Beginner Basics • Re: Wireguard - roadwarrior configuration following guide (no internet or LAN connection)

Observations:

RB5009 Where is the WAN information??


1. DHCP SERVER-NETWORK PROBLEM:
From:
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24


TO:
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1

2. Your Firewall rules are LACKING. Does this router connect directly to the internet ( aka you get a public IP , or are you forwarding the WG port from an upstream router? )

3. WWW IP service should be DISABLED; it's not a secure access method and is a security risk.

4. mac-server by itself is also not a secure access method and should be set to NONE.

CLIENT

5. Don't see persistent keep alive set??? but from the text above, appears there must be one..........
1) The config shows both:
Code:
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
add address=192.168.0.0/24 dns-server=198.168.0.1,8.8.8.8 gateway=192.168.0.1

Are you recommending I remove the first entry
Code:
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
and only keep the second entry
Code:
(add address=192.168.0.0/24 dns-server=198.168.0.1,8.8.8.8 gateway=192.168.0.1)


2) My RB5009 SFP+ is configured as a WAN interface and connects directly to my ISP modem. The 'address acquisition' is set to automatic. Could you help clarify what other settings are recommended? My SFP+ port is configured for the WAN access to my ISP and all other ports are bridged for a local LAN. At this time, I only want to allow WireGuard connections for roadwarriors. Roadwarriors would route all traffic through WireGuard and have access to the internet and all LAN devices. Access to the router web configuration or WinBox is to be limited to users on the local LAN or remote users using WireGuard. I'll work on creating VLANs in the future to separate IoT devices once I better educate myself.

3) With the configuration file allowing 192.168.0.0/24, which is the local LAN, how would this be a security risk? Could you clarify or provide a recommendation?

4) I started off using WinBox for my initial configuration. I may need to turn this off, as I need to better understand what this is for. My initial assumption was to allow access for WinBox on the local LAN, which is why I set the allowed interface list to 'listBridge', which are my bridged LAN ports.

5) The client file does not have a PersistentKeepalive entry. I need to read up on this option and educate myself. Is this a setting for both the RB5009 and client file?

Statistics: Posted by rlm — Fri Jan 12, 2024 6:27 pm
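The RouterOS commands below apply the five points raised in the quoted observations; they are an added example by the editor, not configuration posted by either participant. The WireGuard subnet 10.255.255.0/24 and the peer comment "roadwarrior-1" are placeholders, since the thread does not give them.

```routeros
# Added example, not from the thread. Placeholders: 10.255.255.0/24 is the
# assumed WireGuard roadwarrior subnet, "roadwarrior-1" the assumed peer comment.

# 1. DHCP network: remove the 0.0.0.0/24 entry and keep the LAN entry with the
#    router as gateway and DNS, as the From/To in the observations recommends.
/ip dhcp-server network
remove [find address=0.0.0.0/24]
set [find address=192.168.0.0/24] dns-server=192.168.0.1 gateway=192.168.0.1

# 3. www is plain HTTP, so logins cross the network unencrypted; disable it
#    (and the other cleartext services) and limit WinBox to the LAN and the
#    WireGuard subnet, which is the access model described in the reply.
/ip service
set www disabled=yes
set telnet disabled=yes
set ftp disabled=yes
set winbox address=192.168.0.0/24,10.255.255.0/24

# 4. MAC-server access works at layer 2 and is not subject to the IP firewall
#    filter, so set both MAC-telnet and MAC-WinBox to no interfaces.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none

# 5. Keepalive is configured per peer. On the router, for this peer:
/interface wireguard peers
set [find comment="roadwarrior-1"] persistent-keepalive=25s
# On the client it is a line in the [Peer] section of the .conf file:
#   PersistentKeepalive = 25
# The client behind NAT is the side that needs it; setting it on both sides
# is harmless.
```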
