Thank you very much for your replies.
A drawing of the network setup is enclosed. I configured a test setup according to Larsa, with a WireGuard interface using an IP range within the subnet. The tunnel is up and running (the handshake completes), but no connection is possible within the subnet 10.1.10.0/24.
# jan/20/2023 20:14:14 by RouterOS 7.5
# model = RouterBOARD 3011UiAS
# One bridge per VLAN segment. bridge10_office has arp=proxy-arp: the router
# answers ARP on the office segment for addresses it can route elsewhere, which
# is what lets office hosts reach the 10.1.10.96/28 WireGuard range assigned
# further down without a route of their own.
/interface bridge
add name=bridge5_private protocol-mode=none
add name=bridge7_dmz protocol-mode=none
add arp=proxy-arp name=bridge10_office protocol-mode=none
add name=bridge99_mgmt protocol-mode=none
add name=bridge200_public protocol-mode=none
# ether1 = management, ether5 = VLAN trunk; the others are only pinned to 100Mbps.
/interface ethernet
set [ find default-name=ether1 ] name=ether1_mgmt
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] name=ether5_trunk
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] poe-out=off
# WAN uplink. NOTE(review): sfp1_gateway is not renamed in the visible
# /interface ethernet section - presumably set elsewhere; verify the name.
/interface pppoe-client
add add-default-route=yes comment=ISP disabled=no interface=sfp1_gateway \
keepalive-timeout=60 max-mtu=1480 name=pppoe-out1 use-peer-dns=yes
# WireGuard listener on UDP 13231. NOTE(review): the input chain below has no
# accept rule for udp/13231 on pppoe-out1 (only 53, 1723, 500 and 4500 are
# opened explicitly), so a peer on the Internet only reaches this listener if
# some other input rule matches first - confirm where the test client connects from.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1-roadwarrior
# Tagged sub-interfaces on the trunk; each one is bridged to its own bridge
# below, so VLAN separation is done here rather than with bridge vlan-filtering.
/interface vlan
add interface=ether5_trunk name=vlan5.5_private vlan-id=5
add interface=ether5_trunk name=vlan5.7_dmz vlan-id=7
add interface=ether5_trunk name=vlan5.10_office vlan-id=10
add interface=ether5_trunk name=vlan5.99_mgmt vlan-id=99
add interface=ether5_trunk name=vlan5.200_public vlan-id=200
# IKE profile: DH group modp1024 (1024-bit MODP) with AES-128.
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-128 name=profile_nat-traversal
