
WireGuard server on Windows with a MikroTik router as a client

Posted: Fri Nov 03, 2023 12:46 pm
by vla328
Hello,

This is my first MikroTik configuration setup. I’m not sure I implemented everything right, especially the firewall, so I decided to post my configuration here; maybe someone can suggest improvements before I put it into production.
Network.drawio.png
My setup consists of 4 vlans:
1. 10.0.10.0/24 - vlan10-base
2. 10.0.20.0/24 - vlan20-cloud
3. 10.0.30.0/24 - vlan30-iot
4. 10.0.40.0/24 - vlan40-guests

vlan10-base and vlan20-cloud are used for home computers and smartphones
vlan30-iot - for IOT devices
vlan40-guests - for guests

vlan10-base, vlan30-iot, vlan40-guests should have direct access to the internet
vlan20-cloud should access the internet through the WireGuard tunnel only

Devices from vlan20-cloud should be able to access devices in vlan10-base
Devices from vlan10-base and vlan20-cloud should be able to access local resources of the Windows Server

Winbox access to the router should be limited to a few devices from vlan10-base and vlan20-cloud
The router should block accessing my vlans from the Windows Server
Each vlan should have a corresponding Wi-Fi
Wi-Fi clients of vlan30-iot and vlan40-guests should be isolated
The router security should be tightened up before putting into production

The router configuration:
# 2023-11-03 11:48:21 by RouterOS 7.11.2
# software id = 
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = 
# One bridge carries all four VLANs. vlan-filtering=yes makes the bridge
# port pvids and the /interface bridge vlan table below authoritative;
# protocol-mode=none switches (R)STP off on the bridge.
/interface bridge
add admin-mac=48:A9:... auto-mac=no name=bridge protocol-mode=none \
    vlan-filtering=yes
# ether1 is the PPPoE uplink; ether2-ether5 are one access port per VLAN.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-base
set [ find default-name=ether3 ] name=ether3-cloud
set [ find default-name=ether4 ] name=ether4-iot
set [ find default-name=ether5 ] name=ether5-guests
# Two radios, two SSIDs each: wifi3-cloud and wifi4-guests are virtual APs
# on wifi1-base / wifi2-iot. datapath.client-isolation=yes is set only on
# the IoT and guest SSIDs (the two networks that must be isolated). Every
# SSID runs mixed WPA2-PSK/WPA3-PSK.
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac configuration.mode=ap .ssid=WIFI-BASE disabled=no \
    name=wifi1-base security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac configuration.mode=ap .ssid=WIFI-IOT \
    datapath.client-isolation=yes disabled=no name=wifi2-iot \
    security.authentication-types=wpa2-psk,wpa3-psk
add configuration.mode=ap .ssid=WIFI-CLOUD disabled=no mac-address=\
    4A:A9:... master-interface=wifi1-base name=wifi3-cloud \
    security.authentication-types=wpa2-psk,wpa3-psk
add configuration.mode=ap .ssid=WIFI-GUESTS datapath.client-isolation=yes disabled=\
    no mac-address=4A:A9:... master-interface=wifi2-iot name=\
    wifi4-guests security.authentication-types=wpa2-psk,wpa3-psk
# The PPPoE session installs the default route of the main table.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-wan name=pppoe-out \
    user="pppoe_user_name"
# Tunnel to the Windows Server. No input rule opens this listen-port; that
# should be fine because this side knows the peer's endpoint and sends
# keepalives, so it initiates and the replies match the established rule.
/interface wireguard
add listen-port={router_wireguard_port} mtu=1420 name=wireguard
# L3 interfaces for the VLANs, all on the bridge.
/interface vlan
add interface=bridge name=vlan10-base vlan-id=10
add interface=bridge name=vlan20-cloud vlan-id=20
add interface=bridge name=vlan30-iot vlan-id=30
add interface=bridge name=vlan40-guests vlan-id=40
/interface list
add name=WAN
add name=LAN
/ip pool
add name=pool10-base ranges=10.0.10.2-10.0.10.254
add name=pool20-cloud ranges=10.0.20.2-10.0.20.254
add name=pool30-iot ranges=10.0.30.2-10.0.30.254
add name=pool40-guests ranges=10.0.40.2-10.0.40.254
/ip dhcp-server
add address-pool=pool10-base interface=vlan10-base name=dhcp10-base
add address-pool=pool20-cloud interface=vlan20-cloud name=dhcp20-cloud
add address-pool=pool30-iot interface=vlan30-iot name=dhcp30-iot
add address-pool=pool40-guests interface=vlan40-guests name=dhcp40-guests
# Separate routing table that forces vlan20 into the tunnel (see /ip route
# and /routing rule at the end).
/routing table
add fib name=cloud
# Access ports: each admits only untagged frames and tags them with its
# pvid. ingress-filtering is not set explicitly on any port.
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2-base pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi1-base pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3-cloud pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi3-cloud pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4-iot pvid=30
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi2-iot pvid=30
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5-guests pvid=40
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi4-guests pvid=40
/ip firewall connection tracking
set loose-tcp-tracking=no
# Neighbor discovery (MNDP) is answered on no interface.
/ip neighbor discovery-settings
set discover-interface-list=none
# IPv6 is switched off entirely; the /ipv6 firewall filter below drops it
# as a second layer in case it is re-enabled.
/ipv6 settings
set disable-ipv6=yes
# The bridge itself is a tagged member of every VLAN so the /interface vlan
# interfaces above can carry the router's own addresses; untagged members
# follow from the pvids and are not listed here.
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=10
add bridge=bridge tagged=bridge vlan-ids=20
add bridge=bridge tagged=bridge vlan-ids=30
add bridge=bridge tagged=bridge vlan-ids=40
# WAN holds the PPPoE uplink AND the tunnel, so the masquerade rule and the
# LAN->WAN forward rule apply to tunnel traffic. The tunnel is deliberately
# not in LAN: LAN-only input rules (winbox, DNS) never match packets that
# arrive from the Windows Server.
/interface list member
add interface=pppoe-out list=WAN
add interface=wireguard list=WAN
add interface=vlan10-base list=LAN
add interface=vlan20-cloud list=LAN
add interface=vlan30-iot list=LAN
add interface=vlan40-guests list=LAN
# allowed-address=0.0.0.0/0 is needed to send a default route into the
# tunnel, but it also means the router accepts packets with ANY source
# address from this peer. The firewall, not WireGuard, is what keeps the
# Windows Server out of the VLANs: nothing in the forward chain below
# accepts new WAN->LAN connections except dstnat, and there are no dstnat
# rules in this export.
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=Cloud endpoint-address={windows_server_public_ip} \
    endpoint-port={windows_server_wireguard_port} interface=wireguard persistent-keepalive=25s \
    public-key={public_key}
# NOTE(review): the tunnel address has no prefix length (so it is a /32)
# and is the .0 network address; the server at 10.255.0.1 is therefore
# not on-link and main has no connected route toward it. A host address
# with a /24 (for example 10.255.0.2/24), mirrored by the server's
# AllowedIPs, is the usual layout — confirm against the Windows side.
/ip address
add address=10.255.0.0 interface=wireguard network=10.255.0.0
add address=10.0.10.1/24 interface=vlan10-base network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20-cloud network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30-iot network=10.0.30.0
add address=10.0.40.1/24 interface=vlan40-guests network=10.0.40.0
/ip cloud
set update-time=no
# Static leases for the two admin hosts referenced by the admins list and
# the winbox service below.
/ip dhcp-server lease
add address=10.0.10.110 client-id=1:20:a5... comment="macOS" \
    mac-address=20:A5:... server=dhcp10-base
add address=10.0.20.110 client-id=1:20:a5... comment="macOS" \
    mac-address=20:A5:... server=dhcp20-cloud
# vlan20 clients get the upstream resolvers directly, so their DNS leaves
# through the tunnel with the rest of their traffic. The other VLANs use
# the router as resolver; router-originated queries are not matched by the
# src-address routing rules and go out via main / PPPoE.
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
    10.0.20.1
add address=10.0.30.0/24 dns-server=10.0.30.1 gateway=10.0.30.1
add address=10.0.40.0/24 dns-server=10.0.40.1 gateway=10.0.40.1
# allow-remote-requests=yes turns the router into a resolver; the input
# rules below restrict port 53 to in-interface-list=LAN, so it is not an
# open resolver toward pppoe-out or the tunnel.
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
# Hosts allowed to reach winbox (used by the input rule below).
/ip firewall address-list
add address=10.0.10.110 list=admins
add address=10.0.20.110 list=admins
# Input chain: default-config head, explicit accepts, then a logged reject
# for LAN sources and a logged drop for everything else.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log-prefix=-drop_invalid
# ICMP is accepted from every interface, including pppoe-out and the tunnel.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Winbox needs a LAN ingress interface AND a source in the admins list;
# /ip service winbox below pins the allowed source addresses a second time.
add action=accept chain=input comment="allow winbox for admins" dst-port=\
    {winbox_port} in-interface-list=LAN protocol=tcp src-address-list=admins
# Resolver access for the VLANs only (see /ip dns above).
add action=accept chain=input comment="allow DNS" dst-port=53 \
    in-interface-list=LAN log-prefix=+accept_tcp_dns protocol=tcp
add action=accept chain=input comment="allow DNS" dst-port=53 \
    in-interface-list=LAN log-prefix=+accept_udp_dns protocol=udp
# NOTE(review): the RouterOS DHCP server is generally described as not
# depending on an input filter rule, so this rule may only add log noise
# — confirm by watching its counter before deciding whether to keep it.
add action=accept chain=input comment="allow DHCP discover?" dst-port=67 \
    in-interface-list=LAN log=yes log-prefix=+accept_udp_dhcp_discover \
    protocol=udp src-port=68
# NOTE(review): nothing in this export listens on UDP 137 on the router;
# accepting NetBIOS name-service broadcasts here only feeds the log.
add action=accept chain=input comment="allow NetBIOS?" dst-port=137 \
    in-interface-list=LAN log=yes log-prefix=+accept_udp_netbios protocol=udp \
    src-port=137
# UDP 5678 is MikroTik neighbor discovery (MNDP). Discovery is disabled
# above (discover-interface-list=none), so this accept only logs probes
# from Winbox/other MikroTik devices on the LAN.
add action=accept chain=input comment="macOS???" dst-port=5678 \
    in-interface-list=LAN log=yes log-prefix=+accept_udp_5678 protocol=udp
# LAN sources get an ICMP admin-prohibited (useful while debugging); this
# and the final drop both log, which will be noisy on a public uplink.
add action=reject chain=input comment="for tracking LAN issues" \
    in-interface-list=LAN log=yes log-prefix=-reject_LAN reject-with=\
    icmp-admin-prohibited
# Everything from pppoe-out and the tunnel that was not accepted above
# ends here.
add action=drop chain=input comment="drop all else" log=yes log-prefix=\
    -drop_all_else
# Forward chain. Fasttracked established/related flows bypass the rest of
# the filter (and mangle) once marked.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix=-drop_invalid
# LAN->WAN also covers the tunnel (wireguard is in WAN), so every VLAN may
# forward into the tunnel whenever routing sends it there; in this export
# only vlan20 (and vlan10 toward 10.255.0.1) is routed that way.
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
# The only inter-VLAN path; vlan10->vlan20 is replies only
# (established/related), as required.
add action=accept chain=forward comment=\
    "allow traffic from vlan20-cloud to vlan10-base" in-interface=\
    vlan20-cloud out-interface=vlan10-base
# There are no dstnat rules in this export, so this rule currently matches
# nothing; it only becomes relevant once port forwarding is added.
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
# Unlike the input chain, the LAN reject here is not logged.
add action=reject chain=forward comment="for tracking LAN issues" \
    in-interface-list=LAN log-prefix=-reject_LAN reject-with=\
    icmp-admin-prohibited
add action=drop chain=forward comment="drop all else" log-prefix=\
    -drop_all_else
# Masquerade on the whole WAN list: vlan20 traffic entering the tunnel is
# source-NATed to the router's tunnel address, so the Windows Server only
# ever sees a single source address from this peer.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
# Default route of the cloud table only; main keeps the PPPoE default
# route. There is no check-gateway, so this route presumably stays active
# whether or not the peer handshake is up.
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard routing-table=cloud
# Only winbox is left enabled, and only from the two admin hosts; ssh is
# disabled but already carries a non-default port.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port={ssh_port}
set api disabled=yes
set winbox address=10.0.10.110/32,10.0.20.110/32 port={winbox_port}
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
# Defence in depth: IPv6 is disabled above, and dropped here anyway.
/ipv6 firewall filter
add action=drop chain=input comment="drop everything"
add action=drop chain=forward comment="drop everything"
# Rule order matters: the specific exceptions come before the catch-all
# vlan20 rule.
/routing rule
# vlan10 -> the server's tunnel address via the cloud table; needed here
# because the /32 tunnel address above gives main no connected route to
# 10.255.0.1.
add action=lookup-only-in-table dst-address=10.255.0.1/32 src-address=\
    10.0.10.0/24 table=cloud
# vlan20 -> vlan10 stays in main so it is routed locally, not into the
# tunnel.
add action=lookup-only-in-table dst-address=10.0.10.0/24 src-address=\
    10.0.20.0/24 table=main
# NOTE(review): the tunnel's outer packets are router-originated and never
# match a src-address rule, so this entry only matters if a vlan20 host
# talks to the server's public address directly; it is probably
# unnecessary.
add action=lookup-only-in-table dst-address={windows_server_public_ip} src-address=\
    10.0.20.0/24 table=main
# lookup-only-in-table (not lookup): if the tunnel is down, vlan20 traffic
# does NOT fall back to the PPPoE route — no VPN leak, but also no
# internet for vlan20, which is the stated "tunnel only" requirement.
add action=lookup-only-in-table src-address=10.0.20.0/24 table=cloud
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
# MAC-level access paths are switched off on every interface.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

WireGuard configuration on Windows Server:
[Interface]
# Server-side key; ListenPort must equal the endpoint-port the router dials.
PrivateKey = {private_key}
ListenPort = {server_port}
# Server's tunnel address. The router's tunnel address must sit in the same
# subnet as this one for the two ends to be on-link.
Address = 10.255.0.1/32
# Script (not shown in the post) run when the tunnel comes up — presumably
# the forwarding/NAT that lets the router's traffic leave via the server;
# confirm its contents, it is part of the security boundary.
PostUp = powershell -command ". C:\WireGuard\PostUp.ps1"

[Peer]
PublicKey = {public_key}
# No Endpoint: the router must initiate, which matches its
# persistent-keepalive setting.
# AllowedIPs is both the route to this peer and its source filter
# (cryptokey routing): only packets whose source is inside it are accepted
# from the router. It must therefore equal the router's tunnel address; as
# the router masquerades into the tunnel, a single /32 is sufficient.
# NOTE(review): 10.255.0.0/32 is the network address; this should be the
# router's actual host address on the tunnel.
AllowedIPs = 10.255.0.0/32

Any help would be appreciated

Re: WireGuard server on Windows with a MikroTik router as a client

Posted: Fri Nov 03, 2023 4:08 pm
by anav
I respect such a good first post.
a. network diagram CHECK
b. complete config including associated wg config CHECK
c. decent set of requirements CHECK.

If I could give a reward I would. MT should send you a free mug LOL.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
In terms of approach, you don't need to isolate a VLAN to a single port (in case you didn't know), but I also prefer VLANs, so the approach is reasonable!
I would also take ether5 OFF the bridge and do all my initial configuring and emergency access from there (sometimes bridges burp and it's hard to get back into the router).
Something to consider down the line and let me know if interested.
How to --> viewtopic.php?t=181718

Also, I am not familiar with the windows server for wireguard.
Can you have another peer set up? I am thinking of 10.255.0.3/32 for you as admin, on your laptop or iPhone/iPad, so that you can reach the router for config purposes.
If multiple peers are allowed on the Windows WireGuard server, it's easy to access the cloud server, and if the server were CHR/MT it would be easy to reach the MT as well.
With Windows I'm not sure what would be needed to reach the Windows Server remotely and then tunnel onwards to the MT, but food for thought.

Finally, although you note that vlan10 and vlan20 should be able to access Windows Server resources, you don't give any indication of the subnet those resources are assigned to.
I will therefore use 192.168.11.0/24 as a placeholder.


Modifications:
(optional)
1. changed name of table from cloud to useWG
2. Changed wg port representation to xxxxxx
3. Added BASE interface and added base vlan to the interface list (aka trusted) and interface list to neighbours discovery
4. Added untagged to /interface bridge vlan, as I prefer to see them so that they appear in the export and can be matched up with /interface bridge port very clearly.
5. Added ingress filtering to /interface bridge ports
6. Added some additional firewall address list entries for admins.
7. Changed LAN to BASE for input chain rule to access router.

Mandatory
9. A. ON THE MIKROTIK ROUTER --> the WireGuard IP address is incorrect: add address=10.255.0.0 interface=wireguard network=10.255.0.0
Should be: add address=10.255.0.2/24 interface=wireguard network=10.255.0.0

B. ON THE WINDOWS SERVER --> the peer Allowed IPs for the MT router is incorrect: AllowedIPs = 10.255.0.0/32
Should be: AllowedIPs = 10.255.0.2/32

C. I am also not sure about how you have stated the WireGuard interface address on the Windows server: the 10.255.0.1 part is okay, but I'm not sure whether /32 is correct or whether it should be /24.
Make the other changes first; if there is still no joy, then try changing this one. For now just leave it as is.

10. MISSING, the forward chain rule to allow vlan10 and vlan20 to enter wireguard tunnel for local Windows Server resources.
11. MISSING, route for windows server local resources.

RECOMMENDED:
12. DON'T LOG the drop-all-else rule in the input chain OR the forward chain; it will fill up the log with lots of unnecessary garbage.
13. Get rid of the unnecessary firewall rules in the input chain.
Basically: default rules, then allow any VPN, then allow admin access, then allow users to services (DNS), then DROP all else.
All the other rules are NOT necessary and may interfere.
14. Routing rules simplified. Specifically, I removed this one, as I saw no purpose for it and found it very confusing:
add action=lookup-only-in-table dst-address={windows_server_public_ip} src-address=\
10.0.20.0/24 table=main


Note: Using action=lookup-only-in-table for vlan20 means that if wireguard is down there will be no internet at all for those users.

15. Added BASE interface list to this config line. /tool mac-server mac-winbox

FIXED UP as per the above..........
Feel free to ask all the questions this may pose. Overall a very impressive setup!!

.................................
# Reviewer-annotated revision of the original export; placeholders such as
# xxxxxx, 11X and "?" below are the reviewer's and must be replaced before
# import.
/interface bridge
add admin-mac=48:A9:... auto-mac=no name=bridge protocol-mode=none \
    vlan-filtering=yes
# Ports are renamed here; later sections must use these new names.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-base
set [ find default-name=ether3 ] name=ether3-cloud
set [ find default-name=ether4 ] name=ether4-iot
set [ find default-name=ether5 ] name=ether5-guests
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac configuration.mode=ap .ssid=WIFI-BASE disabled=no \
    name=wifi1-base security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac configuration.mode=ap .ssid=WIFI-IOT \
    datapath.client-isolation=yes disabled=no name=wifi2-iot \
    security.authentication-types=wpa2-psk,wpa3-psk
add configuration.mode=ap .ssid=WIFI-CLOUD disabled=no mac-address=\
    4A:A9:... master-interface=wifi1-base name=wifi3-cloud \
    security.authentication-types=wpa2-psk,wpa3-psk
add configuration.mode=ap .ssid=WIFI-GUESTS datapath.client-isolation=yes disabled=\
    no mac-address=4A:A9:... master-interface=wifi2-iot name=\
    wifi4-guests security.authentication-types=wpa2-psk,wpa3-psk
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-wan name=pppoe-out \
    user="pppoe_user_name"
# xxxxxx is a placeholder for the real listen port.
/interface wireguard
add listen-port=xxxxxx  mtu=1420 name=wireguard
/interface vlan
add interface=bridge name=vlan10-base vlan-id=10
add interface=bridge name=vlan20-cloud vlan-id=20
add interface=bridge name=vlan30-iot vlan-id=30
add interface=bridge name=vlan40-guests vlan-id=40
# BASE = the trusted interfaces: it gates winbox, neighbor discovery and
# MAC-winbox below, so membership of this list is security-relevant.
/interface list
add name=WAN
add name=LAN
add name=BASE
/ip pool
add name=pool10-base ranges=10.0.10.2-10.0.10.254
add name=pool20-cloud ranges=10.0.20.2-10.0.20.254
add name=pool30-iot ranges=10.0.30.2-10.0.30.254
add name=pool40-guests ranges=10.0.40.2-10.0.40.254
/ip dhcp-server
add address-pool=pool10-base interface=vlan10-base name=dhcp10-base
add address-pool=pool20-cloud interface=vlan20-cloud name=dhcp20-cloud
add address-pool=pool30-iot interface=vlan30-iot name=dhcp30-iot
add address-pool=pool40-guests interface=vlan40-guests name=dhcp40-guests
/routing table
add fib name=useWG
# Access ports with ingress-filtering=yes set explicitly: tagged frames
# for VLANs the port is not a member of are dropped at the port.
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2-base pvid=10  ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi1-base pvid=10 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3-cloud pvid=20 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi3-cloud pvid=20 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4-iot pvid=30 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi2-iot pvid=30 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5-guests pvid=40 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi4-guests pvid=40 ingress-filtering=yes
/ip firewall connection tracking
set loose-tcp-tracking=no
# Neighbor discovery is now answered on every BASE member — including the
# tunnel, given the BASE membership added further down.
/ip neighbor discovery-settings
set discover-interface-list=BASE
/ipv6 settings
set disable-ipv6=yes
# NOTE(review): untagged= uses the factory names ether2..ether5, but those
# ports were renamed to ether2-base..ether5-guests above; the names here
# must be the renamed ones or these entries will presumably not resolve.
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2,wifi1-base vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether3,wifi3-cloud vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether4,wifi2-iot vlan-ids=30
add bridge=bridge tagged=bridge untagged=ether5,wifi4-guests vlan-ids=40
/interface list member
add interface=pppoe-out list=WAN
add interface=wireguard list=WAN
add interface=vlan10-base list=LAN
add interface=vlan20-cloud list=LAN
add interface=vlan30-iot list=LAN
add interface=vlan40-guests list=LAN
add interface=vlan10-base list=BASE
add interface=vlan20-cloud list=BASE
# NOTE(review): despite its comment this entry is active (no disabled=yes),
# so the cloud tunnel joins BASE and with it the winbox input rule,
# neighbor discovery and MAC-winbox. The winbox rule still requires a
# source in the admins list, but the peer below has allowed-address
# 0.0.0.0/0, so the router accepts whatever source address the Windows
# Server forwards, 10.255.0.3 included; trusting BASE here therefore means
# trusting the Windows Server. Leave this out (or disabled) until a
# dedicated management peer exists.
add interface=wireguard list=BASE comment="Future consideration?"
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=Cloud endpoint-address={windows_server_public_ip} \
    endpoint-port=xxxxxx  interface=wireguard persistent-keepalive=25s  public-key={public_key}
# The /24 on the tunnel address gives main a connected route for
# 10.255.0.0/24, which is what lets vlan10/vlan20 reach 10.255.0.1 without
# a dedicated routing rule.
/ip address
add address=10.255.0.2/24 interface=wireguard network=10.255.0.0
add address=10.0.10.1/24 interface=vlan10-base network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20-cloud network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30-iot network=10.0.30.0
add address=10.0.40.1/24 interface=vlan40-guests network=10.0.40.0
/ip cloud
set update-time=no
/ip dhcp-server lease
add address=10.0.10.110 client-id=1:20:a5... comment="macOS" \
    mac-address=20:A5:... server=dhcp10-base
add address=10.0.20.110 client-id=1:20:a5... comment="macOS" \
    mac-address=20:A5:... server=dhcp20-cloud
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
    10.0.20.1
add address=10.0.30.0/24 dns-server=10.0.30.1 gateway=10.0.30.1
add address=10.0.40.0/24 dns-server=10.0.40.1 gateway=10.0.40.1
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
# Admin hosts as explicit /32s. 10.0.10.11X is a placeholder; 10.255.0.3
# is the future remote-admin peer address (only meaningful once such a peer
# actually exists on the tunnel).
/ip firewall address-list
add address=10.0.10.110/32 list=admins comment="admin desktop wired"
add address=10.0.10.11X/32 list=admins  comment="admin on local wifi"
add address=10.0.20.110/32 list=admins
add address=10.255.0.3/32  list=admins comment="Future remote wg access?"
# NOTE(review): the next line is an incomplete entry (no address, no list)
# and will not import as written; delete it.
add address
# Input chain trimmed to: default head, winbox for admins, DNS, reject for
# LAN, drop the rest. The DHCP/NetBIOS/5678 accepts are gone.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log-prefix=-drop_invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# in-interface-list is now BASE rather than LAN; see the BASE membership
# note above for what that includes.
add action=accept chain=input comment="allow winbox for admins" dst-port=\
    {winbox_port} in-interface-list=BASE protocol=tcp src-address-list=admins
add action=accept chain=input comment="allow DNS" dst-port=53 \
    in-interface-list=LAN log-prefix=+accept_tcp_dns protocol=tcp
add action=accept chain=input comment="allow DNS" dst-port=53 \
    in-interface-list=LAN log-prefix=+accept_udp_dns protocol=udp
add action=reject chain=input comment="for tracking LAN issues" \
    in-interface-list=LAN log=yes log-prefix=-reject_LAN reject-with=\
    icmp-admin-prohibited
# Logging removed from the catch-all drops in both chains.
add action=drop chain=input comment="drop all else" 
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix=-drop_invalid
# wireguard is in WAN and vlan10/vlan20 are in LAN, so this rule already
# lets both VLANs into the tunnel.
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=\
    "allow cloud to base" in-interface=vlan20-cloud out-interface=vlan10-base
# NOTE(review): redundant with the LAN->WAN rule above as the lists are
# defined in this export; harmless, but it documents intent rather than
# adding access. It becomes necessary only if wireguard is removed from WAN.
add action=accept chain=forward comment="cloud&base to WServer"  \
     in-interface-list=BASE  out-interface=wireguard
# No dstnat rules exist yet, so this currently matches nothing.
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=reject chain=forward comment="for tracking LAN issues" \
    in-interface-list=LAN log-prefix=-reject_LAN reject-with=\
    icmp-admin-prohibited
add action=drop chain=forward comment="drop all else" 
# Masquerade also applies to the tunnel, so the Windows Server sees only
# 10.255.0.2 as source and a /32 AllowedIPs on its side is sufficient.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard routing-table=useWG
# NOTE(review): 192.168.11.0/24 is the subnet assumed in the reply, not one
# taken from the original config; replace it with the real subnet behind
# the Windows Server, or drop the route if the server has no other LAN.
add dst-address=192.168.11.0/24 gateway=wireguard routing-table=main comment="access WServer resources"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port={ssh_port}
set api disabled=yes
# NOTE(review): "10.255.0.3?" is a placeholder and not valid syntax; use
# 10.255.0.3/32 or leave it out until the remote-admin peer exists.
set winbox address=10.0.10.110/32,10.0.20.110/32,10.255.0.3? port={winbox_port}
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 firewall filter
add action=drop chain=input comment="drop everything"
add action=drop chain=forward comment="drop everything"
# Simplified: the vlan10 -> 10.255.0.1 rule from the original is no longer
# needed thanks to the connected /24 on the tunnel, and the rule for the
# server's public address was dropped.
/routing rule
# No src-address, so this applies to every source; only vlan20 actually
# needs it (everything else already uses main). It keeps vlan20 -> vlan10
# out of the tunnel.
add action=lookup-only-in-table dst-address=10.0.10.0/24 table=main comment="for any vlan20 related traffic"
# lookup-only-in-table: no fallback to PPPoE when the tunnel is down
# (no leak, but also no internet for vlan20 in that case).
add action=lookup-only-in-table src-address=10.0.20.0/24 table=useWG
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
# MAC-winbox is Ethernet-level and unlikely to be reachable over an L3
# tunnel, but it now follows the BASE list, so keep that list trustworthy.
/tool mac-server mac-winbox
set allowed-interface-list=BASE
/tool mac-server ping
set enabled=no

Re: WireGuard server on Windows with a MikroTik router as a client

Posted: Fri Nov 03, 2023 5:28 pm
by anav
What DNS server is the Windows Server pointing at?
If you have any web browsing issues, lockups or slowdowns, consider adding this to the MT client device.
# Clamps the MSS of forwarded TCP SYNs leaving through the tunnel to the
# path MTU, so that the 1420-byte tunnel MTU does not blackhole large
# segments when PMTU discovery fails.
# NOTE(review): out-interface=wireguard1 matches no interface in the configs
# above, where the tunnel is named "wireguard"; with the wrong name the rule
# never matches. Adjust it to the real interface name before use.
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn

Re: WireGuard server on Windows with a MikroTik router as a client

Posted: Wed Nov 08, 2023 10:52 am
by vla328
Thank you, anav, for so many suggestions

I'm not sure I need to implement a port OFF the bridge right now. Maybe I'll do it later.

I added a new requirement for admins to access the router from the Internet using WireGuard, as you suggested. The admins should also be able to access devices in the base and cloud VLANs. I added a new WireGuard interface for this purpose and gave the new interface access to Winbox. I would rather not give the existing WireGuard interface access to Winbox, because other people have access to the Windows Server and it is not trusted. I'm not sure this is the best solution though.
Network.drawio.png
By accessing Windows Server resources I mean using shared folders on the Windows Server and accessing it by RDP via its local address. The Windows Server is not part of any other local network; it's a VPS. And there is no specific DNS setting on the Windows Server: it obtains the DNS server address automatically.

Regarding getting rid of the unnecessary firewall rules (UDP ports 67, 137, 5678): could removing those rules result in my LAN devices not working properly?

I did not use the mangle firewall rule because web browsing works fine, but thank you for it. Maybe someone else will use it.

I think I fixed almost everything you suggested. Thank you for your suggestions. I appreciate that.

New router config:
# 2023-11-07 12:16:14 by RouterOS 7.11.2
# software id = 
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = 
/interface bridge
add admin-mac=48:A9:... auto-mac=no name=bridge protocol-mode=none \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-base
set [ find default-name=ether3 ] name=ether3-cloud
set [ find default-name=ether4 ] name=ether4-iot
set [ find default-name=ether5 ] name=ether5-guests
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac configuration.mode=ap .ssid=WIFI-BASE disabled=no \
    name=wifi1-base security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac configuration.mode=ap .ssid=WIFI-IOT \
    datapath.client-isolation=yes disabled=no name=wifi2-iot \
    security.authentication-types=wpa2-psk,wpa3-psk
add configuration.mode=ap .ssid=WIFI-CLOUD disabled=no mac-address=\
    4A:A9:... master-interface=wifi1-base name=wifi3-cloud \
    security.authentication-types=wpa2-psk,wpa3-psk
add configuration.mode=ap .ssid=WIFI-GUESTS datapath.client-isolation=yes disabled=\
    no mac-address=4A:A9:... master-interface=wifi2-iot name=\
    wifi4-guests security.authentication-types=wpa2-psk,wpa3-psk
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-wan name=pppoe-out \
    user=pppoe_user_name
/interface wireguard
add listen-port=61587 mtu=1420 name=wireguard-cloud
add listen-port=63574 mtu=1420 name=wireguard-mgmt
/interface vlan
add interface=bridge name=vlan10-base vlan-id=10
add interface=bridge name=vlan20-cloud vlan-id=20
add interface=bridge name=vlan30-iot vlan-id=30
add interface=bridge name=vlan40-guests vlan-id=40
/interface list
add name=WAN
add name=LAN
add name=MGMT
add name=MGMT-LAN
/ip pool
add name=pool10-base ranges=10.0.10.2-10.0.10.254
add name=pool20-cloud ranges=10.0.20.2-10.0.20.254
add name=pool30-iot ranges=10.0.30.2-10.0.30.254
add name=pool40-guests ranges=10.0.40.2-10.0.40.254
/ip dhcp-server
add address-pool=pool10-base interface=vlan10-base name=dhcp10-base
add address-pool=pool20-cloud interface=vlan20-cloud name=dhcp20-cloud
add address-pool=pool30-iot interface=vlan30-iot name=dhcp30-iot
add address-pool=pool40-guests interface=vlan40-guests name=dhcp40-guests
/routing table
add fib name=wireguard-cloud-table
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2-base pvid=10 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi1-base pvid=10 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3-cloud pvid=20 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi3-cloud pvid=20 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4-iot pvid=30 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi2-iot pvid=30 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5-guests pvid=40 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi4-guests pvid=40 ingress-filtering=yes
/ip firewall connection tracking
set loose-tcp-tracking=no
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2-base,wifi1-base vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether3-cloud,wifi3-cloud vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether4-iot,wifi2-iot vlan-ids=30
add bridge=bridge tagged=bridge untagged=ether5-guests,wifi4-guests vlan-ids=\
    40
/interface list member
add interface=pppoe-out list=WAN
# Is wireguard interface usually included in WAN interface list?
add interface=wireguard-cloud list=WAN
add interface=vlan10-base list=LAN
add interface=vlan10-base list=MGMT
add interface=vlan10-base list=MGMT-LAN
add interface=vlan20-cloud list=LAN
add interface=vlan20-cloud list=MGMT
add interface=vlan20-cloud list=MGMT-LAN
add interface=vlan30-iot list=LAN
add interface=vlan40-guests list=LAN
add interface=wireguard-mgmt list=MGMT
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=Cloud endpoint-address={windows_server_public_ip} \
    endpoint-port=59875 interface=wireguard-cloud persistent-keepalive=25s \
    public-key={wireguard_cloud_public_key}
add allowed-address=10.255.1.3/32 comment="Admin PC" interface=wireguard-mgmt \
    public-key={wireguard_mgmt_public_key}
# Earlier revision of the router config (export of 2023-11-03). The revised
# export of 2023-11-24 later in the thread supersedes it; the main differences
# are the "allow wireguard-mgmt ..." forward rule and the route comments.
/ip address
add address=10.255.0.1/24 interface=wireguard-cloud network=10.255.0.0
add address=10.255.1.1/24 interface=wireguard-mgmt network=10.255.1.0
add address=10.0.10.1/24 interface=vlan10-base network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20-cloud network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30-iot network=10.0.30.0
add address=10.0.40.1/24 interface=vlan40-guests network=10.0.40.0
/ip cloud
set update-time=no
# Static leases pin the two admin devices to .110 so the ADMINS list matches them.
/ip dhcp-server lease
add address=10.0.10.110 client-id=1:20:a5... comment="macOS" \
    mac-address=20:A5:... server=dhcp10-base
add address=10.0.20.110 client-id=1:20:a5... comment="macOS" \
    mac-address=20:A5:... server=dhcp20-cloud
# Only the cloud vlan receives external resolvers; its DNS traffic is then
# policy-routed into the tunnel like the rest of that vlan's traffic.
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
    10.0.20.1
add address=10.0.30.0/24 dns-server=10.0.30.1 gateway=10.0.30.1
add address=10.0.40.0/24 dns-server=10.0.40.1 gateway=10.0.40.1
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
# IP-based admin trust anchor used by the Winbox input rule below.
/ip firewall address-list
add address=10.0.10.110 list=ADMINS
add address=10.0.20.110 list=ADMINS
add address=10.255.1.3 list=ADMINS
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log-prefix=-drop_invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Only the mgmt tunnel port is opened to the world; the cloud tunnel is
# initiated by the router (peer has endpoint + keepalive) and needs no input rule.
add action=accept chain=input comment="allow wireguard-mgmt" dst-port=63574 \
    protocol=udp
add action=accept chain=input comment="allow winbox for admins" dst-port=\
    60245 in-interface-list=MGMT protocol=tcp src-address-list=ADMINS
add action=accept chain=input comment="allow DNS" dst-port=53 \
    in-interface-list=LAN log-prefix=+accept_tcp_dns protocol=tcp
add action=accept chain=input comment="allow DNS" dst-port=53 \
    in-interface-list=LAN log-prefix=+accept_udp_dns protocol=udp
add action=reject chain=input comment="for tracking LAN issues" \
    in-interface-list=LAN log-prefix=-reject_LAN reject-with=\
    icmp-admin-prohibited
add action=drop chain=input comment="drop all else" log-prefix=-drop_all_else
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix=-drop_invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface=pppoe-out
add action=accept chain=forward comment=\
    "allow base & cloud vlan to Windows Server" in-interface-list=MGMT-LAN \
    out-interface=wireguard-cloud
# In this revision the admin tunnel may only reach the base and cloud vlans;
# the later revision widens this to out-interface-list=LAN.
add action=accept chain=forward comment=\
    "allow wireguard-mgmt to base & cloud vlan" in-interface=wireguard-mgmt \
    out-interface-list=MGMT-LAN
add action=accept chain=forward comment="allow cloud to base" in-interface=\
    vlan20-cloud out-interface=vlan10-base
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=reject chain=forward comment="for tracking LAN issues" \
    in-interface-list=LAN log-prefix=-reject_LAN reject-with=\
    icmp-admin-prohibited
# No accept rule has in-interface=wireguard-cloud, so traffic initiated by the
# Windows Server toward the vlans ends here.
add action=drop chain=forward comment="drop all else" log-prefix=\
    -drop_all_else
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add comment="using wiregard-cloud tunnel for cloud vlan" dst-address=\
    0.0.0.0/0 gateway=wireguard-cloud routing-table=wireguard-cloud-table
# There is a web application on the Windows Server, and I would like to access the web application
# directly from the cloud vlan.
# I also need this route in order to connect from the cloud vlan to the Windows Server via RDP
# using {windows_server_public_ip}. I can't connect without it.
# NOTE(review): this is a static /32 route, so it always wins over the tunnel
# default above — traffic to the server's public IP bypasses the tunnel at all
# times, not only when the tunnel is down.
add comment="direct access to Windows Server from cloud vlan" dst-address=\
    {windows_server_public_ip}/32 gateway=pppoe-out routing-table=wireguard-cloud-table
add comment="direct access to other IP from cloud vlan" dst-address=\
    {exception_for_direct_access_ip}/32 gateway=pppoe-out routing-table=wireguard-cloud-table
# Return path for the mgmt tunnel: cloud-vlan sources are confined to this
# table by the routing rule, so the mgmt subnet must be reachable from here.
add comment="access cloud vlan from wireguard-mgmt" dst-address=10.255.1.0/24 \
    gateway=wireguard-mgmt routing-table=wireguard-cloud-table
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=62598
set api disabled=yes
set winbox address=10.0.10.110/32,10.0.20.110/32,10.255.1.3/32 port=60245
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 firewall filter
add action=drop chain=input comment="drop everything"
add action=drop chain=forward comment="drop everything"
# Rule order matters: the base-vlan destination is looked up in main first;
# everything else sourced from the cloud vlan is looked up only in the
# tunnel table (no fallback to main on a miss).
/routing rule
add action=lookup-only-in-table comment="for any cloud vlan related traffic" \
    dst-address=10.0.10.0/24 table=main
add action=lookup-only-in-table src-address=10.0.20.0/24 table=\
    wireguard-cloud-table
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/tool mac-server ping
set enabled=no

Wireguard server config:
# Windows server side, first revision. The router initiates the tunnel (this
# [Peer] has no Endpoint), so the server only needs its listen port reachable.
[Interface]
PrivateKey = {private_key}
ListenPort = 59875
Address = 10.255.0.2/32
# Presumably configures forwarding/NAT for the cloud vlan's internet path;
# the script itself is not shown in the thread.
PostUp = powershell -command ". C:\WireGuard\PostUp.ps1"

[Peer]
PublicKey = {public_key}
# Only the router's tunnel address; the router masquerades vlan20 behind it.
AllowedIPs = 10.255.0.1/32

Wireguard client config for admin pc:
# Admin PC, first revision. AllowedIPs lists only the router's tunnel address
# plus the vlans; the later revision widens this to 10.255.1.0/24.
[Interface]
PrivateKey = {private_key}
ListenPort = 64563
Address = 10.255.1.3/32

[Peer]
PublicKey = {public_key}
# 10.0.0.0/16 covers all four vlans (10.0.10-40.0/24); internet traffic from
# the PC is not routed into the tunnel.
AllowedIPs = 10.255.1.1/32, 10.0.0.0/16
Endpoint = {router_public_ip}:63574

Is there may be anything else in the configs to be fixed?

Re: WireGuard server on Windows with a MikroTik router as a client

Posted: Wed Nov 08, 2023 3:41 pm
by anav
Ahh okay so the second interface is using the MT router as a wireguard server for the initial handshake from PC.

PC
- allowed IPs=10.255.1.0/24, 10.0.0.0/16

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
For the other wireguard network I would reverse the ips and use .1 for the windows server address and .2 for the Mt device, but thats personal preference

MT ROUTER
YES its typical but not mandatory to include wireguard interfaces within list interfaces.
normally its
a. To third party VPN server: set interface to WAN
b. Incoming remote users (is an MT server): set interface to LAN

Thus in your case, the cloud wireguard interface is appropriate for WAN interface as you have it.
I would add the wireguard management interface to the LAN list AND the management list.
Keeping the lists together makes it much easier to read ( all wan, then LAN, then mngmg-lan, then mangmt :-)

Why does vlan20 have different dns server from the other vlans???
Why do you limit admin access from remote admin PC, to only two LANS (10/20) and not IOT or guest lan...... to ping them for testing...
The IOT especially as you may want to access a device directly??

+++++++++++++++++++++++++++++++++++++++++++++++++++

ISSUES NEEDED CLARITY
You have not been honest or complete in the requirements for traffic to the Windows Server.

You need to confirm and better describe the following:
1. vlan20 needs internet access through the vpn tunnel to the window server
2. vlan20 needs access to Server Devices, through the tunnel ( to what ip address or subnets on the server etc.)
3. vlan20 needs access to some RDP instance on the server through the tunnel ( rdp server on windows server? IP address? )
4. vlan20 needs access to Server Devices, through the tunnel
5. admin (from PC) needs to remote in and access vlans on MT router
6. admin (from PC) needs to remote in and configure the MT router
7. admin (from PC) needs to reach MT router and then reach Server Devices through tunnel to Server
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Currently your routing rules and routes etc are not in good shape.
The whole idea for vpn is so that there is no traffic direct from MT clients or admin PC to windows server (all being encrypted).
The exception maybe that if for some reason we cannot send RDP through the tunnel you elect to do that outside the tunnel but RDP is a flawed protocol to use these days.

Re: WireGuard server on Windows with a MikroTik router as a client

Posted: Thu Nov 23, 2023 3:48 pm
by vla328
Thank you, anav. Sorry for the late reply
Ahh okay so the second interface is using the MT router as a wireguard server for the initial handshake from PC.

yes
PC
- allowed IPs=10.255.1.0/24, 10.0.0.0/16

fixed
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
For the other wireguard network I would reverse the ips and use .1 for the windows server address and .2 for the Mt device, but thats personal preference
MT ROUTER
YES its typical but not mandatory to include wireguard interfaces within list interfaces.
normally its
a. To third party VPN server: set interface to WAN
b. Incoming remote users (is an MT server): set interface to LAN
Thus in your case, the cloud wireguard interface is appropriate for WAN interface as you have it.
I would add the wireguard management interface to the LAN list AND the management list.
Keeping the lists together makes it much easier to read ( all wan, then LAN, then mngmg-lan, then mangmt :-)
Why does vlan20 have different dns server from the other vlans???

I believe this makes the router to use the vpn connection for dns queries. Am I correct?
Why do you limit admin access from remote admin PC, to only two LANS (10/20) and not IOT or guest lan...... to ping them for testing...
The IOT especially as you may want to access a device directly??

You are right, it's more logical, fixed:
/ip firewall filter
    # Broader than the earlier MGMT-LAN rule: the admin tunnel may now reach
    # every vlan (IoT and guests included), not only base and cloud.
    add action=accept chain=forward comment="allow wireguard-mgmt to LAN" in-interface=wireguard-mgmt out-interface-list=LAN
+++++++++++++++++++++++++++++++++++++++++++++++++++

ISSUES NEEDED CLARITY
You have not been honest or complete in the requirements for traffic to the Windows Server.
You need to confirm and better describe the following:
1. vlan20 needs internet access through the vpn tunnel to the window server

correct
2. vlan20 needs access to Server Devices, through the tunnel ( to what ip address or subnets on the server etc.)

I'm not sure I understand what you mean by Server Devices. The server is a standalone VPS. There is one public IP address for the single server instance. There are no subnets
3. vlan20 needs access to some RDP instance on the server through the tunnel ( rdp server on windows server? IP address? )

vlan20 needs access to the Windows Server via RDP and access to Shared Folders of the Windows Server. Ideally I would allow internet access through the vpn tunnel to the window server to any device in vlan20, but limiting any other access (like RDP and Shared Folders) to ADMINS only. But I have no idea how to implement this. The local address 10.255.0.2 will be used to access the Windows Server via RDP in most cases. But in case the wireguard connection fails I would like to be able to access the Windows Server via RDP by the server's public IP address from vlan20.
4. vlan20 needs access to Server Devices, through the tunnel

See 2.
5. admin (from PC) needs to remote in and access vlans on MT router

correct
6. admin (from PC) needs to remote in and configure the MT router

correct
7. admin (from PC) needs to reach MT router and then reach Server Devices through tunnel to Server

See 2.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Currently your routing rules and routes etc are not in good shape.
The whole idea for vpn is so that there is no traffic direct from MT clients or admin PC to windows server (all being encrypted).
The exception maybe that if for some reason we cannot send RDP through the tunnel you elect to do that outside the tunnel but RDP is a flawed protocol to use these days.

I think I understand the whole idea of vpn. I just tried to avoid a VPN over VPN scenario. And in case the VPN connection fails I wanted to be able to connect to the Windows Server via RDP by its public IP address and be able to use a critical web service. I'll explain it in more detail below.

I've already fixed my routing rules according to your suggestions in the previous post. So I believe the routing rules are OK:
/routing rule
    # Evaluated top to bottom. The first rule has no src-address, so ANY traffic
    # to the base vlan is looked up in main; everything else sourced from the
    # cloud vlan is looked up only in wireguard-cloud-table (a miss there drops
    # the packet instead of falling back to main).
    add action=lookup-only-in-table comment="for any cloud vlan related traffic" \
        dst-address=10.0.10.0/24 table=main
    add action=lookup-only-in-table src-address=10.0.20.0/24 table=\
        wireguard-cloud-table

+++++++++++++++
route 1
+++++++++++++++
/ip route
    # Default for the cloud vlan's policy table: anything without a more
    # specific entry in this table goes into the tunnel.
    add comment="using wiregard-cloud tunnel for cloud vlan" dst-address=\
        0.0.0.0/0 gateway=wireguard-cloud routing-table=wireguard-cloud-table

This route I believe is correct. See the route comment.

+++++++++++++++
route 2
+++++++++++++++
/ip route
    # NOTE(review): a static /32 always beats the table's default, so cloud-vlan
    # traffic to the server's public IP bypasses the tunnel at all times, not
    # only when the tunnel is down.
    add comment="direct access to Windows Server from cloud vlan" dst-address=\
        {windows_server_public_ip}/32 gateway=pppoe-out routing-table=wireguard-cloud-table

I don't have physical access to the Windows Server. So I need to access it via RDP using its public IP address if the WireGuard connection fails. I could probably use the console instead of RDP over the public IP address. I'll think about it

There is a requirement I did not mention. The Windows Server is used to host a web service. And I need to access this web service from the internet and from vlan10 and vlan20 even if the wireguard connection fails. The web service uses SSL encryption so it's secure by itself.

The Windows Server is behind a firewall. Only two ports are opened: RDP and SSL

+++++++++++++++
route 3
+++++++++++++++
/ip route
    # Second tunnel bypass, same mechanism as the Windows Server exception:
    # permanent, not conditional on the tunnel state.
    add comment="direct access to other IP from cloud vlan" dst-address=\
        {exception_for_direct_access_ip}/32 gateway=pppoe-out routing-table=wireguard-cloud-table

I also need to access a third party Cisco VPN server from the admin PC in vlan20. And I want to avoid using VPN over VPN.

+++++++++++++++
route 4
+++++++++++++++
/ip route
    # Return path: cloud-vlan sources are confined to this table by the routing
    # rule, so replies to the admin PC (10.255.1.0/24) need an entry here.
    add comment="access cloud vlan from wireguard-mgmt" dst-address=10.255.1.0/24 \
        gateway=wireguard-mgmt routing-table=wireguard-cloud-table

I can not access devices in vlan20 from wireguard-mgmt without this route

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

What exactly in my routing rules and routes is not in good shape?

And, by the way, thank you for your help! I deployed the configuration even though it's not perfect yet :)

Re: WireGuard server on Windows with a MikroTik router as a client

Posted: Thu Nov 23, 2023 9:00 pm
by templlama
Need latest full config to apply your questions to please.

Re: WireGuard server on Windows with a MikroTik router as a client

Posted: Fri Nov 24, 2023 3:16 pm
by vla328
The network diagram has not changed
Network.drawio.png

Requirements

Vlans:
1. 10.0.10.0/24 - vlan10-base
2. 10.0.20.0/24 - vlan20-cloud
3. 10.0.30.0/24 - vlan30-iot
4. 10.0.40.0/24 - vlan40-guests

vlan10-base, vlan20-cloud is used for home computers and smartphones
vlan30-iot - for IOT devices
vlan40-guests - for guests

vlan10-base, vlan30-iot, vlan40-guests must have direct access to the internet
vlan20-cloud should only be able to access the internet through the WireGuard tunnel

Devices from vlan20-cloud must have access to devices in vlan10-base
Devices from vlan10-base and vlan20-cloud must have access to the Windows server shared folders and access to the Windows server via RDP using the WireGuard tunnel. Ideally, I would only allow ADMINS to do this.

Winbox access to the router should be limited to a few devices from vlan10-base and vlan20-cloud (ADMINS)
The router should block accessing my vlans from the Windows server
Each vlan should have a corresponding Wi-Fi
Wi-Fi clients of vlan30-iot and vlan40-guests should be isolated
The router security should be tightened up before putting into production

Additional requirements

#1. The Windows server hosts a critical web service. The web service is used from LAN and from the internet. The web service is safe to use without VPN (SSL is used). It is not necessary to encrypt the web service traffic with VPN. Devices from vlan20-cloud should be able to access the web service even if the WireGuard tunnel fails.

I don't have physical access to the Windows server hardware. It would be convenient to access the Windows server via RDP by its public IP from vlan20-cloud in case the WireGuard tunnel fails. Although there may be more secure alternatives to accessing the server in that case (console)

The Windows server is behind a firewall. Only 3 ports are open: WireGuard, SSL, RDP

#2. Devices from vlan20-cloud should be able to establish a VPN connection to a third party Cisco VPN server directly, without using VPN over VPN

The router configuration:
# 2023-11-24 15:17:19 by RouterOS 7.11.2
# software id =
#
# model = C53UiG+5HPaxD2HPaxD
# serial number =
# One bridge carries all four vlans; vlan-filtering makes the bridge enforce the
# /interface bridge vlan table. Spanning tree is off (single switch).
/interface bridge
add admin-mac=48:A9:... auto-mac=no name=bridge protocol-mode=none \
    vlan-filtering=yes
# One access port per vlan, renamed after its role.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-base
set [ find default-name=ether3 ] name=ether3-cloud
set [ find default-name=ether4 ] name=ether4-iot
set [ find default-name=ether5 ] name=ether5-guests
# wifi1 (5 GHz) is the physical radio for the base vlan, wifi2 (2.4 GHz) for
# IoT; the cloud and guest SSIDs are virtual APs on those radios. IoT and
# guest SSIDs use client isolation so their Wi-Fi clients cannot see each other.
# NOTE(review): every SSID accepts WPA2 as well as WPA3 (wpa2-psk,wpa3-psk);
# WPA3-only is the stronger setting if all clients on that SSID support it.
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac configuration.mode=ap .ssid=WIFI-BASE disabled=no \
    name=wifi1-base security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac configuration.mode=ap .ssid=WIFI-IOT \
    datapath.client-isolation=yes disabled=no name=wifi2-iot \
    security.authentication-types=wpa2-psk,wpa3-psk
add configuration.mode=ap .ssid=WIFI-CLOUD disabled=no mac-address=\
    4A:A9:... master-interface=wifi1-base name=wifi3-cloud \
    security.authentication-types=wpa2-psk,wpa3-psk
add configuration.mode=ap .ssid=WIFI-GUESTS datapath.client-isolation=yes disabled=\
    no mac-address=4A:A9:... master-interface=wifi2-iot name=\
    wifi4-guests security.authentication-types=wpa2-psk,wpa3-psk
# PPPoE uplink on ether1. add-default-route=yes installs the main-table default
# route itself, which is why no 0.0.0.0/0 entry for main appears under /ip route.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-wan name=pppoe-out \
    user=pppoe_user_name
# wireguard-cloud: the router is the client (its peer has an endpoint and
# keepalive), so port 61587 is never opened in the input chain.
# wireguard-mgmt: the router is the server for the admin PC; UDP 63574 is
# accepted in the input chain.
/interface wireguard
add listen-port=61587 mtu=1420 name=wireguard-cloud
add listen-port=63574 mtu=1420 name=wireguard-mgmt
/interface vlan
add interface=bridge name=vlan10-base vlan-id=10
add interface=bridge name=vlan20-cloud vlan-id=20
add interface=bridge name=vlan30-iot vlan-id=30
add interface=bridge name=vlan40-guests vlan-id=40
# Lists used by the firewall (members are assigned under /interface list member):
# WAN = uplinks, LAN = all vlans, MGMT = where Winbox / neighbor discovery are
# allowed, MGMT-LAN = vlans allowed to use the cloud tunnel.
/interface list
add name=WAN
add name=LAN
add name=MGMT
add name=MGMT-LAN
# .1 of each vlan is the router; leases start at .2.
/ip pool
add name=pool10-base ranges=10.0.10.2-10.0.10.254
add name=pool20-cloud ranges=10.0.20.2-10.0.20.254
add name=pool30-iot ranges=10.0.30.2-10.0.30.254
add name=pool40-guests ranges=10.0.40.2-10.0.40.254
/ip dhcp-server
add address-pool=pool10-base interface=vlan10-base name=dhcp10-base
add address-pool=pool20-cloud interface=vlan20-cloud name=dhcp20-cloud
add address-pool=pool30-iot interface=vlan30-iot name=dhcp30-iot
add address-pool=pool40-guests interface=vlan40-guests name=dhcp40-guests
# Separate FIB for the cloud vlan's policy routing; populated under /ip route
# and selected by the /routing rule entries.
/routing table
add fib name=wireguard-cloud-table
# Access ports: accept only untagged (or priority-tagged) frames, stamp them
# with the port's pvid, and discard frames for vlans the port is not a member
# of (ingress-filtering). No port carries a tagged trunk.
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2-base pvid=10 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi1-base pvid=10 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3-cloud pvid=20 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi3-cloud pvid=20 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4-iot pvid=30 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi2-iot pvid=30 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5-guests pvid=40 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi4-guests pvid=40 ingress-filtering=yes
/ip firewall connection tracking
set loose-tcp-tracking=no
# Neighbor discovery (and MAC-Winbox, see /tool mac-server) only on MGMT.
/ip neighbor discovery-settings
set discover-interface-list=MGMT
# IPv6 is switched off entirely; the /ipv6 firewall drop rules are a backstop.
/ipv6 settings
set disable-ipv6=yes
# The bridge itself is the tagged member of every vlan so the router's vlan
# interfaces (vlan10-base ... vlan40-guests) see their traffic; the access
# ports are untagged members.
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2-base,wifi1-base vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether3-cloud,wifi3-cloud vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether4-iot,wifi2-iot vlan-ids=30
add bridge=bridge tagged=bridge untagged=ether5-guests,wifi4-guests vlan-ids=\
    40
# List membership. The cloud tunnel is treated as an uplink (WAN), so the
# srcnat masquerade applies to it. wireguard-mgmt is in MGMT only, not LAN:
# the admin PC coming in over that tunnel reaches Winbox, but the input-chain
# DNS rules match in-interface-list=LAN, so the router will not resolve names
# for it.
/interface list member
add interface=pppoe-out list=WAN
add interface=wireguard-cloud list=WAN
add interface=vlan10-base list=LAN
add interface=vlan10-base list=MGMT
add interface=vlan10-base list=MGMT-LAN
add interface=vlan20-cloud list=LAN
add interface=vlan20-cloud list=MGMT
add interface=vlan20-cloud list=MGMT-LAN
add interface=vlan30-iot list=LAN
add interface=vlan40-guests list=LAN
add interface=wireguard-mgmt list=MGMT
/interface wireguard peers
# Cloud peer: allowed-address=0.0.0.0/0 is required for the tunnel default
# route, and it also means the router accepts packets with ANY source address
# arriving from the server. Because no forward rule accepts
# in-interface=wireguard-cloud, such packets toward the vlans end in
# "drop all else"; the input chain only lets established/related and ICMP in.
add allowed-address=0.0.0.0/0 comment=Cloud endpoint-address={windows_server_public_ip} \
    endpoint-port=59875 interface=wireguard-cloud persistent-keepalive=25s \
    public-key={wireguard_cloud_public_key}
# Admin PC peer: only its single tunnel address is accepted as a source.
add allowed-address=10.255.1.3/32 comment="Admin PC" interface=wireguard-mgmt \
    public-key={wireguard_mgmt_public_key}
# Router addresses: .1 of each tunnel subnet and of each vlan.
/ip address
add address=10.255.0.1/24 interface=wireguard-cloud network=10.255.0.0
add address=10.255.1.1/24 interface=wireguard-mgmt network=10.255.1.0
add address=10.0.10.1/24 interface=vlan10-base network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20-cloud network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30-iot network=10.0.30.0
add address=10.0.40.1/24 interface=vlan40-guests network=10.0.40.0
/ip cloud
set update-time=no
# Static leases pin the two admin devices to .110 so the ADMINS address list
# below matches them.
/ip dhcp-server lease
add address=10.0.10.110 client-id=1:20:a5... comment="macOS" \
    mac-address=20:A5:... server=dhcp10-base
add address=10.0.20.110 client-id=1:20:a5... comment="macOS" \
    mac-address=20:A5:... server=dhcp20-cloud
# Base/IoT/guest clients resolve through the router; cloud clients are handed
# the public resolvers directly so their queries are policy-routed into the
# tunnel with the rest of that vlan's traffic (the router's own lookups to the
# same resolvers go out via the main table, i.e. pppoe).
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1
add address=10.0.20.0/24 comment="the different DNS server is used to make th\
    e router use the WireGuard VPN connection for DNS queries" dns-server=\
    208.67.222.222,208.67.220.220 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=10.0.30.1 gateway=10.0.30.1
add address=10.0.40.0/24 dns-server=10.0.40.1 gateway=10.0.40.1
# allow-remote-requests=yes makes the router a resolver; the input chain limits
# port 53 to in-interface-list=LAN, so it is not exposed on the WAN side.
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
# ADMINS is an IP-based trust anchor used by the Winbox input rule and the
# /ip service winbox address filter. NOTE(review): trust is by address only;
# a host on vlan10/vlan20 that statically takes one of these addresses would
# match too — the in-interface-list=MGMT condition on the Winbox rule is what
# limits that to those two vlans and the mgmt tunnel.
/ip firewall address-list
add address=10.0.10.110 list=ADMINS
add address=10.0.20.110 list=ADMINS
add address=10.255.1.3 list=ADMINS
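# Destinations the cloud vlan may reach directly over pppoe-out, bypassing the
# tunnel. These mirror the two /32 exception routes in wireguard-cloud-table
# (see additional requirements #1 and #2); keep both places in sync.
/ip firewall address-list
add address={windows_server_public_ip} comment="Windows server public IP" \
    list=CLOUD-DIRECT
add address={exception_for_direct_access_ip} comment=\
    "third party Cisco VPN server" list=CLOUD-DIRECT
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log-prefix=-drop_invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Only the mgmt tunnel port is opened to the world; the cloud tunnel is
# initiated by the router (peer has endpoint + keepalive) and needs no rule.
add action=accept chain=input comment="allow wireguard-mgmt" dst-port=63574 \
    protocol=udp
# Winbox: admin addresses only, and only from MGMT interfaces. The same
# address filter is repeated on /ip service winbox as a second layer.
add action=accept chain=input comment="allow winbox for admins" dst-port=\
    60245 in-interface-list=MGMT protocol=tcp src-address-list=ADMINS
# Router resolver is reachable from the vlans only, never from WAN.
add action=accept chain=input comment="allow DNS" dst-port=53 \
    in-interface-list=LAN log-prefix=+accept_tcp_dns protocol=tcp
add action=accept chain=input comment="allow DNS" dst-port=53 \
    in-interface-list=LAN log-prefix=+accept_udp_dns protocol=udp
add action=reject chain=input comment="for tracking LAN issues" \
    in-interface-list=LAN log-prefix=-reject_LAN reject-with=\
    icmp-admin-prohibited
add action=drop chain=input comment="drop all else" log-prefix=-drop_all_else
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix=-drop_invalid
# Defence in depth for "the cloud vlan reaches the internet only through the
# tunnel". Today that is enforced solely by the routing rule that confines
# 10.0.20.0/24 to wireguard-cloud-table; if that rule were ever disabled or
# reordered, the "allow internet traffic" rule below would pass cloud traffic
# out of pppoe-out in the clear. Drop it here unless the destination is one
# of the deliberate CLOUD-DIRECT exceptions. Does not match in normal operation.
add action=drop chain=forward comment=\
    "cloud vlan must not reach WAN directly except CLOUD-DIRECT" \
    dst-address-list=!CLOUD-DIRECT in-interface=vlan20-cloud log-prefix=\
    -drop_cloud_leak out-interface=pppoe-out
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface=pppoe-out
# Requirement: RDP / shared folders on the Windows server for ADMINS only.
# The server's tunnel address is 10.255.0.2 (its WireGuard [Interface]
# Address). Internet-bound packets from the cloud vlan carry internet
# destinations, not 10.255.0.2, so they are unaffected by these two rules;
# remove the drop rule to restore server access for every base/cloud host.
add action=accept chain=forward comment=\
    "allow admins to Windows server tunnel address" dst-address=10.255.0.2 \
    in-interface-list=MGMT-LAN out-interface=wireguard-cloud \
    src-address-list=ADMINS
add action=drop chain=forward comment=\
    "non-admins may not reach Windows server tunnel address" dst-address=\
    10.255.0.2 in-interface-list=MGMT-LAN log-prefix=-drop_server_nonadmin \
    out-interface=wireguard-cloud
add action=accept chain=forward comment=\
    "allow base & cloud vlan to Windows server" in-interface-list=MGMT-LAN \
    out-interface=wireguard-cloud
add action=accept chain=forward comment="allow wireguard-mgmt to LAN" \
    in-interface=wireguard-mgmt out-interface-list=LAN
add action=accept chain=forward comment="allow cloud to base" in-interface=\
    vlan20-cloud out-interface=vlan10-base
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=reject chain=forward comment="for tracking LAN issues" \
    in-interface-list=LAN log-prefix=-reject_LAN reject-with=\
    icmp-admin-prohibited
# No accept rule has in-interface=wireguard-cloud, so connections initiated by
# the Windows server toward the vlans end here ("block my vlans from the server").
add action=drop chain=forward comment="drop all else" log-prefix=\
    -drop_all_else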
# WAN includes wireguard-cloud, so cloud-vlan traffic entering the tunnel is
# rewritten to 10.255.0.1 — which is exactly the single address the Windows
# server's [Peer] AllowedIPs accepts from the router.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
# Default for the cloud vlan's policy table: anything without a more specific
# entry below goes into the tunnel. If the tunnel is down this presumably
# blackholes rather than leaks, since the routing rule forbids a fallback to
# main — worth confirming on the device.
add comment="using wiregard-cloud tunnel for cloud vlan" dst-address=\
    0.0.0.0/0 gateway=wireguard-cloud routing-table=wireguard-cloud-table
# NOTE(review): these two /32 entries are static routes, so they always win
# over the default above. Cloud-vlan traffic to these IPs bypasses the tunnel
# at all times, not only when the tunnel fails.
add comment="direct access to Windows server by its public IP from cloud vlan (RDP, SSL in case the WireGuard tunnel fails); see additional requirement #1" dst-address=\
    {windows_server_public_ip}/32 gateway=pppoe-out routing-table=wireguard-cloud-table
add comment="avoiding VPN over VPN; see additional requirement #2" dst-address=\
    {exception_for_direct_access_ip}/32 gateway=pppoe-out routing-table=wireguard-cloud-table
# Return path: cloud-vlan sources are confined to this table by the routing
# rule, so replies to the admin PC (10.255.1.0/24) need an entry here.
add comment="required to access cloud vlan from wireguard-mgmt" dst-address=10.255.1.0/24 \
    gateway=wireguard-mgmt routing-table=wireguard-cloud-table
# Management plane: only Winbox is enabled, on a non-default port and bound to
# the three ADMINS addresses. SSH is disabled but already hardened
# (strong-crypto below) should it ever be re-enabled.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=62598
set api disabled=yes
set winbox address=10.0.10.110/32,10.0.20.110/32,10.255.1.3/32 port=60245
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
# IPv6 is disabled in /ipv6 settings; these rules drop anything that shows up anyway.
/ipv6 firewall filter
add action=drop chain=input comment="drop everything"
add action=drop chain=forward comment="drop everything"
# Policy routing for the cloud vlan, evaluated in order. The first rule has no
# src-address, so ANY traffic to the base vlan uses main; everything else
# sourced from 10.0.20.0/24 is looked up ONLY in wireguard-cloud-table, and a
# miss there drops the packet instead of falling back to main. This rule is
# the sole thing keeping cloud traffic off the plain pppoe path.
/routing rule
add action=lookup-only-in-table comment="for any cloud vlan related traffic" \
    dst-address=10.0.10.0/24 table=main
add action=lookup-only-in-table src-address=10.0.20.0/24 table=\
    wireguard-cloud-table
/system note
set show-at-login=no
# Unneeded services off; MAC-Winbox only on MGMT (it is Layer 2, so the
# wireguard-mgmt member of MGMT is irrelevant to it).
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/tool mac-server ping
set enabled=no

Wireguard server config:
# Windows server side (WireGuard for Windows). The router initiates the tunnel:
# this [Peer] has no Endpoint, so the server only waits for the router's
# handshake on UDP 59875.
[Interface]
PrivateKey = {private_key}
ListenPort = 59875
Address = 10.255.0.2/32
# Presumably sets up forwarding/NAT for the cloud vlan's internet path; the
# script itself is not shown in the thread.
PostUp = powershell -command ". C:\WireGuard\PostUp.ps1"

[Peer]
PublicKey = {public_key}
# Only the router's tunnel address is accepted; the router masquerades the
# cloud vlan behind 10.255.0.1, so no vlan subnets need to be listed.
AllowedIPs = 10.255.0.1/32

Wireguard client config for admin pc:
# Admin PC. Connects to the router's mgmt tunnel on UDP 63574.
[Interface]
PrivateKey = {private_key}
ListenPort = 64563
Address = 10.255.1.3/32

[Peer]
PublicKey = {public_key}
# The mgmt subnet plus 10.0.0.0/16, which covers all four vlans
# (10.0.10-40.0/24). Internet traffic from the PC is not sent into the tunnel.
AllowedIPs = 10.255.1.0/24, 10.0.0.0/16
Endpoint = {router_public_ip}:63574

Re: WireGuard server on Windows with a MikroTik router as a client

Posted: Fri Nov 24, 2023 5:24 pm
by anav
Busy today but will look at it this weekend.

Re: WireGuard server on Windows with a MikroTik router as a client

Posted: Fri Nov 24, 2023 9:04 pm
by vla328
Thank you, anav!

Re: WireGuard server on Windows with a MikroTik router as a client

Posted: Sun Nov 26, 2023 4:18 pm
by anav
Good day,
The requirements are pretty good.
Who needs access to the windows server, vlan10 and vlan20
Who needs access to vlan10, vlan20 does
Who gets internet from wireguard, vlan20 does.
+++++++++++++++++++++++++++++++++++++++++++++++++

It's the additional requirements that get a bit murky.

a. vlan20 needs access to web services through HTTPS, if the wireguard tunnel is down. OKAY, I think this is doable.
b. RDP backup I cannot support since its insecure......... You're on your own.
c. vlan 20 should be able to connect to a different VPN cisco........
Hmmmmmmmm
I think you may be piling on more than is possible with a straight configuration.
May have to do scripting, to handle such a scenario and is beyond my powers...

Will see how far I get.

Re: WireGuard server on Windows with a MikroTik router as a client

Posted: Sun Nov 26, 2023 5:01 pm
by anav
ROUTER COMMENTS ( WOW, nice setup )

(1) Not sure what you mean by this line..............
add address=10.0.20.0/24 comment="the different DNS server is used to make th\
e router use the WireGuard VPN connection for DNS queries" dns-server=\
208.67.222.222,208.67.220.220 gateway=10.0.20.1


For the sake of simplicity I am not sure that is the best course of action......
The key for me is to ensure that we put in the DNS server, what DNS the windows server is using.
Investigating ..............

(2) Where I have troubles is IP routes.
/ip route
First lets deal with the first route.... probably handled in the PPPOE settings so not visible to us so we can assume there is one for the main internet access.

Primary Route - PPOE

Router Created Wireguard Routes
<dac> dst-address=10.255.1.0/25 gateway=wireguard-mgmt routing-table=main
<dac> dst-address=10.255.0.0/24 gateway=wireguard-cloud routing-table=main

Required Routes for Remote Subnets Discussion:
Not required for vlan20 users because the allowed IPs ( for internet ) to the Server via peer settings, allows ALL traffic to leave router towards the windows server and we are forcing all that traffic out the wireguard Tunnel.
However for vlan10 users and if the admin wants to come in remotely from home via WG and then securely access the windows server via wireguard we need the following. SO that the router knows where to send remote server subnet traffic.........
add dst-address=server-subnet1 gateway=wireguard-cloud routing-table=main { If required }
add dst-address=serve-subnet2 gateway=wireguard-cloud routing-table=main { If required }

As far as firewall rules go for these additional routes. VLAN20 is golden as this already exists. BUT we need to let the remote admin come in and reach the other tunnel.
add chain=forward action=accept in-interface=wireguard-mgmt out-interface=wireguard-cloud.

(Note: By the way, the above is the correct way to get remote admin access. The IP route you created to attempt this should be removed. )

Required Route for Vlan20 and internet - you already have this and is fine.
add comment="using wiregard-cloud tunnel for cloud vlan" dst-address=\
0.0.0.0/0 gateway=wireguard-cloud routing-table=wireguard-cloud-table


The other route make no sense to me. More specifically it has nothing to do with the wg-cloud routing table!!!
If you intend to have any DIRECT ROUTES not using wireguard then simply use the pppoe connection:
dst-address=server IP gateway=ppoe routing-table=main

What I could suggest is the following
/routing table add fib name=directServer
/routing table add fib name=directCISCO


/routing rules { depending on which vlans need access }
add src-address=vlan10 dst-address=publicIPserver action=lookup table=directServer disabled=yes
add src-address=vlan10 dst-address=publicIPserver action=lookup table=cisco disabled=yes
add src-address=vlan20 dst-address=publicIPserver action=lookup table=directServer disabled=yes
add src-address=vlan20 dst-address=publicIPserver action=lookup table=cisco disabled=yes


/ip routes
add dst-address=publicIPofServer gateway=pppoe routing-table=directServer
add dst-address=publicIPofServer gateway=pppoe routing-table=cisco

Re: WireGuard server on Windows with a MikroTik router as a client

Posted: Thu Nov 30, 2023 12:45 pm
by vla328
Thank you, anav! I have almost no background in networking, your suggestions are valuable to me!

ROUTER COMMENTS ( WOW, nice setup )

(1) Not sure what you mean by this line..............
add address=10.0.20.0/24 comment="the different DNS server is used to make th\
e router use the WireGuard VPN connection for DNS queries" dns-server=\
208.67.222.222,208.67.220.220 gateway=10.0.20.1

For the sake of simplicity I am not sure that is the best course of action......
The key for me is to ensure that we put in the DNS server, what DNS the windows server is using.
Investigating ..............

I'm not sure I know how to trace DNS lookups. Setting dns-server to 208.67.222.222,208.67.220.220 for the cloud dhcp-server network makes the router choose DNS servers from the region where the Windows server is located rather than from the region where the router is located. The web site ipleak.net shows the DNS server location

(2) Where I have troubles is IP routes.
/ip route
First lets deal with the first route.... probably handled in the PPPOE settings so not visible to us so we can assume there is one for the main internet access.

Primary Route - PPOE

Router Created Wireguard Routes
<dac> dst-address=10.255.1.0/25 gateway=wireguard-mgmt routing-table=main
<dac> dst-address=10.255.0.0/24 gateway=wireguard-cloud routing-table=main

Right

Routes for main (my previous configuration):
    DST-ADDRESS     GATEWAY          DISTANCE
DAv 0.0.0.0/0       pppoe-out               1
;;; ISP route
DAc x.x.x.x/32      pppoe-out               0
DAc 10.0.10.0/24    vlan10-base             0
DAc 10.0.20.0/24    vlan20-cloud            0
DAc 10.0.30.0/24    vlan30-iot              0
DAc 10.0.40.0/24    vlan40-guests           0
DAc 10.255.0.0/24   wireguard-cloud         0
DAc 10.255.1.0/24   wireguard-mgmt          0

Routes for wireguard-cloud-table (my previous configuration):
#    DST-ADDRESS                       GATEWAY          DISTANCE
;;; using wiregard-cloud tunnel from vlan20-cloud
0 As 0.0.0.0/0                         wireguard-cloud         1
;;; required to reach devices in vlan20-cloud from wireguard-mgmt
1 As 10.255.1.0/24                     wireguard-mgmt          1
;;; direct access to Windows server by its public IP from vlan20-cloud (RDP, SSL in case the WireGuard tunnel fails); see additional requirement #1
2 As {windows_server_public_ip}/32     pppoe-out               1
;;; avoiding VPN over VPN; see additional requirement #2
3 As {cisco_vpn_server_ip}/32          pppoe-out               1

Required Routes for Remote Subnets Discussion:
Not required for vlan20 users, because the allowed IPs (for internet) to the server in the peer settings allow ALL traffic to leave the router towards the Windows server, and we are forcing all that traffic out the WireGuard tunnel.
However, for vlan10 users, and if the admin wants to come in remotely from home via WG and then securely access the Windows server via WireGuard, we need the following, so that the router knows where to send remote server subnet traffic.
add dst-address=server-subnet1 gateway=wireguard-cloud routing-table=main { If required }
add dst-address=serve-subnet2 gateway=wireguard-cloud routing-table=main { If required }

It’s not required now because the Windows server has no subnets yet.

As far as firewall rules go for these additional routes, VLAN20 is golden, as this already exists. BUT we need to let the remote admin come in and reach the other tunnel.
add chain=forward action=accept in-interface=wireguard-mgmt out-interface=wireguard-cloud.

(Note: By the way, the above is the correct way to get remote admin access. The IP route you created to attempt this should be removed. )

I fixed the firewall rules to allow remote admin to access the Windows server:
/interface list member
    add interface=vlan10-base list=MGMT
    add interface=vlan20-cloud list=MGMT
    add interface=wireguard-mgmt list=MGMT
/ip firewall filter
    add action=accept chain=forward comment=\
        "allow base & cloud vlan and wireguard-mgmt to Windows server" \
        in-interface-list=MGMT out-interface=wireguard-cloud

This route:
/ip route
    add comment="required to reach devices in vlan20-cloud from wireguard-mgmt" dst-address=10.255.1.0/24 \
        gateway=wireguard-mgmt routing-table=wireguard-cloud-table
is used to reach devices in vlan20-cloud from wireguard-mgmt. It is not used to get access to the Windows server from wireguard-mgmt. I believe the route is correct: I can't ping devices in vlan20-cloud from the admin PC connected remotely through wireguard-mgmt without this route.

Required Route for Vlan20 and internet - you already have this and it is fine.
add comment="using wiregard-cloud tunnel for cloud vlan" dst-address=\
0.0.0.0/0 gateway=wireguard-cloud routing-table=wireguard-cloud-table

The other route makes no sense to me. More specifically, it has nothing to do with the wg-cloud routing table!!!
If you intend to have any DIRECT ROUTES not using wireguard then simply use the pppoe connection:
dst-address=server IP gateway=pppoe routing-table=main

What I could suggest is the following
/routing table add fib name=directServer
/routing table add fib name=directCISCO

/routing rules { depending on which vlans need access }
add src-address=vlan10 dst-address=publicIPserver action=lookup table=directServer disabled=yes
add src-address=vlan10 dst-address=publicIPserver action=lookup table=cisco disabled=yes
add src-address=vlan20 dst-address=publicIPserver action=lookup table=directServer disabled=yes
add src-address=vlan20 dst-address=publicIPserver action=lookup table=cisco disabled=yes

/ip routes
add dst-address=publicIPserver gateway=pppoe routing-table=directServer
add dst-address=publicIPserver gateway=pppoe routing-table=cisco

In my current configuration I implemented direct access to the Windows server and the Cisco VPN server from vlan20-cloud with routing rules, as you suggested. Is there a reason for adding two new routing tables?
/routing rule
    add action=lookup-only-in-table comment=\
        "accessing vlan10-base from vlan20-cloud" dst-address=10.0.10.0/24 \
        src-address=10.0.20.0/24 table=main
    add action=lookup-only-in-table comment=\
        "direct access to Windows server by its public IP from vlan20-cloud (RDP, SSL in case the WireGuard tunnel fails); see additional requirement #1" dst-address=\
        {windows_server_public_ip}/32 src-address=10.0.20.0/24 table=main
    add action=lookup-only-in-table comment=\
        "avoiding VPN over VPN; see additional requirement #2" dst-address=\
        {cisco_vpn_server_ip}/32 src-address=10.0.20.0/24 table=main
    add action=lookup-only-in-table comment=\
        "accessing the internet from vlan20-cloud through wireguard-cloud tunnel" \
        src-address=10.0.20.0/24 table=wireguard-cloud-table
/ip route
    add comment="using wiregard-cloud tunnel from vlan20-cloud" dst-address=\
        0.0.0.0/0 gateway=wireguard-cloud routing-table=wireguard-cloud-table
    add comment="required to reach devices in vlan20-cloud from wireguard-mgmt" \
        dst-address=10.255.1.0/24 gateway=wireguard-mgmt routing-table=\
        wireguard-cloud-table

Routes for main (my current configuration):
    DST-ADDRESS     GATEWAY          DISTANCE
DAv 0.0.0.0/0       pppoe-out               1
;;; ISP route
DAc x.x.x.x/32      pppoe-out               0
DAc 10.0.10.0/24    vlan10-base             0
DAc 10.0.20.0/24    vlan20-cloud            0
DAc 10.0.30.0/24    vlan30-iot              0
DAc 10.0.40.0/24    vlan40-guests           0
DAc 10.255.0.0/24   wireguard-cloud         0
DAc 10.255.1.0/24   wireguard-mgmt          0

Routes for wireguard-cloud-table (my current configuration):
#    DST-ADDRESS    GATEWAY          DISTANCE
;;; using wiregard-cloud tunnel from cloud vlan
0 As 0.0.0.0/0      wireguard-cloud         1
;;; required to reach devices in vlan20-cloud from wireguard-mgmt
1 As 10.255.1.0/24  wireguard-mgmt          1 

vlan10-base always has direct access to any IP. As far as I understand, there is no need for additional routing rules or routes to implement direct access in vlan10-base. Am I correct?

This is my current router configuration. The network diagram and the requirements have not changed. I think routing in this configuration, using routing rules, does exactly the same as my previous configuration, which used routes:
# 2023-11-29 16:28:40 by RouterOS 7.12.1
# software id =
#
# model = C53UiG+5HPaxD2HPaxD
# serial number =
#
# Review notes: full export of the current configuration. Four VLANs on one
# VLAN-filtering bridge, a PPPoE uplink, and two WireGuard tunnels:
# wireguard-cloud (router is the client; carries vlan20's internet traffic to the
# Windows server) and wireguard-mgmt (router is the server; the admin PC dials in).
# Firewall filter rules and routing rules are evaluated top to bottom, first match
# wins, so their order is part of the configuration.
/interface bridge
# One VLAN-aware bridge; tagging and untagging are enforced at the bridge ports below.
add admin-mac=48:A9:... auto-mac=no name=bridge protocol-mode=none \
    vlan-filtering=yes
/interface ethernet
# ether1 carries the PPPoE uplink; ether2-5 are access ports, one per VLAN.
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-base
set [ find default-name=ether3 ] name=ether3-cloud
set [ find default-name=ether4 ] name=ether4-iot
set [ find default-name=ether5 ] name=ether5-guests
/interface wifiwave2
# wifi1 (5 GHz) and wifi2 (2.4 GHz) are the physical radios; wifi3-cloud and
# wifi4-guests are virtual APs on top of them. datapath.client-isolation is set only
# on the IoT and guest SSIDs, so clients of those two networks cannot talk to each other.
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac configuration.mode=ap .ssid=WIFI-BASE disabled=no \
    name=wifi1-base security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac configuration.mode=ap .ssid=WIFI-IOT \
    datapath.client-isolation=yes disabled=no name=wifi2-iot \
    security.authentication-types=wpa2-psk,wpa3-psk
add configuration.mode=ap .ssid=WIFI-CLOUD disabled=no mac-address=4A:A9:... \
    master-interface=wifi1-base name=wifi3-cloud \
    security.authentication-types=wpa2-psk,wpa3-psk
add configuration.mode=ap .ssid=WIFI-GUESTS datapath.client-isolation=yes disabled=no \
    mac-address=4A:A9:... master-interface=wifi2-iot name=\
    wifi4-guests security.authentication-types=wpa2-psk,wpa3-psk
/interface pppoe-client
# add-default-route=yes is what installs 0.0.0.0/0 via pppoe-out in the main table;
# there is no static default route anywhere else in this export.
add add-default-route=yes disabled=no interface=ether1-wan name=pppoe-out \
    user=pppoe_user_name
/interface wireguard
# wireguard-cloud: tunnel to the Windows server (peer defined below; the router
# initiates). wireguard-mgmt: tunnel the admin PC connects to; its UDP port 63574 is
# opened in the input chain further down.
add listen-port=61587 mtu=1420 name=wireguard-cloud
add listen-port=63574 mtu=1420 name=wireguard-mgmt
/interface vlan
# Layer-3 VLAN interfaces on the bridge; they carry the gateway addresses under /ip address.
add interface=bridge name=vlan10-base vlan-id=10
add interface=bridge name=vlan20-cloud vlan-id=20
add interface=bridge name=vlan30-iot vlan-id=30
add interface=bridge name=vlan40-guests vlan-id=40
/interface list
# WAN  -> masqueraded by the srcnat rule; includes the cloud tunnel.
# LAN  -> may reach the internet and the router's DNS.
# MGMT -> may reach Winbox, MAC-Winbox, neighbor discovery and the Windows server tunnel.
add name=WAN
add name=LAN
add name=MGMT
/ip pool
# One DHCP range per VLAN; .1 is left for the router's own address.
add name=pool10-base ranges=10.0.10.2-10.0.10.254
add name=pool20-cloud ranges=10.0.20.2-10.0.20.254
add name=pool30-iot ranges=10.0.30.2-10.0.30.254
add name=pool40-guests ranges=10.0.40.2-10.0.40.254
/ip dhcp-server
add address-pool=pool10-base interface=vlan10-base name=dhcp10-base
add address-pool=pool20-cloud interface=vlan20-cloud name=dhcp20-cloud
add address-pool=pool30-iot interface=vlan30-iot name=dhcp30-iot
add address-pool=pool40-guests interface=vlan40-guests name=dhcp40-guests
/routing table
# Second FIB used only for vlan20-cloud sources: its routes are under /ip route,
# the selection is done under /routing rule at the end of this export.
add fib name=wireguard-cloud-table
/interface bridge port
# Every port is an untagged access port for exactly one VLAN (pvid).
# ingress-filtering=yes together with admit-only-untagged-and-priority-tagged
# discards tagged frames coming from clients, so a host cannot move to another
# VLAN by tagging its own traffic.
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2-base pvid=10 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi1-base pvid=10 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3-cloud pvid=20 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi3-cloud pvid=20 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4-iot pvid=30 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi2-iot pvid=30 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5-guests pvid=40 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi4-guests pvid=40 ingress-filtering=yes
/ip firewall connection tracking
# TCP connections must be seen from their initial SYN to become "established";
# mid-stream packets are not adopted as an existing connection.
set loose-tcp-tracking=no
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/LLDP/CDP) only on MGMT interfaces.
set discover-interface-list=MGMT
/ipv6 settings
# IPv6 stack disabled; the /ipv6 firewall filter drops further down are a safety net.
set disable-ipv6=yes
/interface bridge vlan
# VLAN table: the bridge itself is the only tagged member (it hosts the
# /interface vlan interfaces); the access ports are the untagged members.
add bridge=bridge tagged=bridge untagged=ether2-base,wifi1-base vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether3-cloud,wifi3-cloud vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether4-iot,wifi2-iot vlan-ids=30
add bridge=bridge tagged=bridge untagged=ether5-guests,wifi4-guests vlan-ids=\
    40
/interface list member
# wireguard-cloud is WAN only (masqueraded, never treated as LAN).
# wireguard-mgmt is both LAN and MGMT, so the admin PC gets the same rights as
# vlan10/vlan20 plus internet access through the router.
add interface=pppoe-out list=WAN
add interface=wireguard-cloud list=WAN
add interface=vlan10-base list=LAN
add interface=vlan10-base list=MGMT
add interface=vlan20-cloud list=LAN
add interface=vlan20-cloud list=MGMT
add interface=vlan30-iot list=LAN
add interface=vlan40-guests list=LAN
add interface=wireguard-mgmt list=LAN
add interface=wireguard-mgmt list=MGMT
/interface wireguard peers
# Cloud peer: allowed-address=0.0.0.0/0 lets any destination be sent through the
# tunnel and accepts any source arriving from it; which traffic actually enters the
# tunnel is decided by the routing rules, not by this field.
# Admin peer: only 10.255.1.3/32 is accepted from the admin PC, so that peer cannot
# present another tunnel or LAN address as its source. No endpoint-address is set,
# so the PC must always initiate.
add allowed-address=0.0.0.0/0 comment=Cloud endpoint-address={windows_server_public_ip} \
    endpoint-port=59875 interface=wireguard-cloud persistent-keepalive=25s \
    public-key={wireguard_cloud_public_key}
add allowed-address=10.255.1.3/32 comment="Admin PC" interface=wireguard-mgmt \
    public-key={wireguard_mgmt_public_key}
/ip address
# The router holds .1 of each VLAN and of each tunnel subnet.
add address=10.255.0.1/24 interface=wireguard-cloud network=10.255.0.0
add address=10.255.1.1/24 interface=wireguard-mgmt network=10.255.1.0
add address=10.0.10.1/24 interface=vlan10-base network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20-cloud network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30-iot network=10.0.30.0
add address=10.0.40.1/24 interface=vlan40-guests network=10.0.40.0
/ip cloud
# MikroTik cloud time update disabled.
set update-time=no
/ip dhcp-server lease
# Static leases for the two admin machines. The ADMINS address list and the Winbox
# address restriction below rely on these addresses staying fixed; a lease binds an
# IP to a MAC/client-id and is not an authentication of the device behind it.
add address=10.0.10.110 client-id=1:20:a5... comment="macOS" \
    mac-address=20:A5:... server=dhcp10-base
add address=10.0.20.110 client-id=1:20:a5... comment="macOS" \
    mac-address=20:A5:... server=dhcp20-cloud
/ip dhcp-server network
# vlan10/30/40 clients resolve through the router. vlan20 clients are handed the
# OpenDNS resolvers directly, so their DNS queries follow vlan20's routing rule into
# the cloud tunnel instead of being answered by the router (the router's own resolver
# below uses the same servers but via the main table, i.e. through pppoe-out).
add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1
add address=10.0.20.0/24 comment="the different DNS server is used to make th\
    e router use the WireGuard VPN connection for DNS queries" dns-server=\
    208.67.222.222,208.67.220.220 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=10.0.30.1 gateway=10.0.30.1
add address=10.0.40.0/24 dns-server=10.0.40.1 gateway=10.0.40.1
/ip dns
# Router resolver. allow-remote-requests=yes makes it answer on every interface;
# the input chain below is what limits port 53 to LAN interfaces.
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip firewall address-list
# Sources allowed to use Winbox: the two admin machines (static leases above) and
# the admin PC's tunnel address.
add address=10.0.10.110 list=ADMINS
add address=10.0.20.110 list=ADMINS
add address=10.255.1.3 list=ADMINS
/ip firewall filter
# ---- input chain: traffic addressed to the router itself ----
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log-prefix=-drop_invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# WireGuard listener for the admin PC. Not limited to an interface, so it is also
# reachable from pppoe-out; WireGuard only answers peers presenting a valid key,
# which is what makes this acceptable.
add action=accept chain=input comment="allow wireguard-mgmt" dst-port=63574 \
    protocol=udp
# Winbox must arrive on a MGMT interface AND from an ADMINS source;
# /ip service winbox address= below repeats the source restriction.
add action=accept chain=input comment="allow winbox for admins" dst-port=\
    60245 in-interface-list=MGMT protocol=tcp src-address-list=ADMINS
# Router DNS only for LAN interfaces (TCP and UDP).
add action=accept chain=input comment="allow DNS" dst-port=53 \
    in-interface-list=LAN log-prefix=+accept_tcp_dns protocol=tcp
add action=accept chain=input comment="allow DNS" dst-port=53 \
    in-interface-list=LAN log-prefix=+accept_udp_dns protocol=udp
# Any other LAN-to-router traffic is rejected with ICMP admin-prohibited and logged
# (reject rather than drop so that misbehaving LAN clients fail fast and show up in the log).
add action=reject chain=input comment="for tracking LAN issues" \
    in-interface-list=LAN log-prefix=-reject_LAN reject-with=\
    icmp-admin-prohibited
# Everything else - notably anything from pppoe-out or from the wireguard-cloud side - is dropped.
add action=drop chain=input comment="drop all else" log-prefix=-drop_all_else
# ---- forward chain: traffic routed through the router ----
# Once a connection has been accepted by a rule below, fasttrack lets its later
# packets bypass the rest of the filter rules.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix=-drop_invalid
# Any LAN interface (all four VLANs and wireguard-mgmt) to the PPPoE uplink. vlan20
# matches too; its two direct exceptions (Windows server public IP, Cisco VPN server)
# are steered to pppoe-out by the routing rules at the end of this export.
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface=pppoe-out
# vlan10, vlan20 and the remote admin may initiate toward the Windows server's tunnel end.
add action=accept chain=forward comment=\
    "allow base & cloud vlan and wireguard-mgmt to Windows server" \
    in-interface-list=MGMT out-interface=wireguard-cloud
# The admin PC may initiate to every VLAN, including IoT and guests.
add action=accept chain=forward comment="allow wireguard-mgmt to LAN" \
    in-interface=wireguard-mgmt out-interface-list=LAN
# One direction only (cloud -> base); replies come back via established,related.
add action=accept chain=forward comment="allow cloud to base" in-interface=\
    vlan20-cloud out-interface=vlan10-base
# Accepts any dst-natted connection. There are no dstnat rules under /ip firewall nat
# in this export, so this currently matches nothing; it becomes live, with no
# per-port or per-interface restriction, the moment a port forward is added.
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
# Remaining LAN-originated traffic (e.g. base -> cloud, IoT -> anything local) is
# rejected and logged.
add action=reject chain=forward comment="for tracking LAN issues" \
    in-interface-list=LAN log-prefix=-reject_LAN reject-with=\
    icmp-admin-prohibited
# Everything else is dropped. wireguard-cloud is not in LAN, so connections initiated
# from the Windows server side toward the VLANs end here - this is the rule that keeps
# the server out of the VLANs.
add action=drop chain=forward comment="drop all else" log-prefix=\
    -drop_all_else
/ip firewall nat
# Source NAT on both WAN members: pppoe-out (ISP) and wireguard-cloud (vlan20
# traffic reaches the Windows server with source 10.255.0.1).
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
# Routes that exist only in wireguard-cloud-table (selected for vlan20 sources by
# the routing rules below). The 10.255.1.0/24 route keeps vlan20's replies to the
# admin PC on wireguard-mgmt; without it they would follow 0.0.0.0/0 into the cloud tunnel.
add comment="using wiregard-cloud tunnel from vlan20-cloud" dst-address=\
    0.0.0.0/0 gateway=wireguard-cloud routing-table=wireguard-cloud-table
add comment="required to reach devices in vlan20-cloud from wireguard-mgmt" \
    dst-address=10.255.1.0/24 gateway=wireguard-mgmt routing-table=\
    wireguard-cloud-table
/ip service
# Only Winbox is enabled, on a non-default port and only from the three admin
# addresses. ssh is disabled; its port setting is kept but inactive.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=62598
set api disabled=yes
set winbox address=10.0.10.110/32,10.0.20.110/32,10.255.1.3/32 port=60245
set api-ssl disabled=yes
/ip ssh
# Only takes effect if ssh is re-enabled above.
set strong-crypto=yes
/ipv6 firewall filter
# Drop-all for IPv6; redundant while disable-ipv6=yes, harmless otherwise.
add action=drop chain=input comment="drop everything"
add action=drop chain=forward comment="drop everything"
/routing rule
# Evaluated top to bottom for packets sourced from 10.0.20.0/24. The three exceptions
# (vlan10, Windows server public IP, Cisco VPN server) must stay above the catch-all.
# Every rule is lookup-only-in-table, so there is no fallback to main: if
# wireguard-cloud is down, vlan20's internet traffic is dropped rather than leaking
# out through pppoe-out.
add action=lookup-only-in-table comment=\
    "accessing vlan10-base from vlan20-cloud" dst-address=10.0.10.0/24 \
    src-address=10.0.20.0/24 table=main
add action=lookup-only-in-table comment=\
    "direct access to Windows server by its public IP from vlan20-cloud (RDP, SSL in case the WireGuard tunnel fails); see additional requirement #1" dst-address=\
    {windows_server_public_ip}/32 src-address=10.0.20.0/24 table=main
add action=lookup-only-in-table comment=\
    "avoiding VPN over VPN; see additional requirement #2" dst-address=\
    {cisco_vpn_server_ip}/32 src-address=10.0.20.0/24 table=main
add action=lookup-only-in-table comment=\
    "accessing the internet from vlan20-cloud through wireguard-cloud tunnel" \
    src-address=10.0.20.0/24 table=wireguard-cloud-table
/system note
set show-at-login=no
/tool bandwidth-server
# Bandwidth-test server off (it would otherwise be a load/DoS vector on the router).
set enabled=no
/tool mac-server
# MAC-telnet off on every interface.
set allowed-interface-list=none
/tool mac-server mac-winbox
# MAC-Winbox stays on for MGMT, which includes vlan10-base and vlan20-cloud. It works
# at layer 2 and is not subject to the IP input chain or to /ip service winbox address=,
# so any host on those VLANs can reach the Winbox login prompt this way (credentials
# are still required). Set to none unless MAC-level recovery access is wanted.
set allowed-interface-list=MGMT
/tool mac-server ping
set enabled=no

Wireguard server config:
# Windows side of wireguard-cloud: the server end that the router's "Cloud" peer
# connects to on UDP 59875.
[Interface]
PrivateKey = {private_key}
ListenPort = 59875
Address = 10.255.0.2/32
# PostUp runs an external script whose contents are not shown here; presumably it
# sets up forwarding/NAT for the tunnel - confirm, since what the server exposes to
# the tunnel depends entirely on that script.
PostUp = powershell -command ". C:\WireGuard\PostUp.ps1"

[Peer]
PublicKey = {public_key}
# Only the router's tunnel address is accepted from this peer. All vlan20 traffic is
# masqueraded by the router to 10.255.0.1, so nothing with another source can enter
# through this tunnel.
AllowedIPs = 10.255.0.1/32

Wireguard client config for admin pc:
# Admin PC, split tunnel: only the management subnet and the VLAN range are sent to
# the router; everything else stays on the PC's normal uplink.
[Interface]
PrivateKey = {private_key}
ListenPort = 64563
Address = 10.255.1.3/32

[Peer]
PublicKey = {public_key}
# 10.0.0.0/16 covers all four VLANs (10.0.10-40.0/24). Which of them is actually
# reachable is decided by the router's forward chain ("allow wireguard-mgmt to LAN"),
# not by this list.
AllowedIPs = 10.255.1.0/24, 10.0.0.0/16
# Router's wireguard-mgmt listen port. The router's peer entry has no endpoint, so
# the PC always initiates.
Endpoint = {router_public_ip}:63574
Endpoint = {router_public_ip}:63574

Wireguard client config for admin pc + Internet:
# Admin PC, full tunnel: all traffic, including internet, goes to the router. There,
# wireguard-mgmt is a LAN member, so internet-bound traffic is accepted by
# "allow internet traffic" and leaves masqueraded via pppoe-out - i.e. via the home
# ISP, not via the Windows server (no routing rule matches a 10.255.1.x source).
[Interface]
PrivateKey = {private_key}
ListenPort = 64563
Address = 10.255.1.3/32
# Resolvers are reached through the tunnel and out pppoe-out. The router's own
# resolver at 10.255.1.1 is also reachable, since the input chain allows DNS from LAN.
DNS = 208.67.222.222,208.67.220.220

[Peer]
PublicKey = {public_key}
AllowedIPs = 0.0.0.0/0
# Same endpoint as the split-tunnel profile; only AllowedIPs and DNS differ.
Endpoint = {router_public_ip}:63574

Is there anything in this configuration you think is incorrect? :)