Arecki
just joined
Topic Author
Posts: 5
Joined: Tue Feb 23, 2021 11:44 am

Route all traffic via WG tunnel

Mon May 15, 2023 12:18 am

Hi all,
I am working on making my mAP lite a Swiss Army Router based on Lorenzo Busatti's idea. I would like to have the possibility to route all traffic from the mAP lite (and of course all connected devices) via my WG tunnel when needed.
The device that I want to forward all traffic to is a hAP ac^3 (LAN IP: 10.10.30.1). This network has 2 DNS IPs: 172.16.16.2 (Pi-hole+Unbound Docker container on MT) and 10.10.30.253 (also Pi-hole+Unbound on a Proxmox node).
I am not sure how to set up routes, DNS addresses and FW rules on mAP lite.
Full mAP lite config is below. Disclaimer: it most probably contains some unnecessary lines as I tried to optimize the main script. If you notice such lines, please let me know. I'd like to keep it simple.
# may/14/2023 22:19:44 by RouterOS 7.8
# software id = 46CW-UVAM
#
# model = RBmAPL-2nD
/interface bridge add name=bridge-lan
/interface wireguard add listen-port=13231 mtu=1420 name=WG-CHR-7-mAP
/interface list add name=LAN
/interface list add name=WAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=Test-nadajnika-5G-200%-mocy supplicant-identity=""
/interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=Luxtorpeda supplicant-identity=""
/interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=358_net5 supplicant-identity=""
/interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=Bridged supplicant-identity=""
/interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=NoSSID supplicant-identity=""
/interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=P440 supplicant-identity=""
/interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n country=no_country_set disabled=no frequency=2437 installation=indoor mode=station-pseudobridge security-profile=Test-nadajnika-5G-200%-mocy ssid=Test-nadajnika-5G-200%-mocy
/interface wireless add disabled=no keepalive-frames=disabled mac-address=4A:A9:8A:48:52:EC master-interface=wlan1 multicast-buffering=disabled name=wlan2 security-profile=Bridged ssid=MBridged wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip hotspot profile set [ find default=yes ] html-directory=hotspot
/ip pool add name=dhcp_pool0 ranges=10.101.0.11-10.101.0.254
/ip dhcp-server add address-pool=dhcp_pool0 interface=bridge-lan lease-time=1d name=dhcp1
/routing table add disabled=no fib name=via-wg
/interface bridge port add bridge=bridge-lan interface=wlan2
/interface bridge port add bridge=bridge-lan interface=ether1
/ip neighbor discovery-settings set discover-interface-list=all
/interface list member add interface=bridge-lan list=LAN
/interface list member add interface=WG-CHR-7-mAP list=LAN
/interface list member add interface=wlan1 list=WAN
/interface list member add interface=ether1 list=WAN
/interface wireguard peers add allowed-address=10.94.0.1/32,172.31.32.0/24 comment=1-CHR endpoint-address=3.xx.xxx.208 endpoint-port=13231 interface=WG-CHR-7-mAP persistent-keepalive=5m public-key="xxx"
/interface wireguard peers add allowed-address=0.0.0.0/0 comment=2-dom endpoint-address=yyy.sn.mynetname.net endpoint-port=13231 interface=WG-CHR-7-mAP persistent-keepalive=5m public-key="yyy"
/interface wireguard peers add allowed-address=10.94.0.3/32,192.168.88.0/24 comment=3-p440 endpoint-address=zzz.sn.mynetname.net endpoint-port=13231 interface=WG-CHR-7-mAP persistent-keepalive=5m public-key="zzz"
/interface wireguard peers add allowed-address=10.94.0.4/32,10.100.100.0/24 comment=4-mdk8 endpoint-address=vvv.sn.mynetname.net endpoint-port=13231 interface=WG-CHR-7-mAP persistent-keepalive=5m public-key="vvv"
/interface wireguard peers add allowed-address=0.0.0.0/0 comment=5-rw interface=WG-CHR-7-mAP persistent-keepalive=5m public-key="uuu"
/interface wireguard peers add allowed-address=10.94.0.6/32,192.168.10.0/24,192.168.40.0/24,192.168.60.0/24 comment=6-sp358 endpoint-address=80.tt.tt.58 endpoint-port=13231 interface=WG-CHR-7-mAP persistent-keepalive=5m public-key="ttt"
/interface wireless connect-list add interface=wlan1 security-profile=Test-nadajnika-5G-200%-mocy ssid=Test-nadajnika-5G-200%-mocy
/interface wireless connect-list add interface=wlan1 security-profile=Luxtorpeda ssid=Luxtorpeda
/interface wireless connect-list add interface=wlan1 security-profile=358_net5 ssid=358_net5
/interface wireless connect-list add interface=wlan1 security-profile=P440 ssid=WiFi-P440
/ip address add address=10.101.0.1/24 interface=bridge-lan network=10.101.0.0
/ip address add address=10.94.0.7/24 interface=WG-CHR-7-mAP network=10.94.0.0
/ip cloud set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client add interface=wlan1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-client add disabled=yes interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network add address=10.101.0.0/24 dns-server=1.1.1.2 gateway=10.101.0.1
/ip dns set servers=172.16.16.2,10.10.30.253,1.1.1.2
/ip firewall address-list add address=10.101.0.0/24 list=WG-local
/ip firewall address-list add address=172.31.32.0/24 list=WG-remote
/ip firewall address-list add address=10.10.30.0/24 list=WG-remote
/ip firewall address-list add address=10.10.40.0/24 list=WG-remote
/ip firewall address-list add address=192.168.88.0/24 list=WG-remote
/ip firewall address-list add address=10.100.100.0/24 list=WG-remote
/ip firewall address-list add address=192.168.10.0/24 list=WG-remote
/ip firewall address-list add address=192.168.40.0/24 list=WG-remote
/ip firewall address-list add address=192.168.60.0/24 list=WG-remote
/ip firewall address-list add address=10.94.0.0/24 list=WG-local
/ip firewall address-list add address=10.101.0.2-10.101.0.254 list=allowed_to_router
/ip firewall address-list add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=224.0.0.0/4 comment=Multicast list=not_in_internet
/ip firewall address-list add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=10.94.0.2-10.94.0.254 list=allowed_to_router
/ip firewall filter add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=input comment="Allow incoming established, related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=input comment="Allow WireGuard" dst-port=13231 protocol=udp
/ip firewall filter add action=accept chain=forward comment="Allow WireGuard traffic between LANs" dst-address-list=WG-remote src-address-list=WG-local
/ip firewall filter add action=accept chain=forward comment="Allow WireGuard traffic between LANs" dst-address-list=WG-local src-address-list=WG-remote
/ip firewall filter add action=accept chain=input comment="default configuration" connection-state=established,related
/ip firewall filter add action=accept chain=input comment="Allow to router" src-address-list=allowed_to_router
/ip firewall filter add action=accept chain=input comment="Allow ICMP" protocol=icmp
/ip firewall filter add action=accept chain=forward comment="Established, Related" connection-state=established,related
/ip firewall filter add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
/ip firewall filter add action=drop chain=input comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
/ip firewall filter add action=drop chain=input comment="Drop everything to router"
/ip firewall mangle add action=mark-routing chain=prerouting new-routing-mark=via-wg passthrough=yes src-address=10.101.0.0/24
/ip firewall nat add action=masquerade chain=srcnat out-interface=bridge-lan
/ip firewall nat add action=masquerade chain=srcnat out-interface=wlan1
/ip firewall nat add action=masquerade chain=srcnat out-interface=WG-CHR-7-mAP
/ip route add check-gateway=ping disabled=no dst-address=172.31.32.0/24 gateway=WG-CHR-7-mAP routing-table=main suppress-hw-offload=no
/ip route add disabled=no dst-address=10.10.30.0/24 gateway=WG-CHR-7-mAP routing-table=main suppress-hw-offload=no
/ip route add disabled=no distance=1 dst-address=10.10.40.0/24 gateway=WG-CHR-7-mAP pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=WG-CHR-7-mAP pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=10.100.100.0/24 gateway=WG-CHR-7-mAP pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=WG-CHR-7-mAP pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=192.168.40.0/24 gateway=WG-CHR-7-mAP pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=192.168.60.0/24 gateway=WG-CHR-7-mAP pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=192.168.43.199 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10 vrf-interface=wlan1
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=WG-CHR-7-mAP pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add gateway=WG-CHR-7-mAP routing-table=via-wg
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ip ssh set host-key-size=1024 strong-crypto=yes
/system clock set time-zone-name=Europe/Warsaw
/system identity set name="mAP lite"
/system ntp client set enabled=yes
/system ntp client servers add address=194.146.251.100
/system ntp client servers add address=194.146.251.101
/system scheduler add name=autorun-client-mode on-event="/system/script/run client-mode" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
/system script add dont-require-permissions=no name=NoSSID1 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":log info \"script: Going into Lost Duckling mode\"\r\
    \n/interface wireless set wlan1 mode=ap-bridge ssid=MNoSSID security-profile=NoSSID"
/system script add comment="ver. 3" dont-require-permissions=no name=client-mode owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":log info \"Waiting 10s\"\r\
    \n:delay 10s\r\
    \n# set wlan1 station\r\
    \n:log info \"Setting wlan1 in station-pseudobridge mode\";\r\
    \n/interface/wireless/disable wlan1;\r\
    \n/interface/wireless/enable wlan1;\r\
    \n/interface/wireless/set wlan1 mode=station-pseudobridge security-profile=\"Test-nadajnika-5G-200%-mocy\" ssid=\"Test-nadajnika-5G-200%-mocy\";\r\
    \n# wait for WiFi connection\r\
    \n:log info \"Waiting 20s for WiFi connection\";\r\
    \n:delay 20s;\r\
    \n# check if there is WiFi connection\r\
    \n:local connectstatus [/interface/wireless/get wlan1 running];\r\
    \n# if wlan1 is connected, enable dhcp-client on wlan1, ether1 to bridge, otherwise enable DHCP client on ether1\r\
    \n:if \$connectstatus do={ \r\
    \n/interface list member add interface=wlan1 list=WAN; \r\
    \n/ip/dhcp-client/add interface=wlan1 add-default-route=yes disabled=no; \r\
    \n/ip firewall nat add action=masquerade chain=srcnat out-interface=wlan1; \r\
    \n/interface/bridge/port/add interface=ether1 bridge=bridge-lan; \r\
    \n} else={ \r\
    \n/interface/bridge/port/remove [find interface=ether1]; \r\
    \n/interface/wireless/set wlan1 band=2ghz-g/n country=no_country_set disabled=no frequency=auto mode=ap-bridge ssid=MNoSSID security-profile=NoSSID; \r\
    \n/interface list member add interface=ether1 list=WAN; \r\
    \n/ip/dhcp-client/add interface=ether1 add-default-route=yes disabled=no; \r\
    \n/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1; \r\
    \n }"
/tool bandwidth-server set enabled=no
/tool mac-server set allowed-interface-list=LAN
/tool netwatch add disabled=no down-script="" host=8.8.8.8 http-codes="" test-script="" type=simple up-script=""
/tool romon set enabled=yes
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route all traffic via WG tunnel

Mon May 15, 2023 5:06 pm

Your text and config make no sense.

You should have only one peer from this device if connecting to the HAPAC3
 
Arecki
just joined
Topic Author
Posts: 5
Joined: Tue Feb 23, 2021 11:44 am

Re: Route all traffic via WG tunnel

Mon May 15, 2023 9:48 pm

Is it impossible to route all traffic to one peer and still be able to manage other MikroTik devices?
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route all traffic via WG tunnel

Mon May 15, 2023 10:23 pm

Best to plan and have a clear set of requirements for all the traffic flows you wish to accomplish.
The tunnel to a peer allows all kinds of potential traffic,

clients to other routers LAN
clients out other routers internet
clients to a router that is also a peer of the other router
admin to any router in the wireguard subnet for config purposes.
 
Arecki
just joined
Topic Author
Posts: 5
Joined: Tue Feb 23, 2021 11:44 am

Re: Route all traffic via WG tunnel

Mon May 15, 2023 11:47 pm

Alright, so let me try to clarify my needs:
1. Use mAP lite as a portable router to connect via WG to all the networks that I manage to access MikroTik hardware, RDP, file shares etc.
2. Using the mAP lite outside of home/office to access my Pi-hole servers at home to browse the Internet without ads.
Are both of my goals possible to achieve?
EDIT:
I tinkered with my config and got it working.
# may/15/2023 23:17:53 by RouterOS 7.8
# software id = 46CW-UVAM
#
# model = RBmAPL-2nD
/interface bridge add name=bridge-lan
/interface wireguard add listen-port=13231 mtu=1420 name=WG-CHR-7-mAP
/interface list add name=LAN
/interface list add name=WAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=Test-nadajnika-5G-200%-mocy supplicant-identity=""
/interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=Luxtorpeda supplicant-identity=""
/interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=358_net5 supplicant-identity=""
/interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=Bridged supplicant-identity=""
/interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=NoSSID supplicant-identity=""
/interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=P440 supplicant-identity=""
/interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n country=no_country_set disabled=no frequency=2437 installation=indoor mode=station-pseudobridge security-profile=Test-nadajnika-5G-200%-mocy ssid=Test-nadajnika-5G-200%-mocy
/interface wireless add disabled=no keepalive-frames=disabled mac-address=4A:A9:8A:48:52:EC master-interface=wlan1 multicast-buffering=disabled name=wlan2 security-profile=Bridged ssid=MBridged wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip hotspot profile set [ find default=yes ] html-directory=hotspot
/ip pool add name=dhcp_pool0 ranges=10.101.0.11-10.101.0.254
/ip dhcp-server add address-pool=dhcp_pool0 interface=bridge-lan lease-time=1d name=dhcp1
/interface bridge port add bridge=bridge-lan interface=wlan2
/interface bridge port add bridge=bridge-lan interface=ether1
/ip neighbor discovery-settings set discover-interface-list=all
/interface list member add interface=bridge-lan list=LAN
/interface list member add interface=WG-CHR-7-mAP list=LAN
/interface list member add interface=wlan1 list=WAN
/interface list member add interface=ether1 list=WAN
/interface wireguard peers add allowed-address=10.94.0.1/32,172.31.32.0/24 comment=1-CHR endpoint-address=3.zz.zzz.208 endpoint-port=13231 interface=WG-CHR-7-mAP persistent-keepalive=5m public-key="zzzzz"
/interface wireguard peers add allowed-address=10.94.0.2/32,10.10.30.0/24,10.10.40.0/24 comment=2-dom endpoint-address=178.yyy.yyy.34 endpoint-port=13231 interface=WG-CHR-7-mAP persistent-keepalive=5m public-key="yyyyy"
/interface wireguard peers add allowed-address=10.94.0.3/32,192.168.88.0/24 comment=3-p440 endpoint-address=185.xxx.xx.54 endpoint-port=13231 interface=WG-CHR-7-mAP persistent-keepalive=5m public-key="xxxxx"
/interface wireguard peers add allowed-address=10.94.0.4/32,10.100.100.0/24 comment=4-mdk8 endpoint-address=195.www.ww.68 endpoint-port=13231 interface=WG-CHR-7-mAP persistent-keepalive=5m public-key="wwwww"
/interface wireguard peers add allowed-address=10.94.0.5/32,0.0.0.0/0 comment=5-rw interface=WG-CHR-7-mAP persistent-keepalive=5m public-key="uuuuu"
/interface wireguard peers add allowed-address=10.94.0.6/32,192.168.10.0/24,192.168.40.0/24,192.168.60.0/24 comment=6-sp358 endpoint-address=80.tt.tt.58 endpoint-port=13231 interface=WG-CHR-7-mAP persistent-keepalive=5m public-key="ttttt"
/interface wireless connect-list add interface=wlan1 security-profile=Test-nadajnika-5G-200%-mocy ssid=Test-nadajnika-5G-200%-mocy
/interface wireless connect-list add interface=wlan1 security-profile=Luxtorpeda ssid=Luxtorpeda
/interface wireless connect-list add interface=wlan1 security-profile=358_net5 ssid=358_net5
/interface wireless connect-list add interface=wlan1 security-profile=P440 ssid=WiFi-P440
/ip address add address=10.101.0.1/24 interface=bridge-lan network=10.101.0.0
/ip address add address=10.94.0.7/24 interface=WG-CHR-7-mAP network=10.94.0.0
/ip cloud set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client add interface=wlan1 use-peer-dns=no
/ip dhcp-client add disabled=yes interface=ether1
/ip dhcp-server network add address=10.101.0.0/24 gateway=10.101.0.1
/ip dns set servers=172.16.16.2,10.10.30.253
/ip firewall address-list add address=10.101.0.0/24 list=WG-local
/ip firewall address-list add address=172.31.32.0/24 list=WG-remote
/ip firewall address-list add address=10.10.30.0/24 list=WG-remote
/ip firewall address-list add address=10.10.40.0/24 list=WG-remote
/ip firewall address-list add address=192.168.88.0/24 list=WG-remote
/ip firewall address-list add address=10.100.100.0/24 list=WG-remote
/ip firewall address-list add address=192.168.10.0/24 list=WG-remote
/ip firewall address-list add address=192.168.40.0/24 list=WG-remote
/ip firewall address-list add address=192.168.60.0/24 list=WG-remote
/ip firewall address-list add address=10.94.0.0/24 list=WG-local
/ip firewall address-list add address=10.101.0.2-10.101.0.254 list=allowed_to_router
/ip firewall address-list add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=224.0.0.0/4 comment=Multicast list=not_in_internet
/ip firewall address-list add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=10.94.0.2-10.94.0.254 list=allowed_to_router
/ip firewall filter add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=input comment="Allow incoming established, related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=input comment="Allow WireGuard" dst-port=13231 protocol=udp
/ip firewall filter add action=accept chain=forward comment="Allow WireGuard traffic between LANs" dst-address-list=WG-remote src-address-list=WG-local
/ip firewall filter add action=accept chain=forward comment="Allow WireGuard traffic between LANs" dst-address-list=WG-local src-address-list=WG-remote
/ip firewall filter add action=accept chain=input comment="default configuration" connection-state=established,related
/ip firewall filter add action=accept chain=input comment="Allow to router" src-address-list=allowed_to_router
/ip firewall filter add action=accept chain=input comment="Allow ICMP" protocol=icmp
/ip firewall filter add action=accept chain=forward comment="Established, Related" connection-state=established,related
/ip firewall filter add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
/ip firewall filter add action=drop chain=input comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
/ip firewall filter add action=drop chain=input comment="Drop everything to router"
/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall nat add action=src-nat chain=srcnat dst-port=53 protocol=tcp to-addresses=10.94.0.2 to-ports=53
/ip firewall nat add action=src-nat chain=srcnat dst-port=53 protocol=udp to-addresses=10.94.0.2 to-ports=53
/ip route add check-gateway=ping disabled=no dst-address=172.31.32.0/24 gateway=WG-CHR-7-mAP routing-table=main suppress-hw-offload=no
/ip route add disabled=no dst-address=10.10.30.0/24 gateway=WG-CHR-7-mAP routing-table=main suppress-hw-offload=no
/ip route add disabled=no distance=1 dst-address=10.10.40.0/24 gateway=WG-CHR-7-mAP pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=WG-CHR-7-mAP pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=10.100.100.0/24 gateway=WG-CHR-7-mAP pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=WG-CHR-7-mAP pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=192.168.40.0/24 gateway=WG-CHR-7-mAP pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=192.168.60.0/24 gateway=WG-CHR-7-mAP pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ip ssh set host-key-size=1024 strong-crypto=yes
/system clock set time-zone-name=Europe/Warsaw
/system identity set name="mAP lite"
/system ntp client set enabled=yes
/system ntp client servers add address=194.146.251.100
/system ntp client servers add address=194.146.251.101
/system scheduler add name=autorun-client-mode on-event="/system/script/run client-mode" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
/system script add dont-require-permissions=no name=NoSSID1 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":log info \"script: Going into Lost Duckling mode\"\r\
    \n/interface wireless set wlan1 mode=ap-bridge ssid=MNoSSID security-profile=NoSSID"
/system script add comment="ver 3" dont-require-permissions=no name=client-mode owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":log info \"Waiting 10s\"\r\
    \n:delay 10s\r\
    \n# set wlan1 station\r\
    \n:log info \"Setting wlan1 in station-pseudobridge mode\";\r\
    \n/interface/wireless/disable wlan1;\r\
    \n/interface/wireless/enable wlan1;\r\
    \n/interface/wireless/set wlan1 mode=station-pseudobridge security-profile=\"Test-nadajnika-5G-200%-mocy\" ssid=\"Test-nadajnika-5G-200%-mocy\";\r\
    \n# wait for WiFi connection\r\
    \n:log info \"Waiting 20s for WiFi connection\";\r\
    \n:delay 20s;\r\
    \n# check if there is WiFi connection\r\
    \n:local connectstatus [/interface/wireless/get wlan1 running];\r\
    \n# if wlan1 is connected, enable dhcp-client on wlan1, ether1 to bridge, otherwise enable DHCP client on ether1\r\
    \n:if \$connectstatus do={ \r\
    \n/interface list member add interface=wlan1 list=WAN; \r\
    \n/ip/dhcp-client/add interface=wlan1 add-default-route=yes disabled=no; \r\
    \n/ip firewall nat add action=masquerade chain=srcnat out-interface=wlan1; \r\
    \n/interface/bridge/port/add interface=ether1 bridge=bridge-lan; \r\
    \n} else={ \r\
    \n/interface/bridge/port/remove [find interface=ether1]; \r\
    \n/interface/wireless/set wlan1 band=2ghz-g/n country=no_country_set disabled=no frequency=auto mode=ap-bridge ssid=MNoSSID security-profile=NoSSID; \r\
    \n/interface list member add interface=ether1 list=WAN; \r\
    \n/ip/dhcp-client/add interface=ether1 add-default-route=yes disabled=no; \r\
    \n/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1; \r\
    \n }"
/tool bandwidth-server set enabled=no
/tool mac-server set allowed-interface-list=LAN
/tool netwatch add disabled=no down-script="" host=8.8.8.8 http-codes="" test-script="" type=simple up-script=""
/tool romon set enabled=yes
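The difference between the two configs above is almost entirely in the peers' allowed-address lists, and that is where WireGuard actually decides which peer carries a packet: the RouterOS route only hands the packet to the interface, then the cryptokey routing table (the longest allowed-address prefix containing the destination) picks the peer, and a prefix can belong to only one peer per interface. The first config listed 0.0.0.0/0 on both 2-dom and 5-rw, so "route all traffic via WG" could not say which peer got it. The audit below is an added example written for this thread, not code from the poster or from MikroTik: it parses `/interface wireguard peers add` and `/ip route add` lines from an export and reports, for every route pointing at a WireGuard interface, which peer will carry it. The embedded excerpts are constructed from the peers and routes of the two posted configs with placeholder keys, endpoints and upstream gateway; the default routes via the tunnel from the first config are kept with the second config's peers to show what "all traffic via WG" would do there. It evaluates each route at its first address only, which is an assumption: more specific allowed-address entries inside a route would split it across peers.

```python
"""Report which WireGuard peer will carry each route in a RouterOS export.

WireGuard does not consult the RouterOS routing table to choose a peer: each
peer's allowed-address list is a per-tunnel routing table. An outgoing packet
goes to the peer owning the longest allowed-address prefix containing its
destination; an incoming packet is dropped unless its source lies in the
sending peer's allowed-address. A prefix belongs to one peer per interface,
so 0.0.0.0/0 on two peers is not two default routes: the last one set wins.
"""
import ipaddress
import shlex
from collections import defaultdict


def _kv(arg_string):
    """Turn RouterOS 'key=value key2="quoted value"' arguments into a dict."""
    pairs = {}
    for token in shlex.split(arg_string):
        key, _, value = token.partition("=")
        pairs[key] = value
    return pairs


def parse_export(text):
    """Collect WireGuard peers and static routes from export lines."""
    peers, routes = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/interface wireguard peers add "):
            kv = _kv(line.split(" add ", 1)[1])
            peers.append({
                "name": kv.get("comment") or kv.get("public-key", "?"),
                "iface": kv["interface"],
                "allowed": [ipaddress.ip_network(a, strict=False)
                            for a in kv["allowed-address"].split(",")],
                "endpoint": kv.get("endpoint-address"),  # None for a road-warrior peer
            })
        elif line.startswith("/ip route add "):
            kv = _kv(line.split(" add ", 1)[1])
            routes.append({
                "dst": ipaddress.ip_network(kv.get("dst-address", "0.0.0.0/0"), strict=False),
                "gateway": kv["gateway"],
                "table": kv.get("routing-table", "main"),
            })
    return peers, routes


def duplicate_allowed(peers):
    """Prefixes listed on more than one peer of the same interface (only one can own them)."""
    owners = defaultdict(list)
    for peer in peers:
        for net in peer["allowed"]:
            owners[(peer["iface"], str(net))].append(peer["name"])
    return {key: names for key, names in owners.items() if len(names) > 1}


def select_peers(peers, iface, address):
    """Cryptokey routing lookup: peers owning the longest allowed-address prefix containing address."""
    best_len, chosen = -1, []
    for peer in peers:
        if peer["iface"] != iface:
            continue
        for net in peer["allowed"]:
            if address not in net:
                continue
            if net.prefixlen > best_len:
                best_len, chosen = net.prefixlen, [peer]
            elif net.prefixlen == best_len:
                chosen.append(peer)
    return best_len, chosen


def audit_routes(peers, routes):
    """For each route via a WireGuard interface, name the carrying peer and why it may not carry it."""
    wg_ifaces = {p["iface"] for p in peers}
    report = []
    for route in routes:
        if route["gateway"] not in wg_ifaces:
            continue
        # Assumption: judged at the route's first address only (see lead-in).
        plen, chosen = select_peers(peers, route["gateway"], route["dst"].network_address)
        if not chosen:
            status = "no-peer"       # no allowed-address covers it: WireGuard drops the packet
        elif len(chosen) > 1:
            status = "ambiguous"     # same prefix on several peers: last configured wins
        elif chosen[0]["endpoint"] is None:
            status = "no-endpoint"   # peer must contact us first; nothing flows until it does
        else:
            status = "ok"
        report.append({"table": route["table"], "dst": str(route["dst"]), "status": status,
                       "peers": [p["name"] for p in chosen], "prefixlen": plen})
    return report


def audit(text):
    """Parse an export and return (duplicate prefixes, per-route report)."""
    peers, routes = parse_export(text)
    return duplicate_allowed(peers), audit_routes(peers, routes)


# Constructed excerpts modelled on the two configs in the thread; keys, endpoints
# and the upstream gateway are placeholders, not the poster's real values.
PEERS_BEFORE = """
/interface wireguard peers add allowed-address=10.94.0.1/32,172.31.32.0/24 comment=1-CHR endpoint-address=203.0.113.10 endpoint-port=13231 interface=WG-CHR-7-mAP public-key="AAAA="
/interface wireguard peers add allowed-address=0.0.0.0/0 comment=2-dom endpoint-address=home.example.net endpoint-port=13231 interface=WG-CHR-7-mAP public-key="BBBB="
/interface wireguard peers add allowed-address=0.0.0.0/0 comment=5-rw interface=WG-CHR-7-mAP persistent-keepalive=5m public-key="CCCC="
"""
PEERS_AFTER = """
/interface wireguard peers add allowed-address=10.94.0.1/32,172.31.32.0/24 comment=1-CHR endpoint-address=203.0.113.10 endpoint-port=13231 interface=WG-CHR-7-mAP public-key="AAAA="
/interface wireguard peers add allowed-address=10.94.0.2/32,10.10.30.0/24,10.10.40.0/24 comment=2-dom endpoint-address=home.example.net endpoint-port=13231 interface=WG-CHR-7-mAP public-key="BBBB="
/interface wireguard peers add allowed-address=10.94.0.5/32,0.0.0.0/0 comment=5-rw interface=WG-CHR-7-mAP persistent-keepalive=5m public-key="CCCC="
"""
ROUTES = """
/ip route add check-gateway=ping dst-address=172.31.32.0/24 gateway=WG-CHR-7-mAP routing-table=main
/ip route add dst-address=10.10.30.0/24 gateway=WG-CHR-7-mAP routing-table=main
/ip route add distance=10 dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-table=main
/ip route add distance=1 dst-address=0.0.0.0/0 gateway=WG-CHR-7-mAP routing-table=main
/ip route add gateway=WG-CHR-7-mAP routing-table=via-wg
"""

if __name__ == "__main__":
    for label, peers_text in (("first config", PEERS_BEFORE), ("edited config", PEERS_AFTER)):
        dups, report = audit(peers_text + ROUTES)
        print(f"== {label}: duplicate allowed-address {dups or 'none'}")
        for row in report:
            print(f"  {row['table']:6} {row['dst']:16} {row['status']:12} {row['peers']}")
```

Run against the first config's peers it flags 0.0.0.0/0 as owned by both 2-dom and 5-rw and marks the 10.10.30.0/24 route and both default routes as ambiguous; against the edited peers 10.10.30.0/24 lands on 2-dom through its own /24, while a default route would fall to 5-rw, which has no endpoint-address and so only works once that road-warrior peer has connected in. The same allowed-address list is also the inbound source filter, so the `WG-remote` address list and forward rules in the config only see traffic a peer was allowed to send in the first place.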
 
fragtion
Member Candidate
Posts: 257
Joined: Fri Nov 13, 2009 10:08 pm
Location: Johannesburg, South Africa

Re: Route all traffic via WG tunnel

Tue May 16, 2023 12:36 am

Yes absolutely possible
