I am trying to connect a Mullvad VPN WireGuard tunnel to my RB2011.
The end goal is to have a separate VLAN for VPN traffic, bridged to its own SSID on wlan2.
I followed some guides online (this guide: viewtopic.php?t=173952) which stated that using a VRF was the way to go, so I tried to set that up as well. Now I have a separate routing table for VPN traffic.
Everything seems to be working (I can ping the WireGuard peer from both the Mullvad and the bridge interface) except traffic coming in over wlan2; I have not tested with a LAN port. DHCP is working fine and routing seems to be working fine (since I can ping from the VPN bridge), but still no traffic goes through when I connect with my phone.
I am really running out of ideas here; maybe someone can help.
Here is my config:
# jan/11/2022 13:50:33 by RouterOS 7.1.1
# software id = 79NX-029P
#
# model = 2011UAS-2HnD
# serial number = 3F0602A6ADDA
#
# Review notes (added): the VPN SSID on wlan2 sits on bridge_vpn
# (192.168.89.0/24); that subnet and the mullvad_US WireGuard tunnel are placed
# in VRF vrf_vpn so the subnet only exits through the tunnel. The main LAN stays
# on bridge (192.168.88.0/24) and exits via ether1.
/interface bridge
add admin-mac=D4:CA:6D:57:25:86 auto-mac=no comment=defconf fast-forward=no \
name=bridge
# bridge_vpn is created without vlan-filtering=yes, so the pvid=33 and
# vlan-ids=33 entries further down are not enforced; the VPN subnet is
# addressed on bridge_vpn itself, not on vlan33.
add name=bridge_vpn
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
ether6-master
set [ find default-name=ether7 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireguard
# Tunnel MTU is 1420 while clients on wlan2 use ordinary 1500-byte frames, so
# TCP through the tunnel relies on PMTUD or an MSS clamp; no mangle
# change-mss rule is present in this export (worth checking if small pings
# pass but sessions stall).
add listen-port=59969 mtu=1420 name=mullvad_US
/interface vlan
# vlan33 carries no IP address in this export (see /ip address below).
add interface=bridge_vpn name=vlan33 vlan-id=33
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
# vpn-rm: the list that defines VRF membership (see /ip vrf).
add name=vpn-rm
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# NOTE(review): both profiles still accept wpa-psk (WPA1) alongside wpa2-psk;
# restrict authentication-types to wpa2-psk unless a legacy client needs WPA1.
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=AP-veg \
supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \
name=AP-VPN supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
20/40mhz-Ce country=no_country_set disabled=no distance=indoors \
frequency=auto frequency-mode=manual-txpower mode=ap-bridge \
security-profile=AP-veg ssid="pretty fly for a wifi" wireless-protocol=\
802.11 wps-mode=disabled
# wlan2: virtual AP on wlan1 for the VPN SSID. vlan-id=33 only tags frames
# when vlan-mode is use-tag (assumed to be at its default here — confirm);
# untagged frames land directly on bridge_vpn, where 192.168.89.1/24 lives.
add disabled=no keepalive-frames=disabled mac-address=D6:CA:6D:57:25:8F \
master-interface=wlan1 multicast-buffering=disabled name=wlan2 \
security-profile=AP-VPN ssid="pretty fly for a vpn" vlan-id=33 \
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn-pool ranges=192.168.89.10-192.168.89.254
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay interface=bridge \
name=defconf
add address-pool=vpn-pool interface=bridge_vpn name=vpn_pool
/ip vrf
# vrf_vpn spans every member of vpn-rm: mullvad_US and bridge_vpn
# (membership is set under /interface list member below).
add interfaces=vpn-rm name=vrf_vpn
/port
set 0 name=serial0
/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add name=default-v2
add name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
/snmp community
# NOTE(review): the default community (normally "public") is allowed from any
# source address. The input chain confines it to allowed_to_router, but
# narrow addresses= to the monitoring host and use a non-default community
# name so the firewall is not the only control.
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp,rest-api"
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=\
ether2-master
add bridge=bridge comment=defconf ingress-filtering=no interface=\
ether6-master
add bridge=bridge comment=defconf hw=no ingress-filtering=no interface=sfp1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge ingress-filtering=no interface=ether3
