I have a Mikrotik router RB3011UiAS. On ETH 3 I have 3 VLANs, VLAN IDs 6, 7 and 8. Two WAN Internet PPPoE links are on ETH 2 and ETH 4 respectively. DHCP is configured for all 3 VLANs. ETH 3 is connected to the trunk port of a Cisco CBS 350 switch. On that switch only the same 3 VLANs are configured, with access ports assigned to the clients. This switch is in L2 mode only; routing is disabled. On the Mikrotik router a firewall rule is configured to block any traffic between all 3 VLANs. All clients in the 3 VLANs get internet access properly.
I have set up WireGuard; the WireGuard interface IP is 10.66.67.1/24. The VPN client is able to connect to the router, but it cannot access any host in the VLANs. The VPN client can ping only the VLAN interface IP, say 192.168.8.1, but cannot ping 192.168.8.9, .10 etc.
Below is the config for your reference; please help.
Also attached Network Diagram.
# nov/18/2022 18:02:51 by RouterOS 7.6
# software id = WR5M-DGW6
#
# model = RB3011UiAS
# serial number =
# NOTE(review): reviewed as posted. The WAN addresses (x.x.x.x), the PPPoE user
# names and the WireGuard peer public key are redacted by the poster, so anything
# that depends on them is hedged below.
/interface ethernet
# Physical ports: ether2 and ether4 carry the two PPPoE WAN links (see
# /interface pppoe-client), ether3 is the 802.1Q trunk to the switch (see
# /interface vlan). The remaining ports have names but no visible role here.
set [ find default-name=ether1 ] name=ether1_HATH
set [ find default-name=ether2 ] name=ether2_BSNL
set [ find default-name=ether3 ] name=ether3_LAN
set [ find default-name=ether4 ] name=ether4_BSNL_ILL_WAN
set [ find default-name=ether5 ] name=ether5_BSNL_ILL_LAN
set [ find default-name=ether6 ] name=ether6_BSNL_ILL_Static
set [ find default-name=ether7 ] name=ether7_JIO_ILL
set [ find default-name=ether8 ] name=ether8_JIO_STATIC
/interface pppoe-client
# Two PPPoE uplinks. Both have add-default-route=yes, and two static defaults in
# main are also added under /ip route, so which 0.0.0.0/0 is actually active in
# main should be confirmed with /ip route print rather than assumed.
add add-default-route=yes disabled=no interface=ether2_BSNL name=pppoe-out1 \
service-name=smphi5 use-peer-dns=yes user=
add add-default-route=yes disabled=no interface=ether4_BSNL_ILL_WAN name=\
pppoe-out2 user=
/interface wireguard
# WireGuard server side; UDP 13231 is accepted in the input chain below.
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
# Three tagged sub-interfaces on the trunk. Note the name/ID mismatch (vlan1 is
# ID 8, vlan3 is ID 6) — harmless, but easy to misread when editing rules.
add interface=ether3_LAN name=vlan1 vlan-id=8
add interface=ether3_LAN name=vlan2 vlan-id=7
add interface=ether3_LAN name=vlan3 vlan-id=6
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# dhcp_pool2 lies inside the 192.168.8.0/23 on vlan1 and is also used by the PPP
# profile further down (remote-address=dhcp_pool2), so PPP clients would draw
# from the same range as vlan1 DHCP clients.
add name=dhcp_pool0 ranges=192.168.7.101-192.168.7.126
add name=dhcp_pool2 ranges=192.168.8.70-192.168.9.200
add name=dhcp_pool3 ranges=192.168.7.50-192.168.7.62
/ip dhcp-server
# pool0 -> vlan3 (ID 6, 192.168.7.64/26), pool2 -> vlan1 (ID 8, 192.168.8.0/23),
# pool3 -> vlan2 (ID 7, 192.168.7.0/26); subnets are under /ip address.
add address-pool=dhcp_pool0 interface=vlan3 name=dhcp1
add address-pool=dhcp_pool2 interface=vlan1 name=dhcp3
add address-pool=dhcp_pool3 interface=vlan2 name=dhcp2
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
# Per-WAN routing tables selected by the mark-routing rules in
# /ip firewall mangle; each holds only a 0.0.0.0/0 route (see /ip route).
add fib name=to_BSNL
add fib name=to_ILL
/user-manager user
# Framed-Pool references dhcp_pool1, which is not defined under /ip pool in this
# export.
add attributes=Framed-Pool:dhcp_pool1 name=sonicwall
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
# accept-source-route=yes makes the router honour IP source-route options. On an
# Internet-facing router this is normally left at no unless something relies on
# it; nothing in this export appears to.
set accept-source-route=yes max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
