Does anyone know if they can help me.
I have followed the following youtube video for Mikrotik Wireguard setup: https://www.youtube.com/watch?v=CH10spRyGpU
Essentially he gets you to set up a wireguard server, then a peer, then download wireguard on your remote PC, enter in public key, address, DNS, endpoint, allowedIPs and public key of the mikrotik wireguard.
Then he clicks activate and he is able to ping his server remotely.
However I followed this and it won't work. Also when I click activate on my remote PC I lose internet connection which is not good either.
In the video he mentions you MAY have to add a firewall filter rule. He doesn't show this in the video because not all users will need to add this.
Does anyone know if thats why I can't connect?
I have tried to add a filter rule for DST port 13231 in interface: ether1 which is what my WAN cable is connected to.
Thank you.
Code: Select all
# oct/12/2022 23:26:46 by RouterOS 7.4
# software id = JCY8-AFLA
#
# model = RB2011iL
# serial number = E7DD0F73B4C5
/interface bridge
add admin-mac=DC:2C:6E:4C:59:6F auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether7 ] name=ether7-access
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
use-peer-dns=yes user=eircom
/interface wireguard
add listen-port=13231 mtu=1420 name=Mikrotik-Wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=defconf name=MANAGE
add comment=defconf name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=192.168.88.1 local-address=192.168.89.1 \
remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether7-access list=MANAGE
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireguard peers
add allowed-address=192.168.34.3/32 interface=Mikrotik-Wireguard public-key=\
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.100.1/24 interface=*D network=192.168.100.0
add address=192.XX.XX.1/24 interface=Mikrotik-Wireguard network=192.XX.XX.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.88.232 mac-address=00:21:9B:3C:13:ED server=defconf
add address=192.168.88.231 client-id=1:b4:2e:99:16:e1:d0 comment=\
"Lorcan PC C1" mac-address=B4:2E:99:16:E1:D0 server=defconf
add address=192.168.88.218 client-id=1:0:1f:c1:1c:c9:80 mac-address=\
00:1F:C1:1C:C9:80 server=defconf
add address=192.168.88.216 client-id=1:0:1f:c1:1c:c4:20 mac-address=\
00:1F:C1:1C:C4:20 server=defconf
add address=192.168.88.215 client-id=1:0:1f:c1:1c:c4:1b mac-address=\
00:1F:C1:1C:C4:1B server=defconf
add address=192.168.88.214 client-id=1:0:1f:c1:1c:c4:1c mac-address=\
00:1F:C1:1C:C4:1C server=defconf
add address=192.168.88.213 client-id=1:0:1f:c1:1c:c4:8b mac-address=\
00:1F:C1:1C:C4:8B server=defconf
add address=192.168.88.212 client-id=1:0:1f:c1:1c:c4:91 mac-address=\
00:1F:C1:1C:C4:91 server=defconf
add address=192.168.88.211 client-id=1:0:1f:c1:1c:c9:7b mac-address=\
00:1F:C1:1C:C9:7B server=defconf
add address=192.168.88.209 client-id=1:38:22:e2:9f:d:91 mac-address=\
38:22:E2:9F:0D:91 server=defconf
add address=192.168.88.207 client-id=1:0:1f:c1:1c:c4:90 mac-address=\
00:1F:C1:1C:C4:90 server=defconf
add address=192.168.88.206 client-id=1:0:1f:c1:1c:c4:8d mac-address=\
00:1F:C1:1C:C4:8D server=defconf
add address=192.168.88.205 client-id=1:0:1f:c1:1c:c4:8f mac-address=\
00:1F:C1:1C:C4:8F server=defconf
add address=192.168.88.204 client-id=1:0:1f:c1:1c:c4:92 mac-address=\
00:1F:C1:1C:C4:92 server=defconf
add address=192.168.88.203 client-id=1:0:1f:c1:1c:c4:89 mac-address=\
00:1F:C1:1C:C4:89 server=defconf
add address=192.168.88.202 client-id=1:0:1f:c1:1c:c4:1e comment=\
"lorcan phone" mac-address=00:1F:C1:1C:C4:1E server=defconf
