i am setting up a config for an MT router which is behind NAT and has multiple subnets divided into VLANs. What i need is to set up WireGuard connectivity for different users to their own subnet/VLAN. The attached config is from my EVE lab and is not online.
Example
10.99.99.0/24 is mgmt subnet with vlan999
10.30.30.0/24 is camera subnet with vlan300
10.20.20.0/24 is home automation subnet with vlan200
So, now i need to set up WG connectivity to this site (which has a dynamic public IP) for different users/different VLANs.
Although i have set up this config with the help of different YT videos, I still have a few questions:
.can i use a dyndns.com address in order to connect to the site? (the script for dyndns.com is missing from the config; alternatively i could use the cloud address)
.in the firewall i have taken these lines from another config (172.0.. is my WG subnet, but the 192.168... is the subnet of... what?). Do i need to enter all the VLAN subnets here?
# Both rules are disabled. 192.168.88.0/24 does not appear anywhere else in this
# config (it is the LAN range used by MikroTik's default configuration), so these
# lines were written for a different router; dst-address-list="" is an empty matcher.
add action=accept chain=forward comment="fwd LAN to WG" disabled=yes dst-address=172.16.0.0/24 src-address=192.168.88.0/24
add action=accept chain=forward comment="fwd WG to LAN" disabled=yes dst-address=192.168.88.0/24 dst-address-list="" src-address=172.16.0.0/24
.Is this the right way to restrict different WG users to only their own subnet/VLAN:
/interface wireguard peers
# NOTE(review): allowed-address is WireGuard's cryptokey-routing table, not an access
# list. The router accepts a peer's decrypted packets only when their source IP is
# inside allowed-address, and it routes packets destined to that prefix through the
# peer. The VLAN subnets below are the router's own local networks, so giving them to
# remote peers cannot be what is intended. Give each client one tunnel address inside
# the wg1 network (e.g. allowed-address=172.16.0.<N>/32) and restrict what that client
# may reach with forward-chain firewall rules (src-address=<tunnel IP>/32,
# dst-address=<VLAN subnet>) followed by a drop.
# endpoint-address is normally left empty on the server side for clients with changing
# addresses; the clients configure the router's DDNS name as their endpoint.
add allowed-address=10.200.200.0/24 endpoint-address=address.dyndns.com interface=wg1 public-key="public-key1"
add allowed-address=10.30.30.0/24 endpoint-address=address.dyndns.com interface=wg1 public-key="public-key2"
add allowed-address=10.99.99.0/24 endpoint-address=address.dyndns.com interface=wg1 public-key="public-key"
My script:
# mar/18/2024 13:28:58 by RouterOS 7.9.1
# software id =
#
# Lab export of a VLAN-segmented site router that should terminate WireGuard clients and
# confine each client to one VLAN.
# NOTE(review): as exported, neither the peer definitions nor the firewall enforce that
# goal -- see the comments under /interface wireguard peers and /ip firewall filter.
/interface bridge
# VLAN filtering is enabled. pvid=999 places untagged frames reaching the bridge's own
# (CPU) port into the mgmt VLAN. ingress-filtering=no means frames with VLAN IDs not in
# the bridge VLAN table are not dropped on ingress; ingress-filtering=yes is the usual
# choice on a VLAN-filtering bridge.
add ingress-filtering=no name=bridge1 pvid=999 vlan-filtering=yes
/interface pppoe-client
# Uplink definition 1 of 3 on ether1 (see also the static /ip address and the
# /ip dhcp-client on ether1 below). The NAT and "wireguard to WAN" rules match
# out-interface=ether1, not pppoe-out1, so if PPPoE is the real uplink they will not
# match traffic leaving through it.
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1
/interface wireguard
# listen-port must agree with the "allow wireguard" input rules below (it does: 13299).
# The private-key value is a placeholder; generate a real key on the router and never
# paste it into shared configs.
add comment="WG connection to main site" listen-port=13299 mtu=1420 name=wg1 \
private-key="private-key="
/interface vlan
# VLAN 200 is named "guest" here but is described as home automation in the accompanying
# post; VLAN 100 (corp) has no role in the post.
add interface=bridge1 name=vlan100-corp vlan-id=100
add interface=bridge1 name=vlan200-guest vlan-id=200
add interface=bridge1 name=vlan300-camera vlan-id=300
add interface=bridge1 name=vlan999-mgmt vlan-id=999
/interface list
# Interface list of the four VLAN interfaces (members added under
# /interface list member); referenced by the "allow wireguard to LAN" forward rule.
add name=LAN
/interface wireless security-profiles
# Default wireless profile only; no wireless interface appears in this export.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# One pool per VLAN. Each ends at .253 so the .254 gateway address stays outside the pool.
