I have a working routeros hex s (new to me) erased and updated to 7.9
I ran through the default config and got basic things working, lan dhcp, wan masquerade, ntp client/server, dns caching, and queing with cake..
I then setup wireguard following the docs with a peer, everything works except I cannot use the routeros dnscache via the wireguard peer..
when I use a different upstream recursor everything resolves and full tunnel wireguard does work..
I do have allow-remote-requests=yes on the dns
eth1 is wan
eth[2-5] is bridge and lan
wireguard is 192.0.2.254/28 and the peer is 192.0.2.241 (I did not see any type of bogon/rfc filtering that would cause the test-net-1 range not to work)
clients from the lan can ping 192.0.2.254 and seemingly resolve from it..
drill www.google.com @192.0.2.254
At that I am lost and not sure how to continue..
the wg peer does connect (192.0.2.241) and I can ping it from the lan when it is connected..
I could not find commands for showing the wg peer connected in the cli, but from the gui it does show connected and passing traffic..
Thank you in advance for taking the time to read this..
Suggestions or questions are greatly appreciated.
Re: wireguard 'road warrior' cannot use my dns
Network diagram, ( since you never stated what you are connected to for ISP or wireguard )
/export file=anynameyouwish (minus router serial number and any public WANIP info)
/export file=anynameyouwish (minus router serial number and any public WANIP info)
Re: wireguard 'road warrior' cannot use my dns
What is the DNS for your DHCP?
Provide a network diagram, please.
Provide a network diagram, please.
Re: wireguard 'road warrior' cannot use my dns
Code: Select all
/export compact terse show-sensitive
# may/12/2023 07:25:24 by RouterOS 7.9
#
# model = RB760iGS
/interface bridge add admin-mac=AA:BB:CC:11:22:33 auto-mac=no comment=defconf name=bridge
/interface wireguard add listen-port=51820 mtu=1420 name=wireguard1 private-key="8< -- SNIP -- >8"
/disk set sd1 type=hardware
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface lte apn set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile set [ find default=yes ] html-directory=hotspot
/ip pool add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port set 0 name=serial0
/queue type add cake-atm=ptm cake-diffserv=besteffort cake-mpu=88 cake-overhead=40 kind=cake name=cake-default
/queue type add cake-ack-filter=filter cake-atm=ptm cake-bandwidth=37.0Mbps cake-diffserv=besteffort cake-mpu=88 cake-nat=yes cake-overhead=40 kind=cake name=cake-up
/queue type add cake-atm=ptm cake-bandwidth=225.0Mbps cake-diffserv=besteffort cake-mpu=88 cake-nat=yes cake-overhead=40 cake-wash=yes kind=cake name=cake-down
/queue simple
# CAKE type with bandwidth setting detected, configure traffic limits within queue itself
add bucket-size=0.001/0.001 name=cake queue=cake-down/cake-up target=ether1 total-queue=cake-default
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings set discover-interface-list=LAN
/ipv6 settings set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet set detect-interface-list=all
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface list member add interface=wireguard1 list=LAN
/interface ovpn-server server set auth=sha1,md5
/interface wireguard peers add allowed-address=192.0.2.241/32 comment=Peer1-XS interface=wireguard1 public-key="8< -- SNIP -- >8"
/ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip address add address=192.0.2.254/28 interface=wireguard1 network=192.0.2.240
/ip dhcp-client add comment=defconf interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns set allow-remote-requests=yes max-concurrent-queries=512 servers=working,addresses,here
/ip dns static add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter add action=accept chain=input comment="allow Wireguard" dst-port=51820 protocol=udp
/ip firewall filter add action=accept chain=input comment="allow Wireguard traffic" src-address=192.0.2.240/28
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock set time-zone-name=America/New_York
/system identity set name=RouterOS
/system note set show-at-login=no
/system ntp client set enabled=yes
/system ntp server set enabled=yes
/system ntp client servers add address=time.cloudflare.com
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
Again, thank you in advance..
Re: wireguard 'road warrior' cannot use my dns
(1) Your incoming peer address does not match your input chain rule to allow access to config router....
/interface wireguard peers add allowed-address=192.0.2.241/32
/ip firewall filter add action=accept chain=input comment="allow Wireguard traffic" src-address=192.0.2.240/28
The incoming wireguard user (assuming thats you the ADMIN) to access DNS must have access on the input chain which the above rule provides. Its really designed to allow ADMIN to configure router remotely.
For other wireguard users that are not ADMIN but may be coming into the router but should not have OPEN access to the router would not be on the above rule but would be covered by adding the wireguard1 interface to the LAN list and thus your rule below would permit DNS.
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
(2) Set this to none, at least while troubleshooting.
/interface detect-internet set detect-interface-list=all
(3) Ensure your ip dhcp-server network setting is complete.
shows:
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
SHOULD BE
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
(4) You dont have any other servers assigned ( and have no idea what you have on the IP DHCP client settings, that I can see so
from
/ip dns set allow-remote-requests=yes max-concurrent-queries=512 servers=???working,addresses,here???
