ronajon
just joined
Topic Author
Posts: 21
Joined: Fri Feb 10, 2023 11:06 pm

Mullvad wireguard on existing VLAN

Wed May 31, 2023 3:46 pm

I've added a Mullvad interface with a new VLAN to my RB4011 following this tutorial: https://scholz.ruhr/blog/mullvad-as-sec ... -mikrotik/
All works: vlan60 connects to the VPN and I can see that my IP is the Mullvad VPN's IP (Sweden in this case).

This is a good start, but what I want is for some of my other VLANs to 1) remain accessible internally and 2) connect to the outside through the VPN.
For some reason, I can't have vlan120 use the VPN tunnel which is being used by vlan60.

Not knowing where to start (and not having deep knowledge of VLANs and VPNs :? ), I've tried a couple of changes, for instance modifying the gateway and DNS servers of vlan120 to resemble those of vlan60 and changing the interface of vlan120 to the one vlan60 uses. None of this works.

My config:
# may/31/2023 14:29:15 by RouterOS 7.9.1
#
# model = RB4011iGS+
/interface bridge
add fast-forward=no ingress-filtering=no name=bridge-local vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] comment=192.168.110.16 name=ether2-TV
set [ find default-name=ether3 ] name=ether3-Chromecast
set [ find default-name=ether6 ] comment=meterkast name=ether6-switch
set [ find default-name=ether7 ] comment="arcam SA30" name=ether7-arcam
set [ find default-name=ether9 ] name=ether9-RB260GSP
set [ find default-name=ether10 ] name=ether10-R500 poe-priority=1
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface veth
add address=172.17.0.2/24 gateway=172.17.0.1 name=veth1
/interface wireguard
add comment=mullvad listen-port=4063 mtu=1420 name=mullvad-upstream
add listen-port=13231 mtu=1420 name=wireguard
/interface vlan
add comment=mullvad interface=bridge-local name=mullvad vlan-id=60
add interface=ether1-WAN name=vlan-internet vlan-id=300
add comment=servers interface=bridge-local name=vlan105 vlan-id=105
add comment="IOT network" interface=bridge-local name=vlan110 vlan-id=110
add comment="guest network" interface=bridge-local name=vlan120 vlan-id=120
/interface list
add comment="WAN interface" name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add interface=vlan105 lease-time=10m name=dhcp-vlan105
/ip pool
add name=dhcp-local ranges=192.168.0.180-192.168.0.254
add name=pool-vlan110 ranges=192.168.110.180-192.168.110.249
add name=pool-vlan120 ranges=192.168.120.180-192.168.120.254
add comment=mullvad name=pool-vlan60 ranges=10.0.60.100-10.0.60.150
/ip dhcp-server
add address-pool=dhcp-local interface=bridge-local lease-time=5m name=\
    dhcp-local
add address-pool=pool-vlan110 interface=vlan110 lease-time=5m name=\
    dhcp-vlan110
add address-pool=pool-vlan120 interface=vlan120 lease-time=5m name=\
    dhcp-vlan120
add address-pool=pool-vlan60 comment=mullvad disabled=yes interface=mullvad \
    name=dhcp-vlan60
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
add disabled=no name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
/routing table
add fib name=""
add comment=mullvad disabled=no fib name=mullvad
/container
add envlist=repeater_envs hostname=mdns-repeater interface=veth1 \
    start-on-boot=yes
/container envs
add key=REPEATER_INTERFACES name=repeater_envs value="eth0.110 eth0.120"
/interface bridge port
add bridge=bridge-local ingress-filtering=no interface=ether2-TV pvid=110
add bridge=bridge-local ingress-filtering=no interface=ether3-Chromecast \
    pvid=110
add bridge=bridge-local ingress-filtering=no interface=ether4 pvid=110
add bridge=bridge-local ingress-filtering=no interface=ether5 pvid=110
add bridge=bridge-local ingress-filtering=no interface=ether6-switch pvid=110
add bridge=bridge-local ingress-filtering=no interface=ether7-arcam pvid=110
add bridge=bridge-local ingress-filtering=no interface=ether9-RB260GSP
add bridge=bridge-local ingress-filtering=no interface=ether10-R500
add bridge=bridge-local ingress-filtering=no interface=sfp-sfpplus1
add bridge=bridge-local ingress-filtering=no interface=ether8
add bridge=bridge-local interface=veth1
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
    forward=no max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge-local tagged=\
    ether10-R500,ether9-RB260GSP,bridge-local,veth1 untagged=\
    ether2-TV,ether3-Chromecast,ether5,ether4,ether7-arcam,ether6-switch \
    vlan-ids=110
add bridge=bridge-local tagged=\
    ether10-R500,ether9-RB260GSP,bridge-local,veth1 vlan-ids=120
add bridge=bridge-local tagged=bridge-local,ether9-RB260GSP,ether4 vlan-ids=\
    105
add bridge=bridge-local comment=mullvad tagged=ether9-RB260GSP,bridge-local \
    vlan-ids=60
/interface list member
add interface=bridge-local list=LAN
add interface=vlan-internet list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.0.0.2/32 comment="mobile" interface=wireguard \
    public-key="xxx"
add allowed-address=10.0.0.3/32 comment="laptop" interface=wireguard \
    public-key="xxx"
add allowed-address=0.0.0.0/0,::/0 comment=mullvad endpoint-address=\
    185.213.154.68 endpoint-port=51820 interface=mullvad-upstream public-key=\
    "xxx"
/ip address
add address=192.168.0.1/24 interface=bridge-local network=192.168.0.0
add address=192.168.110.1/24 interface=vlan110 network=192.168.110.0
add address=192.168.120.1/24 interface=vlan120 network=192.168.120.0
add address=10.0.0.1/24 interface=wireguard network=10.0.0.0
add address=192.168.105.1/24 interface=vlan105 network=192.168.105.0
add address=10.0.60.1/24 comment=mullvad interface=mullvad network=10.0.60.0
add address=10.66.250.98 comment=mullvad interface=mullvad-upstream network=\
    10.124.0.152
/ip cloud
set ddns-enabled=yes ddns-update-interval=1d
/ip dhcp-client
add interface=vlan-internet use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.110.80 client-id=1:2c:ab:33:9a:29:4 mac-address=\
    2C:AB:33:9A:29:04 server=dhcp-vlan110
add address=192.168.110.16 client-id=1:8c:79:f5:93:ef:14 mac-address=\
    8C:79:F5:93:EF:14 server=dhcp-vlan110
add address=192.168.110.17 client-id=1:c0:56:27:8f:d5:ea mac-address=\
    C0:56:27:8F:D5:EA server=dhcp-vlan110
add address=192.168.110.20 mac-address=44:09:B8:FE:EB:8C server=dhcp-vlan110
add address=192.168.110.59 comment="slp Ronald" mac-address=DC:4F:22:CB:07:2C \
    server=dhcp-vlan110
add address=192.168.110.62 comment=trap mac-address=DC:4F:22:FA:56:A1 server=\
    dhcp-vlan110
add address=192.168.110.60 comment=werkkamer mac-address=60:01:94:99:7A:26 \
    server=dhcp-vlan110
add address=192.168.110.61 comment="slp Zeb" mac-address=60:01:94:99:78:4D \
    server=dhcp-vlan110
add address=192.168.110.58 comment="wasmachine PoW r2" mac-address=\
    CC:50:E3:1A:F6:8B server=dhcp-vlan110
add address=192.168.110.50 comment=gateway mac-address=7C:49:EB:1C:F3:47 \
    server=dhcp-vlan110
add address=192.168.110.57 comment=s20 mac-address=B4:E6:2D:25:3F:73 server=\
    dhcp-vlan110
add address=192.168.110.51 comment=gang1 mac-address=60:01:94:D6:08:CB \
    server=dhcp-vlan110
add address=192.168.110.52 comment=gang2 mac-address=60:01:94:D6:C7:B3 \
    server=dhcp-vlan110
add address=192.168.110.63 comment=slpObi mac-address=DC:4F:22:C6:A5:22 \
    server=dhcp-vlan110
add address=192.168.110.18 client-id=1:0:11:32:d9:61:16 mac-address=\
    00:11:32:D9:61:16 server=dhcp-vlan110
add address=192.168.110.66 comment=voorraadkast mac-address=34:CE:00:9B:16:08 \
    server=dhcp-vlan110
add address=192.168.110.69 mac-address=54:48:E6:53:5A:87 server=dhcp-vlan110
add address=192.168.110.68 mac-address=64:90:C1:97:AB:E2 server=dhcp-vlan110
add address=192.168.110.67 mac-address=5C:E5:0C:E1:7B:F0 server=dhcp-vlan110
add address=192.168.110.70 mac-address=54:48:E6:51:C8:C0 server=dhcp-vlan110
add address=172.16.0.20 client-id=1:22:ae:66:87:2d:c3 disabled=yes \
    mac-address=22:AE:66:87:2D:C3 server=*A
add address=192.168.110.40 comment=OTGW mac-address=F4:CF:A2:ED:C2:4B server=\
    dhcp-vlan110
add address=192.168.0.10 client-id=1:e4:5f:1:70:90:93 comment="sensecap M1" \
    mac-address=E4:5F:01:70:90:93 server=dhcp-local
add address=192.168.110.71 mac-address=54:48:E6:53:59:BB server=dhcp-vlan110
add address=192.168.110.22 mac-address=A8:48:FA:E9:15:68 server=dhcp-vlan110
add address=192.168.110.5 client-id=1:ca:7a:a8:1a:6c:61 mac-address=\
    CA:7A:A8:1A:6C:61 server=dhcp-vlan110
add address=192.168.110.142 client-id=1:6a:3f:2d:31:84:4e comment=pixel6 \
    mac-address=6A:3F:2D:31:84:4E server=dhcp-vlan110
add address=192.168.110.24 mac-address=18:FE:34:CF:74:17 server=dhcp-vlan110
add address=192.168.110.81 comment="alfen wallbox" mac-address=\
    3A:65:45:61:7E:46 server=dhcp-vlan110
add address=192.168.110.55 comment="AC werkkamer" mac-address=\
    60:01:94:0C:66:E1 server=dhcp-vlan110
add address=192.168.110.14 client-id=1:90:56:82:43:29:c4 mac-address=\
    90:56:82:43:29:C4 server=dhcp-vlan110
add address=192.168.110.15 client-id=1:0:1b:7c:8:3b:24 mac-address=\
    00:1B:7C:08:3B:24 server=dhcp-vlan110
add address=192.168.110.56 mac-address=40:F5:20:2D:29:DD server=dhcp-vlan110
/ip dhcp-server network
add address=10.0.60.0/24 comment=mullvad dns-server=100.64.0.23 gateway=\
    10.0.60.1
add address=192.168.0.0/24 dns-server=192.168.0.12,192.168.0.11 domain=local \
    gateway=192.168.0.1
add address=192.168.105.0/24 dns-server=192.168.0.12,192.168.0.11 domain=\
    local gateway=192.168.105.1 netmask=24
add address=192.168.110.0/24 dns-server=192.168.0.12,192.168.0.11 domain=\
    local gateway=192.168.110.1 netmask=24
add address=192.168.120.0/24 dns-server=192.168.0.12,192.168.0.11 domain=\
    local gateway=192.168.120.1 netmask=24
/ip dns
set cache-max-ttl=1d
/ip firewall address-list
add address=192.168.100.0/24 list=localNet
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 list=not_in_internet
add address=192.168.0.0/16 list=not_in_internet
add address=169.254.0.0/16 list=not_in_internet
add address=127.0.0.0/8 list=not_in_internet
add address=224.0.0.0/4 list=not_in_internet
add address=198.18.0.0/15 list=not_in_internet
add address=192.0.0.0/24 list=not_in_internet
add address=192.0.2.0/24 list=not_in_internet
add address=198.51.100.0/24 list=not_in_internet
add address=203.0.113.0/24 list=not_in_internet
add address=100.64.0.0/10 list=not_in_internet
add address=240.0.0.0/4 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=255.255.255.255 list=lan_ip
add address=192.168.0.0/24 comment="Trusted LAN " list=trusted-LAN
add address=192.168.110.0/24 list="untrusted VLAN"
add address=192.168.120.0/24 list="untrusted VLAN"
add address=192.168.0.0/16 list=mynetwork
add address=192.168.0.12 list=pihole
add address=172.16.0.0/12 list="untrusted VLAN"
add address=10.0.0.0/24 list=vpn
add address=192.168.0.10 disabled=yes list=extDNS
add address=172.16.0.20 disabled=yes list=extDNS
add address=192.168.0.128 disabled=yes list=extDNS
add address=192.168.105.0/24 list="untrusted VLAN"
add address=192.168.110.105 comment=homeassistant list=acl_postgres
add address=192.168.110.107 comment=teslamate list=acl_postgres
add address=192.168.110.118 comment=miniflux list=acl_postgres
add address=192.168.110.104 comment=grafana list=acl_influx
add address=192.168.110.105 comment=homeassistant list=acl_influx
add address=192.168.110.107 comment=teslamate list=acl_influx
add address=192.168.110.104 comment=grafana list=acl_postgres
add address=192.168.0.1 comment=snmp list=infra
add address=192.168.0.2 comment=snmp list=infra
add address=192.168.0.5 comment=snmp list=infra
add address=172.21.0.2 comment=docker list=acl_mariadb
add address=192.168.110.216 list=acl_influx
add address=192.168.0.183 list=acl_influx
add address=192.168.110.5 comment=docker list=acl_postgres
add address=192.168.0.11 list=pihole
add address=192.168.110.103 comment=spotweb list=acl_postgres
add address=192.168.110.119 comment=invidious list=acl_postgres
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="servers to LAN" dst-address-list=\
    mynetwork in-interface=vlan105
add action=accept chain=forward comment=postgres dst-address=192.168.105.11 \
    dst-port=5432 protocol=tcp src-address-list=acl_postgres
add action=accept chain=forward comment=influxdb dst-address=192.168.105.12 \
    dst-port=8086 protocol=tcp src-address-list=acl_influx
add action=accept chain=forward comment=mysql disabled=yes dst-address=\
    192.168.105.15 dst-port=3306 protocol=tcp
add action=accept chain=input comment="telegraf snmp" dst-address=192.168.0.1 \
    protocol=udp src-address=192.168.105.14
add action=accept chain=forward comment="telegraf snmp" dst-address-list=\
    infra protocol=udp src-address=192.168.105.14
add action=accept chain=input comment="api access from homeassistant" \
    dst-port=8728 protocol=tcp src-address=192.168.110.105
add action=accept chain=forward dst-address=192.168.120.0/24 protocol=tcp \
    src-address=192.168.110.105
add action=accept chain=forward dst-address=192.168.120.0/24 protocol=udp \
    src-address=192.168.110.105
add action=accept chain=forward comment="VLAN DNS" dst-address-list=pihole \
    dst-port=53 protocol=udp src-address-list="untrusted VLAN"
add action=accept chain=forward comment="VLAN DNS" dst-address-list=pihole \
    dst-port=53 protocol=tcp src-address-list="untrusted VLAN"
add action=accept chain=forward comment="sensecap M1" disabled=yes \
    dst-address=192.168.0.10 dst-port=44158 protocol=tcp src-port=44158
add action=accept chain=input comment=wireguard dst-port=13231 log-prefix=\
    wireguard protocol=udp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="Accept from VPN to LAN" \
    connection-state=established,related dst-address-list="untrusted VLAN" \
    src-address-list=vpn
add action=drop chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=forward comment="Drop from VLAN to LAN" \
    connection-state=!established dst-address-list=trusted-LAN \
    src-address-list="untrusted VLAN"
add action=drop chain=forward comment="Drop from VLAN to VLAN" \
    dst-address-list="untrusted VLAN" src-address-list="untrusted VLAN"
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="defcon: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
/ip firewall mangle
add action=mark-routing chain=prerouting comment=mullvad in-interface=mullvad \
    new-routing-mark=mullvad
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="redirect port for Sensecap M1" \
    disabled=yes dst-port=44158 protocol=tcp to-addresses=192.168.0.10 \
    to-ports=44158
add action=dst-nat chain=dstnat comment="bypass pihole" disabled=yes \
    dst-port=53 protocol=udp src-address-list=extDNS to-addresses=1.1.1.1
add action=dst-nat chain=dstnat comment="bypass pihole" disabled=yes \
    dst-port=53 protocol=tcp src-address-list=extDNS to-addresses=1.1.1.1
add action=masquerade chain=srcnat comment=mullvad out-interface=\
    mullvad-upstream
/ip route
add comment=mullvad disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    10.124.0.152 pref-src="" routing-table=mullvad scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip traffic-flow
set active-flow-timeout=1m cache-entries=64k
/ip upnp
set enabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 nd
set [ find default=yes ] disabled=yes
/routing rule
add action=lookup-only-in-table comment=mullvad routing-mark=mullvad table=\
    mullvad
/snmp
set enabled=yes trap-generators="" trap-version=2
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name="MikroTik RB4011iGS+RM"
/system logging
add topics=dns
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=64.99.80.121
add address=20.101.57.9
/system resource irq rps
set sfp-sfpplus1 disabled=no
/system scheduler
add interval=1w name=run-7d on-event=backup policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=aug/19/2021 start-time=09:07:12
/system script
add dont-require-permissions=no name=backup owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="backupscript"
/tool bandwidth-server
set enabled=no
/tool graphing
set page-refresh=60
/tool netwatch
add comment="update DNS when Ubound is down" disabled=no down-script="updatedns"

 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mullvad wireguard on existing VLAN

Wed May 31, 2023 3:50 pm

Fair enough, it can seem daunting, but to avoid chasing thoughts a coherent plan is required.
Provide a diagram that shows the equipment and the VLANs flowing between them.
List your requirements:
a. identify users/devices and groups of users/devices (VLANs, single devices, admin, etc.)
b. identify what you want them to be able to achieve in terms of traffic flow.

Once you do that I am willing to look at the config and make some coherent suggestions.......
 
ronajon
just joined
Topic Author
Posts: 21
Joined: Fri Feb 10, 2023 11:06 pm

Re: Mullvad wireguard on existing VLAN

Wed May 31, 2023 5:24 pm

Here's a try at a diagram of the network.

Current setup, simplified:
vlan-internet: internet connection to my ISP
vlan1: management network, only accessible for myself
vlan105: database servers, only accessible by admin
vlan110: all sorts of services and devices (Home Assistant, Radarr, Sonarr, LMS, Node-RED, TeslaMate, television, amplifiers, etc.). Some can connect to vlan105 through specified ports in the firewall
vlan120: guest network, for guests. No access to other VLANs
vlan60: test for Mullvad WireGuard VPN

access point 1: admin on vlan1
access point 2: normal users on vlan110
access point 3: guest users on vlan120

I have a WireGuard server on the RB4011, which gives access to vlan105, vlan110 and vlan120. My phone has an always-on WireGuard connection to my home.
IP range 10.0.0.x

At this moment, vlan60 is connected to the Mullvad VPN. This is working. I also have a container in Proxmox that is connected through vlan60 to the Mullvad VPN.

What I want:
Instead of vlan60, I would like vlan110 to connect to the internet through Mullvad WireGuard, so Netflix, Radarr, etc. (TV and Proxmox containers) are behind the VPN.
vlan60 is just a test and should be removed after vlan110 has a connection to Mullvad.
Also, vlan110 should remain accessible from within my network through wifi, as it is now, and still be able to connect to vlan105 for specific connections (e.g. database).

Hope this makes it more clear. If more info is needed I will provide it.
network.png
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mullvad wireguard on existing VLAN

Wed May 31, 2023 6:32 pm

Yeah, I don't do vlan1. Once I go VLANs the only thing the bridge does is bridging, no DHCP etc.
Also no, one does not attach WireGuard to the bridge....

Besides that you have two WireGuard interfaces on the go, one for home, one for Mullvad Sweden.
You want vlan110 to use the Sweden VPN and that's the only VLAN....

You mention a Proxmox container currently on vlan60, a VLAN you want to get rid of, so what's the plan for the Proxmox container?
What purpose is the container (not familiar with Proxmox devices)? Also, it's shown on the diagram on vlan1, not vlan60?

Also you fail to mention you also have a container on the router itself, what is that for??
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mullvad wireguard on existing VLAN

Wed May 31, 2023 8:00 pm

Modified:
/interface vlan
add interface=ether1-WAN name=vlan-internet vlan-id=300
add comment=servers interface=bridge-local name=vlan105 vlan-id=105
add comment="IOT network" interface=bridge-local name=vlan110 vlan-id=110
add comment="guest network" interface=bridge-local name=vlan120 vlan-id=120
add comment="mgmt network" interface=bridge-local name=Mvlan5 vlan-id=5


/ip pool
add name=dhcp-local ranges=192.168.0.180-192.168.0.254
add name=pool-vlan110 ranges=192.168.110.180-192.168.110.249
add name=pool-vlan120 ranges=192.168.120.180-192.168.120.254
add name=pool-vlan105 ranges=192.168.105.180-192.168.105.185



/ip dhcp-server
add address-pool=dhcp-local interface=Mvlan5 lease-time=5m name=\
dhcp-local
add address-pool=pool-vlan110 interface=vlan110 lease-time=5m name=\
dhcp-vlan110
add address-pool=pool-vlan120 interface=vlan120 lease-time=5m name=\
dhcp-vlan120
add address-pool=pool-vlan105 comment=server lease-time=10m interface=vlan105 \
name=dhcp-vlan105


/interface bridge port
add bridge=bridge-local ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether2-TV pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether3-Chromecast \
pvid=110
add bridge=bridge-local ingress-filtering=no interface=ether4 pvid=110 comment="hybrid port"
add bridge=bridge-local ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether5 pvid=110 comment="access port"
add bridge=bridge-local ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether6-switch pvid=110 comment="access port"
add bridge=bridge-local ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether7-arcam pvid=110 comment="access port"
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether9-RB260GSP comment="trunk port"
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether10-R500 comment="trunk port"
add bridge=bridge-local ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp-sfpplus1 pvid=5 comment="access port"
add bridge=bridge-local ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether8 pvid=5 comment="access port"
add bridge=bridge-local interface=veth1

/interface list member
add interface=bridge-local list=LAN
add interface=vlan-internet list=WAN
add interface=wireguard list=LAN


/interface wireguard peers
add allowed-address=10.0.0.2/32 comment="mobile" interface=wireguard \
public-key="xxx"
add allowed-address=10.0.0.3/32 comment="laptop" interface=wireguard \
public-key="xxx"
add allowed-address=0.0.0.0/0 comment=mullvad endpoint-address=\
185.213.154.68 endpoint-port=51820 interface=mullvad-upstream public-key=\
"xxx" persistent-keepalive=35s


/ip address
add address=192.168.0.1/24 interface=Mvlan5 network=192.168.0.0
add address=192.168.110.1/24 interface=vlan110 network=192.168.110.0
add address=192.168.120.1/24 interface=vlan120 network=192.168.120.0
add address=10.0.0.1/24 interface=wireguard network=10.0.0.0
add address=192.168.105.1/24 interface=vlan105 network=192.168.105.0
add address=10.66.250.98/24 comment=mullvad interface=mullvad-upstream network=\
10.66.250.0


/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.12,192.168.0.11 domain=local \
gateway=192.168.0.1
add address=192.168.105.0/24 dns-server=192.168.0.12,192.168.0.11 domain=\
local gateway=192.168.105.1 netmask=24
add address=192.168.110.0/24 dns-server=DNS PROVIDED BY MULLVAD domain=\
local gateway=192.168.110.1 netmask=24
add address=192.168.120.0/24 dns-server=192.168.0.12,192.168.0.11 domain=\
local gateway=192.168.120.1 netmask=24


/ip route
add comment=mullvad disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
mullvad-upstream pref-src="" routing-table=mullvad scope=30 \
suppress-hw-offload=no target-scope=10


/routing rule
add action=lookup-only-in-table comment="local traffic" dst-address=192.168.0.0/16 table=main
add action=lookup-only-in-table comment="response to wireguard" dst-address=10.0.0.0/24 table=main
add action=lookup-only-in-table comment=mullvad src-address=192.168.110.0/24 table=mullvad



/ip firewall mangle
add action=mark-routing chain=prerouting comment=mullvad in-interface=mullvad \
new-routing-mark=mullvad disabled=yes
Mangling NOT required!!!

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=Sweden-vpn out-interface=mullvad-upstream


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

KEEP UR PHUCKING RULE CHAINS TOGETHER...........

/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" \
connection-state=invalid

add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=wireguard dst-port=13231 log-prefix=\
wireguard protocol=udp
add action=accept chain=input comment="api access from homeassistant" \
dst-port=8728 protocol=tcp src-address=192.168.110.105
add action=accept chain=input comment="telegraf snmp" dst-address=192.168.0.1 \
protocol=udp src-address=192.168.105.14
add action=drop chain=input comment="defcon: drop all not coming from LAN" \
in-interface-list=!LAN
+++++++++++++++++++++++++++++++++++++++++++++++++

YOUR FORWARD CHAIN IS A COMPLETE MESS.
NOTE: DNS issues are not dealt with in the forward chain but in the NAT chain! You didn't mention pi-hole in the requirements......................
All you do is provide allow rules here, and then block all else with a DROP rule.
So allow LAN to WAN traffic,
Allow users to a DNS source, for example (if there is a DNS server and that's just part of other places, you will need to make DNS changes if so),
Allow port forwarding, for example,
Allow a certain VLAN to the Sweden VPN, for example,
ANY other specific allow rules.
DONE.

(get rid of the default rule --> defconf: drop all from WAN not DSTNATed)
Example....
/ip firewall filter
{default rules}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=no hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
{admin rules}
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="wireguard admin to vlans" in-interface=wireguard out-interface-list=LAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=accept chain=forward comment="allow vpn sweden" in-interface=vlan110 out-interface=mullvad-upstream
ANY OTHER ALLOW RULES YOU NEED
add action=drop chain=forward comment="drop all else"

Note: no need to add any drop rules...............
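The three /routing rule entries proposed above are evaluated first-match, and lookup-only-in-table never falls back to another table, so their order decides whether vlan110 can still reach vlan105 and the home WireGuard peers while its internet traffic goes into the tunnel. The following simulation is an added example, not RouterOS code or the poster's configuration: it models the two tables and the three rules from this thread with constructed sample flows, and shows what happens if the vlan110-to-Mullvad rule is accidentally listed first.

```python
"""Simulate RouterOS /routing rule evaluation for the Mullvad policy-routing
setup discussed in this thread. Constructed model, not RouterOS code: the
tables and rules are simplified to what the posted config contains."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Simplified routing tables built from the posted config: connected routes
# for each VLAN, the home WireGuard subnet and a default route via the ISP
# VLAN in "main"; only a default route via the tunnel in "mullvad".
TABLES = {
    "main": {
        ip_network("192.168.0.0/24"): "Mvlan5",
        ip_network("192.168.105.0/24"): "vlan105",
        ip_network("192.168.110.0/24"): "vlan110",
        ip_network("192.168.120.0/24"): "vlan120",
        ip_network("10.0.0.0/24"): "wireguard",
        ip_network("0.0.0.0/0"): "vlan-internet",
    },
    "mullvad": {
        ip_network("0.0.0.0/0"): "mullvad-upstream",
    },
}


@dataclass(frozen=True)
class Rule:
    """One /routing rule entry: every matcher given must match; first match wins."""
    table: str
    comment: str
    src: Optional[str] = None
    dst: Optional[str] = None


def lookup(table: str, dst: str) -> Optional[str]:
    """Longest-prefix match in a single table. None means 'no route': with
    lookup-only-in-table the packet is dropped instead of trying another table."""
    addr = ip_address(dst)
    matches = [(net, out) for net, out in TABLES[table].items() if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def route(rules: list[Rule], src: str, dst: str) -> tuple[str, Optional[str]]:
    """Return (table consulted, egress interface) for one packet. A packet that
    matches no rule is looked up in the main table, as RouterOS does by default."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.src and s not in ip_network(r.src):
            continue
        if r.dst and d not in ip_network(r.dst):
            continue
        return r.table, lookup(r.table, dst)
    return "main", lookup("main", dst)


# The three rules proposed in this thread, in the order they were given.
PROPOSED = [
    Rule("main", "local traffic", dst="192.168.0.0/16"),
    Rule("main", "response to wireguard", dst="10.0.0.0/24"),
    Rule("mullvad", "mullvad", src="192.168.110.0/24"),
]
# The same rules with the VLAN-to-tunnel rule listed first: an easy ordering mistake.
MISORDERED = [PROPOSED[2], PROPOSED[0], PROPOSED[1]]

# Constructed sample flows covering the poster's two requirements
# (stay reachable internally, reach the internet through the VPN).
FLOWS = {
    "vlan110 host to internet": ("192.168.110.80", "1.1.1.1"),
    "vlan110 host to postgres on vlan105": ("192.168.110.105", "192.168.105.11"),
    "vlan110 host replying to wireguard phone": ("192.168.110.105", "10.0.0.2"),
    "guest on vlan120 to internet": ("192.168.120.200", "1.1.1.1"),
}


def egress_table(rules: list[Rule] = PROPOSED) -> dict[str, tuple[str, Optional[str]]]:
    """Map each sample flow to the (table, egress interface) the rules select."""
    return {name: route(rules, s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("proposed order", PROPOSED), ("mullvad rule first", MISORDERED)):
        print(f"== {label}")
        for name, (table, out) in egress_table(rules).items():
            print(f"  {name:42s} table={table:8s} out={out}")
```

With the proposed order only vlan110's internet-bound traffic leaves via mullvad-upstream; with the Mullvad rule first, vlan110's database and WireGuard-reply traffic is looked up only in the mullvad table and is sent into the tunnel as well, which is exactly the internal reachability the poster wants to keep.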
 
ronajon
just joined
Topic Author
Posts: 21
Joined: Fri Feb 10, 2023 11:06 pm

Re: Mullvad wireguard on existing VLAN

Wed May 31, 2023 11:06 pm

Yeah, I don't do vlan1. Once I go VLANs the only thing the bridge does is bridging, no DHCP etc.
Also no, one does not attach WireGuard to the bridge....

Besides that you have two WireGuard interfaces on the go, one for home, one for Mullvad Sweden.
You want vlan110 to use the Sweden VPN and that's the only VLAN....

You mention a Proxmox container currently on vlan60, a VLAN you want to get rid of, so what's the plan for the Proxmox container?
What purpose is the container (not familiar with Proxmox devices)? Also, it's shown on the diagram on vlan1, not vlan60?

Also you fail to mention you also have a container on the router itself, what is that for??

Thanks for the help!
Proxmox is a virtual environment (VE): a type-1 hypervisor based on Debian GNU/Linux.
The container on vlan60 is just for testing. There are other containers running on Proxmox, for instance Radarr, Home Assistant, LMS (Logitech Media Server), but also InfluxDB and Postgres.
Some of them are on vlan105, others on vlan110.

The container on the router itself is an mDNS repeater container to make the Arcam SA30 amplifier and the Chromecast visible in VLANs other than vlan110.

I did forget to mention the 2 Pi-holes (192.168.0.12 and 192.168.0.11) as DNS servers for all networks (except vlan110 once it is connected to the Mullvad VPN).

I'm going to test the changes Friday when there is no one at home, so I can try without bothering others in my house :)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mullvad wireguard on existing VLAN

Thu Jun 01, 2023 1:18 am

Why do you need two piholes?
 
ronajon
just joined
Topic Author
Posts: 21
Joined: Fri Feb 10, 2023 11:06 pm

Re: Mullvad wireguard on existing VLAN

Thu Jun 01, 2023 7:42 am

For backup.
One is on a Raspberry Pi, the other runs in a container on the Proxmox server.
 
ronajon
just joined
Topic Author
Posts: 21
Joined: Fri Feb 10, 2023 11:06 pm

Re: Mullvad wireguard on existing VLAN

Sat Jun 03, 2023 4:34 pm

I've tried combining setting up the router with a new config together with the provided config, but somehow after that a lot goes wrong :shock:

- If I connect wired to ether5, I can't access the router, nor do I get an IP address. The only way to get access is via ether4 (because it's not configured yet, I can access it through RoMON).
- Devices connected to the router's ethernet ports don't get an IP address (ether2 pvid 110, ether3, ether6, ether7).
- Somehow the devices connected to the switch (which is connected to ether6) are accessible.


/interface bridge
add name=bridge-local vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] comment=192.168.110.16 name=ether2-TV
set [ find default-name=ether3 ] name=ether3-Chromecast
set [ find default-name=ether6 ] comment=meterkast name=ether6-switch
set [ find default-name=ether7 ] comment="arcam SA30" name=ether7-arcam
set [ find default-name=ether9 ] name=ether9-RB260GSP
set [ find default-name=ether10 ] name=ether10-R500 poe-priority=1
set [ find default-name=sfp-sfpplus1 ] disabled=yes

/interface veth
add address=172.17.0.2/24 gateway=172.17.0.1 name=veth1

/interface vlan
add comment="ISP" interface=ether1-WAN name=vlan-internet vlan-id=300
add comment="servers" interface=bridge-local name=vlan105 vlan-id=105
add comment="IOT network" interface=bridge-local name=vlan110 vlan-id=110
add comment="guest network" interface=bridge-local name=vlan120 vlan-id=120
add comment="mgmt network" interface=bridge-local name=Mvlan5 vlan-id=5

/interface wireguard
add comment=mullvad listen-port=4063 mtu=1420 name=mullvad-upstream private-key="xxx"
add listen-port=13231 mtu=1420 name=wireguard private-key="xxx"

/interface wireguard peers
add allowed-address=10.0.0.2/32 comment="mobiel ronald" interface=wireguard public-key="xxx"
add allowed-address=10.0.0.3/32 comment="carbon x1" interface=wireguard public-key="xxx"
add allowed-address=0.0.0.0/0 comment=mullvad endpoint-address=185.213.154.68 endpoint-port=51820 interface=mullvad-upstream public-key="xxx" persistent-keepalive=35s

/interface list
add comment="WAN interface" name=WAN
add comment="LAN interface" name=LAN

/interface list member
add interface=bridge-local list=LAN
add interface=vlan-internet list=WAN
add interface=wireguard list=LAN

/ip pool
add name=dhcp-local ranges=192.168.0.180-192.168.0.254
add name=pool-vlan105 ranges=192.168.105.180-192.168.105.249
add name=pool-vlan110 ranges=192.168.110.180-192.168.110.249
add name=pool-vlan120 ranges=192.168.120.180-192.168.120.190

/ip address
add address=192.168.0.1/24 interface=Mvlan5 network=192.168.0.0 comment=mgmt
add address=192.168.105.1/24 interface=vlan105 network=192.168.105.0 comment=servers
add address=192.168.110.1/24 interface=vlan110 network=192.168.110.0 comment=iot
add address=192.168.120.1/24 interface=vlan120 network=192.168.120.0 comment=guest
add address=10.0.0.1/24 interface=wireguard network=10.0.0.0 comment=vpn
add address=10.66.250.98/24 interface=mullvad-upstream network=10.124.0.0 comment=mullvad

/ip dhcp-server
add address-pool=dhcp-local comment=mgmt interface=Mvlan5 lease-time=5m name=dhcp-local
add address-pool=pool-vlan105 comment=servers interface=vlan105 lease-time=10m name=dhcp-vlan105
add address-pool=pool-vlan110 comment=iot interface=vlan110 lease-time=5m name=dhcp-vlan110
add address-pool=pool-vlan120 comment=guest interface=vlan120 lease-time=5m name=dhcp-vlan120

/ip dhcp-client
add interface=vlan-internet use-peer-ntp=no

/interface bridge port
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2-TV pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3-Chromecast pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=5
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether6-switch pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether7-arcam pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether9-RB260GSP
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether10-R500
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus1 pvid=5
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=5
add bridge=bridge-local interface=veth1

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.12,192.168.0.11 domain=local gateway=192.168.0.1 netmask=24
add address=192.168.105.0/24 dns-server=192.168.0.12,192.168.0.11 domain=local gateway=192.168.105.1 netmask=24
add address=192.168.110.0/24 dns-server=192.168.0.12,192.168.0.11 domain=local gateway=192.168.110.1 netmask=24
add address=192.168.120.0/24 dns-server=192.168.0.12,192.168.0.11 domain=local gateway=192.168.120.1 netmask=24

/routing table
add fib name=""
add comment=mullvad disabled=no fib name=mullvad

/ip route
add comment=mullvad disabled=no distance=1 dst-address=0.0.0.0/0 gateway=mullvad-upstream pref-src="" routing-table=mullvad scope=30 suppress-hw-offload=no target-scope=10

/routing rule
add action=lookup-only-in-table comment="local traffic" dst-address=192.168.0.0/16 table=main
add action=lookup-only-in-table comment="response to wireguard" dst-address=10.0.0.0/24 table=main
add action=lookup-only-in-table comment=mullvad src-address=192.168.110.0/24 table=mullvad

/ip firewall mangle
add action=mark-routing chain=prerouting comment=mullvad in-interface=mullvad new-routing-mark=mullvad disabled=yes

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=Sweden-vpn out-interface=mullvad-upstream

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=wireguard dst-port=13231 log-prefix=wireguard protocol=udp
add action=accept chain=input comment="api access from homeassistant" dst-port=8728 protocol=tcp src-address=192.168.110.105
add action=accept chain=input comment="telegraf snmp" dst-address=192.168.0.1 protocol=udp src-address=192.168.105.14
add action=drop chain=input comment="defcon: drop all not coming from LAN" in-interface-list=!LAN
 
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=no hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="wireguard admin to vlans" in-interface=wireguard out-interface-list=LAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=accept chain=forward comment="allow vpn sweden" in-interface=vlan110 out-interface=mullvad-upstream

 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mullvad wireguard on existing VLAN

Sat Jun 03, 2023 7:28 pm

Okay, the config is looking good. Now, I guessed on the functionality of ports a bit, so let's clarify them to ensure it's accurate.

WAN ether1 - is your WAN port (v300)
(access port) ether2 - goes to a dumb device ( TV - 110 )
(access port) ether3 - goes to a dumb device ( media - 110 )
(access port) ether5 - goes to a dumb device ( PC> 5 ) ADMIN?
(access port) ether6 - goes to a dumb device ( dumb switch - 110 )
(access port) ether7 - goes to a dumb device ( camera - 110 )
(access port) ether8 - goes to a dumb device ( PC> 5)
(trunk port) ether9 - goes to a smart device ( smart switch )
(trunk port) ether10 - goes to a smart device ( unknown )
(access port) sfp-sfpplus1 - goes to a dumb device ( PC> 5 ) ADMIN?

++++++++++++++++++++++++++++++++++++

MISSING is your config for
/interface bridge vlan ?????

Also, where is any mention of vlan120? It's not in any of your bridge settings??
Where is ether4 (purpose)? Before, it was down as a hybrid port, carrying 110 untagged and vlan105 tagged??


+++++++++++++++++++++++++++++++++++++++++++++++++++


You forgot to change this line........
add address=192.168.110.0/24 dns-server=192.168.0.12,192.168.0.11 domain=local gateway=192.168.110.1 netmask=24

If 110 is truly going to go out Mullvad for internet, then you need to put the DNS entry(s) that Mullvad gave you for their network here...... ( and get rid of the local setting ).

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Let's look at the logic......
add action=accept chain=input comment="api access from homeassistant" dst-port=8728 protocol=tcp src-address=192.168.110.105
add action=accept chain=input comment="telegraf snmp" dst-address=192.168.0.1 protocol=udp src-address=192.168.105.14
add action=drop chain=input comment="defcon: drop all not coming from LAN" in-interface-list=!LAN


Reading the last rule, it says: drop anything TO THE ROUTER unless it's coming from the LAN.
If you agree with that, then the two rules above are not required, technically speaking, as both sources are coming from the LAN. Leave them be, as no harm no foul, that is working etc.. But just so you better understand how the rules work.

++++++++++++++++++++++++++++++++++++++++++++++++++++
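The review above is done by eye: every access port's pvid needs a bridge vlan entry that lists the port untagged and bridge-local tagged, and trunk ports must be tagged somewhere. The following checker is an added example (not code from the thread or from MikroTik) that parses the `/interface vlan`, `/interface bridge port` and `/interface bridge vlan` sections of an export and reports those mismatches; SAMPLE is constructed from the thread, combining ronajon's bridge ports (ether5 still pvid=5) with his proposed vlan table, which has no entry for vlan 5.

```python
"""Consistency checks for a RouterOS bridge-VLAN table (added example).

Findings reported: an access port whose pvid has no bridge-vlan entry listing
it untagged (with vlan-filtering=yes the port then exchanges frames with no
other member, the "no DHCP lease" symptom in the thread); a port listed
untagged in a VLAN other than its pvid; a trunk port tagged nowhere; and a
VLAN with an L3 interface on the bridge but no bridge-local tag (the router
itself never sees that VLAN, so its DHCP server cannot answer).
"""
import re
from collections import defaultdict

# Constructed from the thread: ronajon's bridge ports plus his proposed
# bridge vlan table, which lacks an entry for the management vlan 5.
SAMPLE = """\
/interface vlan
add comment="mgmt network" interface=bridge-local name=Mvlan5 vlan-id=5
add comment="IOT network" interface=bridge-local name=vlan110 vlan-id=110
add comment="guest network" interface=bridge-local name=vlan120 vlan-id=120
/interface bridge port
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2-TV pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=5
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether9-RB260GSP
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether10-R500
add bridge=bridge-local interface=veth1
/interface bridge vlan
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local,veth1 untagged=ether2-TV,ether5 vlan-ids=110
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local,veth1 vlan-ids=120
"""

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')   # key=value or key="quoted value"


def parse_export(text):
    """Group the `add ...` lines of an export under their `/section` header."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current is not None:
            sections[current].append(
                {k: v.strip('"') for k, v in KV.findall(line[4:])})
    return sections


def _csv(value):
    return set(filter(None, value.split(",")))


def check_bridge_vlans(sections, bridge="bridge-local"):
    """Return a list of human-readable findings; an empty list means consistent."""
    tagged, untagged = defaultdict(set), defaultdict(set)
    for e in sections["/interface bridge vlan"]:
        if e.get("bridge") != bridge:
            continue
        for vid in e["vlan-ids"].split(","):       # vlan-ids may be a list
            tagged[vid] |= _csv(e.get("tagged", ""))
            untagged[vid] |= _csv(e.get("untagged", ""))

    findings = []
    for p in sections["/interface bridge port"]:
        if p.get("bridge") != bridge:
            continue
        name = p["interface"]
        pvid = p.get("pvid", "1")                   # RouterOS default pvid
        ftype = p.get("frame-types", "admit-all")
        if ftype == "admit-only-vlan-tagged":       # trunk port
            if not any(name in t for t in tagged.values()):
                findings.append(f"trunk port {name}: tagged in no bridge vlan entry")
        elif ftype == "admit-only-untagged-and-priority-tagged":  # access port
            if name not in untagged[pvid]:
                findings.append(f"access port {name}: pvid {pvid} has no bridge "
                                f"vlan entry listing it untagged")
            for vid, members in untagged.items():
                if vid != pvid and name in members:
                    findings.append(f"access port {name}: untagged in vlan {vid} "
                                    f"but its pvid is {pvid}")
        else:                                       # hybrid port, e.g. veth1
            members = set().union(*tagged.values(), *untagged.values())
            if name not in members:
                findings.append(f"hybrid port {name}: member of no bridge vlan entry")

    for v in sections["/interface vlan"]:
        vid = v["vlan-id"]
        if v.get("interface") == bridge and bridge not in tagged[vid]:
            findings.append(f"{v['name']} (vlan {vid}): {bridge} is not tagged, "
                            f"the router itself will not see this VLAN")
    return findings


if __name__ == "__main__":
    for finding in check_bridge_vlans(parse_export(SAMPLE)):
        print(finding)
```

Feeding the same checker the export with no `/interface bridge vlan` section at all flags every port and every VLAN interface, which is what the first reply's "MISSING is your config for /interface bridge vlan" amounts to.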
 
ronajon
just joined
Topic Author
Posts: 21
Joined: Fri Feb 10, 2023 11:06 pm

Re: Mullvad wireguard on existing VLAN

Sat Jun 03, 2023 8:05 pm

Most of the ports are right.

ether5 is not used, I would like to assign that to vlan110
ether4 is not used, I would like to assign that to management vlan105
ether8 is not used, no purpose for that port
ether9 goes to an RB260GS switch (must provide vlan5, 105, 110 and 120)
ether10 goes to a Ruckus R500 wireless access point (must provide vlan5, 110 and 120)

Can I add this for bridge vlan?
/interface bridge vlan
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local,veth1 untagged=ether2-TV,ether3-Chromecast,ether5,ether7-arcam,ether6-switch vlan-ids=110
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local,veth1 vlan-ids=120
add bridge=bridge-local tagged=bridge-local,ether9-RB260GSP vlan-ids=105
I'll remove the local domain from 192.168.110.0/24 and add Mullvad DNS.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mullvad wireguard on existing VLAN

Sat Jun 03, 2023 8:14 pm

vlan 5 is your management lan, vlan105 is your server lan,,,,,,,,,,,,,,,,?
 
ronajon
just joined
Topic Author
Posts: 21
Joined: Fri Feb 10, 2023 11:06 pm

Re: Mullvad wireguard on existing VLAN

Sat Jun 03, 2023 8:21 pm

Correct, my mistake.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mullvad wireguard on existing VLAN

Sat Jun 03, 2023 8:31 pm

Based on your latest feedback........... I assumed the mistake was you wanted the server vlan on ether4 ( not the management vlan ); if that's not the case...........will have to modify.......

/interface bridge port
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2-TV pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3-Chromecast pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=105
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=110

add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether6-switch pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether7-arcam pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether9-RB260GSP
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether10-R500
add bridge=bridge-local interface=veth1

/interface bridge vlan
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local,veth1 untagged=ether2-TV,ether3-Chromecast,ether5,ether7-arcam,ether6-switch vlan-ids=110
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local,veth1 vlan-ids=120

add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local vlan-ids=5
add bridge=bridge-local tagged=bridge-local,ether9-RB260GSP untagged=ether4 vlan-ids=105


+++++++++++++++++++++++++
As for ether8, you could always use that for off-bridge access, and I highly recommend with complex bridge setups to do your configuring from this port, to avoid getting locked out at any time.

Name it ether8-access.
Give it an IP address:
10.20.30.1/24 network=10.20.30.0 or whatever IP you want.....
Then ensure it's OFF the bridge.
Add it as a LAN interface member, ether8-access.
Then ensure you can access it from WinBox ( modify any rules as necessary ).
You should be able to enter an IPv4 setting on the PC and gain access to the router via WinBox.

Also always use safe mode!
viewtopic.php?t=181718
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mullvad wireguard on existing VLAN

Sat Jun 03, 2023 8:35 pm

If you meant ether4 should have vlan5 then it would look like............

/interface bridge port
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2-TV pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3-Chromecast pvid=110

add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=5
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether6-switch pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether7-arcam pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether9-RB260GSP
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether10-R500
add bridge=bridge-local interface=veth1


/interface bridge vlan
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local,veth1 untagged=ether2-TV,ether3-Chromecast,ether5,ether7-arcam,ether6-switch vlan-ids=110
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local,veth1 vlan-ids=120
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local untagged=ether4 vlan-ids=5
add bridge=bridge-local tagged=bridge-local,ether9-RB260GSP vlan-ids=105
 
ronajon
just joined
Topic Author
Posts: 21
Joined: Fri Feb 10, 2023 11:06 pm

Re: Mullvad wireguard on existing VLAN

Sun Jun 04, 2023 11:16 pm

Getting there, this is helping a lot!
The off-bridge access was just implemented, so finally I don't deny myself access anymore.
Before, I had to hardware reset the router to the default config for access :shock:

One other question.
My WiFi access point is on ether10-R500.
I have 3 WiFi networks, one each for vlan1, vlan110 and vlan120.
The vlan110 and 120 networks I can connect to with WiFi, but the vlan1 WiFi I cannot.
Should I change the settings of the vlan1 network to vlan5?
I should get an IP address.
Screenshot_2023-06-04_22-12-45.png
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mullvad wireguard on existing VLAN

Mon Jun 05, 2023 12:26 am

YES!!! ( use v5 )

Do not use vlan1 for traffic. ( Clue: we do not have any ports carrying data on vlan1. )
It's always there in the background on smart devices on all trunk ports, and is only removed when one has an access port ( untagged pvid setting ).
 
ronajon
just joined
Topic Author
Posts: 21
Joined: Fri Feb 10, 2023 11:06 pm

Re: Mullvad wireguard on existing VLAN

Mon Jun 05, 2023 5:59 pm

For some reason, I can connect to the WiFi access point on ether10-R500, but am unable to access the admin page 192.168.0.5.

ether9-rb260gs is on vlan1 and is connected to a MikroTik switch (RB260GS). The switch has IP address 192.168.0.2.
ether10-r500 is also on vlan1 and is connected to a Ruckus R500 access point, and should be accessible on IP address 192.168.0.5.

The switch is accessible, but the access point is not?

I tried to connect directly on the WinBox console, and through a laptop which is connected to ether4-vlan5. Both do connect to the switch, but not the AP.

For a complete picture, I have 2 Ruckus access points which are combined and create 3 WiFi networks (a separate network for every VLAN).
The master AP is connected directly to the router (ether10-r500), the slave AP is connected to a port on the switch (RB260GS), which is connected to the router on port ether9-rb260gs. The master AP is also the controller for the WiFi networks.
Last edited by ronajon on Mon Jun 05, 2023 6:38 pm, edited 1 time in total.
 
ronajon
just joined
Topic Author
Posts: 21
Joined: Fri Feb 10, 2023 11:06 pm

Re: Mullvad wireguard on existing VLAN

Mon Jun 05, 2023 6:17 pm

I tried connecting to the wireless networks.

The vlan5 wireless network I get a connection to, but am unable to access the admin page (192.168.0.5).
The vlan110 network connects, and even provides a connection to the internet (probably because it connects with the VPN).
The vlan120 network connects, and has an internet connection through DNS 192.168.0.11.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mullvad wireguard on existing VLAN

Mon Jun 05, 2023 6:52 pm

There is no vlan1 for traffic or control.
Every smart device should be on vlan5 and get an IP from vlan5!!
 
ronajon
just joined
Topic Author
Posts: 21
Joined: Fri Feb 10, 2023 11:06 pm

Re: Mullvad wireguard on existing VLAN

Tue Jun 06, 2023 11:15 am

So what is vlan1 used for?
Can I see that as a sort of trunk port, both to the switch (ether9-rb260gs) and the WiFi network (ether10-r500)?

Strangest thing is that I can access the switch config page (192.168.0.2) over vlan1, but not the config pages for the AP (192.168.0.5).
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mullvad wireguard on existing VLAN

Tue Jun 06, 2023 3:18 pm

Vlan1 is a background entity used by the bridge and smart devices and should not concern you in any way.
If you are using vlan1 for data, as I stated, replace it with a full vlan ( DHCP etc. ).
Then repost your config for review if still having issues.
 
ronajon
just joined
Topic Author
Posts: 21
Joined: Fri Feb 10, 2023 11:06 pm

Re: Mullvad wireguard on existing VLAN

Wed Jun 07, 2023 8:13 pm

The Ruckus R500 access point is not able to have a management VLAN.

https://community.ruckuswireless.com/t5 ... /m-p/34541
"Unleashed does not allow Management IP to be on a VLAN (unlike Zone Director / non-Unleashed version) but it does allow Wifi SSID to be assigned to specific VLANs. So configuration I used was to have a trunk port to the Ruckus AP from the switch. However it needs to be configured so the untagged traffic (from the AP) is tagged to your management VLAN and then the SSID VLANs as members. On Juniper switches this is called native-tagging. Exact configuration depends on your switch vendor.

You can then used Advanced options to define the specific VLAN tags for each SSID network.

There is no option to configure tagging for the AP management traffic within Unleashed
"

https://www.reddit.com/r/RuckusWiFi/com ... _to_trunk/
"If you don't have a management VLAN set on the AP, you just need to set the port on the switch to switchport trunk native vlan 500."

I tried setting the VLAN of ether10-r500 to pvid 5, but that did not help.

/interface bridge
add name=bridge-local vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] comment="TV" name=ether2-TV
set [ find default-name=ether3 ] comment=Chromecast name=ether3-Chromecast
set [ find default-name=ether4 ] comment="vlan5 access" name=ether4-vlan5
set [ find default-name=ether5 ] comment="vlan110 access" name=ether5-vlan110
set [ find default-name=ether6 ] comment=meterkast name=ether6-switchMeterkast
set [ find default-name=ether7 ] comment="arcam SA30" name=ether7-arcamSA30
set [ find default-name=ether8 ] comment=access name=ether8-access
set [ find default-name=ether9 ] name=ether9-RB260GSP
set [ find default-name=ether10 ] name=ether10-R500 poe-priority=1
set [ find default-name=sfp-sfpplus1 ] disabled=yes

/interface veth
add address=172.17.0.2/24 gateway=172.17.0.1 name=veth1

/interface vlan
add comment="ISP" interface=ether1-WAN name=vlan-internet vlan-id=300
add comment="mgmt network" interface=bridge-local name=Mvlan5 vlan-id=5
add comment="servers" interface=bridge-local name=vlan105 vlan-id=105
add comment="IOT network" interface=bridge-local name=vlan110 vlan-id=110
add comment="guest network" interface=bridge-local name=vlan120 vlan-id=120

/interface bridge vlan
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local,veth1 untagged=ether4 vlan-ids=5
add bridge=bridge-local tagged=bridge-local,ether9-RB260GSP vlan-ids=105
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local,veth1 untagged=ether2-TV,ether3-Chromecast,ether5,ether7-arcamSA30,ether6-switchMeterkast vlan-ids=110
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local,veth1 vlan-ids=120

/interface wireguard
add comment=mullvad listen-port=4063 mtu=1420 name=mullvad-upstream private-key="xx"
add listen-port=13231 mtu=1420 name=wireguard private-key="xx"

/interface wireguard peers
add allowed-address=10.0.0.2/32 comment="mobiel" interface=wireguard public-key="xx"
add allowed-address=10.0.0.3/32 comment="laptop" interface=wireguard public-key="xx"
add allowed-address=0.0.0.0/0 comment="mullvad nl-ams-wg-004" endpoint-address=193.32.249.69 endpoint-port=51820 interface=mullvad-upstream public-key="xx" persistent-keepalive=35s

/interface list
add comment="WAN interface" name=WAN
add comment="LAN interface" name=LAN
add comment="Trusted" name=Trusted

/interface list member
add interface=bridge-local list=LAN
add interface=vlan-internet list=WAN
add interface=wireguard list=LAN
add interface=ether8-access list=Trusted
add interface=Mvlan5 list=Trusted

/ip pool
add name=dhcp-local ranges=192.168.0.180-192.168.0.254
add name=pool-vlan105 ranges=192.168.105.180-192.168.105.249
add name=pool-vlan110 ranges=192.168.110.180-192.168.110.249
add name=pool-vlan120 ranges=192.168.120.180-192.168.120.190

/ip address
add address=192.168.0.1/24 interface=Mvlan5 network=192.168.0.0 comment=mgmt
add address=192.168.105.1/24 interface=vlan105 network=192.168.105.0 comment=servers
add address=192.168.110.1/24 interface=vlan110 network=192.168.110.0 comment=iot
add address=192.168.120.1/24 interface=vlan120 network=192.168.120.0 comment=guest
add address=10.0.0.1/24 interface=wireguard network=10.0.0.0 comment=vpn
add address=10.66.250.98/32 interface=mullvad-upstream network=10.124.0.0 comment="mullvad upstream"
add address=10.10.10.1/24 interface=ether8-access network=10.10.10.0 comment="router access port"

/ip dhcp-server
add address-pool=dhcp-local comment=mgmt interface=Mvlan5 lease-time=5m name=dhcp-local
add address-pool=pool-vlan105 comment=servers interface=vlan105 lease-time=10m name=dhcp-vlan105
add address-pool=pool-vlan110 comment=iot interface=vlan110 lease-time=5m name=dhcp-vlan110
add address-pool=pool-vlan120 comment=guest interface=vlan120 lease-time=5m name=dhcp-vlan120

/ip dhcp-client
add interface=vlan-internet use-peer-ntp=no

/interface bridge port
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2-TV pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3-Chromecast pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=5
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether6-switchMeterkast pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether7-arcamSA30 pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether9-RB260GSP
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether10-R500
add bridge=bridge-local interface=veth1

/ip dhcp-server lease
add address=192.168.110.80 client-id=1:2c:ab:33:9a:29:4 mac-address=2C:AB:33:9A:29:04 server=dhcp-vlan110
add address=192.168.110.16 client-id=1:8c:79:f5:93:ef:14 comment="Samsung Tizen" mac-address=8C:79:F5:93:EF:14 server=dhcp-vlan110
add address=192.168.110.17 client-id=1:c0:56:27:8f:d5:ea mac-address=C0:56:27:8F:D5:EA server=dhcp-vlan110
add address=192.168.110.20 comment=Chromecast mac-address=44:09:B8:FE:EB:8C server=dhcp-vlan110
add address=192.168.110.59 comment="lightswitch slp2" mac-address=DC:4F:22:CB:07:2C server=dhcp-vlan110
add address=192.168.110.62 comment=trap mac-address=DC:4F:22:FA:56:A1 server=dhcp-vlan110
add address=192.168.110.60 comment="lightswitch werkkamer" mac-address=60:01:94:99:7A:26 server=dhcp-vlan110
add address=192.168.110.61 comment="lightswitch slp" mac-address=60:01:94:99:78:4D server=dhcp-vlan110
add address=192.168.110.58 comment="wasmachine PoW r2" mac-address=CC:50:E3:1A:F6:8B server=dhcp-vlan110
add address=192.168.110.50 comment=gateway mac-address=7C:49:EB:1C:F3:47 server=dhcp-vlan110
add address=192.168.110.57 comment=s20 mac-address=B4:E6:2D:25:3F:73 server=dhcp-vlan110
add address=192.168.110.51 comment=gang1 mac-address=60:01:94:D6:08:CB server=dhcp-vlan110
add address=192.168.110.52 comment=gang2 mac-address=60:01:94:D6:C7:B3 server=dhcp-vlan110
add address=192.168.110.63 comment="lightswitch slp1" mac-address=DC:4F:22:C6:A5:22 server=dhcp-vlan110
add address=192.168.110.18 client-id=1:0:11:32:d9:61:16 comment=DS920 mac-address=00:11:32:D9:61:16 server=dhcp-vlan110
add address=192.168.110.66 comment=voorraadkast mac-address=34:CE:00:9B:16:08 server=dhcp-vlan110
add address=192.168.110.69 mac-address=54:48:E6:53:5A:87 server=dhcp-vlan110
add address=192.168.110.68 mac-address=64:90:C1:97:AB:E2 server=dhcp-vlan110
add address=192.168.110.67 mac-address=5C:E5:0C:E1:7B:F0 server=dhcp-vlan110
add address=192.168.110.70 mac-address=54:48:E6:51:C8:C0 server=dhcp-vlan110
add address=192.168.110.40 comment=OTGW mac-address=F4:CF:A2:ED:C2:4B server=dhcp-vlan110
add address=192.168.0.10 client-id=1:e4:5f:1:70:90:93 comment="sensecap M1" mac-address=E4:5F:01:70:90:93 server=dhcp-local
add address=192.168.110.71 mac-address=54:48:E6:53:59:BB server=dhcp-vlan110
add address=192.168.110.22 comment="P1 dongle" mac-address=A8:48:FA:E9:15:68 server=dhcp-vlan110
add address=192.168.110.5 client-id=1:ca:7a:a8:1a:6c:61 comment=docker mac-address=CA:7A:A8:1A:6C:61 server=dhcp-vlan110
add address=192.168.110.142 client-id=1:6a:3f:2d:31:84:4e comment=pixel6 mac-address=6A:3F:2D:31:84:4E server=dhcp-vlan110
add address=192.168.110.24 mac-address=18:FE:34:CF:74:17 server=dhcp-vlan110
add address=192.168.110.81 comment="alfen wallbox" mac-address=3A:65:45:61:7E:46 server=dhcp-vlan110
add address=192.168.110.55 comment="AC werkkamer" mac-address=60:01:94:0C:66:E1 server=dhcp-vlan110
add address=192.168.110.15 client-id=1:0:1b:7c:8:3b:24 comment="arcam SA30" mac-address=00:1B:7C:08:3B:24 server=dhcp-vlan110
add address=192.168.110.56 comment="AC" mac-address=40:F5:20:2D:29:DD server=dhcp-vlan110

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.12,192.168.0.11 domain=local gateway=192.168.0.1 netmask=24
add address=192.168.105.0/24 dns-server=192.168.0.12,192.168.0.11 domain=local gateway=192.168.105.1 netmask=24
add address=192.168.110.0/24 dns-server=100.64.0.23 gateway=192.168.110.1 netmask=24
add address=192.168.120.0/24 dns-server=192.168.0.12,192.168.0.11 domain=local gateway=192.168.120.1 netmask=24

/routing table
add fib name=""
add comment=mullvad disabled=no fib name=mullvad

/ip route
add comment=mullvad disabled=no distance=1 dst-address=0.0.0.0/0 gateway=mullvad-upstream pref-src="" routing-table=mullvad scope=30 suppress-hw-offload=no target-scope=10

/routing rule
add action=lookup-only-in-table comment="local traffic" dst-address=192.168.0.0/16 table=main
add action=lookup-only-in-table comment="response to wireguard" dst-address=10.0.0.0/24 table=main
add action=lookup-only-in-table comment=mullvad src-address=192.168.110.0/24 table=mullvad

/ip firewall address-list
add address=192.168.105.0/24 list="vlan"
add address=192.168.110.0/24 list="vlan"
add address=192.168.120.0/24 list="vlan"
add address=192.168.0.11 list=dnsservers
add address=192.168.0.12 list=dnsservers

/ip firewall mangle
add action=mark-routing chain=prerouting comment=mullvad in-interface=mullvad new-routing-mark=mullvad disabled=yes

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=Sweden-vpn out-interface=mullvad-upstream

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=wireguard dst-port=13231 log-prefix=wireguard protocol=udp
add action=accept chain=input comment="api access from homeassistant" dst-port=8728 protocol=tcp src-address=192.168.110.105
add action=accept chain=input comment="telegraf snmp" dst-address=192.168.0.1 protocol=udp src-address=192.168.105.14
add action=accept chain=input in-interface=Mvlan5
add action=accept chain=input in-interface=ether8-access src-address=10.10.10.0/24
add action=drop chain=input comment="defcon: drop all not coming from LAN" in-interface-list=!LAN
 
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=no hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="wireguard admin to vlans" in-interface=wireguard out-interface-list=LAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=accept chain=forward comment="allow vpn sweden" in-interface=vlan110 out-interface=mullvad-upstream
add action=accept chain=forward comment="VLAN DNS" dst-address-list=dnsservers dst-port=53 protocol=udp src-address-list="vlan"
add action=accept chain=forward comment="VLAN DNS" dst-address-list=dnsservers dst-port=53 protocol=tcp src-address-list="vlan"

/container
add envlist=repeater_envs hostname=mdns-repeater interface=veth1 start-on-boot=yes file=mdns-repeater.tar

/container envs
add key=REPEATER_INTERFACES name=repeater_envs value="eth0.110 eth0.120"

/container
start 0

/ip/neighbor/discovery-settings
set discover-interface-list=Trusted

/tool mac-server mac-winbox
set allowed-interface-list=Trusted

/system ntp client
set enabled=yes

/system ntp client servers
add address=64.99.80.121
add address=20.101.57.9

/snmp
set enabled=yes trap-generators="" trap-version=2

/system clock
set time-zone-name=Europe/Amsterdam

/system script
add dont-require-permissions=no name=backup owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":global backupname (\"BACKUP\" . \"-\" . [/system identity get name] . \"-\" . [:pick [/system clock get date] 4 6] . [:pick [/system clock get date] 0 3] . [:pick [/system clock get date] 7 11] . \".backup\");\r\n:global backupnamersc (\"BACKUP\" . \"-\" . [/system identity get name] . \"-\" . [:pick [/system clock get date] 4 6] . [:pick [/system clock get date] 0 3] . [:pick [/system clock get date] 7 11] . \".rsc\");\r\n/system backup save name=\$backupname\r\n/export file=\$backupnamersc\r\n/tool fetch address=192.168.110.18 mode=ftp user=ftpaccess password=userftp src-path=\$backupname dst-path=\"/Backup/Mikrotik/\$backupname\" upload=yes\r\n/tool fetch address=192.168.110.18 mode=ftp user=ftpaccess password=userftp src-path=\$backupnamersc dst-path=\"/Backup/Mikrotik/\$backupnamersc\" upload=yes"

/tool netwatch
add comment="update DNS when Unbound is down" disabled=no down-script="/ip/dhcp-server/network/set dns-server=1.1.1.1,1.0.0.1 numbers=1,2,3,4" host=192.168.0.13 http-codes="" interval=1m start-delay=5m test-script="" type=simple up-script="/ip/dhcp-server/network/set dns-server=192.168.0.12,192.168.0.11 numbers=1,2,3,4"

/ipv6/settings
set disable-ipv6=yes

 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mullvad wireguard on existing VLAN

Wed Jun 07, 2023 11:44 pm

Okay so eth10 is problematic..............

NO worries,
Is there a default management ID or vlan or IP address on the R500 and if so what is it?
If not is it blank?

How I would go about it.
1. TRUNK PORT APPROACH
a. R500: define all vlans required for SSIDs, assign management vlan to be vlan5 and put in a static IP address that you want the R500 to have on the VLAN5 subnet.
b. Mikrotik, no change required, it is setup to view ether10 as a trunk port.

/interface bridge port
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2-TV pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3-Chromecast pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=5
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether6-switch pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether7-arcam pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether9-RB260GSP
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether10-R500
add bridge=bridge-local interface=veth1


/interface bridge vlan
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local,veth1 untagged=ether2-TV,ether3-Chromecast,ether5,ether7-arcam,ether6-switch vlan-ids=110
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local,veth1 vlan-ids=120
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local untagged=ether4 vlan-ids=5
add bridge=bridge-local tagged=bridge-local,ether9-RB260GSP vlan-ids=105


2. HYBRID PORT APPROACH
a. R500: do not assign a management vlan, define all vlans required for SSIDs, put in a static IP address for the R500 that you want it to have on the vlan5 subnet.
b. Mikrotik: should be untagged on ether10 for vlan5.


/interface bridge port
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2-TV pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3-Chromecast pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=5
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether6-switch pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether7-arcam pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether9-RB260GSP
add bridge=bridge-local interface=ether10-R500 pvid=5
add bridge=bridge-local interface=veth1

/interface bridge vlan
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local,veth1 untagged=ether2-TV,ether3-Chromecast,ether5,ether7-arcam,ether6-switch vlan-ids=110
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local,veth1 vlan-ids=120
add bridge=bridge-local tagged=ether9-RB260GSP,bridge-local untagged=ether10-R500,ether4 vlan-ids=5
add bridge=bridge-local tagged=bridge-local,ether9-RB260GSP vlan-ids=105
 
ronajon
just joined
Topic Author
Posts: 21
Joined: Fri Feb 10, 2023 11:06 pm

Re: Mullvad wireguard on existing VLAN

Mon Jun 12, 2023 10:03 pm

need to try the settings to see if the wifi is working.

meanwhile, i seem to have difficulties getting the devices on the switch RB260GS (SwitchOS) working with the new vlan5 ?

here's what i have right now.

R500_zolder is another wifi AccessPoint working as a mesh with the one connected to the RB4011 Router (should provide vlan5, vlan110, vlan120)
ds920 is a Synology NAS which should be accessible from vlan5 and vlan110
proxmox is the virtualization server, accessible through 192.168.0.20. it has containers running in vlan5, vlan105 and vlan110
port5 is the actual HP server on which proxmox runs. accessible only on ip 192.168.0.8
the SFP port i don't use
Screenshot_2023-06-12_21-01-00.png
Screenshot_2023-06-12_21-01-15.png
 
ronajon
just joined
Topic Author
Posts: 21
Joined: Fri Feb 10, 2023 11:06 pm

Re: Mullvad wireguard on existing VLAN

Wed Jun 14, 2023 4:56 pm

Okay so eth10 is problematic..............

NO worries,
Is there a default management ID or vlan or IP address on the R500 and if so what is it?
If not is it blank?

How I would go about it.
1. TRUNK PORT APPROACH
a. R500: define all vlans required for SSIDs, assign management vlan to be vlan5 and put in a static IP address that you want the R500 to have on the VLAN5 subnet.
b. Mikrotik, no change required, it is setup to view ether10 as a trunk port.

...........

2. HYBRID PORT APPROACH
a. R500: do not assign a management vlan, define all vlans required for SSIDs, put in a static IP address for the R500 that you want it to have on the vlan5 subnet.
b. Mikrotik: should be untagged on ether10 for vlan5.


/interface bridge port
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2-TV pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3-Chromecast pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=5
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether6-switch pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether7-arcam pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether9-RB260GSP
add bridge=bridge-local interface=ether10-R500 pvid=5
add bridge=bridge-local interface=veth1

/interface bridge vlan
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local,veth1 untagged=ether2-TV,ether3-Chromecast,ether5,ether7-arcam,ether6-switch vlan-ids=110
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local,veth1 vlan-ids=120
add bridge=bridge-local tagged=ether9-RB260GSP,bridge-local untagged=ether10-R500,ether4 vlan-ids=5
add bridge=bridge-local tagged=bridge-local,ether9-RB260GSP vlan-ids=105

today i tried approach 2: HYBRID PORT APPROACH
unfortunately i can only get the wifi working partially.

below is a schematic view of the wifi

port ether10-r500 should act as a hybrid port, providing access to the management interface of the AP (192.168.0.30) through native vlan, and also access to the 3 wifi networks with their own vlan (5,110,120). The AP is also accessible through an AP address (192.168.0.31) because with Ruckus unleashed the accesspoints create a sort of a mesh network, with one management interface and also an interface per AP. I do have another AP which is not in the drawing, providing the same wifi networks. for testing i already disabled that AP, so now there is just the AP on ether10-r500 port.

with the hybrid port approach i can access the management interface when ether10-r500 is untagged. but then only the management vlan5 does not have access to the network (i can see that because on that SSID i can't get an ip address, on the other 2 SSIDs i do)

when i change the vlan5 to have ether10-r500 tagged, i do get an SSID for all wifi networks, but can't connect to the AP. both management ip and AP ip are then inaccessible.
network wifi.png
management ip of the ruckus network
Screenshot_2023-06-14_15-54-55.png
AP interface of one of the access points
Screenshot_2023-06-14_15-55-25.png
Last edited by ronajon on Wed Jun 14, 2023 11:39 pm, edited 1 time in total.
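A small consistency checker for the `/interface bridge port` and `/interface bridge vlan` export lines from the trunk and hybrid port approaches above, added here as an example (not code from the thread or from MikroTik). It classifies each port as access, trunk or hybrid and flags the mismatch behind the symptom described in the post: a port whose pvid vlan is not also listed as untagged for that port, which is what happens when vlan5 is made tagged on ether10-r500. The sample config is constructed and abridged from the hybrid port approach; the default pvid of 1 is RouterOS behaviour.

```python
import re
KV = re.compile(r'([\w-]+)=(\S+)')   # key=value tokens on an 'add ...' export line
# Constructed sample, abridged from the hybrid port approach above: ether4 = access port,
# ether9-RB260GSP = trunk, ether10-R500 = hybrid (pvid 5 untagged, vlans 110/120 tagged).
SAMPLE = """
/interface bridge port
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=5
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether9-RB260GSP
add bridge=bridge-local interface=ether10-R500 pvid=5
/interface bridge vlan
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local vlan-ids=110,120
add bridge=bridge-local tagged=ether9-RB260GSP,bridge-local untagged=ether10-R500,ether4 vlan-ids=5
"""
# Same layout with vlan 5 made tagged on ether10-R500, the variant that lost management access.
SAMPLE_TAGGED = SAMPLE.replace("tagged=ether9-RB260GSP,bridge-local untagged=ether10-R500,ether4 vlan-ids=5",
                               "tagged=ether10-R500,ether9-RB260GSP,bridge-local untagged=ether4 vlan-ids=5")

def parse_export(text):
    """Return ({port: {key: value}}, {vlan_id: {'tagged': set, 'untagged': set}})."""
    ports, vlans, section = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('/'):
            section = line
        elif line.startswith('add ') and section:
            kv = dict(KV.findall(line))
            if section == '/interface bridge port':
                ports[kv['interface']] = kv
            elif section == '/interface bridge vlan':
                members = {k: set(filter(None, kv.get(k, '').split(','))) for k in ('tagged', 'untagged')}
                for vid in kv['vlan-ids'].split(','):   # one export line may carry several ids
                    vlans[int(vid)] = members
    return ports, vlans

def classify(ports, vlans):
    """Per port: (pvid, set of tagged vlan ids, 'access' | 'trunk' | 'hybrid')."""
    out = {}
    for name, kv in ports.items():
        pvid = int(kv.get('pvid', 1))   # RouterOS default pvid is 1
        tagged = {vid for vid, m in vlans.items() if name in m['tagged']}
        trunk = kv.get('frame-types') == 'admit-only-vlan-tagged'
        out[name] = (pvid, tagged, 'trunk' if trunk else 'hybrid' if tagged else 'access')
    return out

def check(ports, vlans):
    """Port / vlan-table mismatches that silently drop one side of a port's traffic."""
    problems = []
    for name, (pvid, tagged, kind) in classify(ports, vlans).items():
        ftype = ports[name].get('frame-types', 'admit-all')
        untagged_in = {vid for vid, m in vlans.items() if name in m['untagged']}
        if kind != 'trunk' and pvid not in untagged_in:
            problems.append(f'{name}: pvid {pvid} but not an untagged member of vlan {pvid}')
        if ftype == 'admit-only-untagged-and-priority-tagged' and tagged:
            problems.append(f'{name}: admits only untagged frames but is tagged in {sorted(tagged)}')
    return problems
```

Run `check(*parse_export(SAMPLE))` for an empty list and `check(*parse_export(SAMPLE_TAGGED))` for the ether10-R500 finding; a real export can be pasted in place of the sample as long as it has no quoted values containing spaces.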
 
ronajon
just joined
Topic Author
Posts: 21
Joined: Fri Feb 10, 2023 11:06 pm

Re: Mullvad wireguard on existing VLAN

Wed Jun 14, 2023 4:58 pm

and the VLAN settings for in this case what should become Mvlan5 wifi network
Screenshot_2023-06-14_15-57-45.png
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mullvad wireguard on existing VLAN

Wed Jun 14, 2023 5:45 pm

I have no idea what you are doing.
The diagram shows the access point it does not show a ruckus controller ??

On the ruckus I have no idea what you are doing with vlan1 again............ not sure what you don't get about NOT using vlan1.
It should be vlan5 if it's in the management or trusted vlan.
 
ronajon
just joined
Topic Author
Posts: 21
Joined: Fri Feb 10, 2023 11:06 pm

Re: Mullvad wireguard on existing VLAN

Wed Jun 14, 2023 11:34 pm

the controller software Unleashed runs on the access point(s), there is not a separate controller.

i've updated the scheme to make things more clear

i'm aware of the not using vlan1
the vlan1 setting is from my current (old) setup, the new one when I'm testing has vlan5

what i don't get is why when mvlan5 is on the router and the pvid of ether10-r500, and vlan5 is the vlan for the wifi network my wireless clients are connecting to the wifi network, but don't get an ip from the router.

i'll try to start some logging on the AP see whats happening
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mullvad wireguard on existing VLAN

Wed Jun 14, 2023 11:45 pm

Sorry cannot help you there.
One has three options
access port for one untagged vlan
trunk port for all tagged vlans
hybrid port for one untagged vlans and any number of tagged vlans.
 
ronajon
just joined
Topic Author
Posts: 21
Joined: Fri Feb 10, 2023 11:06 pm

Re: Mullvad wireguard on existing VLAN

Fri Jun 16, 2023 5:07 pm

i've tried starting with a blank config, just adding the needed vlan99, interfaces, network.
still the same problem.
untagged, the wifi network is accessible, but the management interface is not
tagged is the other way around

think i need to start looking for access points that support management vlan

thanks for your support this far!
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mullvad wireguard on existing VLAN

Fri Jun 16, 2023 5:30 pm

Suggest asking in Ruckus forums.

How do I add an AP to a smart switch, or
How do I add an AP@controller to a vlan aware router.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Mullvad wireguard on existing VLAN

Fri Jun 16, 2023 5:50 pm

With Ruckus Unleashed one of the APs becomes the master that then pushes config to the units. In UniFi terms, Unleashed is like cloudykey was embedded in the APs, or in Mikrotik terms like if you combined CAPsMAN with VRRP. We use it in a few places, works well. But there is some automatic-blackmagic with DNS/mDNS/redirects/etc in how they do it...so I've always put the Ruckus Unleashed as an access port on MT bridge to avoid having to understand it all ;).

But Ruckus Unleashed does support all the VLAN configuration you'd want, so you should be able to feed the APs a trunk from the Mikrotik if you wanted. The management IP support being on a tagged VLAN, it's under Admin>System>Management Interface:

Image
 
ronajon
just joined
Topic Author
Posts: 21
Joined: Fri Feb 10, 2023 11:06 pm

Re: Mullvad wireguard on existing VLAN

Sun Jun 18, 2023 8:33 pm

the vlan management of the ruckus depends on the firmware and the device.
having a R500, the latest firmware unfortunately is not supported.

as you can see, i don't have the vlan options in the Management interface screen
Screenshot_2023-06-18_19-29-46.png
i'll post this issue in the Ruckus forum, perhaps some one over there knows how to solve this
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mullvad wireguard on existing VLAN

Sun Jun 18, 2023 10:08 pm

Your other option may be to not even use a management interface.
How else can you assign an IP to the access point?
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Mullvad wireguard on existing VLAN

Sun Jun 18, 2023 10:19 pm

Your other option may be to not even use a management interface.
How else can you assign an IP to the access point?

By default Ruckus bridges the SSID with the network on the untagged network and grabs an IP for itself, just like most APs... So if you need only one SSID, just the defaults should be okay and untag whatever VLAN you want on the Mikrotik side. If you need multiple SSIDs with different VLANs from Mikrotik, a hybrid port might be an option then (e.g. mgmt untagged, and the SSIDs assigned to the desired VLAN).
 
ronajon
just joined
Topic Author
Posts: 21
Joined: Fri Feb 10, 2023 11:06 pm

Re: Mullvad wireguard on existing VLAN

Sun Jun 18, 2023 10:52 pm

i've tried both ways.
with and without management interface, dhcp on the access points.

and hybrid port.

there are posts on the Ruckus forum explaining it should work, but unfortunately did not get it working here.
the trouble seems to be in the mgmt vlan assignment. looks like the unleashed console only is accessible when using vlan1 (and i don't want to use that )