add name=dhcp_pool0 ranges=10.100.100.1-10.100.100.253
add name=dhcp_pool1 ranges=10.200.200.1-10.200.200.253
add name=dhcp_pool2 ranges=10.30.30.1-10.30.30.253
add name=dhcp_pool3 ranges=10.99.99.1-10.99.99.253
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan100-corp name=dhcp1
add address-pool=dhcp_pool1 interface=vlan200-guest name=dhcp2
add address-pool=dhcp_pool2 interface=vlan300-camera name=dhcp3
add address-pool=dhcp_pool3 interface=vlan999-mgmt name=dhcp4
/port
set 0 name=serial0
/interface bridge port
# ether3 and ether7 carry VLAN 200 untagged; ether2/4/5/8 place untagged frames into
# VLAN 999 (mgmt). ether3, ether7 and ether8 have no static entry in the bridge VLAN
# table below, so their membership comes only from the dynamic pvid entries.
add bridge=bridge1 interface=ether3 pvid=200
add bridge=bridge1 interface=ether2 pvid=999
add bridge=bridge1 interface=ether4 pvid=999
add bridge=bridge1 interface=ether8 pvid=999
add bridge=bridge1 interface=ether7 pvid=200
add bridge=bridge1 interface=ether5 pvid=999
/ip neighbor discovery-settings
# Neighbor discovery runs on every interface, including the uplink and wg1. Limiting it
# to the LAN list (discover-interface-list=LAN) avoids advertising the router toward
# untrusted networks.
set discover-interface-list=all
/interface bridge vlan
# ether2/4/5 are hybrid trunks: tagged for VLANs 100/200/300 and untagged for 999.
# Any device plugged into one of them therefore lands in the mgmt VLAN by default;
# consider carrying mgmt tagged and using an unused native VLAN on trunk ports.
add bridge=bridge1 tagged=bridge1,ether2,ether4,ether5 vlan-ids=200
add bridge=bridge1 tagged=bridge1,ether2,ether4,ether5 vlan-ids=100
add bridge=bridge1 tagged=bridge1,ether2,ether4,ether5 vlan-ids=300
add bridge=bridge1 tagged=bridge1 untagged=ether4,ether2,ether5 vlan-ids=999
/interface list member
add interface=vlan100-corp list=LAN
add interface=vlan200-guest list=LAN
add interface=vlan300-camera list=LAN
add interface=vlan999-mgmt list=LAN
/interface wireguard peers
# NOTE(review): allowed-address is WireGuard's cryptokey-routing table, not an access
# list. The router accepts a peer's decrypted packets only when their source IP lies
# inside allowed-address, and it routes packets for that prefix through the peer. Each
# peer below is given a VLAN prefix that this router already owns locally (see
# /ip address), which cannot be what is intended. Give each client one tunnel address
# inside the wg1 network, e.g. allowed-address=172.16.0.<N>/32, and express "this user
# may reach only VLAN X" as forward-chain filter rules (src-address=<tunnel IP>/32,
# dst-address=<VLAN subnet>) followed by a drop.
# endpoint-address is normally left empty on the server side for clients with changing
# addresses; the clients configure the router's DDNS name as their endpoint.
add allowed-address=10.200.200.0/24 endpoint-address=address.dyndns.com \
interface=wg1 public-key="public-key1"
add allowed-address=10.30.30.0/24 endpoint-address=address.dyndns.com \
interface=wg1 public-key="public-key2"
add allowed-address=10.99.99.0/24 endpoint-address=address.dyndns.com \
interface=wg1 public-key="public-key"