TO
/ip dns set allow-remote-requests=yes max-concurrent-queries=512 servers=1.1.1.1
///////////// Dont see anything else after a quick viewing.
/interface wireguard peers add allowed-address=192.0.2.241/32
/ip firewall filter add action=accept chain=input comment="allow Wireguard traffic" src-address=192.0.2.240/28
The incoming wireguard user (assuming thats you the ADMIN) to access DNS must have access on the input chain which the above rule provides. Its really designed to allow ADMIN to configure router remotely.
For other wireguard users that are not ADMIN but may be coming into the router but should not have OPEN access to the router would not be on the above rule but would be covered by adding the wireguard1 interface to the LAN list and thus your rule below would permit DNS.
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
(2) Set this to none, at least while troubleshooting.
/interface detect-internet set detect-interface-list=all
(3) Ensure your ip dhcp-server network setting is complete.
shows:
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
SHOULD BE
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
(4) You dont have any other servers assigned ( and have no idea what you have on the IP DHCP client settings, that I can see so
from
/ip dns set allow-remote-requests=yes max-concurrent-queries=512 servers=???working,addresses,here???
TO
/ip dns set allow-remote-requests=yes max-concurrent-queries=512 servers=1.1.1.1
///////////// Dont see anything else after a quick viewing.
Re: wireguard 'road warrior' cannot use my dns
Also its not clear what client selected for DNS, try 1.1.1.1, try 192.168.88.1
Re: wireguard 'road warrior' cannot use my dns
Thank you for the response.
Will review the changes suggested and see what happens..
The dns servers are valid, just not public.. I was trying to figure out how the MikroTik DNS client distributed queries..
Fastest, round robin, etc..
(I have a set of dnsdist servers that I was using to try and diagnose the recursion problem.. while being curious about the client..)
Will get doh going and see how the client works..
I could not formulate a query to show how/why the dns was being blocked but that everything else worked..
I was looking for some type of “ss” command to show that the dns client was listening on the wg interface..
Again, thank you for your help..
Will report back..
Will review the changes suggested and see what happens..
The dns servers are valid, just not public.. I was trying to figure out how the MikroTik DNS client distributed queries..
Fastest, round robin, etc..
(I have a set of dnsdist servers that I was using to try and diagnose the recursion problem.. while being curious about the client..)
Will get doh going and see how the client works..
I could not formulate a query to show how/why the dns was being blocked but that everything else worked..
I was looking for some type of “ss” command to show that the dns client was listening on the wg interface..
Again, thank you for your help..
Will report back..
Re: wireguard 'road warrior' cannot use my dns
If you have DOH setup, then your approach for DNS is wrong.
Point the client wireguard to 192.168.88.1, setup DOH properly, ensure the wireguard user has a path to DNS services ( as I have noted in input chain (for admin, and for other wg users).
Hint here is mine to adguard DNS DOH
/ip dns
set allow-remote-requests=yes cache-max-ttl=1h servers=94.140.14.14,94.140.15.15 \
use-doh-server=https://dns.adguard-dns.com/dns-query verify-doh-cert=yes
You need at least one public DNS server so that the router can find and connect to the DOH server and further DNS traffic is then encryped.
the 94.x servers are their public non DOH servers...........
Round robin from what I understand..........
Point the client wireguard to 192.168.88.1, setup DOH properly, ensure the wireguard user has a path to DNS services ( as I have noted in input chain (for admin, and for other wg users).
Hint here is mine to adguard DNS DOH
/ip dns
set allow-remote-requests=yes cache-max-ttl=1h servers=94.140.14.14,94.140.15.15 \
use-doh-server=https://dns.adguard-dns.com/dns-query verify-doh-cert=yes
You need at least one public DNS server so that the router can find and connect to the DOH server and further DNS traffic is then encryped.
the 94.x servers are their public non DOH servers...........
Round robin from what I understand..........
Re: wireguard 'road warrior' cannot use my dns
I am not sure if the attachments help illustrate the problem better..
Specifically Data Sent and Data Received entries.. (no dns no data moving..)
From Wireguard I cannot use my dns cache hosted on the router endpoint, using any of the directly connected/configured interfaces..
The dns cache works, there are cache hits within the process.
Lan clients do not have this problem, or any other problem.. just Wireguard clients using the router dns cache.. that seems to be the exclusive problem.
Thank you again..
Specifically Data Sent and Data Received entries.. (no dns no data moving..)
From Wireguard I cannot use my dns cache hosted on the router endpoint, using any of the directly connected/configured interfaces..
The dns cache works, there are cache hits within the process.
Lan clients do not have this problem, or any other problem.. just Wireguard clients using the router dns cache.. that seems to be the exclusive problem.
Thank you again..
You do not have the required permissions to view the files attached to this post.
Re: wireguard 'road warrior' cannot use my dns
(1) Keep the MTUs the same on sender receiver, so give it a go with both at default 1420, and then try the funky 1384.
(2) Why did the listening port CHANGE on the two examples ( thought you were showing me using 1.1.1.1 and using 192.168.88.1 and both not working )??
(neither matched config listening port)
(2) Why did the listening port CHANGE on the two examples ( thought you were showing me using 1.1.1.1 and using 192.168.88.1 and both not working )??
(neither matched config listening port)
Re: wireguard 'road warrior' cannot use my dns
Possibly the iOS client works differently..
The port shown is the local ephemeral port.
When you make a change to the client it reconnects and chooses a new local ephemeral port for its outbound connection.
Admittedly I am not a Wireguard contributor, but changing the dns to a server that is not RouterOS works, all mtu’s being configured as shown..
I will just accept that there is a problem and will be unable to use the local interface for dns via Wireguard.
The port shown is the local ephemeral port.
When you make a change to the client it reconnects and chooses a new local ephemeral port for its outbound connection.
Admittedly I am not a Wireguard contributor, but changing the dns to a server that is not RouterOS works, all mtu’s being configured as shown..
I will just accept that there is a problem and will be unable to use the local interface for dns via Wireguard.
Re: wireguard 'road warrior' cannot use my dns
I'm using Wireguard on iOS and I don't have such issue. Can you access router with Mikrotik iOS app when you are connected over Wireguard?Possibly the iOS client works differently..
The port shown is the local ephemeral port.
When you make a change to the client it reconnects and chooses a new local ephemeral port for its outbound connection.
Admittedly I am not a Wireguard contributor, but changing the dns to a server that is not RouterOS works, all mtu’s being configured as shown..
I will just accept that there is a problem and will be unable to use the local interface for dns via Wireguard.
Edit: Sry for confusion, I see now you have DNS cache issue, not connection... I'm using DNS server (Pi-Hole) running in container which is also set for Wireguard, probably that's why I don't have such issue, before I was on ROS DNS but I didn't noticed cache issue (if was even persisted).
Re: wireguard 'road warrior' cannot use my dns
Yup its very strange..........
There is something non-standard the oP is doing with DNS setup is the only assumption that I can make.
It works for everyone else, ( and I use IOS quite successfully )
There is something non-standard the oP is doing with DNS setup is the only assumption that I can make.
It works for everyone else, ( and I use IOS quite successfully )
Re: wireguard 'road warrior' cannot use my dns
I ended up making a new wg instance..
and all is working as it should..
Thank you for all the responses..
OT:
I'm not sure why more people don't talk about this..
Why would anyone want to make wg configs by hand..
https://www.wireguardconfig.com
and all is working as it should..
Thank you for all the responses..
OT:
I'm not sure why more people don't talk about this..
Why would anyone want to make wg configs by hand..
https://www.wireguardconfig.com
Re: wireguard 'road warrior' cannot use my dns
That configuration tool seems to be for generic linux and does not apply to RoS, nor IOS for that matter. nothing burger.
More important to understand the use/significance of each parameter.
More important to understand the use/significance of each parameter.
Re: wireguard 'road warrior' cannot use my dns [Wireguard Config Generator]
You do not have the required permissions to view the files attached to this post.
Re: wireguard 'road warrior' cannot use my dns
As I said those tools are not all that helpful. Much more important to know how to config the Mikrotik RoS and wireguard is not all that difficult to understand.
viewtopic.php?t=182340
viewtopic.php?t=182340
Re: wireguard 'road warrior' cannot use my dns
Adding my wireguard interface to the LAN list resolved the DNS access issue for me, however it doesn't work with just the input chain firewall rule for my wireguard subnet. My wireguard server subnet is 192.168.222.0/24, the client has 192.168.222.1 (router wireguard interface IP) for DNS and my firewall filter rule is as below:/interface wireguard peers add allowed-address=192.0.2.241/32
/ip firewall filter add action=accept chain=input comment="allow Wireguard traffic" src-address=192.0.2.240/28
The incoming wireguard user (assuming thats you the ADMIN) to access DNS must have access on the input chain which the above rule provides. Its really designed to allow ADMIN to configure router remotely.
For other wireguard users that are not ADMIN but may be coming into the router but should not have OPEN access to the router would not be on the above rule but would be covered by adding the wireguard1 interface to the LAN list and thus your rule below would permit DNS.
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=input comment="vpn server" src-address-list=192.168.222.0/24
Shouldn't this still work without adding the wireguard interface to the LAN list because the firewall rule is accepting traffic from the source subnet without any restriction on ports or destination address?
In addition, which is preferrable for security implications? I only have the defconf drop all not coming from LAN rule using the LAN list at the moment.
Re: wireguard 'road warrior' cannot use my dns
You would have to post your config for me to comment accurately.
/export file=anynameyouwish ( minus router serial number and any public WANIP information, keys etc. )
As to the questions....... I would do things differently. I would give the MT Wireguard Server the IP address
192.168.222.1/24 and the IP road warrior 192.168.222.2/32 and the next RW 192.168.222.3/32 etc.........
