jwa

wireguard question

Sun Feb 18, 2024 9:52 pm

Hello,

I have a question related to WireGuard. I've set up this VPN and it partially works: I can connect, and I can reach the internet through WireGuard (confirmed by traceroute). But I don't see the computers on the LAN (2 VLANs). It probably has something to do with the VLANs, because in my previous setup without VLANs it was working OK.

Setup is following:
1 bridge with two VLANs (192.168.78.0 and 192.168.88.0). WireGuard has the network 192.168.68.0 with address 192.168.68.1. The WireGuard interface is in the list of LAN interfaces.

# RouterOS export as pasted in the post: a VLAN-filtering bridge with two VLANs
# (78 = servers, 88 = home), a PPPoE uplink on sfp-sfpplus2, a WireGuard server on
# UDP 13231 and a firewall derived from the RouterOS default ("defconf") rules.
# Lines marked NOTE(review) are reviewer observations; they add no configuration.
# model = CCR2116-12G-4S+
# NOTE(review): the section header for the next line is missing from the paste
# (presumably "/interface bridge" was lost when the export was copied).
add name=bridge vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=sfp-sfpplus2 max-mru=1492 max-mtu=1492 mrru=1500 name=pppoe-out1 user=\
    xxxxxxxxxxxxxxxxxx
/interface wireguard
# Listens on 13231/udp; the raw chain accepts that port from any source (rule "comment=wireguard" below).
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
# Both VLAN interfaces sit on the bridge; the router's VLAN addresses are assigned to them under /ip address.
add interface=bridge name=vlan-home-88 vlan-id=88
add interface=bridge name=vlan-servers-78 vlan-id=78
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface ethernet switch port
# L3 hardware offload is enabled on the switch as a whole but disabled on switch port 1.
set 1 l3-hw-offloading=no
/interface list
add name=LAN
add name=WAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# NOTE(review): both pools end at .255, which is the broadcast address of the /24 networks
# configured under /ip address (192.168.88.1/24, 192.168.78.1/24); the last usable host is .254.
add name=pool1-88 ranges=192.168.88.2-192.168.88.255
add name=pool2-78 ranges=192.168.78.2-192.168.78.255
/ip dhcp-server
add address-pool=pool1-88 interface=vlan-home-88 name=dhcp1
add address-pool=pool2-78 interface=vlan-servers-78 name=dhcp2
/port
set 0 name=serial0
/interface bridge port
# Access ports: ether1, ether11, ether12, sfp-sfpplus3 and sfp-sfpplus4 carry untagged VLAN 88 (home),
# the remaining ports untagged VLAN 78 (servers). ether13 is not a bridge port (see /ip address).
add bridge=bridge interface=ether1 pvid=88
add bridge=bridge interface=ether2 pvid=78
add bridge=bridge interface=ether3 pvid=78
add bridge=bridge interface=ether4 pvid=78
add bridge=bridge interface=ether5 pvid=78
add bridge=bridge interface=ether6 pvid=78
add bridge=bridge interface=ether7 pvid=78
add bridge=bridge interface=ether8 pvid=78
add bridge=bridge interface=ether9 pvid=78
add bridge=bridge interface=ether10 pvid=78
add bridge=bridge interface=ether11 pvid=88
add bridge=bridge interface=ether12 pvid=88
add bridge=bridge interface=sfp-sfpplus1 pvid=78
add bridge=bridge interface=sfp-sfpplus3 pvid=88
add bridge=bridge interface=sfp-sfpplus4 pvid=88
/ip firewall connection tracking
set loose-tcp-tracking=no tcp-unacked-timeout=1m
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
# Reverse-path filtering is "loose" rather than "strict".
set rp-filter=loose
/interface bridge vlan
# VLAN table: both VLANs are tagged towards the bridge (CPU) and untagged on the access ports
# listed here; the untagged sets match the pvid values assigned above.
add bridge=bridge tagged=bridge untagged=\
    ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,sfp-sfpplus1 vlan-ids=78
add bridge=bridge tagged=bridge untagged=ether1,sfp-sfpplus3,sfp-sfpplus4 vlan-ids=88
/interface list member
# The physical bridge ports, both VLAN interfaces and wireguard1 are all in LAN; the bridge
# interface's own LAN membership is disabled. Because wireguard1 is in LAN, every firewall rule
# below that matches in-interface-list=LAN also applies to VPN peers.
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=MGMT
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=WAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
add disabled=yes interface=bridge list=LAN
add interface=vlan-servers-78 list=LAN
add interface=vlan-home-88 list=LAN
add interface=pppoe-out1 list=WAN
add interface=wireguard1 list=LAN
/interface wireguard peers
# Each peer is limited to one /32 tunnel address (keys and comments are redacted in the post).
# NOTE(review): whether a peer can reach 192.168.78.0/24 and 192.168.88.0/24 also depends on the
# AllowedIPs configured on the client side, which is not shown here.
add allowed-address=192.168.68.150/32 comment=aaaaa interface=wireguard1 public-key=\