/ip address
# Uplink definition 2 of 3: static address on ether1, alongside pppoe-out1 and the
# dhcp-client below.
add address=10.0.0.20/24 interface=ether1 network=10.0.0.0
add address=10.100.100.254/24 interface=vlan100-corp network=10.100.100.0
add address=10.200.200.254/24 interface=vlan200-guest network=10.200.200.0
add address=10.30.30.254/24 interface=vlan300-camera network=10.30.30.0
add address=10.99.99.254/24 interface=vlan999-mgmt network=10.99.99.0
# Tunnel network of wg1; per-client tunnel addresses (allowed-address above) belong here.
add address=172.16.0.1/24 interface=wg1 network=172.16.0.0
/ip dhcp-client
# Uplink definition 3 of 3: dynamic address on the same port that already has a static
# address and a PPPoE client.
add interface=ether1
/ip dhcp-server network
add address=10.30.30.0/24 gateway=10.30.30.254
add address=10.99.99.0/24 gateway=10.99.99.254
add address=10.100.100.0/24 gateway=10.100.100.254
add address=10.200.200.0/24 gateway=10.200.200.254
/ip dns
# The router answers DNS queries from any interface. Without a final input-chain drop
# (see /ip firewall filter) this makes it an open resolver toward the uplink.
set allow-remote-requests=yes
/ip firewall address-list
# Address list of the VLAN subnets. No rule in this export references address-list=LAN
# (the forward rule uses the *interface* list of the same name), so it is unused here.
add address=10.99.99.0/24 list=LAN
add address=10.200.200.0/24 list=LAN
add address=10.30.30.0/24 list=LAN
add address=10.100.100.0/24 list=LAN
/ip firewall filter
# Rules are evaluated per chain in the order listed. Input = traffic to the router
# itself; forward = traffic routed through it.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input connection-state=invalid
# IPsec/IKE, L2TP, PPTP and SSTP are opened on input, but no server for any of them
# appears in this export. Remove what is not used; PPTP in particular is widely regarded
# as insecure.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
# The two "allow wireguard" rules are identical apart from the comment; the second one
# never matches. log=yes logs every packet that reaches the rule.
add action=accept chain=input comment="allow wireguard" dst-port=13299 log=\
yes log-prefix=wg protocol=udp
add action=accept chain=input comment="allow wireguard Handshake" dst-port=\
13299 log=yes log-prefix=wg protocol=udp
# Every peer may reach every service of the router itself (management included) through
# the tunnel; narrow this (e.g. by dst-port) if peers only need DNS or nothing at all.
add action=accept chain=input comment="allow wireguard to other networks" \
in-interface=wg1 log=yes log-prefix=wg
# Lets every peer reach every VLAN. Per-user restriction needs one rule per peer keyed on
# src-address (the peer's tunnel IP) and dst-address (its VLAN), followed by a drop.
add action=accept chain=forward comment="allow wireguard to LAN" \
in-interface=wg1 out-interface-list=LAN
add action=accept chain=forward comment="allow wireguard to WAN" \
in-interface=wg1 out-interface=ether1
# NOTE(review): accepting connection-state=new here accepts all remaining forwarded
# traffic (only "invalid" is left for the next rule). Traffic between the VLANs (camera,
# home automation, mgmt) is therefore unrestricted, and any per-peer restriction placed
# after this rule would never be reached. Remove "new" from this list, add explicit
# accepts for the flows you want, and end the chain with
# `add action=drop chain=forward comment="drop all else"`.
add action=accept chain=forward comment=\
"accept established,related,new,untracked" connection-state=\
established,related,new,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=input comment="Allow ICMP ping" protocol=icmp
# NOTE(review): the input chain has no final drop, so whatever services the router
# exposes (the /ip service settings are not in this export) are reachable from the
# uplink. Add, as the last input rule,
# `add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN`
# -- the WireGuard accepts above stay in front of it, so the tunnel keeps working.
# Disabled rules copied from another config: 192.168.88.0/24 appears nowhere else in this
# export (it is the LAN range of MikroTik's default configuration) and dst-address-list=""
# is an empty matcher. With the accept-new rule above they would be redundant anyway.
add action=accept chain=forward comment="fwd LAN to WG" disabled=yes \
dst-address=172.16.0.0/24 src-address=192.168.88.0/24
add action=accept chain=forward comment="fwd WG to LAN" disabled=yes \
dst-address=192.168.88.0/24 dst-address-list="" src-address=172.16.0.0/24
/ip firewall nat
# Two identical masquerade rules; the second never matches. Both match ether1, not
# pppoe-out1 (see /interface pppoe-client).
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat comment="masw. wireguard" out-interface=\
ether1
/system identity
set name="Mikrotik Spine"
/system note
set show-at-login=no
Thank you for any help/info/tip/guidance!
korg