req
just joined
Topic Author
Posts: 2
Joined: Tue Jan 11, 2022 3:00 pm

Problem with Wireguard and WLAN

Tue Jan 11, 2022 3:17 pm

Hello!

I am trying to connect a Mullvad VPN WireGuard tunnel to my RB2011.
The end goal is to have a separate VLAN for VPN traffic, bridged to its own SSID on wlan2.
I followed some guides online (this guide: viewtopic.php?t=173952) which stated that using VRF was the way to go, so I tried to set that up as well. Now I have a separate routing table for VPN traffic.
Everything seems to be working (I can ping the WireGuard peer from both the Mullvad and the bridge interface) except traffic coming over wlan2; I have not tested with a LAN port. DHCP is working fine, and routing seems to be working fine (since I can ping from the VPN bridge), but still no traffic goes through when I connect with my phone.
I'm really running out of ideas here; maybe someone can help.

Here is my config:
# jan/11/2022 13:50:33 by RouterOS 7.1.1
# software id = 79NX-029P
#
# model = 2011UAS-2HnD
# serial number = 3F0602A6ADDA
# NOTE(review): the software id and serial number above are posted verbatim;
# they are not credentials, but they are normally redacted from public exports.
/interface bridge
add admin-mac=D4:CA:6D:57:25:86 auto-mac=no comment=defconf fast-forward=no \
    name=bridge
# Second bridge for the VPN-side clients. Neither bridge has vlan-filtering
# enabled in this export, so the /interface bridge vlan entry further down is
# not consulted until vlan-filtering=yes is set on bridge_vpn.
add name=bridge_vpn
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether6-master
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireguard
# Local WireGuard endpoint. The interface private key is not part of this
# export; only the provider's public key appears under /interface wireguard peers.
add listen-port=59969 mtu=1420 name=mullvad_US
/interface vlan
# vlan33 is defined here but nothing else in this export refers to it: the
# address, DHCP server, routing rule and VRF membership below all sit on
# bridge_vpn itself. Either vlan33 is unused or the addressing is on the wrong
# interface — confirm which is intended.
add interface=bridge_vpn name=vlan33 vlan-id=33
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
# vpn-rm = the interfaces placed into vrf_vpn (members: mullvad_US, bridge_vpn).
add name=vpn-rm
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# NOTE(review): authentication-types=wpa-psk,wpa2-psk admits WPA1 clients as
# well as WPA2 on both profiles. Unless legacy devices need WPA1, wpa2-psk
# alone is the stronger setting.
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=AP-veg \
    supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \
    name=AP-VPN supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
    20/40mhz-Ce country=no_country_set disabled=no distance=indoors \
    frequency=auto frequency-mode=manual-txpower mode=ap-bridge \
    security-profile=AP-veg ssid="pretty fly for a wifi" wireless-protocol=\
    802.11 wps-mode=disabled
# wlan2 (virtual AP on wlan1) carries vlan-id=33 here AND pvid=33 on its
# bridge_vpn port below, while the address is on bridge_vpn itself. With no
# vlan-filtering on bridge_vpn it is not obvious which side tags/untags —
# TODO confirm with a packet sniff on bridge_vpn.
add disabled=no keepalive-frames=disabled mac-address=D6:CA:6D:57:25:8F \
    master-interface=wlan1 multicast-buffering=disabled name=wlan2 \
    security-profile=AP-VPN ssid="pretty fly for a vpn" vlan-id=33 \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn-pool ranges=192.168.89.10-192.168.89.254
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay interface=bridge \
    name=defconf
add address-pool=vpn-pool interface=bridge_vpn name=vpn_pool
/ip vrf
# VRF populated from the vpn-rm list; the routes and routing rule at the end
# of this export use the same table name.
add interfaces=vpn-rm name=vrf_vpn
/port
set 0 name=serial0
/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add name=default-v2
add name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
/snmp community
# NOTE(review): the default community accepts queries from any source address
# (0.0.0.0/0) and SNMP is enabled further down. Only the input chain's final
# drop keeps this off the WAN, and every host in allowed_to_router can query
# it. Restrict addresses= to the monitoring host (192.168.88.200 deb10-zabbix
# under /ip dns static looks like the candidate — verify).
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp,rest-api"
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=\
    ether2-master
add bridge=bridge comment=defconf ingress-filtering=no interface=\
    ether6-master
add bridge=bridge comment=defconf hw=no ingress-filtering=no interface=sfp1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge ingress-filtering=no interface=ether3
add bridge=bridge ingress-filtering=no interface=ether4
add bridge=bridge ingress-filtering=no interface=ether5
add bridge=bridge ingress-filtering=no interface=ether7
add bridge=bridge ingress-filtering=no interface=ether8
add bridge=bridge ingress-filtering=no interface=ether9
add bridge=bridge ingress-filtering=no interface=ether10
