 in-interface=Home
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=" Allow Port Forwarding - DSTNAT" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="ENABLE LAN to WAN" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward dst-address=192.168.188.0/24 src-address=\
    192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
    192.168.188.0/24
add action=drop chain=forward comment="Drop All Else"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=pihole_bypass disabled=yes \
    dst-address=192.168.188.25 dst-port=53 protocol=udp to-addresses=\
    192.168.88.1
/ip route
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
    104.16.248.249 pref-src="" routing-table=to_ISP1 scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
    pppoe-out1 pref-src="" routing-table=to_ISP1 scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    104.16.249.249 routing-table=to_ISP1
add disabled=yes distance=1 dst-address=104.16.248.249/32 gateway=pppoe-out1 \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=104.16.249.249/32 gateway=pppoe-out1 \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10

/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
You do not have the required permissions to view the files attached to this post.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How do I configure wireguard in new router os 7.1?

Fri Jan 07, 2022 10:43 pm

And some description what happens or doesn't happen? I'd say you should be able to access all 192.168.88.x. If not, what do you see in "/interface/wireguard/peers/print detail"?
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I configure wireguard in new router os 7.1?

Fri Jan 07, 2022 10:52 pm

Thank you @Sob replying so fast :D
Flags: X - disabled 
 0   interface=Home public-key="xxxxxxxxxxxx" 
     endpoint-address="" endpoint-port=0 current-endpoint-address="" 
     current-endpoint-port=0 allowed-address=192.168.40.2/32 rx=0 tx=0
Still nothing.
Update: Found this on the log:
denied winbox/dude connect from 192.168.40.2.
Was trying to test the connection by using winbox over cellular.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Fri Jan 07, 2022 11:16 pm

(1) I imagine this means nothing because everything is done through the pppoe client interface ?
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1

(2) add a firewall rule like so.....
add action=accept chain=forward comment="ENABLE LAN to WAN" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward dst-address=192.168.188.0/24 src-address=\
192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
192.168.188.0/24

add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
192.68.40.0/24

add action=drop chain=forward comment="Drop All Else"

(3) The listening port on the iphone doenst seem to match up to the listening port on the MT Router server wireguard interface?? NM my bad, that would delineated on the end of the endpoint address like so xx.xx.xx.xx:13231
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How do I configure wireguard in new router os 7.1?

Sat Jan 08, 2022 1:07 am

That's weird. With client connected, I see current-endpoint-address=<client's address> current-endpoint-port=<client's port> rx=<amount of received data> tx=<amount of sent data> last-handshake=<last communication, or whatever it is exactly>. Yours looks like there's no connection at all. But then you could hardly have anything from 192.168.40.2 trying to connect to winbox port.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How do I configure wireguard in new router os 7.1?

Sat Jan 08, 2022 1:11 am

Does this rule have any hits?
/ip firewall filter
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 protocol=udp
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I configure wireguard in new router os 7.1?

Sat Jan 08, 2022 4:02 am

Does this rule have any hits?
/ip firewall filter
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 protocol=udp
No tx/rx for this rules.
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
192.68.40.0/24
-didn't get this part :(
You do not have the required permissions to view the files attached to this post.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How do I configure wireguard in new router os 7.1?

Sat Jan 08, 2022 2:06 pm

There's no rx/tx for firewall rule, but counters for packets and bytes. It won't be much, because most of established connection is accepted by another rule. But it should be more than zero.

Stupid question, you do have public address, right? You know what it is, and you're aware that some address are non-public, so it's not possible to connect to them from internet, and that it's pretty common to have one. And you definitely have the right public one, correct?
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I configure wireguard in new router os 7.1?

Sat Jan 08, 2022 3:35 pm

My IP is dynamic, not static. I put a ddns address on wireguard client :(
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How do I configure wireguard in new router os 7.1?

Sat Jan 08, 2022 3:57 pm

Static or dynamic doesn't matter. Public or private does. In IP->Cloud, is the Public Address the same as you see in IP->Addresses? Or if not, are you supposed do have NAT 1:1? Or did you previously use something else that requires incoming connections and did it work?
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I configure wireguard in new router os 7.1?

Sat Jan 08, 2022 4:14 pm

IP->Cloud showing the same public address that of IP->Addresses pppoe-out1. My understanding about the NAT is limited and never tried NAT 1:1 before. Only thing ever tried is to configure a voip client that requires some incoming connections.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Sat Jan 08, 2022 4:19 pm

NM, Dont see anything obvious then ?
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How do I configure wireguard in new router os 7.1?

Sat Jan 08, 2022 4:47 pm

If PPPoE interface has public address, it's the best possible case. But then why don't you see any incoming packets, that's a mystery. Can you try some online port tester, let it check your udp port 13231 and see it it increases packet counter for the WG firewall rule?
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I configure wireguard in new router os 7.1?

