Hi, I'm trying to confiigure mikrotik as it presented in the network diagram below.
I've already managed some of the main setting but there are a few I'm stuck with.
1) L2TP+IPSec tunnel between Main Office and Office2 with access to local networks behind routers. - Done
2) WireGuard interface (wg-snet) to access Main Office and Office2 local networks ONLY (without tunneling other data) for the remote user (WG SNET USER). - Partitialy done, I have access to Main Office local network but can't connect to Office2.
3) WireGuard interface (wg-vpn) for tunneling all data through Main Office WAN ONLY (without access to local networks) for the remote user (WG VPN USER). - Done
4) Access to MT1 from specific WG SNET USER. - Done
5) Access to MT2 from specific WG SNET USER.
6) Isolate WG peers from each other. - Done
So looks L2TP+IPSec tunnel and WG interfaces are working well and the main problem is connecting to Office2 local network from WG SNET USER. I would really appreciate if you could help me with it.
You can find MT1, MT2 and WG peers configs below.
MT1
I've already managed some of the main setting but there are a few I'm stuck with.
1) L2TP+IPSec tunnel between Main Office and Office2 with access to local networks behind routers. - Done
2) WireGuard interface (wg-snet) to access Main Office and Office2 local networks ONLY (without tunneling other data) for the remote user (WG SNET USER). - Partitialy done, I have access to Main Office local network but can't connect to Office2.
3) WireGuard interface (wg-vpn) for tunneling all data through Main Office WAN ONLY (without access to local networks) for the remote user (WG VPN USER). - Done
4) Access to MT1 from specific WG SNET USER. - Done
5) Access to MT2 from specific WG SNET USER.
6) Isolate WG peers from each other. - Done
So looks L2TP+IPSec tunnel and WG interfaces are working well and the main problem is connecting to Office2 local network from WG SNET USER. I would really appreciate if you could help me with it.
You can find MT1, MT2 and WG peers configs below.
MT1
MT2# 2024-01-07 15:08:06 by RouterOS 7.11.2
# software id = 38WX-HX7F
#
# model = RBD52G-5HacD2HnD
# serial number = XXXXXXXXXX
/interface bridge
add admin-mac=48:XX:XX:XX:XX:1B auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] comment=d
/interface l2tp-server
add comment=snet name=l2tp-in1 user=snet
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country=xxx disabled=no distance=indoors frequency=auto installation=\
indoor mode=ap-bridge ssid=mainoffice wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
country=xxx disabled=no distance=indoors frequency=auto installation=\
indoor mode=ap-bridge ssid=mainoff1ce wireless-protocol=802.11
/interface pppoe-client
add add-default-route=yes comment=isp disabled=no interface=ether1 name=\
pppoe-out1 use-peer-dns=yes user=v41701542
/interface wireguard
add listen-port=22522 mtu=1420 name=wg-snet
add listen-port=13531 mtu=1420 name=wg-vpn
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=l2tp_pool ranges=10.10.5.1-10.10.5.100
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=1m name=defconf
/ppp profile
add local-address=l2tp_pool name=l2tp remote-address=l2tp_pool
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface wireguard peers
add allowed-address=10.11.12.13/32 comment=d-laptop interface=wg-snet persistent-keepalive=25s public-key=\
"4i+kXXXXXXXXXYXOEI="
add allowed-address=10.9.8.7/32 comment=d-laptop interface=wg-snet persistent-keepalive=25s public-key=\
"BuKMXITRXXXXXXRAQ="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=10.11.12.1/24 interface=wg-snet network=10.11.12.0
add address=10.9.8.1/24 interface=wg-vpn network=10.9.8.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=l2tp dst-port=1701,500,4500 \
in-interface-list=WAN protocol=udp
add action=accept chain=input comment=wg-snet dst-port=22522 in-interface-list=\
WAN protocol=udp
add action=accept chain=input comment=wg-vpn dst-port=13531 in-interface-list=\
WAN protocol=udp
add action=accept chain=input comment="Access MT from d-laptop" dst-port=\
22,23,80,8291 in-interface=wg-snet protocol=tcp src-address=\
10.11.12.13
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Block Internet for WG-SNet" \
out-interface-list=WAN src-address=10.11.12.0/24
add action=drop chain=forward comment="Block LAN for WG-VPN" \
out-interface-list=LAN src-address=10.9.8.0/24
add action=reject chain=forward comment="Isolating wg-snet peers" in-interface=wg-snet out-interface=wg-snet reject-with=\
icmp-network-unreachable
add action=reject chain=forward comment="Isolating wg-vpn peers" in-interface=wg-vpn out-interface=wg-vpn reject-with=\
icmp-network-unreachable
/ip firewall mangle
add action=mark-packet chain=prerouting connection-state=new dst-address=\
111.111.111.111 in-interface=bridge new-packet-mark=nat-loopback \
passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="NAT Loopback replace address" \
packet-mark=nat-loopback
/ip route
add disabled=no distance=1 dst-address=192.168.111.0/24 gateway=l2tp-in1 \
pref-src=192.168.88.1 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
/ppp secret
add name=skynet profile=l2tp service=l2tp
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Athens
/system note
set show-at-login=no
/system package update
set channel=testing
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
WG SNET USERMT2
# jan/07/2024 15:36:47 by RouterOS 6.49.6
# software id = BGGS-1Q5G
#
# model = 951Ui-2nD
# serial number = XXXXXXXX
/interface bridge
add admin-mac=64:XX:XX:XX:XX:D6 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=ISP
set [ find default-name=ether2 ] comment=LTE
/interface l2tp-client
add allow=mschap2 comment=snet connect-to=111.111.111.111 disabled=no name=l2tp-out1 use-ipsec=yes \
user=snet
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors \
frequency=auto installation=indoor mode=ap-bridge ssid=Office2 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=\
MikroTik
/ip pool
add name=dhcp ranges=192.168.111.10-192.168.111.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add list=LAN
add interface=ether2 list=WAN
/ip address
add address=192.168.111.1/24 comment=defconf interface=bridge network=192.168.111.0
/ip dhcp-client
add add-default-route=no comment="Primary WAN" disabled=no interface=ether1
add add-default-route=no comment="Redundant WAN" disabled=no interface=ether2
/ip dhcp-server network
add address=192.168.111.0/24 comment=defconf dns-server=1.1.1.1,1.0.0.1 \
gateway=192.168.111.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.111.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=\
127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=\
!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes out-interface=*9
/ip route
add comment="primary gateway" distance=2 gateway=192.168.1.1
add comment="secondary gateway" distance=3 gateway=192.168.222.1
add distance=1 dst-address=8.8.8.8/32 gateway=192.168.1.1
add distance=1 dst-address=192.168.88.0/24 gateway=l2tp-out1 pref-src=192.168.111.1
/ip service
set ssh disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Athens
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[Interface]
PrivateKey = XXXXXXXX=
Address = 10.11.12.13/32
[Peer]
PublicKey = XXXXXXX=
AllowedIPs = 10.11.12.0/24, 192.168.88.0/24, 192.168.111.0/24
Endpoint = 111.111.111.111:22522
PersistentKeepalive = 25
Statistics: Posted by Juhani — Sun Jan 07, 2024 10:18 pm