 
comiconomenclaturist
just joined
Topic Author
Posts: 8
Joined: Mon Oct 09, 2023 1:16 pm

Can't access device on management VLAN remotely via Wireguard

Mon Dec 11, 2023 7:53 pm

Hi,

I have set up our RB2011UiAS-RM with 3 VLANs and a wireguard client which connects to a VPS running the wireguard server.
The problem I have is that I can't access the managed switch on the management VLAN remotely via Wireguard.
I have added the subnet range that includes all the VLANs to AllowedAddresses in the wireguard config on my laptop, and on the wireguard server.
I can ping the RB2011 from my laptop, and ssh into it via any of the gateway IP addresses of the three VLANs including the management VLAN IP address. I can also access other devices on non-management VLANs, just not the switch on the management VLAN.

When connected directly to the RB2011 with an ethernet cable plugged into a management access port I can access the managed switch web interface.
I have added the wireguard-client interface on the RB2011 to the MGMT interface list.

Any suggestions as to what the problem could be are welcome.

thanks
# 2023-12-11 17:39:10 by RouterOS 7.12.1
# model = RB2011UiAS
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard-client
/interface vlan
add interface=bridge name=MGMT_VLAN vlan-id=10
add interface=bridge name=VLAN_2_VLAN vlan-id=30
add interface=bridge name=VLAN_1_VLAN vlan-id=20
/interface list
add name=WAN
add name=LAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=121 name="Advertise VLANS to MGMT clients" value=0x100A2C0A2C0A01
/ip pool
add name=MGMT_POOL ranges=192.168.10.3-192.168.10.6
add name=VLAN_2_POOL ranges=192.168.30.2-192.168.30.254
add name=VLAN_1_POOL ranges=192.168.20.2-192.168.20.14
/ip dhcp-server
add address-pool=MGMT_POOL interface=MGMT_VLAN lease-time=8h name=MGMT
add address-pool=VLAN_1_POOL interface=VLAN_1_VLAN lease-time=6d name=VLAN_1
add address-pool=VLAN_2_POOL interface=VLAN_2_VLAN lease-time=8h name=VLAN_2
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether9 pvid=20
add bridge=bridge interface=ether3
add bridge=bridge interface=ether5 pvid=10
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 vlan-ids=10
add bridge=bridge tagged=bridge,ether3 vlan-ids=20
add bridge=bridge tagged=bridge,ether3 vlan-ids=30
/interface list member
add interface=VLAN_1_VLAN list=LAN
add interface=ether1 list=WAN
add interface=MGMT_VLAN list=LAN
add interface=VLAN_2_VLAN list=LAN
add interface=MGMT_VLAN list=MGMT
add interface=wireguard-client list=MGMT
add interface=wireguard-client list=LAN
/interface wireguard peers
add allowed-address=10.0.8.0/24,192.168.0.0/16 endpoint-address=example.com endpoint-port=51820 interface=wireguard-client \
    persistent-keepalive=25s public-key="XXXX"
/ip address
add address=192.168.20.1/28 interface=VLAN_1_VLAN network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN_2_VLAN network=192.168.30.0
add address=192.168.10.1/29 interface=MGMT_VLAN network=192.168.10.0
add address=10.0.8.7/24 interface=wireguard-client network=10.0.8.0
/ip dhcp-client
add interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.10.2 comment="D-Link Switch" mac-address=BC:22:28:7C:BE:A0 server=MGMT
/ip dhcp-server network
add address=192.168.10.0/29 dhcp-option="Advertise VLANS to MGMT clients" dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/28 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9,8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input comment="allow SSH" dst-port=1044 protocol=tcp
add action=accept chain=input comment="allow WireGuard" dst-port=51820 protocol=udp
add action=accept chain=forward comment="Allow access to all VLANs from MGMT list" in-interface-list=MGMT out-interface-list=LAN
add action=accept chain=forward comment="Allow access to VLAN_2 VLAN from VLAN_1 VLAN" in-interface=VLAN_1_VLAN out-interface=\
    VLAN_2_VLAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment=internet in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=80 protocol=tcp to-addresses=192.168.20.7 to-ports=8000
add action=dst-nat chain=dstnat disabled=yes dst-port=1194 protocol=udp to-addresses=192.168.30.4 to-ports=1194
/ip firewall service-port
set ftp disabled=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway="" pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=\
    10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=1044
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/lcd
set backlight-timeout=5m default-screen=stat-slideshow
/lcd pin
set hide-pin-number=yes pin-number=XXXX
/system clock
set time-zone-name=Europe/London
/system identity
set name=Mikrotik
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.uk.pool.ntp.org
add address=1.uk.pool.ntp.org
add address=2.uk.pool.ntp.org
add address=3.uk.pool.ntp.org
/system routerboard settings
set silent-boot=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
 
anav
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't access device on management VLAN remotely via Wireguard

Mon Dec 11, 2023 9:18 pm

(1) This makes me ponder.......
/ip address
add address=192.168.20.1/28 interface=VLAN_1_VLAN network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN_2_VLAN network=192.168.30.0
add address=192.168.10.1/29 interface=MGMT_VLAN network=192.168.10.0
add address=10.0.8.7/24 interface=wireguard-client network=10.0.8.0

/interface wireguard peers
add allowed-address=10.0.8.0/24,192.168.0.0/16 endpoint-address=example.com endpoint-port=51820 interface=wireguard-client \
persistent-keepalive=25s public-key="XXXX"


What was the purpose of adding a range of 192.168.0.0/16 addresses that also overlap YOUR OWN local subnets???
The CHR, to my knowledge, is just there for the wireguard connection; does it really have a bunch of subnets and a full blown network as well???

(2) WHY OH WHY do you have this input chain rule on the RB2011........
add action=accept chain=input comment="allow WireGuard" dst-port=51820 protocol=udp

Do you expect the server to contact and make a handshake with a client device ?????

(3) Why is your Firewall ruleset DISORGANIZED making it harder to read................
try putting input chain rules together and forward chain rules together....

Currently they are significantly out of whack affecting performance.


(4) I would take this rule and make access to the router more secure, not to every tom dick and harry on your network.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
I see you have partially done that from a winbox perspective but
I would change the mac-server only entry to NONE.
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=MGMT


(5) Your disabled dst nat rules won't work anyway; they are incomplete.

(7) Seeing the WG rules from the CHR would be helpful.

(8) Not sure why you cannot config the router from the LAN side, but if you clean up the above first, then post both configs to view........... more will be discernible.
 
comiconomenclaturist
just joined
Topic Author
Posts: 8
Joined: Mon Oct 09, 2023 1:16 pm

Re: Can't access device on management VLAN remotely via Wireguard

Mon Dec 18, 2023 8:09 pm

Hi Anav,

thanks for this detailed info. I've updated the config with the changes you recommended. To address the points you made:

1) I've removed the VLAN subnets from the allowed address in /interface/wireguard/peers. I think I was mistaking the allowed address for what the wireguard client can provide access to, not the ip address of the client / peer, or it was possibly related to point 2 below.

2) I've removed this firewall rule:
add action=accept chain=input comment="allow WireGuard" dst-port=51820 protocol=udp
It was from when I was running a Wireguard server on the Mikrotik device, but I am now routing traffic via the VPS.

3) I've reorganised the rules so that input chain and forward chain rules are together.

4) I've changed the
/tool mac-server allowed-interface-list
to none

5) I don't really need them anyway. I'll probably delete them

7) This is the output of the Mikrotik router client from the VPS when running
sudo wg show
# Mikrotik router
[Peer]
PublicKey = XXXX
AllowedIPs = 10.0.8.7/32, fd25:1463:3f58::7/128, 192.168.0.0/16
PersistentKeepAlive = 25

I still can't access the switch at 192.168.10.2, but I can access the RB2011 at 192.168.10.1 and all the other devices in the 192.168.20.0/28 and 192.168.30.0/24 VLANs.

many thanks for any advice in solving this

# 2023-12-18 17:36:59 by RouterOS 7.12.1
# model = RB2011UiAS
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes
/interface wireguard
add listen-port=51820 mtu=1380 name=wireguard-client
/interface vlan
add interface=bridge name=MGMT_VLAN vlan-id=10
add interface=bridge name=VLAN_2_VLAN vlan-id=30
add interface=bridge name=VLAN_1_VLAN vlan-id=20
/interface list
add name=WAN
add name=LAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=121 name="Advertise VLANS to MGMT clients" value=0x100A2C0A2C0A01
/ip pool
add name=MGMT_POOL ranges=192.168.10.3-192.168.10.6
add name=VLAN_2_POOL ranges=192.168.30.2-192.168.30.254
add name=VLAN_1_POOL ranges=192.168.20.2-192.168.20.14
/ip dhcp-server
add address-pool=MGMT_POOL interface=MGMT_VLAN lease-time=8h name=MGMT
add address-pool=VLAN_1_POOL interface=VLAN_1_VLAN lease-time=6d name=VLAN_1
add address-pool=VLAN_2_POOL interface=VLAN_2_VLAN lease-time=8h name=VLAN_2
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether9 pvid=20
add bridge=bridge interface=ether3
add bridge=bridge interface=ether5 pvid=10
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 vlan-ids=10
add bridge=bridge tagged=bridge,ether3 vlan-ids=20
add bridge=bridge tagged=bridge,ether3 vlan-ids=30
/interface list member
add interface=VLAN_1_VLAN list=LAN
add interface=ether1 list=WAN
add interface=MGMT_VLAN list=LAN
add interface=VLAN_2_VLAN list=LAN
add interface=MGMT_VLAN list=MGMT
add interface=wireguard-client list=MGMT
add interface=wireguard-client list=LAN
/interface wireguard peers
add allowed-address=10.0.8.0/24 endpoint-address=example.com endpoint-port=51820 interface=wireguard-client persistent-keepalive=\
    25s public-key="XXXX"
/ip address
add address=192.168.20.1/28 interface=VLAN_1_VLAN network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN_2_VLAN network=192.168.30.0
add address=192.168.10.1/29 interface=MGMT_VLAN network=192.168.10.0
add address=10.0.8.7/24 interface=wireguard-client network=10.0.8.0
/ip dhcp-client
add interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.10.2 comment="D-Link Switch" mac-address=BC:22:28:7C:BE:A0 server=MGMT
/ip dhcp-server network
add address=192.168.10.0/29 dhcp-option="Advertise VLANS to MGMT clients" dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/28 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9,8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input comment="allow SSH" dst-port=22 protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="Allow access to all VLANs from MGMT list" in-interface-list=MGMT out-interface-list=LAN
add action=accept chain=forward comment="Allow access to VLAN_2 VLAN from VLAN_1 VLAN" in-interface=VLAN_1_VLAN out-interface=\
    VLAN_2_VLAN
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment=internet in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=80 protocol=tcp to-addresses=192.168.20.7 to-ports=8000
add action=dst-nat chain=dstnat disabled=yes dst-port=1194 protocol=udp to-addresses=192.168.30.4 to-ports=1194
/ip firewall service-port
set ftp disabled=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway="" pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=\
    10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=22
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/lcd
set backlight-timeout=5m default-screen=stat-slideshow
/lcd pin
set hide-pin-number=yes pin-number=XXXX
/lcd interface
set sfp1 disabled=yes
/system clock
set time-zone-name=Europe/London
/system identity
set name=Mikrotik
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.uk.pool.ntp.org
add address=1.uk.pool.ntp.org
add address=2.uk.pool.ntp.org
add address=3.uk.pool.ntp.org
/system routerboard settings
set silent-boot=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
 
anav
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't access device on management VLAN remotely via Wireguard

Mon Dec 18, 2023 8:12 pm

Why is MTU on your mikrotik set to 1380?? Shouldn't change it from defaults at either MT device.
So the sole purpose of wireguard is so that you can remote in to your vlans and your Router for config purposes......
No traffic goes out VPS for internet etc...??

ORDER within firewall is screwed up, fixed below...

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow SSH" dst-port=22 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment=internet in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow access to all VLANs from MGMT list" in-interface-list=MGMT out-interface-list=LAN
add action=accept chain=forward comment="Allow access to VLAN_2 VLAN from VLAN_1 VLAN" in-interface=VLAN_1_VLAN out-interface=\
VLAN_2_VLAN
add action=accept chain=forward comment="wireguard lan access" in-interface=wireguard-client out-interface=MGMT_VLAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
Last edited by anav on Thu Dec 21, 2023 12:35 am, edited 6 times in total.
 
comiconomenclaturist
just joined
Topic Author
Posts: 8
Joined: Mon Oct 09, 2023 1:16 pm

Re: Can't access device on management VLAN remotely via Wireguard

Mon Dec 18, 2023 8:53 pm

I had to reduce the MTU on the Mikrotik wireguard peer otherwise the shell would freeze. I could usually login ok, but if for example, I exported the config in the RB2011 it would freeze/hang. A similar thing happened on other servers on the VLANs when I accessed them via wireguard over ssh. The MTU value of 1380 seems to have fixed this issue. Also, there is only one Mikrotik device. The VPS is a Debian server and my wireguard client is usually a Macbook.

The purpose of the wireguard tunnel is so that I can proxy requests from Nginx on the VPS to servers on the VLANs, as well as for remote administration.

Yes, internet traffic from the LAN goes out as normal, not via the wireguard tunnel / VPS.

What is wrong with the order of the firewall rules?
 
anav
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't access device on management VLAN remotely via Wireguard

Mon Dec 18, 2023 11:46 pm

fixed above
FOR MTU Set MTU back to default 1420? and try this instead.

/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard-client passthrough=yes protocol=tcp tcp-flags=syn
 
comiconomenclaturist
just joined
Topic Author
Posts: 8
Joined: Mon Oct 09, 2023 1:16 pm

Re: Can't access device on management VLAN remotely via Wireguard

Wed Dec 20, 2023 11:19 pm

Thanks for these suggestions. I've made the changes to the firewall order, although I wasn't quite sure which position to put this rule:
 add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid

It looks like you put it in position 1 and 4.
I've put it in position 1:
/ip/firewall/filter> print
Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; defconf: accept established,related, untracked
      chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 

 1    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

I've also changed the MTU back to 1420 and added the mangle rule. That seems to be working ok now, thanks.

I've added the forward rule for wireguard to access the MGMT VLAN but it's still not working unfortunately. The device I'm trying to access is a DLink switch which I can ping from the RB2011:
> ping 192.168.10.2 count=3      
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                  
    0 192.168.10.2                                 56  64 1ms965us  
    1 192.168.10.2                                 56  64 1ms865us  
    2 192.168.10.2                                 56  64 1ms855us  
    sent=3 received=3 packet-loss=0% min-rtt=1ms855us avg-rtt=1ms895us max-rtt=1ms965us

And I can ping the RB2011 from my laptop over the Wireguard tunnel:
$ ping -c3 192.168.10.1
PING 192.168.10.1 (192.168.10.1): 56 data bytes
64 bytes from 192.168.10.1: icmp_seq=0 ttl=63 time=74.738 ms
64 bytes from 192.168.10.1: icmp_seq=1 ttl=63 time=61.369 ms
64 bytes from 192.168.10.1: icmp_seq=2 ttl=63 time=61.328 ms

--- 192.168.10.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 61.328/65.812/74.738/6.312 ms

But I can't ping the switch from my laptop over the Wireguard tunnel:
$ ping -c3 192.168.10.2
PING 192.168.10.2 (192.168.10.2): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1

--- 192.168.10.2 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

The switch has a default IP address of 10.90.90.90 but I've added a secondary IP address of 192.168.10.2 tagged in the MGMT VLAN, which is clearly working as I can ping it from the RB2011.
FWIW I can't ping the switch from the VPS server over the wireguard tunnel either.
 
anav
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't access device on management VLAN remotely via Wireguard

Thu Dec 21, 2023 12:37 am

You got it, fixed the config I presented to remove the duplicate.

Yes, it's problematic that your Switch has any address that is not known to the router.
The advice is to give the switch ONLY an IP address on the management subnet and ditch the other one.
I am sure it will be accessible after that.

By the way, one should have access from wireguard to the local management subnet as this firewall rule permits it.
add action=accept chain=forward comment="wireguard lan access" in-interface=wireguard-client out-interface=MGMT_VLAN

remember the client is point to point to the VPS,
Since you are coming in on a wireguard address, the VPS should allow your remote entry to the VPS site.
Then you have to get to the Client router.
Thus allowed IPs on the VPS should include 192.168.0.0/16 ( on the VPS allowed IPs, not the mt client router ).
Then the VPS will know that the traffic from the remote client has a match outgoing to the mT client device in the wireguard part of routing.
SO
ON VPS ensure
a normal route exists telling the VPS for non-local traffic ( aka the mt subnets) where to route such traffic!! - if the VPS was an MT it would be
/ip route
add dst-address=192.168.0.0/16 gateway=wireguard-client routing-table=main

In other words the VPS has to know where to send that traffic!!!

Secondly, if it was an MT VPS we need a firewall rule to allow wireguard traffic coming in or exiting the tunnel to go out and reenter the tunnel for the MT peer.
/ip firewall filter
add chain=forward action=accept in-interface=wireguard out-interface=wireguard-client
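The two sides of this advice (the VPS needing 192.168.0.0/16 in the router peer's AllowedIPs, plus a kernel route pointing that prefix at the tunnel) both come down to how WireGuard's cryptokey routing uses AllowedIPs: outbound, a packet is sent to the peer whose AllowedIPs contains the destination (longest prefix wins); inbound, a decrypted packet is accepted only if its source address lies inside the sending peer's AllowedIPs. The following model is an added example, not RouterOS or wireguard-tools code. The 10.0.8.7/32, 10.0.8.0/24, 192.168.0.0/16 and 192.168.10.2 values are taken from the thread; the peer names and the laptop address 10.0.8.2 are constructed for the example.

```python
"""Model of WireGuard cryptokey routing (the AllowedIPs lists).

Added example for the thread above; not RouterOS or wireguard-tools code.
Peer names and the laptop address 10.0.8.2 are constructed; the other
addresses come from the posted configs.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Peer:
    name: str
    allowed_ips: List[ipaddress.IPv4Network]


class WgInterface:
    """One WireGuard interface with its peer table."""

    def __init__(self, peers: List[Peer]):
        self.peers = peers

    def egress_peer(self, dst: str) -> Optional[str]:
        """Outbound: pick the peer whose AllowedIPs has the longest prefix
        containing dst. None means no peer claims it and WireGuard drops it."""
        addr = ipaddress.ip_address(dst)
        best = None
        for peer in self.peers:
            for net in peer.allowed_ips:
                if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (peer, net)
        return best[0].name if best else None

    def ingress_allowed(self, peer_name: str, src: str) -> bool:
        """Inbound: a decrypted packet from peer_name is accepted only if its
        source lies inside that peer's AllowedIPs (otherwise silently dropped)."""
        addr = ipaddress.ip_address(src)
        peer = next(p for p in self.peers if p.name == peer_name)
        return any(addr in net for net in peer.allowed_ips)


def nets(*cidrs: str) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(c) for c in cidrs]


def vps_interface(lan_behind_router: bool) -> WgInterface:
    """VPS peer table. With lan_behind_router=False the RB2011 peer is only
    allowed its tunnel address, which is the failure case anav describes."""
    rb_allowed = ["10.0.8.7/32"] + (["192.168.0.0/16"] if lan_behind_router else [])
    return WgInterface([
        Peer("rb2011", nets(*rb_allowed)),
        Peer("laptop", nets("10.0.8.2/32")),   # constructed laptop peer
    ])


def rb2011_interface() -> WgInterface:
    """RB2011 side: a single peer (the VPS) with allowed-address=10.0.8.0/24,
    as in the second posted export. Sources arriving from the tunnel must
    fall inside this prefix."""
    return WgInterface([Peer("vps", nets("10.0.8.0/24"))])


def laptop_reaches_switch(vps: WgInterface, rb: WgInterface) -> str:
    """Trace laptop (10.0.8.2) -> switch (192.168.10.2) through the VPS and
    the reply path; return the first failing step or 'ok'."""
    if vps.egress_peer("192.168.10.2") != "rb2011":
        return "vps: no peer claims 192.168.10.2, packet dropped at the tunnel"
    if not rb.ingress_allowed("vps", "10.0.8.2"):
        return "rb2011: source 10.0.8.2 outside the VPS peer's allowed-address"
    if not vps.ingress_allowed("rb2011", "192.168.10.2"):
        return "vps: reply from 192.168.10.2 outside rb2011's AllowedIPs"
    return "ok"


if __name__ == "__main__":
    for flag in (False, True):
        print(f"192.168.0.0/16 in rb2011 AllowedIPs on VPS = {flag}: "
              f"{laptop_reaches_switch(vps_interface(flag), rb2011_interface())}")
```

Cryptokey routing is only consulted once the VPS kernel has handed the packet to the WireGuard interface, which is why a normal route for 192.168.0.0/16 via that interface is needed as well: `wg-quick` installs such routes from AllowedIPs automatically, a bare `wg setconf` does not. The `wg show` output earlier in the thread already lists 192.168.0.0/16 for the router peer, so on this VPS the peer-table half is in place; the model shows what breaks when either half is missing.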
 
comiconomenclaturist
just joined
Topic Author
Posts: 8
Joined: Mon Oct 09, 2023 1:16 pm

Re: Can't access device on management VLAN remotely via Wireguard

Thu Dec 21, 2023 11:25 pm

Thanks for confirming those things. It will probably be in the new year when I am back on site now, but I suspect the switch's default IP address is the problem.

Thanks for all your help!
 
verbylab
newbie
Posts: 35
Joined: Sat Jun 26, 2021 4:30 pm

Re: Can't access device on management VLAN remotely via Wireguard

Sun Dec 31, 2023 3:37 am

(2) WHY OH WHY do you have this input chain rule on the RB2011........
add action=accept chain=input comment="allow WireGuard" dst-port=51820 protocol=udp

Do you expect the server to contact and make a handshake with a client device ?????

Because that's the way it's documented? See https://help.mikrotik.com/docs/display/ ... figuration.

(3) Why is your Firewall ruleset DISORGANIZED making it harder to read................
try putting input chain rules together and forward chain rules together....

Currently they are significantly out of whack affecting performance.

How does the order of the rules affect performance exactly?
 
anav
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't access device on management VLAN remotely via Wireguard

Sun Dec 31, 2023 4:39 pm

@Verylab

1. The client device has nothing to do with accepting an incoming handshake, the request to join wireguard comes from the client device and is outbound traffic. The router wireguard service is hosted on the Server device at the incoming handshake and thus needs the input chain rule TO the router.

2. Each rule in the firewall chain has a purpose and there is logic. Thus if you deviate from the logic, then the config quickly becomes inefficient.
The rules are viewed first then second and so forth on a particular chain.
The idea being you want to minimize any traffic going through the entire chain so you want the majority of traffic to be executed as quickly as possible.

Hence for example the accepted,established rule is normally first in input chain
and
the fastrack rule, and then accepted,established rules are normally first in the forward chain.

3. Lets say you have a user that wants to go the internet.
The first packets hit the firewall rules and lets say hits the allowed,established rule. It's a new session and thus the router passes the rule to the next rule as there is no match.
Note: One doesn't have to state new, as it's implied, and if the router doesn't know about it, it's new.
The next rule is drop invalid traffic. Since this is legit traffic it passes. For security reasons we want to ensure any invalid traffic is dropped soonest.
The next rule might be allow LAN to WAN traffic (to the internet) and we have a match on the first packets, as they are 'captured' by the rule and, due to routes indicated in IP routes, the traffic heads out the WAN port.
Now the connection which was new is now considered accepted/established and the rest of the packets ARE NOT put through the rest of the firewall rules as they hit the first rule (accepted/established) and then go directly out the WAN port. Hence why this rule is first, as it is the most efficient way to process traffic through the firewall rules.

4. If you want to better understand packet flow etc.......
https://help.mikrotik.com/docs/display/ ... n+RouterOS
 
verbylab
newbie
Posts: 35
Joined: Sat Jun 26, 2021 4:30 pm

Re: Can't access device on management VLAN remotely via Wireguard

Sat Jan 06, 2024 9:15 pm

1) Incoming UDP connections for Wireguard
Good callout, thanks! Essentially the port only needs to be open if we want other peers to establish the connection. The port can also stay closed and we can still proactively establish the tunnel from the router.

2) Order of firewall rules
I understand where you are coming from, but I think there's more nuance to it. The prerouting chain applies to all packets arriving on the network interface, so the order of rules here does impact how much processing needs to be done for each packet.

However, after a routing decision has been made, we are either processing the input, forward, or output chain, and not all at the chains at same time. So if you have a list of unsorted rules, it doesn't mean that all of them will be processed regardless of the routing decision.

After studying the documentation, I don't think you'd get a big performance gain (if any at all), if you'd group together all input, forward, and output rules. If that was the case, you'd always have the make the trade-off which ones to put first, i.e. whether you want ingress or egress traffic to be processed faster.

I think a more helpful heuristic is to consider the order of rules after they have been filtered for the respective chain.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Can't access device on management VLAN remotely via Wireguard

Sat Jan 06, 2024 9:47 pm

Trust me, when attempting to diagnose errors on my own config and a million other people's configs, it's much easier to spot firewall errors when chains are grouped together.
Of course, it doesn't matter which chain is in which order, but it does matter within a chain what the order is. Ordering the chains themselves is to make it easy to read, spot errors or to know where to add new rules etc...........

The idea of firewall rules is to apply the necessary defaults, add the user traffic required and then drop all else (layer 3).
Within the user rules, it makes sense to have the rules with the most traffic executed first and the ones tripped over the least as the last rule(s) before the final drop all rule (for efficiency).
Even within the good default rules, established,related is first as that covers the majority of traffic.

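The two posts above disagree on whether the ordering of rules matters for performance. The following is an added example, not code from this thread or from RouterOS: a toy first-match firewall evaluator with a minimal connection tracker. It models only what the posts describe: the routing decision has already placed each packet in the input or forward chain, rules are compared top to bottom within that chain only, and once a connection has been accepted its later packets match an established rule. The rule sets, interface names and the sample traffic (a ten-packet LAN-to-WAN session, one WireGuard handshake on udp/51820, one unsolicited SSH probe from WAN) are constructed for the example; the "invalid" state is never produced by the toy tracker and is kept only so the rule order mirrors the posts.

```python
"""Toy first-match firewall: shows that interleaving input and forward rules
changes nothing, while moving the established/related rule within a chain does.
Constructed example; not RouterOS code."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    chain: str            # "input" or "forward", fixed by routing before filtering
    src: str
    dst: str
    proto: str
    dport: int
    in_iface: str
    out_iface: str = ""   # only meaningful in the forward chain


@dataclass
class Rule:
    chain: str
    action: str                       # "accept" or "drop"
    comment: str
    conn_state: Optional[str] = None  # "established", "invalid" or None (any)
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet, state: str) -> bool:
        if self.conn_state is not None and self.conn_state != state:
            return False
        checks = ((self.in_iface, pkt.in_iface), (self.out_iface, pkt.out_iface),
                  (self.proto, pkt.proto), (self.dport, pkt.dport))
        return all(want is None or want == have for want, have in checks)


class Firewall:
    """One ordered rule list per chain; connection tracking keyed by a 4-tuple."""

    def __init__(self, rules):
        self.chains = {}
        for r in rules:                       # relative order within a chain is kept
            self.chains.setdefault(r.chain, []).append(r)
        self.conntrack = set()
        self.evaluations = 0                  # rule comparisons performed in total
        self.hits = {}                        # rule comment -> packets it decided

    def process(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.dst, pkt.dport)
        state = "established" if key in self.conntrack else "new"
        for rule in self.chains.get(pkt.chain, []):   # other chains never run
            self.evaluations += 1
            if rule.matches(pkt, state):
                self.hits[rule.comment] = self.hits.get(rule.comment, 0) + 1
                if rule.action == "accept":
                    self.conntrack.add(key)
                return rule.action
        return "accept"                       # default policy when nothing matches


def run(rules, packets):
    """Return (decisions, total rule evaluations, per-rule hit counts)."""
    fw = Firewall(rules)
    decisions = [fw.process(p) for p in packets]
    return decisions, fw.evaluations, fw.hits


def input_rules():
    return [Rule("input", "accept", "input established/related", conn_state="established"),
            Rule("input", "drop", "input drop invalid", conn_state="invalid"),
            Rule("input", "accept", "allow WireGuard", proto="udp", dport=51820),
            Rule("input", "accept", "allow LAN to router", in_iface="LAN"),
            Rule("input", "drop", "input drop all else")]


def forward_rules():
    return [Rule("forward", "accept", "forward established/related", conn_state="established"),
            Rule("forward", "drop", "forward drop invalid", conn_state="invalid"),
            Rule("forward", "accept", "allow LAN to WAN", in_iface="LAN", out_iface="WAN"),
            Rule("forward", "drop", "forward drop all else")]


def interleave(a, b):
    out = []
    for i in range(max(len(a), len(b))):
        out += [x for x in (a[i:i + 1] + b[i:i + 1])]
    return out


GROUPED = input_rules() + forward_rules()            # chains grouped, as anav recommends
INTERLEAVED = interleave(input_rules(), forward_rules())   # "disorganized" but same per-chain order
_f = forward_rules()
ESTABLISHED_LAST = input_rules() + [_f[1], _f[2], _f[0], _f[3]]  # established moved down


def sample_traffic():
    """Constructed traffic: 10-packet LAN->WAN session, WG handshake, WAN SSH probe."""
    session = [Packet("forward", "192.168.20.5", "93.184.216.34", "tcp", 443, "LAN", "WAN")
               for _ in range(10)]
    wg = Packet("input", "203.0.113.7", "198.51.100.2", "udp", 51820, "WAN")
    ssh = Packet("input", "203.0.113.9", "198.51.100.2", "tcp", 22, "WAN")
    return session + [wg, ssh]


if __name__ == "__main__":
    for name, rules in (("grouped", GROUPED), ("interleaved", INTERLEAVED),
                        ("established last", ESTABLISHED_LAST)):
        decisions, evals, hits = run(rules, sample_traffic())
        print(f"{name:17s} evaluations={evals:3d} drops={decisions.count('drop')} hits={hits}")
```

With the grouped and the interleaved rule sets every packet is decided by the same rule after the same number of comparisons, because a packet is only ever compared against the rules of its own chain. Moving the established/related rule below the LAN-to-WAN rule still accepts the session, but every later packet of it now walks past the drop-invalid rule and is decided by the user rule instead of the first rule, which is the within-chain cost the posts are describing.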