Centurio3
just joined
Topic Author
Posts: 4
Joined: Fri Nov 03, 2023 10:39 pm

WireGuard config trouble with Fritzbox #portforwarding #VLAN #FW pls help me

Fri Nov 03, 2023 11:44 pm

Hi guys,

I do not have a computer science degree and thus spent hours (24 maybe) to set up the first MikroTik device as I imagined, and started over countless times. However, after the steep learning curve and following the docs, especially the FW part, the setup works quite well. Although I am not sure if it is flawless, especially the management part. But the reason why I open this post after reading quietly for a while is the WireGuard setup. I again tried for over 4 hours, but cannot set up a connection, nor trace the error...

It is always asked, so I provide the config (/export hide-sensitive) and an easily made netplan in advance.

Goal:
Connect trusted devices from the WAN with WireGuard to my VLAN10, as if I were at home. The IP is dynamic, but no worry if it changes once a month.

Problems:
ISP router has no monitoring options. I "think" port forwarding works.
Until now I think only requests arrive at the WireGuard interface. But I do not see any drops summing up in the firewall section.

Options:
Eliminate obvious security problems
Eliminate errors
Create an "untrusted" peer who can temporarily access a particular server or NAS in VLAN20 or 30.

Note:
With all the testing done in the last hours, there could be misplaced or unneeded FW rules in place. But for now, I will not make any changes, to have the setup as described. Backup done.

# nov/03/2023 21:43:44 by RouterOS 7.7
# software id = **ELIDED**
#
# model = RB4011iGS+5HacQ2HnD
# serial number = **ELIDED**
/interface bridge
add ingress-filtering=no name=vlan-bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="2 FritzBox"
set [ find default-name=ether2 ] comment="CRS326 Uplink"
set [ find default-name=ether3 ] comment="CRS326 Reserve"
set [ find default-name=ether4 ] comment=Teufel
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-vpn
/interface vlan
add interface=vlan-bridge name=vlan1 vlan-id=1
add comment=Office interface=vlan-bridge name=vlan10 vlan-id=10
add comment=IoT interface=vlan-bridge name=vlan20 vlan-id=20
add comment="Guest WiFi only" interface=vlan-bridge name=vlan30 vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    office supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=guest \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=IoT \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    Management supplicant-identity=""
/interface wireless
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-eC \
    country=switzerland disabled=no frequency=auto hide-ssid=yes \
    installation=indoor mode=ap-bridge multicast-helper=full name=WLan_2Ghz \
    radio-name=2GHz security-profile=office ssid=T15 vlan-id=10 vlan-mode=\
    use-tag wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan1 ] band=5ghz-n/ac channel-width=20/40/80mhz-XXXX \
    country=switzerland disabled=no frequency=auto hide-ssid=yes mode=\
    ap-bridge multicast-helper=full name=WLan_5Ghz radio-name=5GHz \
    secondary-frequency=auto security-profile=office ssid=T15 vlan-id=10 \
    vlan-mode=use-tag wireless-protocol=802.11 wps-mode=disabled
add disabled=no hide-ssid=yes mac-address=**ELIDED** master-interface=\
    WLan_2Ghz multicast-helper=full name=guest_2Ghz security-profile=guest \
    ssid=Guest vlan-id=30 vlan-mode=use-tag wps-mode=disabled
add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=**ELIDED**\
    master-interface=WLan_5Ghz multicast-buffering=disabled \
    multicast-helper=full name=guest_5Ghz security-profile=guest ssid=Guest \
    vlan-id=30 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=**ELIDED**\
    master-interface=WLan_2Ghz multicast-buffering=disabled \
    name=IoT security-profile=IoT ssid=IoT vlan-id=20 vlan-mode=use-tag \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=**ELIDED**\
    master-interface=WLan_2Ghz multicast-buffering=disabled \
    name=Management security-profile=Management ssid=chef vlan-mode=use-tag \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip pool
add name=pool1 ranges=192.168.1.100-192.168.1.200
add name=pool10 ranges=192.168.10.10-192.168.10.200
add name=pool20 ranges=192.168.20.100-192.168.20.200
add name=pool30 ranges=192.168.30.100-192.168.30.200
/ip dhcp-server
add address-pool=pool1 interface=vlan1 lease-script="# DNS TTL to set for DNS \
    entries\r\
    \n:local dnsttl \"00:15:00\";\r\
    \n\r\
    \n###\r\
    \n# Script entry point\r\
    \n#\r\
    \n# Expected environment variables:\r\
    \n# leaseBound         1 = lease bound, 0 = lease removed\r\
    \n# leaseServerName    Name of DHCP server\r\
    \n# leaseActIP         IP address of DHCP client\r\
    \n# leaseActMAC        MAC address of DHCP client\r\
    \n###\r\
    \n\r\
    \n:local scriptName \"dhcp2dns\"\r\
    \n:do {\r\
    \n  :local scriptObj [:parse [/system script get \$scriptName source]]\r\
    \n  \$scriptObj leaseBound=\$leaseBound leaseServerName=\$leaseServerName \
    leaseActIP=\$leaseActIP leaseActMAC=\$leaseActMAC\r\
    \n} on-error={ :log warning \"DHCP server '\$leaseServerName' lease script\
    \_error\" };\r\
    \n\r\
    \n# \"a.b.c.d\" -> \"a-b-c-d\" for IP addresses used as replacement for mi\
    ssing host names\r\
    \n:local ip2Host do=\\\r\
    \n{\r\
    \n  :local outStr\r\
    \n  :for i from=0 to=([:len \$inStr] - 1) do=\\\r\
    \n  {\r\
    \n    :local tmp [:pick \$inStr \$i];\r\
    \n    :if (\$tmp =\".\") do=\\\r\
    \n    {\r\
    \n      :set tmp \"-\"\r\
    \n    }\r\
    \n    :set outStr (\$outStr . \$tmp)\r\
    \n  }\r\
    \n  :return \$outStr\r\
    \n}\r\
    \n\r\
    \n:local mapHostName do={\r\
    \n# param: name\r\
    \n# max length = 63\r\
    \n# allowed chars a-z,0-9,-\r\
    \n  :local allowedChars \"abcdefghijklmnopqrstuvwxyz0123456789-\";\r\
    \n  :local numChars [:len \$name];\r\
    \n  :if (\$numChars > 63) do={:set numChars 63};\r\
    \n  :local result \"\";\r\
    \n\r\
    \n  :for i from=0 to=(\$numChars - 1) do={\r\
    \n    :local char [:pick \$name \$i];\r\
    \n    :if ([:find \$allowedChars \$char] < 0) do={:set char \"-\"};\r\
    \n    :set result (\$result . \$char);\r\
    \n  }\r\
    \n  :return \$result;\r\
    \n}\r\
    \n\r\
    \n:local lowerCase do={\r\
    \n# param: entry\r\
    \n  :local lower \"abcdefghijklmnopqrstuvwxyz\";\r\
    \n  :local upper \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\r\
    \n  :local result \"\";\r\
    \n  :for i from=0 to=([:len \$entry] - 1) do={\r\
    \n    :local char [:pick \$entry \$i];\r\
    \n    :local pos [:find \$upper \$char];\r\
    \n    :if (\$pos > -1) do={:set char [:pick \$lower \$pos]};\r\
    \n    :set result (\$result . \$char);\r\
    \n  }\r\
    \n  :return \$result;\r\
    \n}\r\
    \n\r\
    \n:local token \"\$leaseServerName-\$leaseActMAC\";\r\
    \n:local LogPrefix \"DHCP2DNS (\$leaseServerName)\"\r\
    \n\r\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do=\\\r\
    \n{\r\
    \n  :log error \"\$LogPrefix: empty lease address\"\r\
    \n  :error \"empty lease address\"\r\
    \n}\r\
    \n\r\
    \n:if ( \$leaseBound = 1 ) do=\\\r\
    \n{\r\
    \n  # new DHCP lease added\r\
    \n  /ip dhcp-server\r\
    \n  #:local dnsttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
    \n  network\r\
    \n  :local domain [ get [ find \$leaseActIP in address ] domain ]\r\
    \n  #:log info \"\$LogPrefix: DNS domain is \$domain\"\r\
    \n\r\
    \n  :local hostname [/ip dhcp-server lease get [:pick [find mac-address=\$\
    leaseActMAC and server=\$leaseServerName] 0] value-name=host-name]\r\
    \n  #:log info \"\$LogPrefix: DHCP hostname is \$hostname\"\r\
    \n\r\
    \n #Hostname cleanup\r\
    \n  :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :set hostname [ \$ip2Host inStr=\$leaseActIP ]\r\
    \n    :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using ge\
    nerated host name '\$hostname'\"\r\
    \n  }\r\
    \n  :set hostname [\$lowerCase entry=\$hostname]\r\
    \n  :set hostname [\$mapHostName name=\$hostname]\r\
    \n  #:log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\r\
    \n\r\
    \n  :if ( [ :len \$domain ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', can\
    not create static DNS name\"\r\
    \n    :error \"Empty domainname for '\$leaseActIP'\"\r\
    \n  }\r\
    \n\r\
    \n  :local fqdn (\$hostname . \".\" .  \$domain)\r\
    \n  #:log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\r\
    \n\r\
    \n    :if ([/ip dhcp-server lease get [:pick [find mac-address=\$leaseActM\
    AC and server=\$leaseServerName] 0] ]) do={\r\
    \n      # :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\r\
    \n      :do {\r\
    \n        /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl\
    \_comment=\$token;\r\
    \n      } on-error={:log error message=\"\$LogPrefix: Failure during dns r\
    egistration of \$fqdn with \$leaseActIP\"}\r\
    \n    }\r\
    \n\r\
    \n} else={\r\
    \n# DHCP lease removed\r\
    \n  /ip dns static remove [find comment=\$token];\r\
    \n} " name=server1
add address-pool=pool10 interface=vlan10 name=server2
add address-pool=pool20 interface=vlan20 name=server3
add address-pool=pool30 interface=vlan30 name=server4
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=vlan-bridge comment="Uplink Switch" interface=ether2
add bridge=vlan-bridge comment="Reserve Uplink Switch" interface=ether3
add bridge=vlan-bridge comment=Pihole interface=ether4
add bridge=vlan-bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8 pvid=20
add bridge=vlan-bridge interface=ether9 pvid=20
add bridge=vlan-bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether7 pvid=10
add bridge=vlan-bridge frame-types=admit-only-vlan-tagged interface=WLan_2Ghz \
    pvid=10
add bridge=vlan-bridge frame-types=admit-only-vlan-tagged interface=WLan_5Ghz \
    pvid=10
add bridge=vlan-bridge frame-types=admit-only-vlan-tagged interface=IoT pvid=\
    20
add bridge=vlan-bridge frame-types=admit-only-vlan-tagged interface=\
    guest_2Ghz pvid=30
add bridge=vlan-bridge interface=guest_5Ghz pvid=30
add bridge=vlan-bridge frame-types=admit-only-vlan-tagged interface=\
    Management
/ip settings
set rp-filter=strict tcp-syncookies=yes
/interface bridge vlan
add bridge=vlan-bridge tagged=vlan-bridge,ether2 untagged=ether4 vlan-ids=1
add bridge=vlan-bridge tagged=\
    vlan-bridge,ether2,ether3,WLan_2Ghz,WLan_5Ghz,ether4 vlan-ids=10
add bridge=vlan-bridge tagged=vlan-bridge,ether2,ether3,IoT,ether4 vlan-ids=\
    20
add bridge=vlan-bridge tagged=vlan-bridge,ether2,ether3,guest_2Ghz,guest_5Ghz \
    vlan-ids=30
/interface list member
add comment=defconf interface=vlan20 list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=vlan10 list=LAN
add comment=defconf interface=vlan30 list=LAN
add interface=vlan1 list=LAN
add interface=WLan_5Ghz list=LAN
add interface=WLan_2Ghz list=LAN
add interface=guest_2Ghz list=LAN
add interface=guest_5Ghz list=LAN
add interface=IoT list=LAN
add interface=Management list=LAN
add interface=wireguard-vpn list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.40.2/32 comment="Pixel 6" interface=wireguard-vpn \
    public-key="Fo1HOsr9lDLhLToYHc41JIDZh6yOlOh0zLl7OfuyelE="
/ip address
add address=192.168.178.2/24 interface=ether1 network=192.168.178.0
add address=192.168.1.1/24 interface=vlan1 network=192.168.1.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
add address=192.168.40.1/24 interface=wireguard-vpn network=192.168.40.0
/ip dhcp-server lease
add address=192.168.20.199 comment="SMA 9kW" mac-address=**ELIDED** \
    server=server3
add address=192.168.20.198 client-id=1:0:40:ad:b0:77:b0 comment="SMA SBS 3.6" \
    mac-address=**ELIDED** server=server3
add address=192.168.20.197 client-id=1:a8:3:2a:31:5f:ff comment=\
    "Thinkerforge Warp2 Smart Ladestation" mac-address=**ELIDED** \
    server=server3
add address=192.168.20.196 client-id=1:0:d0:93:49:ca:73 comment=Homemanager \
    mac-address=**ELIDED** server=server3
add address=192.168.20.195 comment="SMA 15kW" mac-address=**ELIDED** \
    server=server3
add address=192.168.10.200 client-id=1:0:50:b6:b5:1c:12 comment=X13 \
    mac-address=**ELIDED** server=server2
add address=192.168.10.143 client-id=1:c0:bd:d1:b5:77:62 mac-address=**ELIDED** server=server2
add address=192.168.10.189 client-id=1:f0:9e:4a:7e:9:5f mac-address=**ELIDED** server=server2
add address=192.168.10.55 client-id=1:50:1e:2d:2d:9c:c4 comment="Teufel One" \
    mac-address=**ELIDED** server=server2
add address=192.168.20.192 client-id=1:2:81:85:aa:9a:87 comment=\
    "Multiplus II" mac-address=**ELIDED** server=server3
add address=192.168.10.49 client-id=1:ea:80:4e:1b:5b:22 mac-address=**ELIDED** server=server2
add address=192.168.10.43 client-id=\
    ff:5d:e2:6c:15:0:2:0:0:ab:11:3a:83:32:50:46:6a:ed:4f mac-address=**ELIDED**\
    server=server2
add address=192.168.10.50 client-id=1:48:8f:5a:8:ac:a7 comment=\
    "Switch CRS326" mac-address=**ELIDED** server=server2
add address=192.168.10.36 client-id=1:3c:7c:3f:26:95:8b mac-address=**ELIDED**\
    server=server2
add address=192.168.10.159 client-id=1:2:a:12:73:41:fe comment="iPhone Caro" \
    mac-address=**ELIDED** server=server2
add address=192.168.20.190 client-id=1:34:ea:e7:6:a0:41 comment=\
    "P1 Meter BKW Z\E4hler" mac-address=**ELIDED** server=server3
add address=192.168.20.188 comment="Shelly 1PM (PM2)" mac-address=\
    **ELIDED** server=server3
add address=192.168.10.16 client-id=1:f6:b8:82:4:2f:4d comment=Pixel \
    mac-address=**ELIDED** server=server2
add address=192.168.10.13 client-id=1:bc:e6:3f:f:82:86 mac-address=**ELIDED** server=server2
add address=192.168.10.19 client-id=1:c4:12:34:c:b3:f5 mac-address=**ELIDED** server=server2
add address=192.168.10.35 client-id=\
    ff:e4:3a:18:f0:0:2:0:0:ab:11:93:b7:c:7:70:43:4b:c8 mac-address=**ELIDED** server=server2
add address=192.168.20.186 client-id=1:2:e6:2c:ae:b:f3 comment=S19k \
    mac-address=**ELIDED** server=server3
add address=192.168.20.181 client-id=1:e4:5f:1:2b:82:ff mac-address=**ELIDED** server=server3
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.100,1.1.1.1 domain=vlan1.home \
    gateway=192.168.1.1 netmask=24 ntp-server=195.176.26.204
add address=192.168.10.0/24 dns-server=192.168.1.100,1.1.1.1 domain=\
    vlan10.home gateway=192.168.10.1 netmask=24 ntp-server=195.176.26.204
add address=192.168.20.0/24 dns-server=192.168.1.100,1.1.1.1 domain=\
    vlan20.home gateway=192.168.20.1 netmask=24 ntp-server=195.176.26.204
add address=192.168.30.0/24 dns-server=192.168.1.100,1.1.1.1 domain=\
    vlan30.home gateway=192.168.30.1 netmask=24 ntp-server=195.176.26.204
/ip dns
set cache-max-ttl=1d max-concurrent-queries=400 max-concurrent-tcp-sessions=\
    100 servers=192.168.1.100,1.1.1.1
/ip dns static
add address=192.168.1.110 comment=server2-02:47:D4:8E:24:35 name=\
    192-168-1-110.vlan1.home ttl=15m
add address=192.168.1.111 comment=server2-F6:27:44:E3:4B:16 name=\
    192-168-1-111.vlan1.home ttl=15m
add address=192.168.1.112 comment=server2-F2:16:1F:10:31:41 name=\
    192-168-1-112.vlan1.home ttl=15m
add address=192.168.1.130 comment=server2-92:62:F2:AC:75:4B name=\
    192-168-1-130.vlan1.home ttl=15m
add address=192.168.1.131 comment=server2-32:DA:B0:CE:B9:F1 name=\
    192-168-1-131.vlan1.home ttl=15m
add address=192.168.1.132 comment=server2-0E:EA:BF:6A:4E:35 name=\
    192-168-1-132.vlan1.home ttl=15m
add address=192.168.1.133 comment=server2-7A:2B:F9:47:A3:14 name=\
    192-168-1-133.vlan1.home ttl=15m
add address=192.168.1.134 comment=server2-12:41:E3:47:51:B0 name=\
    192-168-1-134.vlan1.home ttl=15m
add address=192.168.1.135 comment=server2-EE:E7:80:4D:A9:A8 name=\
    192-168-1-135.vlan1.home ttl=15m
add address=192.168.1.136 comment=server2-BE:99:09:2F:54:E9 name=\
    192-168-1-136.vlan1.home ttl=15m
add address=192.168.1.137 comment=server2-FE:30:F8:CA:C0:C9 name=\
    192-168-1-137.vlan1.home ttl=15m
add address=192.168.1.138 comment=server2-42:6D:14:0A:CB:C2 name=\
    192-168-1-138.vlan1.home ttl=15m
add address=192.168.1.139 comment=server2-4A:6B:BA:AE:65:FF name=\
    192-168-1-139.vlan1.home ttl=15m
add address=192.168.1.140 comment=server2-3A:49:04:F9:5B:C9 name=\
    192-168-1-140.vlan1.home ttl=15m
add address=192.168.1.141 comment=server2-8A:53:75:23:90:66 name=\
    192-168-1-141.vlan1.home ttl=15m
add address=192.168.1.142 comment=server2-2E:18:F6:3E:D3:21 name=\
    192-168-1-142.vlan1.home ttl=15m
add address=192.168.1.143 comment=server2-5E:83:BB:74:38:1D name=\
    192-168-1-143.vlan1.home ttl=15m
add address=192.168.1.144 comment=server2-7A:73:D5:5A:DB:43 name=\
    192-168-1-144.vlan1.home ttl=15m
add address=192.168.1.145 comment=server2-3A:E4:34:C1:54:05 name=\
    192-168-1-145.vlan1.home ttl=15m
add address=192.168.1.146 comment=server2-9E:58:37:23:55:69 name=\
    192-168-1-146.vlan1.home ttl=15m
add address=192.168.1.147 comment=server2-1A:32:21:41:9A:51 name=\
    192-168-1-147.vlan1.home ttl=15m
add address=192.168.1.148 comment=server2-CE:09:A2:C3:E4:D5 name=\
    192-168-1-148.vlan1.home ttl=15m
add address=192.168.1.149 comment=server2-8E:4D:C1:7A:64:91 name=\
    192-168-1-149.vlan1.home ttl=15m
add address=192.168.1.150 comment=server2-12:D7:27:1D:E0:9F name=\
    192-168-1-150.vlan1.home ttl=15m
add address=192.168.1.151 comment=server2-AE:FC:C3:B4:92:61 name=\
    192-168-1-151.vlan1.home ttl=15m
add address=192.168.1.152 comment=server2-32:44:B4:24:6C:51 name=\
    192-168-1-152.vlan1.home ttl=15m
add address=192.168.20.199 comment=server3-00:40:AD:99:22:A3 name=\
    192-168-20-199.vlan20.home ttl=15m
add address=192.168.20.197 comment=server3-A8:03:2A:31:5F:FF name=\
    warp2.vlan20.home ttl=15m
add address=192.168.20.195 comment=server3-00:40:AD:AD:41:EE name=\
    192-168-20-195.vlan20.home ttl=15m
add address=192.168.10.50 comment=server2-48:8F:5A:08:AC:A7 name=\
    mikrotik.vlan10.home ttl=15m
add address=192.168.10.49 comment=server2-EA:80:4E:1B:5B:22 name=\
    galaxy-tab-s6-lite.vlan10.home ttl=15m
add address=192.168.10.55 comment=server2-50:1E:2D:2D:9C:C4 name=\
    192-168-10-55.vlan10.home ttl=15m
add address=192.168.20.198 comment=server3-00:40:AD:B0:77:B0 name=\
    sma3009917376.vlan20.home ttl=15m
add address=192.168.20.196 comment=server3-00:D0:93:49:CA:73 name=\
    sma3004913685.vlan20.home ttl=15m
add address=192.168.10.159 comment=server2-02:0A:12:73:41:FE name=\
    192-168-10-159.vlan10.home ttl=15m
add address=192.168.20.200 comment=server3-C0:41:F6:1F:05:7D name=\
    192-168-20-200.vlan20.home ttl=15m
add address=192.168.10.189 comment=server2-F0:9E:4A:7E:09:5F name=\
    spcclt-007.vlan10.home ttl=15m
add address=192.168.30.155 comment=server4-94:44:44:89:06:F9 name=\
    192-168-30-155.vlan30.home ttl=15m
/ip firewall address-list
add address=192.168.1.0-192.168.10.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" disabled=yes list=\
    not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" disabled=yes list=\
    bad_dst_ipv4
add address=192.168.10.0/24 comment=trusted list=vlan10
add address=192.168.20.0/24 comment=untrusted list=vlan20
add address=192.168.30.0/24 comment=untrusted list=vlan30
/ip firewall filter
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    192.168.40.0/24
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input in-interface=wireguard-vpn log-prefix="[FW]"
add action=accept chain=forward comment="VPN -> LAN | Netzwerkzugriff" \
    in-interface=wireguard-vpn log=yes log-prefix="[FW]" out-interface=ether1
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input log-prefix="[drop]"
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward dst-address-list=vlan20 src-address-list=\
    vlan10
add action=accept chain=forward dst-address-list=vlan30 src-address-list=\
    vlan10
add action=accept chain=forward comment="warp charger to evcc" dst-address=\
    192.168.10.35 src-address=192.168.20.197
add action=drop chain=forward dst-address-list=vlan10 src-address-list=vlan20
add action=drop chain=forward dst-address-list=vlan10 src-address-list=vlan30
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes dst-port=13231 out-interface=\
    vlan20 protocol=udp to-addresses=192.168.40.1
add action=accept chain=srcnat comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" log-prefix=\
    "[nat]" out-interface-list=WAN
/ip firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
    udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" dst-address=192.168.1.0/24 \
    in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" in-interface=\
    vlan-bridge in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.178.1 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet address=192.168.0.0/16 disabled=yes
set ftp address=192.168.0.0/16 disabled=yes
set www address=192.168.0.0/16 disabled=yes
set ssh address=192.168.0.0/16 port=2200
set www-ssl address=192.168.0.0/16 certificate=webfig disabled=no
set api address=192.168.0.0/16 disabled=yes
set winbox address=192.168.0.0/16
set api-ssl address=192.168.0.0/16 certificate=MikroTik.local
/ip ssh
set host-key-size=4096 strong-crypto=yes
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=\
    bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
    ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Zurich
/system identity
set name=Router
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp11.metas.ch
add address=ntp12.metas.ch
add address=ntp13.metas.ch
/tool bandwidth-server
set enabled=no
/tool graphing interface
add allow-address=192.168.0.0/16
/tool graphing queue
add allow-address=192.168.0.0/16
/tool graphing resource
add allow-address=192.168.0.0/16
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
/tool romon
set enabled=yes

I am not out to only get the solution, but I am kind of desperate after spending that much time on (probably) such a small problem. In any case I will learn again :-)
Thank you a lot.
Marc
Last edited by Centurio3 on Sat Nov 11, 2023 12:51 pm, edited 2 times in total.
 
Centurio3
just joined
Topic Author
Posts: 4
Joined: Fri Nov 03, 2023 10:39 pm

Re: WireGuard config trouble with #portforwarding #VLAN #FW pls help me

Mon Nov 06, 2023 8:17 am

Hello all,

Did I make some mistake, or what is the reason nobody can help me? I especially added the configurations and a best-effort network map. This weekend I spent another 2 hours reading tutorials, but failed to establish a connection from my phone into my network...

Edit: It seems the problem is the double NAT. The FritzBox does NAT and the MikroTik does it again...
Last edited by Centurio3 on Mon Nov 06, 2023 9:55 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 23318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard config trouble with #portforwarding #VLAN #FW pls help me

Mon Nov 06, 2023 7:34 pm

Nice diagram!
So yes, to be able to use the MikroTik as a WireGuard server for the handshake, there must be a public IP in the mix.
In this case you need two conditions:
a. the FritzBox gets a public IP
b. you have access to the FritzBox, at least for port forwarding purposes.

If so, then you need to port forward the listening port (13321) to the LAN IP of the MT router on the Fritz private LAN.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Observations:
(1) Do not use vlan1; change it to VLAN11 (including ip address, ip dhcp-server, interface list member, vlan interface etc...)
(2) Since you are using normal wifi on your MT device, get rid of assigning vlans in the wifi setups.

viewtopic.php?t=143620

(3) Change to LOOSE and NO
/ip settings
set rp-filter=strict tcp-syncookies=yes

(4) Corrected interface list members!
/interface list member
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=vlan20 list=LAN
add comment=defconf interface=vlan10 list=LAN { covers both wired ports and WLANS }
add comment=defconf interface=vlan30 list=LAN { covers both guest wlans }
add interface=vlan11 list=LAN
add interface=IoT list=LAN
add interface=Management list=LAN
add interface=wireguard-vpn list=LAN


(5) Your firewall chain is disorganized, making it harder to read and spot errors.
Put all input chain rules together, and then all forward chain rules, etc....

Here is an example where lack of organization leads to perfectly good rules being made useless...
add action=drop chain=input log-prefix="[drop]"
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
protocol=icmp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN


How much LAN traffic do you think will be able to access router services for things like DNS?
Answer --> NONE, except for WireGuard traffic and of course the one subnet you identify with src-address-list=allowed_to_router

(6) You have duplication in your input chain rules..... (also the input chain ICMP allow rule is duplicated, but I'm getting tired of it really)
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
192.168.40.0/24
add action=accept chain=input in-interface=wireguard-vpn log-prefix="[FW]"


(7) Forward chain rules are also a mess...............

(8) An interface that is not an ether port or wlan port ??
add bridge=vlan-bridge frame-types=admit-only-vlan-tagged interface=\
Management


(9) Some work to do to illuminate where vlan1 is going?? and what it is used for..... now vlan11.........

(10) It would appear you have a Management interface list member but have not defined anywhere its origins; there is no vlan? or subnet?

(11) According to /interface bridge vlan, you have at least two hybrid ports caused by vlan1; changing this to VLAN11 would make sense if vlan11 is your management vlan.
So you would only have trunk ports to your switches etc.....

(12) What is the purpose of this rule ??????
add action=dst-nat chain=dstnat disabled=yes dst-port=13231 out-interface=\
vlan20 protocol=udp to-addresses=192.168.40.1


(13) First thing I would do is wean off raw rules, like all of them.

(14) Do you use IPv6? If not, simply disable it.


viewtopic.php?t=180838
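Observations (5) and (6) (rule order and duplicates), as an added example that is not anav's, MikroTik's or the poster's code: a small Python model of first-match evaluation over the input chain exactly as it appears in the posted /ip firewall filter export, run against constructed packets, reporting the deciding rule and the rules that can never be hit. It assumes RouterOS first-match semantics with the chain's default accept, and takes the LAN interface list and the allowed_to_router range from the export.

```python
"""First-match model of the posted RouterOS input chain (added example).

Assumptions: a chain is evaluated top to bottom, the first matching rule
decides, and a packet matching no rule is accepted (the chain default).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# From the export: /interface list member (LAN) and the address-list range
LAN_LIST = {"vlan1", "vlan10", "vlan20", "vlan30", "wireguard-vpn"}
ALLOWED_TO_ROUTER = (IPv4Address("192.168.1.0"), IPv4Address("192.168.10.254"))


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    proto: str                       # "udp", "tcp" or "icmp"
    dst_port: Optional[int] = None
    conn_state: str = "new"          # connection-tracking state


@dataclass(frozen=True)
class Rule:
    action: str                      # "accept" or "drop"
    comment: str = ""
    in_interface_list: Optional[str] = None   # "LAN" or "!LAN"
    in_interface: Optional[str] = None
    src_address: Optional[str] = None         # CIDR
    src_address_list: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    connection_state: frozenset = frozenset()

    def matchers(self):
        """Everything except action/comment; used to spot exact duplicates."""
        return (self.in_interface_list, self.in_interface, self.src_address,
                self.src_address_list, self.protocol, self.dst_port,
                self.connection_state)

    def is_catch_all(self) -> bool:
        """True when the rule has no matcher at all (hits every packet)."""
        return all(m is None or m == frozenset() for m in self.matchers())

    def matches(self, p: Packet) -> bool:
        if self.in_interface_list:
            want_lan = not self.in_interface_list.startswith("!")
            if (p.in_iface in LAN_LIST) != want_lan:
                return False
        if self.in_interface and p.in_iface != self.in_interface:
            return False
        if self.src_address and IPv4Address(p.src) not in IPv4Network(self.src_address):
            return False
        if self.src_address_list == "allowed_to_router":
            lo, hi = ALLOWED_TO_ROUTER
            if not lo <= IPv4Address(p.src) <= hi:
                return False
        if self.protocol and p.proto != self.protocol:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.connection_state and p.conn_state not in self.connection_state:
            return False
        return True


# The input chain in the order it appears in the posted export
POSTED_INPUT = [
    Rule("accept", "allow WireGuard traffic", src_address="192.168.40.0/24"),
    Rule("accept", "allow WireGuard", protocol="udp", dst_port=13231),
    Rule("accept", "", in_interface="wireguard-vpn"),
    Rule("accept", "default configuration",
         connection_state=frozenset({"established", "related"})),
    Rule("accept", "", src_address_list="allowed_to_router"),
    Rule("accept", "", protocol="icmp"),
    Rule("drop", "[drop]"),                                   # unconditional drop
    Rule("accept", "defconf: accept ICMP after RAW", protocol="icmp"),
    Rule("accept", "defconf: accept established,related,untracked",
         connection_state=frozenset({"established", "related", "untracked"})),
    Rule("drop", "defconf: drop all not coming from LAN", in_interface_list="!LAN"),
]

# Constructed traffic, not taken from the thread
SAMPLE_PACKETS = {
    "dns_from_vlan10": Packet("vlan10", "192.168.10.55", "udp", 53),
    "dns_from_vlan20": Packet("vlan20", "192.168.20.199", "udp", 53),
    "wg_handshake_from_wan": Packet("ether1", "203.0.113.7", "udp", 13231),
    "winbox_from_wan": Packet("ether1", "203.0.113.7", "tcp", 8291),
    "reply_to_vlan20": Packet("vlan20", "192.168.20.199", "udp", 53, "established"),
}


def evaluate(chain, p: Packet):
    """Return (action, index of the deciding rule); index None = chain default."""
    for i, rule in enumerate(chain):
        if rule.matches(p):
            return rule.action, i
    return "accept", None


def audit(chain=POSTED_INPUT):
    """Decision and deciding rule for every sample packet."""
    return {name: evaluate(chain, p) for name, p in SAMPLE_PACKETS.items()}


def unreachable_rules(chain):
    """Indices of rules that can never fire: anything after a catch-all rule,
    plus exact duplicates of an earlier rule's matchers."""
    dead, seen, blocked = [], set(), False
    for i, rule in enumerate(chain):
        if blocked or rule.matchers() in seen:
            dead.append(i)
        seen.add(rule.matchers())
        blocked = blocked or rule.is_catch_all()
    return dead


if __name__ == "__main__":
    for name, (action, idx) in audit().items():
        print(f"{name:24s} -> {action} by rule {idx}")
    print("rules that can never match:", unreachable_rules(POSTED_INPUT))
```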
 
Centurio3
just joined
Topic Author
Posts: 4
Joined: Fri Nov 03, 2023 10:39 pm

Re: WireGuard config trouble with #portforwarding #VLAN #FW pls help me

Sat Nov 11, 2023 12:50 pm

Hello forum god!

Thank you! Your extended answer teaches me a lot. I answer so late because I tried to figure out each point. So I will paste all your points, with my comment after each of your points.

WireGuard does (finally) work now. It was very tricky and related to the FritzBox. For all future users with a similar problem, I will make one more answer and mark it as the solution.


Observations:
(1) Do not use vlan1 change it to VLAN11 (including ip address, ip dhcp-server, interface list member, vlan interface etc...)
Done. From the beginning I have tried to install a management net. But after so many desperate hours failing to get this network working, I was out of mute… For a while I have used it to give my Pi-hole an address all devices can reach. But I guess here is much potential waiting (or wasted?)…

(2) SInce using normal wifi on your MT device get rid of assigning vlans in wifi setups.
Done. Cool, there is no traffic within one year > deleted.

viewtopic.php?t=143620

(3) Change to LOOSE and NO
/ip settings
set rp-filter=strict tcp-syncookies=yes

Done: I don't know why I have set them. Probably to harden the device:
Send out syncookies when the syn backlog queue of a socket overflows. This is to prevent against the common 'SYN flood attack'. syncookies seriously violate TCP protocol, do not allow to use TCP extensions, can result in serious degradation of some services (f.e. SMTP relaying), visible not by you, but your clients and relays, contacting you.
And:
The current recommended practice in RFC3704 is to enable strict mode to prevent IP spoofing from DDoS attacks. If using asymmetric routing or other complicated routing or VRRP, then the loose mode is recommended.
Warning: strict mode does not work with routing tables


(4) Corrected interface list members!
/interface list member
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=vlan20 list=LAN
add comment=defconf interface=vlan10 list=LAN { covers both wired ports and WLANS }
add comment=defconf interface=vlan30 list=LAN { covers both guest wlans }
add interface=vlan11 list=LAN
add interface=IoT list=LAN
add interface=Management list=LAN
add interface=wireguard-vpn list=LAN

Done. Deleted both WLan entries. IoT interface == VLAN20; this is already in the LAN list, as is the new VLAN11 alias Management.

(5) your firewall chain is disorganized making it harder to read and spot errors.
Put all input chain rules together and then all forward chain rules etc....

Here is an example where lack of organization leads to perfectly good rules made useless...
add action=drop chain=input log-prefix="[drop]"
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
protocol=icmp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN

How much LAN traffic do you think will be able to access Router Services for such things like DNS?
Answer --> NONE except for wireguard traffic and of course the one subnet you identify with this src-address-list=allowed_to_router

Hum… Yeah, after my crazy headless testing, the order became worse. So if I understand your example correctly, the orange rule breaks the whole setup. I have tried to put it in order now.


(6) You have duplication in your input chain rules..... ( also the input chain icmp allow rule is duplicated, but getting tired of it really)
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
192.168.40.0/24
add action=accept chain=input in-interface=wireguard-vpn log-prefix="[FW]"

You are totally right! In the meantime, I found one of the duplicates and removed it. However, I think exactly one of these rules should be the game changer. No? I deleted the second one now but left the one with 192.168.40.0/24 in place.

(7) Forward chain rules are also a mess...............

Done. Here I cleaned up all the WireGuard and duplicate stuff. Hope this will not cause me new problems. According to the docs (Building Advanced Firewall), it is not mentioned where to put the rule:
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
So I placed it over (before, lower number) this one:
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN


(8) An interface is not an ether port or wlan port ??
add bridge=vlan-bridge frame-types=admit-only-vlan-tagged interface=\
Management

OK. Here I changed from admit all to admit only VLAN tagged. Correct?

(9) Some work to do to illuminate where vlan1 is going?? and used for..... now vlan11.........

Good point. Does it make sense to use it for overlapping services like the Pi-hole? Or should I attach the Pi-hole to VLAN10 as it is the most used? Guests can have ads, and for IoT I don't care. So is there really a need for a management net in my small home setup?

(10) It would appear you have a Management interface list member but have not defined anywhere its origins, there is no vlan? or subnet?
It will be maybe the VLAN11 now…

(11) According to /interface bridge vlans, you have at least two hybrid ports caused by vlan1, changing this to VLAN11, would make senses if vlan11 is your management vlan.
So you would only have trunk ports to your switches etc.....
So much less complexity, then. I changed it to vlan11.

(12) What is the purpose of this rule ??????
add action=dst-nat chain=dstnat disabled=yes dst-port=13231 out-interface=\
vlan20 protocol=udp to-addresses=192.168.40.1
This originates from a tutorial which in the end did not work either. I should have deleted it before posting. Sorry for that.

(13) First thing I would do is wean off raw rules, like all of them.
Is there anything bad about them? They are in place because I followed the MikroTik documentation about the strict firewall. I mean, do they block the WireGuard setup?

(14) Do you use ipv6? if not simply disable it.
No. I had to research how, but now it is disabled.


Kind regards
centurio


Configuration as of today:
# nov/03/2023 21:43:44 by RouterOS 7.7
# software id = AA51
#
# model = RB4011iGS
# serial number = tralllala
/interface bridge
add ingress-filtering=no name=vlan-bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="2 FritzBox"
set [ find default-name=ether2 ] comment="CRS326 Uplink"
set [ find default-name=ether3 ] comment="CRS326 Reserve"
set [ find default-name=ether4 ] comment=Teufel
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-vpn
/interface vlan
add interface=vlan-bridge name=vlan1 vlan-id=1
add comment=Office interface=vlan-bridge name=vlan10 vlan-id=10
add comment=IoT interface=vlan-bridge name=vlan20 vlan-id=20
add comment="Guest WiFi only" interface=vlan-bridge name=vlan30 vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    office supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=guest \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=IoT \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    Management supplicant-identity=""
/interface wireless
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-eC \
    country=switzerland disabled=no frequency=auto hide-ssid=yes \
    installation=indoor mode=ap-bridge multicast-helper=full name=WLan_2Ghz \
    radio-name=2GHz security-profile=office ssid=T15 vlan-id=10 vlan-mode=\
    use-tag wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan1 ] band=5ghz-n/ac channel-width=20/40/80mhz-XXXX \
    country=switzerland disabled=no frequency=auto hide-ssid=yes mode=\
    ap-bridge multicast-helper=full name=WLan_5Ghz radio-name=5GHz \
    secondary-frequency=auto security-profile=office ssid=T15 vlan-id=10 \
    vlan-mode=use-tag wireless-protocol=802.11 wps-mode=disabled
add disabled=no hide-ssid=yes mac-address=2E:C8:1B:BD:96:F2 master-interface=\
    WLan_2Ghz multicast-helper=full name=guest_2Ghz security-profile=guest \
    ssid=Guest vlan-id=30 vlan-mode=use-tag wps-mode=disabled
add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=\
    DE:2C:6E:1F:54:57 master-interface=WLan_5Ghz multicast-buffering=disabled \
    multicast-helper=full name=guest_5Ghz security-profile=guest ssid=Guest \
    vlan-id=30 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=\
    2E:C8:1B:BD:96:F1 master-interface=WLan_2Ghz multicast-buffering=disabled \
    name=IoT security-profile=IoT ssid=IoT vlan-id=20 vlan-mode=use-tag \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=\
    2E:C8:1B:BD:96:F3 master-interface=WLan_2Ghz multicast-buffering=disabled \
    name=Management security-profile=Management ssid=chef vlan-mode=use-tag \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip pool
add name=pool1 ranges=192.168.1.100-192.168.1.200
add name=pool10 ranges=192.168.10.10-192.168.10.200
add name=pool20 ranges=192.168.20.100-192.168.20.200
add name=pool30 ranges=192.168.30.100-192.168.30.200
/ip dhcp-server
add address-pool=pool1 interface=vlan1 lease-script="# DNS TTL to set for DNS \
    entries\r\
    \n:local dnsttl \"00:15:00\";\r\
    \n\r\
    \n###\r\
    \n# Script entry point\r\
    \n#\r\
    \n# Expected environment variables:\r\
    \n# leaseBound         1 = lease bound, 0 = lease removed\r\
    \n# leaseServerName    Name of DHCP server\r\
    \n# leaseActIP         IP address of DHCP client\r\
    \n# leaseActMAC        MAC address of DHCP client\r\
    \n###\r\
    \n\r\
    \n:local scriptName \"dhcp2dns\"\r\
    \n:do {\r\
    \n  :local scriptObj [:parse [/system script get \$scriptName source]]\r\
    \n  \$scriptObj leaseBound=\$leaseBound leaseServerName=\$leaseServerName \
    leaseActIP=\$leaseActIP leaseActMAC=\$leaseActMAC\r\
    \n} on-error={ :log warning \"DHCP server '\$leaseServerName' lease script\
    \_error\" };\r\
    \n\r\
    \n# \"a.b.c.d\" -> \"a-b-c-d\" for IP addresses used as replacement for mi\
    ssing host names\r\
    \n:local ip2Host do=\\\r\
    \n{\r\
    \n  :local outStr\r\
    \n  :for i from=0 to=([:len \$inStr] - 1) do=\\\r\
    \n  {\r\
    \n    :local tmp [:pick \$inStr \$i];\r\
    \n    :if (\$tmp =\".\") do=\\\r\
    \n    {\r\
    \n      :set tmp \"-\"\r\
    \n    }\r\
    \n    :set outStr (\$outStr . \$tmp)\r\
    \n  }\r\
    \n  :return \$outStr\r\
    \n}\r\
    \n\r\
    \n:local mapHostName do={\r\
    \n# param: name\r\
    \n# max length = 63\r\
    \n# allowed chars a-z,0-9,-\r\
    \n  :local allowedChars \"abcdefghijklmnopqrstuvwxyz0123456789-\";\r\
    \n  :local numChars [:len \$name];\r\
    \n  :if (\$numChars > 63) do={:set numChars 63};\r\
    \n  :local result \"\";\r\
    \n\r\
    \n  :for i from=0 to=(\$numChars - 1) do={\r\
    \n    :local char [:pick \$name \$i];\r\
    \n    :if ([:find \$allowedChars \$char] < 0) do={:set char \"-\"};\r\
    \n    :set result (\$result . \$char);\r\
    \n  }\r\
    \n  :return \$result;\r\
    \n}\r\
    \n\r\
    \n:local lowerCase do={\r\
    \n# param: entry\r\
    \n  :local lower \"abcdefghijklmnopqrstuvwxyz\";\r\
    \n  :local upper \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\r\
    \n  :local result \"\";\r\
    \n  :for i from=0 to=([:len \$entry] - 1) do={\r\
    \n    :local char [:pick \$entry \$i];\r\
    \n    :local pos [:find \$upper \$char];\r\
    \n    :if (\$pos > -1) do={:set char [:pick \$lower \$pos]};\r\
    \n    :set result (\$result . \$char);\r\
    \n  }\r\
    \n  :return \$result;\r\
    \n}\r\
    \n\r\
    \n:local token \"\$leaseServerName-\$leaseActMAC\";\r\
    \n:local LogPrefix \"DHCP2DNS (\$leaseServerName)\"\r\
    \n\r\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do=\\\r\
    \n{\r\
    \n  :log error \"\$LogPrefix: empty lease address\"\r\
    \n  :error \"empty lease address\"\r\
    \n}\r\
    \n\r\
    \n:if ( \$leaseBound = 1 ) do=\\\r\
    \n{\r\
    \n  # new DHCP lease added\r\
    \n  /ip dhcp-server\r\
    \n  #:local dnsttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
    \n  network\r\
    \n  :local domain [ get [ find \$leaseActIP in address ] domain ]\r\
    \n  #:log info \"\$LogPrefix: DNS domain is \$domain\"\r\
    \n\r\
    \n  :local hostname [/ip dhcp-server lease get [:pick [find mac-address=\$\
    leaseActMAC and server=\$leaseServerName] 0] value-name=host-name]\r\
    \n  #:log info \"\$LogPrefix: DHCP hostname is \$hostname\"\r\
    \n\r\
    \n #Hostname cleanup\r\
    \n  :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :set hostname [ \$ip2Host inStr=\$leaseActIP ]\r\
    \n    :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using ge\
    nerated host name '\$hostname'\"\r\
    \n  }\r\
    \n  :set hostname [\$lowerCase entry=\$hostname]\r\
    \n  :set hostname [\$mapHostName name=\$hostname]\r\
    \n  #:log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\r\
    \n\r\
    \n  :if ( [ :len \$domain ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', can\
    not create static DNS name\"\r\
    \n    :error \"Empty domainname for '\$leaseActIP'\"\r\
    \n  }\r\
    \n\r\
    \n  :local fqdn (\$hostname . \".\" .  \$domain)\r\
    \n  #:log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\r\
    \n\r\
    \n    :if ([/ip dhcp-server lease get [:pick [find mac-address=\$leaseActM\
    AC and server=\$leaseServerName] 0] ]) do={\r\
    \n      # :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\r\
    \n      :do {\r\
    \n        /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl\
    \_comment=\$token;\r\
    \n      } on-error={:log error message=\"\$LogPrefix: Failure during dns r\
    egistration of \$fqdn with \$leaseActIP\"}\r\
    \n    }\r\
    \n\r\
    \n} else={\r\
    \n# DHCP lease removed\r\
    \n  /ip dns static remove [find comment=\$token];\r\
    \n} " name=server1
add address-pool=pool10 interface=vlan10 name=server2
add address-pool=pool20 interface=vlan20 name=server3
add address-pool=pool30 interface=vlan30 name=server4
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=vlan-bridge comment="Uplink Switch" interface=ether2
add bridge=vlan-bridge comment="Reserve Uplink Switch" interface=ether3
add bridge=vlan-bridge comment=Pihole interface=ether4
add bridge=vlan-bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8 pvid=20
add bridge=vlan-bridge interface=ether9 pvid=20
add bridge=vlan-bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether7 pvid=10
add bridge=vlan-bridge frame-types=admit-only-vlan-tagged interface=WLan_2Ghz \
    pvid=10
add bridge=vlan-bridge frame-types=admit-only-vlan-tagged interface=WLan_5Ghz \
    pvid=10
add bridge=vlan-bridge frame-types=admit-only-vlan-tagged interface=IoT pvid=\
    20
add bridge=vlan-bridge frame-types=admit-only-vlan-tagged interface=\
    guest_2Ghz pvid=30
add bridge=vlan-bridge interface=guest_5Ghz pvid=30
add bridge=vlan-bridge frame-types=admit-only-vlan-tagged interface=\
    Management
/ip settings
set rp-filter=strict tcp-syncookies=yes
/interface bridge vlan
add bridge=vlan-bridge tagged=vlan-bridge,ether2 untagged=ether4 vlan-ids=1
add bridge=vlan-bridge tagged=\
    vlan-bridge,ether2,ether3,WLan_2Ghz,WLan_5Ghz,ether4 vlan-ids=10
add bridge=vlan-bridge tagged=vlan-bridge,ether2,ether3,IoT,ether4 vlan-ids=\
    20
add bridge=vlan-bridge tagged=vlan-bridge,ether2,ether3,guest_2Ghz,guest_5Ghz \
    vlan-ids=30
/interface list member
add comment=defconf interface=vlan20 list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=vlan10 list=LAN
add comment=defconf interface=vlan30 list=LAN
add interface=vlan1 list=LAN
add interface=WLan_5Ghz list=LAN
add interface=WLan_2Ghz list=LAN
add interface=guest_2Ghz list=LAN
add interface=guest_5Ghz list=LAN
add interface=IoT list=LAN
add interface=Management list=LAN
add interface=wireguard-vpn list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.40.2/32 comment="Pix" interface=wireguard-vpn \
    public-key="Fo1HOsr9lDLhLToYHc41JIDZh6yOlOh0zLl7OfuyelE="
/ip address
add address=192.168.178.2/24 interface=ether1 network=192.168.178.0
add address=192.168.1.1/24 interface=vlan1 network=192.168.1.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
add address=192.168.40.1/24 interface=wireguard-vpn network=192.168.40.0
/ip dhcp-server lease
add address=192.168.20.199 comment="SMA 9kW" mac-address=00:40:AD:99:22:A3 \
    server=server3
add address=192.168.20.198 client-id=1:0:40:ad:b0:77:b0 comment="SMA SBS 3.6" \
    mac-address=00:40:AD:B0:77:B0 server=server3
add address=192.168.20.197 client-id=1:a8:3:2a:31:5f:ff comment=\
    "Thinkerforge Warp2 Smart Ladestation" mac-address=A8:03:2A:31:5F:FF \
    server=server3
add address=192.168.20.196 client-id=1:0:d0:93:49:ca:73 comment=Homemanager \
    mac-address=00:D0:93:49:CA:73 server=server3
add address=192.168.20.195 comment="SMA 15kW" mac-address=00:40:AD:AD:41:EE \
    server=server3
add address=192.168.10.200 client-id=1:0:50:b6:b5:1c:12 comment=X13 \
    mac-address=00:50:B6:B5:1C:12 server=server2
add address=192.168.10.143 client-id=1:c0:bd:d1:b5:77:62 mac-address=\
    C0:BD:D1:B5:77:62 server=server2
add address=192.168.10.189 client-id=1:f0:9e:4a:7e:9:5f mac-address=\
    F0:9E:4A:7E:09:5F server=server2
add address=192.168.10.55 client-id=1:50:1e:2d:2d:9c:c4 comment="Teufel One" \
    mac-address=50:1E:2D:2D:9C:C4 server=server2
add address=192.168.20.192 client-id=1:2:81:85:aa:9a:87 comment=\
    "Multiplus II" mac-address=02:81:85:AA:9A:87 server=server3
add address=192.168.10.49 client-id=1:ea:80:4e:1b:5b:22 mac-address=\
    EA:80:4E:1B:5B:22 server=server2
add address=192.168.10.43 client-id=\
    ff:5d:e2:6c:15:0:2:0:0:ab:11:3a:83:32:50:46:6a:ed:4f mac-address=\
    84:A9:3E:0B:15:AF server=server2
add address=192.168.10.50 client-id=1:48:8f:5a:8:ac:a7 comment=\
    "Switch CRS326" mac-address=48:8F:5A:08:AC:A7 server=server2
add address=192.168.10.36 client-id=1:3c:7c:3f:26:95:8b mac-address=\
    3C:7C:3F:26:95:8B server=server2
add address=192.168.10.159 client-id=1:2:a:12:73:41:fe comment="iPhone Caro" \
    mac-address=02:0A:12:73:41:FE server=server2
add address=192.168.20.190 client-id=1:34:ea:e7:6:a0:41 comment=\
    "P1 Meter BKW Z\E4hler" mac-address=34:EA:E7:06:A0:41 server=server3
add address=192.168.20.188 comment="Shelly 1PM (PM2)" mac-address=\
    8C:AA:B5:5F:D8:77 server=server3
add address=192.168.10.16 client-id=1:f6:b8:82:4:2f:4d comment=Pixel \
    mac-address=F6:B8:82:04:2F:4D server=server2
add address=192.168.10.13 client-id=1:bc:e6:3f:f:82:86 mac-address=\
    BC:E6:3F:0F:82:86 server=server2
add address=192.168.10.19 client-id=1:c4:12:34:c:b3:f5 mac-address=\
    C4:12:34:0C:B3:F5 server=server2
add address=192.168.10.35 client-id=\
    ff:e4:3a:18:f0:0:2:0:0:ab:11:93:b7:c:7:70:43:4b:c8 mac-address=\
    C6:45:80:CE:D1:98 server=server2
add address=192.168.20.186 client-id=1:2:e6:2c:ae:b:f3 comment=S19k \
    mac-address=02:E6:2C:AE:0B:F3 server=server3
add address=192.168.20.181 client-id=1:e4:5f:1:2b:82:ff mac-address=\
    E4:5F:01:2B:82:FF server=server3
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.100,1.1.1.1 domain=vlan1.home \
    gateway=192.168.1.1 netmask=24 ntp-server=195.176.26.204
add address=192.168.10.0/24 dns-server=192.168.1.100,1.1.1.1 domain=\
    vlan10.home gateway=192.168.10.1 netmask=24 ntp-server=195.176.26.204
add address=192.168.20.0/24 dns-server=192.168.1.100,1.1.1.1 domain=\
    vlan20.home gateway=192.168.20.1 netmask=24 ntp-server=195.176.26.204
add address=192.168.30.0/24 dns-server=192.168.1.100,1.1.1.1 domain=\
    vlan30.home gateway=192.168.30.1 netmask=24 ntp-server=195.176.26.204
/ip dns
set cache-max-ttl=1d max-concurrent-queries=400 max-concurrent-tcp-sessions=\
    100 servers=192.168.1.100,1.1.1.1
/ip dns static
add address=192.168.1.110 comment=server2-02:47:D4:8E:24:35 name=\
    192-168-1-110.vlan1.home ttl=15m
add address=192.168.1.111 comment=server2-F6:27:44:E3:4B:16 name=\
    192-168-1-111.vlan1.home ttl=15m
add address=192.168.1.112 comment=server2-F2:16:1F:10:31:41 name=\
    192-168-1-112.vlan1.home ttl=15m
add address=192.168.1.130 comment=server2-92:62:F2:AC:75:4B name=\
    192-168-1-130.vlan1.home ttl=15m
add address=192.168.1.131 comment=server2-32:DA:B0:CE:B9:F1 name=\
    192-168-1-131.vlan1.home ttl=15m
add address=192.168.1.132 comment=server2-0E:EA:BF:6A:4E:35 name=\
    192-168-1-132.vlan1.home ttl=15m
add address=192.168.1.133 comment=server2-7A:2B:F9:47:A3:14 name=\
    192-168-1-133.vlan1.home ttl=15m
add address=192.168.1.134 comment=server2-12:41:E3:47:51:B0 name=\
    192-168-1-134.vlan1.home ttl=15m
add address=192.168.1.135 comment=server2-EE:E7:80:4D:A9:A8 name=\
    192-168-1-135.vlan1.home ttl=15m
add address=192.168.1.136 comment=server2-BE:99:09:2F:54:E9 name=\
    192-168-1-136.vlan1.home ttl=15m
add address=192.168.1.137 comment=server2-FE:30:F8:CA:C0:C9 name=\
    192-168-1-137.vlan1.home ttl=15m
add address=192.168.1.138 comment=server2-42:6D:14:0A:CB:C2 name=\
    192-168-1-138.vlan1.home ttl=15m
add address=192.168.1.139 comment=server2-4A:6B:BA:AE:65:FF name=\
    192-168-1-139.vlan1.home ttl=15m
add address=192.168.1.140 comment=server2-3A:49:04:F9:5B:C9 name=\
    192-168-1-140.vlan1.home ttl=15m
add address=192.168.1.141 comment=server2-8A:53:75:23:90:66 name=\
    192-168-1-141.vlan1.home ttl=15m
add address=192.168.1.142 comment=server2-2E:18:F6:3E:D3:21 name=\
    192-168-1-142.vlan1.home ttl=15m
add address=192.168.1.143 comment=server2-5E:83:BB:74:38:1D name=\
    192-168-1-143.vlan1.home ttl=15m
add address=192.168.1.144 comment=server2-7A:73:D5:5A:DB:43 name=\
    192-168-1-144.vlan1.home ttl=15m
add address=192.168.1.145 comment=server2-3A:E4:34:C1:54:05 name=\
    192-168-1-145.vlan1.home ttl=15m
add address=192.168.1.146 comment=server2-9E:58:37:23:55:69 name=\
    192-168-1-146.vlan1.home ttl=15m
add address=192.168.1.147 comment=server2-1A:32:21:41:9A:51 name=\
    192-168-1-147.vlan1.home ttl=15m
add address=192.168.1.148 comment=server2-CE:09:A2:C3:E4:D5 name=\
    192-168-1-148.vlan1.home ttl=15m
add address=192.168.1.149 comment=server2-8E:4D:C1:7A:64:91 name=\
    192-168-1-149.vlan1.home ttl=15m
add address=192.168.1.150 comment=server2-12:D7:27:1D:E0:9F name=\
    192-168-1-150.vlan1.home ttl=15m
add address=192.168.1.151 comment=server2-AE:FC:C3:B4:92:61 name=\
    192-168-1-151.vlan1.home ttl=15m
add address=192.168.1.152 comment=server2-32:44:B4:24:6C:51 name=\
    192-168-1-152.vlan1.home ttl=15m
add address=192.168.20.199 comment=server3-00:40:AD:99:22:A3 name=\
    192-168-20-199.vlan20.home ttl=15m
add address=192.168.20.197 comment=server3-A8:03:2A:31:5F:FF name=\
    warp2.vlan20.home ttl=15m
add address=192.168.20.195 comment=server3-00:40:AD:AD:41:EE name=\
    192-168-20-195.vlan20.home ttl=15m
add address=192.168.10.50 comment=server2-48:8F:5A:08:AC:A7 name=\
    mikrotik.vlan10.home ttl=15m
add address=192.168.10.49 comment=server2-EA:80:4E:1B:5B:22 name=\
    galaxy-tab-s6-lite.vlan10.home ttl=15m
add address=192.168.10.55 comment=server2-50:1E:2D:2D:9C:C4 name=\
    192-168-10-55.vlan10.home ttl=15m
add address=192.168.20.198 comment=server3-00:40:AD:B0:77:B0 name=\
    sma3009917376.vlan20.home ttl=15m
add address=192.168.20.196 comment=server3-00:D0:93:49:CA:73 name=\
    sma3004913685.vlan20.home ttl=15m
add address=192.168.10.159 comment=server2-02:0A:12:73:41:FE name=\
    192-168-10-159.vlan10.home ttl=15m
add address=192.168.20.200 comment=server3-C0:41:F6:1F:05:7D name=\
    192-168-20-200.vlan20.home ttl=15m
add address=192.168.10.189 comment=server2-F0:9E:4A:7E:09:5F name=\
    spcclt-007.vlan10.home ttl=15m
add address=192.168.30.155 comment=server4-94:44:44:89:06:F9 name=\
    192-168-30-155.vlan30.home ttl=15m
/ip firewall address-list
add address=192.168.1.0-192.168.10.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" disabled=yes list=\
    not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" disabled=yes list=\
    bad_dst_ipv4
add address=192.168.10.0/24 comment=trusted list=vlan10
add address=192.168.20.0/24 comment=untrusted list=vlan20
add address=192.168.30.0/24 comment=untrusted list=vlan30
/ip firewall filter
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    192.168.40.0/24
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input in-interface=wireguard-vpn log-prefix="[FW]"
add action=accept chain=forward comment="VPN -> LAN | Netzwerkzugriff" \
    in-interface=wireguard-vpn log=yes log-prefix="[FW]" out-interface=ether1
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input log-prefix="[drop]"
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward dst-address-list=vlan20 src-address-list=\
    vlan10
add action=accept chain=forward dst-address-list=vlan30 src-address-list=\
    vlan10
add action=accept chain=forward comment="warp charger to evcc" dst-address=\
    192.168.10.35 src-address=192.168.20.197
add action=drop chain=forward dst-address-list=vlan10 src-address-list=vlan20
add action=drop chain=forward dst-address-list=vlan10 src-address-list=vlan30
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes dst-port=13231 out-interface=\
    vlan20 protocol=udp to-addresses=192.168.40.1
add action=accept chain=srcnat comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" log-prefix=\
    "[nat]" out-interface-list=WAN
/ip firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
    udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" dst-address=192.168.1.0/24 \
    in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" in-interface=\
    vlan-bridge in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.178.1 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet address=192.168.0.0/16 disabled=yes
set ftp address=192.168.0.0/16 disabled=yes
set www address=192.168.0.0/16 disabled=yes
set ssh address=192.168.0.0/16 port=2200
set www-ssl address=192.168.0.0/16 certificate=webfig disabled=no
set api address=192.168.0.0/16 disabled=yes
set winbox address=192.168.0.0/16
set api-ssl address=192.168.0.0/16 certificate=MikroTik.local
/ip ssh
set host-key-size=4096 strong-crypto=yes
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=\
    bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
    ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Zurich
/system identity
set name=Router
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp11.metas.ch
add address=ntp12.metas.ch
add address=ntp13.metas.ch
/tool bandwidth-server
set enabled=no
/tool graphing interface
add allow-address=192.168.0.0/16
/tool graphing queue
add allow-address=192.168.0.0/16
/tool graphing resource
add allow-address=192.168.0.0/16
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
/tool romon
set enabled=yes
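
A check on the posted filter table, as an added example that is not part of the original post or of RouterOS itself: the export above has an unconditional `add action=drop chain=input log-prefix="[drop]"` followed by further `chain=input` rules, and since RouterOS stops at the first terminating rule, those later rules can never match. The script below parses `/ip firewall filter` lines in `/export` format (including the `\` line wrapping), treats any enabled rule with no matcher and a terminating action as a catch-all, and reports every later rule in the same chain. The embedded sample is a constructed excerpt of the posted input chain, not the full export; `NON_MATCHERS` and `TERMINAL_ACTIONS` are my own classification of RouterOS rule properties.

```python
"""Find unreachable rules in a RouterOS `/export` of /ip firewall filter.

Added example, not code from the forum post or from MikroTik. RouterOS
walks each chain top to bottom and stops at the first terminating rule
(accept/drop/reject/tarpit). A rule with no matcher at all and such an
action therefore catches every packet still in the chain, and every later
rule in that chain is dead. The sample below is a constructed excerpt of
the posted input chain (not the full export).
"""
import shlex

# Properties that never narrow the match; everything else is treated as a matcher.
NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix", "disabled", "place-before"}
# Actions that end processing of the packet in this chain.
TERMINAL_ACTIONS = {"accept", "drop", "reject", "tarpit"}

# Constructed sample: an excerpt of the posted export, wrapped the way /export wraps it.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \\
    protocol=udp
add action=accept chain=input in-interface=wireguard-vpn log-prefix="[FW]"
add action=accept chain=input comment="default configuration" \\
    connection-state=established,related
add action=accept chain=input protocol=icmp
add action=drop chain=input log-prefix="[drop]"
add action=accept chain=input comment="defconf: accept ICMP after RAW" \\
    protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \\
    in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" \\
    connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \\
    out-interface-list=WAN
"""


def join_continuations(text):
    """Undo the trailing-backslash line wrapping of a RouterOS /export."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if buf:                      # continuation line: drop the 4-space indent
            line = line.lstrip()
        if line.endswith("\\"):      # export puts a space before '\' only between tokens
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out


def parse_filter_rules(export_text):
    """Return the enabled /ip firewall filter rules as dicts, in table order."""
    rules, section = [], None
    for line in join_continuations(export_text):
        if line.startswith("/"):
            section = line.strip()
            continue
        if section != "/ip firewall filter" or not line.startswith("add "):
            continue
        props = {}
        for tok in shlex.split(line[4:]):   # shlex handles comment="..." quoting
            key, _, val = tok.partition("=")
            props[key] = val
        if props.get("disabled") == "yes":
            continue
        rules.append({
            "chain": props.get("chain"),
            "action": props.get("action"),
            "comment": props.get("comment", ""),
            "matchers": {k: v for k, v in props.items() if k not in NON_MATCHERS},
        })
    return rules


def find_shadowed(rules):
    """Return (rule, blocker) pairs: blocker is an earlier catch-all terminating
    rule in the same chain, so rule never sees a packet."""
    blocker_by_chain, shadowed = {}, []
    for rule in rules:
        chain = rule["chain"]
        if chain in blocker_by_chain:
            shadowed.append((rule, blocker_by_chain[chain]))
        elif not rule["matchers"] and rule["action"] in TERMINAL_ACTIONS:
            blocker_by_chain[chain] = rule
    return shadowed


def report(export_text):
    """One human-readable line per unreachable rule."""
    out = []
    for rule, blocker in find_shadowed(parse_filter_rules(export_text)):
        out.append(
            f'chain={rule["chain"]}: "{rule["comment"] or rule["action"]}" is unreachable, '
            f'shadowed by catch-all {blocker["action"]} "{blocker["comment"] or "(no comment)"}"'
        )
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_EXPORT):
        print(line)
```

To use it on a real device, save the output of `/export` to a file and pass its contents to `report()`. The check is deliberately conservative: it flags only rules behind a rule with no matcher whatsoever, so a drop with `in-interface-list=!LAN` is not treated as a catch-all even though it may shadow rules for WAN traffic; partial overlaps between rules still need a human eye.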
 
Centurio3
just joined
Topic Author
Posts: 4
Joined: Fri Nov 03, 2023 10:39 pm

Re: WireGuard config trouble with Fritzbox #portforwarding #VLAN #FW pls help me  [SOLVED]

Sat Nov 11, 2023 1:10 pm

Here is the solution:

Assuming you are using an AVM FritzBox that you got preconfigured from your internet service provider (ISP), and you have access to the FritzBox. First important point: bridge mode is not supported unless you beg your ISP!

If you want to use your FritzBox as a modem only, you disable all the specific settings in the device and configure a route to your MikroTik device. So did I. The FritzBox uses the 192.168.178.1 address. Now the important part:
The FritzBox (or I) initially assigned the address 192.168.178.99 to the MikroTik router. I then ticked the checkbox in the FritzBox settings to "always use the same address" for the MikroTik device. However, the route I added on the FritzBox was 192.168.178.1 > 192.168.178.2 (the MikroTik router). All good till now. Everything works.

In order to configure the WireGuard server on the MikroTik router I need to forward the WireGuard port on the FritzBox to the MikroTik router. Makes sense. So in this case you need to add port forwarding in the FritzBox. There you can choose the MikroTik device and add the port. Now the interesting point.
You can only choose the 192.168.178.99 device called mikrotik. Setting up the port forward will not bring you anything, as no device has the .99 IP. Once I realized this, I wanted to add the IP manually. Adding 192.168.178.2 (the MikroTik router) I got the error message that this IP is already in use... wtf!?

The solution:
Reset the "always use the same IP address" setting. Once this is done, you can magically add 192.168.178.2 for port forwarding. Crazy, but true. Maybe the screenshots will help one of you, although they are in German. Feel free to contact me in case of trouble.
 
Njumaen
Frequent Visitor
Posts: 98
Joined: Wed Feb 24, 2016 8:41 pm
Location: Bielefeld, Germany

Re: WireGuard config trouble with Fritzbox #portforwarding #VLAN #FW pls help me

Sat Nov 11, 2023 4:14 pm

If the firewall on your MikroTik is up and running you can enable "exposed host" on your FritzBox. Everything (except registered VoIP on the Fritze) will be sent to your MikroTik now!

So beware! ;)

Therefore you do not have to beg for bridge mode.

Caveat: if you have dual stack you will only get a /64 from your provider!
 
Centurio3
just joined
Topic Author
Posts: 4
Joined: Fri Nov 03, 2023 10:39 pm

Re: WireGuard config trouble with Fritzbox #portforwarding #VLAN #FW pls help me

Sat Nov 11, 2023 5:54 pm

Oh, this is indeed true. But I don't want an exposed host. So I go with port forwarding.
 
Njumaen
Frequent Visitor
Posts: 98
Joined: Wed Feb 24, 2016 8:41 pm
Location: Bielefeld, Germany

Re: WireGuard config trouble with Fritzbox #portforwarding #VLAN #FW pls help me

Sun Nov 12, 2023 1:01 pm

Of course that is up to your decision, BUT having a MikroTik router as exposed host/router with a firewall gives you full control over your router and network for the first time! (blacklist, scripting, logging, statistics (…), only some to mention)

I have been doing this for a long time for my own network and the networks of my clients.

Ralf.