add bridge=bridge ingress-filtering=no interface=ether4
add bridge=bridge ingress-filtering=no interface=ether5
add bridge=bridge ingress-filtering=no interface=ether7
add bridge=bridge ingress-filtering=no interface=ether8
add bridge=bridge ingress-filtering=no interface=ether9
add bridge=bridge ingress-filtering=no interface=ether10
# wlan2 is the only port on bridge_vpn; pvid=33 is inert while the bridge
# has vlan-filtering off.
add bridge=bridge_vpn ingress-filtering=no interface=wlan2 pvid=33
/ip neighbor discovery-settings
set discover-interface-list=discover
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge_vpn vlan-ids=33
/interface list member
add interface=sfp1 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=wlan1 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
# These two memberships are what put the tunnel and the VPN bridge into
# vrf_vpn.
add interface=mullvad_US list=vpn-rm
add interface=bridge_vpn list=vpn-rm
/interface wireguard peers
# Single peer (the Mullvad server) accepting any destination through the
# tunnel; the endpoint address was obfuscated by the poster (198.54.a.b).
add allowed-address=0.0.0.0/0 endpoint-address=198.54.a.b endpoint-port=\
51820 interface=mullvad_US public-key=\
"T1fKJp8knv4kqsfy9O04OIy+1nl5b9ypcnIzdmcfyzM="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
# Tunnel-side address (obfuscated); no prefix length given, so it is a host
# address on mullvad_US.
add address=10.68.a.b interface=mullvad_US network=10.68.a.b
# VPN subnet is addressed on the bridge itself, not on vlan33.
add address=192.168.89.1/24 interface=bridge_vpn network=192.168.89.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.2 domain=\
bjorseth.local gateway=192.168.88.1
# Obfuscated in the post; presumably 192.168.89.0/24 with gateway
# 192.168.89.1 to match bridge_vpn. DNS is handed out as a tunnel-side
# resolver (193.138.a.b), so VPN clients do not depend on the router for DNS.
add address=192.168.a.b/24 dns-server=193.138.a.b gateway=192.168.a.b \
netmask=24
/ip dns
# Remote requests are allowed, but the input chain below drops anything not
# from allowed_to_router, so this is not reachable from ether1.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
add address=192.168.88.200 name=deb10-zabbix
/ip firewall address-list
# allowed_to_router covers only the main LAN. 192.168.89.0/24 (bridge_vpn) is
# not listed, so VPN-SSID clients cannot reach services on the router itself
# (e.g. DNS on 192.168.89.1) past the final input drop; add a matching entry
# if that is intended.
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
/ip firewall filter
# Input: established/related, main-LAN hosts and ICMP; everything else dropped.
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
# Forward: the only drops are for traffic arriving on ether1. Nothing here
# separates bridge_vpn from bridge; that separation currently rests on
# vrf_vpn and the main table not sharing routes. An explicit forward drop
# between the two bridges would make the intent visible and survive later
# routing changes.
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=drop chain=forward comment=\
"Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=ether1 \
log=yes log-prefix=!public src-address-list=not_in_internet
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=ether1
# VPN subnet is hidden behind the tunnel address when leaving via mullvad_US.
add action=masquerade chain=srcnat out-interface=mullvad_US
/ip route
# vrf_vpn table: everything via the tunnel. Both routes depend on mullvad_US
# being up; they become inactive if the interface goes down.
add disabled=no dst-address=0.0.0.0/0 gateway=mullvad_US routing-table=\
vrf_vpn suppress-hw-offload=no
add disabled=no dst-address=10.68.a.b/32 gateway=mullvad_US routing-table=\
vrf_vpn suppress-hw-offload=no
/ip service
# Management: telnet/ftp/ssh/api disabled; www (plain HTTP) and winbox
# limited to the main LAN. www-ssl does not appear in this export.
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ipv6 address
# Tunnel-side IPv6 only; no IPv6 address on bridge_vpn appears in this
# export, so VPN-SSID clients have no IPv6 path here (and therefore no
# IPv6 bypass of the tunnel) — confirm nothing outside the export adds one.
add address=fc00:bbbb:bbbb:bb01::a:b/128 advertise=no interface=mullvad_US
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/routing rule
# NOTE(review): action=lookup falls through to later rules / the main table
# when vrf_vpn has no usable route (e.g. tunnel down and its default route
# inactive), so VPN-SSID traffic could then leave via ether1 under the
# defconf masquerade. action=lookup-only-in-table keeps the lookup inside
# vrf_vpn and drops instead. Verify how this rule interacts with bridge_vpn
# already being a VRF member.
add action=lookup disabled=no interface=bridge_vpn src-address=\
192.168.89.0/24 table=vrf_vpn
/snmp
# Traps are enabled but trap-target=0.0.0.0 sends them nowhere.
set enabled=yes trap-generators=start-trap trap-interfaces=bridge \
trap-target=0.0.0.0
/system clock
set time-zone-name=Europe/Oslo
/system logging
# wireguard topic logged — useful for confirming peer handshakes while
# diagnosing the tunnel.
add topics=wireguard
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox