enricosm60
just joined
Topic Author
Posts: 23
Joined: Tue Nov 14, 2023 11:22 pm
Location: Panama

configure two wireguard tunnels

Sat Apr 13, 2024 4:15 am

Hello,
I'm trying to set up two WireGuard tunnels on my MK router: one for administration with access to all the LAN machines connected to the router, and another tunnel for general users only to access a server on the LAN called DS02 with IP 192.168.88.2, connected to the router's ether3. Also, both WG tunnels should only access the local network and not use the WG VPN to surf the internet.
The router does have a public static IP to access the internet, and I have successfully set up the first tunnel (administration) so I can access all the machines, but not the second tunnel to access only the server DS02.
Can anyone please help me set up the second tunnel as well?
This is the diagram of how I want to set up
two wireguaed interfaces.jpeg
This is my router configuration:
MK_casa55config240412A.rsc
I would much appreciate anyone helping me solve this; I'm a beginner still learning RouterOS.

Enrico
 
anav
Forum Guru
Posts: 22264
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: configure two wireguard tunnels

Sat Apr 13, 2024 5:06 am

Good news, you only need one WireGuard interface to accomplish all your tasks.
The key is in the firewall rules for what you allow or do not allow. You can put all admin users in one firewall address list and all the general users in another firewall address list.
Another option is to use two different addresses for the same interface, all legal.
Setting ether3 as an interface list item is not useful, as ether3 belongs to the bridge......... but it's not needed, so no loss by removing it.

By NOT adding the WireGuard interface to the LAN interface list, you can avoid the internet access quite successfully.
However, the right way to do this is directly on the remote users' setup. On the remote users' setup they need something like

Admin users:
allowedIPs=192.168.100.0/24,192.168.88.0/24 endpoint-address=............. endpoint-port=13231 interface=WG_ALL
public-key="mdmdmdmdm" persistent-keep-alive=40s

General users:
allowedIPs=192.168.101.0/24,192.168.88.2/32 endpoint-address=............. endpoint-port=13231 interface=WG_ALL
public-key="mdmdmdmdm" persistent-keep-alive=35s

( Just in case they change their settings, we still ensure they cannot access WAN by not adding them to the LAN )

Make sure you don't use the real keys in any configs you put on the forum........
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

So, will keep to one interface but use a separate IP address to keep the users distinct for firewall rules.
Removed all the port forwarding rules,,,,,,,,, not required. If users access the router via WireGuard, they only need firewall access.
So disabled the port forwarding rule.
Cleaned up and simplified the firewall rules, they were a mess.

Major changes shown...........
/interface wireguard
add listen-port=13231 mtu=1420 name=WG_ALL
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add comment=defconf interface=local list=LAN
add comment=defconf interface="ether1[WAN]" list=WAN
/interface wireguard peers
add allowed-address=192.168.100.3/32 comment="Administracion - Dynabook ESM" \
interface=WG_ALL public-key="Y="
add allowed-address=192.168.100.4/32 comment="Administracion - iPad Pro 11 ESM" \
interface=WG_ALL public-key="1FDtjRED4="
add allowed-address=192.168.100.5/32 comment="Administracion - Macbook Pro ESM" \
interface=WG_ALL public-key="+K1jTw="
add allowed-address=192.168.100.6/32 comment="Administracion - iPhone ESM" \
interface=WG_ALL public-key="CWQ="
add allowed-address=192.168.101.2/32 comment="General user 1" \
interface=WG_ALL public-key="CWQnGupqf6rQQ="
add allowed-address=192.168.101.3/32 comment="MacBookESM" \
interface=WG_ALL public-key="CWQnGupq="

/ip address
add address=192.168.88.1/24 comment=defconf interface=local network=\
192.168.88.0
add address=192.168.100.1/24 comment="Wireguard full lan access" interface=\
WG_ALL network=192.168.100.0
add address=192.168.101.1/24 comment="Wireguard Users Group" interface=\
WG_ALL network=192.168.101.0
add address=190.999.999.999/30 comment="WAN static IP" interface="ether1[WAN]" \
network=190.141.32.176
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="Drop all else"
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" disabled=yes \
connection-nat-state=dstnat
add action=accept chain=forward comment=\
"WG Administracion - trusted users to ALL connections" in-interface=\
WG_ALL src-address=192.168.100.0/24 out-interface-list=LAN

add action=accept chain=forward comment="WG-users1 - general users group1" \
in-interface=WG_ALL src-address=192.168.101.0/24 dst-address=192.168.88.2
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
Last edited by anav on Sun Apr 14, 2024 3:10 pm, edited 1 time in total.
 
anav

Re: configure two wireguard tunnels

Sat Apr 13, 2024 5:15 am

What I didn't understand is your IP routes...... ??? What is the purpose of this config??? Specifically the routes in orange?? Don't think they are needed. Okay, I see that they are disabled.
Should remove clutter from a config, far less confusing.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=190.999.999.999 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=190.999.999.999 \
pref-src="" routing-table=*400 scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=190.219.92.1 \
pref-src="" routing-table=*401 scope=30 suppress-hw-offload=no \
target-scope=10
 
enricosm60

Re: configure two wireguard tunnels

Sun Apr 14, 2024 4:42 am

Hello ANAV,
Your config worked well and I'm cleaning up all the unnecessary router rules.
Still processing all the new info you put in the post, and amazed at how powerful the MikroTik OS is.
Many thanks for your excellent support.
This post can be labeled as SOLVED.

Enrico
 
anav

Re: configure two wireguard tunnels

Sun Apr 14, 2024 3:14 pm

Glad you got it working!!
Last point, if you decide to add more servers, then change the rules accordingly.

/ip firewall address-list
add address=192.168.88.2/32 list=SERVERS comment="server A"
add address=192.168.88.XX/32 list=SERVERS comment="server B"


add action=accept chain=forward comment="WG - general users group1" \
in-interface=WG_ALL src-address=192.168.101.0/24 dst-address-list=SERVERS
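A first-match simulator for the forward chain anav posted earlier in the thread, including the dst-address-list=SERVERS variant from this post, added here as an example that is not part of the thread. The rules are reduced to the matchers that decide the admin/general split, and the packets and the SERVERS list contents are constructed; the second server from the post (192.168.88.XX) is left out because the page gives no address for it.

```python
# Added example (not from the forum thread): a minimal first-match simulator for the
# RouterOS forward chain discussed above. It checks which WG_ALL sources reach which
# destinations under the posted rules. Interface-list and address-list names follow
# the thread; the SERVERS contents and all packets below are constructed.
import ipaddress

INTERFACE_LISTS = {"LAN": {"local"}, "WAN": {"ether1[WAN]"}}
ADDRESS_LISTS = {"SERVERS": ["192.168.88.2/32"]}  # DS02 only; second server has no address on the page


def in_net(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


# Forward chain as posted (fasttrack/established/invalid rules reduced to one state check).
FORWARD = [
    dict(action="accept", connection_state={"established", "related", "untracked"}),
    dict(action="drop", connection_state={"invalid"}),
    dict(action="accept", in_interface_list="LAN", out_interface_list="WAN"),
    dict(action="accept", in_interface="WG_ALL", src_address="192.168.100.0/24",
         out_interface_list="LAN"),
    dict(action="accept", in_interface="WG_ALL", src_address="192.168.101.0/24",
         dst_address_list="SERVERS"),
    dict(action="drop"),  # "drop all else"
]


def rule_matches(rule, pkt):
    """Every matcher present on the rule must match; a rule with only an action matches all."""
    checks = {
        "connection_state": lambda v: pkt["state"] in v,
        "in_interface": lambda v: pkt["in"] == v,
        "in_interface_list": lambda v: pkt["in"] in INTERFACE_LISTS[v],
        "out_interface_list": lambda v: pkt["out"] in INTERFACE_LISTS[v],
        "src_address": lambda v: in_net(pkt["src"], v),
        "dst_address": lambda v: in_net(pkt["dst"], v),
        "dst_address_list": lambda v: any(in_net(pkt["dst"], c) for c in ADDRESS_LISTS[v]),
    }
    return all(checks[k](v) for k, v in rule.items() if k != "action")


def verdict(pkt):
    """First matching rule decides, as in RouterOS; the chain ends with an unconditional drop."""
    for rule in FORWARD:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "accept"  # not reached with the chain above, kept for completeness


def new_packet(in_iface, out_iface, src, dst):
    """A new (not yet tracked) connection entering on in_iface and routed out on out_iface."""
    return {"in": in_iface, "out": out_iface, "src": src, "dst": dst, "state": "new"}


if __name__ == "__main__":
    cases = {
        "admin -> any LAN host": new_packet("WG_ALL", "local", "192.168.100.3", "192.168.88.50"),
        "general -> DS02": new_packet("WG_ALL", "local", "192.168.101.2", "192.168.88.2"),
        "general -> other LAN host": new_packet("WG_ALL", "local", "192.168.101.2", "192.168.88.50"),
        "general -> internet": new_packet("WG_ALL", "ether1[WAN]", "192.168.101.2", "1.1.1.1"),
        "admin -> internet": new_packet("WG_ALL", "ether1[WAN]", "192.168.100.3", "1.1.1.1"),
    }
    for name, pkt in cases.items():
        print(f"{name:28s} {verdict(pkt)}")
```

Because WG_ALL is not a member of the LAN list, the "allow internet traffic" rule never matches tunnel sources, which is why both groups end at the final drop for WAN-bound packets.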
 
enricosm60

Re: configure two wireguard tunnels

Sat Oct 05, 2024 3:47 am

Hello,

I set up the config suggested in your previous post and it has been working fine. Nonetheless, the WireGuard users with LAN access only to the server 192.168.88.2 cannot surf the web when WireGuard is up, and I need to allow them web surfing.

The firewall rule for these users is line -90- in the attached router config. Would you please give me an idea of how I can modify this to allow them to access only the server IP locally and also surf the web?

Thanks in advance,
Enrico

This is my router config:

1 # 2024-10-04 18:08:16 by RouterOS 7.16
2 # software id = UE3C-1FI0
3 #
4 # model = RB760iGS
5 # serial number =
6 /interface bridge
7 add admin-mac=00:00:00:00:00:00 auto-mac=no comment=defconf name=local \
port-cost-mode=short
8 /interface ethernet
9 set [ find default-name=ether1 ] name="ether1[WAN]"
10 set [ find default-name=sfp1 ] disabled=yes
11 /interface wireguard
12 add listen-port=35001 mtu=1420 name=WG_ALL
13 /interface list
14 add comment=defconf name=WAN
15 add comment=defconf name=LAN
16 /ip pool
17 add name=dhcp ranges=192.168.88.2-192.168.88.254
18 /ip dhcp-server
19 add address-pool=dhcp interface=local lease-time=10m name=defconf
20 /ip smb users
21 set [ find default=yes ] disabled=yes
22 /port
23 set 0 name=serial0
24 /interface bridge port
25 add bridge=local comment=defconf interface=ether2 internal-path-cost=10 \
path-cost=10
26 add bridge=local comment=defconf interface=ether3 internal-path-cost=10 \
path-cost=10
27 add bridge=local comment=defconf interface=ether4 internal-path-cost=10 \
path-cost=10
28 add bridge=local comment=defconf interface=ether5 internal-path-cost=10 \
path-cost=10
29 add bridge=local comment=defconf interface=sfp1 internal-path-cost=10 \
path-cost=10
30 /ip firewall connection tracking
31 set udp-timeout=10s
32 /ip neighbor discovery-settings
33 set discover-interface-list=all
34 /ipv6 settings
35 set disable-ipv6=yes forward=no
36 /interface list member
37 add comment=defconf interface=local list=LAN
38 add comment=defconf interface="ether1[WAN]" list=WAN
39 /interface wireguard peers
40 add allowed-address=192.168.100.3/32 client-dns=192.168.88.1 interface=WG_ALL \
name="Adm - Dynabook X30L-K ESM" public-key=\
41 add allowed-address=192.168.100.5/32 interface=WG_ALL name=\
"Adm - MacBook Air M1 ESM" preshared-key=\
"" private-key="" public-key=""
42 add allowed-address=192.168.100.4/32 interface=WG_ALL name=\
"Adm - iPad Pro 12.9 ESM" preshared-key="" private-key="" public-key=""
43 add allowed-address=192.168.100.6/32 interface=WG_ALL name=\
"Adm - iPhone15ProMax ESM" public-key=""
44 add allowed-address=192.168.100.7/32 interface=WG_ALL name=\
"Adm - iPadPro 11 Jenny" public-key=""
45 add allowed-address=192.168.101.3/32 interface=WG_ALL name=\
"G24A1U01A - MacBook Air M1 ESM" private-key="" public-key=""
46 add allowed-address=192.168.101.4/32 interface=WG_ALL name=\
"G24A1U02A - MacBook Air M1 ESM" private-key="" public-key=""
47 add allowed-address=192.168.102.2/32 client-address=::/0 interface=WG_ALL \
name=G24B1U01A private-key="" public-key=""
48 /ip address
49 add address=192.168.88.1/24 comment=defconf interface=local network=\
192.168.88.0
50 add address=192.168.100.1/24 comment="Wireguard full lan access" interface=\
WG_ALL network=192.168.100.0
51 add address=190.141.32.176/30 comment="WAN static IP" interface="ether1[WAN]" \
network=190.141.32.176
52 add address=192.168.101.1/24 comment="Wireguard G24A1" interface=WG_ALL \
network=192.168.101.0
53 add address=192.168.102.1/24 comment="Wireguard G24A02" interface=WG_ALL \
network=192.168.102.0
54 /ip arp
55 add address=192.168.88.253 interface=local mac-address=00:00:00:00:00:00
56 add address=192.168.88.2 interface=local mac-address=00:00:00:00:00:00
57 /ip cloud
58 set ddns-update-interval=15m
59 /ip dhcp-server lease
60 add address=192.168.0.0 client-id=1:00:00:00:00:00:00 mac-address=\
00:00:00:00:00:00 server=defconf
61 add address=dhcp comment="DS1517+ SUNSET55N1" mac-address=00:00:00:00:00:00 \
server=defconf use-src-mac=yes
62 /ip dhcp-server network
63 add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
64 /ip dns
65 set allow-remote-requests=yes use-doh-server=\
https://cloudflare-dns.com/dns-query verify-doh-cert=yes
66 /ip dns static
67 add address=104.16.248.249 name=cloudflare-dns.com type=A
68 add address=104.16.249.249 name=cloudflare-dns.com type=A
69 add address=192.168.88.1 name=router.local type=A
70 add address=192.168.88.2 comment="ofidatalab host" disabled=yes name=\
ofidatalab type=A
71 add address=192.168.88.2 comment="ofidatalab FS23A01" name=fs23a01 type=A
72 add address=192.168.88.2 comment="ofidatalab NC24A01" name=nc24a01 type=A
73 add address=192.168.88.2 comment="ofidatalab FS24A01" name=fs24a01 type=A
74 add address=192.168.88.2 comment="ofidatalab NC24A02" name=nc24a02 type=A
75 add address=192.168.88.2 name=hm23a01 type=A
76 add address=192.168.88.2 name=fs24a02 type=A
77 add address=192.168.88.253 name=DYNABK-ESM type=A
78 /ip firewall filter
79 add action=drop chain=input comment="Block Port Scanners" src-address-list=\
PORT-SCANNERS
80 add action=fasttrack-connection chain=forward comment=\
"OK defconf: fasttrack (MK Forum 2023-04-12 ANAV)" connection-state=\
established,related hw-offload=yes
81 add action=accept chain=forward comment="OK defconf: accept established,relate\
d, untracked (MK Forum 2023-04-12 ANAV)" connection-state=\
established,related,untracked
82 add action=drop chain=forward comment=\
"OK defconf: drop invalid (MK Forum 2023-04-12 ANAV)" connection-state=\
invalid
83 add action=accept chain=forward comment=\
"OK allow internet traffic (MK Forum 2023-04-12 ANAV)" \
in-interface-list=LAN out-interface-list=WAN
84 add action=accept chain=forward dst-address=192.168.88.2 dst-port=80 \
in-interface="ether1[WAN]" protocol=tcp
85 add action=accept chain=forward dst-address=192.168.88.2 dst-port=443 \
in-interface="ether1[WAN]" protocol=tcp
86 add action=accept chain=forward disabled=yes dst-address=192.168.88.2 \
dst-port=9083 in-interface="ether1[WAN]" protocol=tcp
87 add action=accept chain=forward dst-address=192.168.88.2 dst-port=6690 \
in-interface="ether1[WAN]" protocol=tcp
88 add action=accept chain=forward comment=\
"OK WG Administracion (MK Forum 2023-04-12 ANAV)" in-interface=WG_ALL \
out-interface-list=LAN src-address=192.168.100.0/24
89 add action=accept chain=forward comment=\
"OK WG-Users G24A1 (MK Forum 2023-04-12 ANAV)" in-interface=WG_ALL \
out-interface-list=LAN src-address=192.168.101.0/24
90 add action=accept chain=forward comment=\
"WG-Users G24A2 (MK Forum 2024-04-12 ANAV)" dst-address=192.168.88.2 \
in-interface=WG_ALL src-address=192.168.102.0/24
91 add action=drop chain=forward comment="drop all else"
92 add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
93 add action=accept chain=input comment="defconf: accept ICMP" in-interface=\
"ether1[WAN]" packet-mark="" protocol=icmp
94 add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
95 add action=accept chain=forward comment="defconf: accept in ipsec policy" \
connection-state=established,related ipsec-policy=in,ipsec
96 add action=add-src-to-address-list address-list=PORT-SCANNERS \
address-list-timeout=1d chain=input comment="Port Scanner Detector" log=\
yes protocol=tcp psd=21,3s,3,1
97 add action=drop chain=input dst-port=53 in-interface="ether1[WAN]" protocol=\
tcp
98 add action=drop chain=input dst-port=53 in-interface="ether1[WAN]" protocol=\
udp
99 add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
100 add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
101 /ip firewall nat
102 add action=masquerade chain=srcnat comment=\
"defconf: masquerade (MK Forum 2023-04-12 ANAV))" ipsec-policy=out,none \
out-interface-list=WAN
103 add action=dst-nat chain=dstnat dst-port=80 in-interface="ether1[WAN]" \
protocol=tcp to-addresses=192.168.88.2 to-ports=80
104 add action=dst-nat chain=dstnat dst-port=443 in-interface="ether1[WAN]" \
protocol=tcp to-addresses=192.168.88.2 to-ports=443
105 add action=dst-nat chain=dstnat disabled=yes dst-port=9082 in-interface=\
"ether1[WAN]" protocol=tcp to-addresses=192.168.88.2 to-ports=9083
106 add action=dst-nat chain=dstnat dst-port=6690 in-interface="ether1[WAN]" \
protocol=tcp to-addresses=192.168.88.2 to-ports=6690
107 /ip hotspot profile
108 set [ find default=yes ] html-directory=hotspot
109 /ip ipsec profile
110 set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
111 /ip route
112 add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=190.141.32.177 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
113 /ip service
114 set telnet disabled=yes
115 set ftp disabled=yes
116 set www address= port=
117 set ssh address= port=
118 set api disabled=yes
119 set winbox address=
120 set api-ssl disabled=yes
121 /ip smb shares
122 set [ find default=yes ] directory=/flash/pub
123 /ip ssh
124 set strong-crypto=yes
125 /ipv6 firewall address-list
126 add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
127 add address=::1/128 comment="defconf: lo" list=bad_ipv6
128 add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
129 add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
129 add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
130 add address=100::/64 comment="defconf: discard only " list=bad_ipv6
131 add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
132 add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
133 add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
134 /ipv6 firewall filter
135 add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
136 add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
137 add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
138 add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
139 add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
140 add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
141 add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
142 add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
143 add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
144 add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
145 add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
146 add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
147 add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
148 add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
149 add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
150 add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
151 add action=accept chain=forward comment="defconf: accept HIP" protocol=139
152 add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
153 add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
154 add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
155 add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
156 add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
157 /system clock
set time-zone-name=America/Panama
158 /system identity
159 set name="MK hEX S Casa 55"
160 /system note
161 set note=none@hotmail.com
162 /system ntp client
163 set enabled=yes
164 /system ntp server
165 set enabled=yes manycast=yes multicast=yes
166 /system ntp client servers
167 add address=pool.ntp.org
168 /tool mac-server
169 set allowed-interface-list=LAN
170 /tool mac-server mac-winbox
171 set allowed-interface-list=LAN