# L2TP server settings; whether the server is enabled is not visible here.
set default-profile=default use-ipsec=yes
/interface ovpn-server server
# md5 is still listed as an accepted auth digest; only matters if the OVPN server
# is enabled (not visible in this export).
set auth=sha1,md5
/interface wireguard peers
# Single road-warrior peer. allowed-address is the peer's tunnel IP only, which is
# correct on the server side. The CLIENT's AllowedIPs must include the VLAN
# subnets (192.168.8.0/23, 192.168.7.0/26, 192.168.7.64/26) or its VLAN traffic
# never enters the tunnel — the client config is not shown, worth confirming.
add allowed-address=10.66.67.2/32 interface=wireguard1 public-key=\
""
/ip address
# The router is the gateway of every VLAN, so VLAN hosts already have a return
# path to 10.66.67.0/24 through it; no extra routes are needed on the hosts
# (a host firewall that rejects non-local sources is a separate matter).
add address=10.66.67.1/24 interface=wireguard1 network=10.66.67.0
add address=192.168.8.1/23 interface=vlan1 network=192.168.8.0
add address=192.168.7.1/26 interface=vlan2 network=192.168.7.0
add address=192.168.7.65/26 interface=vlan3 network=192.168.7.64
/ip dhcp-server network
# Clients are given 8.8.8.8/8.8.4.4 directly, not the router, as DNS.
add address=192.168.7.0/26 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.7.1
add address=192.168.7.64/26 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.7.65
add address=192.168.8.0/23 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.8.1
/ip dns
# allow-remote-requests=yes turns the router into a resolver. With no drop rule in
# the input chain below it answers queries arriving on the PPPoE links too (an
# open resolver, usable for reflection). Since the DHCP networks hand out
# 8.8.8.8 directly, either set this to no or add an input rule that only accepts
# udp/tcp 53 from the VLAN and WireGuard interfaces.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# LAN only contains the vlan1 subnet; the two /26 subnets are not in it, so the