# Static peer (FH) plus a passive peer that accepts dynamic-address initiators
# (Hub, CA) via the same profile.
/ip ipsec peer
add address=xx.xx.xx.xx/32 comment=FH local-address=xx.xx.xx.xx name=\
peer_fh profile=profile_nat-traversal
add comment="dynamic Hub, CA" local-address=xx.xx.xx.xx name=\
peer_dynamic-ip passive=yes profile=profile_nat-traversal \
send-initial-contact=no
# Phase-2 proposals. The default proposal permits md5 integrity and
# proposal_custom additionally permits sha1 and single DES. These are legacy
# algorithms; where both ends support it, restricting to sha256 / aes-128-cbc
# and moving off modp1024 is the usual hardening step (no change made here).
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=aes-128-cbc \
lifetime=8h
add auth-algorithms=sha256,sha1 enc-algorithms=aes-128-cbc,des lifetime=1h \
name=proposal_custom
# DHCP pools. pool10_office (10.1.10.10-30) does not overlap the 10.1.10.96/28
# WireGuard range below, so no address clash from DHCP is expected.
/ip pool
add name=pool10_office ranges=10.1.10.10-10.1.10.30
add name=pool5_private ranges=10.1.5.10-10.1.5.50
add name=pool99_mgmt ranges=10.1.99.10-10.1.99.20
add name=pool200_public ranges=10.1.200.10-10.1.200.240
# One DHCP server per bridge; the mgmt server is disabled.
/ip dhcp-server
add address-pool=pool5_private interface=bridge5_private lease-time=1d name=\
dhcp5_private
add address-pool=pool200_public interface=bridge200_public lease-time=3d \
name=dhcp200_public
add address-pool=pool10_office interface=bridge10_office lease-time=1d name=\
dhcp10_office
add address-pool=pool99_mgmt disabled=yes interface=bridge99_mgmt lease-time=\
1d name=dhcp99_mgmt
# Bridge membership: each VLAN sub-interface in its own bridge, ether1_mgmt
# shares bridge99_mgmt with vlan5.99_mgmt. ingress-filtering is off everywhere.
/interface bridge port
add bridge=bridge200_public ingress-filtering=no interface=vlan5.200_public
add bridge=bridge99_mgmt ingress-filtering=no interface=vlan5.99_mgmt
add bridge=bridge5_private ingress-filtering=no interface=vlan5.5_private
add bridge=bridge10_office ingress-filtering=no interface=vlan5.10_office
add bridge=bridge99_mgmt ingress-filtering=no interface=ether1_mgmt
add bridge=bridge7_dmz ingress-filtering=no interface=vlan5.7_dmz
# Road-warrior peer: tunnel address 10.1.10.100/32, which lies inside the
# office /24. No endpoint-address is configured, so the peer has to initiate.
# The key is redacted in this paste.
/interface wireguard peers
add allowed-address=10.1.10.100/32 comment=testClient endpoint-port=13231 \
interface=wireguard1-roadwarrior public-key=\
"xxx"