# wlan2 is the only port on bridge_vpn; pvid=33 pairs with vlan-id=33 on the
# wireless interface (see the note there).
add bridge=bridge_vpn ingress-filtering=no interface=wlan2 pvid=33
/ip neighbor discovery-settings
set discover-interface-list=discover
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface bridge vlan
# Only consulted once vlan-filtering=yes is set on bridge_vpn (it is not here).
add bridge=bridge_vpn vlan-ids=33
/interface list member
add interface=sfp1 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=wlan1 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=mullvad_US list=vpn-rm
add interface=bridge_vpn list=vpn-rm
/interface wireguard peers
# allowed-address=0.0.0.0/0 is what a tunnel used as default route needs: it
# lets return traffic from any destination be accepted from this peer. The
# public-key value is the provider's public key, not a secret; the
# endpoint-address has been partially redacted by the poster.
add allowed-address=0.0.0.0/0 endpoint-address=198.54.a.b endpoint-port=\
    51820 interface=mullvad_US public-key=\
    "T1fKJp8knv4kqsfy9O04OIy+1nl5b9ypcnIzdmcfyzM="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
# Tunnel-side address (redacted); network= equal to the address makes this a
# single-host assignment.
add address=10.68.a.b interface=mullvad_US network=10.68.a.b
add address=192.168.89.1/24 interface=bridge_vpn network=192.168.89.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.2 domain=\
    bjorseth.local gateway=192.168.88.1
# VPN-side clients (redacted; presumably 192.168.89.0/24 to match vpn-pool)
# are handed an external resolver (193.138.a.b, presumably the VPN provider's
# — verify). That resolver is only reachable through the tunnel, so while the
# tunnel does not pass traffic these clients have no working DNS either.
add address=192.168.a.b/24 dns-server=193.138.a.b gateway=192.168.a.b \
    netmask=24
/ip dns
# The router resolves for anyone the input chain admits. From ether1 that is
# blocked by the final input drop; from bridge_vpn clients (192.168.89.x) it is
# blocked too, because allowed_to_router only covers 192.168.88.2-254.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
add address=192.168.88.200 name=deb10-zabbix
/ip firewall address-list
# allowed_to_router = the entire LAN host range, so every LAN device gets
# unrestricted access to the router's input chain (SNMP, DNS; winbox/www are
# additionally bounded by /ip service). Narrow this to admin hosts once the
# setup works.
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
/ip firewall filter
# input: established/related, whole LAN, ICMP, then drop. From bridge_vpn and
# mullvad_US only ICMP and replies reach the router.
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
# forward: there is no final drop in this chain, so anything not matched by the
# two ether1-only drops is forwarded — including bridge <-> bridge_vpn, and
# bridge_vpn -> ether1 if routing ever sends it there. New connections arriving
# from mullvad_US are not covered by the ether1 drops either; a matching drop
# for in-interface=mullvad_US connection-nat-state=!dstnat would close that.
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=ether1 \
    log=yes log-prefix=!public src-address-list=not_in_internet
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1
# Translates VPN-side client sources to the tunnel address on the way out.
add action=masquerade chain=srcnat out-interface=mullvad_US
/ip route
# Default route for the vrf_vpn table only; the main table's default comes
# from the DHCP client on ether1.
add disabled=no dst-address=0.0.0.0/0 gateway=mullvad_US routing-table=\
    vrf_vpn suppress-hw-offload=no
add disabled=no dst-address=10.68.a.b/32 gateway=mullvad_US routing-table=\
    vrf_vpn suppress-hw-offload=no
/ip service
# Management surface: www/winbox limited to the LAN subnet; telnet, ftp, ssh,
# api and api-ssl disabled.
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ipv6 address
# IPv6 tunnel address. No /ipv6 firewall section appears in this export, so
# confirm v6 filtering if the tunnel is expected to carry IPv6.
add address=fc00:bbbb:bbbb:bb01::a:b/128 advertise=no interface=mullvad_US
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/routing rule
# action=lookup appears to fall back to the main table when vrf_vpn has no
# matching route (see the lookup vs lookup-only-in-table remarks in this
# thread), which would let VPN-side clients leak out ether1 if the tunnel
# route disappears; action=lookup-only-in-table keeps them tunnel-only.
add action=lookup disabled=no interface=bridge_vpn src-address=\
    192.168.89.0/24 table=vrf_vpn
/snmp
# SNMP enabled; traps are addressed to 0.0.0.0, i.e. effectively nowhere.
set enabled=yes trap-generators=start-trap trap-interfaces=bridge \
    trap-target=0.0.0.0
/system clock
set time-zone-name=Europe/Oslo
/system logging
# WireGuard topic logging — useful while diagnosing handshakes on the tunnel.
add topics=wireguard
/tool mac-server
# MAC-level access limited to the lists that contain only "bridge".
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Problem with Wireguard and WLAN

