Sat Apr 13, 2024 5:06 am
Good news, you only need one wireguard interface to accomplish all your tasks.
The key is in the firewall rules for what you allow or don't allow. You can put all admin users in one firewall address list and all the general users in another firewall address list.
Another option is to use two different addresses for the same interface, all legal.
Setting ether3 as an interface list item is not useful, as ether3 belongs to the bridge... but it's not needed, so no loss by removing it.
By NOT adding the WireGuard interface to the LAN interface list, you can avoid internet access quite successfully.
However, the right way to do this is directly in the remote users' setup. In the remote users' setup they need something like:
Admin users:
allowedIPs=192.168.100.0/24,192.168.88.0/24 endpoint-address=............. endpoint-port=13231 interface=WG_ALL
public-key="mdmdmdmdm" persistent-keep-alive=40s
General users:
allowedIPs=192.168.101.0/24,192.168.88.2/32 endpoint-address=............. endpoint-port=13231 interface=WG_ALL
public-key="mdmdmdmdm" persistent-keep-alive=35s
( Just in case they change their settings, we still ensure they cannot access WAN by not adding them to the LAN )
Make sure you don't use the real keys in any configs you put on the forum...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
So, will keep to one interface but use a separate IP address to keep the users distinct for firewall rules.
Removed all the port forwarding rules... not required. If a user accesses the router via WireGuard, they only need firewall access.
So disabled the port forwarding rule.
Cleaned up and simplified firewall rules, they were a mess.
Major changes shown...........
/interface wireguard
add listen-port=13231 mtu=1420 name=WG_ALL
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add comment=defconf interface=local list=LAN
add comment=defconf interface="ether1[WAN]" list=WAN
/interface wireguard peers
add allowed-address=192.168.100.3/32 comment="Administracion - Dynabook ESM" \
interface=WG_ALL public-key="Y="
add allowed-address=192.168.100.4/32 comment="Administracion - iPad Pro 11 ESM" \
interface=WG_ALL public-key="1FDtjRED4="
add allowed-address=192.168.100.5/32 comment="Administracion - Macbook Pro ESM" \
interface=WG_ALL public-key="+K1jTw="
add allowed-address=192.168.100.6/32 comment="Administracion - iPhone ESM" \
interface=WG_ALL public-key="CWQ="
add allowed-address=192.168.101.2/32 comment="General user 1" \
interface=WG_ALL public-key="CWQnGupqf6rQQ="
add allowed-address=192.168.101.3/32 comment="MacBookESM" \
interface=WG_ALL public-key="CWQnGupq="
/ip address
add address=192.168.88.1/24 comment=defconf interface=local network=\
192.168.88.0
add address=192.168.100.1/24 comment="Wireguard full lan access" interface=\
WG_ALL network=192.168.100.0
add address=192.168.101.1/24 comment="Wireguard Users Group" interface=\
WG_ALL network=192.168.101.0
add address=190.999.999.999/30 comment="WAN static IP" interface="ether1[WAN]" \
network=190.141.32.176
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="Drop all else"
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" disabled=yes \
connection-nat-state=dstnat
add action=accept chain=forward comment=\
"WG Administracion - trusted users to ALL connections" in-interface=\
WG_ALL src-address=192.168.100.0/24 out-interface-list=LAN
add action=accept chain=forward comment="WG-users1 - general users group1" \
in-interface=WG_ALL src-address=192.168.101.0/24 dst-address=192.168.88.2
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
Last edited by anav on Sun Apr 14, 2024 3:10 pm, edited 1 time in total.
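The point of the export above is that the two user groups are separated on one WG_ALL interface by the peers' allowed-address values plus the forward-chain rules, and that WG_ALL sits in neither the LAN nor the WAN interface list. As an added example that is not part of anav's post or of RouterOS, the Python below models those decisions for the first packet of a new connection: WireGuard's cryptokey routing (a decrypted packet is accepted from a peer only if its inner source address is inside that peer's allowed-address) followed by the input or forward chain exactly as listed in the export. It is a model, not the router; established/related, fasttrack and the disabled dstnat rule are left out because they do not decide a new flow's first packet. The peer labels, the LAN host 192.168.88.10 and the Internet host 8.8.8.8 are constructed for the demonstration and do not appear in the post.

```python
# Added example (not from the forum post): a Python model of the access policy
# that the post's RouterOS export implements for a NEW connection.
# Modelled: (1) WireGuard cryptokey routing on the peers' allowed-address,
# (2) the /ip firewall filter input and forward chains as listed in the post.
# Omitted: established/related, fasttrack, the disabled dstnat rule.
# Constructed for the demo: peer labels, LAN host 192.168.88.10, Internet host 8.8.8.8.
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


def net(s: str) -> Net:
    return ipaddress.ip_network(s, strict=False)


# /interface wireguard peers (public keys omitted; only allowed-address matters here)
PEERS = {
    "admin-dynabook": net("192.168.100.3/32"),
    "admin-ipad": net("192.168.100.4/32"),
    "general-user-1": net("192.168.101.2/32"),
    "general-macbook": net("192.168.101.3/32"),
}

# /ip address: which interface a destination is routed out of;
# anything else takes the default route via ether1[WAN]
ROUTES = [
    (net("192.168.88.0/24"), "local"),
    (net("192.168.100.0/24"), "WG_ALL"),
    (net("192.168.101.0/24"), "WG_ALL"),
]
ROUTER_ADDRS = {ipaddress.ip_address(a) for a in ("192.168.88.1", "192.168.100.1", "192.168.101.1")}

# /interface list member: WG_ALL is deliberately in neither list
LISTS = {"LAN": {"local"}, "WAN": {"ether1[WAN]"}}


@dataclass
class Rule:
    action: str
    in_iface: Optional[str] = None
    in_list: Optional[str] = None
    out_list: Optional[str] = None
    src: Optional[Net] = None
    dst: Optional[Net] = None
    proto: Optional[str] = None


# chain=forward, in the post's order (after the established/related and invalid rules)
FORWARD = [
    Rule("accept", in_list="LAN", out_list="WAN"),                                          # allow internet traffic
    Rule("accept", in_iface="WG_ALL", src=net("192.168.100.0/24"), out_list="LAN"),          # WG admins -> all of LAN
    Rule("accept", in_iface="WG_ALL", src=net("192.168.101.0/24"), dst=net("192.168.88.2/32")),  # WG users -> one host
    Rule("drop"),                                                                           # drop all else
]
# chain=input, likewise
INPUT = [
    Rule("accept", proto="icmp"),
    Rule("accept", in_list="LAN"),
    Rule("drop"),
]


def out_iface(dst: Addr) -> str:
    for n, iface in ROUTES:
        if dst in n:
            return iface
    return "ether1[WAN]"


def matches(rule: Rule, in_iface: str, src: Addr, dst: Addr, proto: str) -> bool:
    return all((
        rule.in_iface is None or rule.in_iface == in_iface,
        rule.in_list is None or in_iface in LISTS[rule.in_list],
        rule.out_list is None or out_iface(dst) in LISTS[rule.out_list],
        rule.src is None or src in rule.src,
        rule.dst is None or dst in rule.dst,
        rule.proto is None or rule.proto == proto,
    ))


def verdict(in_iface: str, src: str, dst: str, proto: str = "tcp", peer: Optional[str] = None) -> str:
    """Return 'accept', 'drop' or 'drop (cryptokey)' for the first packet of a new flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if in_iface == "WG_ALL" and (peer is None or s not in PEERS[peer]):
        return "drop (cryptokey)"  # WireGuard discards it before the firewall ever sees it
    chain = INPUT if d in ROUTER_ADDRS else FORWARD
    for rule in chain:
        if matches(rule, in_iface, s, d, proto):
            return rule.action
    return "accept"  # RouterOS default with no match; unreachable here, both chains end in drop


if __name__ == "__main__":
    cases = [
        ("WG_ALL", "192.168.100.3", "192.168.88.10", "tcp", "admin-dynabook"),  # admin -> any LAN host
        ("WG_ALL", "192.168.100.3", "8.8.8.8", "tcp", "admin-dynabook"),        # admin -> Internet via router
        ("WG_ALL", "192.168.101.2", "192.168.88.2", "tcp", "general-user-1"),   # user -> the one allowed host
        ("WG_ALL", "192.168.101.2", "192.168.88.10", "tcp", "general-user-1"),  # user -> another LAN host
        ("WG_ALL", "192.168.100.3", "192.168.88.10", "tcp", "general-user-1"),  # user spoofing an admin address
        ("WG_ALL", "192.168.100.3", "192.168.88.1", "tcp", "admin-dynabook"),   # admin -> router's own services
        ("WG_ALL", "192.168.100.3", "192.168.88.1", "icmp", "admin-dynabook"),  # admin pinging the router
    ]
    for c in cases:
        print(f"{c[4]:15} {c[1]:>14} -> {c[2]:<14} {c[3]:4} : {verdict(*c)}")
```

Two things the model makes visible that the export alone does not: a general user who edits their client config to claim an admin address is stopped by cryptokey routing, not by a firewall rule, because the peer's allowed-address is a /32; and because WG_ALL is in neither interface list, the input chain only lets ICMP from the tunnel reach the router itself, so management over the tunnel would need its own input rule.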