Then try it with your rule and it should work.
Many variations are possible but if you want to keep the wg interface out of the LAN list ( dont know why its so convenient!! )
then
add chain=input action=accept in-interface=wg { allows all wireguard users ability to config router or get DNS }
OR
add chain=input action=accept in-interface=wg src-address=XXXXX ( if you want to narrow down who coming in over wireguard needs access to router for config ).
add chain=input action=accept in-interface=wg dst-port=53 protocol=udp ( allow rest only dns )
add chain=input action=accept in-interface=wg dst-port=53 protocol=tcp ( allow rest only dns )
/export file=anynameyouwish ( minus router serial number and any public WANIP information, keys etc. )
As to the questions....... I would do things differently. I would give the MT Wireguard Server the IP address
192.168.222.1/24 and the IP road warrior 192.168.222.2/32 and the next RW 192.168.222.3/32 etc.........
Then try it with your rule and it should work.
Many variations are possible but if you want to keep the wg interface out of the LAN list ( dont know why its so convenient!! )
then
add chain=input action=accept in-interface=wg { allows all wireguard users ability to config router or get DNS }
OR
add chain=input action=accept in-interface=wg src-address=XXXXX ( if you want to narrow down who coming in over wireguard needs access to router for config ).
add chain=input action=accept in-interface=wg dst-port=53 protocol=udp ( allow rest only dns )
add chain=input action=accept in-interface=wg dst-port=53 protocol=tcp ( allow rest only dns )
Re: wireguard 'road warrior' cannot use my dns
Allowing DNS from the wireguard interface worked well. I still wasn't able to access Winbox over the tunnel with the src-address rule, but I can look into that later. I'm not against adding the wireguard interface to the LAN list. I was more just curious why it wasn't working the other way and which method was preferred. Thank you for your help!
Re: wireguard 'road warrior' cannot use my dns
Fix up your address structure as recommended...
As for admin access to the router, should work.
Remember you have identified the client you wish to allow in the peer settings so as a RW remote user, you are already noted in allowed IPs, and since the /32 address is part of the WG network on the router, there is already a route <dac> for return traffic in IP routes. Thus the only consideration left is threefold
a. input chain rule --> you know how now to ensure WG traffic is allowed, with or without a firewall address list as well.
b. check your winbox IP System Services LIST, next to the winbox port, ensure the "Available From" is either blank ( allow all ) or if you have used this also to narrow down access ( I typically only use input chain rule ) ensure you include the wg subnet!
c. check your TOOLS --> mac server and specifically the MAC Winbox server ( as an aside comment: the plain mac server is not secure and should be set to NONE )
if you have this enabled or a selection made, the interface list determines what can access winbox. HENCE if you have the LAN list selected, then this is a good reason to add wireguard interface to the LAN list!!!
As for admin access to the router, should work.
Remember you have identified the client you wish to allow in the peer settings so as a RW remote user, you are already noted in allowed IPs, and since the /32 address is part of the WG network on the router, there is already a route <dac> for return traffic in IP routes. Thus the only consideration left is threefold
a. input chain rule --> you know how now to ensure WG traffic is allowed, with or without a firewall address list as well.
b. check your winbox IP System Services LIST, next to the winbox port, ensure the "Available From" is either blank ( allow all ) or if you have used this also to narrow down access ( I typically only use input chain rule ) ensure you include the wg subnet!
c. check your TOOLS --> mac server and specifically the MAC Winbox server ( as an aside comment: the plain mac server is not secure and should be set to NONE )
if you have this enabled or a selection made, the interface list determines what can access winbox. HENCE if you have the LAN list selected, then this is a good reason to add wireguard interface to the LAN list!!!
Re: wireguard 'road warrior' cannot use my dns
Hi anav,
Thanks again for your reply. To confirm... Adding more FW filter rules for the specific ssh and winbox ports does allow me to connect to the router without the wireguard interface in the LAN list. So this portion appears to be working as expected.
The only thing I'm a bit confused about now is the general input chain rules without an interface and / or without a destination port specified. This is my first go with Mikrotik (so far I'm loving the gear) so I'm not sure if it's something where general rules are not processed or can be overriden by blocks, or if it's just operator error
(me).
For example, this rule:
Doesn't allow access blanket access across the tunnel for wireguard traffic the same way adding the interface to the LAN list does. The counters don't increase and the counters do increase on the rule below to drop all traffic not from LAN (3rd rule from the bottom).
But... the following rules do allow access to the specific ports in question (even without the general rule in place):
And drop all traffic not coming from LAN is not incremented.
My guess is I either have a lack of understanding or the rules need to have a certain degree of precision to be accepted over the drop all rule.
Thanks again for your reply. To confirm... Adding more FW filter rules for the specific ssh and winbox ports does allow me to connect to the router without the wireguard interface in the LAN list. So this portion appears to be working as expected.