add address=192.168.88.201 client-id=1:0:1f:c1:1c:c4:22 mac-address=\
00:1F:C1:1C:C4:22 server=defconf
add address=192.168.88.200 client-id=1:0:1f:c1:1c:c4:8c mac-address=\
00:1F:C1:1C:C4:8C server=defconf
add address=192.168.88.199 client-id=1:0:1f:c1:1c:c4:1f mac-address=\
00:1F:C1:1C:C4:1F server=defconf
add address=192.168.88.198 client-id=1:0:1f:c1:1c:c4:23 mac-address=\
00:1F:C1:1C:C4:23 server=defconf
add address=192.168.88.196 client-id=1:90:9:d0:0:9:11 mac-address=\
90:09:D0:00:09:11 server=defconf
add address=192.168.88.194 client-id=1:0:11:32:ae:a2:7f mac-address=\
00:11:32:AE:A2:7F server=defconf
add address=192.168.88.165 client-id=1:0:1f:c1:1c:c4:8e mac-address=\
00:1F:C1:1C:C4:8E server=defconf
add address=192.168.88.163 client-id=1:34:f6:2d:89:e4:82 mac-address=\
34:F6:2D:89:E4:82 server=defconf
add address=192.168.88.154 client-id=1:0:1f:c1:1c:c4:8a mac-address=\
00:1F:C1:1C:C4:8A server=defconf
add address=192.168.88.92 client-id=1:b8:ec:a3:fd:1d:1f mac-address=\
B8:EC:A3:FD:1D:1F server=defconf
add address=192.168.88.91 client-id=1:b8:ec:a3:fd:1d:1c mac-address=\
B8:EC:A3:FD:1D:1C server=defconf
add address=192.168.88.192 client-id=1:e0:91:f5:c0:c:88 mac-address=\
E0:91:F5:C0:0C:88 server=defconf
add address=192.168.88.217 client-id=1:ec:8e:b5:d9:d7:82 comment="Joyce PC" \
mac-address=EC:8E:B5:D9:D7:82 server=defconf
add address=192.168.88.27 mac-address=6C:2B:59:E6:FB:01 server=defconf
add address=192.168.88.38 client-id=1:0:11:32:b8:2c:31 comment=\
"Backup server" mac-address=00:11:32:B8:2C:31 server=defconf
add address=192.168.88.48 client-id=1:48:2c:a0:79:49:22 comment=\
"lorcan phone" mac-address=48:2C:A0:79:49:22 server=defconf
add address=192.168.88.104 client-id=1:80:5e:c0:a0:3:a3 comment=\
"W60B DECT Base station" mac-address=80:5E:C0:A0:03:A3 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="Wireguard 13231 port allowed" \
dst-port=13231 in-interface=ether1 protocol=udp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 src-address=\
192.168.88.0/24
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether1 \
to-addresses=XX.XX.XX.XX
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="FreePBX Media UDP" dst-address=\
XX.XX.XX.XX dst-port=2000-65001 protocol=udp to-addresses=192.168.88.27 \
to-ports=2000-65001
add action=dst-nat chain=dstnat comment="FreePBX WebGUI" dst-address=\
XX.XX.XX.XX dst-port=8080 protocol=tcp to-addresses=192.168.88.27 \
to-ports=8080
add action=dst-nat chain=dstnat comment="FreePBX LetsEncrypt" dst-address=\
XX.XX.XX.XX dst-port=80 protocol=tcp to-addresses=192.168.88.194 \
to-ports=80
add action=dst-nat chain=dstnat comment="FreePBX Tunnel TCP" dst-address=\
XX.XX.XX.XX dst-port=5090 protocol=tcp to-addresses=192.168.88.27 \
to-ports=5090
add action=dst-nat chain=dstnat comment="FreePBX SIP TCP" dst-address=\
XX.XX.XX.XX dst-port=5060 protocol=tcp to-addresses=192.168.88.27 \
to-ports=5060
add action=dst-nat chain=dstnat comment="FreePBX SIP TLS" dst-address=\
XX.XX.XX.XX dst-port=5061 protocol=tcp to-addresses=192.168.88.27 \
to-ports=5061
add action=dst-nat chain=dstnat dst-address=XX.XX.XX.XX dst-port=5500-5501 \
protocol=tcp to-addresses=192.168.88.194 to-ports=5500-5501
add action=dst-nat chain=dstnat dst-address=XX.XX.XX.XX dst-port=443 \
protocol=tcp to-addresses=192.168.88.194 to-ports=443
/ip firewall service-port
set sip disabled=yes sip-timeout=59w3d15h
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ppp secret
add name=vpn profile=default-encryption
/system clock
set time-zone-name=Europe/Dublin
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN