untrue
just joined
Topic Author
Posts: 8
Joined: Mon Apr 15, 2024 3:33 pm

Wireguard client allow for all bridge subnets

Mon Apr 15, 2024 3:45 pm

Dear board members, I am struggling with Wireguard client firewall settings. I am able to connect to the Wireguard interface with my client (192.168.90.100) and access the router via the web interface (192.168.88.1, allowed via a firewall rule). There is another device on the 88 ("bridge1") subnet, e.g. 192.168.88.2, but even if I allow this device explicitly in the firewall, analogous to the allow-wireguard-router rule, it does not work. The same problem appears with the DHCP subnet and the devices on it (e.g. 192.168.89.250): I cannot ping or access them.

In my wireguard client config, I set the Permitted-Networks to 192.168.0.0/16 (just to be sure), and the subnet jump from 192.168.90.x to 88.x seems to work. Or maybe this only works because the "wireguard" interface is in the .90.x subnet and is thus accessible...?

What am I missing here? Maybe someone can help me since I am struggling for a while now. Thanks a lot in advance.

Find my config below
# apr/15/2024 14:29:11 by RouterOS 7.8
# software id = EZFV-DY09
#
# model = CCR2004-1G-12S+2XS
# serial number = removed
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no name=wan-sfpplus1 \
speed=1Gbps
/interface wireguard
add listen-port=xxx name=wireguard-vpn
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.89.2-192.168.91.254
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=sfp-sfpplus3
add bridge=bridge1 interface=sfp-sfpplus4
add bridge=bridge1 interface=sfp-sfpplus5
add bridge=bridge1 interface=sfp-sfpplus6
add bridge=bridge1 interface=sfp-sfpplus7
add bridge=bridge1 interface=sfp-sfpplus8
add bridge=bridge1 interface=sfp-sfpplus9
add bridge=bridge1 interface=sfp-sfpplus10
add bridge=bridge1 interface=sfp-sfpplus11
add bridge=bridge1 interface=sfp-sfpplus12
add bridge=bridge1 interface=sfp28-1
add bridge=bridge1 interface=sfp28-2
add bridge=bridge1 disabled=yes interface=wan-sfpplus1
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=\
LAN wan-interface-list=WAN
/interface list member
add interface=wan-sfpplus1 list=WAN
add interface=bridge1 list=LAN
add interface=wireguard-vpn list=LAN
/interface wireguard peers
add allowed-address=192.168.90.100/32 comment=removed interface=\
wireguard-vpn public-key=removed
/ip address
add address=removed comment=defconf disabled=yes interface=wan-sfpplus1 \
network=removed
add address=192.168.88.1/22 interface=bridge1 network=192.168.88.0
add address=removed interface=wan-sfpplus1 network=removed
add address=192.168.90.10/24 interface=wireguard-vpn network=192.168.90.0
/ip dhcp-client
add disabled=yes interface=wan-sfpplus1
/ip dhcp-server config
set store-leases-disk=2h5m
/ip dhcp-server lease
add address=192.168.88.2 client-id=removed mac-address=\
removed server=dhcp1
add address=192.168.89.250 client-id=removed mac-address=\
removed server=dhcp1
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
add address=192.168.88.0/22 dns-server=192.168.88.1 gateway=192.168.88.1 \
netmask=22
/ip dns
set allow-remote-requests=yes servers=removed
/ip firewall filter
add action=accept chain=input comment="WAN -> Firewall Wireguard Access" \
dst-port=xyz protocol=udp
add action=accept chain=input connection-state=established,related
add action=accept chain=input in-interface=bridge1
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward in-interface=bridge1
add action=accept chain=input comment="Allow Wireguard access" disabled=yes \
in-interface=wireguard-vpn
add action=accept chain=input disabled=yes dst-address=192.168.88.1 \
in-interface=wireguard-vpn
add action=accept chain=input dst-address=192.168.88.0/22 in-interface=\
wireguard-vpn
add action=drop chain=input
add action=accept chain=forward comment="Wireguard to LAN Access " \
dst-address=192.168.88.0/22 in-interface=wireguard-vpn out-interface=\
bridge1
add action=drop chain=forward
add action=log chain=input disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name= removed
/system routerboard settings
set enter-setup-on=delete-key
Last edited by untrue on Wed Apr 17, 2024 9:32 am, edited 2 times in total.
 
anav
Forum Guru
Posts: 19626
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard client allow for all bridge subnets

Mon Apr 15, 2024 4:49 pm

(1) Why do you have your WAN address down twice??? Oh I see, the first one is disabled! Get rid of it, it's garbage that creates confusion.
/ip address
add address=removed comment=defconf disabled=yes interface=wan-sfpplus1 \
network=removed

add address=192.168.88.1/22 interface=bridge1 network=192.168.88.0
add address=removed interface=wan-sfpplus1 network=removed
add address=192.168.90.10/24 interface=wireguard-vpn network=192.168.90.0


(2) Why is your IP pool so big?? Or is it a typo? Ah, I see you have a /22 network, OKAY.
/ip pool
add name=dhcp ranges=192.168.89.2-192.168.91.254

(3) Don't keep garbage around, remove the config line of WAN on bridge ports!!
add bridge=bridge1 disabled=yes interface=wan-sfpplus1

(4) I see you have one wireguard peer,

(5) Assuming you have fixed static public IP address (not private).

(6) Please fix your settings from (never seen the first line before, self-invented? Regardless, it is not required; do not put in netmasks either)
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
add address=192.168.88.0/22 dns-server=192.168.88.1 gateway=192.168.88.1 \
netmask=22


TO
/ip dhcp-server network
add address=192.168.88.0/22 dns-server=192.168.88.1 gateway=192.168.88.1


(7) Why are servers removed from /ip dns ( nothing hidden about 1.1.1.1, or 8.8.8.8 for example )

(8) Your firewall rules are woefully lacking for being an internet facing router, adjust to the following:
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="wireguard handshake" dst-port=54896 protocol=udp
add action=accept chain=input comment="accept LAN traffic only" in-interface-list=LAN
add action=drop chain=input comment="Drop all else"
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="wg to LAN" in-interface=wireguard-vpn dst-address=192.168.88.0/22
add action=accept chain=forward comment="port forwarding" disabled=yes connection-nat-state=dstnat { enable if required or remove }
add action=drop chain=forward comment="Drop all else"


If your WAN IP is a static public IP then you could do this instead for the source NAT rule.
/ip firewall nat
add action=src-nat chain=srcnat out-interface=wan-sfpplus1 to-address=static-WAN-IP
 
untrue
just joined
Topic Author
Posts: 8
Joined: Mon Apr 15, 2024 3:33 pm

Re: Wireguard client allow for all bridge subnets

Tue Apr 16, 2024 10:14 am

Thanks for your advice on my configuration. I adjusted it and implemented your suggestions.

Still, I can't access the other subnet(s). I.e. a connection between my Wireguard client and the Mikrotik is possible. But not to any other device on the net, e.g. another client or AP.
 
anav
Forum Guru
Posts: 19626
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard client allow for all bridge subnets

Tue Apr 16, 2024 1:25 pm

Post your latest config and perhaps a network diagram.
 
untrue
just joined
Topic Author
Posts: 8
Joined: Mon Apr 15, 2024 3:33 pm

Re: Wireguard client allow for all bridge subnets

Wed Apr 17, 2024 9:16 am

Sure, thanks for your time.

I thought the "input" and "forward" part of the firewall that you also proposed should allow the WG client to access, or even just ping, the AP or any client in the 192.168.88.x network, but it does not work. Is there some kind of additional interface separation I am missing? Thanks in advance.
I did the quick network diagram with draw.io, tell me if you need more information or if I can help clarify.
# apr/17/2024 08:08:08 by RouterOS 7.8
# software id = EZFV-DY09
#
# model = CCR2004-1G-12S+2XS
# serial number = xxx
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no name=wan-sfpplus1 \
speed=1Gbps
/interface wireguard
add listen-port=xxx name=wireguard-vpn
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.89.2-192.168.91.254
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=sfp-sfpplus3
add bridge=bridge1 interface=sfp-sfpplus4
add bridge=bridge1 interface=sfp-sfpplus5
add bridge=bridge1 interface=sfp-sfpplus6
add bridge=bridge1 interface=sfp-sfpplus7
add bridge=bridge1 interface=sfp-sfpplus8
add bridge=bridge1 interface=sfp-sfpplus9
add bridge=bridge1 interface=sfp-sfpplus10
add bridge=bridge1 interface=sfp-sfpplus11
add bridge=bridge1 interface=sfp-sfpplus12
add bridge=bridge1 interface=sfp28-1
add bridge=bridge1 interface=sfp28-2
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=\
LAN wan-interface-list=WAN
/interface list member
add interface=wan-sfpplus1 list=WAN
add interface=bridge1 list=LAN
add interface=wireguard-vpn list=LAN
/interface wireguard peers
add allowed-address=192.168.90.100/32 comment=client1 interface=\
wireguard-vpn public-key="xyz"
/ip address
add address=192.168.88.1/22 interface=bridge1 network=192.168.88.0
add address=xyz interface=wan-sfpplus1 network=xyz
add address=192.168.90.10/24 interface=wireguard-vpn network=192.168.90.0
/ip dhcp-client
add disabled=yes interface=wan-sfpplus1
/ip dhcp-server config
set store-leases-disk=2h5m
/ip dhcp-server lease
add address=192.168.88.2 client-id=xyz mac-address=\
xyz server=dhcp1
add address=192.168.89.250 client-id=xyz mac-address=\
xyz server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/22 dns-server=192.168.88.1 gateway=192.168.88.1 \
netmask=22
/ip dns
set allow-remote-requests=yes servers=82.144.41.8,82.145.9.8
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Wireguard Client Acccess" dst-port=\
54896 protocol=udp
add action=accept chain=input comment="accept LAN traffic only" in-interface=\
bridge1
add action=accept chain=input dst-address=192.168.88.0/22 in-interface=\
wireguard-vpn
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=forward connection-state=\
established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface=\
bridge1 out-interface=wan-sfpplus1
add action=accept chain=forward comment="Wireguard to LAN Netzwerkzugriff " \
dst-address=192.168.88.0/22 in-interface=wireguard-vpn
add action=drop chain=forward
add action=log chain=input disabled=yes
add action=accept chain=input connection-state=established,related,untracked \
disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=mikrotik
/system routerboard settings
set enter-setup-on=delete-key
Attachment: Bildschirmfoto 2024-04-17 um 08.12.55.png
 
llamajaja
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: Wireguard client allow for all bridge subnets

Wed Apr 17, 2024 4:31 pm

1. Would recommend upgrading the firmware to at least 7.12.2 or later.

2. Modify this rule. From
add action=accept chain=input comment="accept LAN traffic only" in-interface=bridge1

TO:
add action=accept chain=input comment="accept LAN traffic only" in-interface-list=LAN


3. REMOVE this rule, it's nonsensical. You are trying to control traffic through the router (LAN to LAN, LAN to WAN, WAN to LAN) not in the proper forward chain, but in the input chain, which is traffic TO the router.
add action=accept chain=input dst-address=192.168.88.0/22 in-interface=\
wireguard-vpn


4. Modify this rule. From:
add action=accept chain=forward comment="internet traffic" in-interface=\
bridge1 out-interface=wan-sfpplus1


TO:
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface=wan-sfpplus1

+++++++++++++++++++++
Should be good to go.
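An added illustration of point 3 above (this is not code from llamajaja, anav or the OP, and RouterOS itself does not ship such a tool): a small Python model of how RouterOS chooses the filter chain for a packet and walks that chain top-down. The router addresses and the LAN/WAN interface lists are taken from the OP's Apr 17 export; the rule text is retyped one rule per line, the "revised" input set applies the changes suggested above, and the sample packets, the simplified matchers and the absence of routing and connection tracking are my own assumptions. It shows that a ping from the Wireguard client to 192.168.88.2 is decided in the forward chain, so an input rule with dst-address=192.168.88.0/22 is never consulted for it, whereas traffic to the router's own 192.168.88.1 is decided in input, where in-interface-list=LAN already covers wireguard-vpn because that interface is a member of the list.

```python
import ipaddress
import shlex

# Constructed model (not RouterOS code): router-owned addresses and interface lists
# as in the OP's Apr 17 export.
ROUTER_ADDRESSES = {"192.168.88.1", "192.168.90.10"}
INTERFACE_LISTS = {"LAN": {"bridge1", "wireguard-vpn"}, "WAN": {"wan-sfpplus1"}}
# Actions that do not end rule processing; fasttrack-connection only marks the
# connection, which is why the default config follows it with an accept rule.
NON_TERMINATING = {"log", "passthrough", "fasttrack-connection"}

# Input chain as posted on Apr 17 (one rule per line; backslash continuations joined).
INPUT_APR17 = """
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Wireguard Client Access" dst-port=54896 protocol=udp
add action=accept chain=input comment="accept LAN traffic only" in-interface=bridge1
add action=accept chain=input dst-address=192.168.88.0/22 in-interface=wireguard-vpn
add action=drop chain=input comment="drop all else"
"""
# Input chain after the suggested changes: list-based LAN rule, dst-address rule removed.
INPUT_REVISED = """
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="wireguard handshake" dst-port=54896 protocol=udp
add action=accept chain=input comment="accept LAN traffic only" in-interface-list=LAN
add action=drop chain=input comment="drop all else"
"""
FORWARD = """
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface=wan-sfpplus1
add action=accept chain=forward comment="wg to LAN" dst-address=192.168.88.0/22 in-interface=wireguard-vpn
add action=drop chain=forward comment="drop all else"
"""


def parse_rules(export_text):
    """Turn 'add key=value ...' export lines into dicts; shlex keeps quoted comments whole."""
    rules = []
    for line in export_text.strip().splitlines():
        if not line.strip():
            continue
        rule = {}
        for token in shlex.split(line)[1:]:  # skip the leading 'add'
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def matches(rule, pkt):
    """True when every matcher present on the rule accepts the packet (disabled rules never match)."""
    if rule.get("disabled") == "yes":
        return False
    checks = {
        "in-interface": lambda v: v == pkt["in_interface"],
        "out-interface": lambda v: v == pkt.get("out_interface"),
        "in-interface-list": lambda v: pkt["in_interface"] in INTERFACE_LISTS.get(v, ()),
        "out-interface-list": lambda v: pkt.get("out_interface") in INTERFACE_LISTS.get(v, ()),
        "dst-address": lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v, strict=False),
        "protocol": lambda v: v == pkt["protocol"],
        "dst-port": lambda v: int(v) == pkt.get("dst_port"),
        "connection-state": lambda v: pkt["conn_state"] in v.split(","),
    }
    return all(test(rule[key]) for key, test in checks.items() if key in rule)


def select_chain(pkt):
    """Traffic addressed to the router itself is 'input'; anything routed through it is 'forward'."""
    return "input" if pkt["dst"] in ROUTER_ADDRESSES else "forward"


def evaluate(rules, pkt):
    """Walk the packet's chain top-down; the first terminating match decides, no match means accept."""
    chain = select_chain(pkt)
    for rule in rules:
        if rule["chain"] != chain or not matches(rule, pkt):
            continue
        if rule["action"] in NON_TERMINATING:
            continue
        return chain, rule["action"], rule.get("comment", "")
    return chain, "accept", "(no rule matched)"


APR17_RULES = parse_rules(INPUT_APR17 + FORWARD)
REVISED_RULES = parse_rules(INPUT_REVISED + FORWARD)

# Constructed packets. out_interface is supplied by hand because routing is not modelled.
PING_TO_AP = {"in_interface": "wireguard-vpn", "out_interface": "bridge1",
              "dst": "192.168.88.2", "protocol": "icmp", "conn_state": "new"}
WEB_TO_ROUTER = {"in_interface": "wireguard-vpn", "dst": "192.168.88.1",
                 "protocol": "tcp", "dst_port": 80, "conn_state": "new"}
WAN_TO_ROUTER = {"in_interface": "wan-sfpplus1", "dst": "192.168.88.1",
                 "protocol": "tcp", "dst_port": 80, "conn_state": "new"}

if __name__ == "__main__":
    for name, pkt in [("ping wg->AP", PING_TO_AP), ("web wg->router", WEB_TO_ROUTER),
                      ("web wan->router", WAN_TO_ROUTER)]:
        print(name, "apr17:", evaluate(APR17_RULES, pkt), "revised:", evaluate(REVISED_RULES, pkt))
```

The ping to the AP is accepted by the forward chain's "wg to LAN" rule in both rule sets, which matches what the OP later reports from the firewall log; if the reply still never arrives, the cause lies outside the filter rules. Untrusted traffic from the WAN to the router's web port is dropped by "drop all else" in both sets.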
 
untrue
just joined
Topic Author
Posts: 8
Joined: Mon Apr 15, 2024 3:33 pm

Re: Wireguard client allow for all bridge subnets

Thu Apr 18, 2024 11:33 am

Thanks for your comments! I adjusted the rules.

Still, I cannot ping or otherwise access a device in the "ether1" ethernet belonging to "bridge1" in the 192.168.88.x subnet from my Wireguard client in the 192.168.90.x subnet. I put a log in the firewall and can see that the ping attempts go into the appropriate forward rule of the firewall, the packets are not dropped there. So I assume it's not a firewall problem?! I feel like I am missing something basic here.
 
anav
Forum Guru
Posts: 19626
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard client allow for all bridge subnets

Thu Apr 18, 2024 1:15 pm

Post your latest config with the changes please.
 
untrue
just joined
Topic Author
Posts: 8
Joined: Mon Apr 15, 2024 3:33 pm

Re: Wireguard client allow for all bridge subnets

Mon Apr 22, 2024 11:58 am

Sure, here we go
# apr/22/2024 10:54:20 by RouterOS 7.8
# software id = EZFV-DY09
#
# model = CCR2004-1G-12S+2XS
# serial number = xxx
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no name=wan-sfpplus1 \
speed=1Gbps
/interface wireguard
add listen-port=xxx name=wireguard-vpn
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.89.2-192.168.91.254
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=sfp-sfpplus3
add bridge=bridge1 interface=sfp-sfpplus4
add bridge=bridge1 interface=sfp-sfpplus5
add bridge=bridge1 interface=sfp-sfpplus6
add bridge=bridge1 interface=sfp-sfpplus7
add bridge=bridge1 interface=sfp-sfpplus8
add bridge=bridge1 interface=sfp-sfpplus9
add bridge=bridge1 interface=sfp-sfpplus10
add bridge=bridge1 interface=sfp-sfpplus11
add bridge=bridge1 interface=sfp-sfpplus12
add bridge=bridge1 interface=sfp28-1
add bridge=bridge1 interface=sfp28-2
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=\
LAN wan-interface-list=WAN
/interface list member
add interface=wan-sfpplus1 list=WAN
add interface=bridge1 list=LAN
add interface=wireguard-vpn list=LAN
add interface=ether1 list=LAN
/interface wireguard peers
add allowed-address=192.168.90.100/32 comment=xxx interface=\
wireguard-vpn public-key="xxx"
/ip address
add address=192.168.88.1/22 interface=bridge1 network=192.168.88.0
add address=xxx interface=wan-sfpplus1 network=xxx
add address=192.168.90.10/24 interface=wireguard-vpn network=192.168.90.0
/ip dhcp-client
add disabled=yes interface=wan-sfpplus1
/ip dhcp-server config
set store-leases-disk=2h5m
/ip dhcp-server lease
add address=192.168.88.2 client-id=xxx mac-address=\
xxx server=dhcp1
add address=192.168.89.250 client-id=xxx mac-address=\
xxx server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/22 dns-server=192.168.88.1 gateway=192.168.88.1 \
netmask=22
/ip dns
set allow-remote-requests=yes servers=82.144.41.8,82.145.9.8
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Wireguard Client Acccess" dst-port=\
54896 protocol=udp
add action=accept chain=input comment="accept LAN traffic only" \
in-interface-list=LAN
add action=accept chain=input disabled=yes dst-address=192.168.88.0/22 \
in-interface=wireguard-vpn
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=forward connection-state=\
established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface=wan-sfpplus1
add action=log chain=forward in-interface=wireguard-vpn log=yes
add action=accept chain=forward disabled=yes in-interface=wireguard-vpn \
out-interface=bridge1
add action=accept chain=forward comment="Wireguard to LAN Netzwerkzugriff " \
dst-address=192.168.88.0/22 in-interface=wireguard-vpn
add action=drop chain=forward
add action=log chain=input disabled=yes
add action=accept chain=input connection-state=established,related,untracked \
disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=xxx
/system routerboard settings
set enter-setup-on=delete-key
 
anav
Forum Guru
Posts: 19626
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard client allow for all bridge subnets

Mon Apr 22, 2024 7:55 pm

When people get cute they run into issues...
For example, why do you have such a huge /22 network for the main subnet??
In any case, I think that's where you run into problems, overlap maybe??

(1) Try changing wireguard IP address to 192.168.80.1/24 interface=wireguard-vpn network=192.168.80.0
(shouldn't make a difference but grasping at straws here). Of course, adjust the client IP as well (192.168.80.100/32)

(2) Minor: remove ether1 from list=LAN, it's covered by the fact that list=LAN includes bridge1, and ether1 is listed as a bridge port.

(3) Why is this rule here? What purpose do you think it serves?
add action=accept chain=input disabled=yes dst-address=192.168.88.0/22 \
in-interface=wireguard-vpn
???

(4) Why is this rule still in your config??
add action=accept chain=forward disabled=yes in-interface=wireguard-vpn \
out-interface=bridge1


(5) Duplicate rule at end needs to be removed.
add action=accept chain=input connection-state=established,related,untracked \
disabled=yes


(6)
 
jaclaz
Forum Veteran
Posts: 725
Joined: Tue Oct 03, 2023 4:21 pm

Re: Wireguard client allow for all bridge subnets

Mon Apr 22, 2024 8:24 pm

Passing-by question, if a rule is "disabled=yes" isn't its effect the same as it is not there (none)?
 
anav
Forum Guru
Posts: 19626
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard client allow for all bridge subnets

Mon Apr 22, 2024 8:45 pm

Hi Jaclaz, yes that is true....
Keep in mind that I read all the configs thoroughly; every time I read a disabled rule that has no potential purpose I BARF.
It's a distraction and a waste of my time to read a cluttered config full of garbage.
The cleaner and leaner the config, the easier it is for all to spot errors and do so efficiently. :-)

Therefore I care little that the last rule in the firewall, which was a duplicate, was also disabled.
I had to read the line, understand the line and then see that it was disabled................ Once or twice fine, after a few 100 configs it gets old fast.

It's just good practice as well to keep a clean config, be it software coding or MT configs. Comments are good to let the reader know what you are doing as well.
 
jaclaz
Forum Veteran
Posts: 725
Joined: Tue Oct 03, 2023 4:21 pm

Re: Wireguard client allow for all bridge subnets

Tue Apr 23, 2024 12:13 am

Maybe this should be a request to Mikrotik, set an option in
/export
such as
hide-disabled=yes
or (possibly more in Mikrotik style)
show-not-enabled=no
 
anav
Forum Guru
Posts: 19626
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard client allow for all bridge subnets

Tue Apr 23, 2024 2:06 am

I want to see the config, warts and all LOL, and it may reveal the OP's intentions, thus I don't favour your approach.
I have no heartache with disabled rules that may have a purpose.

Case in point. ( planning on port forwarding later )
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="Drop all else"
 
jaclaz
Forum Veteran
Posts: 725
Joined: Tue Oct 03, 2023 4:21 pm

Re: Wireguard client allow for all bridge subnets

Tue Apr 23, 2024 2:36 am

So maybe a Mikrotik code parser for Scite/Scintilla or Notepad++ or similar that can find entries with disabled=yes and render them stricken or bold or anyway highlighted ...
 
anav
Forum Guru
Posts: 19626
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard client allow for all bridge subnets

Tue Apr 23, 2024 3:01 am

Nope, just a first post process that eliminates 99% of the problems I see on initial posts and one of the points would be cleaning up disabled rules that have no purpose.
 
untrue
just joined
Topic Author
Posts: 8
Joined: Mon Apr 15, 2024 3:33 pm

Re: Wireguard client allow for all bridge subnets

Tue Apr 30, 2024 1:37 pm

Hey, sorry for the late reply.

Thanks a lot for your help so far. Indeed the overlapping subnets posed a problem. I am now able to ping the hosts in the bridge1 subnets / also the dhcp clients from the wireguard client.

Still, I cannot access e.g. the web interface of the AP (in the DHCP subnet xxx.xxx.88.2 , see my graphics). I can ping it without a problem. Web access to the mikrotik router (x.x.88.1) works fine. Web interface access with a client in the network on-site works fine. Any ideas?
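An added worked example (my own, not code from the thread or from MikroTik) of the overlap that turned out to be the problem: the LAN address 192.168.88.1/22 spans 192.168.88.0 to 192.168.91.255, which contains the Wireguard subnet 192.168.90.0/24. On the router itself longest-prefix matching still picks the right interface, but a LAN host configured with a /22 sees 192.168.90.100 as on-link, so it ARPs for the Wireguard client on the wire instead of replying via the router; the ping request arrives (as the OP's firewall log showed) and the reply never comes back. The address lines below are the OP's before/after values; the parsing, the overlap check and the two lookups are constructed here as a pre-change sanity check one can run on any export.

```python
import ipaddress
import itertools
import re

# Constructed example: the two '/ip address' lines before and after anav's change (1).
BEFORE = """
add address=192.168.88.1/22 interface=bridge1 network=192.168.88.0
add address=192.168.90.10/24 interface=wireguard-vpn network=192.168.90.0
"""
AFTER = """
add address=192.168.88.1/22 interface=bridge1 network=192.168.88.0
add address=192.168.80.1/24 interface=wireguard-vpn network=192.168.80.0
"""
ADDRESS_LINE = re.compile(r"address=(\S+)\s+interface=(\S+)")


def parse_addresses(export_text):
    """Return [(interface, ip_interface)] for each 'add address=... interface=...' line."""
    found = []
    for line in export_text.strip().splitlines():
        m = ADDRESS_LINE.search(line)
        if m:
            found.append((m.group(2), ipaddress.ip_interface(m.group(1))))
    return found


def find_overlaps(addresses):
    """Every pair of interface subnets that overlap; an empty list means the address plan is clean."""
    overlaps = []
    for (if_a, a), (if_b, b) in itertools.combinations(addresses, 2):
        if a.network.overlaps(b.network):
            overlaps.append((if_a, str(a.network), if_b, str(b.network)))
    return overlaps


def router_egress(addresses, dst):
    """Longest-prefix match over the connected routes: the interface the router sends 'dst' out of."""
    dst = ipaddress.ip_address(dst)
    candidates = [(a.network.prefixlen, iface) for iface, a in addresses if dst in a.network]
    return max(candidates)[1] if candidates else None


def host_treats_as_on_link(host_cidr, dst):
    """A LAN host ARPs for 'dst' directly instead of using its gateway when dst is inside its own subnet."""
    return ipaddress.ip_address(dst) in ipaddress.ip_interface(host_cidr).network


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        addrs = parse_addresses(text)
        print(label, "overlaps:", find_overlaps(addrs))
        print(label, "router sends 192.168.88.2 via", router_egress(addrs, "192.168.88.2"))
    # The AP (192.168.88.2/22 via DHCP) thinks the old client address is a neighbour:
    print("AP sees 192.168.90.100 on-link:", host_treats_as_on_link("192.168.88.2/22", "192.168.90.100"))
    print("AP sees 192.168.80.100 on-link:", host_treats_as_on_link("192.168.88.2/22", "192.168.80.100"))
```

The same check catches the Wireguard peer's allowed-address if it is fed in as another entry, and it generalises to any number of interfaces: with a /22 on the LAN, every VPN or transit subnet has to sit outside 192.168.88.0/22, not just the one that happened to collide here.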
 
anav
Forum Guru
Posts: 19626
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard client allow for all bridge subnets

Tue Apr 30, 2024 1:53 pm

Not without the latest config
 
untrue
just joined
Topic Author
Posts: 8
Joined: Mon Apr 15, 2024 3:33 pm

Re: Wireguard client allow for all bridge subnets

Tue Apr 30, 2024 2:04 pm

Sure!

Ah and regarding question (3): This rule is supposed to allow access to the local subnet from wireguard. If I disable it, pings don't work e.g.

# apr/30/2024 12:59:07 by RouterOS 7.8
# software id = EZFV-DY09
#
# model = CCR2004-1G-12S+2XS
# serial number = xxx
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no name=wan-sfpplus1 \
speed=1Gbps
/interface wireguard
add listen-port=xxx name=wireguard-vpn
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.89.2-192.168.91.254
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=sfp-sfpplus3
add bridge=bridge1 interface=sfp-sfpplus4
add bridge=bridge1 interface=sfp-sfpplus5
add bridge=bridge1 interface=sfp-sfpplus6
add bridge=bridge1 interface=sfp-sfpplus7
add bridge=bridge1 interface=sfp-sfpplus8
add bridge=bridge1 interface=sfp-sfpplus9
add bridge=bridge1 interface=sfp-sfpplus10
add bridge=bridge1 interface=sfp-sfpplus11
add bridge=bridge1 interface=sfp-sfpplus12
add bridge=bridge1 interface=sfp28-1
add bridge=bridge1 interface=sfp28-2
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=\
LAN wan-interface-list=WAN
/interface list member
add interface=wan-sfpplus1 list=WAN
add interface=bridge1 list=LAN
add interface=wireguard-vpn list=LAN
/interface wireguard peers
add allowed-address=192.168.80.100/32 comment=xxx interface=\
wireguard-vpn public-key="xxx"
/ip address
add address=192.168.88.1/22 interface=bridge1 network=192.168.88.0
add address=xxx interface=wan-sfpplus1 network=xxx
add address=192.168.80.1/24 interface=wireguard-vpn network=192.168.80.0
/ip dhcp-server config
set store-leases-disk=2h5m
/ip dhcp-server lease
add address=192.168.88.2 client-id=xxx mac-address=\
xxx server=dhcp1
add address=192.168.89.250 client-id=xxx mac-address=\
xxx server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/22 dns-server=192.168.88.1 gateway=192.168.88.1 \
netmask=22
/ip dns
set allow-remote-requests=yes servers=82.144.41.8,82.145.9.8
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Wireguard Client Acccess" dst-port=\
54896 protocol=udp
add action=accept chain=input comment="accept LAN traffic only" \
in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=forward connection-state=\
established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface=wan-sfpplus1
add action=accept chain=forward comment="wireguard to LAN access " \
dst-address=192.168.88.0/22 in-interface=wireguard-vpn
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=mikrotik
/system routerboard settings
set enter-setup-on=delete-key
 
untrue
just joined
Topic Author
Posts: 8
Joined: Mon Apr 15, 2024 3:33 pm

Re: Wireguard client allow for all bridge subnets

Tue Apr 30, 2024 3:42 pm

I just started another random web interface on one client in the dhcp subnet (x.x.89.250:3000) with a specific port and it works. SSH too. So I still don't know why the AP web interface (x.x.88.2 http(s)) is not accessible but the major problem of not being able to access the subnets at all is solved I guess.

Remember: never have overlapping subnets. (:

Thanks so much anav!
 
anav
Forum Guru
Posts: 19626
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard client allow for all bridge subnets

Tue Apr 30, 2024 4:11 pm

Well it should connect. Perhaps the AP is not recognizing the client wireguard address as being "allowed"?