The only thing I'm a bit confused about now is the general input chain rules without an interface and / or without a destination port specified. This is my first go with Mikrotik (so far I'm loving the gear) so I'm not sure if it's something where general rules are not processed or can be overriden by blocks, or if it's just operator error
(me).For example, this rule:
Code: Select all
/ip firewall filter add action=accept chain=input comment="vpn server" in-interface=wgsrv src-address-list=192.168.222.0/24Code: Select all
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LANCode: Select all
/ip firewall filter add action=accept chain=input comment="vpn server - dns tcp" dst-port=53 in-interface=wgsrv protocol=tcp
/ip firewall filter add action=accept chain=input comment="vpn server - dns udp" dst-port=53 in-interface=wgsrv protocol=udp
/ip firewall filter add action=accept chain=input comment="wgsrv winbox access" dst-port=8291 in-interface=wgsrv protocol=tcp src-address=192.168.222.0/24
/ip firewall filter add action=accept chain=input comment="wgsrv ssh access" dst-port=22 in-interface=wgsrv protocol=tcp src-address=192.168.222.0/24My guess is I either have a lack of understanding or the rules need to have a certain degree of precision to be accepted over the drop all rule.
Re: wireguard 'road warrior' cannot use my dns
Interestingly enough this works
When above the wireguard port rule
But not with the subnet 192.168.222.0/24 or the host 192.168.222.201/24 addresses.
Code: Select all
/ip firewall filter add action=accept chain=input comment="vpn server" in-interface=wgsrvCode: Select all
/ip firewall filter add action=accept chain=input comment="vpn server" dst-port=13233 protocol=udpRe: wireguard 'road warrior' cannot use my dns
I would probably need to see a network diagram and or complete config as looking at things in isolation is confusing. I Look at many configs, hard to keep them straight LOL.
In general there are many ways to do things, all 'legal" but maybe not optimal.
For example if one has a vlan20 (192.168.20.0/24) interface= vlanTrusted20 and the vlan is on a bridge called bridgeHome on an interface list of trusted these should allow access to vlan20.
a. add action=accept chain=input src-address=192.168.20.0/24
b. add action=accept chain=input in-interface=vlanTrusted20
c. add action=accept chain=input in-interface-list=Trusted
d. add action=accept chain=input in-interface=bridgeHome
or combinations of the above would suffice.
a+b
a+c
a+b+d
a+c+d
The more conditions you put on a match, the more secure I suppose........... but one can go overboard
In general there are many ways to do things, all 'legal" but maybe not optimal.
For example if one has a vlan20 (192.168.20.0/24) interface= vlanTrusted20 and the vlan is on a bridge called bridgeHome on an interface list of trusted these should allow access to vlan20.
a. add action=accept chain=input src-address=192.168.20.0/24
b. add action=accept chain=input in-interface=vlanTrusted20
c. add action=accept chain=input in-interface-list=Trusted
d. add action=accept chain=input in-interface=bridgeHome
or combinations of the above would suffice.
a+b
a+c
a+b+d
a+c+d
The more conditions you put on a match, the more secure I suppose........... but one can go overboard
Re: wireguard 'road warrior' cannot use my dns
Please forgive my crude network diagram.
I think this should be sanitized well without leaving out anything important.
Some firewall filter rules are disabled because I used them while I was testing a few things out.
Currently I have the dns, winbox and ssh rules disabled.
SW1 is a MikroTik RB5009
AP1 and AP2 are MikroTik HAP ax^2
The wireguard client is Android 13 running the official Wiregaurd app from the Google Play store.
I really appreciate your help.
I think this should be sanitized well without leaving out anything important.
Some firewall filter rules are disabled because I used them while I was testing a few things out.
Currently I have the dns, winbox and ssh rules disabled.
