Wed Apr 17, 2024 7:31 pm
RouterA
(1) Remove pre-shared keys from WireGuard. I have never seen them used, so for this testing, remove them.
Once we get a good working config, feel free to play with it at your leisure.
(2) Remove ether1 from the bridge; WAN is not part of the LAN bridge.
(3) Modify as follows:
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=bridge list=LAN
add interface="WireGuard - Cloud" list=LAN
(3) Modify so only this shows in your Allowed IPs.....
/interface wireguard peers
add allowed-address=10.0.1.2/32,192.168.222.0/24 comment="To Router B" \
interface="WireGuard - Cloud" public-key="HK----="
add allowed-address=10.0.1.3/32,192.168.233.0/24 comment="To Router C" \
interface="WireGuard - Cloud" public-key="UD-------2I="
add allowed-address=10.0.1.5/32 comment="Admin Remote Laptop" \
interface="WireGuard - Cloud" public-key="HH-------2I="
add allowed-address=10.0.1.6/32 comment="Admin Remote smartphone/ipad" \
interface="WireGuard - Cloud" public-key="ZZ-------2I="
(4) Remove all IPv6 noise (firewall filter, address list, etc.), since it's disabled.
(5) Simplify routes: You do not need routes for WireGuard peers, as the route is created automagically by the WG IP address. You do need routes for all remote subnets, also identified in allowed IPs.
/ip route
add dst-address=0.0.0.0/0 gateway=ether1-gateway-IP routing-table=main
add dst-address=192.168.222.0/24 gateway="WireGuard - Cloud" \
routing-table=main
add dst-address=192.168.233.0/24 gateway="WireGuard - Cloud" \
routing-table=main
(6) Fix Firewall Rules.........
/ip firewall address-list
# use static dhcp leases where applicable
add address=192.168.4.X list=Authorized comment="admin local desktop wired"
add address=192.168.4.Y list=Authorized comment="admin laptop wired/wifi"
add address=192.168.222.A list=Authorized comment="admin remote desktop router B"
add address=192.168.233.B list=Authorized comment="admin remote desktop router C"
add address=10.0.1.5/32 list=Authorized comment="admin laptop remote"
add address=10.0.1.6/32 list=Authorized comment="admin smartphone/ipad remote"
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
dst-address=127.0.0.1
add action=accept chain=input comment="Wireguard handshake" dst-port=52810 protocol=udp
add action=accept chain=input comment="Admin Access" src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="users to services" dst-port=53 protocol=tcp in-interface-list=LAN
# put this rule last so you don't lock yourself out
add action=drop chain=input comment="Drop all else"
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward out-interface="WireGuard - Cloud" src-address=192.168.4.0/24 \
comment="allow local RA users to access wg tunnel"
add action=accept chain=forward in-interface="WireGuard - Cloud" dst-address=192.168.4.0/24 \
src-address=192.168.222.0/24 comment="allow RB users access to local LAN"
add action=accept chain=forward in-interface="WireGuard - Cloud" dst-address=192.168.4.0/24 \
src-address=192.168.233.0/24 comment="allow RC users access to local LAN"
add action=accept chain=forward in-interface="WireGuard - Cloud" out-interface="WireGuard - Cloud" \
comment="Relay rule if you want RB users and RC users to be able to reach each other"
# enable if required, or remove
add action=accept chain=forward comment="port forwarding" connection-nat-state=dst-nat disabled=yes
add action=drop chain=forward comment="Drop All else"
NOTE: My preference is to be flexible on entering the wg tunnel and specific as to where users can land. For example, if you don't want RC users to access the local LAN, simply remove the rule.
(7) Ensure this rule is ENABLED!
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=no \
ipsec-policy=out,none out-interface-list=WAN
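Point (5) above ties the peers' allowed-address entries to the static routes: every remote LAN subnet listed in allowed-address needs a route via the tunnel, and a route via the tunnel that no peer accepts is a black hole. The following is an added consistency check, not part of the forum post or of RouterOS; it parses export-style lines for the two sections, using the post's values as constructed sample input (placeholder keys and gateway), with the route for 192.168.233.0/24 deliberately left out so the report shows something.

```python
import ipaddress
import re

WG_IF = "WireGuard - Cloud"   # tunnel interface name used in the post

# Constructed sample input (values from the post; keys are placeholders).
PEERS_EXPORT = """
add allowed-address=10.0.1.2/32,192.168.222.0/24 comment="To Router B" interface="WireGuard - Cloud" public-key="HK----="
add allowed-address=10.0.1.3/32,192.168.233.0/24 comment="To Router C" interface="WireGuard - Cloud" public-key="UD-------2I="
add allowed-address=10.0.1.5/32 comment="Admin Remote Laptop" interface="WireGuard - Cloud" public-key="HH-------2I="
"""
# The 192.168.233.0/24 route is intentionally missing here.
ROUTES_EXPORT = """
add dst-address=0.0.0.0/0 gateway=ether1-gateway-IP routing-table=main
add dst-address=192.168.222.0/24 gateway="WireGuard - Cloud" routing-table=main
"""

def _field(line, name):
    """Value of name=... in a RouterOS export line, quotes stripped (None if absent)."""
    m = re.search(r'(?:^|\s)%s=("[^"]*"|\S+)' % re.escape(name), line)
    return m.group(1).strip('"') if m else None

def remote_subnets(peers_export, tunnel_net="10.0.1.0/24"):
    """Allowed-address entries that are LAN subnets behind a peer.
    Addresses inside the tunnel /24 are the peers' own WG IPs and need no route."""
    tunnel = ipaddress.ip_network(tunnel_net)
    subnets = set()
    for line in peers_export.splitlines():
        allowed = _field(line, "allowed-address")
        if not allowed:
            continue
        for cidr in allowed.split(","):
            net = ipaddress.ip_network(cidr, strict=False)
            if not net.subnet_of(tunnel):
                subnets.add(str(net))
    return subnets

def tunnel_routes(routes_export, wg_if=WG_IF):
    """Destinations of static routes whose gateway is the WireGuard interface."""
    return {_field(l, "dst-address") for l in routes_export.splitlines()
            if _field(l, "gateway") == wg_if}

def check(peers_export, routes_export):
    """(subnets in allowed-address with no route, tunnel routes no peer accepts)."""
    wanted, have = remote_subnets(peers_export), tunnel_routes(routes_export)
    return sorted(wanted - have), sorted(have - wanted)

if __name__ == "__main__":
    missing, orphan = check(PEERS_EXPORT, ROUTES_EXPORT)
    print("allowed-address subnets with no route:", missing)   # ['192.168.233.0/24']
    print("tunnel routes no peer accepts:", orphan)            # []
```

Feed it the output of `/interface wireguard peers export` and `/ip route export` from the real router to catch the same mismatch before the firewall rules hide it as a silent drop.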