/ip address
add address=10.1.10.254/24 interface=bridge10_office network=10.1.10.0
add address=10.1.5.254/24 interface=bridge5_private network=10.1.5.0
add address=10.1.200.254/24 interface=bridge200_public network=10.1.200.0
add address=10.1.99.254/24 interface=bridge99_mgmt network=10.1.99.0
add address=10.1.7.254/24 interface=bridge7_dmz network=10.1.7.0
# 10.1.10.96/28 on the WireGuard interface is carved out of the same /24 that
# bridge10_office carries (10.1.10.254/24). On the router the more specific /28
# wins, so 10.1.10.100 is routed to the tunnel; office hosts, however, treat
# 10.1.10.100 as on-link and ARP for it, and only reach it because of proxy-arp
# on bridge10_office. The peer's own AllowedIPs must cover 10.1.10.0/24 for the
# return direction - that side is not visible here.
add address=10.1.10.96/28 interface=wireguard1-roadwarrior network=10.1.10.96
/ip dhcp-server network
add address=10.1.5.0/24 dns-server=10.1.5.254 gateway=10.1.5.254
add address=10.1.7.0/24 dns-server=10.1.7.254 gateway=10.1.7.254
# Office and mgmt clients get DNS from 10.4.10.203 (a remote IPsec site) and
# 10.1.10.201 rather than from the router.
add address=10.1.10.0/24 dns-server=10.4.10.203,10.1.10.201 domain=pale.local \
gateway=10.1.10.254
add address=10.1.99.0/24 dns-server=10.4.10.203,10.1.10.201 domain=pale.local \
gateway=10.1.99.254
add address=10.1.200.0/24 dns-server=10.1.200.254 gateway=10.1.200.254
# Router acts as a resolver; the input chain only opens port 53 on
# in-interface=!pppoe-out1, so it is not exposed on the WAN side.
/ip dns
set allow-remote-requests=yes
# Address lists: 1.x = this site, 2.x/3.x/4.x = remote IPsec sites.
/ip firewall address-list
add address=10.1.10.0/24 list=1.10_office
add address=10.1.200.0/24 list=1.200_public
add address=10.1.5.0/24 list=1.5_private
add address=10.1.99.0/24 list=1.99_mgmt
add address=10.1.0.0/16 list=1_all
add address=10.3.0.0/16 list=3_all
add address=10.3.10.0/24 list=3.10_office
add address=10.3.2.0/24 list=3.2_pos
add address=10.3.99.0/24 list=3.99_mgmt
add address=10.4.0.0/16 list=4_all
add address=10.4.10.0/24 list=4.10_office
add address=10.4.99.0/24 list=4.99_mgmt
add address=10.1.7.0/24 list=1.7_dmz
add address=10.4.5.0/24 list=4.5_private
add address=10.2.0.0/16 list=2_all
add address=10.2.99.0/24 list=2.99_mgmt
add address=10.2.5.0/24 list=2.5_private
# 1.0_wireguard holds 10.1.110.0/24, not the 10.1.10.96/28 actually assigned to
# wireguard1-roadwarrior, and no filter rule references this list. Presumably a
# leftover from an earlier layout - verify.
add address=10.1.110.0/24 list=1.0_wireguard
# Filter rules. Order matters: the fasttrack/accept for established,related
# connections runs first in forward, so only NEW connections reach the
# per-bridge isolation drops. The forward chain has no final drop: a new
# connection matched by none of the rules (e.g. arriving on
# wireguard1-roadwarrior towards bridge10_office) is accepted by default.
# The input chain does end in a logged drop. Invalid connections are dropped
# in input only; there is no matching rule in forward.
/ip firewall filter
add action=fasttrack-connection chain=forward comment=\
"=== FASTTRACK === accept related/established except ipsec" \
connection-mark=!ipsec connection-state=established,related hw-offload=\
yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=input comment="=== COMMON === Drop Invalid connections" \
