E15RQ22EZN9
just joined
Topic Author
Posts: 10
Joined: Tue Mar 02, 2021 12:49 pm

Wireguard VRF and Default Gateways

Fri Jul 22, 2022 4:34 pm

Hi all,
I am reaching out for some help on something I just can't seem to get right. I am trying to use a VPS instance that I have as a personal VPN for some devices on a specific VLAN (VLAN100). To do this I have a WireGuard tunnel established and I have placed the interfaces VL100 and the WireGuard interface (wireguard1) inside a VRF. I can ping from the router, the VLAN and the VPS and all those connections work; however, I cannot get the default gateway to work! I am sure I am missing a config somewhere... I am hoping someone here could spot it.
The route I am trying to test should look like this:

Home Router - 10.255.255.2 (wireguard1) <--> VPS - 10.0.1.10 (wg0) <---> VPS - PUBLIC IP (enp0s3)

When I try traceroute for 8.8.8.8 inside the VRF i get the below results:
/tool/traceroute vrf=vrf_earthcloud address=8.8.8.8
#  ADDRESS       LOSS  SENT  LAST   AVG  BEST  WORST  STD-DEV  STATUS                            
1  10.255.255.2  0%      14  0.1ms  0.1  0.1   0.1          0  host unreachable from 10.255.255.2
2                0%       0  0ms                                                                 
Doing a tcpdump on the VPS shows that no packets are making it to the VPS for the traceroute.

My Routing Table:
/routing/route print
Flags: A - ACTIVE; c, s, d, y - COPY; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE, IMMEDIATE-GW
    DST-ADDRESS         GATEWAY                         AFI   DISTANCE  SCOPE  TARGET-SCOPE  IMMEDIATE-GW                   
Ad  0.0.0.0/0           6.6.6.6                   ip4          1     30            10  6.6.6.6%VL90_PASSUNTRUSTED
Ac  10.0.2.2/32         wireguard2                      ip4          0     10                wireguard2                     
;;; Route for local laptop WG connection
As  10.0.5.0/24         wireguard2                      ip4          1     30            10  wireguard2                     
Ac  10.1.0.0/16         VL90_PASSUNTRUSTED              ip4          0     10                VL90_PASSUNTRUSTED             
Ac  192.168.10.0/24     VL10_MGMT                       ip4          0     10                VL10_MGMT                      
Ac  192.168.20.0/24     VL20_TRUST                      ip4          0     10                VL20_TRUST                     
Ac  192.168.35.0/24     VL35_CELL                       ip4          0     10                VL35_CELL                      
Ac  192.168.40.0/24     VL40_GUEST                      ip4          0     10                VL40_GUEST                     
Ac  192.168.50.0/24     VL50-CLEARNET                   ip4          0     10                VL50-CLEARNET                  
Ac  192.168.51.0/24     VL51_MEDIA                      ip4          0     10                VL51_MEDIA                     
Ac  192.168.52.0/24     VL52_IOT                        ip4          0     10                VL52_IOT                       
Ac  192.168.55.0/24     VL55_P2P                        ip4          0     10                VL55_P2P                       
Ac  192.168.60.0/24     VL60_LAB                        ip4          0     10                VL60_LAB                       
Ac  XXX.XXX.XXX.XXX/XXX VL90_PASSUNTRUSTED              ip4          0     10                VL90_PASSUNTRUSTED             
As  0.0.0.0/0           10.0.1.10@vrf_earthcloud        ip4          1     30            30  10.0.1.10%wireguard1           
As  10.0.1.0/24         wireguard1@vrf_earthcloud       ip4          1     30            10  wireguard1                     
Ac  10.0.4.0/24         VL100_WIREGUARD@vrf_earthcloud  ip4          0     10                VL100_WIREGUARD                
Ac  10.255.255.0/30     wireguard1@vrf_earthcloud       ip4          0     10                wireguard1                     
As  XXX.XXX.XXX.XXX/XXX wireguard1@vrf_earthcloud       ip4          1     30            10  wireguard1                     
A H ether9                                              link         0                                                      
A H sfp-sfpplus1                                        link         0                                                      
A H BR1                                                 link         0                                                      
A H VL10_MGMT                                           link         0                                                      
A H VL20_TRUST                                          link         0                                                      
A H VL35_CELL                                           link         0                                                      
A H VL52_IOT                                            link         0                                                      
A H VL40_GUEST                                          link         0                                                      
A H VL55_P2P                                            link         0                                                      
A H VL90_PASSUNTRUSTED                                  link         0                                                      
A H VL60_LAB                                            link         0                                                      
A H wireguard2                                          link         0                                                      
A H VL50-CLEARNET                                       link         0                                                      
A H VL51_MEDIA                                          link         0                                                      
A H wireguard1                                          link         0                                                      
A H VL100_WIREGUARD                                     link         0                                                   
I appreciate any insights or help. Thanks!
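Two things decide whether a packet from VL100 ever reaches the VPS: the VRF routing table must resolve the default gateway 10.0.1.10 recursively to the wireguard1 interface, and WireGuard's cryptokey routing must then find a peer on that interface whose allowed-address covers the final destination, otherwise the packet is dropped locally before it is ever encrypted. The following added example (not part of this thread and not RouterOS code) simulates both lookups in Python using the route and peer entries quoted in the post; the main-table entries are a small subset, and the thread itself does not establish which check is failing in this setup.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed from the entries shown in the thread; not a live router export.


@dataclass(frozen=True)
class Route:
    dst: str           # destination prefix, e.g. "10.0.1.0/24"
    gateway: str       # next-hop IP address or an interface name
    vrf: str = "main"  # routing table the route belongs to


@dataclass(frozen=True)
class Peer:
    interface: str     # WireGuard interface the peer is attached to
    allowed: tuple     # allowed-address prefixes (cryptokey routing)


ROUTES = [
    Route("192.168.20.0/24", "VL20_TRUST"),                       # main table
    Route("10.1.0.0/16", "VL90_PASSUNTRUSTED"),                   # main table
    Route("0.0.0.0/0", "10.0.1.10", "vrf_earthcloud"),            # VRF default
    Route("10.0.1.0/24", "wireguard1", "vrf_earthcloud"),
    Route("10.0.4.0/24", "VL100_WIREGUARD", "vrf_earthcloud"),
    Route("10.255.255.0/30", "wireguard1", "vrf_earthcloud"),
]

PEERS = [
    Peer("wireguard1", ("10.0.1.0/24", "10.0.3.0/24")),  # Earthcloud peer as posted
    Peer("wireguard2", ("10.0.5.0/24",)),                # laptop peer as posted
]


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def lookup(routes, vrf: str, dst: str) -> Optional[Route]:
    """Longest-prefix match restricted to one VRF; routes in other tables are invisible."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in routes:
        if r.vrf != vrf:
            continue
        net = ipaddress.ip_network(r.dst)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def resolve_interface(routes, vrf: str, dst: str, max_depth: int = 4) -> Optional[str]:
    """Follow IP gateways inside the VRF until an egress interface is reached."""
    hop = dst
    for _ in range(max_depth):
        r = lookup(routes, vrf, hop)
        if r is None:
            return None
        if not _is_ip(r.gateway):
            return r.gateway       # immediate gateway is an interface
        hop = r.gateway            # recurse on the next-hop address
    return None


def select_peer(peers, iface: str, dst: str) -> Optional[Peer]:
    """Cryptokey routing: pick the peer whose allowed-address best covers dst."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for p in peers:
        if p.interface != iface:
            continue
        for prefix in p.allowed:
            net = ipaddress.ip_network(prefix)
            if addr in net and net.prefixlen > best_len:
                best, best_len = p, net.prefixlen
    return best


def trace(routes, peers, vrf: str, dst: str) -> Tuple[str, Optional[str]]:
    """Return (status, interface): 'no-route', 'dropped' (no peer match) or 'egress'."""
    iface = resolve_interface(routes, vrf, dst)
    if iface is None:
        return ("no-route", None)
    if not iface.startswith("wireguard"):
        return ("egress", iface)
    if select_peer(peers, iface, dst) is None:
        return ("dropped", iface)  # WireGuard discards traffic with no matching peer
    return ("egress", iface)


if __name__ == "__main__":
    for target in ("10.0.1.10", "10.0.4.50", "8.8.8.8"):
        print(target, trace(ROUTES, PEERS, "vrf_earthcloud", target))
```

With the peer exactly as posted, 10.0.1.10 resolves and egresses over wireguard1, but 8.8.8.8 resolves to the same interface and is then dropped because no allowed-address covers it; adding a peer entry with 0.0.0.0/0 to the simulation makes it egress. The lookup also shows the VRF boundary: the main table has no route to 10.0.4.0/24, since that subnet lives only in vrf_earthcloud.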
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VRF and Default Gateways

Fri Jul 22, 2022 7:37 pm

Two things for me to have a chance,
A. Full config
B. network diagram
 
E15RQ22EZN9
just joined
Topic Author
Posts: 10
Joined: Tue Mar 02, 2021 12:49 pm

Re: Wireguard VRF and Default Gateways

Mon Jul 25, 2022 8:27 pm

Thanks, I have two diagrams I generated. One is a physical diagram (probably not much help) and one that is a layer2/layer3 for VLAN100 which is the VLAN I am working with along with the wireguard connections. I really appreciate the help.
/interface bridge
add name=BR1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether6 ] comment="VL99-Passthrough - ethernet device setup VLAN"
set [ find default-name=ether7 ] comment="VL-60LAB - for LAB vlan"
set [ find default-name=ether9 ] comment=WAN
set [ find default-name=ether10 ] comment="Parents Computer"
/caps-man interface
add disabled=yes l2mtu=1600 mac-address=48:8F:5A:70:9B:FF master-interface=none name=cap1 radio-mac=48:8F:5A:70:9B:FF radio-name=488F5A709BFF
add disabled=yes l2mtu=1600 mac-address=48:8F:5A:70:9C:00 master-interface=none name=cap2 radio-mac=48:8F:5A:70:9C:00 radio-name=488F5A709C00
add disabled=no mac-address=48:8F:5A:70:9B:B1 master-interface=none name=cap3 radio-mac=48:8F:5A:70:9B:B1 radio-name=488F5A709BB1
add disabled=no mac-address=48:8F:5A:70:9B:B0 master-interface=none name=cap4 radio-mac=48:8F:5A:70:9B:B0 radio-name=488F5A709BB0
/interface wireguard
add comment=PVPN-NY#38 disabled=yes listen-port=13233 mtu=1420 name=pvpn1
add comment="External: Earthcloud based wireguard" listen-port=51820 mtu=1420 name=wireguard1
add comment="Router: " listen-port=13231 mtu=1420 name=wireguard2
/interface vlan
add interface=BR1 name=VL10_MGMT vlan-id=10
add interface=BR1 name=VL20_TRUST vlan-id=20
add interface=BR1 name=VL35_CELL vlan-id=35
add interface=BR1 name=VL40_GUEST vlan-id=40
add interface=BR1 name=VL50-CLEARNET vlan-id=50
add interface=BR1 name=VL51_MEDIA vlan-id=51
add interface=BR1 name=VL52_IOT vlan-id=52
add interface=BR1 name=VL55_P2P vlan-id=55
add interface=BR1 name=VL60_LAB vlan-id=60
add interface=BR1 name=VL90_PASSUNTRUSTED vlan-id=90
add interface=BR1 name=VL100_WIREGUARD vlan-id=100
/interface list
add name=WAN
add name=LAN
add name=VLAN_WAN
add name=VLAN_VPN
add name=MGMT
add name=LAB
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add interface=VL10_MGMT name=VL10_DHCP
/ip dhcp-server option
add code=121 name=classless value=0x100A00000A000202
add code=121 name=wireguard1 value=0x180A00010A000401180A00030A000401180A00050A000401
add code=43 name="raspberry pi boot" value="'Raspberry Pi Boot'"
add code=66 name="raspberry pi tftp" value="s'192.168.20.100'"
/ip dhcp-server option sets
add name=VL100 options=wireguard1
/ip ipsec mode-config
add name=ProtonVPN responder=no src-address-list=VL20_Addresses
add name=ProtonVPN_USCA98 responder=no src-address-list=VL52_Addresses
/ip ipsec policy group
add name=ProtonVPN
/ip ipsec profile
add dh-group=modp4096,modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
/ip ipsec peer
add address=node-us-119.protonvpn.net disabled=yes exchange-mode=ike2 name=US-VA#25 profile=ProtonVPN send-initial-contact=no
add address=node-us-68.protonvpn.net comment="This is US-NY#35 (using b3 username)" disabled=yes exchange-mode=ike2 name=ProtonVPN-US profile=ProtonVPN send-initial-contact=no
add address=node-us-89.protonvpn.net comment=US-CO#15 disabled=yes exchange-mode=ike2 name="Chicago - US-IL44" profile=ProtonVPN send-initial-contact=no
add address=node-us-93.protonvpn.net comment=US-CO#15 disabled=yes exchange-mode=ike2 name=ProtonVPN-CO5 profile=ProtonVPN send-initial-contact=no
add address=91.219.214.170/32 exchange-mode=ike2 name=ProtonVpn-US-FL#39 profile=ProtonVPN
add address=91.219.212.202/32 disabled=yes exchange-mode=ike2 name=ProtonVPN_USCA98_P2P profile=ProtonVPN send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip pool
add name=VL20_POOL ranges=192.168.20.100-192.168.20.199
add name=VL35_POOL ranges=192.168.35.100-192.168.35.199
add name=VL52_POOL ranges=192.168.52.100-192.168.52.199
add name=VL40_POOL ranges=192.168.40.100-192.168.40.199
add comment="P2P VPN VLAN" name=VL55_Pool ranges=192.168.55.100-192.168.55.199
add name=VL60_POOL ranges=192.168.60.100-192.168.60.199
add name=VL100_POOL ranges=10.0.4.100-10.0.4.199
add name=VL50_POOL ranges=192.168.50.100-192.168.50.199
add name=VL51_POOL ranges=192.168.51.100-192.168.51.199
/ip dhcp-server
add address-pool=VL20_POOL interface=VL20_TRUST name=VL20_DHCP
add address-pool=VL35_POOL interface=VL35_CELL name=VL35_DHCP
add address-pool=VL52_POOL interface=VL52_IOT name=VL52_DHCP
add address-pool=VL40_POOL interface=VL40_GUEST name=VL40_DHCP
add address-pool=VL55_Pool interface=VL55_P2P name=VL55_DHCP
add address-pool=VL60_POOL interface=VL60_LAB name=VL60_DHCP
add address-pool=VL100_POOL dhcp-option-set=VL100 interface=VL100_WIREGUARD name=VL100_DHCP
add address-pool=VL50_POOL interface=VL50-CLEARNET name=VL50_DHCP
add address-pool=VL51_POOL interface=VL51_MEDIA name=VL51_DHCP
/ip vrf
add interfaces=wireguard1,VL100_WIREGUARD name=vrf_earthcloud
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether2
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether3
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether4
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether5
add bridge=BR1 interface=ether6 pvid=99
add bridge=BR1 hw=no ingress-filtering=no interface=ether7 pvid=60
add bridge=BR1 ingress-filtering=no interface=sfp-sfpplus1
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether9 pvid=90
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether10 pvid=90
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=BR1 comment="VL10 Management Net " tagged=BR1,ether2,ether3,ether4,ether5,sfp-sfpplus1,ether6 vlan-ids=10
add bridge=BR1 comment="VL20 - TRUSTED - VPN Protected" tagged=BR1,ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 vlan-ids=20
add bridge=BR1 comment="VL35 - CELL - No VPN - Only for cell phones with VPN always on via devices" tagged=BR1,ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 vlan-ids=35
add bridge=BR1 comment="VL52 - IOT" tagged=BR1,sfp-sfpplus1 vlan-ids=52
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,sfp-sfpplus1 untagged=ether6 vlan-ids=99
add bridge=BR1 tagged=sfp-sfpplus1,BR1 vlan-ids=40
add bridge=BR1 comment="VL55 - VPN with P2P enabled" tagged=BR1,sfp-sfpplus1 vlan-ids=55
add bridge=BR1 comment=VL90_UNTRUSTED-WAN tagged=BR1 untagged=VL90_PASSUNTRUSTED vlan-ids=90
add bridge=BR1 comment=VL60-LAB tagged=ether2,BR1 untagged=ether7 vlan-ids=60
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=100
add bridge=BR1 comment=VL50-CLEARNET tagged=BR1,sfp-sfpplus1 vlan-ids=50
add bridge=BR1 comment="VL51 - MEDIA" tagged=BR1,sfp-sfpplus1 vlan-ids=51
/interface list member
add disabled=yes interface=ether1 list=WAN
add interface=VL20_TRUST list=LAN
add interface=VL35_CELL list=LAN
add interface=VL52_IOT list=LAN
add interface=VL10_MGMT list=LAN
add interface=VL20_TRUST list=VLAN_VPN
add interface=VL35_CELL list=VLAN_WAN
add interface=VL52_IOT list=VLAN_WAN
add interface=VL10_MGMT list=MGMT
add interface=VL40_GUEST list=VLAN_WAN
add interface=VL55_P2P list=VLAN_WAN
add disabled=yes interface=ether9 list=WAN
add interface=BR1 list=LAN
add interface=VL90_PASSUNTRUSTED list=WAN
add interface=VL60_LAB list=LAB
add interface=VL100_WIREGUARD list=LAN
add interface=VL50-CLEARNET list=VLAN_WAN
add disabled=yes interface=wireguard1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.0.1.0/24,10.0.3.0/24 comment=Earthcloud endpoint-address=YYY.YYY.Y.YY endpoint-port=51820 interface=wireguard1 persistent-keepalive=30s public-key="JUBRtdhXY9xRA8F+89m6PPHcS+s9vD7MinBLO0aajjk="
add allowed-address=10.0.5.0/24 comment="Laptop - Local" interface=wireguard2 public-key="hpCCDqsGi9cSzt+9bivhXTm9NW+lloqkXRWgSkJJIiI="
add allowed-address=0.0.0.0/0 endpoint-address=193.148.18.66 endpoint-port=51820 interface=pvpn1 public-key="4Gjn941JfIDqDB3KWubQ4slUR362dUrgbT7WGvldPlM="
/ip address
add address=192.168.10.1/24 interface=VL10_MGMT network=192.168.10.0
add address=192.168.20.1/24 interface=VL20_TRUST network=192.168.20.0
add address=192.168.35.1/24 interface=VL35_CELL network=192.168.35.0
add address=192.168.52.1/24 interface=VL52_IOT network=192.168.52.0
add address=192.168.40.1/24 interface=VL40_GUEST network=192.168.40.0
add address=192.168.55.1/24 interface=VL55_P2P network=192.168.55.0
add address=192.168.60.1/24 interface=VL60_LAB network=192.168.60.0
add address=10.255.255.2/30 comment="10.255.255.0/30 address space will be used for indivual wireguard interfaces " interface=wireguard1 network=10.255.255.0
add address=10.0.4.1/24 interface=VL100_WIREGUARD network=10.0.4.0
add address=10.0.2.2 interface=wireguard2 network=10.0.2.2
add address=192.168.50.1/24 interface=VL50-CLEARNET network=192.168.50.0
add address=192.168.51.1/24 interface=VL51_MEDIA network=192.168.51.0
/ip dhcp-client
add disabled=yes interface=ether1 use-peer-dns=no use-peer-ntp=no
add interface=VL90_PASSUNTRUSTED
/ip dhcp-server lease
add address=192.168.20.100 client-id=ff:ad:3a:c9:6c:0:2:0:0:ab:11:c4:47:4b:e5:b3:54:d1:44 comment=FQDN-Local mac-address=34:97:F6:32:97:FC server=VL20_DHCP
add address=10.0.4.100 client-id=ff:ad:3a:c9:6c:0:2:0:0:ab:11:c4:47:4b:e5:b3:54:d1:44 comment=FQDN-Local mac-address=34:97:F6:32:97:FC server=VL100_DHCP
add address=192.168.20.106 client-id=ff:5f:e:72:be:0:4:36:43:46:30:34:39:32:45:36:32:37:30:ff:ff:ff:ff comment=FQDN-Local mac-address=80:61:5F:0E:72:BE server=VL20_DHCP
/ip dhcp-server network
add address=10.0.4.0/24 gateway=10.0.4.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1 netmask=24
add address=192.168.20.0/24 dhcp-option="raspberry pi boot,raspberry pi tftp" dns-server=192.168.20.1 domain=FQDN-Local gateway=192.168.20.1 netmask=24 next-server=192.168.20.100 ntp-server=192.168.20.1
add address=192.168.35.0/24 dns-server=192.168.35.1 gateway=192.168.35.1 netmask=24
add address=192.168.40.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.40.1
add address=192.168.50.0/24 comment=VL50-CLEARNET dns-server=1.1.1.1,8.8.8.8 gateway=192.168.50.1 netmask=24
add address=192.168.51.0/24 boot-file-name=/pxelinux.0 comment="Media Network - with Netboot" dns-server=192.168.51.1 gateway=192.168.51.1 netmask=24 ntp-server=192.168.51.1
add address=192.168.52.0/24 dns-server=192.168.52.1 gateway=192.168.52.1 netmask=24
add address=192.168.55.0/24 dns-server=192.168.55.1 gateway=192.168.55.1
add address=192.168.60.0/24 dns-server=192.168.60.1 gateway=192.168.60.1 netmask=24
/ip dns
set allow-remote-requests=yes max-concurrent-tcp-sessions=40 servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.20.106 name=FQDN-Local
add address=192.168.20.1 name=vlan20.FQDN-Local
add address=192.168.20.100 name=FQDN-Local
add address=192.168.11.3 name=mariadb.FQDN-Local
add address=192.168.20.100 name=nfs.FQDN-Local
add address=10.0.4.100 name=FQDN-Local
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=192.168.20.0/24 list=VL20_Addresses
add address=192.168.55.0/24 comment="For P2P VPN Connections" list=VL55_Addresses
add address=192.168.10.0/24 list=VL10_Addresses
add address=192.168.35.0/24 list=VL35_Addresses
add address=192.168.99.0/24 list=VL99_Addresses
add address=10.0.4.0/24 list=VL100_Addresses
add address=192.168.200.0/24 list=VL90_Addresses
add address=10.255.255.2 list=wireguard1
add address=192.168.60.0/24 list=VL60_Addresses
add address=10.0.1.0/24 comment=earthcloud list=wireguard1-share
add address=10.0.3.0/24 comment="laptop - via earthcloud" list=wireguard1-share
add address=10.0.5.0/24 list=wireguard2-share
add address=10.0.2.2 list=wireguard2
add address=192.168.50.0/24 list=VL50_Addresses
add address=192.168.40.0/24 list=VL40_Addresses
add address=192.168.52.0/24 list=VL52_Addresses
add address=192.168.51.0/24 list=VL51_Addresses
add address=10.0.4.0/24 list=wireguard1-share
add address=10.255.255.2 list=wireguard1-share
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related,untracked disabled=yes src-address=xxx.xxx.xx.xx
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related,untracked disabled=yes dst-address=xxx.xxx.xx.xx
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=accept chain=input comment="VL10_MGMT - ANTI-LOCKOUT - WINBOX" dst-address=192.168.10.1 dst-port=8291 in-interface-list=MGMT protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=jump chain=input comment="VL10-input: JUMP" dst-address-list=VL10_Addresses in-interface=VL10_MGMT jump-target=VL10-input
add action=jump chain=input comment="VL20-input: JUMP" dst-address-list=VL20_Addresses in-interface=VL20_TRUST jump-target=VL20-input
add action=jump chain=input comment="VL35-input: JUMP" dst-address-list=VL35_Addresses in-interface=VL35_CELL jump-target=VL35-input
add action=jump chain=input comment="VL40-input: JUMP" dst-address-list=VL40_Addresses in-interface=VL40_GUEST jump-target=VL40-input
add action=jump chain=input comment="VL50-input: JUMP" dst-address-list=VL50_Addresses in-interface=VL50-CLEARNET jump-target=VL50-input
add action=jump chain=input comment="VL52-input: JUMP" dst-address-list=VL52_Addresses in-interface=VL52_IOT jump-target=VL52-input
add action=jump chain=input comment="VL51-input: JUMP" dst-address-list=VL52_Addresses in-interface=VL51_MEDIA jump-target=VL51-input
add action=jump chain=input comment="VL55-input: JUMP" dst-address-list=VL55_Addresses in-interface=VL55_P2P jump-target=VL55-input
add action=jump chain=input comment="VL60-input: JUMP" dst-address-list=VL60_Addresses in-interface-list=LAB jump-target=VL60-input
add action=jump chain=input comment="VL90-input: JUMP" in-interface=VL90_PASSUNTRUSTED jump-target=VL90-input
add action=jump chain=input comment="VL100-input: JUMP -- CAUTION!: no dst address filter" jump-target=VL100-input src-address-list=VL100_Addresses
add action=jump chain=input comment="wireguard1-input: JUMP -- CAUTION!: no dst address filter" jump-target=wireguard1-input src-address-list=wireguard1-share
add action=jump chain=input comment="wireguard2-input: JUMP -- CAUTION!: no dst address filter" in-interface=wireguard2 jump-target=wireguard2-input
add action=drop chain=input comment="input: DROP BROADCAST [log spam guard]" dst-address-type=broadcast
add action=drop chain=input comment="input: DROPALL" log=yes log-prefix=input:DROPALL
add action=jump chain=forward comment="VL10-forward: JUMP" in-interface=VL10_MGMT jump-target=VL10-forward
add action=jump chain=forward comment="VL20-forward: JUMP" in-interface=VL20_TRUST jump-target=VL20-forward
add action=jump chain=forward comment="VL35-forward: JUMP" in-interface=VL35_CELL jump-target=VL35-forward
add action=jump chain=forward comment="VL40-forward: JUMP" in-interface=VL40_GUEST jump-target=VL40-forward
add action=jump chain=forward comment="VL50-forward: JUMP" in-interface=VL50-CLEARNET jump-target=VL50-forward
add action=jump chain=forward comment="VL51-forward: JUMP" in-interface=VL51_MEDIA jump-target=VL51-forward
add action=jump chain=forward comment="VL52-forward: JUMP" in-interface=VL52_IOT jump-target=VL52-forward
add action=jump chain=forward comment="VL55-forward: JUMP" in-interface=VL55_P2P jump-target=VL55-forward
add action=jump chain=forward comment="VL60-forward: JUMP" in-interface-list=LAB jump-target=VL60-forward
add action=jump chain=forward comment="VL90-forward: JUMP" in-interface=VL90_PASSUNTRUSTED jump-target=VL90-forward
add action=jump chain=forward comment="VL100-forward: JUMP" jump-target=VL100-forward src-address-list=VL100_Addresses
add action=jump chain=forward comment="wireguard1-forward: JUMP" jump-target=wireguard1-forward src-address-list=wireguard1-share
add action=jump chain=forward comment="wireguard2-forward: JUMP" in-interface=wireguard2 jump-target=wireguard2-forward
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4
add action=drop chain=forward comment="DROP anything form VL90 for fowarding - this is essentially WAN" in-interface=VL90_PASSUNTRUSTED log-prefix=DROPALL
add action=drop chain=forward comment="DROP ALL ELSE" log=yes log-prefix="forward: DROPALL"
add action=accept chain=output comment=";;; ALLOW Syncthing Traffic Outbound" disabled=yes out-interface-list=VLAN_WAN protocol=tcp src-port=22000
add action=accept chain=output comment=";;; ALLOW Syncthing Traffic Outbound" disabled=yes out-interface-list=VLAN_WAN protocol=udp src-port=22000
add action=accept chain=VL10-input comment="accept DNS from LAN" dst-port=53 protocol=udp
add action=accept chain=VL10-input comment="accept NTP from LAN" dst-port=123 protocol=udp
add action=accept chain=VL10-input comment="accept DHCP request on LAN interfaces" dst-port=67 protocol=udp src-port=68
add action=accept chain=VL10-input comment="accept ICMP after RAW" log-prefix=DEBUG: protocol=icmp
add action=drop chain=VL10-input comment="VL10-input: DROP BROADCAST [log spam guard]" dst-address-type=broadcast
add action=drop chain=VL10-input comment="VL10-input: DROPALL" log=yes log-prefix=VL10-input:DROPALL
add action=accept chain=VL10-forward comment="VL10-forward:WAN ACCESS TOGGLE" out-interface-list=WAN
add action=drop chain=VL10-forward comment="VL10-forward: DROPALL" log=yes log-prefix=VL10-forward:DROPALL
add action=accept chain=VL20-input comment="accept DNS from LAN" dst-port=53 protocol=udp
add action=accept chain=VL20-input comment="accept NTP from LAN" dst-port=123 protocol=udp
add action=accept chain=VL20-input comment="accept DHCP request on LAN interfaces" dst-port=67 protocol=udp src-port=68
add action=accept chain=VL20-input comment="accept ICMP after RAW" protocol=icmp
add action=accept chain=VL20-input comment="VL20-input: Allow wireguard2 access" dst-address-type="" dst-port=13231 protocol=udp
add action=drop chain=VL20-input comment="VL20-input: DROP BROADCAST [log spam guard]" dst-address-type=broadcast
add action=drop chain=VL20-input comment="VL20-input: DROPALL" log=yes log-prefix=VL20-input:DROPALL
add action=accept chain=VL20-forward comment="VL20-forward: ALLOW WAN ACCESS" out-interface-list=WAN
add action=accept chain=VL20-forward comment="VL20-forward: ALLOW SSH into IOT " disabled=yes dst-port=22 out-interface=VL52_IOT protocol=tcp
add action=accept chain=VL20-forward comment="VL20-forward: ALLOW ICMP into IOT " disabled=yes out-interface=VL52_IOT protocol=icmp
add action=drop chain=VL20-forward comment="VL20-forward: DROPALL" log=yes log-prefix=VL20-forward:DROPALL
add action=accept chain=VL60-input comment="VL60-input: accept DNS" dst-port=53 protocol=udp
add action=accept chain=VL60-input comment="VL60-input: accept DNS" dst-port=53 protocol=tcp
add action=accept chain=VL60-input comment="VL60-input: accept NTP" dst-port=123 protocol=udp
add action=accept chain=VL60-input comment="VL60-input: accept DHCP " dst-port=67 protocol=udp src-port=68
add action=accept chain=VL60-input comment="accept ICMP after RAW" protocol=icmp
add action=drop chain=VL60-input comment="VL60-input: DROP BROADCAST [log spam guard]" dst-address-type=broadcast
add action=drop chain=VL60-input comment="VL60-input: DROP ALL ELSE" log=yes log-prefix=VL60-input:DROPALL
add action=drop chain=VL60-forward comment="VL60-forward: WAN ACCESS TOGGLE" out-interface-list=WAN
add action=drop chain=VL60-forward comment="VL60-forward: DROP ALL ELSE" log=yes log-prefix="VL60-forward: DROPALL"
add action=accept chain=VL90-input comment="VL90-input: Allow wireguard2 port forward (dstnat)" disabled=yes dst-address-type="" dst-port=13231 protocol=udp
add action=drop chain=VL90-input comment="VL90-input: DROP BROADCAST [log spam guard]" dst-address-type=broadcast
add action=drop chain=VL90-input comment="VL90-input: DROP ALL" log=yes log-prefix="VL90-input: DROPALL"
add action=drop chain=VL90-forward comment="VL90-forward: DROPALL" log=yes log-prefix=VL90-forward:DROPALL
add action=accept chain=VL100-input comment="VL100-input: accept wireguard1 ICMP" dst-address-list=wireguard1-share protocol=icmp
add action=accept chain=VL100-input comment="VL100-input: accept wireguard2 ICMP" dst-address-list=wireguard2 protocol=icmp
add action=drop chain=VL100-input comment="VL100-input: DROP intervlan traffic - ignore broadcast (taken care of down the chain - log spam guard)" dst-address-list=!VL100_Addresses dst-address-type=!broadcast log=yes log-prefix=\
    "VL100-input: DROP intervlan traffic"
add action=accept chain=VL100-input comment="VL100-input: accept DNS" dst-port=53 protocol=udp
add action=accept chain=VL100-input comment="VL100-input: accept NTP" dst-port=123 protocol=udp
add action=accept chain=VL100-input comment="VL100-input: accept DHCP " dst-port=67 protocol=udp src-port=68
add action=accept chain=VL100-input comment="VL100-input: accept ICMP after RAW" protocol=icmp
add action=accept chain=VL100-input comment="VL100-input: Allow ALL on subnet" src-address=10.0.4.0/24
add action=drop chain=VL100-input comment="VL100-input: DROP BROADCAST [log spam guard]" dst-address-type=broadcast
add action=drop chain=VL100-input comment="VL100-input: DROPALL" log=yes log-prefix=VL100-input:DROPALL
add action=accept chain=VL100-forward comment="VL100-forward: ALLOW to wireguard1 " dst-address-list=wireguard1-share
add action=accept chain=VL100-forward comment="VL100-forward: ALLOW to wireguard2" dst-address-list=wireguard2-share
add action=drop chain=VL100-forward comment="VL100-forward: DROPALL" log=yes log-prefix=VL100-forward:DROPALL
add action=accept chain=wireguard1-input comment="wireguard1: accept DNS from wireguard1" dst-port=53 protocol=udp
add action=accept chain=wireguard1-input comment="wireguard1-forward: Allow ICMP" protocol=icmp
add action=drop chain=wireguard1-input comment="wireguard1-input: DROPALL" log=yes log-prefix="wireguard1-input: DROPALL"
add action=accept chain=wireguard1-forward comment="wireguard1-forward: Allow to VL100 - ICMP" dst-address-list=VL100_Addresses protocol=icmp
add action=accept chain=wireguard1-forward comment="wireguard1-forward: Allow to VL100 - SSH" dst-address-list=VL100_Addresses dst-port=22 protocol=tcp
add action=accept chain=wireguard1-forward comment="wireguard1-forward: Allow to VL100 - HTTP access" dst-address-list=VL100_Addresses dst-port=80 protocol=tcp
add action=accept chain=wireguard1-forward comment="wireguard1-forward: Allow to VL100 - HTTPS access" dst-address-list=VL100_Addresses dst-port=443 protocol=tcp
add action=accept chain=wireguard1-forward comment="wireguard1-forward: Allow to VL100 - NFS" disabled=yes dst-address-list=VL100_Addresses dst-port=2049 protocol=tcp
add action=accept chain=wireguard1-forward comment="wireguard1-forward: Allow to VL100 - Kerberosv5 - TCP" disabled=yes dst-address-list=VL100_Addresses dst-port=88 protocol=tcp
add action=accept chain=wireguard1-forward comment="wireguard1-forward: Allow to VL100 - Kerberosv5 - UDP" disabled=yes dst-address-list=VL100_Addresses dst-port=88 protocol=udp
add action=accept chain=wireguard1-forward comment="wireguard1-forward: Allow to VL100 - Kerberosv5 - kadmin - UDP" disabled=yes dst-address-list=VL100_Addresses dst-port=749 protocol=udp
add action=accept chain=wireguard1-forward comment="wireguard1-forward: Allow to VL100 - Kerberosv5 - kadmin - TCP" disabled=yes dst-address-list=VL100_Addresses dst-port=749 protocol=tcp
add action=accept chain=wireguard1-forward comment="wireguard1-forward: Allow to VL100 - iperf" disabled=yes dst-address-list=VL100_Addresses dst-port=5001 protocol=tcp
add action=drop chain=wireguard1-forward comment="wireguard1-forward: DROPALL" log=yes log-prefix="wireguard1-forward: DROPALL"
add action=drop chain=wireguard2-input comment="wireguard2-input: DROPALL" log=yes log-prefix="wireguard2-input: DROPALL"
add action=accept chain=wireguard2-forward comment="wireguard2-forward: Allow to VL100 - ICMP" dst-address-list=VL100_Addresses protocol=icmp
add action=accept chain=wireguard2-forward comment="wireguard2-forward: Allow to VL100 - SSH" dst-address-list=VL100_Addresses dst-port=22 protocol=tcp
add action=accept chain=wireguard2-forward comment="wireguard2-forward: Allow to VL100 - NFS" dst-address-list=VL100_Addresses dst-port=2049 protocol=tcp
add action=accept chain=wireguard2-forward comment="wireguard2-forward: Allow to VL100 - RPC for NFS" dst-address-list=VL100_Addresses dst-port=111 protocol=tcp
add action=accept chain=wireguard2-forward comment="wireguard2-forward: Allow to VL100 - Kerberosv5 - TCP" dst-address-list=VL100_Addresses dst-port=88 protocol=tcp
add action=accept chain=wireguard2-forward comment="wireguard2-forward: Allow to VL100 - Kerberosv5 - UDP" dst-address-list=VL100_Addresses dst-port=88 protocol=udp
add action=accept chain=wireguard2-forward comment="wireguard2-forward: Allow to VL100 - iperf" disabled=yes dst-address-list=VL100_Addresses dst-port=5001 protocol=tcp
add action=drop chain=wireguard2-forward comment="wireguard2-forward: DROPALL" log=yes log-prefix="wireguard2-forward: DROPALL"
add action=accept chain=VL35-input comment="VL35-input: accept DNS" dst-port=53 protocol=udp
add action=accept chain=VL35-input comment="VL35-input: accept DHCP " dst-port=67 protocol=udp src-port=68
add action=drop chain=VL35-input comment="VL35-input: DROPALL" log=yes log-prefix="VL35-input: DROPALL"
add action=accept chain=VL35-forward comment="VL35-forward: ALLOW WAN ACCESS" out-interface-list=WAN
add action=accept chain=VL35-forward comment="VL35-forward: ALLOW SNAPCAST" disabled=yes dst-address=192.168.20.100 dst-port=1704 protocol=tcp
add action=drop chain=VL35-forward comment="V35-forward: DROPALL" log=yes log-prefix="VL35-forward: DROPALL"
add action=accept chain=VL40-input comment="VL40-input: accept DHCP " dst-port=67 protocol=udp src-port=68
add action=accept chain=VL40-input comment="VL40-input: accept DNS" dst-port=53 protocol=udp
add action=accept chain=VL40-input comment="VL40-input: accept ICMP after RAW" protocol=icmp
add action=drop chain=VL40-input comment="V40-input: DROPALL" log=yes log-prefix="VL40-input: DROPALL"
add action=accept chain=VL40-forward comment="VL40-forward: ALLOW WAN ACCESS" out-interface-list=WAN
add action=drop chain=VL40-forward comment="V40-forward: DROPALL" log=yes log-prefix="VL40-forward: DROPALL"
add action=accept chain=VL50-input comment="VL50-input: accept DHCP " dst-port=67 protocol=udp src-port=68
add action=accept chain=VL50-input comment="VL50-input: accept DNS" dst-port=53 protocol=udp
add action=accept chain=VL50-input comment="accept ICMP after RAW" protocol=icmp
add action=drop chain=VL50-input comment="V50-input: DROPALL" log=yes log-prefix="VL50-input: DROPALL"
add action=accept chain=VL50-forward comment="VL50-forward: ALLOW WAN ACCESS" out-interface-list=WAN
add action=drop chain=VL50-forward comment="V50-forward: DROPALL" log=yes log-prefix="VL50-forward: DROPALL"
add action=accept chain=VL55-input comment="VL55-input: accept DNS" dst-port=53 protocol=udp
add action=accept chain=VL55-input comment="VL55-input: accept DHCP " dst-port=67 protocol=udp src-port=68
add action=drop chain=VL55-input comment="VL55-input: DROPALL" log=yes log-prefix="VL55-input: DROPALL"
add action=accept chain=VL55-forward comment="VL55-forward: ALLOW ACCESS TO SPECIFIC VPN SERVER ADDRESS ONLY  (DISABLE WAN ACCESS BELOW) -- NY#54" dst-address=37.120.244.62 out-interface-list=WAN
add action=accept chain=VL55-forward comment="VL55-forward: ALLOW WAN ACCESS" disabled=yes out-interface-list=WAN
add action=drop chain=VL55-forward comment="VL55-forward: DROPALL" log=yes log-prefix="VL55-forward: DROPALL"
add action=accept chain=VL51-input comment="VL51-input: accept DNS" dst-port=53 protocol=udp
add action=accept chain=VL51-input comment="VL51-input: accept NTP" dst-port=123 protocol=udp
add action=accept chain=VL51-input comment="VL51-input: accept DHCP " dst-port=67 protocol=udp src-port=68
add action=drop chain=VL51-input comment="VL51-input: DROPALL" log=yes log-prefix="VL51-input: DROPALL"
add action=accept chain=VL51-forward comment="VL51-forward: ALLOW WAN " log-prefix="VL51-forward: Allow WAN" out-interface-list=WAN
add action=drop chain=VL51-forward comment="VL51-forward: DROPALL" log=yes log-prefix="VL51-forward: DROPALL"
add action=accept chain=VL52-input comment="VL52-input: accept DNS" dst-port=53 protocol=udp
add action=accept chain=VL52-input comment="VL52-input: accept NTP" dst-port=123 protocol=udp
add action=accept chain=VL52-input comment="VL52-input: accept DHCP " dst-port=67 protocol=udp src-port=68
add action=drop chain=VL52-input comment="VL52-input: DROPALL" log=yes log-prefix="VL52-input: DROPALL"
add action=accept chain=VL52-forward comment="VL52-forward: SNAPCAST - Stream Port 1704" dst-address=192.168.20.100 dst-port=1704 protocol=tcp
add action=accept chain=VL52-forward comment="VL52-forward: SNAPCAST - Control Port 1705" dst-address=192.168.20.100 dst-port=1705 protocol=tcp
add action=drop chain=VL52-forward comment="VL52-forward: DROP WAN " log-prefix="VL52-forward: DROPWAN" out-interface-list=WAN
add action=drop chain=VL52-forward comment="VL52-forward: DROPALL" log=yes log-prefix="VL52-forward: DROPALL"
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes in-interface=wireguard1 log=yes log-prefix="VRF-IN-WG1: " new-routing-mark=vrf_earthcloud passthrough=yes
add action=mark-routing chain=prerouting disabled=yes log-prefix="VRF-IN-WG1: " new-routing-mark=vrf_earthcloud passthrough=yes src-address-list=wireguard1-share
add action=mark-routing chain=output disabled=yes dst-address-list=wireguard1-share log-prefix="VRF-OUT-WG1: " new-routing-mark=vrf_earthcloud passthrough=yes
add action=mark-routing chain=output disabled=yes log=yes log-prefix="VRF-OUT-WG1: " new-routing-mark=vrf_earthcloud out-interface=wireguard1 passthrough=yes
add action=mark-routing chain=prerouting in-interface=VL100_WIREGUARD log-prefix="VRF-IN-VL100: " new-routing-mark=vrf_earthcloud passthrough=yes
add action=mark-routing chain=output log-prefix="VRF-OUT-VL100: " new-routing-mark=vrf_earthcloud out-interface=VL100_WIREGUARD passthrough=yes
add action=mark-connection chain=prerouting connection-state=new new-connection-mark=wg_conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wg_conn in-interface=wireguard1 new-routing-mark=vrf_earthcloud passthrough=yes
/ip firewall nat
add action=src-nat chain=srcnat disabled=yes out-interface=wireguard1 to-addresses=10.0.1.10
add action=accept chain=srcnat comment="defconf: accept all that matches IPSec policy" ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" log-prefix="SNAT-WAN: " out-interface-list=WAN
add action=src-nat chain=srcnat comment="defconf: masquerade" disabled=yes dst-address-list=!wireguard1-share log=yes log-prefix="SNAT-WG0: " src-address-list=VL100_Addresses to-addresses=10.255.255.2
add action=dst-nat chain=dstnat comment="Syncthing traffic NAT" disabled=yes dst-port=22000 in-interface-list=WAN protocol=tcp to-addresses=192.168.20.103
add action=src-nat chain=srcnat disabled=yes dst-address-list=wireguard1-share log=yes log-prefix=wireguard1-srcnat src-address-list=VL100_Addresses to-addresses=10.0.2.1
add action=dst-nat chain=dstnat comment="wireguard NAT to support direct connections" disabled=yes dst-address=192.168.200.100 dst-port=13231 protocol=udp to-addresses=10.0.2.1
add action=masquerade chain=srcnat disabled=yes out-interface-list=WAN src-address-list=VL40_Addresses
/ip firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment=ANTI-LOCKOUT-MGMT in-interface-list=MGMT
add action=accept chain=prerouting comment="LAB: accept everything else from LAB" in-interface-list=LAB
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=notrack chain=prerouting comment="IPSEC tunnel rule: https://forum.mikrotik.com/viewtopic.php\?p=889207" disabled=yes ipsec-policy=in,ipsec
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" disabled=yes dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" disabled=yes dst-address-list=bad_dst_ipv4 log-prefix="RAW-PREROUTING: bogon IP drop"
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" dst-address=192.168.88.0/24 in-interface-list=WAN
add action=accept chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN src-address=10.0.0.0/16
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" disabled=yes in-interface-list=LAN src-address=!192.168.0.0/16
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment="Allow VLAN_WAN traffic - Enables GUEST VLAN" in-interface-list=VLAN_WAN
add action=accept chain=prerouting comment="Allow preroute traffic for wireguard1" src-address-list=wireguard1-share
add action=accept chain=prerouting comment="Allow preroute traffic for wireguard2" in-interface=wireguard2
add action=accept chain=prerouting comment="Allow preroute traffic for wireguard2" src-address-list=wireguard1-share
add action=accept chain=prerouting comment="Allow preroute traffic for wireguard2" src-address-list=VL51_Addresses
add action=drop chain=prerouting comment="defconf: drop the rest" log=yes log-prefix="RAW-PREROUTE: DROP ALL"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
add action=notrack chain=output comment="IPSEC Tunnel rule: https://forum.mikrotik.com/viewtopic.php\?p=889207" disabled=yes ipsec-policy=out,ipsec
/ip ipsec identity
add auth-method=eap certificate=ProtonVPN_ike_root.der_0 comment="Proton Identity with adblock and malware filter" eap-methods=eap-mschapv2 generate-policy=port-override mode-config=ProtonVPN peer=ProtonVPN-US policy-template-group=ProtonVPN \
    username=USERNAME+b:2+f2
add auth-method=eap certificate=ProtonVPN_ike_root.der_0 eap-methods=eap-mschapv2 generate-policy=port-override mode-config=ProtonVPN_USCA98 peer=ProtonVPN_USCA98_P2P policy-template-group=ProtonVPN username=USERNAME+f2
add auth-method=eap certificate=ProtonVPN_ike_root.der_0 eap-methods=eap-mschapv2 generate-policy=port-override mode-config=ProtonVPN peer=ProtonVPN-CO5 policy-template-group=ProtonVPN username=USERNAME+b:2+f2
add auth-method=eap certificate=ProtonVPN_ike_root.der_0 comment="Proton Identity with adblock and malware filter" eap-methods=eap-mschapv2 generate-policy=port-override mode-config=ProtonVPN peer=ProtonVpn-US-FL#39 policy-template-group=ProtonVPN \
    username=USERNAME+b:1+f2
add auth-method=eap certificate=ProtonVPN_ike_root.der_0 eap-methods=eap-mschapv2 generate-policy=port-override mode-config=ProtonVPN peer="Chicago - US-IL44" policy-template-group=ProtonVPN username=USERNAME+f2
add auth-method=eap certificate=ProtonVPN_ike_root.der_0 eap-methods=eap-mschapv2 generate-policy=port-override mode-config=ProtonVPN peer=US-VA#25 policy-template-group=ProtonVPN username=USERNAME+b
/ip ipsec policy
add disabled=yes dst-address=0.0.0.0/0 group=ProtonVPN src-address=0.0.0.0/0 template=yes
/ip ipsec settings
set accounting=no
/ip route
add comment="Route for local laptop WG connection" disabled=no distance=1 dst-address=10.0.5.0/24 gateway=wireguard2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.0.1.10/32 gateway=wireguard1@vrf_earthcloud pref-src="" routing-table=vrf_earthcloud scope=11 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.0.1.10@vrf_earthcloud routing-table=vrf_earthcloud scope=30 suppress-hw-offload=no target-scope=11
add disabled=no distance=1 dst-address=YYY.YYY.Y.YY/32 gateway=wireguard1@vrf_earthcloud pref-src="" routing-table=vrf_earthcloud scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=EdgeRouter
/system logging
add disabled=yes topics=wireguard
add disabled=yes topics=dhcp
add disabled=yes topics=ipsec
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=204.11.201.10
add address=108.61.73.244
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool sniffer
set filter-interface=all filter-ip-address=8.8.8.8/32 streaming-enabled=yes streaming-server=192.168.20.100

 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VRF and Default Gateways

Mon Jul 25, 2022 10:06 pm

VRF to do Wireguard, a novel approach!!

OKAY, here is the scoop: VRF IS NOT READY FOR PRIME TIME.
THERE ARE KNOWN ISSUES, AS ITS INTERACTIONS WITH FIREWALL RULES AND THE LIKE ARE NOT KNOWN.
THE ONLY THING THAT WORKS IS THE ROUTES CREATED. THE REST IS A CRAP SHOOT.
RECOMMEND YOU DON'T USE VRF YET WITH WIREGUARD.


That being said, below are my observations prior to finding that out.......

(1) Just need clarification on the allowed addresses.............. I am assuming from the below that you want VLAN users to be able to access on VPS or beyond, the two subnets shown and NOT internet (10.0.1.0/24,10.0.3.0/24)?? Further, the wireguard vlan will not have local internet access nor access to other vlans on the local router right?

(2) The wireguard address should be properly formatted see below:
add address=10.255.255.2/24 comment="wireguard1 VPN to VPS" interface=wireguard1 network=10.255.255.0

(3) I think your firewall rules are way overcomplicated.......... why all the jump rules, especially for the INPUT chain?
That is the reason to have interface lists......... simplify, simplify.
All the ones that need DNS service - then you have one input chain rule
All the ones that need NTP service - then you have one input chain rule.

I do like the fact that you use drop all, so forget about all the other nonsense.
and add back in after the input chain established related
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
Then put your very nice admin rule (even though it's duplicated - a symptom of a bloated, out-of-control firewall).
add action=accept chain=input comment="VL10_MGMT - ANTI-LOCKOUT - WINBOX" dst-address=192.168.10.1 dst-port=8291 in-interface-list=MGMT protocol=tcp

Except I would never publish here my actual dst-port, and depending on who else was on MGMT, would consider an additional firewall address list called "authorized" for example.

Also, there is absolutely no need for a separate drop broadcast rule on the input chain, that is covered in the next rule the drop all rule, making it redundant.

(4) This needs to be removed as the MT is a client NOT a server and does not require an input chain rule at all???
add action=jump chain=input comment="wireguard1-input: JUMP -- CAUTION!: no dst address filter" jump-target=wireguard1-input src-address-list=wireguard1-share
add action=drop chain=wireguard1-input comment="wireguard1-input: DROPALL" log=yes log-prefix="wireguard1-input: DROPALL"


(5) Instead of cluttering the MT device with all these outgoing vlan100 forward chain rules.. you could put them on the VPS end........ I suppose it doesn't matter either way......... Looks like the wireguard 1 access to the VPS is very limited to certain ports etc......... For me it might make more sense to limit to specific IPs either at the MT router or at the VPS end, as you give whole subnet access on the allowed IPs, which is the way I would do it as well.


(6) I think you are missing an interface on this rule?? I am assuming the jump chain is to control
either users on the VPS accessing the VLAN100, or users on VLAN100 accessing services on the VPS. Something I found too difficult to figure out LOL.
add action=jump chain=forward comment="wireguard1-forward: JUMP" jump-target=wireguard1-forward src-address-list=wireguard1-share

(7) WHY, you have a drop rule at the end of the forward chain??
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
All you need is:
add action=accept chain=forward comment="allow dst-nat" connection-nat-state=dstnat

(8) Any rules such as this are redundant as well and take care of by the drop rule!!
add action=drop chain=VL100-input comment="VL100-input: DROP intervlan traffic - ignore broadcast (taken care of down the chain - log spam guard)" dst-address-list=!VL100_Addresses dst-address-type=!broadcast log=yes log-prefix=\
"VL100-input: DROP intervlan traffic"


(9) WHY ARE you MANGLING vlan 100 traffic? That was the purpose of using VRF, so that you didn't have to use mangle or route rules !!!

(10) Why are you source NATTING out wireguard one? First of all,
you control the VPS; it's not a third-party VPN, and thus for allowed IPs at the VPS just put in the subnet of the VL100 (10.0.4.0/24) ?? No sourcenat required.
If you did for any reason the format is simpler
add action=masquerade chain=srcnat disabled=yes out-interface=wireguard1

Okay then I see the next rule......... is also not correct, the one above works just fine but again I see this rule too is disabled ?????
So perhaps you realized you do not have to source nat here after all LOL.
add action=src-nat chain=srcnat comment="defconf: masquerade" disabled=yes dst-address-list=!wireguard1-share log=yes log-prefix="SNAT-WG0: " src-address-list=VL100_Addresses to-addresses=10.255.255.2

OKAY I see its disabled LOL

(11) You dont need any of your bogons and other crap rules of any chain, prerouting, raw etc........ garbage from youtube etc....................
If you really want to do bogons just do something like.
/ip route
add blackhole disabled=no dst-address=10.0.0.0/8
add blackhole disabled=no dst-address=172.16.0.0/12
add blackhole disabled=no dst-address=192.168.0.0/16

(12) My understanding is that VRF creates the necessary routes for subnets within the VRF, and there is only one, so that's fine....... BUT not sure what this shows??
Did you manually enter them......
add disabled=no distance=1 dst-address=10.0.1.10/32 gateway=wireguard1@vrf_earthcloud pref-src="" routing-table=vrf_earthcloud scope=11 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.0.1.10@vrf_earthcloud routing-table=vrf_earthcloud scope=30 suppress-hw-offload=no target-scope=11
add disabled=no distance=1 dst-address=YYY.YYY.Y.YY/32 gateway=wireguard1@vrf_earthcloud pref-src="" routing-table=vrf_earthcloud scope=30 suppress-hw-offload=no target-scope=10


In any case there
The only two you need are as follows:
add dst-address=10.0.1.0/24 gwy=wireguard1@vrf_earthcloud table=vrf_earthcloud
add dst-address=10.0.3.0/24 gwy=wireguard1@vrf_earthcloud table=vrf_earthcloud

( I cannot seem to find /ip routing table in your config, usually right after /routing ospf area??)
Last edited by anav on Mon Jul 25, 2022 10:30 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada


Re: Wireguard VRF and Default Gateways

Mon Jul 25, 2022 10:28 pm

How to get there from here.
Still not too hard, no mangling required.

/ip routing table
add name=vrf_earthcloud fib

/ip route
add dst-address=10.0.1.0/24 gwy=wireguard1 table=vrf_earthcloud
add dst-address=10.0.3.0/24 gwy=wireguard1 table=vrf_earthcloud

/routing rule add src-address=10.0.4.0/24 action=lookup-only-in-table table=vrf_earthcloud


Now all your firewall rules, etc will work.
 
E15RQ22EZN9
just joined
Topic Author
Posts: 10
Joined: Tue Mar 02, 2021 12:49 pm

Re: Wireguard VRF and Default Gateways

Tue Jul 26, 2022 9:12 pm

anav, thanks so much for the incredible feedback! I have responded to your detailed comments below. Unfortunately I still don't have it working (see my last comments). I think I may try to just mangle it since VRF is not quite ready yet. I assume at this point, it is the state of VRF that is my problem and not my config.
(1) Just need clarification on the allowed addresses.............. I am assuming from the below that you want VLAN users to be able to access on VPS or beyond, the two subnets shown and NOT internet (10.0.1.0/24,10.0.3.0/24)?? Further, the wireguard vlan will not have local internet access nor access to other vlans on the local router right?
100% Correct. VLAN 100 should only get to the internet through the VPS via wireguard 1
(2) The wireguard address should be properly formatted see below:
add address=10.255.255.2/24 comment="wireguard1 VPN to VPS" interface=wireguard1 network=10.255.255.0
Thanks, fixed!
(3) I think your firewall rules are way overcomplicated.......... why all the jump rules, especially for the INPUT chain?
That is the reason to have interface lists......... simplify, simplify.
All the ones that need DNS service - then you have one input chain rule
All the ones that need NTP service - then you have one input chain rule.

I do like the fact that you use drop all, so forget about all the other nonsense.
and add back in after the input chain established related
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
Then put your very nice admin rule (even though it's duplicated - a symptom of a bloated, out-of-control firewall).
add action=accept chain=input comment="VL10_MGMT - ANTI-LOCKOUT - WINBOX" dst-address=192.168.10.1 dst-port=8291 in-interface-list=MGMT protocol=tcp

Except I would never publish here my actual dst-port, and depending on who else was on MGMT, would consider an additional firewall address list called "authorized" for example.
Ok, done! I really did not like how duplicative my firewall got, the smart use of interface lists is great! I will have to change my MGMT port after I am done troubleshooting as well. Thanks for pointing out the security issue.
Also, there is absolutely no need for a separate drop broadcast rule on the input chain, that is covered in the next rule the drop all rule, making it redundant.
Yes, I agree that's true, but I keep it there so that I can de-clutter my drop all logs from all the broadcast hits. If there is a better way, I am all ears.
(4) This needs to be removed as the MT is a client NOT a server and does not require an input chain rule at all???
add action=jump chain=input comment="wireguard1-input: JUMP -- CAUTION!: no dst address filter" jump-target=wireguard1-input src-address-list=wireguard1-share
add action=drop chain=wireguard1-input comment="wireguard1-input: DROPALL" log=yes log-prefix="wireguard1-input: DROPALL"
Concur, I deleted it.
(5) Instead of cluttering the MT device with all these outgoing vlan100 forward chain rules.. you could put them on the VPS end........ I suppose it doesn't matter either way......... Looks like the wireguard 1 access to the VPS is very limited to certain ports etc......... For me it might make more sense to limit to specific IPs either at the MT router or at the VPS end, as you give whole subnet access on the allowed IPs, which is the way I would do it as well.
Thanks for the insight here. I think I am more comfortable being more stringent on what I perceive as the network "edge" vice moving it to the VPS.
(6) I think you are missing an interface on this rule?? I am assuming the jump chain is to control
either users on the VPS accessing the VLAN100, or users on VLAN100 accessing services on the VPS. Something I found too difficult to figure out LOL.
add action=jump chain=forward comment="wireguard1-forward: JUMP" jump-target=wireguard1-forward src-address-list=wireguard1-share
So this used to use the wireguard1 interface as the source, but it would not pick up traffic from the VPS subnets (10.0.1.0/24, 10.0.3.0/24, 10.0.4.0/24), so I switched to using the address list.
(7) WHY, you have a drop rule at the end of the forward chain??
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
All you need is:
Ha good catch here.... thanks!
(8) Any rules such as this are redundant as well and take care of by the drop rule!!
add action=drop chain=VL100-input comment="VL100-input: DROP intervlan traffic - ignore broadcast (taken care of down the chain - log spam guard)" dst-address-list=!VL100_Addresses dst-address-type=!broadcast log=yes log-prefix=\
"VL100-input: DROP intervlan traffic"
Agreed. Deleted.
(9) WHY ARE you MANGLING vlan 100 traffic? That was the purpose of using VRF, so that you didn't have to use mangle or route rules !!!
I did this when I started to think the VRF was broken. I have removed them now.
(10) Why are you source NATTING out wireguard one? First of all,
you control the VPS; it's not a third-party VPN, and thus for allowed IPs at the VPS just put in the subnet of the VL100 (10.0.4.0/24) ?? No sourcenat required.
If you did for any reason the format is simpler
add action=masquerade chain=srcnat disabled=yes out-interface=wireguard1

Okay then I see the next rule......... is also not correct, the one above works just fine but again I see this rule too is disabled ?????
So perhaps you realized you do not have to source nat here after all LOL.
add action=src-nat chain=srcnat comment="defconf: masquerade" disabled=yes dst-address-list=!wireguard1-share log=yes log-prefix="SNAT-WG0: " src-address-list=VL100_Addresses to-addresses=10.255.255.2

OKAY I see its disabled LOL
Yes I agree that SNAT is not required here.... I started just poking at things to see if I could get the route to work.... removed.
(11) You dont need any of your bogons and other crap rules of any chain, prerouting, raw etc........ garbage from youtube etc....................
If you really want to do bogons just do something like.
/ip route
add blackhole disabled=no dst-address=10.0.0.0/8
add blackhole disabled=no dst-address=172.16.0.0/12
add blackhole disabled=no dst-address=192.168.0.0/16
Yes my thinking has evolved on this, I don't think i need them either. I deleted the RAW table inputs.
(12) My understanding is that VRF creates the necessary routes for subnets within the VRF, and there is only one, so that's fine....... BUT not sure what this shows??
Did you manually enter them......
add disabled=no distance=1 dst-address=10.0.1.10/32 gateway=wireguard1@vrf_earthcloud pref-src="" routing-table=vrf_earthcloud scope=11 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.0.1.10@vrf_earthcloud routing-table=vrf_earthcloud scope=30 suppress-hw-offload=no target-scope=11
add disabled=no distance=1 dst-address=YYY.YYY.Y.YY/32 gateway=wireguard1@vrf_earthcloud pref-src="" routing-table=vrf_earthcloud scope=30 suppress-hw-offload=no target-scope=10
Yes I manually added these trying to get the default route to work.... They are gone now.
In any case there
The only two you need are as follows:
add dst-address=10.0.1.0/24 gwy=wireguard1@vrf_earthcloud table=vrf_earthcloud
add dst-address=10.0.3.0/24 gwy=wireguard1@vrf_earthcloud table=vrf_earthcloud
Yes I have these routes. I am not sure why the export did not include the routing table... weird.
How to get there from here.
Still not too hard, no mangling required.

/ip routing table
add name=vrf_earthcloud fib

/ip route
add dst-address=10.0.1.0/24 gwy=wireguard1 table=vrf_earthcloud
add dst-address=10.0.3.0/24 gwy=wireguard1 table=vrf_earthcloud

/routing rule add src-address=10.0.4.0/24 action=lookup-only-in-table table=vrf_earthcloud
Ok, so I added these rules (however, it would only accept them in the following format):
/ip route
add dst-address=10.0.3.0/24 gateway=wireguard1@vrf_earthcloud routing-table=vrf_earthcloud

It wanted the gateway to be @ the vrf even with the routing table specified it seems.

What is striking to me with this solution is that now I do not have a default route (0.0.0.0/0) on the VRF table. I would think i need that so it knows to route outside request through wireguard1

The rule is also interesting because the VLAN100 interface is already attached to the VRF: (But I added the rule anyway)
/ip/vrf> print
Flags: X - disabled; * - builtin 
 0    name="vrf_earthcloud" interfaces=wireguard1,VL100_WIREGUARD 

 1  * name="main" interfaces=all 

With the changes you suggested, here is the IP route table:
/ip/route> print
Flags: D - DYNAMIC; A - ACTIVE; c, s, d, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS      GATEWAY                         DISTANCE
  DAd 0.0.0.0/0        208.102.16.1                           1
  DAc 10.0.2.2/32      wireguard2                             0
;;; Route for local laptop WG connection
0  As 10.0.5.0/24      wireguard2                             1
  DAc 192.168.10.0/24  VL10_MGMT                              0
  DAc 192.168.20.0/24  VL20_TRUST                             0
  DAc 192.168.35.0/24  VL35_CELL                              0
  DAc 192.168.40.0/24  VL40_GUEST                             0
  DAc 192.168.50.0/24  VL50_CLEARNET                          0
  DAc 192.168.51.0/24  VL51_MEDIA                             0
  DAc 192.168.52.0/24  VL52_IOT                               0
  DAc 192.168.55.0/24  VL55_P2P                               0
  DAc 192.168.60.0/24  VL60_LAB                               0
  DAc XXX.XXX.XX.X/20  VL90_PASSUNTRUSTED                     0
1  As 10.0.1.0/24      wireguard1@vrf_earthcloud              1
2  As 10.0.3.0/24      wireguard1@vrf_earthcloud              1
  DAc 10.0.4.0/24      VL100_WIREGUARD@vrf_earthcloud         0
  DAc 10.255.255.0/24  wireguard1@vrf_earthcloud              0

Unfortunately, even with these changes it appears I still cannot ping 8.8.8.8 via VLAN100:
/tool/traceroute vrf=vrf_earthcloud address=8.8.8.8 
Columns: LOSS, SENT, LAST
#  LOSS  SENT  LAST   
1  100%     1  timeout
2  100%     1  timeout
3  100%     1  timeout
4  100%     1  timeout
5  0%       1  0ms    
I don't see the pings hit the VPS with TCPDUMP at all.

Perhaps I just need to abandon the VRF and instead use mangle to route anything outside wireguard1-share to the VPS via wireguard1? I assume if this config "should" work it is simply because of the state of VRF and not an error in my config.

anav, Thanks so much for giving me such detailed feedback, it is incredibly appreciated on my end. Thanks!!!

For your reference, due to your suggestion my firewall now looks like this :-) (all RAW rules are gone):
/ip/firewall/filter> print
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=forward action=accept connection-state=established,related,untracked log=no log-prefix="" 

 2    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related log=no log-prefix="" 

 3    ;;; defconf: accept all that matches IPSec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec 

 4    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 

 5    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 6    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 7    ;;; VL10_MGMT - ANTI-LOCKOUT - WINBOX
      chain=input action=accept protocol=tcp dst-address=192.168.10.1 in-interface-list=MGMT dst-port=8291 log=no log-prefix="" 

 8    ;;; input: accept DNS
      chain=input action=accept protocol=udp in-interface-list=DNS_interfaces dst-port=53 log=no log-prefix="" 

 9    ;;; input: accept NTP
      chain=input action=accept protocol=udp in-interface-list=NTP_interfaces dst-port=123 log=no log-prefix="" 

10    ;;; input: accept DHCP 
      chain=input action=accept protocol=udp in-interface-list=DHCP_interfaces src-port=68 dst-port=67 log=no log-prefix="" 

11    ;;; input: accept DNS requests from earthcloud on Wireguard1
      chain=input action=accept protocol=udp src-address-list=wireguard1-earthcloud dst-port=53 log=no log-prefix="" 

12    ;;; VL20-input: Allow wireguard2 access
      chain=input action=accept protocol=udp dst-address-type="" in-interface=VL20_TRUST dst-port=13231 log=no log-prefix="" 

13    ;;; input: DROP BROADCAST [log spam guard]
      chain=input action=drop dst-address-type=broadcast log=no log-prefix="" 

14    ;;; input: DROPALL
      chain=input action=drop log=yes log-prefix="input:DROPALL" 

15    ;;; forward: Allow WAN access for specific interfaces
      chain=forward action=accept in-interface-list=WAN_ACCESS out-interface-list=WAN log=no log-prefix="" 

16 X  ;;; forward:WAN ACCESS TOGGLE - MGMT Net
      chain=forward action=accept in-interface-list=MGMT out-interface-list=WAN log=no log-prefix="" 

17    ;;; VL55-forward: ALLOW ACCESS TO SPECIFIC VPN SERVER ADDRESS ONLY  (DISABLE WAN ACCESS BELOW) -- NY#54
      chain=forward action=accept dst-address=37.120.244.62 in-interface=VL55_P2P out-interface-list=WAN log=no log-prefix="" 

18 X  ;;; forward: ALLOW WAN ACCESS TOGGLE - VL55-P2P
      chain=forward action=accept in-interface=VL55_P2P out-interface-list=WAN log=no log-prefix="" 

19    ;;; forward: SNAPCAST - Stream Port 1704 - VL52-IOT to SNAPCAST SERVER (VL20)
      chain=forward action=accept protocol=tcp dst-address=192.168.20.100 in-interface=VL52_IOT dst-port=1704 log=no log-prefix="" 

20    ;;; forward: SNAPCAST - Stream Port 1705 - VL52-IOT to SNAPCAST SERVER (VL20)
      chain=forward action=accept protocol=tcp dst-address=192.168.20.100 in-interface=VL52_IOT dst-port=1705 log=no log-prefix="" 

21    ;;; forward: ALLOW to wireguard1 from VL100
      chain=forward action=accept dst-address-list=wireguard1-share in-interface=VL100_WIREGUARD log=no log-prefix="" 

22    ;;; forward: ALLOW to wireguard1 from VL100
      chain=forward action=accept dst-address-list=wireguard2-share in-interface=VL100_WIREGUARD log=no log-prefix="" 

23    ;;; wireguard1-forward: JUMP
      chain=forward action=jump jump-target=wireguard1-forward src-address-list=wireguard1-share log=no log-prefix="" 

24    ;;; wireguard2-forward: JUMP
      chain=forward action=jump jump-target=wireguard2-forward in-interface=wireguard2 log=no log-prefix="" 

25    ;;; allow dst-nat
      chain=forward action=accept connection-nat-state=dstnat 

26    ;;; defconf: drop bad forward IPs
      chain=forward action=drop src-address-list=no_forward_ipv4 

27    ;;; defconf: drop bad forward IPs
      chain=forward action=drop dst-address-list=no_forward_ipv4 

28    ;;; DROP anything form VL90 for fowarding - this is essentially WAN
      chain=forward action=drop in-interface=VL90_PASSUNTRUSTED log=no log-prefix="DROPALL" 

29    ;;; DROP ALL ELSE
      chain=forward action=drop log=yes log-prefix="forward: DROPALL" 

30    ;;; wireguard1-forward: Allow to VL100 - ICMP
      chain=wireguard1-forward action=accept protocol=icmp dst-address-list=wireguard1-share log=no log-prefix="" 

31    ;;; wireguard1-forward: Allow to VL100 - SSH
      chain=wireguard1-forward action=accept protocol=tcp dst-address-list=VL100_Addresses dst-port=22 log=no log-prefix="" 

32    ;;; wireguard1-forward: Allow to VL100 - HTTP access
      chain=wireguard1-forward action=accept protocol=tcp dst-address-list=VL100_Addresses dst-port=80 log=no log-prefix="" 

33    ;;; wireguard1-forward: Allow to VL100 - HTTPS access
      chain=wireguard1-forward action=accept protocol=tcp dst-address-list=VL100_Addresses dst-port=443 log=no log-prefix="" 

34 X  ;;; wireguard1-forward: Allow to VL100 - NFS
      chain=wireguard1-forward action=accept protocol=tcp dst-address-list=VL100_Addresses dst-port=2049 log=no log-prefix="" 

35 X  ;;; wireguard1-forward: Allow to VL100 - Kerberosv5 - TCP
      chain=wireguard1-forward action=accept protocol=tcp dst-address-list=VL100_Addresses dst-port=88 log=no log-prefix="" 

36 X  ;;; wireguard1-forward: Allow to VL100 - Kerberosv5 - UDP
      chain=wireguard1-forward action=accept protocol=udp dst-address-list=VL100_Addresses dst-port=88 log=no log-prefix="" 

37 X  ;;; wireguard1-forward: Allow to VL100 - Kerberosv5 - kadmin - UDP
      chain=wireguard1-forward action=accept protocol=udp dst-address-list=VL100_Addresses dst-port=749 log=no log-prefix="" 

38 X  ;;; wireguard1-forward: Allow to VL100 - Kerberosv5 - kadmin - TCP
      chain=wireguard1-forward action=accept protocol=tcp dst-address-list=VL100_Addresses dst-port=749 log=no log-prefix="" 

39 X  ;;; wireguard1-forward: Allow to VL100 - iperf
      chain=wireguard1-forward action=accept protocol=tcp dst-address-list=VL100_Addresses dst-port=5001 log=no log-prefix="" 

40    ;;; wireguard1-forward: DROPALL
      chain=wireguard1-forward action=drop log=yes log-prefix="wireguard1-forward: DROPALL" 

41    ;;; wireguard2-forward: Allow to VL100 - ICMP
      chain=wireguard2-forward action=accept protocol=icmp dst-address-list=wireguard2-share log=no log-prefix="" 

42    ;;; wireguard2-forward: Allow to VL100 - SSH
      chain=wireguard2-forward action=accept protocol=tcp dst-address-list=VL100_Addresses dst-port=22 log=no log-prefix="" 

43    ;;; wireguard2-forward: Allow to VL100 - NFS
      chain=wireguard2-forward action=accept protocol=tcp dst-address-list=VL100_Addresses dst-port=2049 log=no log-prefix="" 

44    ;;; wireguard2-forward: Allow to VL100 - RPC for NFS
      chain=wireguard2-forward action=accept protocol=tcp dst-address-list=VL100_Addresses dst-port=111 log=no log-prefix="" 

45    ;;; wireguard2-forward: Allow to VL100 - Kerberosv5 - TCP
      chain=wireguard2-forward action=accept protocol=tcp dst-address-list=VL100_Addresses dst-port=88 log=no log-prefix="" 

46    ;;; wireguard2-forward: Allow to VL100 - Kerberosv5 - UDP
      chain=wireguard2-forward action=accept protocol=udp dst-address-list=VL100_Addresses dst-port=88 log=no log-prefix="" 

47 X  ;;; wireguard2-forward: Allow to VL100 - iperf
      chain=wireguard2-forward action=accept protocol=tcp dst-address-list=VL100_Addresses dst-port=5001 log=no log-prefix="" 

48    ;;; wireguard2-forward: DROPALL
      chain=wireguard2-forward action=drop log=yes log-prefix="wireguard2-forward: DROPALL" 
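As an added example (not part of the thread and not anav's or the poster's code), a small Python preflight check over the route print shown above: it does the longest-prefix lookup the VRF table performs for 8.8.8.8, then applies the second condition WireGuard itself imposes, namely that an outgoing packet is only encrypted and sent when its destination falls inside the peer's allowed-address (10.0.1.0/24 and 10.0.3.0/24 on wireguard1 in the export). The route text and peer list are constructed copies of the thread's output; the verdict strings are my own naming.

```python
import ipaddress

# Constructed sample: a trimmed copy of the "/ip/route print" output from the
# thread, with the redacted WAN prefix left in to show that it is skipped.
ROUTE_PRINT = """\
Flags: D - DYNAMIC; A - ACTIVE; c, s, d, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS      GATEWAY                         DISTANCE
  DAd 0.0.0.0/0        208.102.16.1                           1
  DAc 192.168.20.0/24  VL20_TRUST                             0
  DAc XXX.XXX.XX.X/20  VL90_PASSUNTRUSTED                     0
1  As 10.0.1.0/24      wireguard1@vrf_earthcloud              1
2  As 10.0.3.0/24      wireguard1@vrf_earthcloud              1
  DAc 10.0.4.0/24      VL100_WIREGUARD@vrf_earthcloud         0
  DAc 10.255.255.0/24  wireguard1@vrf_earthcloud              0
"""

# Constructed from "/interface wireguard peers" in the export:
# WireGuard interface -> allowed-address prefixes of its peer.
PEER_ALLOWED = {"wireguard1": ["10.0.1.0/24", "10.0.3.0/24"]}


def parse_vrf_routes(text, vrf):
    """Extract (network, gateway) pairs that belong to the given VRF table.

    A route line carries a DST-ADDRESS with a '/' followed by its GATEWAY;
    only gateways tagged '@<vrf>' are kept, and lines whose address cannot be
    parsed (redacted output) are skipped.
    """
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        for i, tok in enumerate(tokens[:-1]):
            if "/" not in tok:
                continue
            try:
                net = ipaddress.ip_network(tok, strict=False)
            except ValueError:
                break  # redacted or non-IP token, skip this line
            gw = tokens[i + 1]
            if gw.endswith("@" + vrf):
                routes.append((net, gw[: -len(vrf) - 1]))
            break
    return routes


def lookup(routes, dst):
    """Longest-prefix match over one table; None when the table has no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def peer_covers(peer_allowed, iface, dst):
    """WireGuard cryptokey routing: a packet leaving through a WireGuard
    interface is only sent if its destination matches one of the peer's
    allowed-address entries; otherwise the interface drops it without a trace
    on the far end (which is what a tcpdump on the VPS would show)."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(p) for p in peer_allowed.get(iface, []))


def check_path(routes, peer_allowed, dst):
    """Classify why a destination would or would not leave through the VRF."""
    hit = lookup(routes, dst)
    if hit is None:
        return "no-route"
    _net, gw = hit
    if gw in peer_allowed and not peer_covers(peer_allowed, gw, dst):
        return "not-in-allowed-address"
    return "ok"


def main():
    routes = parse_vrf_routes(ROUTE_PRINT, "vrf_earthcloud")
    print(check_path(routes, PEER_ALLOWED, "8.8.8.8"))        # no-route
    print(check_path(routes, PEER_ALLOWED, "10.0.3.7"))       # ok
    # A default route in the VRF table alone is not enough for 8.8.8.8:
    with_default = routes + [(ipaddress.ip_network("0.0.0.0/0"), "wireguard1")]
    print(check_path(with_default, PEER_ALLOWED, "8.8.8.8"))  # not-in-allowed-address
    # The router-side peer must also allow 0.0.0.0/0 before anything is sent
    # (the VPS still has to route and NAT it on its side).
    full_peer = {"wireguard1": ["0.0.0.0/0"]}
    print(check_path(with_default, full_peer, "8.8.8.8"))     # ok


if __name__ == "__main__":
    main()
```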

 
E15RQ22EZN9
just joined
Topic Author
Posts: 10
Joined: Tue Mar 02, 2021 12:49 pm

Re: Wireguard VRF and Default Gateways

Tue Jul 26, 2022 9:22 pm

I figured you might want to see the post-changes full config, so here it is as well. Thanks again!
# jul/26/2022 14:14:17 by RouterOS 7.3.1
# software id = F3RN-N3NC
#
# model = RB4011iGS+
# serial number = XXXXXXXXXXXX
/interface bridge
add name=BR1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether6 ] comment=\
    "VL99-Passthrough - ethernet device setup VLAN"
set [ find default-name=ether7 ] comment="VL-60LAB - for LAB vlan"
set [ find default-name=ether9 ] comment=WAN
set [ find default-name=ether10 ] comment="Parents Computer"
/caps-man interface
add disabled=yes l2mtu=1600 mac-address=48:8F:5A:70:9B:FF master-interface=\
    none name=cap1 radio-mac=48:8F:5A:70:9B:FF radio-name=488F5A709BFF
add disabled=yes l2mtu=1600 mac-address=48:8F:5A:70:9C:00 master-interface=\
    none name=cap2 radio-mac=48:8F:5A:70:9C:00 radio-name=488F5A709C00
add disabled=no mac-address=48:8F:5A:70:9B:B1 master-interface=none name=cap3 \
    radio-mac=48:8F:5A:70:9B:B1 radio-name=488F5A709BB1
add disabled=no mac-address=48:8F:5A:70:9B:B0 master-interface=none name=cap4 \
    radio-mac=48:8F:5A:70:9B:B0 radio-name=488F5A709BB0
/interface wireguard
add comment=PVPN-NY#38 disabled=yes listen-port=13233 mtu=1420 name=pvpn1
add comment="External: Earthcloud based wireguard" listen-port=51820 mtu=1420 \
    name=wireguard1
add comment="Router: " listen-port=13231 mtu=1420 name=wireguard2
/interface vlan
add interface=BR1 name=VL10_MGMT vlan-id=10
add interface=BR1 name=VL20_TRUST vlan-id=20
add interface=BR1 name=VL35_CELL vlan-id=35
add interface=BR1 name=VL40_GUEST vlan-id=40
add interface=BR1 name=VL50_CLEARNET vlan-id=50
add interface=BR1 name=VL51_MEDIA vlan-id=51
add interface=BR1 name=VL52_IOT vlan-id=52
add interface=BR1 name=VL55_P2P vlan-id=55
add interface=BR1 name=VL60_LAB vlan-id=60
add interface=BR1 name=VL90_PASSUNTRUSTED vlan-id=90
add interface=BR1 name=VL100_WIREGUARD vlan-id=100
/interface list
add name=WAN
add name=LAN
add name=VLAN_WAN
add name=VLAN_VPN
add name=MGMT
add name=LAB
add name=DHCP_interfaces
add name=NTP_interfaces
add name=DNS_interfaces
add name=WAN_ACCESS
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add interface=VL10_MGMT name=VL10_DHCP
/ip dhcp-server option
add code=121 name=classless value=0x100A00000A000202
add code=121 name=wireguard1 value=\
    0x180A00010A000401180A00030A000401180A00050A000401
add code=43 name="raspberry pi boot" value="'Raspberry Pi Boot'"
add code=66 name="raspberry pi tftp" value="s'192.168.20.100'"
/ip dhcp-server option sets
add name=VL100 options=wireguard1
/ip ipsec mode-config
add name=ProtonVPN responder=no src-address-list=VL20_Addresses
add name=ProtonVPN_USCA98_LIBREELEC responder=no src-address-list=\
    VL52_Addresses
/ip ipsec policy group
add name=ProtonVPN
/ip ipsec profile
add dh-group=modp4096,modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 \
    name=ProtonVPN
/ip ipsec peer
add address=node-us-119.protonvpn.net disabled=yes exchange-mode=ike2 name=\
    US-VA#25 profile=ProtonVPN send-initial-contact=no
add address=node-us-68.protonvpn.net comment=\
    "This is US-NY#35 (using b3 username)" exchange-mode=ike2 name=\
    ProtonVPN-US profile=ProtonVPN send-initial-contact=no
add address=node-us-89.protonvpn.net comment=US-CO#15 disabled=yes \
    exchange-mode=ike2 name="Chicago - US-IL44" profile=ProtonVPN \
    send-initial-contact=no
add address=node-us-93.protonvpn.net comment=US-CO#15 disabled=yes \
    exchange-mode=ike2 name=ProtonVPN-CO5 profile=ProtonVPN \
    send-initial-contact=no
add address=91.219.214.170/32 disabled=yes exchange-mode=ike2 name=\
    ProtonVpn-US-FL#39 profile=ProtonVPN
add address=91.219.212.202/32 disabled=yes exchange-mode=ike2 name=\
    ProtonVPN_USCA98_P2P profile=ProtonVPN send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048
/ip pool
add name=VL20_POOL ranges=192.168.20.100-192.168.20.199
add name=VL35_POOL ranges=192.168.35.100-192.168.35.199
add name=VL52_POOL ranges=192.168.52.100-192.168.52.199
add name=VL40_POOL ranges=192.168.40.100-192.168.40.199
add comment="P2P VPN VLAN" name=VL55_Pool ranges=\
    192.168.55.100-192.168.55.199
add name=VL60_POOL ranges=192.168.60.100-192.168.60.199
add name=VL100_POOL ranges=10.0.4.100-10.0.4.199
add name=VL50_POOL ranges=192.168.50.100-192.168.50.199
add name=VL51_POOL ranges=192.168.51.100-192.168.51.199
/ip dhcp-server
add address-pool=VL20_POOL interface=VL20_TRUST name=VL20_DHCP
add address-pool=VL35_POOL interface=VL35_CELL name=VL35_DHCP
add address-pool=VL52_POOL interface=VL52_IOT name=VL52_DHCP
add address-pool=VL40_POOL interface=VL40_GUEST name=VL40_DHCP
add address-pool=VL55_Pool interface=VL55_P2P name=VL55_DHCP
add address-pool=VL60_POOL interface=VL60_LAB name=VL60_DHCP
add address-pool=VL100_POOL dhcp-option-set=VL100 interface=VL100_WIREGUARD \
    name=VL100_DHCP
add address-pool=VL50_POOL interface=VL50_CLEARNET name=VL50_DHCP
add address-pool=VL51_POOL interface=VL51_MEDIA name=VL51_DHCP
/ip vrf
add interfaces=wireguard1,VL100_WIREGUARD name=vrf_earthcloud
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether2
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether3
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether4
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether5
add bridge=BR1 interface=ether6 pvid=99
add bridge=BR1 hw=no ingress-filtering=no interface=ether7 pvid=60
add bridge=BR1 ingress-filtering=no interface=sfp-sfpplus1
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether9 pvid=90
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether10 pvid=90
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=BR1 comment="VL10 Management Net " tagged=\
    BR1,ether2,ether3,ether4,ether5,sfp-sfpplus1,ether6 vlan-ids=10
add bridge=BR1 comment="VL20 - TRUSTED - VPN Protected" tagged=\
    BR1,ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 vlan-ids=20
add bridge=BR1 comment="VL35 - CELL - No VPN - Only for cell phones with VPN a\
    lways on via devices" tagged=\
    BR1,ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 vlan-ids=35
add bridge=BR1 comment="VL52 - IOT" tagged=BR1,sfp-sfpplus1 vlan-ids=52
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,sfp-sfpplus1 untagged=\
    ether6 vlan-ids=99
add bridge=BR1 tagged=sfp-sfpplus1,BR1 vlan-ids=40
add bridge=BR1 comment="VL55 - VPN with P2P enabled" tagged=BR1,sfp-sfpplus1 \
    vlan-ids=55
add bridge=BR1 comment=VL90_UNTRUSTED-WAN tagged=BR1 untagged=\
    VL90_PASSUNTRUSTED vlan-ids=90
add bridge=BR1 comment=VL60-LAB tagged=ether2,BR1 untagged=ether7 vlan-ids=60
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=100
add bridge=BR1 comment=VL50-CLEARNET tagged=BR1,sfp-sfpplus1 vlan-ids=50
add bridge=BR1 comment="VL51 - MEDIA" tagged=BR1,sfp-sfpplus1 vlan-ids=51
/interface list member
add disabled=yes interface=ether1 list=WAN
add interface=VL20_TRUST list=LAN
add interface=VL35_CELL list=LAN
add interface=VL52_IOT list=LAN
add interface=VL10_MGMT list=LAN
add interface=VL20_TRUST list=VLAN_VPN
add interface=VL35_CELL list=VLAN_WAN
add interface=VL52_IOT list=VLAN_WAN
add interface=VL10_MGMT list=MGMT
add interface=VL40_GUEST list=VLAN_WAN
add interface=VL55_P2P list=VLAN_WAN
add disabled=yes interface=ether9 list=WAN
add interface=BR1 list=LAN
add interface=VL90_PASSUNTRUSTED list=WAN
add interface=VL60_LAB list=LAB
add interface=VL100_WIREGUARD list=LAN
add interface=VL50_CLEARNET list=VLAN_WAN
add disabled=yes interface=wireguard1 list=WAN
add interface=VL10_MGMT list=DNS_interfaces
add interface=VL20_TRUST list=DNS_interfaces
add interface=VL35_CELL list=DNS_interfaces
add interface=VL40_GUEST list=DNS_interfaces
add interface=VL50_CLEARNET list=DNS_interfaces
add interface=VL51_MEDIA list=DNS_interfaces
add interface=VL52_IOT list=DNS_interfaces
add interface=VL55_P2P list=DNS_interfaces
add interface=VL60_LAB list=DNS_interfaces
add interface=VL100_WIREGUARD list=DNS_interfaces
add interface=VL10_MGMT list=NTP_interfaces
add interface=VL20_TRUST list=NTP_interfaces
add interface=VL35_CELL list=NTP_interfaces
add interface=VL40_GUEST list=NTP_interfaces
add interface=VL50_CLEARNET list=NTP_interfaces
add interface=VL51_MEDIA list=NTP_interfaces
add interface=VL52_IOT list=NTP_interfaces
add interface=VL55_P2P list=NTP_interfaces
add interface=VL60_LAB list=NTP_interfaces
add interface=VL100_WIREGUARD list=NTP_interfaces
add interface=VL10_MGMT list=DHCP_interfaces
add interface=VL20_TRUST list=DHCP_interfaces
add interface=VL35_CELL list=DHCP_interfaces
add interface=VL40_GUEST list=DHCP_interfaces
add interface=VL50_CLEARNET list=DHCP_interfaces
add interface=VL51_MEDIA list=DHCP_interfaces
add interface=VL52_IOT list=DHCP_interfaces
add interface=VL55_P2P list=DHCP_interfaces
add interface=VL60_LAB list=DHCP_interfaces
add interface=VL100_WIREGUARD list=DHCP_interfaces
add interface=wireguard1 list=DNS_interfaces
add interface=VL20_TRUST list=WAN_ACCESS
add interface=VL35_CELL list=WAN_ACCESS
add interface=VL40_GUEST list=WAN_ACCESS
add interface=VL50_CLEARNET list=WAN_ACCESS
add interface=VL51_MEDIA list=WAN_ACCESS
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.0.1.0/24,10.0.3.0/24 comment=Earthcloud \
    endpoint-address=XXX.XXX.XXX.XX endpoint-port=51820 interface=wireguard1 \
    persistent-keepalive=30s public-key=\
    "JUBRtdhXY9xRA8F+89m6PPHcS+s9vD7MinBLO0aajjk="
add allowed-address=10.0.5.0/24 comment="Laptop - Local" interface=wireguard2 \
    public-key="hpCCDqsGi9cSzt+9bivhXTm9NW+lloqkXRWgSkJJIiI="
add allowed-address=0.0.0.0/0 endpoint-address=XXX.XXX.XX.XX endpoint-port=\
    51820 interface=pvpn1 public-key=\
    "4Gjn941JfIDqDB3KWubQ4slUR362dUrgbT7WGvldPlM="
    
    
/ip address
add address=192.168.10.1/24 interface=VL10_MGMT network=192.168.10.0
add address=192.168.20.1/24 interface=VL20_TRUST network=192.168.20.0
add address=192.168.35.1/24 interface=VL35_CELL network=192.168.35.0
add address=192.168.52.1/24 interface=VL52_IOT network=192.168.52.0
add address=192.168.40.1/24 interface=VL40_GUEST network=192.168.40.0
add address=192.168.55.1/24 interface=VL55_P2P network=192.168.55.0
add address=192.168.60.1/24 interface=VL60_LAB network=192.168.60.0
add address=10.255.255.2/24 comment="10.255.255.0/24 address space will be use\
    d for indivual wireguard interfaces " interface=wireguard1 network=\
    10.255.255.0
add address=10.0.4.1/24 interface=VL100_WIREGUARD network=10.0.4.0
add address=10.0.2.2 interface=wireguard2 network=10.0.2.2
add address=192.168.50.1/24 interface=VL50_CLEARNET network=192.168.50.0
add address=192.168.51.1/24 interface=VL51_MEDIA network=192.168.51.0
/ip dhcp-client
add disabled=yes interface=ether1 use-peer-dns=no use-peer-ntp=no
add interface=VL90_PASSUNTRUSTED
/ip dhcp-server lease
add address=192.168.20.100 client-id=\
    ff:ad:3a:c9:6c:0:2:0:0:ab:11:c4:47:4b:e5:b3:54:d1:44 comment=\
    FQDN-Local mac-address=34:97:F6:32:97:FC \
    server=VL20_DHCP
add address=10.0.4.100 client-id=\
    ff:ad:3a:c9:6c:0:2:0:0:ab:11:c4:47:4b:e5:b3:54:d1:44 comment=\
    FQDN-Local mac-address=34:97:F6:32:97:FC server=\
    VL100_DHCP
add address=192.168.20.106 client-id=\
    ff:5f:e:72:be:0:4:36:43:46:30:34:39:32:45:36:32:37:30:ff:ff:ff:ff \
    comment=nas.FQDN-Local mac-address=80:61:5F:0E:72:BE server=\
    VL20_DHCP
/ip dhcp-server network
add address=10.0.4.0/24 gateway=10.0.4.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1 \
    netmask=24
add address=192.168.20.0/24 dhcp-option="raspberry pi boot,raspberry pi tftp" \
    dns-server=192.168.20.1 domain=FQDN-Local gateway=\
    192.168.20.1 netmask=24 next-server=192.168.20.100 ntp-server=\
    192.168.20.1
add address=192.168.35.0/24 dns-server=192.168.35.1 gateway=192.168.35.1 \
    netmask=24
add address=192.168.40.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.40.1
add address=192.168.50.0/24 comment=VL50-CLEARNET dns-server=1.1.1.1,8.8.8.8 \
    gateway=192.168.50.1 netmask=24
add address=192.168.51.0/24 boot-file-name=/pxelinux.0 comment=\
    "Media Network - with Netboot" dns-server=192.168.51.1 gateway=\
    192.168.51.1 netmask=24 ntp-server=192.168.51.1
add address=192.168.52.0/24 dns-server=192.168.52.1 gateway=192.168.52.1 \
    netmask=24
add address=192.168.55.0/24 dns-server=192.168.55.1 gateway=192.168.55.1
add address=192.168.60.0/24 dns-server=192.168.60.1 gateway=192.168.60.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes max-concurrent-tcp-sessions=40 servers=\
    1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.20.106 name=nas.FQDN-Local
add address=192.168.20.1 name=vlan20.FQDN-Local
add address=192.168.20.100 name=FQDN-Local
add address=192.168.11.3 name=mariadb.FQDN-Local
add address=192.168.20.100 name=nfs.FQDN-Local
add address=10.0.4.100 name=FQDN-Local
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=192.168.20.0/24 list=VL20_Addresses
add address=192.168.55.0/24 comment="For P2P VPN Connections" list=\
    VL55_Addresses
add address=192.168.10.0/24 list=VL10_Addresses
add address=192.168.35.0/24 list=VL35_Addresses
add address=192.168.99.0/24 list=VL99_Addresses
add address=10.0.4.0/24 list=VL100_Addresses
add address=192.168.200.0/24 list=VL90_Addresses
add address=10.255.255.2 list=wireguard1
add address=192.168.60.0/24 list=VL60_Addresses
add address=10.0.1.0/24 comment=earthcloud list=wireguard1-earthcloud
add address=10.0.3.0/24 comment="david-laptop - via earthcloud" list=\
    wireguard1-share
add address=10.0.5.0/24 list=wireguard2-share
add address=10.0.2.2 list=wireguard2
add address=192.168.50.0/24 list=VL50_Addresses
add address=192.168.40.0/24 list=VL40_Addresses
add address=192.168.52.0/24 list=VL52_Addresses
add address=192.168.51.0/24 list=VL51_Addresses
add address=10.0.4.0/24 list=wireguard1-share
add address=10.255.255.2 list=wireguard1-share
add address=10.0.1.0/24 list=wireguard1-share
/ip firewall filter
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="VL10_MGMT - ANTI-LOCKOUT - WINBOX" \
    dst-address=192.168.10.1 dst-port=8291 in-interface-list=MGMT protocol=\
    tcp
add action=accept chain=input comment="input: accept DNS" dst-port=53 \
    in-interface-list=DNS_interfaces protocol=udp
add action=accept chain=input comment="input: accept NTP" dst-port=123 \
    in-interface-list=NTP_interfaces protocol=udp
add action=accept chain=input comment="input: accept DHCP " dst-port=67 \
    in-interface-list=DHCP_interfaces protocol=udp src-port=68
add action=accept chain=input comment=\
    "input: accept DNS requests from earthcloud on Wireguard1" dst-port=53 \
    protocol=udp src-address-list=wireguard1-earthcloud
add action=accept chain=input comment="VL20-input: Allow wireguard2 access" \
    dst-address-type="" dst-port=13231 in-interface=VL20_TRUST protocol=udp
add action=drop chain=input comment="input: DROP BROADCAST [log spam guard]" \
    dst-address-type=broadcast
add action=drop chain=input comment="input: DROPALL" log=yes log-prefix=\
    input:DROPALL
add action=accept chain=forward comment=\
    "forward: Allow WAN access for specific interfaces" in-interface-list=\
    WAN_ACCESS out-interface-list=WAN
add action=accept chain=forward comment=\
    "forward:WAN ACCESS TOGGLE - MGMT Net" disabled=yes in-interface-list=\
    MGMT out-interface-list=WAN
add action=accept chain=forward comment="VL55-forward: ALLOW ACCESS TO SPECIFI\
    C VPN SERVER ADDRESS ONLY  (DISABLE WAN ACCESS BELOW) -- NY#54" \
    dst-address=37.120.244.62 in-interface=VL55_P2P out-interface-list=WAN
add action=accept chain=forward comment=\
    "forward: ALLOW WAN ACCESS TOGGLE - VL55-P2P" disabled=yes in-interface=\
    VL55_P2P out-interface-list=WAN
add action=accept chain=forward comment="forward: SNAPCAST - Stream Port 1704 \
    - VL52-IOT to SNAPCAST SERVER (VL20)" dst-address=192.168.20.100 \
    dst-port=1704 in-interface=VL52_IOT protocol=tcp
add action=accept chain=forward comment="forward: SNAPCAST - Stream Port 1705 \
    - VL52-IOT to SNAPCAST SERVER (VL20)" dst-address=192.168.20.100 \
    dst-port=1705 in-interface=VL52_IOT protocol=tcp
add action=accept chain=forward comment=\
    "forward: ALLOW to wireguard1 from VL100" dst-address-list=\
    wireguard1-share in-interface=VL100_WIREGUARD
add action=accept chain=forward comment=\
    "forward: ALLOW to wireguard1 from VL100" dst-address-list=\
    wireguard2-share in-interface=VL100_WIREGUARD
add action=jump chain=forward comment="wireguard1-forward: JUMP" jump-target=\
    wireguard1-forward src-address-list=wireguard1-share
add action=jump chain=forward comment="wireguard2-forward: JUMP" \
    in-interface=wireguard2 jump-target=wireguard2-forward
add action=accept chain=forward comment="allow dst-nat" connection-nat-state=\
    dstnat
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
add action=drop chain=forward comment=\
    "DROP anything form VL90 for fowarding - this is essentially WAN" \
    in-interface=VL90_PASSUNTRUSTED log-prefix=DROPALL
add action=drop chain=forward comment="DROP ALL ELSE" log=yes log-prefix=\
    "forward: DROPALL"
add action=accept chain=wireguard1-forward comment=\
    "wireguard1-forward: Allow to VL100 - ICMP" dst-address-list=\
    wireguard1-share protocol=icmp
add action=accept chain=wireguard1-forward comment=\
    "wireguard1-forward: Allow to VL100 - SSH" dst-address-list=\
    VL100_Addresses dst-port=22 protocol=tcp
add action=accept chain=wireguard1-forward comment=\
    "wireguard1-forward: Allow to VL100 - HTTP access" dst-address-list=\
    VL100_Addresses dst-port=80 protocol=tcp
add action=accept chain=wireguard1-forward comment=\
    "wireguard1-forward: Allow to VL100 - HTTPS access" dst-address-list=\
    VL100_Addresses dst-port=443 protocol=tcp
add action=accept chain=wireguard1-forward comment=\
    "wireguard1-forward: Allow to VL100 - NFS" disabled=yes dst-address-list=\
    VL100_Addresses dst-port=2049 protocol=tcp
add action=accept chain=wireguard1-forward comment=\
    "wireguard1-forward: Allow to VL100 - Kerberosv5 - TCP" disabled=yes \
    dst-address-list=VL100_Addresses dst-port=88 protocol=tcp
add action=accept chain=wireguard1-forward comment=\
    "wireguard1-forward: Allow to VL100 - Kerberosv5 - UDP" disabled=yes \
    dst-address-list=VL100_Addresses dst-port=88 protocol=udp
add action=accept chain=wireguard1-forward comment=\
    "wireguard1-forward: Allow to VL100 - Kerberosv5 - kadmin - UDP" \
    disabled=yes dst-address-list=VL100_Addresses dst-port=749 protocol=udp
add action=accept chain=wireguard1-forward comment=\
    "wireguard1-forward: Allow to VL100 - Kerberosv5 - kadmin - TCP" \
    disabled=yes dst-address-list=VL100_Addresses dst-port=749 protocol=tcp
add action=accept chain=wireguard1-forward comment=\
    "wireguard1-forward: Allow to VL100 - iperf" disabled=yes \
    dst-address-list=VL100_Addresses dst-port=5001 protocol=tcp
add action=drop chain=wireguard1-forward comment=\
    "wireguard1-forward: DROPALL" log=yes log-prefix=\
    "wireguard1-forward: DROPALL"
add action=accept chain=wireguard2-forward comment=\
    "wireguard2-forward: Allow to VL100 - ICMP" dst-address-list=\
    wireguard2-share protocol=icmp
add action=accept chain=wireguard2-forward comment=\
    "wireguard2-forward: Allow to VL100 - SSH" dst-address-list=\
    VL100_Addresses dst-port=22 protocol=tcp
add action=accept chain=wireguard2-forward comment=\
    "wireguard2-forward: Allow to VL100 - NFS" dst-address-list=\
    VL100_Addresses dst-port=2049 protocol=tcp
add action=accept chain=wireguard2-forward comment=\
    "wireguard2-forward: Allow to VL100 - RPC for NFS" dst-address-list=\
    VL100_Addresses dst-port=111 protocol=tcp
add action=accept chain=wireguard2-forward comment=\
    "wireguard2-forward: Allow to VL100 - Kerberosv5 - TCP" dst-address-list=\
    VL100_Addresses dst-port=88 protocol=tcp
add action=accept chain=wireguard2-forward comment=\
    "wireguard2-forward: Allow to VL100 - Kerberosv5 - UDP" dst-address-list=\
    VL100_Addresses dst-port=88 protocol=udp
add action=accept chain=wireguard2-forward comment=\
    "wireguard2-forward: Allow to VL100 - iperf" disabled=yes \
    dst-address-list=VL100_Addresses dst-port=5001 protocol=tcp
add action=drop chain=wireguard2-forward comment=\
    "wireguard2-forward: DROPALL" log=yes log-prefix=\
    "wireguard2-forward: DROPALL"
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes in-interface=wireguard1 \
    log=yes log-prefix="VRF-IN-WG1: " new-routing-mark=vrf_earthcloud \
    passthrough=yes
add action=mark-routing chain=prerouting disabled=yes log-prefix=\
    "VRF-IN-WG1: " new-routing-mark=vrf_earthcloud passthrough=yes \
    src-address-list=wireguard1-share
add action=mark-routing chain=output disabled=yes dst-address-list=\
    wireguard1-share log-prefix="VRF-OUT-WG1: " new-routing-mark=\
    vrf_earthcloud passthrough=yes
add action=mark-routing chain=output disabled=yes log=yes log-prefix=\
    "VRF-OUT-WG1: " new-routing-mark=vrf_earthcloud out-interface=wireguard1 \
    passthrough=yes
add action=mark-routing chain=prerouting disabled=yes in-interface=\
    VL100_WIREGUARD log-prefix="VRF-IN-VL100: " new-routing-mark=\
    vrf_earthcloud passthrough=yes
add action=mark-routing chain=output disabled=yes log-prefix=\
    "VRF-OUT-VL100: " new-routing-mark=vrf_earthcloud out-interface=\
    VL100_WIREGUARD passthrough=yes
add action=mark-connection chain=prerouting connection-state=new disabled=yes \
    new-connection-mark=wg_conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wg_conn disabled=yes \
    in-interface=wireguard1 new-routing-mark=vrf_earthcloud passthrough=yes
/ip firewall nat
add action=src-nat chain=srcnat disabled=yes out-interface=wireguard1 \
    to-addresses=10.0.1.10
add action=accept chain=srcnat comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" log-prefix=\
    "SNAT-WAN: " out-interface-list=WAN
add action=src-nat chain=srcnat comment="defconf: masquerade" disabled=yes \
    dst-address-list=!wireguard1-share log=yes log-prefix="SNAT-WG0: " \
    src-address-list=VL100_Addresses to-addresses=10.255.255.2
add action=dst-nat chain=dstnat comment="Syncthing traffic NAT" disabled=yes \
    dst-port=22000 in-interface-list=WAN protocol=tcp to-addresses=\
    192.168.20.103
add action=src-nat chain=srcnat disabled=yes dst-address-list=\
    wireguard1-share log=yes log-prefix=wireguard1-srcnat src-address-list=\
    VL100_Addresses to-addresses=10.0.2.1
add action=dst-nat chain=dstnat comment=\
    "wireguard NAT to support direct connections" disabled=yes dst-address=\
    192.168.200.100 dst-port=13231 protocol=udp to-addresses=10.0.2.1
add action=masquerade chain=srcnat disabled=yes out-interface-list=WAN \
    src-address-list=VL40_Addresses
/ip ipsec identity
add auth-method=eap certificate=ProtonVPN_ike_root.der_0 comment=\
    "Proton Identity with adblock and malware filter" eap-methods=\
    eap-mschapv2 generate-policy=port-override mode-config=ProtonVPN peer=\
    ProtonVPN-US policy-template-group=ProtonVPN username=USERNAME+b:2+f2
add auth-method=eap certificate=ProtonVPN_ike_root.der_0 eap-methods=\
    eap-mschapv2 generate-policy=port-override mode-config=\
    ProtonVPN_USCA98_LIBREELEC peer=ProtonVPN_USCA98_P2P \
    policy-template-group=ProtonVPN username=USERNAME+f2
add auth-method=eap certificate=ProtonVPN_ike_root.der_0 eap-methods=\
    eap-mschapv2 generate-policy=port-override mode-config=ProtonVPN peer=\
    ProtonVPN-CO5 policy-template-group=ProtonVPN username=USERNAME+b:2+f2
add auth-method=eap certificate=ProtonVPN_ike_root.der_0 comment=\
    "Proton Identity with adblock and malware filter" eap-methods=\
    eap-mschapv2 generate-policy=port-override mode-config=ProtonVPN peer=\
    ProtonVpn-US-FL#39 policy-template-group=ProtonVPN username=\
    USERNAME+b:1+f2
add auth-method=eap certificate=ProtonVPN_ike_root.der_0 eap-methods=\
    eap-mschapv2 generate-policy=port-override mode-config=ProtonVPN peer=\
    "Chicago - US-IL44" policy-template-group=ProtonVPN username=USERNAME+f2
add auth-method=eap certificate=ProtonVPN_ike_root.der_0 eap-methods=\
    eap-mschapv2 generate-policy=port-override mode-config=ProtonVPN peer=\
    US-VA#25 policy-template-group=ProtonVPN username=USERNAME+b
/ip ipsec policy
add disabled=yes dst-address=0.0.0.0/0 group=ProtonVPN src-address=0.0.0.0/0 \
    template=yes
/ip ipsec settings
set accounting=no
/ip route
add comment="Route for local laptop WG connection" disabled=no distance=1 \
    dst-address=10.0.5.0/24 gateway=wireguard2 pref-src="" routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.0.1.0/24 gateway=\
    wireguard1@vrf_earthcloud pref-src="" routing-table=vrf_earthcloud scope=\
    30 suppress-hw-offload=no target-scope=10
add dst-address=10.0.3.0/24 gateway=wireguard1@vrf_earthcloud routing-table=\
    vrf_earthcloud
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/routing rule
add action=lookup-only-in-table disabled=no src-address=10.0.4.0/24 table=\
    vrf_earthcloud
/system clock
set time-zone-name=America/New_York
/system identity
set name=EdgeRouter
/system logging
add disabled=yes topics=wireguard
add disabled=yes topics=dhcp
add disabled=yes topics=ipsec
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=204.11.201.10
add address=108.61.73.244
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool sniffer
set filter-interface=all filter-ip-address=8.8.8.8/32 streaming-enabled=yes \
    streaming-server=192.168.20.100
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VRF and Default Gateways

Tue Jul 26, 2022 10:33 pm

Since VRF and wireguard together are not ready for prime time, I concur: dispense with VRF. It looked like a nice script, but it's not worth the pain at the moment.

Now, this is the line in question!
".... add action=jump chain=forward comment="wireguard1-forward: JUMP" jump-target=wireguard1-forward src-address-list=wireguard1-share"
The associated firewall lists.
add address=10.0.1.0/24 comment=earthcloud list=wireguard1-share
add address=10.0.3.0/24 comment="laptop - via earthcloud" list=wireguard1-share


And your comment.
So this used to use the wireguard1 interface as the source, but it would not pick up traffic from the VPS subnets (10.0.1.0/24, 10.0.3.0/24, 10.0.4.0/24) so I switched to using the address list.

++++++++++++++++++
All this leading to my question: WHY are you worried about subnets on the Local SERVER Router going out the tunnel to the Client device?
From the discussion, wasn't the traffic going in the opposite direction, from VLAN100 users on 10.0.4.0/24 being able to reach the three subnets on the MT server router?

Hence my confusion!
If this was a requirement you needed to say so from the getgo as this changes many aspects of the config......
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I suspect more likely I have lost the bubble. Let's recap and consider wireguard1 ONLY.
Main MT wireguard server is a VPS instance
what local subnets exist on the VPS instance?

The RB4011 is the client device connecting to the VPS to establish a tunnel.
what local subnets exist on the RB4011 instance?

ARE THERE ANY OTHER client devices attached via wireguard to the VPS instance that are important to be aware of?

Most importantly, what are the requirements for users either on the VPS or RB4011 OR BOTH, in regard to using wireguard to access resources ( specific subnets (from/to) or internet).

Once that is clear in my mind, all will be good.
Last edited by anav on Tue Jul 26, 2022 10:43 pm, edited 1 time in total.
 
anav
Forum Guru

Re: Wireguard VRF and Default Gateways

Tue Jul 26, 2022 10:42 pm

What is the purpose of this? Never seen it before your config; is it a VRF-ism??
/ip dhcp-server option sets
add name=VL100 options=wireguard1


Let's delete this for now...............
/ip vrf
add interfaces=wireguard1,VL100_WIREGUARD name=vrf_earthcloud


If VLAN100 is going out the tunnel only then you need to ensure that, traffic that could get confused is not involved........ or at least cognizant of any firewall rules that may cause issues.........
add interface=VL100_WIREGUARD list=DNS_interfaces
add interface=VL100_WIREGUARD list=LAN
add interface=VL100_WIREGUARD list=NTP_interfaces
add interface=VL100_WIREGUARD list=DHCP_interfaces

AND
add interface=wireguard1 list=DNS_interfaces ????

/ip dhcp-server network
add address=10.0.4.0/24 gateway=10.0.4.1 - related to DNS interfaces above???
 
anav
Forum Guru

Re: Wireguard VRF and Default Gateways

Tue Jul 26, 2022 10:53 pm

I absolutely detest that you mix forward chain rules in with input chain rules.
Be organized and put all input chain rules together, then all forward chain rules together, etc...

WHY is this rule required? No one else has this, what is special in your case ???
add action=accept chain=input comment="input: accept DHCP " dst-port=67 \
in-interface-list=DHCP_interfaces protocol=udp src-port=68
 
anav
Forum Guru

Re: Wireguard VRF and Default Gateways

Tue Jul 26, 2022 10:54 pm

Let's dissect this.........

add action=accept chain=input comment="input: accept DNS" dst-port=53 \
in-interface-list=DNS_interfaces protocol=udp
add action=accept chain=input comment=\
"input: accept DNS requests from earthcloud on Wireguard1" dst-port=53 \
protocol=udp src-address-list=wireguard1-earthcloud



add interface=VL100_WIREGUARD list=DNS_interfaces (okay)
add interface=wireguard1 list=DNS_interfaces (not sure of the purpose here at all)
add address=10.0.1.0/24 comment=earthcloud list=wireguard1-earthcloud (really out to lunch not even on this router)

Trying to figure out why and if there is any purpose...........
 
anav
Forum Guru

Re: Wireguard VRF and Default Gateways

Tue Jul 26, 2022 11:11 pm

Let's dissect.........
add action=accept chain=forward comment=\
"forward: ALLOW to wireguard1 from VL100" dst-address-list=\
wireguard1-share in-interface=VL100_WIREGUARD
add action=accept chain=forward comment=\
"forward: ALLOW to wireguard1 from VL100" dst-address-list=\
wireguard2-share in-interface=VL100_WIREGUARD


The first one........... all you need is
add chain=forward action=accept in-interface=vlan100 out-interface=wireguard1 DONE

Now you have some jumping that's done,,,,,,,,,,,so make it a jump rule.......then add all the funky port stuff........limitations
add chain=forward action=jump jump-target=VLAN100_Rules in-interface=vlan100 out-interface=wireguard1
+++
+++
+++
add chain=VLAN100_Rules action=accept dst-address-list=wireguard1-share protocol=icmp

BUT BUT
add address=10.0.4.0/24 list=wireguard1-share TO ITSELF ???? ( maybe you meant ?? 10.0.1.0/24 ??
add address=10.255.255.2 list=wireguard1-share TO its own wireguard interface,,,,,,,, not possible to block anyway
add address=10.0.1.0/24 list=wireguard1-share Okay allow to ping a subnet on the other remote location, will buy that.

+++++++++++++++++++++++

I get it that you are trying to find efficiencies with a balance of good security, but creating so many different entities is confusing and causing errors.
Use interfaces ONLY for groups of subnets.
Don't mix subnets in an interface that have no purpose being there.
I think once you figure out which subnets are going where (my first post on this session), planning will be easier.
I think you're way overdoing it for starters on your access between subnets.
Start with limitations by IP, and if no issues, leave it. If you need more granular control then add them in as necessary.
Simplify, simplify, organize..........
 
E15RQ22EZN9
just joined
Topic Author
Posts: 10
Joined: Tue Mar 02, 2021 12:49 pm

Re: Wireguard VRF and Default Gateways

Wed Jul 27, 2022 4:01 pm

Okay, so big picture.
The router services multiple subnets which are aligned with various VLANs. All of the local-only VLANs are in the 192.168.0.0/16 address space and do not require any communication to the VPS. For my purposes here they can be safely ignored.

The local subnet in communication with the VPS is 10.0.4.0/24. This communicates with the VPS via wireguard1 tunnel which has a local IP of 10.255.255.2 and connects to the VPS which has a wireguard IP of 10.0.1.10.
The tunnel is also a means to communicate with other roaming resources (think road warrior) which can connect to the local 10.0.4.0/24 network by establishing a link to the VPS via its own tunnel. These road-warrior computers take on an IP address in the 10.0.3.0/24 subnet and connect to the VPS via their own wireguard tunnels. These connections are all functioning and work under the current configuration.

Where I hit my problem is in my last requirement. My local subnet 10.0.4.0/24 should not use the local router default route. When connecting to address spaces outside of 10.0.1.0/24 (VPS), 10.0.4.0/24 (local VLAN), 10.0.3.0/24 (road-warrior) & 10.255.255.2 (local tunnel IP) [[these are the wireguard1-share address list]] it should route traffic (default route) through the VPS (10.0.1.10). The VPS has iptables configured to then forward traffic out to the internet. The problem is I cannot get traffic outside wireguard1-share to route to the VPS. The VPS never sees any packets.

This is where I thought the VRF would be great, as I could put all wireguard1-share interfaces into the VRF and route them separately with their own default route, but as you know that has not worked in practice.

I have included a modified network diagram if that helps.

So in summary:
The VPS is the wireguard server it accepts connections from the local Mikrotik router as well as road warrior PCs.
The Mikrotik router (RB4011) services the 10.0.4.0/24 (VLAN100) local network and should route all traffic outside 10.0.4.0/24 over the wireguard tunnel.
Road warrior subnets (10.0.3.0/24) should be able to communicate with 10.0.4.0/24 subnet via the VPS. (VPS forwards 10.0.3.0/24 to 10.0.4.0/24 and vice versa)
All other non-local (outside 10.0.4.0/24) should route to the VPS where the VPS can NAT requests to the internet.

I hope this helps a bit more with where I am trying to go, thanks again for your continued help!

I will note that all of my firewall drop rules are now logged and I have confirmed that the firewall does not seem to be dropping my trouble traffic (ICMP to 8.8.8.8 via 10.0.4.1). It seems the router simply is not routing it.

I hope the above answers your first response (quoted Below).
Now, this is the line in question!
".... add action=jump chain=forward comment="wireguard1-forward: JUMP" jump-target=wireguard1-forward src-address-list=wireguard1-share"
The associated firewall lists.
add address=10.0.1.0/24 comment=earthcloud list=wireguard1-share
add address=10.0.3.0/24 comment="laptop - via earthcloud" list=wireguard1-share

And your comment.
So this used to use the wireguard1 interface as the source, but it would not pick up traffic from the VPS subnets (10.0.1.0/24, 10.0.3.0/24, 10.0.4.0/24) so I switched to using the address list.

++++++++++++++++++
All this leading to my question: WHY are you worried about subnets on the Local SERVER Router going out the tunnel to the Client device?
From the discussion, wasn't the traffic going in the opposite direction, from VLAN100 users on 10.0.4.0/24 being able to reach the three subnets on the MT server router?

Hence my confusion!
If this was a requirement you needed to say so from the getgo as this changes many aspects of the config......
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I suspect more likely I have lost the bubble. Let's recap and consider wireguard1 ONLY.
Main MT wireguard server is a VPS instance
what local subnets exist on the VPS instance?

The RB4011 is the client device connecting to the VPS to establish a tunnel.
what local subnets exist on the RB4011 instance?

ARE THERE ANY OTHER client devices attached via wireguard to the VPS instance that are important to be aware of?

Most importantly, what are the requirements for users either on the VPS or RB4011 OR BOTH, in regard to using wireguard to access resources ( specific subnets (from/to) or internet).

Once that is clear in my mind, all will be good.
What is the purpose of this? Never seen it before your config; is it a VRF-ism??
/ip dhcp-server option sets
add name=VL100 options=wireguard1
Yes, I could see this as something not normally seen. I am using this to push classless static routes on that VLAN, specifically to add 10.0.1.0/24 (VPS) and 10.0.3.0/24 (road warrior) to the routing table of the client so it knows to route those to 10.0.4.1 and not use its own default route for those routes. This would not affect the router routes and is an artifact of some of the virtual systems being hosted on the network. I can probably do this more elegantly via the router itself, but that is something for another day.
Let's delete this for now...............
/ip vrf
add interfaces=wireguard1,VL100_WIREGUARD name=vrf_earthcloud
Agreed.
If VLAN100 is going out the tunnel only then you need to ensure that, traffic that could get confused is not involved........ or at least cognizant of any firewall rules that may cause issues.........
add interface=VL100_WIREGUARD list=DNS_interfaces
add interface=VL100_WIREGUARD list=LAN
add interface=VL100_WIREGUARD list=NTP_interfaces
add interface=VL100_WIREGUARD list=DHCP_interfaces
AND
add interface=wireguard1 list=DNS_interfaces ????

/ip dhcp-server network
add address=10.0.4.0/24 gateway=10.0.4.1 - related to DNS interfaces above???
VL100 is the 10.0.4.0/24 Subnet. Clients on this subnet will use 10.0.4.1 (the Mikrotik router) for DNS, NTP and DHCP services. So these address lists will allow for that. The LAN interface list is an artifact of the old table and I have removed it.

Wireguard 1 itself does not require DNS from the router, it should push all its traffic to the VPS and the VPS can handle the DNS.

The DHCP server that serves VL100 is on the Mikrotik router and that is there simply to push addresses and the static routes (mentioned above) to the clients.

I absolutely detest that you mix forward chain rules in with input chain rules.
Be organized and put all input chain rules together, then all forward chain rules together, etc...

WHY is this rule required? No one else has this, what is special in your case ???
add action=accept chain=input comment="input: accept DHCP " dst-port=67 \
in-interface-list=DHCP_interfaces protocol=udp src-port=68
I am not sure I am following this one. All my rules are grouped from what I can see. If you're referring to the source port 68 on the DHCP rule, it's an oversight on my part. I only need to be concerned with the destination port 67. I have fixed the rule. It now reads:
 ;;; input: accept DHCP 
      chain=input action=accept protocol=udp in-interface-list=DHCP_interfaces dst-port=67 log=no log-prefix="" 
Let's dissect this.........

add action=accept chain=input comment="input: accept DNS" dst-port=53 \
in-interface-list=DNS_interfaces protocol=udp
add action=accept chain=input comment=\
"input: accept DNS requests from earthcloud on Wireguard1" dst-port=53 \
protocol=udp src-address-list=wireguard1-earthcloud


add interface=VL100_WIREGUARD list=DNS_interfaces (okay)
add interface=wireguard1 list=DNS_interfaces (not sure of the purpose here at all)
add address=10.0.1.0/24 comment=earthcloud list=wireguard1-earthcloud (really out to lunch not even on this router)

Trying to figure out why and if there is any purpose...........
Ok, so I have two different rules, both accepting DNS traffic. The first, using DNS_interfaces, covers my local interfaces, but I cannot use the local interface list to service DNS requests coming via the VPS subnets (wireguard1-share: 10.0.1.0/24, 10.0.3.0/24). In order to allow this traffic I have to use a separate rule and utilize a source address list vice interface lists.

The "add interface=wireguard1 list=DNS_interfaces (not sure of the purpose here at all)" is an oversight on my part. I have removed wireguard1 from this list. (as stated above wireguard1 does not need DNS).

The "add address=10.0.1.0/24 comment=earthcloud list=wireguard1-earthcloud (really out to lunch not even on this router)" Is how I am able to utilize the DNS rule to accept DNS from the VPS (10.0.1.10).
Let's dissect.........
add action=accept chain=forward comment=\
"forward: ALLOW to wireguard1 from VL100" dst-address-list=\
wireguard1-share in-interface=VL100_WIREGUARD
add action=accept chain=forward comment=\
"forward: ALLOW to wireguard1 from VL100" dst-address-list=\
wireguard2-share in-interface=VL100_WIREGUARD

The first one........... all you need is
add chain=forward action=accept in-interface=vlan100 out-interface=wireguard1 DONE

Now you have some jumping that's done,,,,,,,,,,,so make it a jump rule.......then add all the funky port stuff........limitations
add chain=forward action=jump jump-target=VLAN100_Rules in-interface=vlan100 out-interface=wireguard1
+++
+++
+++
add chain=VLAN100_Rules action=accept dst-address-list=wireguard1-share protocol=icmp
I agree much better. Done!
BUT BUT
add address=10.0.4.0/24 list=wireguard1-share TO ITSELF ???? ( maybe you meant ?? 10.0.1.0/24 ??
add address=10.255.255.2 list=wireguard1-share TO its own wireguard interface,,,,,,,, not possible to block anyway
add address=10.0.1.0/24 list=wireguard1-share Okay allow to ping a subnet on the other remote location, will buy that.
These are all the subnets I need to have communication between, so having them lumped in the address list is convenient. Agreed that 10.255.255.2 can't be blocked anyway; I honestly added it there, out of desperation, when I could not get my default route to work. I will remove it.
I get it that you are trying to find efficiencies with a balance of good security, but creating so many different entities is confusing and causing errors.
Use interfaces ONLY for groups of subnets.
Don't mix subnets in an interface that have no purpose being there.
I think once you figure out which subnets are going where (my first post on this session), planning will be easier.
I think you're way overdoing it for starters on your access between subnets.
Start with limitations by IP, and if no issues, leave it. If you need more granular control then add them in as necessary.
Simplify, simplify, organize..........
I hope the new diagram and the verbiage I provided at the beginning of this response provide some clarity. I will say that I do not believe my firewall rules are the issue, as every DROP rule is logged and I do not see any dropped traffic when I traceroute from 10.0.4.1 (router) to 8.8.8.8 (should be routed via VPS).

Thanks again for all your help!!
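The DHCP option 121 value described in the post above (`/ip dhcp-server option ... code=121 ... value=0x18...`) is the RFC 3442 classless static route encoding: one byte of prefix length, only the significant bytes of the destination, then a four-byte router. The following decoder and encoder are an added example, not code from the thread or from RouterOS; the two hex strings are copied from the posted export, while the function names and the gateway check are this example's own assumptions. Decoding the `wireguard1` value shows it carries three routes (10.0.1.0/24, 10.0.3.0/24 and 10.0.5.0/24, all via 10.0.4.1), one more than the post mentions, and the `classless` value from the same export does not parse as a well-formed entry at all (a /16 destination takes two bytes, so the router field is misaligned and a byte is left over).

```python
"""Decode and re-encode DHCP option 121 (RFC 3442 classless static routes).

Added example; not part of the forum thread or of RouterOS. The hex
strings used at the bottom are copied from the posted export; the
function names and the gateway check are assumptions of this example.
"""
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def decode_option121(hexvalue: str) -> List[Route]:
    """Parse the RFC 3442 wire format into (destination, router) pairs.

    Each entry is one byte of prefix length, then only the significant
    bytes of the destination (ceil(prefixlen / 8) of them), then a 4-byte
    router address. A truncated or misaligned value raises instead of
    being silently tolerated: a client that guessed here could be pushed
    a bogus route by a malformed or rogue DHCP server.
    """
    if hexvalue.lower().startswith("0x"):
        hexvalue = hexvalue[2:]
    data = bytes.fromhex(hexvalue)
    routes: List[Route] = []
    i = 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen} at offset {i}")
        nbytes = (plen + 7) // 8
        i += 1
        if i + nbytes + 4 > len(data):
            raise ValueError(f"truncated route entry at offset {i - 1}")
        dest = data[i:i + nbytes] + b"\x00" * (4 - nbytes)
        router = data[i + nbytes:i + nbytes + 4]
        i += nbytes + 4
        # strict=True: host bits inside the significant bytes are an error too
        net = ipaddress.IPv4Network((int.from_bytes(dest, "big"), plen))
        routes.append((net, ipaddress.IPv4Address(int.from_bytes(router, "big"))))
    return routes


def encode_option121(routes: List[Route]) -> str:
    """Inverse of decode_option121, in RouterOS's 0x... notation."""
    out = bytearray()
    for net, router in routes:
        nbytes = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:nbytes]
        out += router.packed
    return "0x" + out.hex().upper()


def next_hops_are(routes: List[Route], gateway: str) -> bool:
    """Check that every pushed route points at the VLAN's own gateway.

    Option 121 is unauthenticated, so a router that is not the expected
    gateway means either a typo in the option value or a rogue server
    steering clients somewhere else.
    """
    gw = ipaddress.IPv4Address(gateway)
    return all(router == gw for _, router in routes)


if __name__ == "__main__":
    # "wireguard1" option value from the posted export; 10.0.4.1 is the
    # VL100 gateway named in the thread.
    WG1 = "0x180A00010A000401180A00030A000401180A00050A000401"
    routes = decode_option121(WG1)
    for net, router in routes:
        print(f"{net} via {router}")
    print("all via VL100 gateway:", next_hops_are(routes, "10.0.4.1"))
    print("round trip matches:", encode_option121(routes) == WG1)
    # "classless" option value from the same export: misaligned, rejected
    try:
        decode_option121("0x100A00000A000202")
    except ValueError as exc:
        print("classless value rejected:", exc)
```

The round trip through `encode_option121` reproduces the posted string byte for byte, which is the quickest way to confirm a hand-built option value before pushing it to clients.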
 
anav
Forum Guru

Re: Wireguard VRF and Default Gateways

Wed Jul 27, 2022 7:07 pm

Some good clarifications, and now I know what has been hard to see within all the noise of the config. You have a mismatch in the IP addressing of Wireguard1. It's not following the VPS.

The VPS wireguard address is 10.0.1.10/24, all other wireguard addresses in that tunnel should be within that subnet!!
The local subnet in communication with the VPS is 10.0.4.0/24. This communicates with the VPS via wireguard1 tunnel which has a local IP of 10.255.255.2 and connects to the VPS which has a wireguard IP of 10.0.1.10.

Thus your IP address should be anything within the subnet described by the VPS but not conflicting with others......... such as
/ip address
add address=10.0.10.15/24 interface=wireguard1

Below was the missing link not explained and causing confusion/doubt in the config or my understanding of it and should have been stated at the beginning LOL.

The tunnel is also a means to communicate with other roaming resources (think road warrior) which can connect to the local 10.0.4.0/24 network by establishing a link to the VPS via its own tunnel. These road-warrior computers take on an IP address in the 10.0.3.0/24 subnet and connect to the VPS via their own wireguard tunnels. These connections are all functioning and work under the current configuration.

Hence,
The allowed addresses at the VPS peer NOW have to include the subnet 10.0.4.0/24 (before it was none except for the IP address of the wireguard client of the MT device, in the format 10.10.10.2/32).

The allowed addresses at the MT Client peer, NOW have to include the incoming road warrior information or subnet information as well as wireguard addresses. If it was a smart phone then it would just be the assigned wireguard network IP, but you have a subnet coming so your current rule is ALREADY CORRECT!!

/interface wireguard peers
add allowed-address=10.0.1.0/24,10.0.3.0/24 comment=Earthcloud \
endpoint-address=XXX.XXX.XXX.XX endpoint-port=51820 interface=wireguard1 \
persistent-keepalive=30s public-key=\

Now this firewall rule list makes sense
add chain=forward action=accept in-interface=wireguard1 src-address-list=wireguard1-earthcloud dst-address=10.0.4.0/24
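The allowed-address discussion in the post above is WireGuard's cryptokey routing, and it applies in both directions: on egress the packet's destination is matched (longest prefix) against every peer's allowed-address list on that interface and the packet goes to the owning peer, or is silently dropped when nothing matches; on ingress a decrypted packet is accepted only if its source lies inside the sending peer's allowed-address list. The model below is an added example, not WireGuard's, RouterOS's or the poster's code. Peer names, 10.0.1.15 as the RB4011 tunnel address and 10.0.4.0/24 as VL100 come from the thread; the laptop address 10.0.3.2, the sample source 10.0.4.50 and the function names are assumptions of this example.

```python
"""Model WireGuard cryptokey routing for the peers discussed in this thread.

Added example; not WireGuard's, RouterOS's or the forum poster's code.
Peer names and the 10.0.x.0/24 subnets come from the thread; the laptop
address 10.0.3.2, the sample source 10.0.4.50 and the function names are
assumptions of this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Peer:
    name: str
    allowed: List[str]  # allowed-address entries as CIDR strings

    def networks(self) -> List[ipaddress.IPv4Network]:
        return [ipaddress.IPv4Network(a, strict=False) for a in self.allowed]


def select_peer(peers: List[Peer], dst: str) -> Optional[str]:
    """Egress lookup: longest allowed-address prefix wins; None means drop.

    WireGuard does not log this drop, which is why a missing 0.0.0.0/0
    shows up as 'the VPS never sees the packets' and nothing else.
    """
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Tuple[int, str]] = None
    for peer in peers:
        for net in peer.networks():
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, peer.name)
    return best[1] if best else None


def accepts_ingress(peers: List[Peer], from_peer: str, src: str) -> bool:
    """Ingress check: the source must be inside the sending peer's allowed-address."""
    addr = ipaddress.IPv4Address(src)
    for peer in peers:
        if peer.name == from_peer:
            return any(addr in net for net in peer.networks())
    return False


def trace(router_peers: List[Peer], vps_peers: List[Peer], src: str, dst: str) -> str:
    """Follow one VL100 packet: RB4011 egress over wireguard1, then VPS ingress."""
    if select_peer(router_peers, dst) is None:
        return f"dropped at RB4011: no allowed-address covers {dst}"
    if not accepts_ingress(vps_peers, "RB4011", src):
        return f"dropped at VPS: source {src} not in RB4011 peer's allowed-address"
    return "forwarded by VPS"


if __name__ == "__main__":
    # RB4011 side: the Earthcloud peer before and after adding 0.0.0.0/0
    before = [Peer("Earthcloud", ["10.0.1.0/24", "10.0.3.0/24"])]
    after = [Peer("Earthcloud", ["10.0.1.0/24", "10.0.3.0/24", "0.0.0.0/0"])]
    # VPS side: the RB4011 peer with only its tunnel /32, then with VL100 added
    vps_before = [Peer("RB4011", ["10.0.1.15/32"]), Peer("laptop", ["10.0.3.2/32"])]
    vps_after = [Peer("RB4011", ["10.0.1.15/32", "10.0.4.0/24"]),
                 Peer("laptop", ["10.0.3.2/32"])]
    for rp, vp in ((before, vps_before), (after, vps_before), (after, vps_after)):
        print(trace(rp, vp, "10.0.4.50", "8.8.8.8"))
```

Two points the model makes visible: the packet has to pass both checks, so fixing only the RB4011 side moves the silent drop to the VPS, and because the lookup is longest-prefix, a 0.0.0.0/0 entry on one peer does not steal traffic that another peer on the same interface claims with a more specific prefix. Real WireGuard also allows a prefix to be owned by only one peer per interface; assigning 0.0.0.0/0 to a second peer moves it off the first.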
 
anav
Forum Guru

Re: Wireguard VRF and Default Gateways

Wed Jul 27, 2022 7:11 pm

Post the complete config again with the latest changes, and I don't see why you need the port 67 rule anywhere; there has to be a reason you are the only one in 1 million posters using it............. aka not needed LOL.
 
E15RQ22EZN9
Topic Author

Re: Wireguard VRF and Default Gateways

Thu Jul 28, 2022 1:55 pm

anav, I can claim victory!
/tool/ping address=8.8.8.8 vrf=vrf_earthcloud 
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                                                                 
    0 8.8.8.8                                    56 116 22ms638us 
    1 8.8.8.8                                    56 116 21ms584us 
    2 8.8.8.8                                    56 116 20ms642us 
    sent=3 received=3 packet-loss=0% min-rtt=20ms642us avg-rtt=21ms621us max-rtt=22ms638us 
I changed the wireguard interface to match the subnet of the VPS as you suggested.
Thus your IP address should be anything within the subnet described by VPS but not conflicting with others......... such at
/ip address
add address=10.0.10.15/24 interface=wireguard1
I think you may have made a typo though, as I used 10.0.1.15/24 as the address. (I don't believe 10.0.10.15/24 is in the same subnet as 10.0.1.10/24 (VPS).)

I still could not get traffic through the default route. The key appears to be this:
/interface wireguard peers
add allowed-address=10.0.1.0/24,10.0.3.0/24,0.0.0.0/0 comment=Earthcloud \
endpoint-address=XXX.XXX.XXX.XX endpoint-port=51820 interface=wireguard1 \
persistent-keepalive=30s public-key=

With this change I can now get the default route through the VPS as expected!! I even went back and tried the VRF out again and it seems to be working!

Also I disabled my DHCP interfaces rule (port 67) and my clients still seem to be able to use DHCP, so you were right about that as well. I will have to go dig out my TCP/IP book again because I now don't understand how the router allows DHCP requests :shock:

Interestingly, even if I turn on the logs for wireguard, there is nothing in the logs to indicate the traffic is being blocked.... would be nice to see that there in the future.

Now I think I need to rethink my firewall rules for wireguard1 to account for default route traffic.

anav, thanks again for all your help!!

Here is the full config that now appears to be working.
# jul/28/2022 06:42:39 by RouterOS 7.4
# software id = F3RN-N3NC
#
# model = RB4011iGS+
# serial number = xxxxxxxxxxxxx
/interface bridge
add name=BR1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether6 ] comment="VL99-Passthrough - ethernet device setup VLAN"
set [ find default-name=ether7 ] comment="VL-60LAB - for LAB vlan"
set [ find default-name=ether9 ] comment=WAN
set [ find default-name=ether10 ] comment="Parents Computer"
/caps-man interface
add disabled=yes l2mtu=1600 mac-address=48:8F:5A:70:9B:FF master-interface=none name=cap1 radio-mac=48:8F:5A:70:9B:FF radio-name=488F5A709BFF
add disabled=yes l2mtu=1600 mac-address=48:8F:5A:70:9C:00 master-interface=none name=cap2 radio-mac=48:8F:5A:70:9C:00 radio-name=488F5A709C00
add disabled=no mac-address=48:8F:5A:70:9B:B1 master-interface=none name=cap3 radio-mac=48:8F:5A:70:9B:B1 radio-name=488F5A709BB1
add disabled=no mac-address=48:8F:5A:70:9B:B0 master-interface=none name=cap4 radio-mac=48:8F:5A:70:9B:B0 radio-name=488F5A709BB0
/interface wireguard
add comment=PVPN-NY#38 disabled=yes listen-port=13233 mtu=1420 name=pvpn1
add comment="External: Earthcloud based wireguard" listen-port=51820 mtu=1420 name=wireguard1
add comment="Router: " listen-port=13231 mtu=1420 name=wireguard2
/interface vlan
add interface=BR1 name=VL10_MGMT vlan-id=10
add interface=BR1 name=VL20_TRUST vlan-id=20
add interface=BR1 name=VL35_CELL vlan-id=35
add interface=BR1 name=VL40_GUEST vlan-id=40
add interface=BR1 name=VL50_CLEARNET vlan-id=50
add interface=BR1 name=VL51_MEDIA vlan-id=51
add interface=BR1 name=VL52_IOT vlan-id=52
add interface=BR1 name=VL53_WIFI_VPN vlan-id=53
add interface=BR1 name=VL55_P2P vlan-id=55
add interface=BR1 name=VL60_LAB vlan-id=60
add interface=BR1 name=VL90_PASSUNTRUSTED vlan-id=90
add interface=BR1 name=VL100_WIREGUARD vlan-id=100
/interface list
add name=WAN
add name=LAN
add name=VLAN_WAN
add name=VLAN_VPN
add name=MGMT
add name=LAB
add name=DHCP_interfaces
add name=NTP_interfaces
add name=DNS_interfaces
add name=WAN_ACCESS
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add interface=VL10_MGMT name=VL10_DHCP
/ip dhcp-server option
add code=121 name=classless value=0x100A00000A000202
add code=121 name=wireguard1 value=0x180A00010A000401180A00030A000401180A00050A000401
add code=43 name="raspberry pi boot" value="'Raspberry Pi Boot'"
add code=66 name="raspberry pi tftp" value="s'192.168.20.100'"
/ip dhcp-server option sets
add name=VL100 options=wireguard1
/ip ipsec mode-config
add name=ProtonVPN responder=no src-address-list=VL20_Addresses
add name=ProtonVPN_USCA98_LIBREELEC responder=no src-address-list=VL52_Addresses
add name=ProtonVPN_WIFI_VPN2 responder=no src-address-list=VL53_WIFI_VPN
/ip ipsec policy group
add name=ProtonVPN
/ip ipsec profile
add dh-group=modp4096,modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
add dh-group=modp4096,modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN_WIFI
/ip ipsec peer
add address=node-us-119.protonvpn.net disabled=yes exchange-mode=ike2 name=US-VA#25 profile=ProtonVPN send-initial-contact=no
add address=node-us-68.protonvpn.net comment="This is US-NY#35 (using b3 username)" disabled=yes exchange-mode=ike2 name=ProtonVPN-US profile=ProtonVPN send-initial-contact=no
add address=node-us-89.protonvpn.net comment=US-CO#15 disabled=yes exchange-mode=ike2 name="Chicago - US-IL44" profile=ProtonVPN send-initial-contact=no
add address=node-us-93.protonvpn.net comment=US-CO#15 exchange-mode=ike2 name=ProtonVPN-CO5 profile=ProtonVPN_WIFI send-initial-contact=no
add address=91.219.214.170/32 exchange-mode=ike2 name=ProtonVpn-US-FL#39 profile=ProtonVPN
add address=91.219.212.202/32 disabled=yes exchange-mode=ike2 name=ProtonVPN_USCA98_P2P profile=ProtonVPN send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip pool
add name=VL20_POOL ranges=192.168.20.100-192.168.20.199
add name=VL35_POOL ranges=192.168.35.100-192.168.35.199
add name=VL52_POOL ranges=192.168.52.100-192.168.52.199
add name=VL40_POOL ranges=192.168.40.100-192.168.40.199
add comment="P2P VPN VLAN" name=VL55_Pool ranges=192.168.55.100-192.168.55.199
add name=VL60_POOL ranges=192.168.60.100-192.168.60.199
add name=VL100_POOL ranges=10.0.4.100-10.0.4.199
add name=VL50_POOL ranges=192.168.50.100-192.168.50.199
add name=VL51_POOL ranges=192.168.51.100-192.168.51.199
add name=VL53_POOL ranges=192.168.53.100-192.168.53.199
/ip dhcp-server
add address-pool=VL20_POOL interface=VL20_TRUST name=VL20_DHCP
add address-pool=VL35_POOL interface=VL35_CELL name=VL35_DHCP
add address-pool=VL52_POOL interface=VL52_IOT name=VL52_DHCP
add address-pool=VL40_POOL interface=VL40_GUEST name=VL40_DHCP
add address-pool=VL55_Pool interface=VL55_P2P name=VL55_DHCP
add address-pool=VL60_POOL interface=VL60_LAB name=VL60_DHCP
add address-pool=VL100_POOL dhcp-option-set=VL100 interface=VL100_WIREGUARD name=VL100_DHCP
add address-pool=VL50_POOL interface=VL50_CLEARNET name=VL50_DHCP
add address-pool=VL51_POOL interface=VL51_MEDIA name=VL51_DHCP
add address-pool=VL53_POOL interface=VL53_WIFI_VPN name=VL53_DHCP
/ip vrf
add interfaces=wireguard1,VL100_WIREGUARD name=vrf_earthcloud
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add disabled=no fib name=earthcloud
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether2
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether3
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether4
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether5
add bridge=BR1 interface=ether6 pvid=99
add bridge=BR1 hw=no ingress-filtering=no interface=ether7 pvid=60
add bridge=BR1 ingress-filtering=no interface=sfp-sfpplus1
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether9 pvid=90
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether10 pvid=90
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=BR1 comment="VL10 Management Net " tagged=BR1,ether2,ether3,ether4,ether5,sfp-sfpplus1,ether6 vlan-ids=10
add bridge=BR1 comment="VL20 - TRUSTED - VPN Protected" tagged=BR1,ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 vlan-ids=20
add bridge=BR1 comment="VL35 - CELL - No VPN - Only for cell phones with VPN always on via devices" tagged=BR1,ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 vlan-ids=35
add bridge=BR1 comment="VL52 - IOT" tagged=BR1,sfp-sfpplus1 vlan-ids=52
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,sfp-sfpplus1 untagged=ether6 vlan-ids=99
add bridge=BR1 tagged=sfp-sfpplus1,BR1 vlan-ids=40
add bridge=BR1 comment="VL55 - VPN with P2P enabled" tagged=BR1,sfp-sfpplus1 vlan-ids=55
add bridge=BR1 comment=VL90_UNTRUSTED-WAN tagged=BR1 untagged=VL90_PASSUNTRUSTED vlan-ids=90
add bridge=BR1 comment=VL60-LAB tagged=ether2,BR1 untagged=ether7 vlan-ids=60
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=100
add bridge=BR1 comment=VL50-CLEARNET tagged=BR1,sfp-sfpplus1 vlan-ids=50
add bridge=BR1 comment="VL51 - MEDIA" tagged=BR1,sfp-sfpplus1 vlan-ids=51
add bridge=BR1 tagged=sfp-sfpplus1,BR1 vlan-ids=53
/interface list member
add interface=VL10_MGMT list=MGMT
add interface=VL90_PASSUNTRUSTED list=WAN
add interface=VL60_LAB list=LAB
add interface=VL10_MGMT list=DNS_interfaces
add interface=VL20_TRUST list=DNS_interfaces
add interface=VL35_CELL list=DNS_interfaces
add interface=VL40_GUEST list=DNS_interfaces
add interface=VL50_CLEARNET list=DNS_interfaces
add interface=VL51_MEDIA list=DNS_interfaces
add interface=VL52_IOT list=DNS_interfaces
add interface=VL55_P2P list=DNS_interfaces
add interface=VL60_LAB list=DNS_interfaces
add interface=VL100_WIREGUARD list=DNS_interfaces
add interface=VL10_MGMT list=NTP_interfaces
add interface=VL20_TRUST list=NTP_interfaces
add interface=VL35_CELL list=NTP_interfaces
add interface=VL40_GUEST list=NTP_interfaces
add interface=VL50_CLEARNET list=NTP_interfaces
add interface=VL51_MEDIA list=NTP_interfaces
add interface=VL52_IOT list=NTP_interfaces
add interface=VL55_P2P list=NTP_interfaces
add interface=VL60_LAB list=NTP_interfaces
add interface=VL100_WIREGUARD list=NTP_interfaces
add interface=VL10_MGMT list=DHCP_interfaces
add interface=VL20_TRUST list=DHCP_interfaces
add interface=VL35_CELL list=DHCP_interfaces
add interface=VL40_GUEST list=DHCP_interfaces
add interface=VL50_CLEARNET list=DHCP_interfaces
add interface=VL51_MEDIA list=DHCP_interfaces
add interface=VL52_IOT list=DHCP_interfaces
add interface=VL55_P2P list=DHCP_interfaces
add interface=VL60_LAB list=DHCP_interfaces
add interface=VL100_WIREGUARD list=DHCP_interfaces
add interface=VL20_TRUST list=WAN_ACCESS
add interface=VL35_CELL list=WAN_ACCESS
add interface=VL40_GUEST list=WAN_ACCESS
add interface=VL50_CLEARNET list=WAN_ACCESS
add interface=VL51_MEDIA list=WAN_ACCESS
add interface=VL53_WIFI_VPN list=WAN_ACCESS
add interface=VL53_WIFI_VPN list=DNS_interfaces
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.0.1.0/24,10.0.3.0/24,0.0.0.0/0 comment=Earthcloud endpoint-address=XXX.XXX.XXX.XXX endpoint-port=51820 interface=wireguard1 persistent-keepalive=30s public-key="JUBRtdhXY9xRA8F+89m6PPHcS+s9vD7MinBLO0aajjk="
add allowed-address=10.0.5.0/24 comment="Laptop - Local" interface=wireguard2 public-key="hpCCDqsGi9cSzt+9bivhXTm9NW+lloqkXRWgSkJJIiI="
add allowed-address=0.0.0.0/0 endpoint-address=193.148.18.66 endpoint-port=51820 interface=pvpn1 public-key="4Gjn941JfIDqDB3KWubQ4slUR362dUrgbT7WGvldPlM="
/ip address
add address=192.168.10.1/24 interface=VL10_MGMT network=192.168.10.0
add address=192.168.20.1/24 interface=VL20_TRUST network=192.168.20.0
add address=192.168.35.1/24 interface=VL35_CELL network=192.168.35.0
add address=192.168.52.1/24 interface=VL52_IOT network=192.168.52.0
add address=192.168.40.1/24 interface=VL40_GUEST network=192.168.40.0
add address=192.168.55.1/24 interface=VL55_P2P network=192.168.55.0
add address=192.168.60.1/24 interface=VL60_LAB network=192.168.60.0
add address=10.0.1.15/24 comment="10.255.255.0/24 address space will be used for indivual wireguard interfaces " interface=wireguard1 network=10.0.1.0
add address=10.0.4.1/24 interface=VL100_WIREGUARD network=10.0.4.0
add address=10.0.2.2 interface=wireguard2 network=10.0.2.2
add address=192.168.50.1/24 interface=VL50_CLEARNET network=192.168.50.0
add address=192.168.51.1/24 interface=VL51_MEDIA network=192.168.51.0
add address=192.168.53.1/24 interface=VL53_WIFI_VPN network=192.168.53.0
/ip dhcp-client
add disabled=yes interface=ether1 use-peer-dns=no use-peer-ntp=no
add interface=VL90_PASSUNTRUSTED
/ip dhcp-server lease
add address=192.168.20.100 client-id=ff:ad:3a:c9:6c:0:2:0:0:ab:11:c4:47:4b:e5:b3:54:d1:44 comment=local-FQDN mac-address=34:97:F6:32:97:FC server=VL20_DHCP
add address=10.0.4.100 client-id=ff:ad:3a:c9:6c:0:2:0:0:ab:11:c4:47:4b:e5:b3:54:d1:44 comment=local-FQDN mac-address=34:97:F6:32:97:FC server=VL100_DHCP
add address=192.168.20.106 client-id=ff:5f:e:72:be:0:4:36:43:46:30:34:39:32:45:36:32:37:30:ff:ff:ff:ff comment=nas.local-FQDN mac-address=80:61:5F:0E:72:BE server=VL20_DHCP
/ip dhcp-server network
add address=10.0.4.0/24 gateway=10.0.4.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1 netmask=24
add address=192.168.20.0/24 dhcp-option="raspberry pi boot,raspberry pi tftp" dns-server=192.168.20.1 domain=local-FQDN gateway=192.168.20.1 netmask=24 next-server=192.168.20.100 ntp-server=192.168.20.1
add address=192.168.35.0/24 dns-server=192.168.35.1 gateway=192.168.35.1 netmask=24
add address=192.168.40.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.40.1
add address=192.168.50.0/24 comment=VL50-CLEARNET dns-server=1.1.1.1,8.8.8.8 gateway=192.168.50.1 netmask=24
add address=192.168.51.0/24 boot-file-name=/pxelinux.0 comment="Media Network - with Netboot" dns-server=192.168.51.1 gateway=192.168.51.1 netmask=24 ntp-server=192.168.51.1
add address=192.168.52.0/24 dns-server=192.168.52.1 gateway=192.168.52.1 netmask=24
add address=192.168.53.0/24 dns-server=192.168.53.1 gateway=192.168.53.1 netmask=24
add address=192.168.55.0/24 dns-server=192.168.55.1 gateway=192.168.55.1
add address=192.168.60.0/24 dns-server=192.168.60.1 gateway=192.168.60.1 netmask=24
/ip dns
set allow-remote-requests=yes max-concurrent-tcp-sessions=40 servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.20.106 name=nas.local-FQDN
add address=192.168.20.1 name=vlan20.local-FQDN
add address=192.168.20.100 name=local-FQDN
add address=192.168.11.3 name=mariadb.local-FQDN
add address=192.168.20.100 name=nfs.local-FQDN
add address=10.0.4.100 name=local-FQDN
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=192.168.20.0/24 list=VL20_Addresses
add address=192.168.55.0/24 comment="For P2P VPN Connections" list=VL55_Addresses
add address=192.168.10.0/24 list=VL10_Addresses
add address=192.168.35.0/24 list=VL35_Addresses
add address=192.168.99.0/24 list=VL99_Addresses
add address=10.0.4.0/24 list=VL100_Addresses
add address=192.168.200.0/24 list=VL90_Addresses
add address=10.255.255.2 list=wireguard1
add address=192.168.60.0/24 list=VL60_Addresses
add address=10.0.1.0/24 comment=earthcloud list=wireguard1-earthcloud
add address=10.0.3.0/24 comment="david-laptop - via earthcloud" list=wireguard1-share
add address=10.0.5.0/24 list=wireguard2-share
add address=10.0.2.2 list=wireguard2
add address=192.168.50.0/24 list=VL50_Addresses
add address=192.168.40.0/24 list=VL40_Addresses
add address=192.168.52.0/24 list=VL52_Addresses
add address=192.168.51.0/24 list=VL51_Addresses
add address=10.0.4.0/24 list=wireguard1-share
add address=10.255.255.2 list=wireguard1-share
add address=10.0.1.0/24 list=wireguard1-share
add address=192.168.53.0/24 list=VL53_WIFI_VPN
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix="Drop Invalid:"
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="VL10_MGMT - ANTI-LOCKOUT - WINBOX" dst-address=192.168.10.1 dst-port=8291 in-interface-list=MGMT protocol=tcp
add action=accept chain=input comment="input: accept DNS" dst-port=53 in-interface-list=DNS_interfaces protocol=udp
add action=accept chain=input comment="input: accept NTP" dst-port=123 in-interface-list=NTP_interfaces protocol=udp
add action=accept chain=input comment="input: accept DHCP " disabled=yes dst-port=67 in-interface-list=DHCP_interfaces protocol=udp
add action=accept chain=input comment="input: accept DNS requests from earthcloud on Wireguard1" dst-port=53 protocol=udp src-address-list=wireguard1-earthcloud
add action=accept chain=input comment="VL20-input: Allow wireguard2 access" dst-address-type="" dst-port=13231 in-interface=VL20_TRUST protocol=udp
add action=drop chain=input comment="input: DROP BROADCAST [log spam guard]" dst-address-type=broadcast
add action=drop chain=input comment="input: DROPALL" log=yes log-prefix=input:DROPALL
add action=accept chain=forward comment="forward: Allow WAN access for specific interfaces" in-interface-list=WAN_ACCESS out-interface-list=WAN
add action=accept chain=forward comment="forward:WAN ACCESS TOGGLE - MGMT Net" disabled=yes in-interface-list=MGMT out-interface-list=WAN
add action=accept chain=forward comment="VL55-forward: ALLOW ACCESS TO SPECIFIC VPN SERVER ADDRESS ONLY  (DISABLE WAN ACCESS BELOW) -- NY#54" dst-address=37.120.244.62 in-interface=VL55_P2P out-interface-list=WAN
add action=accept chain=forward comment="forward: ALLOW WAN ACCESS TOGGLE - VL55-P2P" disabled=yes in-interface=VL55_P2P out-interface-list=WAN
add action=accept chain=forward comment="forward: SNAPCAST - Stream Port 1704 - VL52-IOT to SNAPCAST SERVER (VL20)" dst-address=192.168.20.100 dst-port=1704 in-interface=VL52_IOT protocol=tcp
add action=accept chain=forward comment="forward: SNAPCAST - Stream Port 1705 - VL52-IOT to SNAPCAST SERVER (VL20)" dst-address=192.168.20.100 dst-port=1705 in-interface=VL52_IOT protocol=tcp
add action=accept chain=forward comment="forward: ALLOW to wireguard1 from VL100" dst-address-list=wireguard1-share in-interface=VL100_WIREGUARD
add action=accept chain=forward comment="forward: ALLOW to wireguard1 from VL100" dst-address-list=wireguard2-share in-interface=VL100_WIREGUARD
add action=jump chain=forward comment="wireguard1-forward: JUMP" jump-target=wireguard1-forward src-address-list=wireguard1-share
add action=jump chain=forward comment="wireguard2-forward: JUMP" in-interface=wireguard2 jump-target=wireguard2-forward
add action=accept chain=forward comment="allow dst-nat" connection-nat-state=dstnat
add action=drop chain=forward comment="DROP ALL ELSE" log=yes log-prefix="forward: DROPALL"
add action=accept chain=wireguard1-forward comment="wireguard1-forward: Allow to VL100 - ICMP" out-interface=wireguard1 protocol=icmp
add action=accept chain=wireguard1-forward comment="wireguard1-forward: Allow to VL100 - SSH" dst-port=22 protocol=tcp
add action=accept chain=wireguard1-forward comment="wireguard1-forward: Allow to VL100 - HTTP access" dst-port=80 protocol=tcp
add action=accept chain=wireguard1-forward comment="wireguard1-forward: Allow to VL100 - HTTPS access" dst-port=443 protocol=tcp
add action=accept chain=wireguard1-forward comment="wireguard1-forward: Allow to VL100 - NFS" disabled=yes dst-address-list=VL100_Addresses dst-port=2049 protocol=tcp
add action=accept chain=wireguard1-forward comment="wireguard1-forward: Allow to VL100 - Kerberosv5 - TCP" disabled=yes dst-address-list=VL100_Addresses dst-port=88 protocol=tcp
add action=accept chain=wireguard1-forward comment="wireguard1-forward: Allow to VL100 - Kerberosv5 - UDP" disabled=yes dst-address-list=VL100_Addresses dst-port=88 protocol=udp
add action=accept chain=wireguard1-forward comment="wireguard1-forward: Allow to VL100 - Kerberosv5 - kadmin - UDP" disabled=yes dst-address-list=VL100_Addresses dst-port=749 protocol=udp
add action=accept chain=wireguard1-forward comment="wireguard1-forward: Allow to VL100 - Kerberosv5 - kadmin - TCP" disabled=yes dst-address-list=VL100_Addresses dst-port=749 protocol=tcp
add action=accept chain=wireguard1-forward comment="wireguard1-forward: Allow to VL100 - iperf" disabled=yes dst-address-list=VL100_Addresses dst-port=5001 protocol=tcp
add action=drop chain=wireguard1-forward comment="wireguard1-forward: DROPALL" log=yes log-prefix="wireguard1-forward: DROPALL"
add action=accept chain=wireguard2-forward comment="wireguard2-forward: Allow to VL100 - ICMP" dst-address-list=wireguard2-share protocol=icmp
add action=accept chain=wireguard2-forward comment="wireguard2-forward: Allow to VL100 - SSH" dst-address-list=VL100_Addresses dst-port=22 protocol=tcp
add action=accept chain=wireguard2-forward comment="wireguard2-forward: Allow to VL100 - NFS" dst-address-list=VL100_Addresses dst-port=2049 protocol=tcp
add action=accept chain=wireguard2-forward comment="wireguard2-forward: Allow to VL100 - RPC for NFS" dst-address-list=VL100_Addresses dst-port=111 protocol=tcp
add action=accept chain=wireguard2-forward comment="wireguard2-forward: Allow to VL100 - Kerberosv5 - TCP" dst-address-list=VL100_Addresses dst-port=88 protocol=tcp
add action=accept chain=wireguard2-forward comment="wireguard2-forward: Allow to VL100 - Kerberosv5 - UDP" dst-address-list=VL100_Addresses dst-port=88 protocol=udp
add action=accept chain=wireguard2-forward comment="wireguard2-forward: Allow to VL100 - iperf" disabled=yes dst-address-list=VL100_Addresses dst-port=5001 protocol=tcp
add action=drop chain=wireguard2-forward comment="wireguard2-forward: DROPALL" log=yes log-prefix="wireguard2-forward: DROPALL"
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes in-interface=VL100_WIREGUARD new-routing-mark=earthcloud passthrough=no
add action=mark-routing chain=output disabled=yes log=yes log-prefix=out_mark new-routing-mark=earthcloud passthrough=yes src-address-list=VL100_Addresses
/ip firewall nat
add action=src-nat chain=srcnat disabled=yes out-interface=wireguard1 to-addresses=10.0.1.10
add action=accept chain=srcnat comment="defconf: accept all that matches IPSec policy" ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" log-prefix="SNAT-WAN: " out-interface-list=WAN
add action=src-nat chain=srcnat comment="defconf: masquerade" disabled=yes dst-address-list=!wireguard1-share log=yes log-prefix="SNAT-WG0: " src-address-list=VL100_Addresses to-addresses=10.255.255.2
add action=dst-nat chain=dstnat comment="Syncthing traffic NAT" disabled=yes dst-port=22000 in-interface-list=WAN protocol=tcp to-addresses=192.168.20.103
add action=src-nat chain=srcnat disabled=yes dst-address-list=wireguard1-share log=yes log-prefix=wireguard1-srcnat src-address-list=VL100_Addresses to-addresses=10.0.2.1
add action=dst-nat chain=dstnat comment="wireguard NAT to support direct connections" disabled=yes dst-address=192.168.200.100 dst-port=13231 protocol=udp to-addresses=10.0.2.1
add action=masquerade chain=srcnat disabled=yes out-interface-list=WAN src-address-list=VL40_Addresses
/ip ipsec identity
add auth-method=eap certificate=ProtonVPN_ike_root.der_0 comment="Proton Identity with adblock and malware filter" eap-methods=eap-mschapv2 generate-policy=port-override mode-config=ProtonVPN peer=ProtonVPN-US policy-template-group=ProtonVPN \
    username=USERNAME+b:2+f2
add auth-method=eap certificate=ProtonVPN_ike_root.der_0 eap-methods=eap-mschapv2 generate-policy=port-override mode-config=ProtonVPN_USCA98_LIBREELEC peer=ProtonVPN_USCA98_P2P policy-template-group=ProtonVPN username=USERNAME+f2
add auth-method=eap certificate=ProtonVPN_ike_root.der_0 eap-methods=eap-mschapv2 generate-policy=port-override mode-config=ProtonVPN_WIFI_VPN2 peer=ProtonVPN-CO5 policy-template-group=ProtonVPN username=USERNAME+b:2+f2
add auth-method=eap certificate=ProtonVPN_ike_root.der_0 comment="Proton Identity with adblock and malware filter" eap-methods=eap-mschapv2 generate-policy=port-override mode-config=ProtonVPN peer=ProtonVpn-US-FL#39 policy-template-group=ProtonVPN \
    username=USERNAME+b:1+f2
add auth-method=eap certificate=ProtonVPN_ike_root.der_0 eap-methods=eap-mschapv2 generate-policy=port-override mode-config=ProtonVPN peer="Chicago - US-IL44" policy-template-group=ProtonVPN username=USERNAME+f2
add auth-method=eap certificate=ProtonVPN_ike_root.der_0 eap-methods=eap-mschapv2 generate-policy=port-override mode-config=ProtonVPN peer=US-VA#25 policy-template-group=ProtonVPN username=USERNAME+b
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN src-address=0.0.0.0/0 template=yes
/ip ipsec settings
set accounting=no
/ip route
add comment="Route for local laptop WG connection" disabled=no distance=1 dst-address=10.0.5.0/24 gateway=wireguard2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1@vrf_earthcloud pref-src="" routing-table=vrf_earthcloud scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/routing rule
add action=lookup-only-in-table disabled=yes src-address=10.0.4.0/24 table=vrf_earthcloud
add action=lookup-only-in-table disabled=yes src-address=10.0.4.0/24 table=vrf_earthcloud
/system clock
set time-zone-name=America/New_York
/system identity
set name=EdgeRouter
/system logging
add topics=wireguard
add disabled=yes topics=dhcp
add disabled=yes topics=ipsec
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=204.11.201.10
add address=108.61.73.244
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool sniffer
set filter-interface=all filter-ip-address=8.8.8.8/32 streaming-enabled=yes streaming-server=192.168.20.100
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VRF and Default Gateways

Thu Jul 28, 2022 3:40 pm

Not surprising I made a typo LOL.

As for the allowed IPs, it depends on expectations.
At the MT client, and for any device, you have to account for three things in the peer settings for ALLOWED IPs.

a. the wireguard network (to facilitate pinging connectivity check or access from devices that only have a wireguard IP)
b. the remote address local clients are trying to reach outbound (it allows MT client device to match to user requests and routes)
c. the source addresses of remote users that will be exiting the tunnel on the local mt client device inbound.

You should be able to see that often b. and c. will be the same, and thus one entry kills two birds (local users want access to subnet A on the remote site, and subnet A users need access to the local router).

d. Finally, there is the special case of b. above, where they are going out via a remote location for INTERNET and thus the entry is 0.0.0.0/0.
Since this includes every IP address, this entry covers off the IP wireguard network and any remote subnets that need to be reached as well, and
ANY inbound address !!!

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Long-winded story, but at the MT client device we had 10.0.1.0/24, which covers off part a.
We had 10.0.3.0/24, which covers off possible b and c.
b. Did you have local vlan100 users that needed to access the subnet 10.0.3.0/24, AND
c. Did you have remote users (with source address within 10.0.3.0/24) coming from or through the VPS that needed access to the MT client device?

If entering 0.0.0.0/0 solved the issues, it tells me you didn't articulate the requirements correctly and we were missing
either a. the remote address locations properly, OR
b. the incoming remote users properly.

OR FINALLY, there was requirement for local MT users on vlan100 to go out the VPS for internet.

Only you know LOL
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VRF and Default Gateways

Thu Jul 28, 2022 3:42 pm

Also, a discussion of this statement, as I do not know what you mean, will probably clear up some confusion as well!
"with this change I can now get the default route through the VPS as expected!!"
 
E15RQ22EZN9
just joined
Topic Author
Posts: 10
Joined: Tue Mar 02, 2021 12:49 pm

Re: Wireguard VRF and Default Gateways

Fri Jul 29, 2022 8:06 pm

anav, sorry for the delayed response; my kid got sick, so I have not had a chance to get back until now.

We had 10.0.3.0/24, which covers off possible b and c.
b. Did you have local vlan100 users that needed to access the subnet 10.0.3.0/24, AND
c. Did you have remote users (with source address within 10.0.3.0/24) coming from or through the VPS that needed access to the MT client device?

If entering 0.0.0.0/0 solved the issues, it tells me you didn't articulate the requirements correctly and we were missing
either a. the remote address locations properly, OR
b. the incoming remote users properly.

OR FINALLY, there was requirement for local MT users on vlan100 to go out the VPS for internet.

VLAN100 (10.0.4.0/24) needs to be able to communicate with 10.0.3.0/24 and needs to be able to go out the VPS for internet. My apologies if I was unclear on that.

Also, a discussion of this statement, as I do not know what you mean, will probably clear up some confusion as well!
"with this change I can now get the default route through the VPS as expected!!"

Under my original config, within the VRF I had established a default route with the gateway as the wireguard1 interface, with the intention of routing VLAN100 traffic to the internet through the VPS. This was not functioning correctly. (Now I understand it was my wireguard config that was incorrect.)

So with wireguard config changed, I re-added my VRF and added my default gateway to my routing table:
/ip vrf add interfaces=wireguard1,VL100_WIREGUARD name=vrf_earthcloud

/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1@vrf_earthcloud pref-src="" routing-table=vrf_earthcloud scope=30 suppress-hw-offload=no target-scope=10
And now VLAN100 has access to the VPS resources and the road warriors, and routes internet traffic via the VPS :-)

With this in place it enabled my new default route in the VRF to function correctly.

Thanks again for all of your help and your time. It was very much appreciated and I learned a lot!
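As an added example (not code from the posts above, from RouterOS or from WireGuard), here is a small Python model of the allowed-address semantics anav lists as points a to d, and of why the 0.0.0.0/0 change made the VRF default route work: an outbound packet is matched against every peer's allowed IPs by longest prefix, and an inbound packet is dropped unless its inner source lies in the sending peer's list. The peer name "Earthcloud", the sample addresses and the multi-peer case are constructed assumptions; the model also covers several peers on one interface, which the thread's wireguard1 does not use.

```python
"""Simulation of WireGuard cryptokey routing (the 'allowed-address' semantics).

Added example for this thread; it is not code from the posts above, from
RouterOS or from WireGuard. The peer name "Earthcloud", the two
allowed-address strings and every packet address below are constructed to
mirror the thread: wireguard1 before and after 0.0.0.0/0 was added.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Peer:
    name: str
    allowed: List[IPv4Network] = field(default_factory=list)

    @classmethod
    def from_allowed_address(cls, name: str, allowed_address: str) -> "Peer":
        # RouterOS writes allowed-address as a comma separated prefix list.
        nets = [ip_network(p.strip()) for p in allowed_address.split(",")]
        return cls(name, nets)


class WireGuardInterface:
    """One wg interface. The allowed IPs of all its peers form a single
    longest-prefix-match table; WireGuard calls this cryptokey routing."""

    def __init__(self, name: str, peers: List[Peer]) -> None:
        self.name = name
        self.peers = peers

    def select_peer(self, dst: str) -> Optional[Peer]:
        """Outbound: the peer whose allowed IPs best cover dst, or None.
        None is what anav's points b and d are about: a destination no peer
        covers is never encrypted, so the router reports 'host unreachable'."""
        dst_ip = ip_address(dst)
        best, best_len = None, -1
        for peer in self.peers:
            for net in peer.allowed:
                if dst_ip in net and net.prefixlen > best_len:
                    best, best_len = peer, net.prefixlen
        return best

    def accept_inbound(self, peer: Peer, src: str) -> bool:
        """Inbound: after decryption the inner source address must lie in the
        sending peer's allowed IPs (anav's point c), else the packet is dropped."""
        src_ip = ip_address(src)
        return any(src_ip in net for net in peer.allowed)


def build_wireguard1(with_default: bool) -> WireGuardInterface:
    """wireguard1 with the Earthcloud peer, before/after adding 0.0.0.0/0."""
    allowed = "10.0.1.0/24,10.0.3.0/24"          # a. wg net, b/c. road warriors
    if with_default:
        allowed += ",0.0.0.0/0"                  # d. Internet via the VPS
    peer = Peer.from_allowed_address("Earthcloud", allowed)
    return WireGuardInterface("wireguard1", [peer])


def check_flows(with_default: bool) -> Dict[str, bool]:
    """The flows the thread discusses, evaluated against one allowed-address list."""
    wg = build_wireguard1(with_default)
    earthcloud = wg.peers[0]
    return {
        # a. the wireguard network itself (the ping test between both ends)
        "ping 10.0.1.10": wg.select_peer("10.0.1.10") is not None,
        # b. a VL100 host reaching a road warrior behind the VPS
        "vl100 -> 10.0.3.5": wg.select_peer("10.0.3.5") is not None,
        # d. the traceroute to 8.8.8.8 from the first post
        "vl100 -> 8.8.8.8": wg.select_peer("8.8.8.8") is not None,
        # c. a road warrior's packet arriving through the VPS
        "inbound src 10.0.3.5": wg.accept_inbound(earthcloud, "10.0.3.5"),
        # an inbound source the peer was never meant to originate (constructed)
        "inbound src 192.168.99.9": wg.accept_inbound(earthcloud, "192.168.99.9"),
    }


if __name__ == "__main__":
    for with_default in (False, True):
        label = "with" if with_default else "without"
        print(f"allowed-address {label} 0.0.0.0/0:")
        for flow, ok in check_flows(with_default).items():
            print(f"  {flow:28} {'pass' if ok else 'DROP'}")
```

Once 0.0.0.0/0 is in the list the inbound check passes for any source, which is anav's "ANY inbound address" point; from then on the wireguard1-forward filter chain in the export, not the peer's allowed-address, is what limits what arrives through the tunnel.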