Sun Jan 16, 2022 1:25 am

Don't overcomplicate it; there's no need for any VLAN or extra bridge. If you want to use VRF, then just say that it should contain mullvad_US and wlan2, and that should be it. Unless you'd want to add some other interface later — then a bridge would make sense, but you still wouldn't need a VLAN. Or the other way around: if you'd want to use the new bridge VLAN filtering, then you'd need a VLAN, but not another bridge.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Problem with Wireguard and WLAN

Sun Jan 16, 2022 2:19 am

As stated there is no need for any vlans here or wireguard address etc...... and IMHO, no need for VRF either.
The problem is that you think you need to create some sort of network for the wireguard, simply not the case.
The only thing you need to do is route the appropriate users to the wireguard tunnel.

Therefore modify your settings thusly.................................

Remove WLAN2 from the bridge and remove the setting in the wireless configuration that gives it vlan-id 33.
/ip address
add address=192.168.89.1/24 interface=wlan2 network=192.168.89.0
/ip pool
add name=vpn-pool ranges=192.168.89.10-192.168.89.254
/ip dhcp-server network
add address=192.168.89.0/24 dns-server=192.168.89.1 gateway=192.168.89.1 \
netmask=24
/ip dhcp-server
add address-pool=vpn-pool interface=wlan2 name=vpn_pool

AND simplify
/interface list member
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox

/ip neighbor discovery-settings
set discover-interface-list=mac-winbox

Remove the second source nat rule not required........

+++++++++++++++++++++++++++++++++++++++++++++++++++++++

Now lets move WLAN2 users to the mulvad connection.........

First create a table called UseVPN (not available yet in WinBox, so you have to use the WinBox Terminal):
/routing table add name=UseVPN fib

Then create the necessary route and route rule.
/ip route
dst-address=0.0.0.0/0 gwy=mullvad_US table=UseVPN

Route Rule
src-address=192.168.89.0/24 Action: Lookup-ONLY-In-Table Table=UseVPN

Note: If you wanted wlan2 users to use the router for internet if the wireguard tunnel is not working then change action to Action: Lookup-In-Table

Now all wlan2 users will be directed out the mullvad connection.
You have to ensure on the mullvad settings for peer the allowed addresses are 192.168.89.0/24
 
req
just joined
Topic Author
Posts: 2
Joined: Tue Jan 11, 2022 3:00 pm

Re: Problem with Wireguard and WLAN

Sun Jan 16, 2022 7:51 pm

Thanks for the tips, anav.
I sat down today and reset the whole router, it was time anyway.
I rebuilt the config from the ground up using the official MikroTik documentation and your suggestions; now everything works, except getting the VPN VLAN to send traffic over the WireGuard link.
No VRF this time.