Code: Select all
[administrator@SW1] > /export hide-sensitive terse
# 2023-07-10 23:19:25 by RouterOS 7.10.1
# software id = {redacted}
#
# model = RB5009UPr+S+
# serial number = {redacted}
/interface bridge add admin-mac={redacted} auto-mac=no comment=defconf ingress-filtering=no name=bridge priority=0x6000 vlan-filtering=yes
/interface ethernet set [ find default-name=ether1 ] poe-out=off
/interface wifiwave2 add name=cap-wifi1
/interface wifiwave2 add name=cap-wifi2
/interface wireguard add comment="vpn server" listen-port=13233 mtu=1420 name=wgsrv
/interface vlan add comment="AP Management" interface=bridge name=vlan78 vlan-id=78
/interface vlan add interface=bridge name=vlan96 vlan-id=96
/interface vlan add interface=bridge name=vlan100 vlan-id=100
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wifiwave2 channel add band=5ghz-ax disabled=no frequency=5150-5350,5470-5725 name=wifi6-5ghz skip-dfs-channels=all width=20/40/80mhz
/interface wifiwave2 channel add band=2ghz-ax disabled=no name=wifi6-2.4ghz width=20/40mhz
/interface wifiwave2 configuration add channel=wifi6-5ghz country=Netherlands datapath.bridge=bridge disabled=no name=cfg-SDNW-50 security.authentication-types=wpa2-psk,wpa3-psk ssid={redacted}
/interface wifiwave2 configuration add channel=wifi6-5ghz country=Netherlands datapath.bridge=bridge .vlan-id=96 disabled=no mode=ap name=cfg-Guest50 security.authentication-types=wpa2-psk,wpa3-psk ssid={redacted}
/interface wifiwave2 configuration add channel=wifi6-2.4ghz country=Netherlands datapath.bridge=bridge disabled=no name=cfg-SDNW-24 security.authentication-types=wpa2-psk,wpa3-psk ssid={redacted}
/ip pool add name=default-dhcp ranges=192.168.10.100-192.168.10.199
/ip pool add name=dhcp78 ranges=192.168.78.100-192.168.78.199
/ip pool add name=dhcp96 ranges=192.168.96.100-192.168.96.199
/ip dhcp-server add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/ip dhcp-server add address-pool=dhcp78 interface=vlan78 lease-time=10m name=dhcp78
/ip dhcp-server add address-pool=dhcp96 interface=vlan96 lease-time=10m name=dhcp96
/zerotier set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" disabled=yes disabled=yes name=zt1 port=9993
/interface bridge port add bridge=bridge interface=ether2
/interface bridge port add bridge=bridge interface=ether3
/interface bridge port add bridge=bridge interface=ether4
/interface bridge port add bridge=bridge interface=ether5
/interface bridge port add bridge=bridge interface=ether6
/interface bridge port add bridge=bridge interface=ether7
/interface bridge port add bridge=bridge interface=ether8
/interface bridge port add bridge=bridge interface=sfp-sfpplus1
/ip neighbor discovery-settings set discover-interface-list=LAN
/interface bridge vlan add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=100
/interface bridge vlan add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=78
/interface bridge vlan add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=96
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface list member add comment="vpn server" disabled=yes interface=wgsrv list=LAN
/interface wifiwave2 capsman set ca-certificate={redacted} certificate={redacted} enabled=yes interfaces=bridge package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifiwave2 provisioning add action=create-dynamic-enabled disabled=no master-configuration=cfg-SDNW-50 name-format=%I-5Ghz slave-configurations=cfg-Guest50 supported-bands=5ghz-ax
/interface wifiwave2 provisioning add action=create-dynamic-enabled disabled=yes master-configuration=cfg-SDNW-24 name-format=%I-2.4Ghz supported-bands=2ghz-ax
/interface wireguard peers add allowed-address=192.168.222.201/32 comment="vpn server - GP7A" interface=wgsrv public-key="{redacted}"
/interface wireguard peers add allowed-address=192.168.222.202/32 comment="vpn server - GP6A_B" interface=wgsrv public-key="{redacted}"
/interface wireguard peers add allowed-address=192.168.222.210/32 comment="vpn server - GP7A" endpoint-address="" interface=wgsrv public-key="{redacted}"
/ip address add address=192.168.10.1/24 interface=bridge network=192.168.10.0
/ip address add address=192.168.100.1/24 interface=vlan100 network=192.168.100.0
/ip address add address=192.168.78.1/24 interface=vlan78 network=192.168.78.0
/ip address add address=192.168.96.1/24 interface=vlan96 network=192.168.96.0
/ip address add address=192.168.222.1/24 comment="vpn server" interface=wgsrv network=192.168.222.0
/ip cloud set ddns-enabled=yes
/ip dhcp-client add comment=defconf interface=ether1
/ip dhcp-server lease add address=192.168.10.25 mac-address=1C:83:41:31:37:AB server=defconf
/ip dhcp-server lease add address=192.168.10.26 mac-address=50:76:AF:CF:6B:C4 server=defconf
/ip dhcp-server lease add address=192.168.10.35 mac-address=5C:BB:F6:9E:EE:FA server=defconf
/ip dhcp-server lease add address=192.168.10.30 mac-address=AE:E9:F5:6D:49:B6 server=defconf
/ip dhcp-server lease add address=192.168.10.31 mac-address=00:0C:29:6C:33:A2 server=defconf
/ip dhcp-server lease add address=192.168.10.40 mac-address=00:16:3E:35:8A:4A server=defconf
/ip dhcp-server lease add address=192.168.10.41 mac-address=00:16:3E:1E:5E:AC server=defconf
/ip dhcp-server lease add address=192.168.10.42 mac-address=00:16:3E:C2:E2:70 server=defconf
/ip dhcp-server lease add address=192.168.10.32 mac-address=32:EA:CF:9E:EC:B6 server=defconf
/ip dhcp-server lease add address=192.168.10.44 mac-address=00:16:3E:39:26:A9 server=defconf
/ip dhcp-server network add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
