abhi8569
just joined
Topic Author
Posts: 18
Joined: Thu Sep 14, 2023 12:03 pm

WireGuard VPN Setup to access NAS behind MikroTik

Thu Sep 14, 2023 4:41 pm

Dear Everyone,

I am currently in the process of setting up a Network Attached Storage (NAS) system for my family's backup needs. My plan is to make the NAS accessible to them via VPN. At the moment, I'm using a DSL internet connection (in Germany) with a DSL router, which I intend to keep due to its excellent WiFi range. I'm also using a MikroTik hAP ax2 router, which is designed to act as a VPN server for the NAS behind it (network diagram in the attachment). However, I am facing a few issues:

1. I am struggling to correctly set up the VPN. Despite following numerous guides, the WireGuard client on my Android device is stuck at the handshake stage. I have managed to perform port forwarding on the DSL router (I verified this by opening the HTTPS port on both routers and was able to access the NAS from outside the network).
2. I would like to ensure that users connecting via VPN can only access the NAS and not any other devices connected to the MikroTik. How can I achieve this?
3. Is there a way to allow devices connected to the DSL router to access the NAS without having to go through the VPN?

Please let me know if there are any details I may have missed. I am relatively new to networking, so any help is much appreciated.

Router Config:
# 2023-09-14 11:07:54 by RouterOS 7.11.2
# software id = AWCY-N1TB
#
# model = C52iG-5HaxD2HaxD
# serial number = HEA08KQB2M4
/interface bridge
add admin-mac=48:A9:8A:98:40:91 auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MikroTik-984095 \
disabled=no security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-984096 \
disabled=no security.authentication-types=wpa2-psk,wpa3-psk
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard1 public-key=\
"FdNiAaZ1+29VH3qYtxDMkBg8dtlZzSNFksSQiOIgnBM="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
192.168.100.0/24
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input comment="allow wireguard" dst-port=13231 \
protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=8569 in-interface=\
ether1 protocol=tcp to-addresses=192.168.88.254 to-ports=8569
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 23393
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard VPN Setup to access NAS behind MikroTik

Thu Sep 14, 2023 7:33 pm

Okay, a bit complicated, as I am assuming the ISP router is not VLAN capable; otherwise you could use the MT simply as an AP/switch and not have double NAT.
Seeing as this is probably not the case, you are using the MT as a second router.......

With that in mind..... mostly changes...
Recommend NOT using IP DHCP Client, as we know it's a fixed static, so I added an IP address.
Moved admin rules to after default rules in input chain.
Got rid of the duplicate rule you had for WireGuard handshake to listening port.
Disable IPv6 if not using it and remove all IPv6 rules.
MAC server by itself is not secure; set to none.
ENSURE you forward port 13231 on ISP modem/router to LAN IP 192.168.2.133 ( and 8698 if port forwarding to that server )
Add IP Route.
( Adding wireguard to interface list LAN will ensure better functionality ( will get DNS etc..... ) )

#
# model = C52iG-5HaxD2HaxD
# serial number = CONFIDENTIAL
/interface bridge
add admin-mac=48:A9:8A:98:40:91 auto-mac=no comment=defconf name=bridge
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
/ip address
add address=192.168.2.133/24 interface=ether1 network=192.168.2.0
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip dhcp-client
add comment=defconf interface=ether1 disabled=yes
/ip firewall filter
.......
.......
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
192.168.100.0/24

add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main

/ipv6 settings
set disable-ipv6=yes forward=no
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
abhi8569
just joined
Topic Author
Posts: 18
Joined: Thu Sep 14, 2023 12:03 pm

Re: WireGuard VPN Setup to access NAS behind MikroTik

Thu Sep 21, 2023 7:13 pm

Hello @anav

Thank you very much for your response, and apologies for the late response.
I am now trying to set up the router from the start. I did a reset and applied the changes that you suggested (haven't set up the VPN till now). Unfortunately, after these changes my devices connected to the ISP WiFi router start giving some issues like buffering while playing YouTube videos and frequent WhatsApp call disconnects. As soon as I remove the connection between the ISP router and the MikroTik device, everything works fine. I am posting the config again in case there is some issue that you can point to.
# 2023-09-21 18:05:06 by RouterOS 7.11.2
# software id =
#
# model = C52iG-5HaxD2HaxD
# serial number = XxXxXxXxX
/interface bridge
add admin-mac=**ELIDED** auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MikroTik-984095 \
    security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-984096 \
    security.authentication-types=wpa2-psk,wpa3-psk
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.2.100/24 interface=ether1 network=192.168.2.0
/ip dhcp-client
add comment=defconf interface=ether1
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Thanks a lot!
Last edited by tangent on Thu Sep 21, 2023 8:21 pm, edited 1 time in total.
Reason: Elided PII
 
anav
Forum Guru
Posts: 23393
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard VPN Setup to access NAS behind MikroTik

Fri Sep 22, 2023 2:48 am

Well you sort of made some changes, but not all.

(1) Recommend trying changing the lease time from 10m to 30m or even 2d! Especially for the wifi!!

(2) The main error I believe is still in IP DHCP Client settings!!! You have a duplicate... Get rid of the one in orange; since you have defined the IP address of the WAN, the client should be disabled.

/ip dhcp-client
add comment=defconf interface=ether1

add comment=defconf disabled=yes interface=ether1


This should fix your issues I believe.

note1: Should be set to NONE, as mac-server by itself is not a secure access method.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

note2: If not using IPv6, ensure you add this rule to your config.
/ipv6 settings
set disable-ipv6=yes forward=no


+++++++++++++++++++
Once normal connectivity is sorted out we can add the wireguard.
 
abhi8569
just joined
Topic Author
Posts: 18
Joined: Thu Sep 14, 2023 12:03 pm

Re: WireGuard VPN Setup to access NAS behind MikroTik

Fri Sep 22, 2023 9:42 pm

Hello @anav,

I have made changes and did some testing.
  • Case 1
When DHCP client is disabled
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1

I am not able to access the internet. I tried plugging in the ethernet cable from the ISP router to both ETH1 and other ETH ports, but the devices connected to the MikroTik router (both ethernet and WiFi) couldn't access the internet.
  • Case 2
When DHCP Client is enabled
/ip dhcp-client
add comment=defconf interface=ether1

devices can access the internet without any issues when Internet-in is connected to ETH1 (the internet doesn't work if Internet-in is connected to any other port, but I think this is expected behavior).

I am attaching the configuration for case 2, which is active on my router. Is it possible to set up WireGuard with DHCP Client enabled? If yes, I'll proceed with setting up the WireGuard server.
# 2023-09-22 10:52:59 by RouterOS 7.11.2
# software id = AWCY-N1TB
#
# model = C52iG-5HaxD2HaxD
# serial number = asdieqbdi
/interface bridge
add admin-mac=ahkahhdhkd auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MikroTik-984095 \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-984096 \
    security.authentication-types=wpa2-psk,wpa3-psk
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=2d name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.2.100/24 interface=ether1 network=192.168.2.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 23393
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard VPN Setup to access NAS behind MikroTik

Sat Sep 23, 2023 3:26 am

I don't care about that.

You have to understand that if you have a dynamic IP address, one needs to use IP DHCP client.
If you have a static WAN IP, always the same, then it's best NOT to use IP DHCP client and simply use IP address for the WAN IP.
NOT BOTH.

So make up your mind!!
One or the other but not both.
The rest looks fine to me.


/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.2.100/24 interface=ether1 network=192.168.2.0


/ip dhcp-client
add comment=defconf interface=ether1
 
abhi8569
just joined
Topic Author
Posts: 18
Joined: Thu Sep 14, 2023 12:03 pm

Re: WireGuard VPN Setup to access NAS behind MikroTik

Sat Sep 23, 2023 12:04 pm

So I decided to remove the bold part, as it's the only way I found with working internet. I assigned the MikroTik router a static IP from the ISP router.

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.2.100/24 interface=ether1 network=192.168.2.0

/ip dhcp-client
add comment=defconf interface=ether1

I'll now try to set up the WireGuard and will let you know in case of any issues.
 
abhi8569
just joined
Topic Author
Posts: 18
Joined: Thu Sep 14, 2023 12:03 pm

Re: WireGuard VPN Setup to access NAS behind MikroTik

Sat Sep 23, 2023 3:20 pm

So I created a new WireGuard interface and added the peer. The process is still stuck at handshake. This is my router configuration:
# 2023-09-23 14:07:50 by RouterOS 7.11.2
# software id = AWCY-N1TB
#
# model = C52iG-5HaxD2HaxD
# serial number = xxxxxxxxxxxxxxx
/interface bridge
add admin-mac=xxxxxxxxxxxxx auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MikroTik-984095 \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-984096 \
    security.authentication-types=wpa2-psk,wpa3-psk
/interface wireguard
add listen-port=13231 mtu=1420 name=WGTunnel
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=2d name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=10.10.0.2/32 interface=WGTunnel public-key=\
    "Q1xxxxxxxxxxxxxxxxxxxxxxxs="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.10.0.0/24 interface=WGTunnel network=10.10.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    10.10.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=8569 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.88.254 to-ports=8569
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
This is how the configuration looks on my Android device:
[Interface]
Address = 10.10.0.2/32
DNS = 8.8.8.8
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxx

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = nas.mydomain.de:13231
PersistentKeepalive = 20
PublicKey = fdxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxk=

I am able to access the HTTPS port on my NAS using the domain name (nas.mydomain.de:8569) from outside of the network after enabling port forwarding on both the ISP and Microtik routers. For WireGuard, I did port forward 13231 (UDP) from the ISP router to the Microtik router.

Thank you very much for your patience and help!
 
abhi8569
just joined
Topic Author
Posts: 18
Joined: Thu Sep 14, 2023 12:03 pm

Re: Wireguard VPN Setup to access NAS behind Microtik

Sat Sep 23, 2023 6:32 pm

It is working now. I moved these two firewall rules to number 1 and 2 respectively.
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    10.10.0.0/24
Thank you very much for your support. Have a nice weekend :-)
 
anav
Forum Guru
Posts: 23393
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN Setup to access NAS behind Microtik

Sat Sep 23, 2023 7:11 pm

No need to move those rules; they should be after the default rules, as should any other admin-created rule.

aka.
establ relate
drop bad
allow icmp
allow 127
++++++++
vpn allow
vpn allow
admin allow to configure router
services allowed to LAN (dns etc.)
Drop all else
 
abhi8569
just joined
Topic Author
Posts: 18
Joined: Thu Sep 14, 2023 12:03 pm

Re: Wireguard VPN Setup to access NAS behind Microtik

Sat Sep 23, 2023 7:18 pm

Thank you. I moved them according to your suggestions!

May I know if there is a way to allow VPN client to access only NAS (192.168.88.254) through VPN and redirect all other traffic through their own internet connection?

I changed the configuration on the Client side and it seems to be working fine. I just want to make sure it is the correct way and there is no traffic leakage.
[Interface]
Address = 10.10.0.2/32
DNS = 8.8.8.8
PrivateKey = xcxcxcxcxcxcxcxcxcxcxc

[Peer]
AllowedIPs = 10.10.0.2/32, 192.168.88.254/32
Endpoint = nas.mydomain.de:13231
PreSharedKey = xvxvxvxvxvxvxvxvxvxvxvxv
PublicKey = xyxyxyxyxyxyxyxyxyxyxyxy
 
anav
Forum Guru
Posts: 23393
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN Setup to access NAS behind Microtik

Sat Sep 23, 2023 7:42 pm

Well, the easy way is not to put 0.0.0.0/0 on the client allowed IPs.
Just the wireguard subnet they are on, and any IP addresses they need to visit.
I typically don't narrow it down to an IP but to the subnet 192.168.88.0/24, as it allows flexibility.
They may not know what IP you have set, or you changed something, for example.

If a client tries to reach an IP that is not on the allowed list, then it's rejected and will not enter the tunnel.
However, you may not have control over what the client does!!!
Let's say he changes the allowed IPs to 0.0.0.0/0: that covers the wireguard subnet, all local subnets on the router and internet addresses as well.


So don't assume what is on the client; if there are potentially non-admins accessing your router, then take the steps necessary.
Especially because generally we have rules that allow traffic from the LAN, AND it's actually advantageous and efficient in most cases to ensure the wireguard subnet is part of the LAN interface list.

For example, if you add wg to the LAN interface list and then you have a rule
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
then they will be able to use your internet.

To prevent this, you can be more prescriptive about who on the LAN is allowed to use the WAN and change that standard type of rule to:
add chain=forward action=accept src-address=local_subnet out-interface-list=WAN
Or, if you had a bunch of local subnets, make an interface list for them:
add chain=forward action=accept in-interface-list=local-SUBnets out-interface-list=WAN

You could also get cute like this and combine it in one rule, if perhaps there was only one remote user, not an admin, coming in on wireguard that you didn't trust fully:
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN src-address=!wireguardIP-untrusted
OR IF THERE WERE SEVERAL, make a firewall address list:
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN src-address-list=!wireguardLIST-untrusted

Lots of way to deal with this on the router side.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I would assume you do not have control over clients, and so they use 0.0.0.0/0 for allowed IPs, which covers
a. the wireguard subnet
b. any subnet on the router
c. internet on the router.

So never assume they do not do this, even if told.
So the important thing is to lock down entry to your LAN and WAN rules if this is a concern.
Last edited by anav on Sat Sep 23, 2023 8:06 pm, edited 5 times in total.
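To make concrete what AllowedIPs does on each side of the tunnel (the narrowed client config posted above, and the point in this reply that a remote user can always put 0.0.0.0/0 back), here is an added example that is not part of the thread. It models WireGuard's cryptokey routing in Python rather than calling WireGuard: the client side decides which destinations enter the tunnel, the router side decides which inner source addresses it will accept from a peer. The peer name "router" is a placeholder; the addresses are the ones used in the thread.

```python
"""WireGuard "cryptokey routing" on both ends of the tunnel discussed in this thread.

Added example, not code from the posts; it models WireGuard's behaviour instead of calling
it.  A client sends a destination into the tunnel only when a peer's AllowedIPs covers it
(longest prefix wins, because AllowedIPs are installed as routes), and the router accepts a
decrypted packet only when its inner source lies inside that peer's allowed-address.
Addresses are the thread's; the peer name "router" is a placeholder.  Other routes the
phone's OS may hold are ignored by the model.
"""
from ipaddress import ip_address, ip_network
from typing import Optional


def parse_allowed_ips(text: str) -> list:
    """'AllowedIPs = a/b, c/d' (or a RouterOS allowed-address) -> networks; host bits are tolerated as wg does."""
    return [ip_network(p.strip(), strict=False) for p in text.split(",") if p.strip()]


def client_next_hop(dst: str, peers: dict) -> Optional[str]:
    """Peer name a client routes dst to, or None when the packet takes the normal, non-VPN route.

    peers maps a peer name to its AllowedIPs list.  With AllowedIPs = 0.0.0.0/0 every
    destination, including a family member's ordinary web traffic, enters the tunnel.
    """
    addr = ip_address(dst)
    best = None  # (prefix length, peer name) of the most specific match so far
    for name, nets in peers.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, name)
    return best[1] if best else None


def router_accepts_inner_source(inner_src: str, peer_allowed: list) -> bool:
    """Router side: after decryption the inner source must sit inside the sending peer's allowed-address.

    WireGuard enforces this before any firewall rule and the remote user cannot change it:
    with allowed-address=10.10.0.2/32 only packets *from* 10.10.0.2 are accepted, whatever
    the phone's AllowedIPs says.  It does not limit where those packets may go; that is the
    router's firewall.
    """
    addr = ip_address(inner_src)
    return any(addr in net for net in peer_allowed)


def split_tunnel_plan(destinations: list, allowed_ips: str) -> dict:
    """Map each destination to 'tunnel' or 'direct' under one client AllowedIPs string."""
    peers = {"router": parse_allowed_ips(allowed_ips)}
    return {d: ("tunnel" if client_next_hop(d, peers) else "direct") for d in destinations}
```

Two things fall out of running it. The router-side check is the only layer the remote user cannot alter: with `allowed-address=10.10.0.2/32` on the peer, a packet whose inner source is 10.10.0.5 or 192.168.88.77 is discarded before any filter rule sees it, but nothing at this layer limits where 10.10.0.2 may go, so the NAS-only restriction has to be a firewall rule on the router. And the client config posted above lists 10.10.0.2/32 rather than 10.10.0.0/24, so the router's own tunnel address (10.10.0.1 once the interface address is fixed) is not routed into the tunnel at all; that only matters if the phone needs to talk to the router itself, for example for DNS, and the /24 suggested in the reply avoids it.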
 
abhi8569
just joined
Topic Author
Posts: 18
Joined: Thu Sep 14, 2023 12:03 pm

Re: Wireguard VPN Setup to access NAS behind Microtik

Sat Sep 23, 2023 7:49 pm

This is a really helpful insight. I'll add subnet to the allowed IP.

May I know how can I add this restriction on the router side so that clients can't pass internet traffic through VPN?
 
anav
Forum Guru
Posts: 23393
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN Setup to access NAS behind Microtik

Sat Sep 23, 2023 8:00 pm

Added it to the above post.
 
abhi8569
just joined
Topic Author
Posts: 18
Joined: Thu Sep 14, 2023 12:03 pm

Re: Wireguard VPN Setup to access NAS behind Microtik

Sat Sep 23, 2023 9:42 pm

So as per your instruction I added a firewall address list:
/ip firewall address-list
add address=10.10.0.0/24 list=WGAddressList
and blocked WAN access for the WireGuard subnet (added this just before the WireGuard-related firewall rules):

add action=accept chain=forward comment="No Internet Access for WGTunnel" \
    in-interface-list=LAN out-interface-list=WAN src-address-list=\
    !WGAddressList

And on the client side I added 0.0.0.0/0 to the allowed IPs. But my internet traffic is passing through the router. Is there something I did wrong?
 
anav
Forum Guru
Posts: 23393
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN Setup to access NAS behind Microtik

Sat Sep 23, 2023 10:59 pm

Please post the full config, looking at snippets is not enough.
The problem in your config is that you are blocking the entire WG subnet.
The idea was to narrow that down to the specific /32 IP addresses of wireguard clients.......

So try again with that in mind and see if the client can access the internet via the router.
If that doesn't work (though I don't see why it wouldn't), then try the alternative method.


/interface list
add name=WAN
add name=LAN
add name=local_subnet
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=WGTunnel list=LAN
add interface=bridge list=local_subnet
add comment=defconf interface=ether1 list=WAN


Then modify the LAN to WAN rule as follows
add chain=forward action=accept in-interface-list=local_subnet out-interface-list=WAN
 
abhi8569
just joined
Topic Author
Posts: 18
Joined: Thu Sep 14, 2023 12:03 pm

Re: Wireguard VPN Setup to access NAS behind Microtik

Sun Sep 24, 2023 10:39 am

Blocking only the wireguard client IP from WAN Access is not working. This is the configuration I tried:
# 2023-09-24 09:32:42 by RouterOS 7.11.2
# software id = AWCY-N1TB
#
# model = C52iG-5HaxD2HaxD
# serial number = xxxxxxxxxxxxxxxxxxxxxxxx
/interface bridge
add admin-mac=xxxxxxxxxxxxxxxxxx auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MikroTik-984095 \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-984096 \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
/interface wireguard
add listen-port=13231 mtu=1420 name=WGTunnel
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=local_subnet
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=2d name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=10.10.0.2/32 interface=WGTunnel public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.10.0.0/24 interface=WGTunnel network=10.10.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.10.0.2 list=WGAddressList
/ip firewall filter
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN \
    src-address-list=!WGAddressList
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow WireGuard traffic" log=yes \
    src-address=10.10.0.0/24
add action=accept chain=input comment="allow WireGuard" dst-port=13231 log=\
    yes protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Berlin
/system logging
add prefix=wireguard topics=wireguard
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I also tried the alternative method suggested by you in the above comment. But the client can still access the internet through the router. Here is the config for the alternate method:
# 2023-09-24 09:25:46 by RouterOS 7.11.2
# software id = AWCY-N1TB
#
# model = C52iG-5HaxD2HaxD
# serial number = xxxxxxxxxxxxxxx
/interface bridge
add admin-mac=xxxxxxxxxxxxxxxxxxxxxxx auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MikroTik-984095 \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-984096 \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
/interface wireguard
add listen-port=13231 mtu=1420 name=WGTunnel
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=local_subnet
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=2d name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=Wireguard interface=WGTunnel list=LAN
add interface=bridge list=local_subnet
/interface wireguard peers
add allowed-address=10.10.0.2/32 interface=WGTunnel public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.10.0.0/24 interface=WGTunnel network=10.10.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.10.0.2 list=WGAddressList
/ip firewall filter
add action=accept chain=forward in-interface-list=local_subnet \
    out-interface-list=WAN
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow WireGuard traffic" log=yes \
    src-address=10.10.0.0/24
add action=accept chain=input comment="allow WireGuard" dst-port=13231 log=\
    yes protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Berlin
/system logging
add prefix=wireguard topics=wireguard
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 23393
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN Setup to access NAS behind Microtik

Sun Sep 24, 2023 5:30 pm

You confirm client access how?
Assuming via cell phone: turning off wifi, using cellular service, and then using "what's my IP"??

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

SECOND CONFIG

The new rule is first on the list and thus not in the right order; it should be placed here, in between the two rules shown -->*****
add action=accept chain=forward in-interface-list=local_subnet out-interface-list=WAN


/ip firewall filter
........................
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
*****
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


FIRST CONFIG

Same story: this line should not be first, but should be placed in the same position as in the other config noted above!!
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN src-address-list=!WGAddressList


+++++++++++++++++++++++++++++++++++++++++++
Both of the above configs WILL WORK.
THE REAL PROBLEM IS that in both configs you have this:

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.10.0.0/24 interface=WGTunnel network=10.10.0.0


Should be
add address=10.10.0.1/24 interface=WGTunnel network=10.10.0.0
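Two things in this thread come down to the same property of RouterOS filter chains: rules are evaluated top to bottom and the first terminating match decides, and a packet that reaches the end of a built-in chain without matching anything is accepted. That is why the handshake was dropped until the two WireGuard input rules moved above "drop all not coming from LAN", and it is also why an accept rule with src-address-list=!WGAddressList cannot, on its own, keep tunnel clients off the internet: in the posted forward chain no later rule drops traffic that enters on WGTunnel, so it falls off the end of the chain and is accepted regardless of where the accept rule sits. The following is an added example, not code from the thread and not RouterOS: it parses rules in the export format the posts use, walks them the way the router would, and adds two hypothetical rules (accept from WGTunnel to 192.168.88.254, then drop everything else from WGTunnel) placed above the WAN drop. Interface-list membership and the address list are hard-coded from the second config; rules that cannot match the packets tested (ipsec, ICMP, fasttrack, established) are omitted.

```python
"""First-match walk of a RouterOS /ip firewall filter export, in the format used in this thread.
Added example, not code from the posts and not RouterOS itself: it parses 'add' lines (backslash
continuations, key=value tokens, quoted comments) and evaluates one packet top to bottom as the
router does, including the built-in chains' implicit accept when nothing matches.  Lists are
hard-coded from the thread; rules that cannot match the packets tested here are left out.
"""
import shlex
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERFACE_LISTS = {"LAN": {"bridge", "WGTunnel"}, "WAN": {"ether1"}}  # WGTunnel in LAN, as in the 2nd config
ADDRESS_LISTS = {"WGAddressList": [ip_network("10.10.0.0/24")]}
TERMINATING = {"accept", "drop", "reject"}  # fasttrack-connection, log, ... fall through to the next rule

@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    out_iface: str = ""   # empty for input-chain packets (addressed to the router itself)
    proto: str = "tcp"
    dport: int = 443
    state: str = "new"    # connection-state as connection tracking sees it
    nat_state: str = ""   # "dstnat" once a dst-nat rule has hit the connection

MATCHERS = {  # RouterOS matcher -> predicate on (packet, value without its leading '!')
    "connection-state": lambda p, v: p.state in v.split(","),
    "connection-nat-state": lambda p, v: p.nat_state == v,
    "in-interface-list": lambda p, v: p.in_iface in INTERFACE_LISTS[v],
    "out-interface-list": lambda p, v: p.out_iface in INTERFACE_LISTS[v],
    "in-interface": lambda p, v: p.in_iface == v,
    "src-address": lambda p, v: ip_address(p.src) in ip_network(v, strict=False),
    "dst-address": lambda p, v: ip_address(p.dst) in ip_network(v, strict=False),
    "src-address-list": lambda p, v: any(ip_address(p.src) in n for n in ADDRESS_LISTS[v]),
    "protocol": lambda p, v: p.proto == v,
    "dst-port": lambda p, v: str(p.dport) in v.split(","),  # single ports only, no ranges
}

def parse_export(text: str) -> list:
    """Join backslash continuations; turn each 'add ...' line into a dict of its key=value pairs."""
    rules, buf = [], ""
    for line in text.splitlines():
        s = line.strip()
        if s.endswith("\\"):
            buf += s[:-1]  # any space before the backslash is kept
            continue
        toks, buf = shlex.split(buf + s), ""
        if toks and toks[0] == "add":
            rules.append(dict(t.split("=", 1) for t in toks[1:]))
    return rules

def _matches(rule: dict, pkt: Packet) -> bool:
    """Every matcher must hold; a leading '!' negates that one matcher, as in RouterOS."""
    for key, raw in rule.items():
        if key in ("action", "chain", "comment", "log", "hw-offload"):  # not matchers
            continue
        neg, val = raw.startswith("!"), raw.lstrip("!")
        if MATCHERS[key](pkt, val) == neg:  # KeyError: a matcher this model does not cover
            return False
    return True

def verdict(rules: list, chain: str, pkt: Packet) -> str:
    """The first terminating rule that matches decides; otherwise the built-in chain accepts."""
    for rule in rules:
        if rule["chain"] == chain and rule["action"] in TERMINATING and _matches(rule, pkt):
            return rule["action"]
    return "accept"

def move_before(rules: list, moving: list, anchor_comment: str) -> list:
    """Copy of rules with the 'moving' rules placed directly above the rule carrying anchor_comment."""
    rest = [r for r in rules if r not in moving]
    i = next(i for i, r in enumerate(rest) if r.get("comment") == anchor_comment)
    return rest[:i] + moving + rest[i:]

# Rules from the thread as first posted: the WireGuard input rules sit below "drop all not
# coming from LAN", so a handshake arriving on ether1 never reaches them.
AS_POSTED = r"""
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN \
    src-address-list=!WGAddressList
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=10.10.0.0/24
"""

# Hypothetical rules (not from the thread): tunnel clients may reach the NAS and nothing else.
RESTRICT_WG = r"""
add action=accept chain=forward comment="WG clients -> NAS only" \
    in-interface=WGTunnel dst-address=192.168.88.254
add action=drop chain=forward comment="WG clients -> anything else" in-interface=WGTunnel
"""

def fixed_rules() -> list:
    """WireGuard input rules moved above the LAN-only drop; NAS-only rules placed above the WAN drop."""
    posted = parse_export(AS_POSTED)
    wg_input = [r for r in posted if r.get("comment", "").startswith("allow WireGuard")]
    rules = move_before(posted, wg_input, "defconf: drop all not coming from LAN")
    extra = parse_export(RESTRICT_WG)
    return move_before(rules + extra, extra, "defconf: drop all from WAN not DSTNATed")
```

Walking a new connection from 10.10.0.2 to 8.8.8.8 out of ether1 through the chain as posted returns "accept", which is the behaviour reported above; through fixed_rules() it returns "drop", while 10.10.0.2 to 192.168.88.254 is still accepted and 10.10.0.2 to another LAN host such as 192.168.88.10 is dropped. On the real router the two hypothetical rules must sit above any rule that accepts LAN traffic outright, and the drop only needs to hit the first packet of a connection: a connection that never gets established is never fasttracked, so the defconf fasttrack rule does not undermine it. The WireGuard address of the router itself (the input chain, for DNS or Winbox from the phone) is a separate matter, covered by the thread's "allow WireGuard traffic" rule.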
 
abhi8569
just joined
Topic Author
Posts: 18
Joined: Thu Sep 14, 2023 12:03 pm

Re: Wireguard VPN Setup to access NAS behind Microtik

Sun Sep 24, 2023 7:57 pm

At this point I am going along with the first config from my last post. I have now positioned the firewall rule correctly and made changes to the IP address according to your suggestion. Here is the updated config:
# 2023-09-24 18:44:31 by RouterOS 7.11.2
# software id = AWCY-N1TB
#
# model = C52iG-5HaxD2HaxD
# serial number = xxxxxxxxxxxxxxxxx
/interface bridge
add admin-mac=xxxxxxxxxxxxxxxxxxxxx auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MikroTik-984095 \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-984096 \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
/interface wireguard
add listen-port=13231 mtu=1420 name=WGTunnel
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=local_subnet
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=2d name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=10.10.0.2/32 interface=WGTunnel public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.10.0.1/24 interface=WGTunnel network=10.10.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.10.0.0/24 list=WGAddressList
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow WireGuard traffic" log=yes \
    src-address=10.10.0.0/24
add action=accept chain=input comment="allow WireGuard" dst-port=13231 log=\
    yes protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN \
    src-address-list=!WGAddressList
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Berlin
/system logging
add prefix=wireguard topics=wireguard
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

For testing I am blocking the complete WireGuard subnet, and on the client side I have only added 0.0.0.0/0 to the allowed IPs.

To make sure whether my client's internet is routing through the Microtik, I turn off the WiFi and check whatsmyip. I am also checking the WireGuard interface traffic when accessing YouTube. When I had added the NAS IP specifically to the allowed list on the client side, I could see that accessing YouTube did not cause any spike in traffic on the WireGuard interface. But with this config (posted in this comment) I could see traffic on the WireGuard interface.

Thank you very much for all your help!
 
anav
Forum Guru
Posts: 23393
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN Setup to access NAS behind Microtik

Sun Sep 24, 2023 8:51 pm

So it's working as expected / desired??
 
abhi8569
just joined
Topic Author
Posts: 18
Joined: Thu Sep 14, 2023 12:03 pm

Re: Wireguard VPN Setup to access NAS behind Microtik

Sun Sep 24, 2023 8:58 pm

Sorry for misunderstanding, it is working only when I explicitly add NAS IP to the allowed address on client side. With the current config posted above, it is not working.
 
anav
Forum Guru
Posts: 23393
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN Setup to access NAS behind Microtik

Mon Sep 25, 2023 12:14 am

I would focus on the firewall rules, as everything else seems to be correct as far as I can tell.
You don't need the firewall address list or the addition to the rule, because you have not made WireGuard part of the LAN.
Since they are not going out to the internet they don't need to be; we do that so they are part of the DNS rule in the input chain and part of the LAN-to-WAN rule in the forward chain.
Since you did not make WireGuard part of the LAN interface list, no need...
The logic is: a. an outside user cannot access the DNS service on the router for external WAN traffic, and b. they are not included in the allow LAN-to-WAN rule. Traffic should not be possible.
Ensure you have the drop all rule at the end of the forward chain like shown!!

The only thing to do is ensure the ADMIN coming in wireguard has access on the input chain to config the router remotely.

# 2023-09-24 18:44:31 by RouterOS 7.11.2

/interface wireguard
add listen-port=13231 mtu=1420 name=WGTunnel
/interface wireguard peers
add allowed-address=10.10.0.2/32 interface=WGTunnel public-key=\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=10.10.0.1/24 interface=WGTunnel network=10.10.0.0

/ip firewall address-list
add address=10.10.0.2/32 list=WGAddressList
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow WireGuard traffic" log=yes \
src-address=10.10.0.0/24 { WHY? you do not want all users .... limit this to only the admin on wireguard X/32 ! }
add action=accept chain=input comment="allow WireGuard" dst-port=13231 log=\
yes protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid

add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
 
abhi8569
just joined
Topic Author
Posts: 18
Joined: Thu Sep 14, 2023 12:03 pm

Re: Wireguard VPN Setup to access NAS behind Microtik

Mon Sep 25, 2023 11:02 pm

Unfortunately none of the clients (10.10.0.2 is the admin client) are able to access internet at all.
# 2023-09-25 22:07:54 by RouterOS 7.11.2
# software id = AWCY-N1TB
#
# model = C52iG-5HaxD2HaxD
# serial number = xxxxxxxxxxxxxxxxxxx
/interface bridge
add admin-mac=xxxxxxxxxxxxxxxxxxxxxxx auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MikroTik-984095 \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-984096 \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
/interface wireguard
add listen-port=13231 mtu=1420 name=WGTunnel
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=local_subnet
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=2d name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=10.10.0.2/32 interface=WGTunnel public-key=\
    "xxxxxxxxxxxxxxxxx"
add allowed-address=10.10.0.3/32 interface=WGTunnel public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
add allowed-address=10.10.0.4/32 interface=WGTunnel public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxx"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.10.0.1/24 interface=WGTunnel network=10.10.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.10.0.2 list=WGAddressList
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow WireGuard traffic" log=yes \
    src-address=10.10.0.2
add action=accept chain=input comment="allow WireGuard" dst-port=13231 log=\
    yes protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Berlin
/system logging
add prefix=wireguard topics=wireguard
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Sorry for my lack of knowledge, but is it possible this is doing something wrong?
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main
 
anav
Forum Guru
Posts: 23393
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN Setup to access NAS behind Microtik

Tue Sep 26, 2023 2:06 am

Early on you stated the requirement like this:
I would like to ensure that users connecting via VPN can only access the NAS and not any other devices connected to the Microtik. How can I achieve this?

and later.......
May I know how can I add this restriction on the router side so that clients can't pass internet traffic through VPN?

Therefore it's very confusing that in the last post you state......
Unfortunately none of the clients (10.10.0.2 is the admin client) are able to access internet at all.

You never asked for internet for the WireGuard clients, and in fact you wanted this prevented.
I hope you can understand the confusion you are causing here! :-)

So I will play what if.

(1) What if only the admin should get internet while rest of Wireguard access NAS only.
BASED ON THESE RULES YOU ARE almost ALREADY THERE.

(2) This rule should be removed regardless, it is no longer required..........
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


(3) Instead put in this rule to allow all wireguard users to NAS device.
add action=accept chain=forward in-interface=WGTunnel dst-address=192.168.88.XX comment="access to NAS"

(4) In this regard, to ensure the admin can access the config remotely or from inside, we create an interface list that includes the interfaces the admin may be coming from.
Since all users are on the bridge, I suggest you create an admin firewall address list to narrow full access down to only the admin..........

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGE
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge list=MANAGE
add interface=WGTunnel list=MANAGE


/ip firewall address-list
add address=10.10.0.2/32 list=Authorized
add address=192.168.88.XX list=Authorized comment="admin desktop or laptop"
add address=192.168.88.YY list=Authorized comment="admin ipad/smartphone"


/ip firewall filter
......
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow admin access" log=yes \
src-address-list=Authorized

......
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward src-address=10.10.0.2/32 out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=accept chain=forward in-interface=WGTunnel dst-address=192.168.88.XX comment="access to NAS"
add action=drop chain=forward comment="drop all else"

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE


+++++++++++++++++++++++++++++++++++++++++++++++
Now only the wireguard admin should be able to config the router from wireguard and all wireguard users should be able to access NAS.
 
abhi8569
just joined
Topic Author
Posts: 18
Joined: Thu Sep 14, 2023 12:03 pm

Re: Wireguard VPN Setup to access NAS behind Microtik

Tue Sep 26, 2023 1:00 pm

Sorry for the confusion. Let me clarify a few things:
  1. For all WG clients, including the admin, internet traffic should not pass through the router but through their own internet connection (split tunnel, if I am using the correct term).
  2. Among WG clients, only the admin (10.10.0.2) should be able to access the router configuration.
  3. All devices on the LAN (192.168.88.xxx) should have access to the router configuration.
I have already made changes to the configuration as per your above post:

# 2023-09-26 11:39:29 by RouterOS 7.11.2
# software id = AWCY-N1TB
#
# model = C52iG-5HaxD2HaxD
# serial number = xxxxxxxxxxxxx
/interface bridge
add admin-mac=xxxxxxxxxxxxxxxxxxx auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MikroTik-984095 \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-984096 \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
/interface wireguard
add listen-port=13231 mtu=1420 name=WGTunnel
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=local_subnet
add name=MANAGE
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=2d name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge list=MANAGE
add interface=WGTunnel list=MANAGE
/interface wireguard peers
add allowed-address=10.10.0.2/32 interface=WGTunnel public-key=\
    "xxxxxxxxxxxxxxxx"
add allowed-address=10.10.0.3/32 interface=WGTunnel public-key=\
    "xxxxxxxxxxxxxxxxx"
add allowed-address=10.10.0.4/32 interface=WGTunnel public-key=\
    "xxxxxxxxxxxxxxxxx"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.10.0.1/24 interface=WGTunnel network=10.10.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.10.0.2 list=Authorized
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow admin access" log=yes \
    src-address-list=Authorized
add action=accept chain=input comment="allow WireGuard" dst-port=13231 log=\
    yes protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="wg admin access for internet" \
    out-interface-list=WAN src-address=10.10.0.2 src-address-list=""
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="access to NAS" dst-address=\
    192.168.88.254 in-interface=WGTunnel
add action=drop chain=forward comment="drop all else"
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Berlin
/system logging
add prefix=wireguard topics=wireguard
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

With this configuration:
  1. All WG clients are able to access the router configuration page (this should not happen).
  2. All LAN devices are able to access the router configuration page (this is working as expected, so all good on this front).
  3. The WG admin's (10.10.0.2) internet is still routing through the Microtik (which should not happen). Probably because of this rule
    add action=accept chain=forward comment="wg admin access for internet" \
        out-interface-list=WAN src-address=10.10.0.2 src-address-list=""
    (just trying to understand)
  4. Other WG clients are not able to access the internet at all, even using their own internet connection. As soon as I connect to the WG, the internet ceases to work; I can only access the router's configuration page.
 
anav
Forum Guru
Posts: 23393
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN Setup to access NAS behind Microtik

Tue Sep 26, 2023 3:33 pm

Okay, tis strange, for example, there is no reason for all persons to have access to config the router, that makes ZERO sense????
What user/devices need, is access ONLY to router services......

To fix your latest config changes shown:


/interface list { removed extra interface list items - not required }
add comment=defconf name=WAN
add comment=defconf name=LAN


/interface list member { same with list member entries }
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN


/ip firewall address-list { modified for admin access to config }
add address=10.10.0.2 list=Authorized
add address=192.168.88.XX list=Authorized comment="admin desktop or laptop on wired LAN"
add address=192.168.88.YY list=Authorized comment="admin ipad/smartphone on LAN WIFI"


/ip firewall filter
.....
add action=accept chain=input comment="allow admin access" log=yes \
src-address-list=Authorized
add action=accept chain=input comment="allow WireGuard" dst-port=13231 log=\
yes protocol=udp
add action=accept chain=input comment="user/device services" dst-port=53 \
protocol=udp in-interface-list=LAN
add action=accept chain=input comment="user/device services" dst-port=53 \
protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="drop all else"

..........

REMOVE THE FOLLOWING ENTRIES in the forward chain that are NOT required!

(1) You do not want admin to access local internet
add action=accept chain=forward comment="wg admin access for internet" \
out-interface-list=WAN src-address=10.10.0.2 src-address-list=""


(2) I have noted removing this too many times already why is it still here?
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN


+++++++++++++++++++++++++++++++++++

Results:
a. No wireguard clients will have access to the internet through the local router.
b. Only Admin will be able to access router for configuration purposes.
c. All wireguard clients will be able to access NAS.

What has nothing to do with the router configuration is how your remote client devices handle WireGuard and internet access local to the device. That is a capability resident in the OS of the device etc., and has nothing to do with WireGuard processing or the router.
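To see why rule order delivers results a, b and c above, here is a small first-match model of the input and forward chains as anav lays them out. This is an added example, not code from the thread or from MikroTik: it assumes the interface lists (bridge = LAN, ether1 = WAN), the NAS at 192.168.88.254 and the WGTunnel interface from abhi8569's export, and uses 192.168.88.20/.30/.50 and 203.0.113.10 as constructed stand-ins for the 192.168.88.XX placeholders and an internet host. The defconf fasttrack and IPsec rules are left out because they cannot match a new, non-IPsec connection.

```python
"""First-match evaluator for the RouterOS firewall chains suggested in this thread.

Added example; not the poster's or MikroTik's code.  Only new connections are
traced, which is the case the "drop all else" rules are there to decide.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

INTERFACE_LISTS = {"LAN": {"bridge"}, "WAN": {"ether1"}}               # from the posted config
ADDRESS_LISTS = {"Authorized": ["10.10.0.2/32", "192.168.88.20/32"]}   # .20 = constructed admin laptop
NAS = "192.168.88.254"                                                  # NAS address in abhi8569's export


@dataclass
class Packet:
    chain: str                       # "input" (to the router) or "forward" (through it)
    src: str
    dst: str
    protocol: str = "tcp"
    dst_port: Optional[int] = None
    in_interface: Optional[str] = None
    out_interface: Optional[str] = None
    connection_state: str = "new"
    connection_nat_state: str = ""   # "dstnat" once a dst-nat rule has rewritten the packet


def _in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


@dataclass
class Rule:
    chain: str
    action: str
    comment: str = ""
    m: dict = field(default_factory=dict)   # matcher keys mirror the RouterOS property names

    def matches(self, p: Packet) -> bool:
        m = self.m
        return all([
            p.chain == self.chain,
            "connection_state" not in m or p.connection_state in m["connection_state"],
            "protocol" not in m or p.protocol == m["protocol"],
            "dst_port" not in m or p.dst_port == m["dst_port"],
            "in_interface" not in m or p.in_interface == m["in_interface"],
            "in_interface_list" not in m or p.in_interface in INTERFACE_LISTS[m["in_interface_list"]],
            "out_interface_list" not in m or p.out_interface in INTERFACE_LISTS[m["out_interface_list"]],
            "src_address" not in m or _in_any(p.src, [m["src_address"]]),
            "dst_address" not in m or _in_any(p.dst, [m["dst_address"]]),
            "src_address_list" not in m or _in_any(p.src, ADDRESS_LISTS[m["src_address_list"]]),
            "connection_nat_state" not in m or p.connection_nat_state == m["connection_nat_state"],
        ])


# Same order as anav's final input and forward chains.
RULES = [
    Rule("input", "accept", "accept established,related,untracked",
         {"connection_state": ("established", "related", "untracked")}),
    Rule("input", "drop", "drop invalid", {"connection_state": ("invalid",)}),
    Rule("input", "accept", "accept ICMP", {"protocol": "icmp"}),
    Rule("input", "accept", "allow admin access", {"src_address_list": "Authorized"}),
    Rule("input", "accept", "allow WireGuard", {"protocol": "udp", "dst_port": 13231}),
    Rule("input", "accept", "user/device services", {"protocol": "udp", "dst_port": 53, "in_interface_list": "LAN"}),
    Rule("input", "accept", "user/device services", {"protocol": "tcp", "dst_port": 53, "in_interface_list": "LAN"}),
    Rule("input", "drop", "drop all else"),
    Rule("forward", "accept", "accept established,related,untracked",
         {"connection_state": ("established", "related", "untracked")}),
    Rule("forward", "drop", "drop invalid", {"connection_state": ("invalid",)}),
    Rule("forward", "accept", "LAN to WAN", {"in_interface_list": "LAN", "out_interface_list": "WAN"}),
    Rule("forward", "accept", "port forwarding", {"connection_nat_state": "dstnat"}),
    Rule("forward", "accept", "access to NAS", {"in_interface": "WGTunnel", "dst_address": NAS}),
    Rule("forward", "drop", "drop all else"),
]


def evaluate(p: Packet) -> tuple:
    """Return (action, comment) of the first matching rule; RouterOS accepts if none match."""
    for r in RULES:
        if r.matches(p):
            return r.action, r.comment
    return "accept", "(no rule matched: implicit accept)"


# Constructed scenarios; 10.10.0.3 is a non-admin WireGuard peer, 10.10.0.2 the admin.
def wg_user_to_nas():          # result c
    return evaluate(Packet("forward", "10.10.0.3", NAS, "tcp", 445, "WGTunnel", "bridge"))

def wg_user_to_internet():     # result a
    return evaluate(Packet("forward", "10.10.0.3", "203.0.113.10", "tcp", 443, "WGTunnel", "ether1"))

def wg_user_to_other_lan_host():   # the original "NAS only" requirement
    return evaluate(Packet("forward", "10.10.0.3", "192.168.88.30", "tcp", 22, "WGTunnel", "bridge"))

def wg_admin_to_router():      # result b, admin side
    return evaluate(Packet("input", "10.10.0.2", "10.10.0.1", "tcp", 8291, "WGTunnel"))

def wg_user_to_router():       # result b, non-admin side
    return evaluate(Packet("input", "10.10.0.3", "10.10.0.1", "tcp", 8291, "WGTunnel"))

def lan_dns_to_router():       # LAN devices keep DNS on the router
    return evaluate(Packet("input", "192.168.88.50", "192.168.88.1", "udp", 53, "bridge"))


if __name__ == "__main__":
    for f in (wg_user_to_nas, wg_user_to_internet, wg_user_to_other_lan_host,
              wg_admin_to_router, wg_user_to_router, lan_dns_to_router):
        print(f"{f.__name__:28s} -> {f()}")
```

The point the model makes visible: because RouterOS accepts anything no rule matched, the explicit "drop all else" at the end of each chain is what turns the accept rules above it into an allow-list. Remove it, or leave the old "drop all from WAN not DSTNATed" in its place, and a WireGuard user's packet to another LAN host or to the internet falls through to the implicit accept.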
 
abhi8569
just joined
Topic Author
Posts: 18
Joined: Thu Sep 14, 2023 12:03 pm

Re: Wireguard VPN Setup to access NAS behind Microtik

Tue Sep 26, 2023 4:30 pm

Only devices that are connected locally to Microtik are admin devices. All other devices are connected to ISP router. Hence there is no issue having admin access to all local devices(192.168.88.xxx) connected to Microtik router.
What has nothing to do with the router configuration is how your remote client devices handle WireGuard and internet access local to the device. That is a capability resident in the OS of the device etc., and has nothing to do with WireGuard processing or the router.
Thank you! I'll check if there is something needed to change on the Wireguard Client.

Once I am back home, I'll do the config changes and let you know the updates.
 
anav
Forum Guru
Posts: 23393
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN Setup to access NAS behind Microtik

Tue Sep 26, 2023 5:38 pm

Got it, I didn't understand there was another upstream router at play.
 
abhi8569
just joined
Topic Author
Posts: 18
Joined: Thu Sep 14, 2023 12:03 pm

Re: Wireguard VPN Setup to access NAS behind Microtik

Sat Oct 07, 2023 12:39 pm

Sorry for the late response, I have been busy with a lot of stuff.

Now everything is working perfectly fine. I had to change the allowed address on VPN client from 0.0.0.0/0 to 192.168.88.254 to make internet traffic pass through the client's own network.

Thanks a lot for your time and effort :)
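The client-side AllowedIPs change that fixed it is WireGuard's cryptokey routing, and it works the same way on the router's side of the tunnel. The following is an added example, not code from the thread or from WireGuard/MikroTik: it models both decisions, assuming the two client AllowedIPs settings abhi8569 tried and the three peer allowed-address entries from the router export (peer names are constructed, 203.0.113.10 is a constructed public host).

```python
"""WireGuard cryptokey routing on both ends of the tunnel discussed in this thread.

Added example; not code from the thread.  On the client, AllowedIPs decides
which destinations enter the tunnel (0.0.0.0/0 = full tunnel, a /32 = split
tunnel).  On the router, each peer's allowed-address decides which inner
source addresses are accepted from that key at all.
"""
import ipaddress

FULL_TUNNEL = ["0.0.0.0/0"]                 # the client setting that sent YouTube through the tunnel
NAS_ONLY = ["192.168.88.254/32"]            # the setting that fixed it
# Router peers from abhi8569's /interface wireguard peers (public keys omitted, names constructed).
ROUTER_PEERS = {"admin": "10.10.0.2/32", "family-1": "10.10.0.3/32", "family-2": "10.10.0.4/32"}
SAMPLE_DESTINATIONS = ["192.168.88.254", "10.10.0.1", "203.0.113.10"]   # NAS, router's WG address, public host


def longest_match(addr: str, prefixes):
    """Most specific prefix containing addr, or None (the cryptokey routing lookup)."""
    ip = ipaddress.ip_address(addr)
    hits = [ipaddress.ip_network(p) for p in prefixes if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def client_path(dst: str, allowed_ips) -> str:
    """Client side: 'tunnel' if dst is covered by the peer's AllowedIPs, else 'local'."""
    return "tunnel" if longest_match(dst, allowed_ips) is not None else "local"


def classify(destinations, allowed_ips) -> dict:
    return {d: client_path(d, allowed_ips) for d in destinations}


def router_accepts_from_peer(peer: str, src: str) -> bool:
    """Router side: a decrypted packet from `peer` is accepted only if its inner source
    lies in that peer's allowed-address; otherwise the interface drops it before
    /ip firewall ever sees it, so a src-address match on 10.10.0.2 is bound to the admin key."""
    return longest_match(src, [ROUTER_PEERS[peer]]) is not None


def router_peer_for(dst: str):
    """Router side: which peer (key) a packet towards dst is encrypted for, if any."""
    for name, prefix in ROUTER_PEERS.items():
        if longest_match(dst, [prefix]) is not None:
            return name
    return None


if __name__ == "__main__":
    print("full tunnel:", classify(SAMPLE_DESTINATIONS, FULL_TUNNEL))
    print("NAS only:   ", classify(SAMPLE_DESTINATIONS, NAS_ONLY))
    print("family-1 claiming 10.10.0.2 accepted?", router_accepts_from_peer("family-1", "10.10.0.2"))
```

One caveat that follows from the model: with AllowedIPs limited to 192.168.88.254/32, the router's own addresses (10.10.0.1, 192.168.88.1) are also classified "local" on the client, so the admin profile needs those prefixes listed as well if Winbox over the tunnel is still wanted.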
 
esj
just joined
Posts: 22
Joined: Fri Feb 17, 2023 5:54 pm

Re: Wireguard VPN Setup to access NAS behind Microtik

Tue Oct 10, 2023 9:40 am

Hi abhi.

Could you post your final working config please. I’m looking to achieve the same, but with Wireguard dial in users passing all their internet traffic through the VPN too.

Many thanks
 
llamajaja
Member Candidate
Posts: 275
Joined: Sat Sep 30, 2023 3:11 pm

Re: Wireguard VPN Setup to access NAS behind Microtik

Tue Oct 10, 2023 6:26 pm

Sorry for the late response, been busy with lot of stuffs.

Now everything is working perfectly fine. I had to change the allowed address on VPN client from 0.0.0.0/0 to 192.168.88.254 to make internet traffic pass through the client's own network.

Thanks a lot for your time and effort :)
No worries, that has nothing to do with the Mikrotik setup and everything to do with the device the client is using and its limitations, be it Windows, Android, Linux or iOS.