Sat Jan 08, 2022 8:24 pm

The online port checker did increase the packet count.
Screen Shot 2022-01-09 at 00.07.03.png
Screen Shot 2022-01-09 at 00.08.32.png
Found out that whenever I tried to connect my router using wireguard, packet count increases. But the router still refuses. Adding 192.168.88.1 as DNS server in wg client increases packet count on both the wg peer and the firewall rules. But, winbox says "failed to establish a secure connection." and if I try the ddns address it just refuses.
You do not have the required permissions to view the files attached to this post.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How do I configure wireguard in new router os 7.1?

Sat Jan 08, 2022 8:47 pm

And with WinBox you're also connecting to 192.168.88.1?
 
User avatar
jvanhambelgium
Forum Veteran
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: How do I configure wireguard in new router os 7.1?

Sat Jan 08, 2022 10:11 pm

Allowing UDP/13231 on input-chain is 1 thing, you also need to "accept" on the input chain in order to hit the Winbox interface.
However the fact that you are getting a "denied" message on Winbox login seems to confirm you can reach it.
Can your list ALL the "input chain" entries please ?
Do you have set an IP-address/range on the Winbox server ? If so, make sure you add the Wireguard IP. (so under "IP" -> "Services")
Also, for a user you can also set an IP-range from which it can be used? So under "users" you can also narrow IP-ranges down.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Sat Jan 08, 2022 10:16 pm

Why comment when he has provided a config and the applicable line is here!
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
protocol=udp

Establishing a successful tunnel comes before the ability to access the router from within the tunnel, do not mix up the op here!!!
 
User avatar
jvanhambelgium
Forum Veteran
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: How do I configure wireguard in new router os 7.1?

Sat Jan 08, 2022 10:21 pm

Why comment when he has provided a config and the applicable line is here!
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
protocol=udp

Establishing a successful tunnel comes before the ability to access the router from within the tunnel, do not mix up the op here!!!
That rule is mandatory for the WG packets to arrive at the Mikrotik for Internet for example! Without this rule, WG would not even work.
However, this rule has nothing to do with post-decrypt packets coming out of the "wireguard1" interface as far as I know. Unless I'm completely wrong here.

And indeed like Sob mentioned, he only allows 192.168.88.x on the Wireguard-client so I hope he targets that Winbox interface at 192.168.88.1 because others IP's would not work.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How do I configure wireguard in new router os 7.1?

Sat Jan 08, 2022 10:31 pm

There are these:
/interface list member
add interface=Home list=LAN # <-- WG interface
/ip firewall address-list
add address=192.168.40.2-192.168.40.12 list=allowed_to_router # <-- WG clients
/ip firewall filter
add action=accept chain=input comment="Allow ADMIN to Router" in-interface-list=LAN src-address-list=allowed_to_router
So access to anything on router should work from WG, but only when connecting to 192.168.88.1, because WG client has (in its config) only 192.168.88.0/24 allowed.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Sat Jan 08, 2022 10:52 pm

So Sob, I have only used 0.0.0.0/0 for allowed IPs, thus far
a. because its geared towards allowing internet access BUT ALSO
b. allows one to put in the iPs for Subnet devices on the server router.

What is the difference between the two if inserted in allowed IPs at the client peer settings.
192.168.0.0/24 AND
192.168.0.1/24

I think the intention of the OP was to be able to access the entire subnet on the Server router!!
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How do I configure wireguard in new router os 7.1?

Sat Jan 08, 2022 11:25 pm

Allowed IPs specify what can come from peer and what you can send to peer. If you have interface with multiple peers, their allowed IPs must not overlap. If you have interface with only one peer, then for traffic to peer it doesn't matter whether you have 0.0.0.0/0 or <smaller subnet>/<mask>. The first one allows everything, but it depends on route(s) what you actually send there. But for traffic from peer it's extra security, because if allowed IPs is only <smaller subnet>/<mask>, you can be absolutely sure that from peer can come only this and nothing else.

As for OPs requirements, currently this WG client can access 192.168.88.0/24. It can be extended with 192.168.188.0/24 for the other subnet. Or with 192.168.40.0/24 to access router at 192.168.40.1 and possibly also other WG clients.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Sun Jan 09, 2022 12:20 am

All very nice and understood but not what I asked. Ops normal :-)
Sigh this could be a long night.
What would be the difference if

a. he put in 192.168.88.0/24 (this seems like the right choice if he wants the client user, or subnet of users to be able to originate traffic TO any user/device from 192.168.88.2-192.168.88.253)
vice
b. 192.168.88.1/24 ( to me this is most restrictive and useless and not sure what it accomplishes.)

Thus you can understand the genesis of my question because what you wrote conflicts with my thinking, so either my logic is wrong (most likely), or two I didnt understand your input correctly (also very likely) or you stepped on your own d..... (not likely)

Here is the germane quote.........
So access to anything on router should work from WG, but only when connecting to 192.168.88.1, because WG client has (in its config) only 192.168.88.0/24 allowed.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How do I configure wireguard in new router os 7.1?

Sun Jan 09, 2022 12:42 am

The 192.168.88.1/24 in your b. is not valid subnet address (but intestingly, RouterOS accepts it in allowed-address; I assume it treats it as 192.168.88.0/24).

About the quote, I think it should be clear. Client has in its config allowed IPs 192.168.88.0/24. So connection to router from client will work if the used address is 192.168.88.1. But it won't work if you use 192.168.40.1, even though it's also router's address. But it's not included in client's allowed IPs, so client won't even know that it should use this tunnel.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Sun Jan 09, 2022 1:09 am

Okay got it. thanks..........
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I configure wireguard in new router os 7.1?

Sun Jan 09, 2022 8:45 am

And with WinBox you're also connecting to 192.168.88.1?
Yes, 192.168.88.1 is the router,dns and wg server.

After adding 192.168.88.1 in the DNS field of the wg client packets counts increased in wg server,peer & firewall rules. Reading all the post and out of curiosity I added 192.168.40.0/24 in the client "allowed ip' field. Though I still cant connect to my router over wg. But, the weirdest thing is that I can connect to reddit over cellular through wg. Usually reddit is inaccessible over cellular in my country. But, then again my office blocks facebook messenger over wifi. And I cant access that over the wg.
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Posts: 872
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Sun Jan 09, 2022 1:03 pm

And with WinBox you're also connecting to 192.168.88.1?
Yes, 192.168.88.1 is the router,dns and wg server.
The KEY POINT is that WireGuardis NOT a Client Server configuration ..... its a Peer to Peer configuration

I looked at your OP config and nowhere did I see that you assigned an IP address to your Tik WireGuard Interface ...

The Wireguard CONVENTION to have it work properly is as follows

Create the virtual Interface and assign it an unique IP Address ....
For your Tik Router
[Interface]
Name =
Listen Port =
MTU =
PrivateKey = whatever it is
PublicKey = whatever it is

[Peer]
Your WG Interface Address = 172.168.199.50/32
Allowed Addresses = 192.168.88.0/24, + 172.168.100.50/32
PublicKey = your iPhone Public key

On your Phone
[Interface]
Name =
Address = 172.168.100.50/32
DNS = 1.1.1.1, 1.0.0.1
[Peer]
PublicKey = your Tik Public key
Endpoint = your FQDN: your Listen Port
AllowedIPs = 172.168.199.50/32, 192.168.88.0/24,
=========================================================
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I configure wireguard in new router os 7.1?

Sun Jan 09, 2022 1:37 pm

I did assign an ip address later on @mozerd.
viewtopic.php?t=181446#p903794
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.188.1/24 comment=pinet interface=ether5 network=\
    192.168.188.0
add address=192.168.40.1/24 comment=wireguard interface=Home network=\
    192.168.40.0
But, will add the address in wireguard peers "allowed address" field and see what happens.
Allowed Addresses = 192.168.88.0/24, + 172.168.100.50/32
But, does the "+" sign needed before the second ip address ?
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Posts: 872
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Sun Jan 09, 2022 1:44 pm


But, will add the address in wireguard peers "allowed address" field and see what happens.
Allowed Addresses = 192.168.88.0/24, + 172.168.100.50/32
But, does the "+" sign needed before the second ip address ?
Thanks for point that out ... I only checked the 1st post .... this is a very long thread ....
No + sign .... I just added that for emphasis .... IP addresses are separated by "," :D
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How do I configure wireguard in new router os 7.1?

Sun Jan 09, 2022 2:45 pm

But, the weirdest thing is that I can connect to reddit over cellular through wg.
No, you can't, not with client having allowed IPs 192.168.88.0/24. Start with something simple. Can you ping router's 192.168.88.1? Can you ping some other 192.168.88.x in your LAN? If there anything in your LAN you can try to connect to (NAS, ...)? If so, does that work? And all the time you're testing this, you can use Tools->Torch, select WG interface and watch what traffic comes and goes on it.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Sun Jan 09, 2022 5:17 pm

Mozerd, its not mandatory or required to assign the wg interface an ip address............ it can be advantageous to do so in some circumstances but if you know how to config MT devices you can do without the address ;-P

Correction point #2, at least for the connection of a wg tunnel one has to play server/client to first establish the tunnel, yes either end could do it depending upon the configurations but it is a one way tx that results in the establishment of a tunnel and from then on can be considered two way highway :-)
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I configure wireguard in new router os 7.1?