/ip dhcp-server network add address=192.168.78.0/24 dns-server=192.168.78.1 gateway=192.168.78.1
/ip dhcp-server network add address=192.168.96.0/24 dns-server=192.168.96.1 gateway=192.168.96.1
/ip dns set allow-remote-requests=yes
/ip firewall address-list add address=192.168.96.0/24 list=obj-guest
/ip firewall address-list add address=192.168.99.0/24 list=obj-inside
/ip firewall address-list add address=192.168.78.0/24 list=obj-inside
/ip firewall address-list add address=192.168.100.0/24 list=obj-inside
/ip firewall address-list add address=192.168.10.0/24 list=obj-inside
/ip firewall address-list add address=192.168.88.0/24 list=obj-inside
/ip firewall filter add action=accept chain=input comment="vpn server" disabled=yes in-interface=wgsrv src-address-list=192.168.222.0/24
/ip firewall filter add action=accept chain=input comment="vpn server" in-interface=wgsrv
/ip firewall filter add action=accept chain=input comment="vpn server" dst-port=13233 protocol=udp
/ip firewall filter add action=accept chain=input comment="vpn server - dns tcp" disabled=yes dst-port=53 in-interface=wgsrv protocol=tcp
/ip firewall filter add action=accept chain=input comment="vpn server - dns udp" disabled=yes dst-port=53 in-interface=wgsrv protocol=udp
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=input comment="wgsrv winbox access" disabled=yes dst-port=8291 in-interface=wgsrv protocol=tcp src-address=192.168.222.0/24
/ip firewall filter add action=accept chain=input comment="wgsrv ssh access" disabled=yes dst-port=22 in-interface=wgsrv protocol=tcp src-address=192.168.222.0/24
/ip firewall filter add action=drop chain=input dst-address-list=obj-inside src-address-list=obj-guest
/ip firewall filter add action=drop chain=forward dst-address-list=obj-inside src-address-list=obj-guest
/ip firewall filter add action=accept chain=input in-interface=vlan96 src-address-list=obj-guest
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
/ipv6 firewall address-list add address=::1/128 comment="defconf: lo" list=bad_ipv6
/ipv6 firewall address-list add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
/ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
/ipv6 firewall address-list add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
/ipv6 firewall address-list add address=100::/64 comment="defconf: discard only " list=bad_ipv6
/ipv6 firewall address-list add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
/ipv6 firewall address-list add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
/ipv6 firewall address-list add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept HIP" protocol=139
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock set time-zone-name=Europe/Amsterdam
/system identity set name=SW1
/system note set show-at-login=no
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool romon set enabled=yes
[administrator@SW1] >AP1 and AP2 are MikroTik HAP ax^2
The wireguard client is Android 13 running the official Wiregaurd app from the Google Play store.
I really appreciate your help.
Re: wireguard 'road warrior' cannot use my dns
Got it, I usually ensure I follow this path to get wireguard clients.
https://www.wireguard.com/install/
But it looks like all road lead to where you went.
(1) The AP vlan is incorrect. The APs should be on the trusted network (either home network the admin uses or a separate management network and should get their IP address from this subnet).
You have vlan78 as the AP management but when I look at your diagram I see that they are assigned IPs on the vlan100 subnet ?????
(2) I dont use cap and absolutely despise any vlan settings in wifi. WIFI settings should be for WIFI only, mixing apples and oranges so cannot help you much further on that.
(3) So you are telling me that all the bridge ports are trunk ports going to smart devices ??? /interface bridge ports
(4) Nothing goes to ports 5-sfpplus1 ??
(5) Bridge need not be a LAN member, all vlans should be LAN members.
(6) It would appear this device is the WG server for handshake purposes.
(7) Oh I see you have assigned the bridge to also do DHCP, which I never do once using vlans all subnets are vlans, apples to apples, bridge just does bridging.
(8) Why bother making firewall address lists for subnets??
Especially when you have more subnets identified then whats on your router, I could see: .10, .100, .78, .96, .222 but WHAT IS
.99? .88?
(10) Your firewall rules are mess wrt to proper order and also mixing chains which makes it hard to read and find errors.
(11) This rule, if it was correct, makes sense if you wish to be able to configure the router remotely. Just be sure all WG remote users need that access, otherwise create an actual useful firewall address list of those perhaps subset of wg IP addresses.
/ip firewall filter add action=accept chain=input comment="vpn server" disabled=yes in-interface=wgsrv src-address=192.168.222.0/24 NOT src-address-list.
(12) You dont need both rules for input chain wireguard access, and the second one is fine, but if you want to limit it to only some of the wG remote folks, just add a further matching firewall address list as noted above.
(13) Other firewall changes to be sure but tired of looking at config LOL
https://www.wireguard.com/install/
But it looks like all road lead to where you went.
(1) The AP vlan is incorrect. The APs should be on the trusted network (either home network the admin uses or a separate management network and should get their IP address from this subnet).
You have vlan78 as the AP management but when I look at your diagram I see that they are assigned IPs on the vlan100 subnet ?????
