d412s
just joined
Topic Author
Posts: 17
Joined: Fri May 08, 2020 1:32 pm
Location: Ukraine

iOS Wireguard access to home network

Thu Sep 08, 2022 10:44 pm

Hi, everyone!
Is it possible that something is wrong with these instructions, or maybe something is missing?
https://youtu.be/vn9ky7p5ESM

Or maybe I'm already tired and don't see the mistake.
It seems that I configured everything: I can connect on the iPhone and see packets in the firewall rule, but I cannot get access to the home network. For example, I have Pi-hole at address 10.0.0.98 and it isn't displayed; the same for the home NAS.
(attachment: Screenshot_4.png)
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: iOS Wireguard access to home network

Thu Sep 08, 2022 10:47 pm

Post your complete MikroTik config please.
/export (don't show the serial number or any public WAN IP info).

The picture of your WireGuard iOS settings seems fine, but we need the details of the MT config, not pictures.
I am sure it will be an easy fix once we have a look.
 
d412s
just joined
Topic Author
Posts: 17
Joined: Fri May 08, 2020 1:32 pm
Location: Ukraine

Re: iOS Wireguard access to home network

Thu Sep 08, 2022 10:50 pm

Post your complete MikroTik config please.
/export (don't show the serial number or any public WAN IP info).

The picture of your WireGuard iOS settings seems fine, but we need the details of the MT config, not pictures.
I am sure it will be an easy fix once we have a look.
Thanks, a few minutes and I will add it.
 
d412s
just joined
Topic Author
Posts: 17
Joined: Fri May 08, 2020 1:32 pm
Location: Ukraine

Re: iOS Wireguard access to home network

Thu Sep 08, 2022 11:06 pm

Here it is.
/export 
# sep/08/2022 22:47:47 by RouterOS 7.5
#
# model = RB5009UG+S+
/interface bridge
add admin-mac=DA:2A:6A:AA:A6:AA auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=Internet
set [ find default-name=ether2 ] comment="TP-LINK TL-SG105"
/interface wireguard
add listen-port=16236 mtu=1420 name=wireguard_home
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add name=peer1 passive=yes
/ip pool
add name=default-dhcp ranges=10.0.0.10-10.0.0.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=22h10m name=defconf
/system logging action
set 0 memory-lines=100
set 1 disk-file-count=1 disk-lines-per-file=100
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
    ord,web,sniff,sensitive,api,romon,dude,rest-api"
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set tcp-syncookies=yes
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard_home list=LAN
/interface wireguard peers
add allowed-address=10.10.0.2/32 interface=wireguard_home persistent-keepalive=\
    30s public-key="WDj9z4OxMHeNzah6cZxsuXsByAAq7KxD+YJLqwFFLUo="
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge network=10.0.0.0
add address=10.10.0.1/24 interface=wireguard_home network=10.10.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add add-default-route=special-classless comment=defconf interface=ether1 \
    use-peer-dns=no
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf dns-server=10.0.0.1 gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes servers=10.0.0.99,1.1.1.1,8.8.8.8 \
    verify-doh-cert=yes
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add list=ddos-attackers
add list=ddos-target
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
/ip firewall filter
add action=accept chain=input comment="allow Wireguard" dst-port=16236 \
    in-interface=ether1 protocol=udp
add action=accept chain=input comment="allow Wireguard traffic" \
    src-address-list=10.0.10.0/24,10.0.0.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    protocol=icmp
add action=return chain=detect-ddos comment="Protection against DDoS" \
    dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target \
    address-list-timeout=10m chain=detect-ddos comment=\
    "Protection against DDoS"
add action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=10m chain=detect-ddos comment=\
    "Protection against DDoS"
add action=return chain=detect-ddos comment="SYN-ACK Flood" dst-limit=\
    32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=12h chain=input comment="Port Scanners" \
    in-interface-list=WAN protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=Blocked_IP \
    address-list-timeout=8h chain=input comment=Block_IP dst-port=\
    0,20-23,98,137,138,515,2000,3306,3389,5800,5900,8888 in-interface-list=WAN \
    protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes ipsec-policy=\
    in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat src-address=10.0.0.0/24
add action=masquerade chain=srcnat src-address=10.10.0.0/24

/ip firewall raw
add action=drop chain=prerouting src-address-list="Port Scanners"
add action=drop chain=prerouting src-address-list=Blocked_IP
add action=drop chain=prerouting dst-address-list=ddos-target src-address-list=\
    ddos-attackers
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp \
    src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" dst-address=10.0.0.0/24 \
    in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" in-interface-list=LAN \
    src-address=!10.0.0.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
    limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=\
    3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=\
    3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
    icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=\
    3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
    icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
    5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
    11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
/ip firewall service-port
set ftp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.0.0/24
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.88.0/24,10.0.0.0/24
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Kiev
/system routerboard settings
set auto-upgrade=yes cpu-frequency=1400MHz silent-boot=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: iOS Wireguard access to home network  [SOLVED]

Fri Sep 09, 2022 5:54 am

1 - set this to at least LAN.
/ip neighbor discovery-settings
set discover-interface-list=none

2 - set this to none, known to be problematic and not understood in general.
/interface detect-internet
set detect-interface-list=all

3 - PROBLEM: Not sure of your intent here.......... other than that clearly you want to be able to configure the router with access to the input chain. Correct???
add action=accept chain=input comment="allow Wireguard traffic" \
src-address-list=10.0.10.0/24,10.0.0.0/24


I was expecting simply:
add action=accept chain=input comment="allow admin to access Router via Wireguard" \
src-address-list=10.0.10.0/24
( you could also add in-interface=wireguard_home to be more granular/explicit/accurate )

Why are you giving your entire local LAN SUBNET access to configure the router?
Nothing wrong with that, as it's part of the common default firewall rule set, which is already covered, but the line comment implies it's for wireguard access.

Also, only the initial connection establishment line is typically before the default rules, which is fine BUT......... I suggest that the access to the router through wireguard be AFTER the accept ICMP rule.............

4 - Also the format is WRONG!!

You can either use one source address or you can use a destination address list, but not in the way you have done..............rather amusing actually.

Your rule should look like so......
............... accept ICMP RULE............
add action=accept chain=input comment="allow admin to access Router via Wireguard and LAN access to router services" \
src-address-list=RouterAccess


Where you create a destination firewall address list
add address=10.10.0.2 list=RouterAccess
add address=10.0.0.0/24 list=RouterAccess

.........etc

HOWEVER later on in the input chain rules you have the default rule.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN

Since you have defined the wireguard_home interface to be part of the LAN, it may very well be that you don't even need the allow source address rule specifically for wireguard in reality.
However, it's better to be clear and direct in what's allowed, for yourself and the reader.

In fact, I usually get rid of this default LAN rule and change it to allow access to DNS (and NTP if required for LAN users), but only after giving the admin access by his/her LAN IP address, similar to how wireguard admin access is done, but same same for the local LAN. Only after doing that, and giving LAN users access to router services only, do I put in a last input rule which is basically drop everything else.


5 - Get rid of this bloated crap, not going to do anything for you and makes your config much harder to read and troubleshoot.... simplicity and efficiency are keys to a base config........
add action=return chain=detect-ddos comment="Protection against DDoS" \
dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target \
address-list-timeout=10m chain=detect-ddos comment=\
"Protection against DDoS"
add action=add-src-to-address-list address-list=ddos-attackers \
address-list-timeout=10m chain=detect-ddos comment=\
"Protection against DDoS"
add action=return chain=detect-ddos comment="SYN-ACK Flood" dst-limit=\
32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack
add action=add-src-to-address-list address-list="Port Scanners" \
address-list-timeout=12h chain=input comment="Port Scanners" \
in-interface-list=WAN protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=Blocked_IP \
address-list-timeout=8h chain=input comment=Block_IP dst-port=\
0,20-23,98,137,138,515,2000,3306,3389,5800,5900,8888 in-interface-list=WAN \
protocol=tcp


6 - WHY do you provide an extra source NAT line for the local LAN? It's already covered by the default rule with out-interface-list=WAN.
Also I would have to check, but since the wireguard interface is considered part of the LAN interface, I'm assuming that traffic would be covered too?
I would test this once you have a good solid working connection: disable the rule and see if things still work.

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
add action=masquerade chain=srcnat src-address=10.0.0.0/24
add action=masquerade chain=srcnat src-address=10.10.0.0/24


7 - Round two, get rid of these bloated rules that will get in the way of a functioning config with unnecessary added complexity and no real gain in performance.
/ip firewall raw
add action=drop chain=prerouting src-address-list="Port Scanners"
add action=drop chain=prerouting src-address-list=Blocked_IP
add action=drop chain=prerouting dst-address-list=ddos-target src-address-list=\
ddos-attackers
add action=accept chain=prerouting comment=\
"defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp \
src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
"defconf: drop forward to local lan from WAN" dst-address=10.0.0.0/24 \
in-interface-list=WAN
add action=drop chain=prerouting comment=\
"defconf: drop local if not from default IP range" in-interface-list=LAN \
src-address=!10.0.0.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
"defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
"defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=\
3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=\
3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=\
3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp


8 - NO IP ROUTES VISIBLE so not able to comment on a key part of any wireguard config..........
You should have connectivity from LAN to WAN for the wireguard implicitly, because there doesn't appear to be anything blocking such traffic.

Since you have a Wireguard address, the router dynamically should know that return traffic for 10.10.0.2 should go back through the wireguard tunnel because this route will exist on your router.
<DAC> dst-address=10.10.0.0/24 interface=wireguard_home table=main

9 - This needs to be fixed to LAN
/tool mac-server mac-winbox
set allowed-interface-list=none

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

In summary, for wireguard,
a. fix the input chain rule for wireguard as the format is incorrect, either use a proper destination address list format or create two rules (each with src-address=).
b. Add LAN to neighbour discovery

If you have success, then remove the src-nat rule for 10.10.0.2 and still see if your connection works as desired.
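As an added example, not code from the thread or from MikroTik: a small Python linter for the mistake anav points out in items 3 and 4, namely that `src-address-list` and `dst-address-list` take the name of a list defined under `/ip firewall address-list`, not addresses. It joins the export's backslash continuations, parses each `add` line, flags list fields that hold literal prefixes or that name a list never defined, and, as an extra check the thread does not raise (a heuristic, assumed here), reports a rule whose comment mentions WireGuard but whose addresses cover none of the peers' `allowed-address` values. The export excerpt it runs on is constructed from the thread's config, with the public key replaced by a placeholder and `no_forward_ipv4` deliberately left undefined.

```python
import ipaddress
import shlex

# Constructed excerpt modelled on the export in the thread (hypothetical, trimmed):
# the public key is a placeholder and no_forward_ipv4 is left undefined on purpose.
SAMPLE_EXPORT = """\
/interface wireguard peers
add allowed-address=10.10.0.2/32 interface=wireguard_home persistent-keepalive=\\
    30s public-key="PUBLIC_KEY_PLACEHOLDER="
/ip firewall address-list
add address=10.10.0.2 list=RouterAccess
add address=10.0.0.0/24 list=RouterAccess
/ip firewall filter
add action=accept chain=input comment="allow Wireguard traffic" \\
    src-address-list=10.0.10.0/24,10.0.0.0/24
add action=accept chain=input comment="admin via Wireguard and LAN" \\
    src-address-list=RouterAccess
add action=drop chain=forward comment="defconf: drop bad forward IPs" \\
    src-address-list=no_forward_ipv4
"""

RULE_SECTIONS = ("/ip firewall filter", "/ip firewall raw", "/ip firewall nat", "/ip firewall mangle")

def _join_continuations(text):
    """Merge export lines that end in a backslash with the line that follows."""
    out, buf = [], None
    for raw in text.splitlines():
        line = raw if buf is None else buf + raw.lstrip()
        if line.endswith("\\"):
            buf = line[:-1]
        else:
            out.append(line)
            buf = None
    if buf is not None:
        out.append(buf)
    return out

def parse_export(text):
    """Return {section: [entry, ...]}; each entry maps key -> value of one add/set line."""
    sections, section = {}, None
    for line in _join_continuations(text):
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line.strip()
            sections.setdefault(section, [])
            continue
        tokens = shlex.split(line)  # honours "quoted values"
        if section is None or not tokens or tokens[0] not in ("add", "set"):
            continue
        entry = {}
        for tok in tokens[1:]:
            key, sep, val = tok.partition("=")
            if sep:
                entry[key] = val
        sections[section].append(entry)
    return sections

def _prefixes(value):
    """Parse 'a.b.c.d/n,e.f.g.h' into networks; None if any part is not an address."""
    nets = []
    for part in value.split(","):
        try:
            nets.append(ipaddress.ip_network(part, strict=False))
        except ValueError:
            return None
    return nets

def lint_address_lists(text):
    """Return (rule comment, field, kind, detail) for each address-list problem found."""
    sections = parse_export(text)
    lists = {}
    for e in sections.get("/ip firewall address-list", []):
        if "list" in e and "address" in e:
            lists.setdefault(e["list"], []).extend(_prefixes(e["address"]) or [])
    peers = [n for e in sections.get("/interface wireguard peers", [])
             for n in _prefixes(e.get("allowed-address", "")) or []]
    findings = []
    for section in RULE_SECTIONS:
        for rule in sections.get(section, []):
            comment = rule.get("comment", "")
            for field in ("src-address-list", "dst-address-list"):
                if field not in rule:
                    continue
                name = rule[field].lstrip("!")  # a leading '!' negates the match
                literal = _prefixes(name)
                if literal:  # addresses written where a list *name* belongs
                    findings.append((comment, field, "literal-addresses", name))
                    covered = literal
                elif name in lists:
                    covered = lists[name]
                else:
                    findings.append((comment, field, "undefined-list", name))
                    covered = []
                # Extra heuristic (assumption): a src rule whose comment mentions
                # WireGuard should match at least one peer's allowed-address.
                if field == "src-address-list" and "wireguard" in comment.lower():
                    if peers and not any(p.version == c.version and p.subnet_of(c)
                                         for p in peers for c in covered):
                        findings.append((comment, field, "no-peer-coverage", name))
    return findings
```

Feed a real `/export` file's contents to `lint_address_lists` to run it on your own router. On the constructed excerpt the rule from item 3 produces two findings (literal addresses in the list field, and no peer covered), and replacing its value with `RouterAccess`, anav's fix, clears both; the `no_forward_ipv4` finding remains only because the excerpt omits that list.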
 
d412s
just joined
Topic Author
Posts: 17
Joined: Fri May 08, 2020 1:32 pm
Location: Ukraine

Re: iOS Wireguard access to home network

Fri Sep 09, 2022 6:02 pm

1 - set this to at least LAN.
/ip neighbor discovery-settings
set discover-interface-list=none

2 - set this to none, known to be problematic and not understood in general.
/interface detect-internet
set detect-interface-list=all

3 - PROBLEM: Not sure of your intent here.......... other than that clearly you want to be able to configure the router with access to the input chain. Correct???
add action=accept chain=input comment="allow Wireguard traffic" \
src-address-list=10.0.10.0/24,10.0.0.0/24


I was expecting simply:
add action=accept chain=input comment="allow admin to access Router via Wireguard" \
src-address-list=10.0.10.0/24
( you could also add in-interface=wireguard_home to be more granular/explicit/accurate )

Why are you giving your entire local LAN SUBNET access to configure the router?
Nothing wrong with that, as it's part of the common default firewall rule set, which is already covered, but the line comment implies it's for wireguard access.

Also, only the initial connection establishment line is typically before the default rules, which is fine BUT......... I suggest that the access to the router through wireguard be AFTER the accept ICMP rule.............

4 - Also the format is WRONG!!

You can either use one source address or you can use a destination address list, but not in the way you have done..............rather amusing actually.

Your rule should look like so......
............... accept ICMP RULE............
add action=accept chain=input comment="allow admin to access Router via Wireguard and LAN access to router services" \
src-address-list=RouterAccess


Where you create a destination firewall address list
add address=10.10.0.2 list=RouterAccess
add address=10.0.0.0/24 list=RouterAccess

.........etc

HOWEVER later on in the input chain rules you have the default rule.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN

Since you have defined the wireguard_home interface to be part of the LAN, it may very well be that you don't even need the allow source address rule specifically for wireguard in reality.
However, it's better to be clear and direct in what's allowed, for yourself and the reader.

In fact, I usually get rid of this default LAN rule and change it to allow access to DNS (and NTP if required for LAN users), but only after giving the admin access by his/her LAN IP address, similar to how wireguard admin access is done, but same same for the local LAN. Only after doing that, and giving LAN users access to router services only, do I put in a last input rule which is basically drop everything else.


5 - Get rid of this bloated crap, not going to do anything for you and makes your config much harder to read and troubleshoot.... simplicity and efficiency are keys to a base config........
add action=return chain=detect-ddos comment="Protection against DDoS" \
dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target \
address-list-timeout=10m chain=detect-ddos comment=\
"Protection against DDoS"
add action=add-src-to-address-list address-list=ddos-attackers \
address-list-timeout=10m chain=detect-ddos comment=\
"Protection against DDoS"
add action=return chain=detect-ddos comment="SYN-ACK Flood" dst-limit=\
32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack
add action=add-src-to-address-list address-list="Port Scanners" \
address-list-timeout=12h chain=input comment="Port Scanners" \
in-interface-list=WAN protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=Blocked_IP \
address-list-timeout=8h chain=input comment=Block_IP dst-port=\
0,20-23,98,137,138,515,2000,3306,3389,5800,5900,8888 in-interface-list=WAN \
protocol=tcp


6 - WHY do you provide an extra source NAT line for the local LAN? It's already covered by the default rule with out-interface-list=WAN.
Also I would have to check, but since the wireguard interface is considered part of the LAN interface, I'm assuming that traffic would be covered too?
I would test this once you have a good solid working connection: disable the rule and see if things still work.

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
add action=masquerade chain=srcnat src-address=10.0.0.0/24
add action=masquerade chain=srcnat src-address=10.10.0.0/24


7 - Round two, get rid of these bloated rules that will get in the way of a functioning config with unnecessary added complexity and no real gain in performance.
/ip firewall raw
add action=drop chain=prerouting src-address-list="Port Scanners"
add action=drop chain=prerouting src-address-list=Blocked_IP
add action=drop chain=prerouting dst-address-list=ddos-target src-address-list=\
ddos-attackers
add action=accept chain=prerouting comment=\
"defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp \
src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
"defconf: drop forward to local lan from WAN" dst-address=10.0.0.0/24 \
in-interface-list=WAN
add action=drop chain=prerouting comment=\
"defconf: drop local if not from default IP range" in-interface-list=LAN \
src-address=!10.0.0.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
"defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
"defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=\
3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=\
3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=\
3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp


8 - NO IP ROUTES VISIBLE, so I am not able to comment on a key part of any wireguard config..........
You should have connectivity from LAN to WAN for the wireguard implicitly, because there doesn't appear to be anything blocking such traffic.

Since you have a Wireguard address, the router should dynamically know that return traffic for 10.10.0.2 should go back through the wireguard tunnel, because this route will exist on your router.
<DAC> dst-address=10.10.0.0/24 interface=wireguard_home table=main

9 - This needs to be fixed to LAN
/tool mac-server mac-winbox
set allowed-interface-list=none

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

In summary, for wireguard,
a. fix the input chain rule for wireguard as the format is incorrect, either use a proper destination address list format or create two rules (each with src-address=).
b. Add LAN to neighbour discovery

If you have success, then remove the src-nat rule for 10.10.0.2 and still see if your connection works as desired.
Thank you, I applied everything you mentioned, also created the connection from scratch, and was able to connect from iPhone (LTE) to the home network and get access to all the resources I have locally.

Only one problem I still have: the following rule shows 0 connections
add action=accept chain=input comment="allow Wireguard traffic" src-address-list=10.0.10.0/24,10.0.0.0/24
And when I enable the wireguard tunnel on iPhone, I can not open any external resources on the iPhone, for example google.com. Probably I need some extra firewall rule: all traffic should be going to the home router, because I use 0.0.0.0/0 in the tunnel settings, but probably my router did not give me access to the outside.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: iOS Wireguard access to home network

Fri Sep 09, 2022 6:36 pm

Only one problem I still have: the following rule shows 0 connections
add action=accept chain=input comment="allow Wireguard traffic" src-address-list=10.0.10.0/24,10.0.0.0/24
And when I enable the wireguard tunnel on iPhone, I can not open any external resources on the iPhone, for example google.com. Probably I need some extra firewall rule: all traffic should be going to the home router, because I use 0.0.0.0/0 in the tunnel settings, but probably my router did not give me access to the outside.

It remains "0" because chain=INPUT and this is not going to work here.
This WG traffic flows THROUGH the router (either to some stations on the LAN or out to the Internet), so you must use the FORWARD chain.
 
d412s
just joined
Topic Author
Posts: 17
Joined: Fri May 08, 2020 1:32 pm
Location: Ukraine

Re: iOS Wireguard access to home network

Fri Sep 09, 2022 6:57 pm

Only one problem I still have: the following rule shows 0 connections
add action=accept chain=input comment="allow Wireguard traffic" src-address-list=10.0.10.0/24,10.0.0.0/24
And when I enable the wireguard tunnel on iPhone, I can not open any external resources on the iPhone, for example google.com. Probably I need some extra firewall rule: all traffic should be going to the home router, because I use 0.0.0.0/0 in the tunnel settings, but probably my router did not give me access to the outside.

It remains "0" because chain=INPUT and this is not going to work here.
This WG traffic flows THROUGH the router (either to some stations on the LAN or out to the Internet), so you must use the FORWARD chain.
Just change input to forward, or do I have to add some additional rules?
add action=accept chain=forward comment="allow Wireguard traffic" src-address-list=10.0.10.0/24,10.0.0.0/24
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: iOS Wireguard access to home network

Fri Sep 09, 2022 7:07 pm

Only one problem I still have: the following rule shows 0 connections
add action=accept chain=input comment="allow Wireguard traffic" src-address-list=10.0.10.0/24,10.0.0.0/24
And when I enable the wireguard tunnel on iPhone, I can not open any external resources on the iPhone, for example google.com. Probably I need some extra firewall rule: all traffic should be going to the home router, because I use 0.0.0.0/0 in the tunnel settings, but probably my router did not give me access to the outside.

It remains "0" because chain=INPUT and this is not going to work here.
This WG traffic flows THROUGH the router (either to some stations on the LAN or out to the Internet), so you must use the FORWARD chain.
Just change input to forward, or do I have to add some additional rules?
add action=accept chain=forward comment="allow Wireguard traffic" src-address-list=10.0.10.0/24,10.0.0.0/24
Changing to FORWARD should be OK.
What about DNS? What DNS setting is your iPhone using? Maybe your problem accessing www.google.com might be resolving.....
It seems you already had a NAT rule, so packets from the Wireguard range 10.0.10.0/24 should be allowed out and will be NAT'ed correctly.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: iOS Wireguard access to home network

Fri Sep 09, 2022 7:31 pm

Post your latest updated config please......
 
d412s
just joined
Topic Author
Posts: 17
Joined: Fri May 08, 2020 1:32 pm
Location: Ukraine

Re: iOS Wireguard access to home network

Fri Sep 09, 2022 9:40 pm


Just change input to forward, or do I have to add some additional rules?
add action=accept chain=forward comment="allow Wireguard traffic" src-address-list=10.0.10.0/24,10.0.0.0/24
Changing to FORWARD should be OK.
What about DNS? What DNS setting is your iPhone using? Maybe your problem accessing www.google.com might be resolving.....
It seems you already had a NAT rule, so packets from the Wireguard range 10.0.10.0/24 should be allowed out and will be NAT'ed correctly.
According to the official instruction I mentioned in the first post ( https://youtu.be/vn9ky7p5ESM ) I added DNS as recommended, in my case 10.0.10.1, and you are right: I just changed it to 8.8.8.8 and was able to have access to the home network + internet.

But the forward rule is still empty anyway; I don't care anymore, because everything works.
Also, I noticed that when I use wireguard, even when connected to wi-fi (I have a UniFi 6 Lite AP), I get 235Mbps, while without wireguard almost 400Mbps.
Post your latest updated config please......
I decided to leave my two rules for Port Scanners and Block IP, otherwise I will always have ports 80 and 443 open:
/export 
# sep/09/2022 21:31:29 by RouterOS 7.5
# model = RB5009UG+S+
/interface bridge
add admin-mac=DA:2A:6A:AA:A6:AA auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=Internet
set [ find default-name=ether2 ] comment="TP-LINK TL-SG105"
/interface wireguard
add listen-port=21123 mtu=1420 name=wireguard_home
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add name=peer1 passive=yes
/ip pool
add name=default-dhcp ranges=10.0.0.10-10.0.0.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=22h10m name=defconf
/queue simple
add disabled=yes name=nas target=10.0.0.8/32
/system logging action
set 0 memory-lines=100
set 1 disk-file-count=1 disk-lines-per-file=100
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
    ord,web,sniff,sensitive,api,romon,dude,rest-api"
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set tcp-syncookies=yes
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=10.0.10.2/32 interface=wireguard_home public-key=\
    "SOME_KEY"
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge network=10.0.0.0
add address=10.0.10.1/24 interface=wireguard_home network=10.0.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add add-default-route=special-classless comment=defconf interface=ether1 \
    use-peer-dns=no

/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf dns-server=10.0.0.1 gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes servers=10.0.0.99,1.1.1.1,8.8.8.8 \
    verify-doh-cert=yes
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="allow Wireguard" dst-port=21123 \
    in-interface=ether1 protocol=udp
add action=accept chain=input comment="allow Wireguard traffic" \
    src-address-list=10.0.10.0/24,10.0.0.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    disabled=yes protocol=icmp
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=12h chain=input comment="Port Scanners" \
    in-interface-list=WAN protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=Blocked_IP \
    address-list-timeout=8h chain=input comment=Block_IP dst-port=\
    0,20-23,98,137,138,515,2000,3306,3389,5800,5900,8888 in-interface-list=WAN \
    protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="allow Wireguard traffic" \
    src-address-list=10.0.10.0/24,10.0.0.0/24
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat src-address=10.0.0.0/24
add action=masquerade chain=srcnat src-address=10.10.0.0/24
/ip firewall raw
add action=drop chain=prerouting src-address-list="Port Scanners"
add action=drop chain=prerouting src-address-list=Blocked_IP
/ip firewall service-port
set ftp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.0.0/24
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.88.0/24,10.0.0.0/24
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=Europe/Kiev
/system routerboard settings
set auto-upgrade=yes cpu-frequency=1400MHz silent-boot=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

I just added a few rules and removed them from RAW.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: iOS Wireguard access to home network

Fri Sep 09, 2022 9:55 pm

Since it seems I am not getting through, this will be my last post in this thread.
(1) FROM:
/ip firewall filter
add action=accept chain=input comment="allow Wireguard" dst-port=21123 \
in-interface=ether1 protocol=udp
add action=accept chain=input comment="allow Wireguard traffic" \
src-address-list=10.0.10.0/24,10.0.0.0/24

TO
/ip firewall filter
add action=accept chain=input comment="allow Wireguard traffic" \
src-address=10.0.10.0/24

The LAN subnet has nothing to do with wireguard access to the router for config purposes.
LAN users have access to the router for services and access to the router for config purposes by this rule.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN


As already stated, there is no such format as dst-address-list=x,y,z;
it's dst-address-list=LIST_NAME, where one defines what is on the list, in this case x,y,z.
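As an added example (not configuration from anyone in this thread), this is the named address-list form anav describes, together with the input versus forward distinction jvanhambelgium raised and a counter check; the list name WG_CLIENTS and the rule comments are assumptions, the 10.0.10.0/24 subnet is the one from the posted export.

```routeros
# Added example. An address list is referenced by name; subnets are members of
# the list, not an inline "x,y,z" in the rule. List name WG_CLIENTS is assumed.
/ip firewall address-list
add list=WG_CLIENTS address=10.0.10.0/24 comment="WireGuard tunnel subnet"

/ip firewall filter
# Input chain: only packets addressed TO the router itself (its DNS on
# 10.0.10.1, WinBox) are counted here. Placed before the default
# "drop all not coming from LAN" so WireGuard peers are not dropped there.
add chain=input action=accept src-address-list=WG_CLIENTS \
    comment="allow WireGuard peers to router" \
    place-before=[find chain=input comment="defconf: drop all not coming from LAN"]

# Forward chain: traffic passing THROUGH the router (LAN hosts, Internet)
# is counted here, never in input. Placed before the forward "drop invalid".
add chain=forward action=accept src-address-list=WG_CLIENTS \
    comment="allow WireGuard peers through router" \
    place-before=[find chain=forward comment="defconf: drop invalid"]

# Check: with the phone connected and browsing, the first packet of every new
# connection should raise the forward rule's counters; router-bound DNS
# queries should raise the input rule's counters.
/ip firewall filter print stats where comment~"WireGuard peers"
```

If the forward counter stays at zero while the tunnel works, the fasttrack and established/related rules above it are absorbing everything after the first packet, which is expected.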
 
d412s
just joined
Topic Author
Posts: 17
Joined: Fri May 08, 2020 1:32 pm
Location: Ukraine

Re: iOS Wireguard access to home network

Fri Sep 09, 2022 10:03 pm

Since it seems I am not getting through, this will be my last post in this thread.
(1) FROM:
/ip firewall filter
add action=accept chain=input comment="allow Wireguard" dst-port=21123 \
in-interface=ether1 protocol=udp
add action=accept chain=input comment="allow Wireguard traffic" \
src-address-list=10.0.10.0/24,10.0.0.0/24

TO
/ip firewall filter
add action=accept chain=input comment="allow Wireguard traffic" \
src-address=10.0.10.0/24

The LAN subnet has nothing to do with wireguard access to the router for config purposes.
LAN users have access to the router for services and access to the router for config purposes by this rule.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN


As already stated, there is no such format as dst-address-list=x,y,z;
it's dst-address-list=LIST_NAME, where one defines what is on the list, in this case x,y,z.
But I changed this rule to
/ip firewall filter
add action=accept chain=input comment="allow Wireguard traffic" \
src-address=10.0.10.0/24
Nothing changed, still 0 Bytes and 0 Packets.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: iOS Wireguard access to home network

Fri Sep 09, 2022 11:20 pm

It should also be placed after the accepted rule..................
In any case, good luck! I use my iPhone to access the config of any MikroTik device on my network, using wireguard for security and the iOS MT app for config; it's like winbox.