I only have one bridge now, but I now have 3 VLANs: one is "normal" internet and admin work, one is for IoT and one is for VPN.
VLAN 66 - Admin/normal: No restrictions, access to the internet and all other VLANs.
VLAN 99 - VPN: No access to any other VLANs or the router (except DHCP traffic, which does work!), should only be able to send traffic through the WireGuard interface. This does NOT work, yet.
VLAN 100 - IoT: No access to any other VLAN or the router (except DHCP traffic), can access 192.168.88.2:53 UDP and TCP for DNS (this is my Pi-hole). Access to the internet through the normal WAN link.

As stated, everything seems to be working as intended now, except the Wireguard link.
This time I only used a new routing table, as you suggested, instead of messing around with VRF.
Can you take another look?
# jan/16/2022 18:08:25 by RouterOS 7.1.1
# software id = 79NX-029P
#
# model = 2011UAS-2HnD
# serial number = 3F0602A6ADDA
# NOTE(review): the software id and serial number above are posted verbatim;
# they are not credentials, but they are normally redacted from public exports.
/interface bridge
# Single bridge with vlan-filtering=yes, so the /interface bridge vlan table
# below is active. ingress-filtering=no here is the bridge-level setting; the
# per-port value is not shown in this export (see /interface bridge port).
add ingress-filtering=no name=LAN_bridge vlan-filtering=yes
/interface wireguard
# Local WireGuard endpoint (private key not exported). listen-port is now
# 61083; the disabled /ip firewall raw rule below still names the old 59969.
add listen-port=61083 mtu=1420 name=mullvad_US
/interface vlan
# Routed (L3) interfaces for each VLAN; addresses and DHCP servers attach to
# these, not to LAN_bridge.
add interface=LAN_bridge name=IoT_100 vlan-id=100
add interface=LAN_bridge name=LAN_66 vlan-id=66
add interface=LAN_bridge name=VPN_99 vlan-id=99
/interface list
add name=WAN
add name=LAN
add name=VPN
add name=IoT
add name=VPN_WAN
add name=ALL_VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# NOTE(review): authentication-types=wpa-psk,wpa2-psk admits WPA1 clients as
# well as WPA2 on all three profiles. Unless legacy devices need WPA1,
# wpa2-psk alone is the stronger setting.
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \
    name=LAN supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \
    name=VPN supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \
    name=IoT supplicant-identity=""
/interface wireless
# wlan1/wlan2/wlan3 land in VLAN 66/99/100 via their bridge-port pvid below;
# no vlan-id is set on the wireless interfaces themselves this time.
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=norway disabled=no \
    mode=ap-bridge security-profile=LAN ssid="pretty fly for a wifi" \
    wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=D6:CA:6D:57:25:8F \
    master-interface=wlan1 multicast-buffering=disabled name=wlan2 \
    security-profile=VPN ssid="pretty fly for a vpn" wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=D6:CA:6D:57:25:90 \
    master-interface=wlan1 multicast-buffering=disabled name=wlan3 \
    security-profile=IoT ssid="pretty fly for the iot" wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/ip pool
add name=LAN_POOL ranges=192.168.88.100-192.168.88.254
add name=VPN_POOL ranges=192.168.99.100-192.168.99.254
add name=IoT_POOL ranges=192.168.100.100-192.168.100.254
/ip dhcp-server
add address-pool=LAN_POOL interface=LAN_66 name=LAN_DHCP
add address-pool=VPN_POOL interface=VPN_99 name=VPN_DHCP
add address-pool=IoT_POOL interface=IoT_100 name=IoT_DHCP
/port
set 0 name=serial0
/routing table
# Extra FIB table used by the tunnel default route and the routing rule at the
# end of this export.
add fib name=wireguard-rtable
/interface bridge port
# Access ports: ether2, ether3 and the three wlans accept only untagged frames
# (frame-types) and are placed in their VLAN by pvid.
add bridge=LAN_bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=66
add bridge=LAN_bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=66
add bridge=LAN_bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan1 pvid=66
add bridge=LAN_bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan2 pvid=99
add bridge=LAN_bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan3 pvid=100