Sun Jan 09, 2022 5:29 pm

My wg client is 192.168.40.2, router 192.168.88.1. 192.168.88.108 is another device on the 192.168.88.0/32 subnet. 192.168.188.21 is another device in another subnet.
Ping from
192.168.40.2>192.168.88.1 ok
192.168.40.2>192.168.88.108 ok
192.168.40.2>192.168.188.21 failed
192.168.88.245<192.168.40.2 failed. (full packet loss)
Also, I can access my router by browser but not with mikrotik app.
You do not have the required permissions to view the files attached to this post.
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Posts: 872
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Sun Jan 09, 2022 6:17 pm

Mozerd, its not mandatory or required to assign the wg interface an ip address............ it can be advantageous to do so in some circumstances but if you know how to config MT devices you can do without the address ;-P
@anav ... I disagree.
Perhaps you should read and inwardly digest the following:
https://www.wireguard.com/papers/wireguard.pdf
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Sun Jan 09, 2022 6:30 pm

Step1 is Open the Wireguard Tunnel.
Then go to the MT APP.
You have to put in 192.168.88.1:PORT# on your APP
Last edited by anav on Sun Jan 09, 2022 6:33 pm, edited 1 time in total.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Sun Jan 09, 2022 6:31 pm

Mozerd, its not mandatory or required to assign the wg interface an ip address............ it can be advantageous to do so in some circumstances but if you know how to config MT devices you can do without the address ;-P
@anav ... I disagree.
Perhaps you should read and inwardly digest the following:
https://www.wireguard.com/papers/wireguard.pdf
Papers schmapers........... those are generic rules which are then to be applied to ones devices. Mikrotik is very flexible and allows one to manipulate traffic flow in various ways........
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How do I configure wireguard in new router os 7.1?

Sun Jan 09, 2022 8:18 pm

Ping from
192.168.40.2>192.168.88.1 ok
192.168.40.2>192.168.88.108 ok
That's expected and correct.
192.168.40.2>192.168.188.21 failed
If you still have allowed IPs only with 192.168.88.0/24 on client, then 192.168.188.21 can't pass through tunnel, because it's in different subnet. And same goes for Reddit too. I understand that you rather believe your eyes than me, but it's simply not possible. :) Only way how it could pass through tunnel with allowed IPs 192.168.88.0/24 would be if you'd be accessing it using proxy server running on some 192.168.88.x. Or, just to cover all possibilities, you host Reddit servers in your LAN. Edit: or one more, it would be possible if it's some dns-based blocking and you configure client to use router as dns server.
192.168.88.245<192.168.40.2 failed. (full packet loss)
It should work, but it could be just client not answering pings. Not all devices do.
Also, I can access my router by browser but not with mikrotik app.
You can again use Torch to see what comes to router when you try to connect from app. Or some logging rule like:
/ip firewall mangle
add chain=prerouting in-interface=Home connection-state=new action=log log-prefix=WGnew
Or without connection-state if you'd want to log all packets.

I'm also curious about those three weird lines in your screenshot, where router supposedly sends dns requests to 1.1.1.1/8.8.8.8/1.0.0.1 from 192.168.40.1:5678.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Sun Jan 09, 2022 8:46 pm

To clarify what SOB is saying..........

Remote Client:
By putting in 192.168.88.0/24 ON the allowed IPs on the remote Client device under peer settings you are saying
ONLY ALLOW DESTINATION IPs out the tunnel that are in the subnet of 192.168.88.0/24

Thus you can try to reach anything but 192.168.88.0/24 and your client device will not let it hit the tunnel right from the beginning (will never reach server side).

The other question is reaching the router for configuration purpose. I noted you needed both the IP address and PORT at the MT APP after connecting to the wireguard interface first. The other part of that equation is ensuring on the WG server that you have allowed the WG interface access to the router in the input chain.

Probably a good idea to post your latest config on the server again.
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: How do I configure wireguard in new router os 7.1?

Mon Jan 10, 2022 7:05 am

@anav @Sob

I have a question regarding WG.
I configured MT to MT WG. It's not a Site to Site. using to bypass the ISP FW With the mangle/NAT rules.
Problem:
Routes are working fine (maybe:d). But I have a problem with the DNS query. It looks like some websites are opening as usual, but some don't. some apps like Facebook and youtube will open. Reddit doesn't.
I even checked some pornography websites some will open some don't. As weird as it is for me it gets better. all of this test was with windows and IOS clients. I test this with a TV as the main reason for this setup is browsing youtube on TV. It didn't browse any filtered domain at first, then I changed the DHCP Server DNS to /32 WG IP and then it opened youtube but still behave like other clients. some domains will do some don't.

Can you guys shine some light on this? please.
Could this be an MTU issue?

update :d
Yes, it was.
viewtopic.php?f=2&t=182072&p=904300#p904300
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Mon Jan 10, 2022 3:16 pm

It will have to be sob, I avoid mangling where possible and dont feel its necessary most of the time.
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I configure wireguard in new router os 7.1?

Mon Jan 10, 2022 5:39 pm

Here is current configuration:
# jan/09/2022 17:05:50 by RouterOS 7.1.1
# software id = BM4W-X3GK
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number =
/interface bridge
add admin-mac=xxxxxxxx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether3 ] advertise=\
    100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
    20/40mhz-XX country=no_country_set disabled=no distance=indoors \
    frequency=auto frequency-mode=manual-txpower installation=indoor mode=\
    ap-bridge ssid=bad station-roaming=enabled wireless-protocol=802.11 \
    wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac \
    channel-width=20/40/80mhz-XXXX country=no_country_set disabled=no \
    frequency=5765 frequency-mode=manual-txpower installation=outdoor mode=\
    ap-bridge ssid=bad station-roaming=enabled wireless-protocol=802.11 \
    wps-mode=disabled
/interface wireguard
add listen-port=13231 mtu=1420 name=Home
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
    xxxxxxxxxxxxxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    group-key-update=1h mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=pinet ranges=192.168.188.20-192.168.188.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=pinet interface=ether5 name=pinetDHCP
/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=to_ISP1
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192 rp-filter=loose
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether5 list=LAN
add interface=Home list=LAN
/interface wireguard peers
add allowed-address=192.168.40.2/32 interface=Home public-key=\
    xxxxxxxxxxxxxxxxxxxxxxx
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.188.1/24 comment=pinet interface=ether5 network=\
    192.168.188.0
add address=192.168.40.1/24 comment=wireguard interface=Home network=\
    192.168.40.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.188.21 server=pinetDHCP
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.188.25 \
    gateway=192.168.88.1
add address=192.168.188.0/24 comment=pinet gateway=192.168.188.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=2d query-server-timeout=100ms \
    query-total-timeout=5s servers=1.1.1.1,1.0.0.1 use-doh-server=\
    https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 name=router.lan
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=192.168.188.20-192.168.188.254 list=allowed_to_router
add address=192.168.40.2-192.168.40.12 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=LAN src-address-list=allowed_to_router
add action=accept chain=input in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN port=53 protocol=udp
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=Wireguard dst-address=192.168.88.0/24 \
    in-interface=Home
add action=accept chain=forward comment=Wireguard dst-address=\
    192.168.188.0/24 in-interface=Home
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=" Allow Port Forwarding - DSTNAT" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN

add action=accept chain=forward comment="ENABLE LAN to WAN" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward dst-address=192.168.188.0/24 src-address=\
    192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
    192.168.188.0/24
add action=drop chain=forward comment="Drop All Else"
/ip firewall mangle
add action=log chain=prerouting connection-state="" in-interface=Home \
    log-prefix=WGnew

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=pihole_bypass disabled=yes \
    dst-address=192.168.188.25 dst-port=53 protocol=udp to-addresses=\
    192.168.88.1
add action=dst-nat chain=dstnat comment=pihole_bypass disabled=yes \
    dst-address=192.168.188.25 dst-port=53 protocol=tcp to-addresses=\
    192.168.88.1

/ip route
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
    104.16.248.249 pref-src="" routing-table=to_ISP1 scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
    pppoe-out1 pref-src="" routing-table=to_ISP1 scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=\
    104.16.249.249 pref-src="" routing-table=to_ISP1 scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=104.16.249.249/32 gateway=pppoe-out1 \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=xxxx
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.40.0/24
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
add interface=ether5 type=internal
/system clock
set time-zone-name=Asia/Dhaka
/system logging
add topics=wireless,debug
add disabled=yes topics=dns
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system scheduler
add interval=2d name=reboot on-event="system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jun/07/2020 start-time=05:05:00
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
Thus you can try to reach anything but 192.168.88.0/24 and your client device will not let it hit the tunnel right from the beginning (will never reach server side).
this issue was fixed by adding 192.168.188.0/24 to peer field in the client. Does, this means if I don't specify e.g: 0.0.0.0/0 wg will let anything to connect?
The other question is reaching the router for configuration purpose. I noted you needed both the IP address and PORT at the MT APP after connecting to the wireguard interface first. The other part of that equation is ensuring on the WG server that you have allowed the WG interface access to the router in the input chain.
Winbox can now access router , this is what preventing:
/ip service
set winbox address=192.168.88.0/24,192.168.40.0/24
Previously, It only had 192.168.88.0/24.
192.168.40.2>192.168.188.21 failed
This one is also solved by adding the subnet on allowed address field.
Sorry, for this one
192.168.88.245<192.168.40.2 failed.
. I missed typed . It was suppose to be
192.168.88.245>192.168.40.2 failed
I cant ping from my home network to wg clients.
@Sob I did ran torch, those three always appears regardless of whether wg client is connected or not. And I don't have 8.8.8.8 in the configuration that I am aware of. I tried to torch other devices, but none showed those lines. log using mangle rule showing
WGnew prerouting: in:Home out:(unknown 0), proto UDP, 192.168.40.2:62671->192.168.88.1:53, len 69
with changing ports.
And, finally reddit works sometimes and sometimes it don't. But, messenger not working on a blocked network. Exactly opposite issue what @own3r1138 has.

