Hello MT community,
I am setting up a config for a MT router which is behind NAT and has multiple subnets divided into VLANs. What I need is to set up WireGuard connectivity for different users to their own subnet/VLAN. The attached config is from my EVE lab and not online.
Example
10.99.99.0/24 is mgmt subnet with vlan999
10.30.30.0/24 is camera subnet with vlan300
10.20.20.0/24 is home automation subnet with vlan200
So, now I need to set up WG connectivity to this site with a dynamic public IP for different users/different VLANs.
Although I have set up this config with the help of different YT videos, I still have a few questions:
- Can I use a dyndns.com address in order to connect to the site? (The config is missing the script for dyndns.com, or I could use the cloud address.)
- In the firewall I have taken those lines from another config (172.0.. is my WG subnet and the 192.168... is the subnet of.. what?). Do I need to enter all VLAN subnets here?
add action=accept chain=forward comment="fwd LAN to WG" disabled=yes dst-address=172.16.0.0/24 src-address=192.168.88.0/24
add action=accept chain=forward comment="fwd WG to LAN" disabled=yes dst-address=192.168.88.0/24 dst-address-list="" src-address=172.16.0.0/24
- Is this the right way to enable different WG users only to their subnet/VLAN:
/interface wireguard peers
add allowed-address=10.200.200.0/24 endpoint-address=address.dyndns.com interface=wg1 public-key="public-key1"
add allowed-address=10.30.30.0/24 endpoint-address=address.dyndns.com interface=wg1 public-key="public-key2"
add allowed-address=10.99.99.0/24 endpoint-address=address.dyndns.com interface=wg1 public-key="public-key"
My script:
# mar/18/2024 13:28:58 by RouterOS 7.9.1
# software id =
#
/interface bridge
add ingress-filtering=no name=bridge1 pvid=999 vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1
/interface wireguard
add comment="WG connection to main site" listen-port=13299 mtu=1420 name=wg1 private-key="private-key="
/interface vlan
add interface=bridge1 name=vlan100-corp vlan-id=100
add interface=bridge1 name=vlan200-guest vlan-id=200
add interface=bridge1 name=vlan300-camera vlan-id=300
add interface=bridge1 name=vlan999-mgmt vlan-id=999
/interface list
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.100.100.1-10.100.100.253
add name=dhcp_pool1 ranges=10.200.200.1-10.200.200.253
add name=dhcp_pool2 ranges=10.30.30.1-10.30.30.253
add name=dhcp_pool3 ranges=10.99.99.1-10.99.99.253
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan100-corp name=dhcp1
add address-pool=dhcp_pool1 interface=vlan200-guest name=dhcp2
add address-pool=dhcp_pool2 interface=vlan300-camera name=dhcp3
add address-pool=dhcp_pool3 interface=vlan999-mgmt name=dhcp4
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether3 pvid=200
add bridge=bridge1 interface=ether2 pvid=999
add bridge=bridge1 interface=ether4 pvid=999
add bridge=bridge1 interface=ether8 pvid=999
add bridge=bridge1 interface=ether7 pvid=200
add bridge=bridge1 interface=ether5 pvid=999
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2,ether4,ether5 vlan-ids=200
add bridge=bridge1 tagged=bridge1,ether2,ether4,ether5 vlan-ids=100
add bridge=bridge1 tagged=bridge1,ether2,ether4,ether5 vlan-ids=300
add bridge=bridge1 tagged=bridge1 untagged=ether4,ether2,ether5 vlan-ids=999
/interface list member
add interface=vlan100-corp list=LAN
add interface=vlan200-guest list=LAN
add interface=vlan300-camera list=LAN
add interface=vlan999-mgmt list=LAN
/interface wireguard peers
add allowed-address=10.200.200.0/24 endpoint-address=address.dyndns.com interface=wg1 public-key="public-key1"
add allowed-address=10.30.30.0/24 endpoint-address=address.dyndns.com interface=wg1 public-key="public-key2"
add allowed-address=10.99.99.0/24 endpoint-address=address.dyndns.com interface=wg1 public-key="public-key"
/ip address
add address=10.0.0.20/24 interface=ether1 network=10.0.0.0
add address=10.100.100.254/24 interface=vlan100-corp network=10.100.100.0
add address=10.200.200.254/24 interface=vlan200-guest network=10.200.200.0
add address=10.30.30.254/24 interface=vlan300-camera network=10.30.30.0
add address=10.99.99.254/24 interface=vlan999-mgmt network=10.99.99.0
add address=172.16.0.1/24 interface=wg1 network=172.16.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.30.30.0/24 gateway=10.30.30.254
add address=10.99.99.0/24 gateway=10.99.99.254
add address=10.100.100.0/24 gateway=10.100.100.254
add address=10.200.200.0/24 gateway=10.200.200.254
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=10.99.99.0/24 list=LAN
add address=10.200.200.0/24 list=LAN
add address=10.30.30.0/24 list=LAN
add address=10.100.100.0/24 list=LAN
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="allow wireguard" dst-port=13299 log=yes log-prefix=wg protocol=udp
add action=accept chain=input comment="allow wireguard Handshake" dst-port=13299 log=yes log-prefix=wg protocol=udp
add action=accept chain=input comment="allow wireguard to other networks" in-interface=wg1 log=yes log-prefix=wg
add action=accept chain=forward comment="allow wireguard to LAN" in-interface=wg1 out-interface-list=LAN
add action=accept chain=forward comment="allow wireguard to WAN" in-interface=wg1 out-interface=ether1
add action=accept chain=forward comment="accept established,related,new,untracked" connection-state=established,related,new,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=input comment="Allow ICMP ping" protocol=icmp
add action=accept chain=forward comment="fwd LAN to WG" disabled=yes dst-address=172.16.0.0/24 src-address=192.168.88.0/24
add action=accept chain=forward comment="fwd WG to LAN" disabled=yes dst-address=192.168.88.0/24 dst-address-list="" src-address=172.16.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat comment="masw. wireguard" out-interface=ether1
/system identity
set name="Mikrotik Spine"
/system note
set show-at-login=no
Thank you for any help/info/tip/guidance!
korg
Statistics: Posted by korg — Mon Mar 18, 2024 3:41 pm
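The following is an added editorial example, not part of korg's post or config, showing the per-user/per-VLAN pattern the third question asks about. In WireGuard, a peer's allowed-address is the peer's own tunnel address (cryptokey routing: a decrypted packet is only accepted if its source lies inside that peer's allowed-address, and only packets destined there are sent to that peer), so the "which VLAN may this user reach" decision belongs in forward-chain firewall rules keyed on the tunnel address, not in allowed-address. The 192.168.88.0/24 in the copied rules is the RouterOS default-configuration LAN and does not exist in this lab, so those rules would never match. Assumed values: tunnel addresses 172.16.0.2-.4 inside the post's 172.16.0.0/24 wg1 subnet, placeholder public keys, and the VLAN interface names from the posted export; /ip cloud is RouterOS's built-in DDNS and stands in for the missing dyndns.com script.

```routeros
# Added example (not from the original post). Assumes tunnel addresses
# 172.16.0.2-.4 and placeholder keys; interface names are from the post.

# Built-in DDNS: after enabling, "/ip cloud print" shows the dns-name the
# remote clients use as Endpoint (dns-name:13299), even behind a dynamic IP.
/ip cloud
set ddns-enabled=yes

# One peer per user. allowed-address is the user's tunnel address, not the
# VLAN it may reach. No endpoint-address on the router side: road-warrior
# clients dial in from changing addresses and the router learns the
# endpoint at handshake time. On the CLIENT side, AllowedIPs is the VLAN
# that user may reach (e.g. 10.30.30.0/24 for the camera user).
/interface wireguard peers
add comment="camera user"   interface=wg1 allowed-address=172.16.0.2/32 public-key="PLACEHOLDER-PUBKEY-CAMERA"
add comment="home-auto user" interface=wg1 allowed-address=172.16.0.3/32 public-key="PLACEHOLDER-PUBKEY-HOMEAUTO"
add comment="mgmt user"     interface=wg1 allowed-address=172.16.0.4/32 public-key="PLACEHOLDER-PUBKEY-MGMT"

# Forward chain. src-address is trustworthy here only because WireGuard
# already discarded any packet whose source did not match the sending
# peer's allowed-address, so user A cannot spoof user B's tunnel address.
# Rule order matters: RouterOS evaluates top to bottom and appends new
# rules at the end, so these must sit ABOVE any broad accept such as
# "accept established,related,new,untracked", which otherwise matches first.
/ip firewall filter
add chain=forward action=accept comment="replies for existing connections" \
    connection-state=established,related
add chain=forward action=drop   comment="drop invalid" connection-state=invalid
add chain=forward action=accept comment="WG camera user -> vlan300" \
    in-interface=wg1 src-address=172.16.0.2 out-interface=vlan300-camera
add chain=forward action=accept comment="WG home-auto user -> vlan200" \
    in-interface=wg1 src-address=172.16.0.3 out-interface=vlan200-guest
add chain=forward action=accept comment="WG mgmt user -> vlan999" \
    in-interface=wg1 src-address=172.16.0.4 out-interface=vlan999-mgmt
add chain=forward action=drop   comment="WG: everything else from the tunnel" \
    in-interface=wg1

# Input chain: the router itself only needs to accept the WireGuard UDP
# port from the WAN; one rule is enough for both handshake and data.
add chain=input action=accept comment="WireGuard listen port" \
    protocol=udp dst-port=13299
```

With this layout, adding a fourth user means one new peer line and one new forward accept rule; deleting a user removes both, and the final in-interface=wg1 drop guarantees that a peer with no matching accept rule reaches nothing. The masquerade rule on ether1 from the post is unaffected, since tunnel traffic is routed, not NATed, into the VLANs.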