# NOTE(review): ether4 and ether6-ether10 are also access ports (pvid=66) but
# carry no frame-types restriction, and the export shows no ingress-filtering
# for them. A device on one of these ports sending frames tagged 99 or 100
# may therefore be admitted into those VLANs — set
# frame-types=admit-only-untagged-and-priority-tagged (and ingress-filtering=yes)
# on them as on ether2/ether3. ether5 is the tagged-only trunk.
add bridge=LAN_bridge interface=ether4 pvid=66
add bridge=LAN_bridge frame-types=admit-only-vlan-tagged interface=ether5
add bridge=LAN_bridge interface=ether6 pvid=66
add bridge=LAN_bridge interface=ether7 pvid=66
add bridge=LAN_bridge interface=ether8 pvid=66
add bridge=LAN_bridge interface=ether9 pvid=66
add bridge=LAN_bridge interface=ether10 pvid=66
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
# Tagged members are the CPU port (LAN_bridge) and the ether5 trunk; untagged
# membership follows from the port pvids above.
add bridge=LAN_bridge tagged=LAN_bridge,ether5 vlan-ids=66
add bridge=LAN_bridge tagged=LAN_bridge,ether5 vlan-ids=99
add bridge=LAN_bridge tagged=LAN_bridge,ether5 vlan-ids=100
/interface list member
add interface=ether1 list=WAN
add interface=LAN_66 list=LAN
add interface=VPN_99 list=VPN
add interface=IoT_100 list=IoT
add interface=mullvad_US list=VPN_WAN
add interface=VPN_99 list=ALL_VLAN
add interface=IoT_100 list=ALL_VLAN
add interface=LAN_66 list=ALL_VLAN
/interface wireguard peers
# allowed-address=0.0.0.0/0 is what a tunnel used as default route needs: it
# lets return traffic from any destination be accepted from this peer. The
# public-key value is the provider's public key, not a secret; the
# endpoint-address has been partially redacted by the poster.
add allowed-address=0.0.0.0/0 endpoint-address=94.198.a.b endpoint-port=\
    51820 interface=mullvad_US public-key=\
    "c2ifgyT1M41zbFEaSCbeLY033u/RurG5eJKYHZOMrBE="
/ip address
add address=192.168.88.1/24 interface=LAN_66 network=192.168.88.0
add address=192.168.99.1/24 interface=VPN_99 network=192.168.99.0
add address=192.168.100.1/24 interface=IoT_100 network=192.168.100.0
# Tunnel-side address (redacted); network= equal to the address makes this a
# single-host assignment.
add address=10.64.a.b interface=mullvad_US network=10.64.a.b
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.2 gateway=192.168.88.1
# NOTE(review): 192.168.99.2 appears nowhere else in this export (the router
# is .1 and the pool starts at .100); if no resolver lives there, VPN clients
# get an address but no working DNS. IoT clients are handed 193.138.218.74 —
# an external resolver — although the post text says IoT should use the
# Pi-hole at 192.168.88.2:53; note the forward chain below has no IoT -> LAN
# allow, so 192.168.88.2 would not be reachable from IoT without one anyway.
add address=192.168.99.0/24 dns-server=192.168.99.2 gateway=192.168.99.1
add address=192.168.100.0/24 dns-server=193.138.218.74 gateway=192.168.100.1
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
# local_subnet = all three VLAN subnets; used by the raw chain below.
add address=192.168.100.0/24 list=local_subnet
add address=192.168.88.0/24 list=local_subnet
add address=192.168.99.0/24 list=local_subnet
/ip firewall filter
# input: only LAN_66 (list LAN) gets full access; VPN_99 and IoT_100 reach the
# router for nothing (no DNS, no ICMP) before "Drop all".
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow LAN to router" \
    in-interface-list=LAN
# NOTE(review): this accepts ANY UDP from the tunnel peer to the router. The
# encrypted WireGuard transport arrives on ether1, not on mullvad_US, so this
# rule does not help the tunnel come up; remove it rather than leave the
# router's UDP services open to the far side.
add action=accept chain=input comment="TEST RULE for wg-if" \
    in-interface-list=VPN_WAN protocol=udp
add action=drop chain=input comment="Drop all"
# forward: explicit allow-list per VLAN, with a final "Drop all".
add action=fasttrack-connection chain=forward comment=\
    "Fasttrack for established, related" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="LAN Internet Access only" \
    connection-state=new in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="IoT_VLAN Internet Access only" \
    connection-state=new in-interface-list=IoT out-interface-list=WAN