(2) I dont use cap and absolutely despise any vlan settings in wifi. WIFI settings should be for WIFI only, mixing apples and oranges so cannot help you much further on that.
(3) So you are telling me that all the bridge ports are trunk ports going to smart devices ??? /interface bridge ports
(4) Nothing goes to ports 5-sfpplus1 ??
(5) Bridge need not be a LAN member, all vlans should be LAN members.
(6) It would appear this device is the WG server for handshake purposes.
(7) Oh I see you have assigned the bridge to also do DHCP, which I never do once using vlans all subnets are vlans, apples to apples, bridge just does bridging.
(8) Why bother making firewall address lists for subnets??
Especially when you have more subnets identified then whats on your router, I could see: .10, .100, .78, .96, .222 but WHAT IS
.99? .88?
(10) Your firewall rules are mess wrt to proper order and also mixing chains which makes it hard to read and find errors.
(11) This rule, if it was correct, makes sense if you wish to be able to configure the router remotely. Just be sure all WG remote users need that access, otherwise create an actual useful firewall address list of those perhaps subset of wg IP addresses.
/ip firewall filter add action=accept chain=input comment="vpn server" disabled=yes in-interface=wgsrv src-address=192.168.222.0/24 NOT src-address-list.
(12) You dont need both rules for input chain wireguard access, and the second one is fine, but if you want to limit it to only some of the wG remote folks, just add a further matching firewall address list as noted above.
(13) Other firewall changes to be sure but tired of looking at config LOL
Re: wireguard 'road warrior' cannot use my dns
Thank you for looking at my config. #11 is my problem. Definitely operator error!
(1) The vlan100 addresses are the management addresses. The idea was to use vlan78 for capsman, but I initially had some trouble with it and just opened it up to all ports at some point and never went back to clean it up.
(2) No problem here. The guest wifi is actually working the way I would like it to work.
(3) Only port 2 and 3 are the trunks. The other ports are just acting as a switch on the bridge all on vlan1, will change my native vlan in the future.
(4) I don't have anything else that uses an SFP, atleast not yet.
(5) That makes sense. I think that's from the defconf script.
(6) Yes, that is correct.
(7) This makes sense as well. This was also from the defconf, but I'll clean this up when I change my native vlan as well.
(8) These address lists are being used to block my guest from accessing everything else and vice versa. .88 is the default MikroTik DHCP subnet and I changed it to .99 temporarily because I had been using one of the Hap ax^2 routers as my primary until I eventually got my hands on the RB5009 due to the stock issues. These subnets don't exist anymore so I have now removed them from the address list.
(10) Sorry, this is because I did the export terse. I probably should have re-ordered them before uploading the config. In reality the order is a bit more logical, but it is still far from perfect for sure.
(11) This is the problem as to why it is not working. I have changed it and it works exactly as expected. I made this rule in the GUI, but the worst part about it is that I have looked at this several times since without even noticing this mistake.
(12) Now that I realize my mistake and that everything works as expected I can configure the rules in a way that makes more sense logically to me atleast.
(13) Thanks, this was a huge help! Hopefully my diagram wasn't too bad.
I think I can elaborate on #2 after reviewing both of our responses. I do want to use the vlans for wifi, but it ultimately doesn't do anything if it's here because this still needs to be changed manually on the APs themselves.
(1) The vlan100 addresses are the management addresses. The idea was to use vlan78 for capsman, but I initially had some trouble with it and just opened it up to all ports at some point and never went back to clean it up.
(2) No problem here. The guest wifi is actually working the way I would like it to work.
(3) Only port 2 and 3 are the trunks. The other ports are just acting as a switch on the bridge all on vlan1, will change my native vlan in the future.
(4) I don't have anything else that uses an SFP, atleast not yet.
(5) That makes sense. I think that's from the defconf script.
(6) Yes, that is correct.
(7) This makes sense as well. This was also from the defconf, but I'll clean this up when I change my native vlan as well.
(8) These address lists are being used to block my guest from accessing everything else and vice versa. .88 is the default MikroTik DHCP subnet and I changed it to .99 temporarily because I had been using one of the Hap ax^2 routers as my primary until I eventually got my hands on the RB5009 due to the stock issues. These subnets don't exist anymore so I have now removed them from the address list.
(10) Sorry, this is because I did the export terse. I probably should have re-ordered them before uploading the config. In reality the order is a bit more logical, but it is still far from perfect for sure.
(11) This is the problem as to why it is not working. I have changed it and it works exactly as expected. I made this rule in the GUI, but the worst part about it is that I have looked at this several times since without even noticing this mistake.
(12) Now that I realize my mistake and that everything works as expected I can configure the rules in a way that makes more sense logically to me atleast.
(13) Thanks, this was a huge help! Hopefully my diagram wasn't too bad.
I think I can elaborate on #2 after reviewing both of our responses. I do want to use the vlans for wifi, but it ultimately doesn't do anything if it's here because this still needs to be changed manually on the APs themselves.