Community discussions

MikroTik App
  4. RouterOS
  5. General

Site to Site Wireguard Firewall Rules  [SOLVED]

Post Reply
 
ungo
just joined
Topic Author
Posts: 3
Joined: Thu Feb 03, 2022 6:54 pm

Site to Site Wireguard Firewall Rules

Mon May 16, 2022 11:48 pm

I've been struggling with this all day, I feel like I'm missing something fundamental.

I have two identical RB5009 set up across the world from each other, each running 7.1.1. I have had wireguard running on each of them successfully for several months now, but just using mobile phones, laptops (192.168.100.0/24). I followed this guide to set up site to site, and finding that firewall rules don't seem to affect the traffic between sites.

I can ping between subnets from 'Office 1' to 'Office 2', configured as shown:

Image

My firewall config is below (most is defconf). I expect Wireguard traffic to come in through rule 2, then go through the firewall rules again as local traffic. I expect that if the traffic is from my mobile Wireguard clients (each a /32 address in the 192.168.100.0/24 subnet), it is accepted and that if it's from my other site (Office 2), then it will be dropped. However, all traffic gets through with this config.

I wonder if, because it's two peers, that the traffic I'm expecting to be filtered in the firewall is considered an established connection due to the Office 1 to Office 2 tunnel? But it shouldn't be, 'Office 2' traffic should be routed through its own Wireguard interface and not back through the already established connection from 'Office 1', right?

Firewall (Office 1)
Code: Select all
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="wireguard server" dst-port=13231 in-interface-list=WAN protocol=udp
add action=accept chain=forward comment="wireguard mobile subnet to LAN" dst-address=172.16.0.0/16 src-address=192.168.100.0/24
add action=accept chain=input comment="defconf: accept ICMP" in-interface-list=!WAN protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
IP addresses (Office 1)
Code: Select all
/ip address
add address=172.16.0.1/16 comment=defconf interface=bridge network=172.16.0.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
add address=10.255.255.1/30 comment="wireguard site-to-site bridge" interface=wireguard1 network=10.255.255.0
Routes (Office 1)
Code: Select all
/ip route
add disabled=no distance=1 dst-address=192.168.0.0/24 gateway=10.255.255.2 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
Top
 
User avatar
Larsa
Forum Guru
Forum Guru
Posts: 1531
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Site to Site Wireguard Firewall Rules

Tue May 17, 2022 12:35 am

Hi @ungo, welcome to the forum!

You may regard the tunnel as any standard LAN cable between two routers thus the firewall rules applies exactly in the same way as between ordinary subnets.

What do you want to achieve more precisely, ie is your objective to prevent (some/all) traffic from one office to the other or something completely different?
Top
 
Sob
Forum Guru
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Site to Site Wireguard Firewall Rules  [SOLVED]

Tue May 17, 2022 12:55 am

Why do you think that your current firewall should affect traffic from other site? Your current rules (in forward chain) do:

#1 - allows traffic from mobile clients (this should be after #4)
#2 - fasttracks established and related connections
#3 - allows rest of established, related and untracked connections
#4 - drops packets with invalid connection state
#5 - drops new connections from WAN, unless they are forwarded ports
#x - (implicit default action) allows everything else

Unless you added WG interface in WAN interface list, everything coming from there is allowed by #x.
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21253
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Site to Site Wireguard Firewall Rules

Tue May 17, 2022 5:07 am

If only he had read para 5 - viewtopic.php?p=906311
Top
 
ungo
just joined
Topic Author
Posts: 3
Joined: Thu Feb 03, 2022 6:54 pm

Re: Site to Site Wireguard Firewall Rules

Wed May 18, 2022 12:26 am

What do you want to achieve more precisely, ie is your objective to prevent (some/all) traffic from one office to the other or something completely different?
Thanks for the welcome Larsa. I want to explicitly allow traffic between sites (e.g., an off-site backup) and deny everything else. A site-to-site config for wireguard would be accessible to anyone who compromised one side, so I would like to limit the damage if that ever happened.

Why do you think that your current firewall should affect traffic from other site? Your current rules (in forward chain) do:
...
Unless you added WG interface in WAN interface list, everything coming from there is allowed by #x.