# hairpin mark below applies to vlan1 sources only. WAN entries are redacted.
add address=192.168.8.0/23 list=LAN
add address=x.x.x.x list=WAN
add address=x.x.x.x list=WAN
/ip firewall filter
# Input chain: two accepts and no terminal drop, and no established/related
# accept either. As written, every other service on the router (winbox, www,
# api, SNMP, SMB, RADIUS incoming, User Manager, DNS) is reachable from both
# PPPoE links. A minimal repair is: accept established/related, accept from the
# VLAN and WireGuard interfaces, then end the chain with drop. The forward
# chain likewise has no drop-invalid and no drop of WAN->LAN new connections
# that are not dst-natted.
add action=accept chain=input icmp-options=8:0-255 protocol=icmp
add action=accept chain=input dst-port=13231 protocol=udp
# Inter-VLAN isolation: all six direction pairs between the three subnets.
# Traffic from the WireGuard subnet 10.66.67.0/24 to the VLANs is not dropped
# here, which is what the VPN use case needs.
add action=drop chain=forward dst-address=192.168.7.0/26 src-address=\
192.168.8.0/23
add action=drop chain=forward dst-address=192.168.8.0/23 src-address=\
192.168.7.0/26
add action=drop chain=forward dst-address=192.168.7.0/26 src-address=\
192.168.7.64/26
add action=drop chain=forward dst-address=192.168.7.64/26 src-address=\
192.168.7.0/26
add action=drop chain=forward dst-address=192.168.7.64/26 src-address=\
192.168.8.0/23
add action=drop chain=forward dst-address=192.168.8.0/23 src-address=\
192.168.7.64/26
# Dropping the router's own replies from src-port 80/443 is a blunt way to hide
# www/www-ssl; /ip service (below) is the place to disable them or bind them to
# the LAN subnets.
add action=drop chain=output protocol=tcp src-port=80
add action=drop chain=output protocol=tcp src-port=443
/ip firewall mangle
# PCC load balancing across the two PPPoE links. Packets arriving from the WAN
# side are exempted first.
add action=accept chain=prerouting in-interface=pppoe-out1
add action=accept chain=prerouting in-interface=pppoe-out2
# Likely cause of the reported symptom: the only exemption from PCC marking is
# dst-address-type=!local, so a packet from 10.66.67.2 to 192.168.8.9 (a VLAN
# host, not an address on the router) is connection-marked and routing-marked
# into to_BSNL/to_ILL, whose only route is 0.0.0.0/0 via a PPPoE link — it
# leaves on the WAN instead of vlan1. Pinging 192.168.8.1 works because that
# address IS local. The same marking hits VLAN hosts' replies and traffic to the
# 10.66.68.0/24 route below. Add, before these rules, an accept for traffic whose
# destination is a local subnet, e.g.
#   add action=accept chain=prerouting dst-address-list=LOCAL_NETS
# with LOCAL_NETS (constructed name) holding 192.168.8.0/23, 192.168.7.0/26,
# 192.168.7.64/26, 10.66.67.0/24 and 10.66.68.0/24. Consider adding
# connection-mark=no-mark to the two mark-connection rules so an established
# connection is not re-classified on every packet. The comment text on the first
# rule ("8/0 to 8/1") does not match the actual classifier values 2/0 and 2/1.
add action=mark-connection chain=prerouting comment=\
"New Conn Mark: ILL_conn Per conn classifier 8/0 to 8/1" \
dst-address-type=!local new-connection-mark=BSNL_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
new-connection-mark=ILL_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=BSNL_conn \
new-routing-mark=to_BSNL passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ILL_conn \
new-routing-mark=to_ILL passthrough=yes
# Hairpin marking: vlan1 sources that address the WAN IPs (list is redacted).
add action=mark-connection chain=prerouting dst-address-list=WAN \
new-connection-mark=NAT-SSH passthrough=yes src-address-list=LAN
/ip firewall nat
# Hairpin: marked LAN->WAN-IP connections are masqueraded so the dst-natted
# server's replies return through the router.
add action=masquerade chain=srcnat comment="Hair-Pin NAT" connection-mark=\
NAT-SSH
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=pppoe-out2
# Port forwards into vlan1: SSH on 192.168.8.50 (2022) and 192.168.8.2 (2023),
# UDP 63797 and TCP 7000-7005. log=yes on each logs every new inbound attempt,
# which is noisy on an Internet-facing port. Nothing in the forward chain limits
# what reaches these hosts beyond the NAT itself.
add action=dst-nat chain=dstnat dst-address-list=WAN dst-port=2022 log=yes \
protocol=tcp to-addresses=192.168.8.50 to-ports=22
add action=dst-nat chain=dstnat dst-address-list=WAN dst-port=2023 log=yes \
protocol=tcp to-addresses=192.168.8.2 to-ports=22
add action=dst-nat chain=dstnat dst-address-list=WAN dst-port=63797 log=yes \
protocol=udp to-addresses=192.168.8.2 to-ports=63797
add action=dst-nat chain=dstnat dst-address-list=WAN dst-port=7000-7005 log=\
yes protocol=tcp to-addresses=192.168.8.50 to-ports=7000-7005
# Disabled masquerade for the VPN subnet. Enabling it would make VPN clients
# appear as the router's VLAN address (works around host firewalls that reject
# non-local sources) at the cost of losing the real client IP in host logs; it
# does not fix the mangle marking issue noted above.
add action=masquerade chain=srcnat disabled=yes src-address=10.66.67.0/24
/ip route
# Per-table defaults used by PCC (to_BSNL -> pppoe-out1, to_ILL -> pppoe-out2).
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 pref-src=\
0.0.0.0 routing-table=to_BSNL scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 pref-src=\
0.0.0.0 routing-table=to_ILL scope=30 suppress-hw-offload=no \
target-scope=10
# Static defaults in main: ILL preferred (distance 1), BSNL backup (distance 2).
# The PPPoE clients also install their own defaults (add-default-route=yes), so
# verify which route is active.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 \
routing-table=main suppress-hw-offload=no
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=pppoe-out1 \
routing-table=main suppress-hw-offload=no
# Remote subnet reachable via 192.168.8.2 (a vlan1 host, also a forward target).
# Traffic to it from VLAN hosts is subject to the same PCC marking issue noted
# under /ip firewall mangle.
add disabled=no dst-address=10.66.68.0/24 gateway=192.168.8.2 routing-table=\
main suppress-hw-offload=no
/ip service
# telnet/ftp/ssh are off; www, www-ssl, winbox and api are not shown, so they
# keep their defaults and, with no input-chain drop, stay reachable from the WAN.
# Disable the unused ones or restrict each with address= to the LAN/VPN subnets.
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/ip smb
# SMB file sharing on the router itself; unusual on an edge router and exposed
# by the open input chain. Disable unless the router's share is actually used.
set enabled=yes
/lcd
set enabled=no touch-screen=disabled
/ppp profile
# Default PPP profile: hands out addresses from dhcp_pool2 (the vlan1 DHCP pool)
# with a local-address in an unrelated 192.168.12.0 range. Applies to the
# L2TP/OVPN servers if they are enabled.
set *FFFFFFFE bridge=*C dns-server=8.8.8.8 local-address=192.168.12.1 \
remote-address=dhcp_pool2
/radius
# Local User Manager acts as RADIUS for login and DHCP. /radius incoming
# accept=yes also opens the CoA/disconnect listener (udp 3799 by default), which
# is covered by the same missing input-chain drop.
add address=127.0.0.1 service=login,dhcp
/radius incoming
set accept=yes
/snmp
# SNMP enabled with no community settings shown, so presumably the default
# community. Restrict it under /snmp community or drop udp 161 from WAN in input.
set enabled=yes trap-generators=interfaces
/system clock
set time-zone-name=Asia/Kolkata
/system logging
add topics=event
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.google.com
/tool graphing interface
add interface=ether2_BSNL
add interface=ether4_BSNL_ILL_WAN
add interface=ether7_JIO_ILL
/user aaa
# Router logins consult RADIUS (the local User Manager above).
set use-radius=yes
/user-manager
# certificate=*0 is an internal id; the referenced certificate is not visible in
# this export.
set certificate=*0 enabled=yes
/user-manager router
# NAS entries: the router itself and a device at 192.168.7.201 (vlan2 subnet).
add address=127.0.0.1 name=Sonicwall
add address=192.168.7.201 name=router1