I have a question related to WireGuard. I've set up this VPN and it partially works: I can connect, and I can reach the internet through WireGuard (confirmed by traceroute), but I don't see the computers on the LAN (2 VLANs). It probably has something to do with the VLANs, because in my previous setup without VLANs it was working OK.
The setup is as follows:
1 bridge with two VLANs (192.168.78.0 and 192.168.88.0). WireGuard has the network 192.168.68.0 with address 192.168.68.1. The WireGuard interface is in the LAN interface list.
# model = CCR2116-12G-4S+
# NOTE(review): the "/interface bridge" section header is not shown before this line in the paste.
# VLAN-filtering bridge; the router-side L3 interfaces for each VLAN are the /interface vlan entries below.
add name=bridge vlan-filtering=yes
/interface pppoe-client
# WAN uplink on sfp-sfpplus2; the PPPoE session installs the default route. Credentials are redacted.
add add-default-route=yes disabled=no interface=sfp-sfpplus2 max-mru=1492 max-mtu=1492 mrru=1500 name=pppoe-out1 user=\
xxxxxxxxxxxxxxxxxx
/interface wireguard
# Single WireGuard listener on UDP 13231; the raw table has to admit this port for handshakes from WAN to arrive.
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
# Router-side VLAN interfaces on the bridge; they carry the 192.168.88.1 and 192.168.78.1 gateways (see /ip address).
add interface=bridge name=vlan-home-88 vlan-id=88
add interface=bridge name=vlan-servers-78 vlan-id=78
/interface ethernet switch
# NOTE(review): L3 HW offloading is enabled on the switch chip, while the WireGuard path is routed in software.
# If WireGuard<->VLAN traffic fails while WireGuard<->internet works, temporarily setting this to no is a
# quick way to separate a hardware-forwarding problem from a firewall/routing one -- TODO confirm.
set 0 l3-hw-offloading=yes
/interface ethernet switch port
# Only switch port index 1 is excluded from L3 offloading; which physical port that index maps to is not shown here.
set 1 l3-hw-offloading=no
/interface list
# LAN also contains wireguard1 (see /interface list member), so every "in-interface-list=LAN" firewall rule
# applies to VPN peers as well. ether13 is in MGMT only, i.e. in neither LAN nor WAN.
add name=LAN
add name=WAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
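/ip pool
# Both networks are /24 (see /ip address), so .255 is the broadcast address and must not be leased;
# the pools previously ran up to .255.
add name=pool1-88 ranges=192.168.88.2-192.168.88.254
add name=pool2-78 ranges=192.168.78.2-192.168.78.254
/ip dhcp-server
# One DHCP server per VLAN interface, each bound to its own pool.
add address-pool=pool1-88 interface=vlan-home-88 name=dhcp1
add address-pool=pool2-78 interface=vlan-servers-78 name=dhcp2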
/port
set 0 name=serial0
/interface bridge port
# Access ports: untagged traffic on each port is placed in its PVID VLAN (88 = home, 78 = servers).
add bridge=bridge interface=ether1 pvid=88
add bridge=bridge interface=ether2 pvid=78
add bridge=bridge interface=ether3 pvid=78
add bridge=bridge interface=ether4 pvid=78
add bridge=bridge interface=ether5 pvid=78
add bridge=bridge interface=ether6 pvid=78
add bridge=bridge interface=ether7 pvid=78
add bridge=bridge interface=ether8 pvid=78
add bridge=bridge interface=ether9 pvid=78
add bridge=bridge interface=ether10 pvid=78
add bridge=bridge interface=ether11 pvid=88
add bridge=bridge interface=ether12 pvid=88
add bridge=bridge interface=sfp-sfpplus1 pvid=78
add bridge=bridge interface=sfp-sfpplus3 pvid=88
add bridge=bridge interface=sfp-sfpplus4 pvid=88
/ip firewall connection tracking
set loose-tcp-tracking=no tcp-unacked-timeout=1m
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/LLDP) is suppressed on dynamically created interfaces only.
set discover-interface-list=!dynamic
/ip settings
# Loose reverse-path filtering: a packet is dropped only if its source is not reachable via any interface.
set rp-filter=loose
/interface bridge vlan
# VLAN table: the bridge itself is the tagged member of both VLANs so the /interface vlan entries (and with
# them the routed VPN->VLAN path) see VLAN traffic; the access ports are untagged members of their PVID VLAN.
add bridge=bridge tagged=bridge untagged=\
ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,sfp-sfpplus1 vlan-ids=78
add bridge=bridge tagged=bridge untagged=ether1,sfp-sfpplus3,sfp-sfpplus4 vlan-ids=88
/interface list member
# Interface list membership. The bridge itself is a disabled LAN member (the VLAN interfaces are the L3
# entry points instead), wireguard1 is in LAN so VPN peers are treated as internal by the firewall, and
# ether13 is only in MGMT, so raw/filter rules keyed on LAN or WAN do not match it.
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=MGMT
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=WAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
add disabled=yes interface=bridge list=LAN
add interface=vlan-servers-78 list=LAN
add interface=vlan-home-88 list=LAN
add interface=pppoe-out1 list=WAN
add interface=wireguard1 list=LAN
/interface wireguard peers
# One /32 allowed-address per peer: the router accepts (and routes back) exactly one tunnel IP per public key.
# Public keys and comments are redacted. The peers' own AllowedIPs (client side, not shown here) decide whether
# 192.168.78.0/24 and 192.168.88.0/24 are sent into the tunnel at all -- worth checking for the
# "internet works, LAN does not" symptom.
add allowed-address=192.168.68.150/32 comment=aaaaa interface=wireguard1 public-key=\
"xxxxxxxxxxxxxx"
add allowed-address=192.168.68.140/32 comment=bbbb interface=wireguard1 public-key=\
"xxxxxxxxxxxxxxx"
add allowed-address=192.168.68.130/32 comment=ccccc interface=wireguard1 public-key=\
"xxxxxxxxxxxxxxxxxxxxxxxxxxx"
add allowed-address=192.168.68.120/32 comment=ddddd interface=wireguard1 public-key=\
"xxxxxxxxxxxxxxxxxxxxxxxxxxx"
/ip address
# Gateways: one per VLAN, one on the MGMT port (ether13) and one on the WireGuard tunnel.
add address=192.168.78.1/24 interface=vlan-servers-78 network=192.168.78.0
add address=192.168.88.1/24 interface=vlan-home-88 network=192.168.88.0
add address=192.168.58.1/24 interface=ether13 network=192.168.58.0
add address=192.168.68.1/24 interface=wireguard1 network=192.168.68.0
/ip dhcp-server network
# DHCP options for both VLANs: the router is gateway and DNS server.
add address=192.168.78.0/24 dns-server=192.168.78.1 gateway=192.168.78.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
# The router is the resolver for its clients. allow-remote-requests=yes means it answers any query the
# input chain lets through, so that chain needs a terminal drop toward WAN.
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall address-list
# ddos-attackers / ddos-targets are populated dynamically by the forward chain's detect-ddos logic (25m timeout).
add list=ddos-attackers
add list=ddos-targets
# RFC 6890 bogon lists used by the raw prerouting and forward chains.
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
# secure_dns: the two upstream resolvers whose UDP/53 replies the raw table admits.
add address=1.1.1.1 list=secure_dns
add address=8.8.8.8 list=secure_dns
# bad_attempts is not referenced by any rule shown in this export.
add list=bad_attempts
# NOTE(review): the NAT and raw rules also reference lists named "secure", "ccccc" and "secure NTP", none of
# which appear in this export. If they do not exist or are empty, the rules using them as src-address-list
# match nothing; they may be filled dynamically or have been redacted from the paste -- confirm.
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
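/ip firewall filter
# Fast path: established/related forward flows are fasttracked (hardware offload on the CCR2116) and skip
# the remainder of this chain, so the rules below mostly see new or untracked traffic.
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=input comment="Accepting established, related, untracked connections" connection-state=\
established,related,untracked
add action=accept chain=forward connection-state=established,related,untracked
# Disabled kill-switch: when enabled it stops VPN peers from using this router's WAN.
add action=drop chain=forward comment="wireguard no internet" disabled=yes in-interface=wireguard1 out-interface-list=WAN
add action=accept chain=input comment="accept local" in-interface-list=LAN
# wireguard1 is a LAN-list member, so new flows from VPN peers toward either VLAN are accepted by this rule;
# the filter table therefore does not explain VPN peers failing to reach LAN hosts.
add action=accept chain=forward in-interface-list=LAN
add action=drop chain=input comment="Drop invalid" connection-state=invalid
# Added: the input chain previously had no terminal drop. The raw table ends with "accept everything else
# from WAN", so TCP (e.g. port 53 while /ip dns allow-remote-requests=yes) and any non-UDP protocol from the
# internet reached router services under the default accept policy. ICMP and the WireGuard listen port stay
# reachable; everything else arriving from a WAN-list interface is dropped. ether13/MGMT is not affected.
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept WireGuard" dst-port=13231 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=WAN
add action=drop chain=forward connection-state=invalid
# New connections from WAN that were not dst-nat'ed (no matching port forward) are dropped.
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4
# New connections from non-192.168.0.0/16 sources (so not LAN or VPN peers) are rate-checked per src+dst pair;
# a source exceeding roughly 32 new connections/s is put in ddos-attackers (dropped in raw) and its
# destination in ddos-targets, both for 25 minutes.
add action=jump chain=forward comment="All new jump to detect-ddos" connection-state=new jump-target=detect-ddos \
src-address=!192.168.0.0/16
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targets address-list-timeout=25m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=25m chain=detect-ddos
# SYN flood limiter for external sources: up to 150 new SYNs/s (burst 5) are accepted, the rest dropped.
add action=jump chain=forward comment="SYN Flood protect" connection-state=new jump-target=SYN-Protect protocol=tcp \
src-address=!192.168.0.0/16 tcp-flags=syn
# Forwarded ICMP is allowed only for the listed type:code pairs; all other ICMP types are dropped.
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=accept chain=SYN-Protect connection-state=new limit=150,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=syn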
/ip firewall nat
# Outbound: everything leaving via the PPPoE WAN is masqueraded, including VPN peers' internet traffic.
add action=masquerade chain=srcnat out-interface=pppoe-out1
# Inbound port forwards into the servers VLAN (192.168.78.x); comments are redacted.
# NOTE(review): the forwards on 13000, 13001 and 13002 expose RDP (to-ports=3389) on three hosts, and 8080
# on .27, with no src-address-list restriction, i.e. to the whole internet; a non-standard external port is
# not a protection. The remaining forwards are limited to the "secure"/"ccccc" lists. Since WireGuard peers
# already reach this VLAN through the tunnel, the unrestricted forwards are the ones worth narrowing or removing.
add action=dst-nat chain=dstnat comment=aaaaaa dst-port=5000 in-interface=pppoe-out1 protocol=tcp \
src-address-list=secure to-addresses=192.168.78.21 to-ports=5000
add action=dst-nat chain=dstnat comment=aaaaaaa dst-port=2593 in-interface=pppoe-out1 protocol=tcp \
src-address-list=secure to-addresses=192.168.78.21 to-ports=5000
add action=dst-nat chain=dstnat comment=aaaaaaa dst-port=13000 in-interface=pppoe-out1 protocol=tcp \
to-addresses=192.168.78.21 to-ports=3389
add action=dst-nat chain=dstnat comment=aaaaaaa dst-port=13003 in-interface=pppoe-out1 protocol=tcp \
src-address-list=ccccc to-addresses=192.168.78.21 to-ports=3306
add action=dst-nat chain=dstnat comment="aaaaaaa" disabled=yes dst-port=13004 in-interface=pppoe-out1 \
protocol=tcp src-address-list=ccccc to-addresses=192.168.78.21 to-ports=23
add action=dst-nat chain=dstnat comment=aaaaaa dst-port=13005 in-interface=pppoe-out1 protocol=tcp \
src-address-list=secure to-addresses=192.168.78.21 to-ports=2597
add action=dst-nat chain=dstnat comment=aaaaaa dst-port=13006 in-interface=pppoe-out1 protocol=tcp \
src-address-list=secure to-addresses=192.168.78.21 to-ports=2598
# Telnet (23/24) is plaintext; it is reachable only from the "ccccc" list.
add action=dst-nat chain=dstnat comment=aaaaaaa dst-port=23 in-interface=pppoe-out1 protocol=tcp \
src-address-list=ccccc to-addresses=192.168.78.21 to-ports=23
add action=dst-nat chain=dstnat comment=aaaaaaaa dst-port=24 in-interface=pppoe-out1 protocol=tcp \
src-address-list=ccccc to-addresses=192.168.78.27 to-ports=24
add action=dst-nat chain=dstnat comment=aaaaaaa dst-port=13001 in-interface=pppoe-out1 protocol=tcp \
to-addresses=192.168.78.27 to-ports=3389
add action=dst-nat chain=dstnat comment=aaaaaaa dst-port=8080 in-interface=pppoe-out1 protocol=tcp \
to-addresses=192.168.78.27 to-ports=8080
add action=dst-nat chain=dstnat comment=aaaaaa dst-port=13002 in-interface=pppoe-out1 protocol=tcp \
to-addresses=192.168.78.31 to-ports=3389
add action=dst-nat chain=dstnat comment=aaaaaaa dst-port=5010 in-interface=pppoe-out1 protocol=tcp \
src-address-list=secure to-addresses=192.168.78.31 to-ports=5010
# Public web server; "public_ip" is a redaction placeholder.
add action=dst-nat chain=dstnat comment=aaaaaaaaaaaaa dst-address=public_ip dst-port=80 in-interface=\
pppoe-out1 protocol=tcp to-addresses=192.168.78.15 to-ports=80
/ip firewall raw
# Raw runs before connection tracking and before dst-nat: "accept" here only ends raw processing (the filter
# table still applies), while "drop" discards packets before they can create or refresh a tracked connection.
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
# Sources flagged by the forward chain's detect-ddos logic are discarded here for the list entry's lifetime.
add action=drop chain=prerouting src-address-list=ddos-attackers
# Replies from the two listed resolvers (src-port 53) and from the "secure NTP" list (src-port 123) leave raw
# here; this is what keeps them out of the UDP drop a few rules further down.
add action=accept chain=prerouting comment="accept only google and cloudfare DNS" protocol=udp src-address-list=\
secure_dns src-port=53
add action=accept chain=prerouting comment="accept only google and microsoft NTP" protocol=udp src-address-list=\
"secure NTP" src-port=123
# NOTE(review): this accept is disabled, yet the "drop local if not from default IP range" rule below would
# match a DHCPDISCOVER (src 0.0.0.0) arriving from a LAN interface. Confirm DHCP still hands out leases on both
# VLANs; if it does not, re-enabling this rule is the fix.
add action=accept chain=prerouting comment="defconf: accept DHCP discover" disabled=yes dst-address=255.255.255.255 \
dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
# WireGuard handshakes and data on UDP 13231 must be admitted before the UDP drop that follows.
add action=accept chain=prerouting comment=wireguard dst-port=13231 protocol=udp
# NOTE(review): despite the comment there is no port match here: this drops ALL UDP not arriving from a LAN-list
# interface -- every UDP reply from WAN other than the accepts above (QUIC, other DNS servers, ...) and all UDP
# from ether13/MGMT, which is not in LAN.
add action=drop chain=prerouting comment="drop DNS (UDP)" in-interface-list=!LAN protocol=udp
# RFC 6890 bogon filtering on source and destination addresses.
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4
# Anti-spoofing on the PPPoE uplink: private/non-global sources are not accepted from the internet.
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface=pppoe-out1 src-address-list=\
not_global_ipv4
# Traffic from WAN aimed directly at private addresses is dropped. Because raw precedes dst-nat, port-forwarded
# traffic (whose destination is still the public IP at this point) is not affected.
add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" dst-address=192.168.0.0/16 \
in-interface-list=WAN
# LAN-side anti-spoofing; VPN peers (192.168.68.x) pass this check. src-address-list="" is presumably a no-op
# match and does not restrict the rule further -- confirm.
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN \
src-address=!192.168.0.0/16 src-address-list=""
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=tcp protocol=tcp
add action=jump chain=prerouting comment="defconf: jump to bad TCP chain" jump-target=bad_tcp protocol=tcp
# TCP from the trusted "ccccc" list is accepted outright, so it also skips the bad_tcp flag checks.
add action=accept chain=tcp protocol=tcp src-address-list=ccccc
# NOTE(review): effectively unreachable -- TCP from pppoe-out1 (a WAN-list member) to 192.168.0.0/16 was already
# dropped by the "drop forward to local lan from WAN" rule above, and raw runs before dst-nat.
add action=accept chain=tcp dst-address=192.168.0.0/16 in-interface=pppoe-out1
# Catch-all accepts: WAN traffic reaching this point is handed to the filter table, which therefore needs its
# own terminal drops (input chain in particular).
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
# NOTE(review): everything from interfaces in neither list ends here, which includes all traffic from
# ether13/MGMT not matched by an accept above -- confirm that is intended.
add action=drop chain=prerouting comment="defconf: drop the rest"
# Invalid TCP flag combinations (nmap-style scans, malformed segments).
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
/ip service
# Management plane: telnet, ftp, ssh, api and api-ssl are disabled. www (plain HTTP) and winbox are limited to
# 192.168.0.0/16, which covers both VLANs, MGMT and the WireGuard subnet. www-ssl does not appear in this
# export (defaults are omitted), so its state is not visible here.
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/16
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.0.0/16
set api-ssl disabled=yes
/system clock
# Time zone redacted.
set time-zone-name=xxxxxxxxxxx
/system note
set show-at-login=no
/system ntp client
# NTP client uses the two servers below by IP; their UDP/123 replies are admitted by the raw "secure NTP"
# accept only if that list contains these addresses (the list is not in this export).
set enabled=yes
/system ntp client servers
add address=40.119.148.38
add address=216.239.35.4
/system routerboard settings
set enter-setup-on=delete-key
/tool graphing
set store-every=24hours
/tool graphing interface
# Traffic graphs for the WAN SFP and the servers VLAN.
add interface=sfp-sfpplus2
add interface=vlan-servers-78