pwac092 (topic author)

Wireguard bidirectionality

Wed Nov 16, 2022 5:06 pm

Good morning!

After a lot of help from you guys here I've managed to get wireguard rolling (viewtopic.php?p=964572#p964572). Things are really looking up and I feel I am close to my goal.

Now, my new question is about persistence of the connection.

I am running a remote backup machine running a vanilla debian 11.5. I want to push my backup to this remote location through the wireguard tunnel.

So, the topology is:

Home peer, mikrotik hAP ac³ [public fixed IP address] [local network 88.0] ----- Internet ----- Remote peer, debian 11.5 [non fixed ip address] [local network 100.0]

And logically, after setting up the wireguard tunnel

Home peer wg peer ip [192.168.89.1] -------------------Wireguard---------------- Remote peer wg peer ip [192.168.89.2]

The tunnel seems to work. My router shows activity in the interface for the remote peer, and I am able to access the remote peer's default web server (port 80). I am, however, unable to ping, and unable to ssh into it. Naturally, pushing through rsync does not work either. I am confident this is a problem with my firewall settings, but am just not able to get it right and would really appreciate your help.

Full config:
/interface bridge
add name=bridge_casa
add name=bridge_domotica
add admin-mac=DC:2C:6E:14:DE:91 auto-mac=no comment=defconf name=\
    bridge_oficina
/interface wireguard
add listen-port=13231 mtu=1420 name=wg_oveta
/interface vlan
add interface=ether2 name=vlan50_ether4 vlan-id=50
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=perfil_casa supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=perfil_domotica supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto mode=ap-bridge \
    security-profile=perfil_casa ssid=oficina wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac \
    channel-width=20/40/80mhz-XXXX country=paraguay disabled=no distance=\
    indoors frequency=auto mode=ap-bridge security-profile=perfil_casa ssid=\
    oficina wireless-protocol=802.11
add disabled=no mac-address=DE:2C:6E:14:DE:97 master-interface=wlan2 name=\
    wlan_casa_5 security-profile=perfil_casa ssid=CASA2 wds-default-bridge=\
    bridge_oficina wps-mode=disabled
add disabled=no mac-address=DE:2C:6E:14:DE:96 master-interface=wlan1 name=\
    wlan_casa_24 security-profile=perfil_casa ssid=CASA2 wds-default-bridge=\
    bridge_oficina wps-mode=disabled
add disabled=no mac-address=DE:2C:6E:14:DE:95 master-interface=wlan1 name=\
    wlan_domotica security-profile=perfil_domotica ssid=domotica \
    wds-default-bridge=bridge_oficina wps-mode=disabled
/interface vlan
add interface=wlan_domotica name=vlan10_domotica vlan-id=10
add interface=wlan2 name=vlan50_casa_5 vlan-id=50
add interface=wlan1 name=vlan50_casa_24 vlan-id=50
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.254
add name=dhcp_pool_domotica ranges=10.0.0.2-10.0.0.254
add name=dhcp_pool_casa ranges=192.168.1.2-192.168.1.254
add comment="Range of ips for backup vpns" name=vpn-pool ranges=\
    192.168.89.100-192.168.89.254
/ip dhcp-server
add address-pool=dhcp interface=bridge_oficina name=defconf
add address-pool=dhcp_pool_domotica interface=bridge_domotica name=\
    dhcp_domotica
add address-pool=dhcp_pool_casa interface=bridge_casa name=dhcp_casa
/interface bridge port
add bridge=bridge_casa comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge_oficina ingress-filtering=no interface=ether3
add bridge=bridge_domotica ingress-filtering=no interface=ether4
add bridge=bridge_oficina ingress-filtering=no interface=ether5
add bridge=bridge_oficina ingress-filtering=no interface=wlan1
add bridge=bridge_oficina ingress-filtering=no interface=wlan2
add bridge=bridge_domotica ingress-filtering=no interface=vlan10_domotica
add bridge=bridge_domotica ingress-filtering=no interface=wlan_domotica
add bridge=bridge_casa ingress-filtering=no interface=vlan50_casa_5
add bridge=bridge_casa ingress-filtering=no interface=vlan50_casa_24
add bridge=bridge_casa ingress-filtering=no interface=wlan_casa_24
add bridge=bridge_casa ingress-filtering=no interface=wlan_casa_5
add bridge=bridge_domotica ingress-filtering=no interface=vlan50_ether4
/ip neighbor discovery-settings
set discover-interface-list=none
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge_oficina list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wg_oveta list=LAN
/interface ovpn-server server
set auth=sha1,sha256,sha512 certificate=*C cipher=\
    blowfish128,aes128,aes192,aes256 default-profile=default-encryption \
    require-client-certificate=yes
/interface wireguard peers
add allowed-address=192.168.89.51/32 comment="anguja - 192.168.89.51" \
    interface=wg_oveta public-key=\
    "Zke0XuOTuSq="
add allowed-address=192.168.89.2/32 comment="tavai - 192.168.89.2" interface=\
    wg_oveta public-key="xYNYxh8="
add allowed-address=192.168.89.50/32 comment="iphone - 192.168.89.50" \
    interface=wg_oveta public-key=\
    "tezEgxDhAX="
/ip address
add address=192.168.88.1/24 comment="Oficina bridge interface" interface=\
    bridge_oficina network=192.168.88.0
add address=181.XX.YY.ZZ/24 interface=ether1 network=181.XX.YY.0
add address=10.0.0.1/24 interface=bridge_domotica network=10.0.0.0
add address=192.168.1.1/24 interface=bridge_casa network=192.168.1.0
add address=192.168.89.1/24 comment="Oveta Wireguard" interface=wg_oveta \
    network=192.168.89.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1
add address=192.138.1.0/24 gateway=192.138.1.1
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.100.0/24 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=oveta.lan
add address=192.168.88.5 name=mrroboto.lan
add address=192.168.88.6 name=mandua.lan
add address=10.0.0.5 name=dvr.domotica.lan
add address=192.168.89.2 comment=Tavai@joaquin name=tavai.lan
/ip firewall filter
add action=accept chain=input dst-port=13231 protocol=udp
add action=accept chain=input src-address=192.168.89.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix=test
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward in-interface=bridge_casa out-interface=\
    bridge_oficina
add action=drop chain=forward in-interface=bridge_oficina out-interface=\
    bridge_domotica
add action=drop chain=forward in-interface=bridge_domotica out-interface=\
    bridge_casa
add action=drop chain=forward in-interface=bridge_oficina out-interface=\
    bridge_casa
add action=drop chain=forward in-interface=bridge_domotica out-interface=\
    bridge_oficina
add action=drop chain=forward in-interface=bridge_casa out-interface=\
    bridge_domotica
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=\
    "Allow traffic between .89 and .88 nets for Wireguard\
    \n" dst-address=192.168.89.0/24 src-address=192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
    192.168.89.0/24
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment=Dvr dst-address=181.XX.YY.ZZ \
    dst-port=8000 protocol=tcp to-addresses=10.0.0.5 to-ports=8000
add action=dst-nat chain=dstnat comment=Dvr dst-address=181.XX.YY.ZZ \
    dst-port=554 protocol=tcp to-addresses=10.0.0.5 to-ports=554
/ip firewall service-port
set rtsp disabled=no
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=181.94.236.1
add disabled=no dst-address=192.168.90.0/24 gateway=192.168.89.1 \
    routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24,192.168.89.0/24
set ssh address=192.168.88.1/32
set www-ssl disabled=no
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.89.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ppp profile
set *FFFFFFFE bridge=*21 dns-server=8.8.8.8,1.1.1.1 interface-list=LAN \
    local-address=192.168.89.1 remote-address=vpn-pool
/system clock
set time-zone-name=America/Asuncion
/system identity
set name=oveta
/system leds
set 0 disabled=yes interface=wlan2 leds=led1,led2,led3,led4,led5 type=\
    wireless-signal-strength
set 1 leds=poe-led type=poe-out
set 2 interface=wg_oveta leds=led1
set 3 interface=wg_oveta leds=led2 type=interface-receive
/tool bandwidth-server
set enabled=no
/tool graphing interface
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
/tool traffic-monitor
add interface=bridge_oficina name=tmon1 threshold=0
 
anav (Forum Guru)

Re: Wireguard bidirectionality

Wed Nov 16, 2022 5:24 pm

I cannot make heads or tails of your wlan, vlan, bridge constructs etc..........
The fact that you assign different vlans to the same VLAN-ID is very confusing.
Also, naming a vlan on ether2 with ether4 in the name.
Keep it simple.
One bridge, all vlans attached to bridge. a vlan identifies a SUBNET period.........
Bridge does no dhcp etc,...........
each vlan gets ip pool, dhcp-server, dhcp-server network, IP address

assign etherports/wlans on /interfaces bridge ports
assign vlans on /interface bridge vlans

add user rules to default rules to match up to requirements
adjust add any routes necessary.
+++++++++++++++++++++++++++++++++++++++++
 
pwac092 (topic author)

Re: Wireguard bidirectionality

Wed Nov 16, 2022 6:05 pm

Thank you very much for the reply Anav! I know this is a crazy setup. I am tinkering with it.

When setting this up, the logic was:

I want to have three different "networks", mainly because I have some cheap wifi bulbs that I trust less than I would football stadium sushi. So, I have three bridges (casa, domotica, oficina), each has its own dhcp pool (192.168.100.0, 10.0.0.0 and 192.168.88.0). To further separate traffic at L2, I also created two VLAN tags, 10 and 50. In my mind, this is better than just having bridges separating the networks. I am able to have: different ip address, each with its own vlan tag and different interfaces. As I said, just playing with it to kinda learn what I can do with this router.

In the meantime, what would you say I should add to the firewall to allow for ssh to my remote wireguard peer?
 
sindy (Forum Guru)

Re: Wireguard bidirectionality

Wed Nov 16, 2022 7:05 pm

Your firewall doesn't prevent the Mikrotik itself from connecting anywhere, so if /system ssh from the Mikrotik itself to the Debian is what fails, the reason is not the firewall at the Mikrotik.

Since the Debian is not running on a public address, the pinhole on the ISP NAT device that allows the Wireguard transport packets to flow between the Debian and the Mikrotik only opens when the Debian actively sends something to the Mikrotik, and only stays open if some traffic keeps passing through it. Some time (typically 3 minutes) after the last packet has been forwarded, it closes, so if later a packet from the Mikrotik arrives to the NAT device of the ISP, it is dropped rather than forwarded to the Debian.
To avoid this, add persistent-keepalive=60s to the /interface/wireguard/peers row representing the Debian.
It may or may not be sufficient to resolve your issue. If it is not, you have to check the firewall at the Debian itself.
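Sindy's pinhole explanation as a small added simulation (written for this page, not code from the thread or any vendor): a NAT UDP mapping is created by the Debian's outbound packet, refreshed by traffic in either direction, and expires after 180 s of silence. The 192.168.100.7 inside address, port and probe times are constructed.

```python
NAT_TIMEOUT = 180  # seconds of silence after which the mapping closes ("typically 3 minutes")


class UdpNat:
    """Minimal model of an ISP NAT's UDP mapping table (constructed, not a real NAT)."""

    def __init__(self, timeout=NAT_TIMEOUT):
        self.timeout = timeout
        self.mappings = {}  # (inside_ip, inside_port) -> time of the last packet seen

    def outbound(self, inside, now):
        # A packet sent by the inside host (the Debian) creates the mapping or refreshes it.
        self.mappings[inside] = now

    def inbound(self, inside, now):
        # A packet arriving from outside (the MikroTik) is forwarded only through a live
        # mapping; a forwarded packet also refreshes the mapping.
        last = self.mappings.get(inside)
        if last is None or now - last > self.timeout:
            self.mappings.pop(inside, None)
            return False
        self.mappings[inside] = now
        return True


def simulate(keepalive, probe_times, horizon=600):
    """Debian handshakes at t=0 and then sends a keepalive every `keepalive` seconds
    (None = no keepalive). The MikroTik sends a packet at each time in `probe_times`.
    Returns [(t, delivered_to_debian), ...]."""
    nat = UdpNat()
    debian = ("192.168.100.7", 51820)  # constructed inside address and port
    events = [(0, "out")]
    if keepalive:
        events += [(t, "out") for t in range(keepalive, horizon, keepalive)]
    events += [(t, "in") for t in probe_times]
    results = []
    for t, direction in sorted(events):
        if direction == "out":
            nat.outbound(debian, t)
        else:
            results.append((t, nat.inbound(debian, t)))
    return results


if __name__ == "__main__":
    # Without keepalive the MikroTik's packet at t=400 hits a closed pinhole;
    # with persistent-keepalive=60s the mapping is refreshed every minute.
    print("no keepalive :", simulate(None, [60, 400]))
    print("keepalive 60s:", simulate(60, [60, 400]))
```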
 
pwac092 (topic author)

Re: Wireguard bidirectionality

Wed Nov 16, 2022 7:13 pm

Thanks sindy!

I'll give that a go, keepalive on the home peer as well.

I will double-check the openssh config on the remote machine as well. What is puzzling is that both ssh and icmp messages fail, but www does not. I'll have a look.

On the pinhole side of things, would it be crazy to have something forcing the interface open other than keepalive? Like a constant, low bandwidth transfer?

cheers.
 
sindy (Forum Guru)

Re: Wireguard bidirectionality

Wed Nov 16, 2022 7:25 pm

What is puzzling is that both ssh and icmp messages fail, but www does not. I'll have a look.
So are you trying from the Mikrotik itself or from some computer on its LAN? If from the Mikrotik, it is very likely that a firewall on the Debian blocks it. I did not check the firewall rules in forward chain that handle traffic that passes through the Mikrotik, so if you try from a PC in LAN, it may be the Mikrotik firewall.

It is also possible that you've tried WWW before the pinhole has closed, and the rest after.

On the pinhole side of things, would it be crazy to have something forcing the interface open other than keepalive? Like a constant, low bandwidth transfer?
Not exactly crazy, but what would be the benefit of that as compared to the keepalive? Also, maybe the WG settings at the Debian end do use the keepalive?
 
anav (Forum Guru)

Re: Wireguard bidirectionality

Wed Nov 16, 2022 7:59 pm

Yes, the WG settings on the debian are important to know as part of the puzzle.
 
pwac092 (topic author)

Re: Wireguard bidirectionality

Wed Nov 16, 2022 8:10 pm

So are you trying from the Mikrotik itself or from some computer on its LAN? If from the Mikrotik, it is very likely that a firewall on the Debian blocks it. I did not check the firewall rules in forward chain that handle traffic that passes through the Mikrotik, so if you try from a PC in LAN, it may be the Mikrotik firewall.
I have tried SSHing from within the LAN. Pinging from the mikrotik router. Both to no avail.
It is also possible that you've tried WWW before the pinhole has closed, and the rest after.
This would be unlikely. I tried this at the same time I was trying to SSH.

My setup on the remote peer is actually quite simple:
[Interface]
Address=192.168.89.2/32
PrivateKey=XXYYZZ #Debian's private key

[Peer]
PublicKey=AABBCC #Mikrotik's public key
Endpoint=publicIP:13231
AllowedIPs=0.0.0.0
PersistentKeepalive=20
 
anav (Forum Guru)

Re: Wireguard bidirectionality

Wed Nov 16, 2022 8:17 pm

Why is the allowed IPs set to 0.0.0.0?
I get easily confused. What are the requirements for traffic?
Where does traffic originate etc.

Is it users on the MT accessing LANIPs/servers on the debian device? ( including you the admin loading stuff on the debian)
Does any traffic originate on the debian ??? Any users behind debian?
 
sindy (Forum Guru)

Re: Wireguard bidirectionality

Wed Nov 16, 2022 8:21 pm

Since there is the PersistentKeepalive=20 row at Debian side, there is no point in having it at Mikrotik side as well, and the issue has nothing to do with an expired pinhole.

I have now had a look at the forward chain of your /ip firewall filter - it's a bit messy (find what a stateful firewall means and why the "accept established or related" rule should be the first one in each filter chain), but it doesn't block traffic between the LAN subnet and the wireguard interface. So iptables/nftables/whatever else firewall you use at Debian needs inspection. Also sshd_config may be set to only permit connections from particular subnets but it has no influence on pings.
 
anav (Forum Guru)

Re: Wireguard bidirectionality

Wed Nov 16, 2022 8:26 pm

To add to the previous, the allowed IPs for the Debian should probably contain more info - specifically whatever subnet on the debian is hosting the devices on the debian. Again, what will help is a better explanation of where all the various traffic that goes through the tunnel ORIGINATES FROM.
add allowed-address=192.168.89.2/32,192.168.100.0/24 comment="tavai - 192.168.89.2" interface=\
wg_oveta public-key="xYNYxh8="



On the debian side, instead of 0.0.0.0/0 which works if one is very lazy! ;-) and there is no chance of duplication of peers on the debian (which there is not), one still has to be careful about routes on the debian. How does the debian know where to send traffic that visits the servers?
Using a more defined and accurate allowed IPs, allows one to cross check allowed users/subnets to existing routes to ensure nothing is missing.

So if you know subnets SUBNET A and SUBNET B, and not C, D, E, will be coming through the tunnel, the allowed IPs at the debian would be
allowed-ips=192.168.89.0/24,subnetA,subnetB

then one would create some type of debian routes.
add dst-address=subnetA gwy=wireguard
add dst-address=subnetB gwy=wireguard
 
pwac092 (topic author)

Re: Wireguard bidirectionality

Wed Nov 16, 2022 8:50 pm

I am really thankful for your help and patience Anav! I am sorry for any lack of clarity.
add allowed-address=192.168.89.2/32,192.168.100.0/24 comment="tavai - 192.168.89.2" interface=\
wg_oveta public-key="xYNYxh8="
I will give this a go.
Why is the allowed IPs set to 0.0.0.0?
I've done this to make all traffic go through the wireguard tunnel, i.e. through the mikrotik. Also, as you have rightly identified, I am lazy.
Where does traffic originate etc.
Is it users on the MT accessing LANIPs/servers on the debian device? ( including you the admin loading stuff on the debian)
Does any traffic originate on the debian ??? Any users behind debian?
Traffic originates only from the home peer, that is, from a machine connected to the mikrotik router with an IP in the 192.168.88.0 network. This traffic is generated through rsync destined for the debian machine (a PC with 2 drives in RAID 1). There is nothing on the network where the debian peer is hosted that I need to access other than the debian. I am simply pushing a backup from the home peer LAN to the debian through:
rsync --archive --compress --human-readable --delete -H --numeric-ids BACK_DIR user@192.168.89.2:/home/user/backup_destination/
 
anav (Forum Guru)

Re: Wireguard bidirectionality

Wed Nov 16, 2022 9:02 pm

Okay

You cannot make all traffic go through the wireguard with any setting at wireguard.
It does not route traffic LOL.
All you are saying to the wireguard is two things........

a. any traffic originating from the debian with any IP address will be selected and matched to the single available peer .........
b. any traffic coming in on the tunnel (originating remotely) regardless of source IP address will be allowed to exit the tunnel.

Neither is accurate or what you want, it's more likely then that this suffices.
allowed-ips=192.168.89.0/24,192.168.88.0/24

This will ensure that any traffic from the subnet 88.0 will be allowed to exit the tunnel at the debian instance and that such traffic will be able to access debian for pinging purposes or let's say even config the debian or the server from the iphone -----> all dependent upon firewall rules on the debian.

In other words, wireguard rules are only valid to ensure wireguard traffic passes. The traffic still has to be processed for local firewall rules and also for local routing rules.

In addition I see you have firewall rules on the MT both ways for that traffic when you only need MT to debian, as the return traffic will be tracked and allowed as part of the same session.
You would only need the return rule if traffic originated on the debian to reach the .88 subnet.
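To make anav's two rules concrete, here is an added model of WireGuard's cryptokey routing (example code written for this thread, not WireGuard's, RouterOS's or anyone's posted code). The peer names and the 192.168.100.7 address are constructed; the AllowedIPs lists are the ones discussed above, and the table also shows what the `wg` tool makes of a bare `AllowedIPs=0.0.0.0` without a prefix length (it is taken as /32).

```python
import ipaddress


def parse_allowed_ips(text):
    """Parse a WireGuard AllowedIPs / RouterOS allowed-address list.
    Like the wg tool, a bare address without a prefix length is taken as /32."""
    nets = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if "/" not in item:
            item += "/32"
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


class CryptokeyTable:
    """Cryptokey routing for one WireGuard interface: peer name -> AllowedIPs."""

    def __init__(self, peers):
        self.peers = {name: parse_allowed_ips(allowed) for name, allowed in peers.items()}

    def select_peer(self, dst):
        """Outbound rule: a packet handed to the interface is encrypted for the peer
        whose AllowedIPs contains the destination (longest prefix wins).
        None means no peer matches, so WireGuard drops the packet."""
        dst = ipaddress.ip_address(dst)
        best = None
        for name, nets in self.peers.items():
            for net in nets:
                if dst in net and (best is None or net.prefixlen > best[1]):
                    best = (name, net.prefixlen)
        return best[0] if best else None

    def accept_inbound(self, peer, src):
        """Inbound rule: a packet decrypted from `peer` leaves the tunnel only if its
        source address is inside that peer's AllowedIPs; otherwise it is dropped."""
        src = ipaddress.ip_address(src)
        return any(src in net for net in self.peers.get(peer, []))


# MikroTik side, as in the thread's /interface wireguard peers (names constructed).
MIKROTIK = CryptokeyTable({
    "tavai": "192.168.89.2/32",
    "iphone": "192.168.89.50/32",
    "anguja": "192.168.89.51/32",
})
# Same, with the 192.168.100.0/24 entry anav proposed for the Debian peer.
MIKROTIK_UPDATED = CryptokeyTable({
    "tavai": "192.168.89.2/32,192.168.100.0/24",
    "iphone": "192.168.89.50/32",
    "anguja": "192.168.89.51/32",
})

# Debian side: the catch-all, the list anav suggests, and the posted prefix-less value.
DEBIAN_LAZY = CryptokeyTable({"mikrotik": "0.0.0.0/0"})
DEBIAN_STRICT = CryptokeyTable({"mikrotik": "192.168.89.0/24,192.168.88.0/24"})
DEBIAN_AS_POSTED = CryptokeyTable({"mikrotik": "0.0.0.0"})  # wg reads this as 0.0.0.0/32


if __name__ == "__main__":
    # The rsync host on 192.168.88.0/24 is let out of the tunnel by the strict list,
    # while a stray packet from the IoT subnet is not.
    print("strict accepts 192.168.88.5:", DEBIAN_STRICT.accept_inbound("mikrotik", "192.168.88.5"))
    print("strict accepts 10.0.0.5    :", DEBIAN_STRICT.accept_inbound("mikrotik", "10.0.0.5"))
    print("as posted accepts .89.1    :", DEBIAN_AS_POSTED.accept_inbound("mikrotik", "192.168.89.1"))
```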
 
pwac092 (topic author)

Re: Wireguard bidirectionality

Wed Nov 16, 2022 9:12 pm

This internet thing is great.. I am able to get educated for free by cool people. I really appreciate you taking the time..

I will have a go and get back to you..
 
anav (Forum Guru)

Re: Wireguard bidirectionality

Wed Nov 16, 2022 9:30 pm

Well there are many errors, for example you don't even have /interface bridge vlan settings..................... It's a wonder anything works,
Like the fact that you have the same IP address structure for some ovpn ppp setup as wireguard.............
So much needs fixing.....
 
anav (Forum Guru)

Re: Wireguard bidirectionality

Wed Nov 16, 2022 9:35 pm

My best guess at your setup intentions
Modified your setup to one with four vlans: vlan10-home, vlan20-office, vlan30-guest, vlan40-iot.
Just to give you a flavour of a possible config.

Pretty much every line has been modified so understand each line and its change and feel free to ask questions.
It should be fairly organized and coherent and thus easier to read. I may have mixed up home and domotica in some instances but pretty easy to fix. This is just a starting point to get you thinking in the right direction.

.............
/interface bridge
add name=onebridge vlan-filtering=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=wg_oveta
/interface vlan
add interface=onebridge name=vlan10-home vlan-id=10
add interface=onebridge name=vlan20-office vlan-id=20
add interface=onebridge name=vlan30-guest vlan-id=30
add interface=onebridge name=vlan40-iot vlan-id=40
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Manage
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=perfil_casa supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=perfil_domotica supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto mode=ap-bridge \
    security-profile=perfil_casa ssid=oficina wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac \
    channel-width=20/40/80mhz-XXXX country=paraguay disabled=no distance=\
    indoors frequency=auto mode=ap-bridge security-profile=perfil_casa ssid=\
    oficina wireless-protocol=802.11
add disabled=no mac-address=DE:2C:6E:14:DE:97 master-interface=wlan2 name=\
    wlan_casa_5 security-profile=perfil_casa ssid=CASA2  wps-mode=disabled
add disabled=no mac-address=DE:2C:6E:14:DE:96 master-interface=wlan1 name=\
    wlan_casa_24 security-profile=perfil_casa ssid=CASA2  wps-mode=disabled
add disabled=no mac-address=DE:2C:6E:14:DE:95 master-interface=wlan1 name=\
    wlan_domotica security-profile=perfil_domotica ssid=domotica \
     wps-mode=disabled
/ip pool
add name=dhcp_home ranges=10.0.0.2-10.0.0.254
add name=dhcp_office ranges=192.168.88.100-192.168.88.254
add name=dhcp_guest ranges=192.168.1.2-192.168.1.254
add name=dhcp_iot ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=dhcp_home interface=vlan10-home name=home-server
add address-pool=dhcp_office interface=vlan20-office name=office-server
add address-pool=dhcp_guest interface=vlan30-guest name=guest-server
add address-pool=dhcp_iot interface=vlan40-iot name=iot-server
/interface bridge port
add bridge=onebridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=onebridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=20
add bridge=onebridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=40
add bridge=onebridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=20
add bridge=onebridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wlan1 pvid=20
add bridge=onebridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wlan2 pvid=20
add bridge=onebridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wlan_domotica pvid=40
add bridge=onebridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wlan_casa_24 pvid=30
add bridge=onebridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wlan_casa_5 pvid=10
/interface bridge vlan
add bridge=onebridge tagged=onebridge untagged=ether2,wlan_casa_5 vlan-id=10
add bridge=onebridge tagged=onebridge untagged=ether3,ether5,wlan1,wlan2 vlan-id=20
add bridge=onebridge tagged=onebridge untagged=wlan_casa_24 vlan-id=30
add bridge=onebridge tagged=onebridge untagged=ether4,wlan_domotica vlan-id=40
/ip neighbor discovery-settings
set discover-interface-list=Manage
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=none
/interface list member
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=vlan10-home list=LAN
add interface=vlan20-office list=LAN
add interface=vlan30-guest list=LAN
add interface=vlan40-iot list=LAN
add interface=wg_oveta list=LAN
add interface=vlan10-home list=Manage
add interface=wg_oveta list=Manage
/interface wireguard peers
add allowed-address=192.168.89.51/32 comment="anguja - 192.168.89.51" \
    interface=wg_oveta public-key=\
    "Zke0XuOTuSq="
add allowed-address=192.168.89.2/32,192.168.100.0/24 comment="tavai - 192.168.89.2" interface=\
    wg_oveta public-key="xYNYxh8="
add allowed-address=192.168.89.50/32 comment="iphone - 192.168.89.50" \
    interface=wg_oveta public-key=\
    "tezEgxDhAX="
/ip address
add address=181.XX.YY.ZZ/24 interface=ether1 network=181.XX.YY.0
add address=10.0.0.1/24 interface=vlan10-home network=10.0.0.0
add address=192.168.88.1/24  interface=vlan20-office network=192.168.88.0
add address=192.168.1.1/24 interface=vlan30-guest network=192.168.1.0
add address=192.168.2.1/24 interface=vlan40-iot network=192.168.2.0
add address=192.168.89.1/24 comment="Oveta Wireguard" interface=wg_oveta \
    network=192.168.89.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.2.0/24 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=oveta.lan
add address=192.168.88.5 name=mrroboto.lan
add address=192.168.88.6 name=mandua.lan
add address=10.0.0.5 name=dvr.domotica.lan
add address=192.168.89.2 comment=Tavai@joaquin name=tavai.lan
/ip firewall address-list
add list=authorized address=adminDesktop-IP
add list=authorized address=adminLaptop-IP
add list=authorized address=Ipad-IP
add list=authorized address=192.168.89.50
add list=authorized address=192.168.89.51
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid 
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=13231 protocol=udp
add action=accept chain=input in-interface-list=Manage src-address-list=authorized
add action=accept chain=input dst-port=53 protocol=tcp in-interface-list=LAN
add action=accept chain=input dst-port=53 protocol=udp in-interface-list=LAN
add action=drop chain=input comment="drop all else"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow home vlan to wireguard" in-interface=vlan10-home out-interface=wg_oveta
add action=accept chain=forward connection-nat-state=dstnat comment="allow port forwarding"
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=181.XX.YY.ZZ
add action=dst-nat chain=dstnat comment=Dvr dst-address=181.XX.YY.ZZ \
    dst-port=8000 protocol=tcp to-addresses=10.0.0.5 
add action=dst-nat chain=dstnat comment=Dvr dst-address=181.XX.YY.ZZ \
    dst-port=554 protocol=tcp to-addresses=10.0.0.5
/ip firewall service-port
set rtsp disabled=no
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=181.XX.YY.ZZ
add disabled=no dst-address=192.168.100.0/24 gateway=wg_oveta \
    routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh address=192.168.88.1/32
set www-ssl disabled=no
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.89.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/Asuncion
/system identity
set name=oveta
/system leds
set 0 disabled=yes interface=wlan2 leds=led1,led2,led3,led4,led5 type=\
    wireless-signal-strength
set 1 leds=poe-led type=poe-out
set 2 interface=wg_oveta leds=led1
set 3 interface=wg_oveta leds=led2 type=interface-receive
/tool bandwidth-server
set enabled=no
/tool graphing interface
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Manage
/tool mac-server ping
set enabled=no
/tool traffic-monitor
add interface=onebridge name=tmon1 threshold=0
Last edited by anav on Thu Nov 17, 2022 2:07 am, edited 1 time in total.
 
pwac092 (topic author)

Re: Wireguard bidirectionality

Thu Nov 17, 2022 1:56 am

Thank you very much anav.

I think I get the logic. This is really cool.

I have, however, one problem.
add bridge=onebridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=onebridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=20
RouterOS is not allowing this. It says that the interface has already been assigned. That is, the bridge. I remember this now and that is why I created multiple bridges. I will try and move in this direction.. I think it is really much better..
 
anav (Forum Guru)

Re: Wireguard bidirectionality

Thu Nov 17, 2022 2:05 am

Just make sure that the vlans are associated with the bridge and not an ethernet interface as that is probably the conflict.
 
sindy (Forum Guru)

Re: Wireguard bidirectionality

Thu Nov 17, 2022 12:14 pm

RouterOS is not allowing this.
add is used when an object doesn't exist yet. set is used when you need to change parameters of an already existing object. To identify that object (or a list of objects), you have to use [find where parameter1=value1 and parameter2=value2 ...], or you have to use print to visualize a numbered list of the objects, and then use the row numbers from this list in the set (or remove) command.