# VPN_99 -> mullvad_US is the only egress VLAN 99 is allowed; whether packets
# ever get here depends on the raw chain further down (see note there).
add action=accept chain=forward comment=\
    "VPN Internet Access only through VPN_WAN" connection-state=new \
    in-interface-list=VPN out-interface-list=VPN_WAN
add action=accept chain=forward comment="Allow LAN to all VLAN" \
    connection-state=new in-interface-list=LAN out-interface-list=ALL_VLAN
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
# NOTE(review): traffic routed from the VLAN sub-interfaces is seen with
# in-interface=LAN_66/VPN_99/IoT_100 rather than LAN_bridge, so this rule may
# never match — check its counters; in-interface-list=ALL_VLAN is probably
# the matcher that was intended.
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=LAN_bridge log=yes log-prefix=\
    !public_from_LAN out-interface=!LAN_bridge
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
    "Drop access to clients behind NAT form WAN" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop all"
/ip firewall mangle
# TCP MSS clamp for flows leaving through the tunnel: 1380 = the tunnel MTU
# (1420) minus 40 bytes of IPv4 + TCP headers. This keeps TCP from producing
# segments that would need fragmentation inside the tunnel; it is the usual
# companion to a 1420-byte WireGuard MTU, not an MTU change.
add action=change-mss chain=postrouting new-mss=1380 out-interface=mullvad_US \
    passthrough=no protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
# Translates 192.168.99.x sources to the tunnel address on the way out; the
# peer only expects traffic from the single tunnel address, so this appears to
# be needed for VLAN 99 to use the tunnel.
add action=masquerade chain=srcnat comment="VPN masq" out-interface-list=\
    VPN_WAN
/ip firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
# Only DHCP discover is accepted from ALL_VLAN here; see the note at the end
# of this chain.
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=ALL_VLAN \
    protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" dst-address-list=\
    local_subnet in-interface-list=WAN
# Anti-spoofing, but only for the LAN list (LAN_66); VPN_99 and IoT_100 are
# not checked against local_subnet here.
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" in-interface-list=LAN \
    src-address-list=!local_subnet
# Disabled, and stale: the WireGuard listen-port is now 61083, not 59969.
add action=drop chain=prerouting comment=\
    "defconf: drop bad UDP EXCEPT wireguard udp 59969" disabled=yes dst-port=\
    !59969 port=0 protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    disabled=yes jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
# NOTE(review): the two accepts below cover only in-interface-list=LAN
# (LAN_66) and WAN (ether1); "drop the rest" then discards everything else in
# prerouting, i.e. all non-DHCP packets from VPN_99 and IoT_100, before routing
# or the filter chains ever see them. That matches the symptom "DHCP works but
# nothing else": check the counter on "drop the rest", and either accept
# in-interface-list=ALL_VLAN here or disable the raw chain while testing.
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
/ip route
# Default route in wireguard-rtable only; the main table's default comes from
# the DHCP client on ether1.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=mullvad_US pref-src=\
    0.0.0.0 routing-table=wireguard-rtable scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
# Management surface: www/ssh/winbox limited to 192.168.88.0/24 (VLAN 66);
# telnet, ftp, api and api-ssl disabled.
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24
set ssh address=192.168.88.0/24
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/lcd
set default-screen=interfaces
/lcd interface
add interface=mullvad_US
/routing rule
# lookup-only-in-table: if the tunnel route is absent, VLAN 99 traffic is
# dropped rather than falling back to the main table and leaking out ether1.
add action=lookup-only-in-table disabled=no src-address=192.168.99.0/24 \
    table=wireguard-rtable
/system clock
set time-zone-name=Europe/Oslo
/tool mac-server
# MAC-level access limited to the LAN list (LAN_66).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Problem with Wireguard and WLAN

