I'm wondering whether it is possible to use my Google Home sh*ts over WireGuard.
What I mean is that I can use them over WireGuard, but with limited functionality. For example, over Google Home I can use all the controls (changing the volume, changing channels, turning the box off and on, etc.) on my Android TV box, but over WireGuard I can only change the volume; I cannot, for example, turn the box off and on.
The setup is nothing special: my main network is 88.0/24 and my WireGuard network is 89.0/24, with the default firewall rules plus a few small changes.
# jan/16/2023 10:20:00 by RouterOS 7.6
# software id = 02F4-WMYY
#
# model = RBD52G-5HacD2HnD
# serial number = SN
# Interface definitions: the LAN bridge, the Ethernet ports, the 2.4 GHz radio,
# the WireGuard tunnel interface, the WAN/LAN interface lists and the LTE APNs.
/interface bridge
# auto-mac=no together with admin-mac gives the bridge a fixed MAC address.
# NOTE(review): this MAC is posted as-is, while other MACs in the post are
# replaced with the word MAC.
add admin-mac=B8:69:F4:8A:6C:97 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=MAC speed=100Mbps
set [ find default-name=ether2 ] rx-flow-control=auto speed=100Mbps \
tx-flow-control=auto
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface wireless
# NOTE(review): no security-profile is set on wlan1, so it uses the default
# profile, and the default profile in this export shows no mode or
# authentication types - confirm wlan1 is not an open network.
# hide-ssid=yes only keeps the name out of beacons; it is not access control.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC \
country=bulgaria distance=indoors frequency=2447 hide-ssid=yes mode=\
ap-bridge ssid=SSIDTest station-roaming=enabled wireless-protocol=\
802.11
/interface wireguard
# The tunnel interface. listen-port appears as the placeholder "myport"; the
# input chain has to accept UDP on the same port.
add listen-port=myport mtu=1420 name=wireguard1
/interface list
# Only the list names are created here. In the list members of this export,
# wireguard1 is in neither list, so rules matching in-interface-list=LAN or
# in-interface-list=WAN do not match tunnel traffic.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
# APN profiles; the APN and user values look anonymised by the poster.
set [ find default=yes ] apn=internet.isp.bg authentication=pap ip-type=\
ipv4 name=isp use-network-apn=no user=isp
add apn=internet.isp.bg ip-type=ipv4
# Wireless security profiles, the 5 GHz radio and two virtual APs.
/interface wireless security-profiles
# The default profile carries only a supplicant identity in this export.
set [ find default=yes ] supplicant-identity=MikroTik
# NOTE(review): both profiles list wpa-psk next to wpa2-psk, so clients that
# only speak the older WPA are still accepted; drop wpa-psk unless a legacy
# client needs it. No pre-shared key appears in this export.
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=\
dynamic-keys name=SSID supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile \
supplicant-identity=MikroTik
/interface wireless
# wlan2 is the 5 GHz AP and uses the profile named SSID.
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-Ceee country=bulgaria distance=indoors hide-ssid=yes mode=\
ap-bridge security-profile=SSID skip-dfs-channels=10min-cac ssid=\
SSID station-roaming=enabled wireless-protocol=802.11
# wlan3 and wlan4 are virtual APs on wlan2 and wlan1 respectively; both use
# the security profile named "profile".
add mac-address=BA:69:F4:8A:6C:9C master-interface=wlan2 name=wlan3 \
security-profile=profile ssid=SSID
add hide-ssid=yes mac-address=BA:69:F4:8A:6C:9B master-interface=wlan1 name=\
wlan4 security-profile=profile ssid=SSID
# Kid-control placeholder entry and DHCP service for the LAN bridge.
/ip kid-control
# A single entry named system-dummy with every day-of-week field set to 0s-1d.
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip pool
# Dynamic leases come from 192.168.88.50-192.168.88.150.
add name=dhcp ranges=192.168.88.50-192.168.88.150
/ip dhcp-server
# DHCP is served on the bridge only; no DHCP server is defined for wireguard1.
add address-pool=dhcp interface=bridge name=defconf
# Bridge-level (layer 2) filter rules and bridge port membership.
/interface bridge filter
# The four rules below drop every frame the bridge forwards from or to wlan3
# and wlan4. NOTE(review): presumably this is meant to isolate clients of the
# two virtual APs from the rest of the bridge - confirm the intent. The
# "not ready" / "matcher not possible" lines look like warnings written by the
# export; wlan3 and wlan4 are added as bridge ports further down.
# wlan3 not ready
# in/out-bridge-port matcher not possible when interface (wlan3) is not slave
add action=drop chain=forward in-interface=wlan3
# wlan3 not ready
# in/out-bridge-port matcher not possible when interface (wlan3) is not slave
add action=drop chain=forward out-interface=wlan3
# wlan4 not ready
# in/out-bridge-port matcher not possible when interface (wlan4) is not slave
add action=drop chain=forward in-interface=wlan4
# wlan4 not ready
# in/out-bridge-port matcher not possible when interface (wlan4) is not slave
add action=drop chain=forward out-interface=wlan4
/interface bridge port
# ether2-ether5 and all four wireless interfaces are ports of the one bridge;
# ether1 is not a bridge port (it is listed as WAN elsewhere in this export).
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
add bridge=bridge interface=wlan3
add bridge=bridge interface=wlan4
# Connection tracking, neighbor discovery, IP settings, Detect Internet,
# interface list membership and OpenVPN server digests.
/ip firewall connection tracking
# The filter rules in this export match on connection-state, which needs
# connection tracking.
set enabled=yes
/ip neighbor discovery-settings
# Neighbor discovery runs only on interfaces in the LAN list.
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# IPv6 is switched off, so only the IPv4 firewall in this export applies.
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
# NOTE(review): detect-interface-list=all runs Detect Internet on every
# interface, WAN and wireguard1 included - confirm this is wanted, or set it
# back to none if the feature is not used.
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
# NOTE(review): *9 is an internal id, not an interface name; it looks like a
# leftover reference to an interface that no longer exists - confirm and
# remove.
add comment=defconf interface=*9 list=WAN
add interface=ether1 list=WAN
# wireguard1 is not a member of LAN or WAN.
/interface ovpn-server server
# Only the digest list is set; no enabled=yes appears in this export.
# NOTE(review): md5 and sha1 are weak digests - revisit this line before the
# OpenVPN server is ever enabled.
set auth=sha1,md5
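# WireGuard peers: a single peer, the phone.
/interface wireguard peers
# allowed-address is the set of source addresses the router accepts from this
# peer's key (and routes back to it). It is narrowed here to the phone's own
# tunnel address, 192.168.89.2/32. The posted value, 192.168.89.2/24, let this
# one key use any address in 192.168.89.0/24 and would overlap with any second
# peer added to the same tunnel network.
# The public key is redacted as "key" in the post.
add allowed-address=192.168.89.2/32 comment="Client Phone" interface=\
wireguard1 public-key="key"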
# Addressing, static ARP, cloud DDNS, WAN DHCP client, LAN DHCP network, DNS
# and the management address list.
/ip address
# The LAN is 192.168.88.0/24 on the bridge and the tunnel is 192.168.89.0/24
# on wireguard1, so VPN clients sit in a separate, routed subnet.
# NOTE(review): discovery that relies on broadcast or multicast (mDNS, for
# example) normally stays inside one subnet unless something relays it; that
# is possibly relevant to the Google Home symptoms described in the post.
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.89.1/24 interface=wireguard1 network=192.168.89.0
/ip arp
# Three static ARP entries on the bridge (MAC addresses redacted).
add address=192.168.88.247 interface=bridge mac-address=MAC
add address=192.168.88.249 interface=bridge mac-address=MAC
add address=192.168.88.250 interface=bridge mac-address=MAC
/ip cloud
set ddns-update-interval=30m
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
# The WAN address is obtained by DHCP on ether1.
add comment=defconf interface=ether1
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries itself. No
# input rule in this export names port 53, so who can reach the resolver is
# decided by the management accept rule and by the final
# "drop all not coming from LAN" rule.
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
# Sources in "management" are accepted by the input chain ahead of the
# per-service rules; the only entry is the phone's tunnel address.
add address=192.168.89.2 list=management
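# Input chain: traffic addressed to the router itself. Rules are evaluated top
# to bottom and the first terminating action (accept/drop) wins;
# add-src-to-address-list does not terminate, so evaluation continues after it.
# dst-port=myport is a placeholder in every rule below; NOTE(review): the SSH,
# WinBox and WireGuard ports are presumably different in the real config.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# ICMP is accepted up to the limit 20,40:packet; ICMP above the limit is not
# matched here and continues down the chain.
add action=accept chain=input comment="defconf: accept ICMP" limit=\
20,40:packet protocol=icmp
# Management sources bypass every rule below. The rule is tied to wireguard1
# so that only packets that really arrived through the tunnel are trusted; as
# posted it matched on source address alone, which a packet arriving on any
# other interface with a forged 192.168.89.2 source would also satisfy.
add action=accept chain=input comment="Allow Management IP's" \
in-interface=wireguard1 src-address-list=management
# SSH connection-rate staging. The stage rules are listed from stage3 down to
# stage1 on purpose: one new connection can then only move a source up by a
# single stage. A source that opens new connections while still in the 1m
# stage lists climbs stage1 -> stage2 -> stage3 -> ssh_blacklist, and
# blacklisted sources are dropped for 1w3d.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=myport \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=myport \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=myport \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=myport \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=myport \
protocol=tcp
# NOTE(review): this accept has no interface or source restriction, so SSH is
# reachable from every interface, WAN included; the staging above is the only
# brake on password guessing.
add action=accept chain=input comment=SSH dst-port=myport protocol=tcp
# The same staging for WinBox. The WinBox accept rule further down is
# disabled, so WinBox connections from outside the LAN list end at the final
# drop, while the stage lists are still populated.
add action=drop chain=input comment="drop winbox brute forcers" dst-port=myport \
protocol=tcp src-address-list=winbox_blacklist
add action=add-src-to-address-list address-list=winbox_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=myport \
protocol=tcp src-address-list=winbox_stage3
add action=add-src-to-address-list address-list=winbox_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=myport \
protocol=tcp src-address-list=winbox_stage2
add action=add-src-to-address-list address-list=winbox_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=myport \
protocol=tcp src-address-list=winbox_stage1
add action=add-src-to-address-list address-list=winbox_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=myport \
protocol=tcp
add action=accept chain=input comment=WinBox disabled=yes dst-port=myport \
protocol=tcp
# The WireGuard handshake and data packets arrive as UDP on the listen port
# and must be accepted from any source.
add action=accept chain=input comment=WireGuard dst-port=myport protocol=udp
# Everything else that did not arrive on a LAN-list interface is dropped.
# wireguard1 is not in the LAN list, so tunnel clients reach router services
# only through the management rule above.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN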
# Forward chain (still under /ip firewall filter): traffic routed through the
# router. These are the defconf rules.
# NOTE(review): no rule here matches wireguard1 and the chain has no final
# drop, so new connections from the tunnel to the LAN (and on to WAN) fall off
# the end of the chain and are forwarded. If the VPN peer should reach only
# some hosts, add explicit accept rules for them followed by a drop.
# Established and related connections are fasttracked.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# The only new connections dropped are those entering from a WAN-list
# interface without a matching dst-nat rule.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# Source NAT, connection helpers and the router's management services.
/ip firewall nat
# Traffic leaving through a WAN-list interface is masqueraded, except traffic
# that matches an IPsec policy.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
# The H.323 and PPTP helpers are off; the RTSP helper is on.
set h323 disabled=yes
set pptp disabled=yes
set rtsp disabled=no
/ip kid-control device
/ip service
# telnet, ftp, www, api and api-ssl are disabled. SSH and WinBox stay enabled
# on ports shown as the placeholder "myport".
# NOTE(review): neither service carries an address= restriction in this
# export, so access control rests entirely on the input chain.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=myport
set api disabled=yes
set winbox port=myport
set api-ssl disabled=yes
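# SSH server settings.
/ip ssh
# allow-none-crypto is set to no. The input chain in this export accepts SSH
# from any source, and the posted value (yes) let a client negotiate the
# "none" cipher, i.e. a session with no encryption at all.
# NOTE(review): forwarding-enabled=both permits SSH port forwarding in both
# directions through the router. It is kept as posted; set it to no if SSH
# tunnelling is not used.
set allow-none-crypto=no forwarding-enabled=both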
# Clock, identity, firmware upgrade policy and the layer-2 management tools.
/system clock
set time-zone-name=Europe/Sofia
/system identity
# The identity is replaced with the placeholder NAME in the post.
set name=NAME
/system routerboard settings
set auto-upgrade=yes
/tool bandwidth-server
# The bandwidth-test server is off.
set enabled=no
/tool mac-server
# MAC-Telnet and MAC-WinBox are allowed on no interface list and MAC ping is
# off, so the router cannot be managed at layer 2 from an adjacent segment.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no