astronm
just joined
Topic Author
Posts: 11
Joined: Wed Jan 25, 2023 12:27 am

WireGuard RoadWarior plus VLAN configuration

Mon Mar 13, 2023 1:33 am

Hello all,

I'm using an RB1100Dx4 and want to have VLAN network segmentation as described in:
switch with a separate router configuration example : viewtopic.php?p=781603&sid=9288a9c66f40 ... 45#p706997

Everything works great either as a VLAN router or as a WG router. What I want to do is connect the WireGuard VPN to a VLAN.

I have added the following commands, but it's not working as expected, and I could not grasp the concept of how to use WireGuard + VLAN together.
Please help me to marry them :)

I have attached an adapted version of the example router config, where the ISP PPPoE is connected over VLAN10 as required by the ISP,
and WireGuard (WG) is configured on 10.1.8.0/24.

How do I make WG available on all VLANs, or on any chosen one like BLUE/GREEN?
#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="Router"


#######################################
# VLAN Overview
#######################################

# 20 = BLUE
# 30 = GREEN
# 40 = RED
# 99 = BASE (MGMT) VLAN


#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no

# WireGuard 
/interface wireguard
add listen-port=13231 mtu=1420 name=WG

#######################################
#
# -- Trunk Ports --
#
#######################################

# ingress behavior
/interface bridge port

# Purple Trunk. Leave pvid set to default of 1
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether4
add bridge=BR1 interface=ether5

# egress behavior
/interface bridge vlan

# Purple Trunk. These need IP Services (L3), so add Bridge as member
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=20
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=30
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=40
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=99


#######################################
# IP Addressing & Routing
#######################################

# LAN facing router's IP address on the BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.1/24 interface=BASE_VLAN

# DNS server, set to cache for LAN
/ip dns set allow-remote-requests=yes servers="9.9.9.9"

# Yellow WAN facing port with IP Address provided by ISP
/interface vlan add interface=ether1 name=vlan10 vlan-id=10

/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan10 name=pppoe-out1 \
    use-peer-dns=yes user=******

#######################################
# IP Services
#######################################

# Blue VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=BLUE_VLAN vlan-id=20
/ip address add interface=BLUE_VLAN address=10.1.1.1/24
/ip pool add name=BLUE_POOL ranges=10.1.1.2-10.1.1.254
/ip dhcp-server add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP disabled=no
/ip dhcp-server network add address=10.1.1.0/24 dns-server=192.168.0.1 gateway=10.1.1.1

# Green VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=GREEN_VLAN vlan-id=30
/ip address add interface=GREEN_VLAN address=10.1.2.1/24
/ip pool add name=GREEN_POOL ranges=10.1.2.2-10.1.2.254
/ip dhcp-server add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP disabled=no
/ip dhcp-server network add address=10.1.2.0/24 dns-server=192.168.0.1 gateway=10.1.2.1

# Red VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=RED_VLAN vlan-id=40
/ip address add interface=RED_VLAN address=10.1.3.1/24
/ip pool add name=RED_POOL ranges=10.1.3.2-10.1.3.254
/ip dhcp-server add address-pool=RED_POOL interface=RED_VLAN name=RED_DHCP disabled=no
/ip dhcp-server network add address=10.1.3.0/24 dns-server=192.168.0.1 gateway=10.1.3.1


#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################

# Use MikroTik's "list" feature for easy rule matchmaking.

/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=BASE

/interface list member
add interface=ether1     list=WAN
add interface=BASE_VLAN  list=VLAN
add interface=BLUE_VLAN  list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=RED_VLAN   list=VLAN
add interface=BASE_VLAN  list=BASE

# WireGuard 
/interface wireguard peers
add allowed-address=10.1.8.3/32 interface=WG \
    persistent-keepalive=25s public-key=\
    "**********"


# VLAN aware firewall. Order is important.
/ip firewall filter


##################
# INPUT CHAIN
##################

# WireGuard: ICMP, UDP
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" \
    src-address=10.1.8.0/24

add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"

# Allow BASE_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface=BASE_VLAN comment="Allow Base_Vlan Full Access"

add chain=input action=drop comment="Drop"


##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

add chain=forward action=drop comment="Drop"


##################
# NAT
##################
/ip firewall nat 
add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"

# Nat for WireGuard address 
add action=masquerade chain=srcnat src-address=10.1.1.0/24
add action=masquerade chain=srcnat src-address=10.1.8.0/24

#######################################
# VLAN Security
#######################################

# Only allow packets with tags over the Trunk Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether5]

#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes

My example is interesting because it has VLAN10 on the WAN interface.
Obviously I have to use firewall rules that treat VLAN10 as WAN.
If VLAN10 is used as the interface it works as well, I'm just not sure if it's best practice:
/interface list member
add interface=VLAN10     list=WAN
It's working up to this point:
##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

add chain=forward action=drop comment="Drop" ## <-- WireGuard can't pass this action
It's also interesting that some services like RDP over WG stop working when there is no LAN interface configured.
Last edited by astronm on Mon Mar 13, 2023 5:29 pm, edited 2 times in total.
 
anav
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard RoadWarior plus VLAN configuration

Mon Mar 13, 2023 1:43 pm

Your requirements are poorly worded and thus I have no clue what you want to do. Provide a network diagram, that often helps.
OR
Provide a clear set of user requirements for WireGuard-specific traffic

1. Identify and define user/device X's needs for flow of traffic, to reach user/device Y or groups of users/devices.

2. Identify and define groups of users'/devices' needs for flow of traffic, to reach user/device Z or groups of users/devices.

3. Traffic could include
a. accessing servers
b. accessing subnets
c. accessing internet

4. Define Admin needs for flow of traffic (as a special user)
a. accessing servers
b. accessing subnets
c. accessing internet
+
d. able to configure any router that is WG connected from other routers or remotely.
 
astronm
just joined
Topic Author
Posts: 11
Joined: Wed Jan 25, 2023 12:27 am

Re: WireGuard RoadWarior plus VLAN configuration

Mon Mar 13, 2023 4:57 pm

Your requirements are poorly worded and thus I have no clue what you want to do. Provide a network diagram, that often helps.
Thank you, Anav ! Good point :)

To start, here is a general view of the network diagram with the WG server.
I'm not trying to implement WireGuard peers in a hub-and-spoke topology ;)
And for the sake of simplicity, Admin VLAN99 can have internet access as in my configuration file above. Ideally it might not, as an example of how to restrict some VLAN segments from internet access:
NetworkDiagramGenView3.jpg
Router configuration:
router.png
I have updated it :)
I was thinking to keep it as simple as possible, as it's about understanding the concept of running a WG server in a VLAN-segmented network; that's why I am not showing Mail Server VLAN30 accessible from Office VLAN20.
I'm not showing the configuration for the managed switch as it's out of scope for this question.
 
astronm
just joined
Topic Author
Posts: 11
Joined: Wed Jan 25, 2023 12:27 am

Re: WireGuard RoadWarior plus VLAN configuration

Tue Mar 14, 2023 2:32 am

I'm guessing that VLAN20 / VLAN30 on the WG client side can be accessed as: Allowed IPs: 10.1.1.0/24,10.1.2.0/24 ?
Or maybe use the WG client's DNS server setting to access it, say for VLAN20:
[Interface]
Address = 10.1.8.3/32
PrivateKey = privateKey
DNS = 10.1.1.1
 
anav
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard RoadWarior plus VLAN configuration

Tue Mar 14, 2023 3:00 am

Don't guess, be articulate. (diagram is great by the way)
For example you have used 0.0.0.0/0 at both client devices in the allowed-address peer settings to the router.
Assuming you want
a. access to internet via router.
b. for client 8.3 it appears you also want to be able to reach the mail server or that subnet.
c. for client 8.2 it appears you want to be able to reach the vlan20 subnet, the office......

All very doable thus far.

Where is the full router config to see what you have or have not so far?
/export file=anynameyouwish (minus router serial number and any public WAN information )

and for god's sake don't make it look stilted like pcunite's thread examples, straight export no tricks LOL
 
astronm
just joined
Topic Author
Posts: 11
Joined: Wed Jan 25, 2023 12:27 am

Re: WireGuard RoadWarior plus VLAN configuration

Tue Mar 14, 2023 2:24 pm

Where is the full router config to see what you have or have not so far?
/export file=anynameyouwish (minus router serial number and any public WAN information )
Hi Anav, thanks a lot, I will post the router config today as I have made some changes trying to explore more hiccups along the way :)
 
astronm
just joined
Topic Author
Posts: 11
Joined: Wed Jan 25, 2023 12:27 am

Re: WireGuard RoadWarior plus VLAN configuration

Wed Mar 15, 2023 2:20 am

Full Router + WG configuration :

# mar/14/2023 23:35:38 by RouterOS 7.8
#
# model = RB1100Dx4
/interface bridge
add name=BR1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] loop-protect=on
/interface wireguard
add listen-port=13231 mtu=1420 name=WG
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=20
add interface=BR1 name=GREEN_VLAN vlan-id=30
add interface=BR1 name=RED_VLAN vlan-id=40
add interface=ether1 name=vlan10 vlan-id=10
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan10 name=pppoe-out1 \
    use-peer-dns=yes user=******
/disk
add parent=sata1 partition-number=1 partition-offset=512 partition-size=\
    "60 019 867 648" type=partition
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=BLUE_POOL ranges=10.1.1.2-10.1.1.254
add name=GREEN_POOL ranges=10.1.2.2-10.1.2.254
add name=RED_POOL ranges=10.1.3.2-10.1.3.254
/ip dhcp-server
add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=RED_POOL interface=RED_VLAN name=RED_DHCP
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether2
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether3
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether4
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=20
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=30
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=40
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=RED_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/interface wireguard peers
add allowed-address=10.1.8.3/32 comment=Mobile interface=WG \
    persistent-keepalive=25s public-key=\
    "********************"
add allowed-address=10.1.8.4/32 comment=HomePC interface=WG \
    persistent-keepalive=25s public-key=\
    "********************"
/ip address
add address=10.1.8.1/24 interface=WG network=10.1.8.0
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=10.1.1.1/24 interface=BLUE_VLAN network=10.1.1.0
add address=10.1.2.1/24 interface=GREEN_VLAN network=10.1.2.0
add address=10.1.3.1/24 interface=RED_VLAN network=10.1.3.0
/ip dhcp-server network
add address=10.1.1.0/24 dns-server=192.168.0.1 gateway=10.1.1.1
add address=10.1.2.0/24 dns-server=192.168.0.1 gateway=10.1.2.1
add address=10.1.3.0/24 dns-server=192.168.0.1 gateway=10.1.3.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall address-list
add address=162.x.x.x list=WAN
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    10.1.8.0/24
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
add action=masquerade chain=srcnat src-address=10.1.1.0/24
add action=masquerade chain=srcnat src-address=10.1.8.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Dublin
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

What I have noticed, as a bonus part of the VLAN router configuration, is that now we have no internet going through the WG RW client, which is configured with:
AllowedIPs = 0.0.0.0/0, ::/0

and the RDP client on the home user workstation could not connect.
Yet the WG RW client has the connection established and Winbox is all at your service, traffic is going through. Maybe because it's going through the BASE_VLAN (VLAN99)? :)
2023-03-15_00-37-34.png
2023-03-15_01-06-35.png
2023-03-15_01-07-38.png
Cheers
 
anav
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard RoadWarior plus VLAN configuration

Wed Mar 15, 2023 3:54 am

(1) You define 4 VLANs on BR1 but only have 3 pools? 3 DHCP servers? 3 DHCP-server networks?
This leads me to believe you don't really have a BASE VLAN.................
Thus I will assume you actually have a trusted VLAN on the BLUE VLAN and I get rid of 99

(2) All bridge ports are trunk ports, I would add ingress-filtering=yes to all the /interface bridge ports.

(3) Since there is no difference between how any VLAN-ID is assigned to bridge ports/vlans, your /interface bridge vlan settings can be simplified.
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=20,30,40


(4) Why do you have keep-alive settings on the ROUTER? It's the client devices which need persistent-keepalive; YOU can remove them in the peer settings on the router.

(5) MAC server alone is not a secure access method, set to NONE.
/tool mac-server
set allowed-interface-list=BASE


(6) What is the purpose of these two masquerade rules??
add action=masquerade chain=srcnat src-address=10.1.1.0/24 ??
add action=masquerade chain=srcnat src-address=10.1.8.0/24 ??

(7) Firewall rules are out of order - fixed. AND let's think about this from a consistent standpoint. Why bother having a management segment if you let every Tom, Dick and Harry full access to the router?? I suppose the WireGuard user is you as an admin, thus do this.......

- add WG interface to BASE interface list
- add WG interface to VLAN interface list
- add blue-vlan trusted to the BASE interface list
- create firewall address list: list=Authorized add AdminDesktop_IP, AdminLaptop_IP, AdminIPad/iphone, RemoteAdminWG-IP
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related & untracked" \
    connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="wg handshake" dst-port=13231 protocol=udp
add action=accept chain=input comment="Allow Admin" in-interface-list=BASE src-address-list=Authorized
add action=accept chain=input comment="User services" dst-port=53,123 protocol=udp in-interface-list=VLAN
add action=accept chain=input comment="User services" dst-port=53 protocol=tcp in-interface-list=VLAN
add action=drop chain=input comment=Drop
add action=fasttrack-connection chain=forward comment=Fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Estab & Related & Untracked" \
    connection-state=established,related,untracked
add action=accept chain=forward comment="Internet traffic" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="admin to vlans" in-interface-list=BASE out-interface-list=VLAN src-address-list=Authorized
add action=drop chain=forward comment=Drop
...

(8) This statement is completely bogus.
What I have noticed, as a bonus part of the VLAN router configuration, is that now we have no internet going through the WG RW client, which is configured with:
AllowedIPs = 0.0.0.0/0, ::/0


First, if there is no intention to provide internet to WireGuard clients when they hit the router, then they should NOT use 0.0.0.0/0 as their allowed-IP settings.
It should be 10.10.1.8.0/24,SUBNETA,SUBNETB (depending on whether there are any subnets they need to reach).

Secondly, if there is no intention to provide internet to WireGuard clients, then don't assign them to the VLAN interface list as I did above for interface list members; then they won't be included in the VLAN to WAN rule and thus won't get internet.

Thirdly, let's say you did have one WireGuard client that needs internet and two that don't; then just create another firewall rule
add chain=forward action=accept in-interface=WG out-interface-list=WAN src-address=wgIP

All to say is that you need to know what the requirements are and articulate them prior to making the config and/or asking advice.
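As an added illustration, not part of this thread or of RouterOS, here is a small Python model of first-match forward-chain evaluation with interface lists and a source address list. It replays the forward chain from the export posted above against the chain suggested in this post (fasttrack folded into the first accept), with constructed admin IPs in the Authorized list, to show why a WireGuard client's WAN-bound traffic hits the final drop while WG is not a member of the VLAN list, and how the admin rule limits VLAN reach to listed sources.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Interface lists as they appear in the export posted in this thread.
IFACE_LISTS_ORIGINAL = {
    "WAN": {"ether1"},
    "VLAN": {"BASE_VLAN", "BLUE_VLAN", "GREEN_VLAN", "RED_VLAN"},
    "BASE": {"BASE_VLAN"},
}

# Interface lists after the suggested changes: WG joins both lists and
# BLUE_VLAN is treated as the trusted admin VLAN.
IFACE_LISTS_FIXED = {
    "WAN": {"ether1"},
    "VLAN": {"BASE_VLAN", "BLUE_VLAN", "GREEN_VLAN", "RED_VLAN", "WG"},
    "BASE": {"BASE_VLAN", "BLUE_VLAN", "WG"},
}

# Constructed contents of the Authorized address list (admin endpoints only).
ADDRESS_LISTS = {"Authorized": ["10.1.8.3", "10.1.1.10"]}


@dataclass
class Packet:
    in_iface: str
    out_iface: str
    src: str
    conn_state: str = "new"  # new | established | related | untracked


@dataclass
class Rule:
    action: str
    comment: str
    conn_states: Optional[frozenset] = None
    in_list: Optional[str] = None
    out_list: Optional[str] = None
    src_list: Optional[str] = None


# Forward chain from the export: estab/related, VLAN->WAN, then drop.
ORIGINAL_FORWARD = [
    Rule("accept", "Allow Estab & Related",
         conn_states=frozenset({"established", "related"})),
    Rule("accept", "VLAN Internet Access only", in_list="VLAN", out_list="WAN"),
    Rule("drop", "Drop"),
]

# Forward chain suggested in this post, with the admin-to-VLANs rule.
FIXED_FORWARD = [
    Rule("accept", "Allow Estab & Related & Untracked",
         conn_states=frozenset({"established", "related", "untracked"})),
    Rule("accept", "Internet traffic", in_list="VLAN", out_list="WAN"),
    Rule("accept", "admin to vlans", in_list="BASE", out_list="VLAN",
         src_list="Authorized"),
    Rule("drop", "Drop"),
]


def _in_address_list(addr, entries):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def rule_matches(rule, pkt, iface_lists, addr_lists):
    """Every matcher the rule specifies must hold; unspecified ones match anything."""
    if rule.conn_states is not None and pkt.conn_state not in rule.conn_states:
        return False
    if rule.in_list is not None and pkt.in_iface not in iface_lists.get(rule.in_list, set()):
        return False
    if rule.out_list is not None and pkt.out_iface not in iface_lists.get(rule.out_list, set()):
        return False
    if rule.src_list is not None and not _in_address_list(pkt.src, addr_lists.get(rule.src_list, [])):
        return False
    return True


def evaluate(chain, pkt, iface_lists, addr_lists=ADDRESS_LISTS):
    """First matching rule wins, as in /ip firewall filter. With no match RouterOS
    accepts, which is why both chains here end in an explicit drop."""
    for rule in chain:
        if rule_matches(rule, pkt, iface_lists, addr_lists):
            return rule.action, rule.comment
    return "accept", "no rule matched (implicit accept)"


# Constructed scenarios; 142.250.0.1 stands in for any internet host.
SCENARIOS = {
    "WG client to internet": Packet("WG", "ether1", "10.1.8.3"),
    "WG admin to GREEN_VLAN": Packet("WG", "GREEN_VLAN", "10.1.8.3"),
    "WG non-admin to GREEN_VLAN": Packet("WG", "GREEN_VLAN", "10.1.8.4"),
    "BLUE user to GREEN_VLAN": Packet("BLUE_VLAN", "GREEN_VLAN", "10.1.1.50"),
    "reply traffic to WG": Packet("ether1", "WG", "142.250.0.1", conn_state="established"),
}


if __name__ == "__main__":
    for name, pkt in SCENARIOS.items():
        before = evaluate(ORIGINAL_FORWARD, pkt, IFACE_LISTS_ORIGINAL)
        after = evaluate(FIXED_FORWARD, pkt, IFACE_LISTS_FIXED)
        print(f"{name:28} original: {before[0]:6} ({before[1]})  fixed: {after[0]:6} ({after[1]})")
```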
 
astronm
just joined
Topic Author
Posts: 11
Joined: Wed Jan 25, 2023 12:27 am

Re: WireGuard RoadWarior plus VLAN configuration

Wed Mar 15, 2023 12:32 pm


(8) This statement is completely bogus.
What I have noticed, as a bonus part of the VLAN router configuration, is that now we have no internet going through the WG RW client, which is configured with:
AllowedIPs = 0.0.0.0/0, ::/0


First, if there is no intention to provide internet to WireGuard clients when they hit the router, then they should NOT use 0.0.0.0/0 as their allowed-IP settings.
It should be 10.10.1.8.0/24,SUBNETA,SUBNETB (depending on whether there are any subnets they need to reach).

All to say is that you need to know what the requirements are and articulate them prior to making the config and/or asking advice.
Hi Anav! Sorry for that silly joke I made, my bad. I was trying to say that it was not an intentional drop of internet and the RDP client on the remote user.

Pinging the internet and VLANs from the client side: all of the VLANs are accessible and there is no internet:
C:\Users\User>ping google.com
Ping request could not find host google.com. Please check the name and try again.

C:\Users\User>ping 192.168.0.1

Pinging 192.168.0.1 with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time=11ms TTL=64
Reply from 192.168.0.1: bytes=32 time=11ms TTL=64

Ping statistics for 192.168.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 11ms, Maximum = 11ms, Average = 11ms

C:\Users\User>ping 10.1.1.1

Pinging 10.1.1.1 with 32 bytes of data:
Reply from 10.1.1.1: bytes=32 time=11ms TTL=64
Reply from 10.1.1.1: bytes=32 time=11ms TTL=64

Ping statistics for 10.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 11ms, Maximum = 11ms, Average = 11ms

C:\Users\User>ping 10.1.2.1

Pinging 10.1.2.1 with 32 bytes of data:
Reply from 10.1.2.1: bytes=32 time=11ms TTL=64
Reply from 10.1.2.1: bytes=32 time=10ms TTL=64

Ping statistics for 10.1.2.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 10ms, Maximum = 11ms, Average = 10ms

C:\Users\User>ping 10.1.3.1

Pinging 10.1.3.1 with 32 bytes of data:
Reply from 10.1.3.1: bytes=32 time=11ms TTL=64
Reply from 10.1.3.1: bytes=32 time=10ms TTL=64

Ping statistics for 10.1.3.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 10ms, Maximum = 11ms, Average = 10ms
Thank you very much!
Working on the config, will update it shortly.
Cheers
 
astronm
just joined
Topic Author
Posts: 11
Joined: Wed Jan 25, 2023 12:27 am

Re: WireGuard RoadWarior plus VLAN configuration

Wed Mar 15, 2023 2:36 pm

(1) You define 4 VLANs on BR1 but only have 3 pools? 3 DHCP servers? 3 DHCP-server networks?
This leads me to believe you don't really have a BASE VLAN.................
Thus I will assume you actually have a trusted VLAN on the BLUE VLAN and I get rid of 99
Is it any good having admin static IP addresses on the BASE VLAN?
Say all the IP addresses are defined:
list=Authorized add AdminDesktop_IP, AdminLaptop_IP, AdminIPad/iphone, RemoteAdminWG-IP
(2) All bridge ports are trunk ports, I would add ingress-filtering=yes to all the /interface bridge ports.
Done
(3) Since there is no difference between how any VLAN-ID is assigned to bridge ports/vlans, your /interface bridge vlan settings can be simplified.
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=20,30,40
Good point
(4) Why do you have keep-alive settings on the ROUTER? It's the client devices which need persistent-keepalive; YOU can remove them in the peer settings on the router.
Agreed, it was done during debugging of the Windows RDP client as it was dropping the connection every minute or so.
(5) MAC server alone is not a secure access method, set to NONE.
/tool mac-server
set allowed-interface-list=BASE
I see
(6) What is the purpose of these two masquerade rules??
add action=masquerade chain=srcnat src-address=10.1.1.0/24 ??
add action=masquerade chain=srcnat src-address=10.1.8.0/24 ??
Taken off
(7) Firewall rules are out of order - fixed. AND let's think about this from a consistent standpoint. Why bother having a management segment if you let every Tom, Dick and Harry full access to the router?? I suppose the WireGuard user is you as an admin, thus do this.......

- add WG interface to BASE interface list
- add WG interface to VLAN interface list
- add blue-vlan trusted to the BASE interface list
- create firewall address list: list=Authorized add AdminDesktop_IP, AdminLaptop_IP, AdminIPad/iphone, RemoteAdminWG-IP
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related & untracked" \
    connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="wg handshake" dst-port=13231 protocol=udp
add action=accept chain=input comment="Allow Admin" in-interface-list=BASE src-address-list=Authorized
add action=accept chain=input comment="User services" dst-port=53,123 protocol=udp in-interface-list=VLAN
add action=accept chain=input comment="User services" dst-port=53 protocol=tcp in-interface-list=VLAN
add action=drop chain=input comment=Drop
add action=fasttrack-connection chain=forward comment=Fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Estab & Related & Untracked" \
    connection-state=established,related,untracked
add action=accept chain=forward comment="Internet traffic" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="admin to vlans" in-interface-list=BASE out-interface-list=VLAN src-address-list=Authorized
add action=drop chain=forward comment=Drop
...
Working on this bit
Thirdly, let's say you did have one WireGuard client that needs internet and two that don't; then just create another firewall rule
add chain=forward action=accept in-interface=WG out-interface-list=WAN src-address=wgIP
Working on it, trying to fix the internet and RDP client connection

Cheers
 
anav
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard RoadWarior plus VLAN configuration

Wed Mar 15, 2023 2:53 pm

I will leave RDP to you LOL.
I personally don't like to use it; it's either WireGuard in and access the device, or use TeamViewer LOL

I was thinking about this last night.
There is no issue with having a base VLAN if you want all smart devices to be on a separate VLAN.
You can certainly add a fixed DHCP IP in the VLAN base for the admin if you so choose to plug into a port that provides access to the Base VLAN.
However, if the admin is on the blue VLAN, he can always access any device on the base VLAN without being on it.

add action=accept chain=forward in-interface=MGT out-interface=VLANBASE src-address-list=Authorized

So all the smart devices can be on a separate VLAN from users (which is good) and can be accessed by Admin (good) from the blue VLAN, from WireGuard, from an ethernet port off the bridge
(as all are part of the MGMT interface list for starters and then refined by the source address list).
 
astronm
just joined
Topic Author
Posts: 11
Joined: Wed Jan 25, 2023 12:27 am

Re: WireGuard RoadWarior plus VLAN configuration

Sun Mar 19, 2023 3:36 pm

There is no issue with having a base VLAN if you want all smart devices to be on a separate VLAN.
You can certainly add a fixed DHCP IP in the VLAN base for the admin if you so choose to plug into a port that provides access to the Base VLAN.
I have reconfigured the router from scratch to make sure that the VLANs are working according to the schematic diagram (no WG this time, just to make sure VLANs are working before WG), and I'm having a problem with local internet access:
  • On the local PC: I can ping the VLAN and the DNS server on the 192.168.0.1 IP address
  • On the local PC: "nslookup google.com 192.168.0.1" gives the response: "Server: UnKnown Address: 192.168.0.1 Non-authoritative answer: Name: google.com Addresses: 209.85.203.113 209.85.203.139 209.85.203.101 209.85.203.138 209.85.203.102 209.85.203.100", showing that the DNS server at 192.168.0.1 can resolve
  • On the local PC: "ping www.google.com" from the local network gives no response, with packets received = 0
  • On the MikroTik router: able to successfully ping the Google DNS server.


Possibly there is a firewall rule blocking the traffic, so I have disabled all drop rules in the firewall in case they are causing any problem ...
To narrow down the problem with the internet I'm still using MAC server alone, even though it is not a secure access method.

This is the configuration:
# mar/19/2023 13:05:22 by RouterOS 7.8
# model = RB1100Dx4

/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=20
add interface=BR1 name=GREEN_VLAN vlan-id=30
add interface=BR1 name=RED_VLAN vlan-id=40
add interface=ether1 name=VLAN10 vlan-id=10
/interface pppoe-client
add add-default-route=yes disabled=no interface=VLAN10 name=pppoe-out1 \
    password=****** use-peer-dns=yes user=*****
/disk
add parent=sata1 partition-number=1 partition-offset=512 partition-size=\
    "60 019 867 648" type=partition
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=BLUE_POOL ranges=10.1.1.2-10.1.1.254
add name=GREEN_POOL ranges=10.1.2.2-10.1.2.254
add name=RED_POOL ranges=10.1.3.2-10.1.3.254
add name=BASE_POOL ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=RED_POOL interface=RED_VLAN name=RED_DHCP
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether2
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether3
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether4
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=20
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=30
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=40
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=99
/interface list member
add interface=VLAN10 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=RED_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=10.1.1.1/24 interface=BLUE_VLAN network=10.1.1.0
add address=10.1.2.1/24 interface=GREEN_VLAN network=10.1.2.0
add address=10.1.3.1/24 interface=RED_VLAN network=10.1.3.0
/ip dhcp-server network
add address=10.1.1.0/24 dns-server=192.168.0.1 gateway=10.1.1.1
add address=10.1.2.0/24 dns-server=192.168.0.1 gateway=10.1.2.1
add address=10.1.3.0/24 dns-server=192.168.0.1 gateway=10.1.3.1
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input dst-port=53,123 in-interface-list=VLAN \
    protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
add action=drop chain=input comment=Drop disabled=yes
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward dst-port=53,123 in-interface-list=VLAN \
    protocol=udp
add action=accept chain=forward dst-port=53 in-interface-list=VLAN protocol=\
    tcp
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Dublin
/system identity
set name=Router
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE


Cheers
 
anav
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard RoadWarior plus VLAN configuration

Sun Mar 19, 2023 4:34 pm

(1) From
/interface list members

TO:
/interface list member
add interface=pppoe-out1 list=WAN
add interface=vlan10 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=RED_VLAN list=VLAN
add interface=BASE_VLAN list=BASE


(2) SIMPLIFIED
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=20,30,40,99


(3) WHY is your BASE vlan being used for the dns server? Just use the same input as the gateway ?????

(4) WHY???
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
connection-state=established,related
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN { EVERY USER/VLAN CAN ACCESS ROUTER }
add action=accept chain=input dst-port=53,123 in-interface-list=VLAN \ { EVERY USER CAN ACCESS TWO PORTS UDP }
protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=VLAN protocol=tcp { EVERY USER CAN ACCESS ONE PORT UDP }
add action=accept chain=input comment="Allow Base_Vlan Full Access" \ { BASE VLAN CAN ACCESS ROUTER }
in-interface=BASE_VLAN
add action=drop chain=input comment=Drop disabled=yes { understood for troubleshooting purposes }


A. Redundant rules.
B. Only Admin requires full access to the router.

TO
add action=accept chain=input comment="Allow Estab & Related" \
connection-state=established,related
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN src-address-list=ADMIN *****
add action=accept chain=input dst-port=53,123 in-interface-list=VLAN \
protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment=Drop disabled=no


/ip firewall address ( set static dhcp leases for local IPs)
add address=admin-desktopIP list=ADMIN
add address=admin-laptopIP list=ADMIN
add address=admin-ipad/phoneIP list=ADMIN
add address=remoteWireguardIP list=ADMIN


***** Note: the logic here is that although it was tempting to put in in-interface-list=BASE (vice VLAN) for the full access to the router, the more flexible approach with a firewall address list allows wireguard access (typically one adds the wireguard interface to the VLAN interface list), and then you can be connected to any network for testing purposes, be it a laptop on the two wifi networks etc., and be able to access and config the network from there.........
If not, then simply change the config to
add action=accept chain=input comment="Allow admin access" in-interface-list=BASE
 
astronm
just joined
Topic Author
Posts: 11
Joined: Wed Jan 25, 2023 12:27 am

Re: WireGuard RoadWarior plus VLAN configuration

Sun Mar 19, 2023 5:00 pm

(1) From
/interface list members

TO:
/interface list member
add interface=pppoe-out1 list=WAN
add interface=vlan10 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=RED_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
Thank you anav! That was it, now having internet on the local network.
Keep working on the other queries. Will update shortly.
Cheers
 
astronm
just joined
Topic Author
Posts: 11
Joined: Wed Jan 25, 2023 12:27 am

Re: WireGuard RoadWarior plus VLAN configuration

Tue Apr 11, 2023 11:04 pm

Took me a while to get some issues settled with RDP, which is a topic on its own :)

So far I have a major flaw in the configuration, as there is no access to the local LAN on the client side.
Say, you can browse the internet on the client while the WG VPN is connected, but cannot access local NAS storage or ping the local router or printer:
# apr/11/2023 20:44:19 by RouterOS 7.8
#
# model = RB1100Dx4

/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=WG
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=20
add interface=BR1 name=GREEN_VLAN vlan-id=30
add interface=BR1 name=RED_VLAN vlan-id=40
add interface=ether1 name=VLAN10 vlan-id=10
/interface pppoe-client
add add-default-route=yes disabled=no interface=VLAN10 name=pppoe-out1 \
    use-peer-dns=yes user=*******

/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=BLUE_POOL ranges=10.1.1.2-10.1.1.254
add name=GREEN_POOL ranges=10.1.2.2-10.1.2.254
add name=RED_POOL ranges=10.1.3.2-10.1.3.254
add name=BASE_POOL ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=RED_POOL interface=RED_VLAN name=RED_DHCP
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether2
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether3
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether4
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether5
/ip firewall connection tracking
set udp-timeout=20s
/ip neighbor discovery-settings
set discover-interface-list=BASE
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=20
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=30
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=40
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=99
/interface list member
add interface=VLAN10 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=RED_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=pppoe-out1 list=WAN
add interface=WG list=VLAN
add interface=WG list=BASE
/interface wireguard peers
add allowed-address=10.1.8.3/32 comment=Client1 interface=WG public-key=\
    "0************="

/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=10.1.1.1/24 interface=BLUE_VLAN network=10.1.1.0
add address=10.1.2.1/24 interface=GREEN_VLAN network=10.1.2.0
add address=10.1.3.1/24 interface=RED_VLAN network=10.1.3.0
add address=10.1.8.1/24 interface=WG network=10.1.8.0
/ip dhcp-server network
add address=10.1.1.0/24 dns-server=10.1.1.1 gateway=10.1.1.1
add address=10.1.2.0/24 dns-server=10.1.2.1 gateway=10.1.2.1
add address=10.1.3.0/24 dns-server=10.1.3.1 gateway=10.1.3.1
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    10.1.8.0/24
add action=accept chain=input dst-port=53,123 in-interface-list=VLAN \
    protocol=udp
add action=accept chain=input comment="Allow DNS queries" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow RDP" dst-port=3389 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow SMTP SSL" dst-port=465 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow SMTP TLS" dst-port=587 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow IMAP SSL" dst-port=993 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow POP3 SSL" dst-port=995 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward dst-port=53,123 in-interface-list=VLAN \
    protocol=udp
add action=accept chain=forward dst-port=53 in-interface-list=VLAN protocol=\
    tcp
add action=accept chain=forward dst-port=3389 in-interface-list=VLAN \
    protocol=tcp
add action=accept chain=forward disabled=yes dst-port=3389 in-interface-list=\
    VLAN protocol=udp
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop 
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
add action=change-mss chain=output new-mss=clamp-to-pmtu passthrough=no \
    protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes src-address=10.1.8.0/24
add action=dst-nat chain=dstnat dst-port=465 in-interface-list=WAN protocol=\
    tcp to-addresses=10.1.1.200 to-ports=465
add action=dst-nat chain=dstnat dst-port=587 in-interface-list=WAN protocol=\
    tcp to-addresses=10.1.1.200 to-ports=587
add action=dst-nat chain=dstnat dst-port=995 in-interface-list=WAN protocol=\
    tcp to-addresses=10.1.1.200 to-ports=995
add action=dst-nat chain=dstnat dst-port=993 in-interface-list=WAN protocol=\
    tcp to-addresses=10.1.1.200 to-ports=993

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Dublin
/system identity
set name=Router
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE


Last edited by astronm on Wed Apr 12, 2023 12:29 am, edited 1 time in total.
 
astronm
just joined
Topic Author
Posts: 11
Joined: Wed Jan 25, 2023 12:27 am

Re: WireGuard RoadWarior plus VLAN configuration

Wed Apr 12, 2023 12:27 am

Finally have it fixed by enabling the "Allow not tunnelled traffic" check box in the client config.
That peer client config now looks like:
[Interface]
PrivateKey = *********=
Address = 10.1.8.3/32
DNS = 10.1.3.1
MTU = 1420

[Peer]
PublicKey = *********=
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1
Endpoint = REMOTE_IP:13231
It is generally recommended to keep the "Allow not tunnelled traffic" option disabled. Can we do anything better?

Cheers
 
anav
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard RoadWarior plus VLAN configuration

Wed Apr 12, 2023 1:45 am

The main point that needs to be made is that you still have no grasp of firewall rules!
Kinda funny to be making rules you don't understand.
Example:
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
This rule says: ALLOW all users/devices on the interface list VLAN full access to the router.

Following this, you have more rules which will never see the light of day. Redundant!!
Why do you think they are needed????

add action=accept chain=input comment="allow WireGuard traffic" src-address=\
10.1.8.0/24
add action=accept chain=input dst-port=53,123 in-interface-list=VLAN \
protocol=udp

add action=accept chain=input comment="Allow DNS queries" dst-port=53 \
in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow RDP" dst-port=3389 \
in-interface-list=VLAN protocol=tcp

PLUS ALL THE REST
........
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
in-interface=BASE_VLAN



in case you are having a hard day............
a. wireguard is already a vlan list member
b. all ports included in first rule
c. all ports included in first rule
d. all ports included in first rule
PLUS all the rest
....................
last. Base Vlan is already included in VLAN interface list...

Basically all you really need for user rules is.......
/ip firewall filter
.........
.........
.........
add action=accept chain=input comment="WG handshake" dst-port=13231 protocol=udp
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment="drop all else"


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Forward chain......... no better.

what is the purpose of these two rules????
add action=accept chain=forward dst-port=53,123 in-interface-list=VLAN \
protocol=udp
add action=accept chain=forward dst-port=53 in-interface-list=VLAN protocol=\
tcp



What is the purpose of these two rules??
add action=accept chain=forward dst-port=3389 in-interface-list=VLAN \
protocol=tcp
add action=accept chain=forward disabled=yes dst-port=3389 in-interface-list=\
VLAN protocol=udp



add action=accept chain=forward comment="VLAN Internet Access only" \
in-interface-list=VLAN out-interface-list=WAN

There is no need to state connection-state=new.

YOU ARE MISSING THE DST NAT RULE REQUIRED FOR PORT FORWARDING>.............
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat

Last rule.
add action=drop chain=forward comment="Drop all else"

++++++++++++++++++++++++++++++++++++++++++++++++++

I believe the MSS clamping is required when using 3rd-party WG vendors.
I don't believe you are using a third-party vendor in this case.................
Perhaps try without mangles first, and then if not working properly try the forward chain mangle only.
/ip firewall mangle ????????????
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
protocol=tcp tcp-flags=syn
add action=change-mss chain=output new-mss=clamp-to-pmtu passthrough=no \
protocol=tcp tcp-flags=syn




Correct, this rule is not required ........ can remove..
add action=masquerade chain=srcnat disabled=yes src-address=10.1.8.0/24

Destination nat rules can be simplified.
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=465,587,993,995 in-interface-list=WAN protocol=\
tcp to-addresses=10.1.1.200
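As an added illustration of the point above about rules that never see the light of day (example code, not from the thread or from MikroTik): a first-match shadowing check over a condensed copy of the posted input chain, using the interface-list membership from the export. The rule list, the list membership and the matcher keys it understands are constructed assumptions; an accept shadowed by an earlier accept is merely dead, but the same check flags the more serious case of a rule shadowed by an earlier drop.

```python
import ipaddress
import shlex

# Interface-list membership copied from the thread's export (WG was added to the
# VLAN list). Constructed lookup table, not RouterOS output.
INTERFACE_LISTS = {
    "VLAN": {"BASE_VLAN", "BLUE_VLAN", "GREEN_VLAN", "RED_VLAN", "WG"},
    "BASE": {"BASE_VLAN", "WG"},
}

# Input-chain rules condensed from the export posted in the thread (constructed sample).
INPUT_RULES = [
    'add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related',
    'add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp',
    'add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN',
    'add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp',
    'add action=accept chain=input comment="allow WireGuard traffic" src-address=10.1.8.0/24',
    'add action=accept chain=input comment="VLAN DNS/NTP" dst-port=53,123 in-interface-list=VLAN protocol=udp',
    'add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN',
    'add action=drop chain=input comment=Drop',
]

def parse_rule(line):
    """Turn 'add key=value ...' into a dict; port and state lists become sets."""
    rule = {}
    for token in shlex.split(line)[1:]:
        key, _, value = token.partition("=")
        rule[key] = set(value.split(",")) if key in ("dst-port", "connection-state") else value
    return rule

def ingress_set(rule):
    """Concrete ingress interfaces a rule matches; None means 'any interface'."""
    if "in-interface" in rule:
        return {rule["in-interface"]}
    if "in-interface-list" in rule:
        return INTERFACE_LISTS[rule["in-interface-list"]]
    return None

def implies(narrow, wide):
    """True if every packet matched by `narrow` would also have matched `wide`."""
    w_if, n_if = ingress_set(wide), ingress_set(narrow)
    if w_if is not None and (n_if is None or not n_if <= w_if):
        return False
    if "protocol" in wide and narrow.get("protocol") != wide["protocol"]:
        return False
    for key in ("dst-port", "connection-state"):
        if key in wide and not (key in narrow and narrow[key] <= wide[key]):
            return False
    if "src-address" in wide:
        if "src-address" not in narrow or not ipaddress.ip_network(
                narrow["src-address"]).subnet_of(ipaddress.ip_network(wide["src-address"])):
            return False
    return True

def shadowed_rules(lines):
    """Return (dead_index, shadowing_index): first earlier same-chain rule covering the later one."""
    rules = [parse_rule(line) for line in lines]
    dead = []
    for i, later in enumerate(rules):
        for j in range(i):
            if rules[j]["chain"] == later["chain"] and implies(later, rules[j]):
                dead.append((i, j))
                break
    return dead
```

Run against the sample it reports the DNS/NTP rule and the Base_Vlan rule as dead behind "Allow VLAN"; the src-address=10.1.8.0/24 rule is not flagged because the check only reasons from the matchers written in the rule, not from which interface 10.1.8.0/24 actually arrives on.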
 
anav
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard RoadWarior plus VLAN configuration

Wed Apr 12, 2023 1:46 am

Also, what are the ether ports on the RB1100 connected to? All smart devices that need all vlans??
Yes good idea to show client config.

--> Allowed-addresses could be simplified to 0.0.0.0/0
---> add persistent keep alive around 35s
----> reference your mangle rule, not sure why it's there yet; if you're having issues with browsing, before trying the clamping MSS rules,
try changing both the MT wireguard interface and the client interface MTU to 1500, for example.

>>> why DNS 10.1.3.1 on the client?? Makes no sense to me,
Why not a more standard DNS server 1.1.1.1 for example OR...... the PPPOE dns server.......
 
anav
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard RoadWarior plus VLAN configuration

Wed Apr 12, 2023 1:59 am

In the forward chain you need to enable the WG interface to reach the subnets required.

add chain=forward action=accept in-interface=Wireguard dst-address=10.1.1.0/24 src-address=10.1.8.3/32
add chain=forward action=accept in-interface=Wireguard dst-address=10.1.2.0/24 src-address=10.1.8.4/32