Sun Jan 16, 2022 9:02 pm

Hi there,
Looks goods so far.....

(1) Would add persistent keep alive to the MT Peer settings lets say 30 seconds.

(2) Remove the IP address you have assigned to mullvad interface (for now).

(3) Some issues in your INPUT CHAIN.
add action=accept chain=input comment="Allow LAN to router" \
in-interface-list=LAN *****
add action=accept chain=input comment="TEST RULE for wg-if" \ (Remove this not needed )
in-interface-list=VPN_WAN protocol=udp

**** You only provide DNS services for vlan66 by your method. I agree only the vlan66 should have full access and later you can narrow it down by admin IP addresses by src-address-list=authorized.
For now though keep that but add for the rest of the vlans to ensure they get DNS services etc.... just before the drop all rule!!
add action=accept chain=input comment="Allow VLAN DNS queries-UDP" \
dst-port=53 in-interface-list=ALL_VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS queries - TCP" \
dst-port=53 in-interface-list=ALL_VLAN protocol=tcp

(4) Interface list members, the only time to really make an interface member for A SINGLE interface is for the management vlan,
SO remove these ones..... there is no purpose served by them that cannot be addressed in a better way.
add name=VPN
add name=IoT
add name=VPN_WAN


However, I would add one back called Allowed-Internet
add interface=LAN_66 list=Allowed-Internet
add interface=IoT_100 list=Allowed-Internet

I would replace the following two rules.............
add action=accept chain=forward comment="LAN Internet Access only" \
connection-state=new in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="IoT_VLAN Internet Access only" \
connection-state=new in-interface-list=IoT out-interface-list=WAN

WITH
add action=accept chain=forward in-interface-list=Allowed-Internet out-interface-list=WAN

(5) Change this firewall rule FROM
add action=accept chain=forward comment=\
"VPN Internet Access only through VPN_WAN" connection-state=new \
in-interface-list=VPN out-interface-list=VPN_WAN

TO
add action=accept chain=forward comment="WG Internet for Vlan99" \
source-address=192.168.99.0/24 out-interface=mullvad_US


(6) Just DISABLE this rule for now...........if you want to block bogons thats up to you but to ensure its not doing anything else simply disable till its all working then re-enable!!
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface=LAN_bridge log=yes log-prefix=\
!public_from_LAN out-interface=!LAN_bridge


(7) Not efficient, and duplication, lets keep it simple!! FROM
add action=drop chain=forward comment=\
"Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
"Drop access to clients behind NAT form WAN" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop all"

TO
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all"

(7) Move this rule UP to just after the established related default rule.
add action=drop chain=forward comment="Drop invalid" connection-state=invalid

(8) WHY THIS RULE ???
/ip firewall mangle
add action=change-mss chain=postrouting new-mss=1380 out-interface=mullvad_US \
passthrough=no protocol=tcp tcp-flags=syn

If you need to play with MTU (not even sure what mss is, ) but suggest just set both sides of tunnel to 1380 if you really meant MTU ????
On this one, its over my head so best get other input if you are not sure.........


(9) ADD THIS RULE TO INPUT CHAIN (right after the establish rule)
add action=accept chain=input comment="Allow Estab & Related" \
connection-state=established,related

add action=drop chain=input comment="Drop invalid" connection-state=invalid

(10) ADD THIS RULE TO INPUT CHAIN for now, (just below the invalid rule) you can remove later .............
add action=accept chain=input comment="Allow Estab & Related" \
connection-state=established,related
add action=drop chain=input comment="Drop invalid" connection-state=invalid

add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp (normally required for testing)

(11) DISABLE ALL RAW RULES..........not required and want to establish the connections are working without them.

(12) Remove this Source NAT rule, I have no idea what purpose it serves........
add action=masquerade chain=srcnat comment="VPN masq" out-interface-list=\
VPN_WAN

(13) Okay, so we have a forward chain rule that allows VLAN 99 to reach the WireGuard interface; now we have to tell the router how to route VLAN 99 traffic so that it goes out the WG interface.
Create a route rule so that VLAN99 goes out the correct interface.
SO FIRST need to create the table lets say. Use-WG
VIA Terminal Window in winbox CLI only
/routing table
add name=Use-WG name fib

Then a route....
/ip route
dst-address=0.0.0.0/0 gwy=mullvad_US table=Use-WG

and the route rule
src-address=192.168.99.0/24 (or you could use interface=VPN_99)
Action= lookup-only-in-table
Table=Use-WG

note: If you wanted vpn99 users to use the main router internet when WG is down, then change action to Action=lookup