@anav ,do I need this? :D
/interface bridge
add admin-mac=xxxxxxxx auto-mac=no comment=defconf name=bridge
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Mon Jan 10, 2022 6:08 pm

Good day, glad you are sticking with it. Easy to get discouraged! Tenacity I admire!
Yes of course you need the bridge LOL..........

Okay. yes, the correct fix was in the peer setting you stated.
If you had used 0.0.0.0/0 that would mean the client device would allow the subnet users or single user on client device (MT router or smart phone respectively) to be able to put in their destination, ANY IP address and the client wg interface would let it through. This is actually a typical scenario to allow those subnet or smartphone user to access ANY address on the internet through the Server Router.
Because its all addresses the more wide all inclusive 0.0.0.0/0 also includes all the subnets on the LAN SIDE of the Server router.

SO, to allow clients only to access the tunnel when looking to contact a specific subnet on the LANS side of the Server Router and not to any other subnets and not to the internet YOU DID THE RIGHT THING by stating 192.168.88.0/24

Correct on winbox access as well. It makes sense doesnt it.
There are a bunch of layers involved in accessing the router via winbox to config.

1. System USERS, here one sets the users allowed, the passwords, and ALLOWED ADDRESSES (user centric but can reduce by Ip address)
2. Tools-->Mac Server-->MAC WinBox Server : which details what interface list is allowed access to winbox (access to winbox)
3. IP SERVICES -->Winbox: Sets the winbox port and allows which addresses as well and certificates { Port centric but can reduce by ip address and certificates even}
4. INPUT CHAIN ---> what interfaces, subnets, IP addresses are allowed access to the router.

One can quickly see that these work together and have to line up. One also should note that the pickier you get the more changes you need to make and to keep track of.
Hence typically we create a separate interface list entry for the trusted or management subnet/vlan called BASE, MANAGEMENT, CONTROL, etc...........
This interface list entry can be used for
a. input chain
b. neighbours discovery (as typically all smart devices (which require management) get their IP address from the trusted or management subnet/vlan)
c. winmac server
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How do I configure wireguard in new router os 7.1?  [SOLVED]

Mon Jan 10, 2022 7:05 pm

I cant ping from my home network to wg clients.
It's firewal, you don't allow traffic from LAN to WG. Since you allow traffic between other LAN subnets anyway, you can use one rule to allow all:
/ip firewall filter
add action=accept chain=forward in-interface-list=LAN out-interface-list=LAN
And then you wouldn't need the other four rules you have with subnet addresses.
@Sob I did ran torch, those three always appears regardless of whether wg client is connected or not.
Try to disable internet detect and check if it stops:
/interface detect-internet set detect-interface-list=none
WGnew prerouting: in:Home out:(unknown 0), proto UDP, 192.168.40.2:62671->192.168.88.1:53, len 69
That's dns request, i.e. client uses router as dns resolver. If it uses it exclusively, it may get you around dns-based blocking, if router's ISP doesn't do the same thing. But if there are some other methods used, it won't help.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Mon Jan 10, 2022 8:09 pm

I cant ping from my home network to wg clients.
Lets say you have a subnet then on your wireguard clients 192.168.40.0/24
Lets say they were allowed to access 192.168.88.0/24 on the wireguard server.

NOW you want the wg tunnel to act more like a peer to peer vpn and thus want some 192.168.88.0/24 users to access the client subnet at the other end.
As Sob noted you since the wg interface is like at the LAN level a forward chain firewall rule that is perhaps a tad more discriminatory would be in order
in-interface-list=LAN src-address-list=(if want to limit which originators on server subnet can access clients) out-interface=wg-interface dst-address-list=(to limit to exactly which client IPs are to be accessible)

One note though on the MT CLIENT router side, you have to ensure that return traffic from the client devices/users gets pointed back through the tunnel to the WG Server originators.
This would already be accomplished by IP routes presumably in existence.
Not sure how to on smart phones but may not be required??
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: How do I configure wireguard in new router os 7.1?

Mon Jan 10, 2022 8:41 pm

@anav Thankyou. anyway, because I found my solution in one of your replays. all good.
@shafiqrahman if you have the issue too, check this I didn't read all the posts I'm not sure if it's your case or not but sounds like it.

viewtopic.php?f=2&t=182072&p=904300#p904300
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I configure wireguard in new router os 7.1?