That's the fundamental thing I was missing - I was assuming a lot about the MT firewall, and didn't expect it to be default open. This article really helped me nail it down further after your advice.

If only he had read para 5 - viewtopic.php?p=906311

I did come across that a couple times in my searches, but I never made it to 5 before becoming overwhelmed by the volume. And I did get distracted reading the replies - if I had spent the amount of time that I did reading the replies in actually reading the OP, I would have been in good shape!


After some reading up on MT firewalls, I have a working config that I'm satisfied with. Deploying it to my remote site will be a bit tricky, hoping I don't lock myself out!

Thanks to all of you for being so helpful.
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21253
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Site to Site Wireguard Firewall Rules

Wed May 18, 2022 1:03 am

I did come across that a couple times in my searches, but I never made it to 5 before becoming overwhelmed by the volume. And I did get distracted reading the replies - if I had spent the amount of time that I did reading the replies in actually reading the OP, I would have been in good shape!
Glad its working for you now!! Good job.
I am keen on how to make the above article better. I did try to state the topics at the top so that if one wanted info on firewalls they could go straight to that. I guess in your case you didnt know where the problems lied due to the fact there was firewall knowledge missing. Unfortunately that comes part and parcel of learning MT OS overall.
If you have any suggestions would love to hear them.
Top
 
User avatar
Larsa
Forum Guru
Forum Guru
Posts: 1531
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Site to Site Wireguard Firewall Rules

Wed May 18, 2022 10:23 am

After some reading up on MT firewalls, I have a working config that I'm satisfied with. Deploying it to my remote site will be a bit tricky, hoping I don't lock myself out!

@ungo, glad to hear everything worked out!

One way to ensure that you are not completely locked out if something goes wrong is to create an additional wg tunnel just for your self to administer the remote site.

For example regarding admin access to office 2 create a new wireguard2 and set ip address of the peer to something like this "/ip address add address=192.168.100.2/32 interface=wireguard2, allowed ip's are from your end (remember to add a route to your side using wireguard2 as gateway) and lastly add wireguard2 to the interface list "LAN". Test access to wireguard2 from a laptop using a mobile hotspot as your smartphone or using a different ISP just to make sure it won't involve the existing wireguard network.

Don't hesitate to come back with further questions and good luck with the networking!

EDIT:
Here is an even simpler solution for an admin connection where all routing is handled automatically by Mikrotik and the client side (at least on windows and macos).

Pick a small subnet that is unused in Office2 lets say 192.168.100.9-10 (/30). Assign one ip addr to wireguard2 ie "/ip address add interface=wireguard2 address=192.168.100.10/30" and the other 192.168.100.9 to your pc or mac like this:
Code: Select all
[Interface]
PrivateKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Address = 192.168.100.9/32

[Peer]
PublicKey = "public key from mikrotik wireguard2"
AllowedIPs = 192.168.100.0/24
Endpoint = publicipaddress.office2.com:12345
PersistentKeepalive = 25
Last edited by Larsa on Wed May 18, 2022 4:30 pm, edited 1 time in total.
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21253
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Site to Site Wireguard Firewall Rules

Wed May 18, 2022 4:01 pm

I use Winbox Remote (free version) as a cheap and easy backup for my wireguard access but that does rely on/go through a 3rd party.
Top
 
User avatar
Larsa
Forum Guru
Forum Guru
Posts: 1531
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Site to Site Wireguard Firewall Rules

Wed May 18, 2022 4:28 pm

I use Winbox Remote (free version) as a cheap and easy backup for my wireguard access but that does rely on/go through a 3rd party.

Yeah, that's a very good choice for SOHO although there are some things you might want to consider. See the following thread: RemoteWinBox [review]. If they add support for mfa and certificates it would significantly increase both security and flexibility.
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21253
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Site to Site Wireguard Firewall Rules

Wed May 18, 2022 4:47 pm

Concur Larsa, I know squat about SSTP but the first thing I said to them was why are you not using certificates?? No good answer other than probably it takes time and effort to manage them ?? $$$
Top
Post Reply

Who is online

Users browsing this forum: faxxe, GoogleOther [Bot], Savanture and 45 guests
  4. RouterOS
  5. General