jaclaz
Forum Guru
Topic Author
Posts: 2066
Joined: Tue Oct 03, 2023 4:21 pm

Two LANs configuration, wireguard?

Sat Dec 28, 2024 6:01 pm

I am working (in GNS3) on a possible setup.
The "main" LAN is 192.168.0.0/24.
The "child" LAN is 10.0.1.0/24.
Internet connection is through a router/modem at 192.168.0.1 (gateway).
The "main" LAN should only connect to the internet, exception made for a single PC (PC1-Linux) with a static IP of 192.168.0.100 that needs to communicate with a device in the "child" network (represented by PC3) with a fixed IP address of 10.0.1.2.
PC1-Linux has an added route to 10.0.1.2 with gateway 192.168.0.20 (the simulated Ax Lite).
Likewise, the "child" LAN should only connect to the internet (and not to devices on the "main" LAN), with the single exception above (10.0.1.2 can connect to 192.168.0.100).
The MikrotikWinbox-1 represents a laptop that I can connect to ether4 of the Ax Lite to manage its configuration.
I am attaching a drawing and here is the current configuration of the Ax Lite:
 
# 2024-12-28 14:41:01 by RouterOS 7.15.3
# software id =
#
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
/interface list
add name=WAN
add name=LAN
add name=MGMT
/ip pool
add name=dhcp_pool0 ranges=10.0.1.21-10.0.1.253
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=ether4 list=MGMT
/ip address
add address=192.168.0.20/24 interface=ether1 network=192.168.0.0
add address=10.0.1.254/24 interface=bridge1 network=10.0.1.0
add address=192.168.88.1/24 interface=ether4 network=192.168.88.0
/ip dhcp-server network
add address=10.0.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.1.254
/ip firewall address-list
add address=192.168.0.0/16 list=bogons
add address=10.0.0.0/8 list=bogons
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Accept single outer LAN IP" \
    dst-address=10.0.1.2 in-interface=ether1 out-interface=bridge1 \
    src-address=192.168.0.100
add action=accept chain=forward comment="Accept single inner LAN IP" \
    dst-address=192.168.0.100 in-interface=bridge1 out-interface=ether1 \
    src-address=10.0.1.2
add action=drop chain=forward comment="Drop bogons" dst-address-list=bogons \
    out-interface=ether1
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-table=main \
    suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

It would be appreciated if some of the more expert members could do a check on the configuration (I may well have opened too large a hole in the firewall or made some other newbie mistake).

But here are the BIG questions; while working on the configuration I thought:
Can I avoid the need to physically connect the laptop to ether4 when I need to make changes to the Ax Lite configuration?
Can I use WireGuard with one end on "PC1-Linux" (which could also be running Windows) and the other one on the Ax Lite?
All the examples I have seen around are about making a VPN tunnel between two remote locations through the public IP addresses (possibly of two MikroTik boxes), but from the little I understand it should also be possible to make a "local" WireGuard tunnel.
Or is there some other method/way to access (safely) the Ax Lite from its WAN port (ether1) for configuration (possibly via Winbox) and only from 192.168.0.100?
I know I could add ether1 to the MGMT interface list and limit Winbox to accept connections from 192.168.0.100 and 192.168.88.2 ("Available from"), but is that a good way?
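As an added example that is not part of the original post, here is one way to answer the "local WireGuard tunnel" question against the configuration above: a WireGuard interface on the Ax Lite, reached through ether1, with the input chain letting only PC1 (192.168.0.100) reach the UDP port and Winbox accepted only over the tunnel. The tunnel subnet 10.255.255.0/30 (router .1, PC1 .2), the UDP port 13231 and the placeholder keys are assumptions; generate real keys (RouterOS creates its own key pair if you omit private-key, and on PC1 `wg genkey | tee pc1.key | wg pubkey` does the same).

```routeros
# Added example, not from the original post: WireGuard management tunnel
# terminated on the Ax Lite so the laptop on ether4 is not needed for
# day-to-day changes. Assumed: 10.255.255.0/30, UDP 13231, placeholder keys.

/interface wireguard
add name=wg-mgmt listen-port=13231 comment="management tunnel to PC1"
# "print" shows the router's generated public-key; paste it into the PC1 side.
/interface wireguard print

/interface wireguard peers
add interface=wg-mgmt public-key="<PC1_PUBLIC_KEY>" \
    allowed-address=10.255.255.2/32 comment="PC1-Linux 192.168.0.100"

/ip address
add address=10.255.255.1/30 interface=wg-mgmt network=10.255.255.0

# Treat the tunnel like ether4: a management interface.
/interface list member
add interface=wg-mgmt list=MGMT

# Input rules. Only PC1's address may even reach the UDP port on ether1,
# and Winbox (TCP 8291) is accepted only from the tunnel peer. Both rules
# are moved above "defconf: drop all not coming from LAN" from the posted
# config, otherwise that drop rule hits first.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=13231 \
    in-interface=ether1 src-address=192.168.0.100 \
    comment="WireGuard handshake from PC1 only"
add chain=input action=accept protocol=tcp dst-port=8291 \
    in-interface=wg-mgmt src-address=10.255.255.2 \
    comment="Winbox over the management tunnel"
move [find comment="WireGuard handshake from PC1 only"] \
    destination=[find comment="defconf: drop all not coming from LAN"]
move [find comment="Winbox over the management tunnel"] \
    destination=[find comment="defconf: drop all not coming from LAN"]

# Belt and braces: the Winbox service itself listens only to the tunnel
# peer and the ether4 laptop, so a slip in the filter rules does not expose
# it to the whole 192.168.0.0/24.
/ip service
set winbox address=10.255.255.2/32,192.168.88.2/32
```

On PC1 the matching wg0.conf has an `[Interface]` section with `Address = 10.255.255.2/30` and PC1's private key, and a `[Peer]` section with the router's public key, `Endpoint = 192.168.0.20:13231` and `AllowedIPs = 10.255.255.1/32`; after `wg-quick up wg0`, Winbox connects to 10.255.255.1. PC1 always initiates, so the router side needs no endpoint. The point of this over plain "Available from" on ether1 is that a source-address filter alone is only as strong as the promise that nobody else on the 192.168.0.0/24 switch ever uses 192.168.0.100, whereas the tunnel admits only the holder of PC1's private key; the src-address match on the UDP rule is kept purely to cut noise. Note that 10.255.255.0/30 falls inside the 10.0.0.0/8 "bogons" entry, but that list is only consulted in the forward chain toward ether1, so it does not affect the tunnel.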
 
anav
Forum Guru
Posts: 22086
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Two LANs configuration, wireguard?

Sat Dec 28, 2024 7:28 pm

Does the Mikrotik get a public IP??
Are both switches, managed (smart devices)? If so what brand?
Why do you have the AX lite acting as router instead of an AP/Switch ???
 
jaclaz
Forum Guru
Topic Author
Posts: 2066
Joined: Tue Oct 03, 2023 4:21 pm

Re: Two LANs configuration, wireguard?

Sat Dec 28, 2024 7:50 pm

a. No, all the addresses at play are in the 192.168.0.0/24 and 10.0.1.0/24 ranges.
b. No, they are dumb switches.
c. How would the Ax Lite as a switch keep those separated? Possibly, if the switches were managed ones, one could somehow use VLANs, but the only configurable device is the MikroTik Ax Lite, and before you ask why I chose this particular model, there are several reasons:
1) I am cheap.
2) I already have an unused/spare Ax Lite at hand.
3) The devices on the LAN are largely 100 Mb, and anyway the (DSL) connection to the internet is 30 Mb or so.

The idea is to have two completely separated LANs (except for the common gateway and for the single device reachable on each LAN from the other).

In another (better/easier) setup I would have a separate router/modem gateway for the 10.0.1.2 LAN, but at the moment I have only one, and the two LANs have to use the same 192.168.0.1 gateway to the internet.

Physically the router/modem and switch1 of the 192.168.0.0 LAN are in a room from which the cables run to PC1, PC2, etc., while the Ax Lite and switch2 are in another room from which the other cables run to PC3, the WiFi server and the other devices in the 10.0.1.0 LAN.
 
anav
Forum Guru
Posts: 22086
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Two LANs configuration, wireguard?

Sat Dec 28, 2024 9:11 pm

What I would do is use VLANs from the get-go on the first MT.
Trunk port to the Ax Lite (acting as an AP/switch).

Ax Lite
ether1 - trunk from MT router
ether2 - access port to dumb switch one, which feeds PC1-Linux and PC2
ether3 - access port to dumb switch two, which feeds the WiFi server and PC3
Off-bridge port on ether4 for access and config, 192.168.88.1/30 address

Main MT has two or three VLANs:
one is management (trusted subnet the Ax gets its IP address from)
one is the local MT subnet (192.168.0.0/24); this could also do double duty as the trusted subnet
one is a local MT subnet sent to the Ax (10.0.1.0/24) to disseminate
 
jaclaz
Forum Guru
Topic Author
Posts: 2066
Joined: Tue Oct 03, 2023 4:21 pm

Re: Two LANs configuration, wireguard?

Sun Dec 29, 2024 1:15 am

There is only one MikroTik device, the Ax Lite; there is no "main MT". The device in the drawing marked Temp-Mikrotik is only a way to have a switchable on/off device with the "right" 192.168.0.1 address, as the "Cloud" device in GNS3 is always on (and has an IP address coming from the host).
Most if not all of the devices connected to both LANs are not compatible with VLANs anyway, so I would probably need a few other VLAN-capable switches.
So while VLANs would probably be a more proper solution in theory, it is not doable in practice.
 
anav
Forum Guru
Posts: 22086
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Two LANs configuration, wireguard?

Sun Dec 29, 2024 4:00 am

Well when you have a real network, I may be of assistance. Not going to chase fake GNS3 musings.
 
jaclaz
Forum Guru
Topic Author
Posts: 2066
Joined: Tue Oct 03, 2023 4:21 pm

Re: Two LANs configuration, wireguard?

Sun Dec 29, 2024 11:56 am

anav wrote: "Well when you have a real network, I may be of assistance. Not going to chase fake GNS3 musings."
There is no particular GNS3 musing, and certainly there is nothing fake.

There is no need, if you cannot or don't want to provide assistance, to accuse me of faking anything.

The GNS3 setup is only a representation (on which I can work from home, on my laptop, in my spare time and without the risk of interruptions/misconfigurations) of the real network, which has actually been running just fine for a couple of weeks (minus the connection between 10.0.1.2 and 192.168.0.100).

On real hardware I can physically switch the router/modem off and on; in GNS3 this is not possible because Cloud is always on (like switches), so I have to use the Temp-Mikrotik as a workaround. Besides, in my GNS3 setup on the laptop the cloud gets an IP address of 192.168.1.131, while through the workaround I can use for it the address used in the real network, 192.168.0.1.
Very likely a simple setup like this would have taken you or one of the other experts a couple of hours to set up at the most; it took me several days on and off, probably something like ten or twelve hours, and having it replicated in a GNS3 setting is what allowed me to work on it without pressure.

I know perfectly well that the topology may not be the best one, but there are physical constraints like the physical placement of devices, ethernet cables going through walls and conduits, capabilities of the various devices (some of them are not under my control, a few of them are "black boxes" with hardcoded IPs, etc.); essentially it is what it is.

Thanks for reminding me of setting the ether4 MGMT to a /30.