    "xxxxxxxxxxxxxx"
add allowed-address=192.168.68.140/32 comment=bbbb interface=wireguard1 public-key=\
    "xxxxxxxxxxxxxxx"
add allowed-address=192.168.68.130/32 comment=ccccc interface=wireguard1 public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxxx"
add allowed-address=192.168.68.120/32 comment=ddddd interface=wireguard1 public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxxx"
/ip address
# ether13 (MGMT list) carries 192.168.58.1/24 directly, outside the bridge.
add address=192.168.78.1/24 interface=vlan-servers-78 network=192.168.78.0
add address=192.168.88.1/24 interface=vlan-home-88 network=192.168.88.0
add address=192.168.58.1/24 interface=ether13 network=192.168.58.0
add address=192.168.68.1/24 interface=wireguard1 network=192.168.68.0
/ip dhcp-server network
add address=192.168.78.0/24 dns-server=192.168.78.1 gateway=192.168.78.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
# The router resolves DNS for remote requesters; see the NOTE(review) at the end of the
# input chain about which sources can reach that service.
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall address-list
# NOTE(review): the NAT and raw rules below also reference the lists "secure", "ccccc" and
# "secure NTP", none of which appear in this section (possibly redacted or filled dynamically).
# A rule whose src-address-list does not exist matches nothing.
add list=ddos-attackers
add list=ddos-targets
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=1.1.1.1 list=secure_dns
add address=8.8.8.8 list=secure_dns
add list=bad_attempts
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall filter
# Rule order matters: FastTrack first, then the established/related accepts, then the per-chain rules.
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=input comment="Accepting established, related, untracked connections" connection-state=\
    established,related,untracked
add action=accept chain=forward connection-state=established,related,untracked
# Disabled: when enabled it would stop VPN peers from reaching the internet.
add action=drop chain=forward comment="wireguard no internet" disabled=yes in-interface=wireguard1 out-interface-list=WAN
# Accepts all input from LAN members, i.e. the VLAN interfaces and wireguard1.
add action=accept chain=input comment="accept local" in-interface-list=LAN
# Accepts all forwarded traffic from LAN members, including wireguard1 -> VLANs. It runs before
# the forward "drop invalid" rule, so invalid-state packets from LAN are accepted as well.
add action=accept chain=forward in-interface-list=LAN
# NOTE(review): this is the last rule in the input chain; there is no final "drop everything
# else" as in the RouterOS default firewall. WAN packets that pass the raw chain (for example
# TCP, which raw accepts via "accept everything else from WAN") therefore reach every enabled
# service; /ip service limits www/winbox to 192.168.0.0/16, but the DNS service enabled by
# allow-remote-requests=yes has no such limit. Confirm this is intended.
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4
# New connections from outside 192.168.0.0/16 go through the rate-limit chains; sources above
# the dst-limit are put on ddos-attackers, which the raw chain drops.
add action=jump chain=forward comment="All new jump to detect-ddos" connection-state=new jump-target=detect-ddos \
    src-address=!192.168.0.0/16
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targets address-list-timeout=25m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=25m chain=detect-ddos
add action=jump chain=forward comment="SYN Flood protect" connection-state=new jump-target=SYN-Protect protocol=tcp \
    src-address=!192.168.0.0/16 tcp-flags=syn
# Forwarded ICMP: only the listed types are accepted, everything else is dropped.
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=accept chain=SYN-Protect connection-state=new limit=150,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
# NOTE(review): the forwards without a src-address-list (13000, 13001 and 13002 -> 3389, and
# 8080) are reachable from any internet source, whereas the other forwards are limited to the
# "secure" or "ccccc" lists. Consider applying the same source restriction to the RDP forwards.
add action=dst-nat chain=dstnat comment=aaaaaa dst-port=5000 in-interface=pppoe-out1 protocol=tcp \
    src-address-list=secure to-addresses=192.168.78.21 to-ports=5000
add action=dst-nat chain=dstnat comment=aaaaaaa dst-port=2593 in-interface=pppoe-out1 protocol=tcp \
    src-address-list=secure to-addresses=192.168.78.21 to-ports=5000
add action=dst-nat chain=dstnat comment=aaaaaaa dst-port=13000 in-interface=pppoe-out1 protocol=tcp \
    to-addresses=192.168.78.21 to-ports=3389
