aah
newbie
Topic Author
Posts: 27
Joined: Wed Apr 21, 2021 7:37 pm

Wireguard filter rules confusing the heck out of me!

Mon Sep 26, 2022 10:07 am

RB3011, ROS7.5
Hi all,
I am trying to set up WG on my home router so I can connect home via my phone. I have set up both ends on my router and my phone. I can connect home, but as for the traffic traveling through the tunnel I am getting super confused.
/ip firewall filter
add action=accept chain=input comment="Allow traffic thru Home WG interface" \
    log=yes src-address=10.10.35.0/24
add action=accept chain=input comment=\
    "Allow inbound connection to Home WG interface" dst-port=13231 \
    in-interface-list=WAN log=yes protocol=udp
add action=accept chain=input comment="LAN Hosts allowed access to router" \
    src-address-list=allowed_to_router
add action=drop chain=input comment=\
    "DROP Inbound DNS-TCP queries from WAN list" dst-port=53 \
    in-interface-list=WAN protocol=tcp
add action=drop chain=input comment=\
    "DROP Inbound DNS-UDP queries from WAN list" dst-port=53 \
    in-interface-list=WAN protocol=udp
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port scanner detection rule" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop all entries in the port scan list" \
    src-address-list=Port_Scanner
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="Drop Syn flood list" src-address-list=\
    Syn_Flooder
add action=add-src-to-address-list address-list=Spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add spammers to the drop list for 3 hours" connection-limit=30,32 \
    disabled=yes dst-port=25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid [EMAIL] spammers action" \
    disabled=yes dst-port=25,587 protocol=tcp src-address-list=Spammers
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface-list=\
    WAN src-address-list=Bogons
add action=accept chain=input comment=\
    "Defcon - Accept established connections" connection-state=established
add action=accept chain=input comment="Defcon - Accept related connections" \
    connection-state=related
add action=drop chain=forward comment=\
    "Drop ALL invalid packets on all interfaces" connection-state=invalid
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=LAN_Bridge \
    src-address=!10.10.10.0/24
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=input comment="BLOCK ALL ACCESS TO ROUTER" dst-port=\
    8291 protocol=tcp src-address-list=!allowed_to_router
add action=drop chain=input comment=\
    "DROP EVERYTHING ELSE!"
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"
First rule doesn't do anything (no counter). Second rule, if I add Src-address then no traffic travels from my phone through the tunnel unless I disable the DROP rule further down that drops everything not specified above it. If I delete the Src-address in the second rule then WG traffic flow works just fine. Unless there's a bug here, I know I am missing something.
The first rule should allow traffic thru wireguard. The second rule is to allow WG connection to the mikrotik router via port 13231 (as per instructions by Mikrotik on Youtube). As mentioned above the first rule doesn't counter whatsoever whether it's first or second. The second rule breaks if src-address is added. Yes, the src-address on my phone is correct. Can anyone help me out with this please? Thanks a loooot!
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Wireguard filter rules confusing the heck out of me!

Mon Sep 26, 2022 10:48 am

Oh crystal ball, please show this guy's configs, thanks.
 
aah
newbie
Topic Author
Posts: 27
Joined: Wed Apr 21, 2021 7:37 pm

Re: Wireguard filter rules confusing the heck out of me!

Mon Sep 26, 2022 11:05 am

Oh crystal ball, please show this guy's configs, thanks.
Pertinent rules are included. Rest is pretty obvious, no?!
If you intend to relay the sarcasm as you once received in your early days, you best do it elsewhere.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Wireguard filter rules confusing the heck out of me!

Mon Sep 26, 2022 11:10 am

We don't know what those rules do until you provide the other relevant parts of the config, wireguard peers and ip addresses set on interfaces, on both sides.
Oh crystal ball, you disappoint.
Not to mention that your topic is titled WIREGUARD FILTER RULES and you only show us some basic firewall rules that have nothing to do with wireguard.
 
aah
newbie
Topic Author
Posts: 27
Joined: Wed Apr 21, 2021 7:37 pm

Re: Wireguard filter rules confusing the heck out of me!

Mon Sep 26, 2022 11:31 am

We don't know what those rules do until you provide the other relevant parts of the config, wireguard peers and ip addresses set on interfaces, on both sides.
Oh crystal ball, you disappoint.
Not to mention that your topic is titled WIREGUARD FILTER RULES and you only show us some basic firewall rules that have nothing to do with wireguard.
I suggest you go back to read the initial post again. Before you do that, I also suggest you grab yourself a cup of coffee, cuz it must be late wherever you are. Lack of attention is pretty evident.
A. My WG config is pretty straightforward. One "server" with public IP, one road-warrior that actually manages to initiate the P2P connection. IP address of the RW is 10.10.35.x/32, which one could and should extract fairly easily from rule # 2 of the filter rules.
B. Whatever mess I am being confronted with, or have generated for myself, rests within the rules, hence the post's TOPIC. If I disable ONE drop rule, then all is dandy. If I enable it then I have no traffic. Omitting the question is not the same as arriving at an answer! I just want to understand what I am missing and/or doing wrong.
C. If a filter rule (here we go again with that word) should be there, but it doesn't account for anything, then what gives?
D. I have seen far worse posts with much more patient and assistive individuals helping out the poor stuck soul who asked the question. So, I have absolutely no interest in your attitude, nor need your input. I have too much respect for this forum to engage in nonsensories! Hence, carry on. I suggest you join a BMW forum. They seem to be right up your alley.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Wireguard filter rules confusing the heck out of me!

Mon Sep 26, 2022 11:46 am

I suggest you go back to read the initial post again. Before you do that, I also suggest you grab yourself a cup of coffee, cuz it must be late wherever you are. Lack of attention is pretty evident.
A. My WG config is pretty straightforward. One "server" with public IP, one road-warrior that actually manages to initiate the P2P connection. IP address of the RW is 10.10.35.x/32, which one could and should extract fairly easily from rule # 2 of the filter rules.
[...]
RB3011, ROS7.5
Hi all,
I am trying to set up WG on my home router so I can connect home via my phone. I have set up both ends on my router and my phone. I can connect home, but as for the traffic traveling through the tunnel I am getting super confused.
/ip firewall filter
add action=accept chain=input comment="Allow traffic thru Home WG interface" \
    log=yes src-address=10.10.35.0/24
add action=accept chain=input comment=\
    "Allow inbound connection to Home WG interface" dst-port=13231 \
    in-interface-list=WAN log=yes protocol=udp
First rule doesn't do anything (no counter). Second rule, if I add Src-address then no traffic travels from my phone through the tunnel unless I disable the DROP rule further down that drops everything not specified above it. If I delete the Src-address in the second rule then WG traffic flow works just fine. Unless there's a bug here, I know I am missing something.
The first rule should allow traffic thru wireguard. The second rule is to allow WG connection to the mikrotik router via port 13231 (as per instructions by Mikrotik on Youtube). As mentioned above the first rule doesn't counter whatsoever whether it's first or second. The second rule breaks if src-address is added. Yes, the src-address on my phone is correct. Can anyone help me out with this please? Thanks a loooot!
Your 2nd rule doesn't mention any src-address, yet you mention it twice and you seem to think it's the other one, maybe you're the one needing a cup of coffee or two. No wonder you're confused.
Chain input allows access to the router itself from the tunnel, as in if you want to manage the router from the phone via wg, it does NOT allow your packets to get forwarded into other subnets which should be done via, you guessed it, the forward chain.
And again, THIS HAS NOTHING TO DO WITH WIREGUARD but just with your understanding of how a firewall works, it could've been OpenVPN or some other vpn type, same thing.
Change your topic title and try to provide a more complete picture of the puzzle, thanks.
 
aah
newbie
Topic Author
Posts: 27
Joined: Wed Apr 21, 2021 7:37 pm

Re: Wireguard filter rules confusing the heck out of me!  [SOLVED]

Mon Sep 26, 2022 3:46 pm

@Anav OP detailed post:
Assuming one uses a drop all rule at the end of the input and forward chains, one recognizes that we have to create "allow" rules for wireguard traffic. In any Mikrotik device (client or server) and more accurately (local or remote) there are two cases that may occur.
The first is local outbound traffic from an admin, or user or subnet of users to be permitted to enter the tunnel.
The second case is to allow remote inbound traffic from remote users, to access a local server, an entire subnet, the internet, or the MT device for configuration purposes.
The following rules demonstrate the possibilities that exist at both ends of the tunnel:
add action=accept chain=input in-interface=wg-interface-name dst-port=winboxport protocol=tcp src-address=Admin_IP { allows admin to config local router remotely }
add action=accept chain=forward src-address=Subnet out-interface=wg-interface-name { to allow local subnet to enter the wireguard interface }
add action=accept chain=forward in-interface=wg-interface-name dst-address=IPofServer { to allow remote users access to local server } ***
add action=accept chain=forward in-interface=wg-interface-name out-interface-list=WAN { to allow remote users access to local WANIP (internet) } ***

Note1: In the last two examples *** use src-address or src-address-list to refine access to specific users, which may be required for multiple addresses from a peer and multiple peers.
Note2: Ensure Peer Devices software firewalls ( ex. Windows PC ) do not block WG traffic including ICMP.

Explained this very clearly. Thanks as always if and when you see this.
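A small model of how RouterOS picks the firewall chain for a packet, added here as an illustration (it is not code from the thread, from anav's reference, or from MikroTik): it reproduces why the OP's input-chain accept rule never counted for phone-to-LAN traffic, which is the point both Znevna's reply and anav's template above make. The router addresses, the "wg-home" interface name, the assumed forward drop-all and the two sample packets are constructed.

```python
import ipaddress

# Assumed addressing, constructed for this example (not from the thread):
# the router holds 10.10.10.1 on LAN_Bridge and 10.10.35.1 on a WireGuard
# interface named "wg-home"; the phone is 10.10.35.2, a LAN host is 10.10.10.50.
ROUTER_ADDRS = {"10.10.10.1", "10.10.35.1"}

def chain_for(pkt):
    """RouterOS runs packets addressed to the router itself through 'input'
    and packets that merely pass through it through 'forward'."""
    return "input" if pkt["dst"] in ROUTER_ADDRS else "forward"

def rule_matches(rule, pkt):
    """Only the matchers this model needs: src/dst network, in/out interface."""
    for key in ("src", "dst"):
        net = rule.get(key)
        if net and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(net):
            return False
    for key in ("in_if", "out_if"):
        if rule.get(key) and rule[key] != pkt.get(key):
            return False
    return True

def evaluate(rules, pkt):
    """Walk the rules of the packet's chain in order and return
    (verdict, index of the matching rule); that index is the rule whose
    hit counter would increment on the real device."""
    chain = chain_for(pkt)
    for i, rule in enumerate(rules):
        if rule["chain"] == chain and rule_matches(rule, pkt):
            return rule["action"], i
    return "accept", None  # nothing matched: RouterOS lets the packet through

# The OP's input-chain WireGuard rule plus the drop-all at the end of each
# chain that anav's template assumes (the forward drop-all is constructed).
OP_RULES = [
    {"chain": "input", "action": "accept", "src": "10.10.35.0/24"},  # OP rule 1
    {"chain": "input", "action": "drop"},                            # "DROP EVERYTHING ELSE!"
    {"chain": "forward", "action": "drop"},                          # assumed forward drop-all
]
# Same ruleset with anav's forward-chain rule inserted before the forward drop-all:
# "add action=accept chain=forward in-interface=wg-home dst-address=10.10.10.0/24".
FIXED_RULES = OP_RULES[:2] + [
    {"chain": "forward", "action": "accept", "in_if": "wg-home", "dst": "10.10.10.0/24"},
    OP_RULES[2],
]
PHONE_TO_LAN = {"src": "10.10.35.2", "dst": "10.10.10.50", "in_if": "wg-home"}   # constructed
PHONE_TO_ROUTER = {"src": "10.10.35.2", "dst": "10.10.35.1", "in_if": "wg-home"}  # constructed
```

With OP_RULES the phone-to-LAN packet goes to the forward chain, so the input accept rule (index 0) never counts and the forward drop-all wins; with FIXED_RULES the same packet is accepted by anav's forward rule, while phone-to-router traffic still hits the input rule.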
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Wireguard filter rules confusing the heck out of me!

Mon Sep 26, 2022 4:23 pm

D'uh.
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard filter rules confusing the heck out of me!

Mon Sep 26, 2022 4:26 pm

Glad you got it working!!!
This is the reference I refer to...... since I can't keep it all in my head at the same time ;-) - viewtopic.php?t=182340
 
gasbie22
just joined
Posts: 2
Joined: Tue Oct 18, 2022 5:31 pm

Re: Wireguard filter rules confusing the heck out of me!

Sun Oct 23, 2022 4:54 pm

@Anav OP detailed post:
Assuming one uses a drop all rule at the end of the input and forward chains, one recognizes that we have to create "allow" rules for wireguard traffic. In any Mikrotik device (client or server) and more accurately (local or remote) there are two cases that may occur.
The first is local outbound traffic from an admin, or user or subnet of users to be permitted to enter the tunnel.
The second case is to allow remote inbound traffic from remote users, to access a local server, an entire subnet, the internet, or the MT device for configuration purposes.
The following rules demonstrate the possibilities that exist at both ends of the tunnel:
add action=accept chain=input in-interface=wg-interface-name dst-port=winboxport protocol=tcp src-address=Admin_IP { allows admin to config local router remotely }
add action=accept chain=forward src-address=Subnet out-interface=wg-interface-name { to allow local subnet to enter the wireguard interface }
add action=accept chain=forward in-interface=wg-interface-name dst-address=IPofServer { to allow remote users access to local server } ***
add action=accept chain=forward in-interface=wg-interface-name out-interface-list=WAN { to allow remote users access to local WANIP (internet) } ***

Note1: In the last two examples *** use src-address or src-address-list to refine access to specific users, which may be required for multiple addresses from a peer and multiple peers.
Note2: Ensure Peer Devices software firewalls ( ex. Windows PC ) do not block WG traffic including ICMP.

Explained this very clearly. Thanks as always if and when you see this.

So @aah,
How did you fix this to work? Did you get rid of these default rules
/ip firewall filter
add action=accept chain=input comment="Allow traffic thru Home WG interface" log=yes src-address=10.10.35.0/24
add action=accept chain=input comment="Allow inbound connection to Home WG interface" dst-port=13231 in-interface-list=WAN log=yes protocol=udp
AND REPLACE IT WITH
add action=accept chain=input in-interface=wg-interface-name dst-port=winboxport protocol=tcp src-address=Admin_IP { allows admin to config local router remotely }
add action=accept chain=forward src-address=Subnet out-interface=wg-interface-name { to allow local subnet to enter the wireguard interface }
add action=accept chain=forward in-interface=wg-interface-name dst-address=IPofServer { to allow remote users access to local server } ***
add action=accept chain=forward in-interface=wg-interface-name out-interface-list=WAN { to allow remote users access to local WANIP (internet) } ***
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Wireguard filter rules confusing the heck out of me!

Mon Oct 24, 2022 9:52 pm

He somehow managed to learn how a firewall works, by trial and error probably, but still...
 
jmay
Member
Posts: 336
Joined: Tue Jun 23, 2009 8:26 pm

Re: Wireguard filter rules confusing the heck out of me!

Mon Oct 24, 2022 11:44 pm

Why be a dick?
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Wireguard filter rules confusing the heck out of me!

Mon Oct 24, 2022 11:46 pm

Just stating the obvious, don't be mad.
I'm sick of "*something* Wireguard *something*" topics that have nothing to do with Wireguard.