Tue Jan 11, 2022 10:03 pm

Sorry, for the delayed response.
0.0.0.0/0 in the allowed address in the client peer section resolved the facebook/reddit issue. I tried to left the field automatic, but that failed. Had to add 0.0.0.0/0 to make it work. @Sob this helped
Try to disable internet detect and check if it stops:

now the three DNS lines were gone. Now, with
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
there is no more three lines. Now the firewall rules:
/ip firewall filter
add action=accept chain=forward in-interface-list=LAN out-interface-list=LAN

Added before the "lan to wan" field. And disabled this two.
add action=accept chain=forward comment=Wireguard dst-address=192.168.88.0/24 \
    in-interface=Home
add action=accept chain=forward comment=Wireguard dst-address=\
    192.168.188.0/24 in-interface=Home
I am confused about the other two rules containing subnet
And then you wouldn't need the other four rules you have with subnet addresses.
add action=accept chain=forward dst-address=192.168.188.0/24 src-address=\
    192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
    192.168.188.0/24
NOW you want the wg tunnel to act more like a peer to peer vpn and thus want some 192.168.88.0/24 users to access the client subnet at the other end.
As Sob noted you since the wg interface is like at the LAN level a forward chain firewall rule that is perhaps a tad more discriminatory would be in order
in-interface-list=LAN src-address-list=(if want to limit which originators on server subnet can access clients) out-interface=wg-interface dst-address-list=(to limit to exactly which client IPs are to be accessible)
I am not clear about this line. My intention is to use the wg clients as devices as if they are on the same network. Mainly for a SIP client who doesn't like firewalls/NAT etc.
This would already be accomplished by IP routes presumably in existence.
@anav you are right about this. My guess is that wg client route traffic is based on ip routes. Aside from the firewall the thing is not working is that pihole not blocking ads on the wg client side. Here the firewall export :D
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=LAN src-address-list=allowed_to_router
add action=accept chain=input in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN port=53 protocol=udp
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=Wireguard disabled=yes dst-address=\
    192.168.88.0/24 in-interface=Home
add action=accept chain=forward comment=Wireguard disabled=yes dst-address=\
    192.168.188.0/24 in-interface=Home
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=" Allow Port Forwarding - DSTNAT" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward disabled=yes in-interface-list=LAN \
    out-interface-list=LAN
add action=accept chain=forward comment="ENABLE LAN to WAN" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward dst-address=192.168.188.0/24 src-address=\
    192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
    192.168.188.0/24
add action=accept chain=forward dst-address=192.168.40.0/24 src-address=\
    192.168.188.0/24
add action=accept chain=forward dst-address=192.168.188.0/24 src-address=\
    192.168.40.0/24
add action=drop chain=forward comment="Drop All Else"
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Wed Jan 12, 2022 12:09 am

Well what isnt working is what I need to know LOL.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How do I configure wireguard in new router os 7.1?

Wed Jan 12, 2022 1:07 am

0.0.0.0/0 in the allowed address in the client peer section resolved the facebook/reddit issue.
It means that client now routes everything via router. Which is fine, if it's what you want.

About detect internet, I'd keep it disabled (set all lists to none), because I don't think that it's doing anything useful for you.
I am confused about the other two rules containing subnet
You have rule with dst-address=192.168.188.0/24 src-address=192.168.88.0/24, then subnet 188 is on ether5 and 88 is on bridge, and both ether5 and bridge are in interface list LAN. So rule with src-address-list=LAN dst-address-list=LAN covers it. Same for the other rule with swapped src and dst.
...the thing is not working is that pihole not blocking ads on the wg client side.
And did you configure client to use pihole as resolver? Last time it used router's .88.1.
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I configure wireguard in new router os 7.1?

Thu Jan 13, 2022 9:45 pm

@anav firewall is working good.
Here is the export:
/interface ethernet
set [ find default-name=ether3 ] advertise=\
    100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=Home
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
    
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    group-key-update=1h mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=pinet ranges=192.168.188.20-192.168.188.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=pinet interface=ether5 name=pinetDHCP
/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=to_ISP1
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192 rp-filter=loose
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether5 list=LAN
add interface=Home list=LAN
/interface wireguard peers
add allowed-address=192.168.40.2/32 interface=Home public-key=\
    
add allowed-address=192.168.40.3/32 interface=Home \
    public-key=
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.188.1/24 comment=pinet interface=ether5 network=\
    192.168.188.0
add address=192.168.40.1/24 comment=wireguard interface=Home network=\
    192.168.40.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.188.25 \
    gateway=192.168.88.1
add address=192.168.188.0/24 comment=pinet gateway=192.168.188.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=2d query-server-timeout=100ms \
    query-total-timeout=5s servers=1.1.1.1,1.0.0.1 use-doh-server=\
    https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 name=router.lan
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=192.168.188.20-192.168.188.254 list=allowed_to_router
add address=192.168.40.2-192.168.40.12 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=LAN src-address-list=allowed_to_router
add action=accept chain=input in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN port=53 protocol=udp
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=" Allow Port Forwarding - DSTNAT" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="ENABLE LAN to WAN" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="ENABLE LAN to LAN" \
    in-interface-list=LAN out-interface-list=LAN
add action=drop chain=forward comment="Drop All Else"
/ip firewall mangle
add action=log chain=prerouting connection-state="" in-interface=Home \
    log-prefix=WGnew
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=pihole_bypass disabled=yes \
    dst-address=192.168.188.25 dst-port=53 protocol=udp to-addresses=\
    192.168.88.1
add action=dst-nat chain=dstnat comment=pihole_bypass disabled=yes \
    dst-address=192.168.188.25 dst-port=53 protocol=tcp to-addresses=\
    192.168.88.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.40.0/24
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
add interface=ether5 type=internal
/system clock
set time-zone-name=Asia/Dhaka
/system logging
add disabled=yes topics=wireless,debug
add disabled=yes topics=dns
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system scheduler
add interval=2d name=reboot on-event="system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jun/07/2020 start-time=05:05:00
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
@sob, changed the firewall as you suggested. After two days of testing didn't found any issue. But, I did set 192.168.88.1 as a DNS server on the wg client.But, no other device on my local network has a predefined DNS. Previous, firewall/ip route was redirected all traffic to pihole. But, there is no option to set that on wg(No dhcp for wg). And pihole is not reliable to be a DNS server, that's why I put a script in place,if pihole failed as a dns.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Thu Jan 13, 2022 9:59 pm

Very nice,
Have changed my advice ref the forward chain rule for port forwarding, its now in the format:

add action=accept chain=forward comment=" Allow Port Forwarding - DSTNAT" \
connection-nat-state=dstnat


No need to state NEW connection, because its redundant. If you think about it, the first packet will hit this rule match it and from then on traffic for this connection will always be matched by established/related. So any rule we put other than established/related is for the first new packet of the connection.
Why new is an option then is beyond me other than to reinforce that relationship?

What I do understand is that the need for in-interface-list=WAN is not required and I put it there by accident when modifying this default rule to the more simple accept rule......
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

The rule above basically says drop all WAN traffic unless its destination natted.
So I changed this into two rules
Allow port forwarding from WAN
Stop all other traffic (wan and lan)

One can see the last stop rule is better because it drops all unneeded Wan & LAN traffic.
However you can see that the default rule does not stop LAN to LAN traffic including dst-nat traffic.
My modification cut out accidentally the LAN to LAN dst-nat part, although who the hecks wants to use dst nat lan to lan LOL.............
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I configure wireguard in new router os 7.1?

Thu Jan 13, 2022 10:36 pm

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=LAN src-address-list=allowed_to_router
add action=accept chain=input in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN port=53 protocol=udp
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=" Allow Port Forwarding - DSTNAT" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="ENABLE LAN to WAN" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="ENABLE LAN to LAN" \
    in-interface-list=LAN out-interface-list=LAN
add action=drop chain=forward comment="Drop All Else"
Am I interpreting you correctly? :D
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How do I configure wireguard in new router os 7.1?

Thu Jan 13, 2022 10:42 pm

Looks good!
For Reference......
viewtopic.php?t=180838
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I configure wireguard in new router os 7.1?

Sat Jan 15, 2022 5:53 am

Thank you @anav & @Sob for solving the issue. Also, @own3r1138 your post with screenshot gave me an easy understanding/setup guide for the client app.
For documentation purpose I will answer the only unanswered question that I had. The answer is really simple. The question was
Previous, firewall/ip route was redirected all traffic to pihole. But, there is no option to set that on wg(No dhcp for wg). And pihole is not reliable to be a DNS server, that's why I put a script in place,if pihole failed as a dns.
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.188.25 \
    gateway=192.168.88.1
add address=192.168.188.0/24 comment=pinet gateway=192.168.188.1 netmask=24

Here is the solution:
The first rule has defined dns=192.168.188.25 (which is pihole & pihole has dns set to 192.168.88.1) the subnet 192.168.88.XX. So, all dns traffic will route through pihole. My question was what will happen if pihole fails. So, I put the the pihole address in my wg clients dns field. So, it will use pihole as a dns. But, after taking good look , I found out the nat rules:
/ip firewall nat
add action=dst-nat chain=dstnat comment=pihole_bypass disabled=yes \
    dst-address=192.168.188.25 dst-port=53 protocol=udp to-addresses=\
    192.168.88.1
add action=dst-nat chain=dstnat comment=pihole_bypass disabled=yes \
    dst-address=192.168.188.25 dst-port=53 protocol=tcp to-addresses=\
    192.168.88.1
are placed to route all traffic destine to 192.168.188.25 to 192.168.88.1 at port 53. So, the same thing happened when I put the pihole dns address to my pihole address. It will also route all my wg traffic to 192.168.88.1. This two nat rules are govern by a script, which checks pihole every few seconds for its update status and enable/disables the NAT rules accordingly.

Who is online

Users browsing this forum: JDF, johnson73, ramirez and 78 guests