add action=dst-nat chain=dstnat comment=aaaaaaa dst-port=13003 in-interface=pppoe-out1 protocol=tcp \
    src-address-list=ccccc to-addresses=192.168.78.21 to-ports=3306
add action=dst-nat chain=dstnat comment="aaaaaaa" disabled=yes dst-port=13004 in-interface=pppoe-out1 \
    protocol=tcp src-address-list=ccccc to-addresses=192.168.78.21 to-ports=23
add action=dst-nat chain=dstnat comment=aaaaaa dst-port=13005 in-interface=pppoe-out1 protocol=tcp \
    src-address-list=secure to-addresses=192.168.78.21 to-ports=2597
add action=dst-nat chain=dstnat comment=aaaaaa dst-port=13006 in-interface=pppoe-out1 protocol=tcp \
    src-address-list=secure to-addresses=192.168.78.21 to-ports=2598
add action=dst-nat chain=dstnat comment=aaaaaaa dst-port=23 in-interface=pppoe-out1 protocol=tcp \
    src-address-list=ccccc to-addresses=192.168.78.21 to-ports=23
add action=dst-nat chain=dstnat comment=aaaaaaaa dst-port=24 in-interface=pppoe-out1 protocol=tcp \
    src-address-list=ccccc to-addresses=192.168.78.27 to-ports=24
add action=dst-nat chain=dstnat comment=aaaaaaa dst-port=13001 in-interface=pppoe-out1 protocol=tcp \
    to-addresses=192.168.78.27 to-ports=3389
add action=dst-nat chain=dstnat comment=aaaaaaa dst-port=8080 in-interface=pppoe-out1 protocol=tcp \
    to-addresses=192.168.78.27 to-ports=8080
add action=dst-nat chain=dstnat comment=aaaaaa dst-port=13002 in-interface=pppoe-out1 protocol=tcp \
    to-addresses=192.168.78.31 to-ports=3389
add action=dst-nat chain=dstnat comment=aaaaaaa dst-port=5010 in-interface=pppoe-out1 protocol=tcp \
    src-address-list=secure to-addresses=192.168.78.31 to-ports=5010
# NOTE(review): "dst-address=public_ip" is not a valid address literal; presumably redacted in the paste.
add action=dst-nat chain=dstnat comment=aaaaaaaaaaaaa dst-address=public_ip dst-port=80 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.78.15 to-ports=80
/ip firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=drop chain=prerouting src-address-list=ddos-attackers
# Only UDP from the secure_dns hosts (src-port 53) and the "secure NTP" list (src-port 123)
# is let through before the UDP drop further down.
add action=accept chain=prerouting comment="accept only google and cloudfare DNS" protocol=udp src-address-list=\
    secure_dns src-port=53
# NOTE(review): "secure NTP" is not defined in this export; if it really is absent, replies from
# the servers under /system ntp client servers are dropped by the UDP rule below.
add action=accept chain=prerouting comment="accept only google and microsoft NTP" protocol=udp src-address-list=\
    "secure NTP" src-port=123
add action=accept chain=prerouting comment="defconf: accept DHCP discover" disabled=yes dst-address=255.255.255.255 \
    dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
# WireGuard packets are accepted from any source address.
add action=accept chain=prerouting comment=wireguard dst-port=13231 protocol=udp
# NOTE(review): despite its comment this rule matches every UDP packet arriving on a non-LAN
# interface, not only DNS (there is no dst-port=53 match).
add action=drop chain=prerouting comment="drop DNS (UDP)" in-interface-list=!LAN protocol=udp
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface=pppoe-out1 src-address-list=\
    not_global_ipv4
add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" dst-address=192.168.0.0/16 \
    in-interface-list=WAN
# NOTE(review): src-address-list="" is empty and adds no restriction to this rule.
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN \
    src-address=!192.168.0.0/16 src-address-list=""
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=tcp protocol=tcp
add action=jump chain=prerouting comment="defconf: jump to bad TCP chain" jump-target=bad_tcp protocol=tcp
add action=accept chain=tcp protocol=tcp src-address-list=ccccc
# NOTE(review): WAN packets addressed to 192.168.0.0/16 are already dropped by "drop forward to
# local lan from WAN" above (pppoe-out1 is in the WAN list), so this accept should never match.
add action=accept chain=tcp dst-address=192.168.0.0/16 in-interface=pppoe-out1
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
/ip service
# www and winbox are allowed from all of 192.168.0.0/16, which covers both VLANs, the MGMT
# network (192.168.58.0/24) and the WireGuard subnet (192.168.68.0/24).
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/16
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.0.0/16
set api-ssl disabled=yes
/system clock
set time-zone-name=xxxxxxxxxxx
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=40.119.148.38
add address=216.239.35.4
/system routerboard settings
set enter-setup-on=delete-key
/tool graphing
set store-every=24hours
/tool graphing interface
add interface=sfp-sfpplus2
add interface=vlan-servers-78