connection-state=invalid
add action=accept chain=input comment="Allow Established connections" \
connection-state=established
add action=accept chain=input comment="Allow Related connections" \
connection-state=related
# NOTE(review): the next line appears truncated in the paste - the leading
# "add action=accept chain=input comment=\" before the comment string is
# missing. This rule and the three after it accept ALL input from 10.1.0.0/16,
# 10.2.0.0/16, 10.3.0.0/16 and 10.4.0.0/16 with no in-interface restriction,
# i.e. they are matched on the source address alone; binding them to the
# internal interfaces (in-interface=!pppoe-out1) would keep the match from
# applying to such source addresses arriving on the WAN side.
"=== ACCESS TO MT === ALWAYS ACTIVE!" \
src-address-list=1_all
add action=accept chain=input src-address-list=2_all
add action=accept chain=input src-address-list=3_all
add action=accept chain=input src-address-list=4_all
add action=accept chain=input comment="=== Allow DNS ===" dst-port=53 \
in-interface=!pppoe-out1 protocol=tcp
add action=accept chain=input dst-port=53 in-interface=!pppoe-out1 protocol=\
udp
# PPTP (GRE + tcp/1723) is still opened to any interface; unrelated to WireGuard.
add action=accept chain=forward comment=\
"=== REMOTE === ROUTER ___pppoe-out1 (pptp)" protocol=gre
add action=accept chain=input dst-port=1723 protocol=tcp
# Inter-bridge isolation: anything entering on a bridge and not leaving via
# pppoe-out1 is dropped. That includes NEW connections from bridge10_office to
# wireguard1-roadwarrior; replies to connections the road warrior opened are
# already accepted by the established,related rules above.
add action=drop chain=forward comment=\
"=== ISOLAT BRIDGES === Block traffic between bridges" in-interface=\
bridge5_private out-interface=!pppoe-out1
add action=drop chain=forward in-interface=bridge7_dmz log-prefix=log_test_ \
out-interface=!pppoe-out1
add action=drop chain=forward in-interface=bridge10_office log-prefix=\
log_test_ out-interface=!pppoe-out1
add action=drop chain=forward in-interface=bridge99_mgmt out-interface=\
!pppoe-out1
add action=drop chain=forward in-interface=bridge200_public out-interface=\
!pppoe-out1
# IKE and NAT-T from the Internet, bound to pppoe-out1.
add action=accept chain=input comment=\
"=== IPSec & L2TP | 500 (IPSec Port) ===" dst-port=500 in-interface=\
pppoe-out1 protocol=udp
add action=accept chain=input comment=\
"IPSec & L2TP | 4500 (NAT Traversal Port)" dst-port=4500 in-interface=\
pppoe-out1 protocol=udp
# Site-to-site allow rules by address-list pair; everything else between the
# remote /16s and this site is dropped by the list-pair rules further down.
add action=accept chain=forward comment="=== IPSEC FH === allow FH to APP" \
dst-address-list=1.99_mgmt src-address-list=4.99_mgmt
add action=accept chain=forward dst-address-list=1.10_office \
src-address-list=4.10_office
add action=accept chain=forward disabled=yes dst-address-list=1.99_mgmt \
src-address-list=4.10_office
add action=accept chain=forward comment="=== IPSEC HUB === allow HUB to APP" \
dst-address-list=1.99_mgmt src-address-list=3.99_mgmt
add action=accept chain=forward dst-address-list=1.10_office \
src-address-list=3.10_office
add action=accept chain=forward disabled=yes dst-address-list=1.99_mgmt \
src-address-list=3.10_office
add action=accept chain=forward comment="=== IPSEC CA === allow CA to APP" \
dst-address-list=1.99_mgmt src-address-list=2.99_mgmt
add action=accept chain=forward dst-address-list=1.7_dmz dst-port=22,9091 \
log-prefix=private_____ protocol=tcp src-address-list=2.5_private
# Catch-all drops for the IPsec sites only (src 4_all / 3_all / 2_all -> 1_all).
# These do not match the WireGuard peer (10.1.10.100 is in 1_all, not in any
# remote list), so nothing here blocks it.
add action=drop chain=forward comment=\
"=== IPSEC COMMON === Drop everything else" dst-address-list=1_all \
src-address-list=4_all
add action=drop chain=forward dst-address-list=1_all src-address-list=3_all
add action=drop chain=forward dst-address-list=1_all src-address-list=2_all
# Final input drop (logged). There is no equivalent for the forward chain.
add action=drop chain=input comment="=== DROP EVERYTHING ELSE ===" \
log-prefix=###drop_input###
# Marks IPsec-policy traffic so the fasttrack rule (connection-mark=!ipsec)
# leaves it to the normal path.
/ip firewall mangle
add action=mark-connection chain=forward comment="=== FASTTRACK & IPSEC ===" \
ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward ipsec-policy=in,ipsec \
new-connection-mark=ipsec passthrough=yes
# srcnat: site-to-site traffic is accepted un-NATed before the pppoe masquerade.
# The masquerade is bound to out-interface=pppoe-out1, so WireGuard <-> bridge
# traffic is not translated.
/ip firewall nat
add action=accept chain=srcnat comment="IPSec & L2TP" dst-address-list=3_all \
src-address-list=1_all
add action=accept chain=srcnat dst-address-list=2_all src-address-list=1_all
add action=accept chain=srcnat dst-address-list=4_all src-address-list=1_all
add action=masquerade chain=srcnat comment="NAT PPPOE" out-interface=\
pppoe-out1
# Port forward tcp/32400 to the DMZ host; not restricted by in-interface.
add action=dst-nat chain=dstnat comment="DMZSRV01 ___plex, transmission, ssh" \
dst-port=32400 protocol=tcp to-addresses=10.1.7.201
# SIP ALG off.
/ip firewall service-port
set sip disabled=yes
# IPsec identities: pre-shared key + XAuth; the CA identity is disabled.
/ip ipsec identity
add auth-method=pre-shared-key-xauth peer=peer_fh username=fh_app
add auth-method=pre-shared-key-xauth generate-policy=port-override peer=\
peer_dynamic-ip username=app_hub
add auth-method=pre-shared-key-xauth disabled=yes generate-policy=\
port-override peer=peer_dynamic-ip username=app_ca
# Tunnel policies: 10.1.0.0/16 <-> 10.4/10.3/10.2 /16. The WireGuard /28 is
# inside 10.1.0.0/16, so road-warrior traffic towards those sites would also be
# selected by these policies.
/ip ipsec policy
add comment=FH dst-address=10.4.0.0/16 peer=peer_fh proposal=proposal_custom \
src-address=10.1.0.0/16 tunnel=yes
add comment="Template Hub" dst-address=10.3.0.0/16 proposal=proposal_custom \
src-address=10.1.0.0/16 template=yes
add comment="Template CA" disabled=yes dst-address=10.2.0.0/16 proposal=\
proposal_custom src-address=10.1.0.0/16 template=yes
# NOTE(review): numeric index; presumably the "Template CA" entry above, which
# is already disabled - verify against the live policy list.
set 3 disabled=yes
What is my goal?
I want road warriors to get an IP address within the range 10.1.10.0/24
OR
some kind of routing that works so that the road warriors "behave" as if they had an IP address within the range 10.1.10.0/24
Thank you very much in advance