Thanks for any insights!
 
Mesquite
Member
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: wireguard question

Sun Feb 18, 2024 10:40 pm

(1) Shorten interface list members to:

# Proposed replacement for the poster's /interface list member section: only the uplink
# interfaces (WAN), the management port (MGMT), the two VLAN interfaces and wireguard1 (LAN)
# are listed; the individual bridge ports are left out.
/interface list member
add interface=sfp-sfpplus2 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether13 list=MGMT
add interface=vlan-servers-78 list=LAN
add interface=vlan-home-88 list=LAN
add interface=wireguard1 list=LAN


(2) ORGANIZE your firewall rules; it is much easier to read and troubleshoot if the rules of each chain are viewed together!!

(3) Why are you allowing access to the router (winbox etc.) to everyone on all the subnets....
You have a bloated bunch of firewall rules and yet really don't seem to care about limiting the most important thing.....
At least nothing on the external side is allowed, which is a bonus, but you can do that without all the bloated rules...

In any case it's personal choice and if you are happy with it, that's fine!!

Your forward chain does not block WireGuard-to-LAN traffic, so I'm not sure why it isn't being routed by the router...
In any case, stick this in there to be sure:
# Explicit accept for VPN -> LAN forwarding (presumably meant for /ip firewall filter); the
# poster's existing "accept chain=forward in-interface-list=LAN" already covers wireguard1.
add chain=forward action=accept in-interface=wireguard1 out-interface-list=LAN
 
jwa
newbie
Topic Author
Posts: 26
Joined: Thu Jan 11, 2024 12:36 am

Re: wireguard question

Mon Feb 19, 2024 11:45 pm

Thanks for your effort!
