Wireguard DNS/Internet

fobo · Fri Apr 26, 2024 7:46 am

Hello,

I am struggling with my wireguard setup. Connecting to it is working as expected, however, I am not able to access the internet, resolve DNS names or access other VLANs. Could somebody please have a look at my configuration?

/interface bridge
add ingress-filtering=no name=bridge port-cost-mode=short protocol-mode=none vlan-filtering=yes
/interface veth
add address=172.17.0.2/24 gateway=172.17.0.1 gateway6="" name=veth-dockers
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard_home
/interface vlan
add interface=bridge name=base-vlan vlan-id=10
add interface=bridge name=container-vlan vlan-id=60
add interface=bridge name=extern-vlan vlan-id=50
add interface=bridge name=iot-vlan vlan-id=20
add interface=ether1 name=isp-vlan vlan-id=32
add interface=bridge name=surveillance-vlan vlan-id=40
add interface=bridge name=voip-vlan vlan-id=30
/container mounts
add dst=/etc/pihole name=etc_pihole src=/ext-disk/etc
add dst=/etc/dnsmasq.d name=dnsmasq_pihole src=/ext-disk/etc-dnsmasq.d
/interface list
add name=WAN
add name=VLAN
add name=BASE
add name=VLAN-LOCAL
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add interface=base-vlan lease-time=10m name=base-dhcp
add interface=surveillance-vlan lease-time=10m name=surveillance-dhcp
add interface=extern-vlan lease-time=10m name=extern-dhcp
/ip pool
add name=base-pool ranges=10.0.10.10-10.0.10.254
add name=iot-pool ranges=10.0.20.10-10.0.20.254
add name=voip-pool ranges=10.0.30.10-10.0.30.254
add name=surveillance-pool ranges=10.0.40.10-10.0.40.254
add name=extern-pool ranges=10.0.50.10-10.0.50.254
/ip dhcp-server
add address-pool=iot-pool interface=iot-vlan lease-time=10m name=iot-dhcp
add address-pool=voip-pool interface=voip-vlan lease-time=10m name=voip-dhcp
/ip smb users
set [ find default=yes ] disabled=yes
/user group
add name=home-assistant-group policy=reboot,read,write,policy,test,api,!local,!telnet,!ssh,!ftp,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api
/container
add envlist=pihole_envs interface=veth-dockers mounts=etc_pihole,dnsmasq_pihole root-dir=ext-disk/pihole start-on-boot=yes
/container config
set registry-url=https://registry-1.docker.io tmpdir=ext-disk/pull
/container envs
add key=TZ name=pihole_envs value=Europe/Vienna
add key=WEBPASSWORD name=pihole_envs value=XXXX
add key=DNSMASQ_USER name=pihole_envs value=root
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether5 internal-path-cost=10 path-cost=10 pvid=20
add bridge=bridge interface=veth-dockers pvid=60
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6 internal-path-cost=10 path-cost=10 pvid=50
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7 internal-path-cost=10 path-cost=10 pvid=40
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether8 internal-path-cost=10 path-cost=10 pvid=30
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=BASE
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3,sfp-sfpplus1 untagged=ether4 vlan-ids=10
add bridge=bridge tagged=bridge,ether2,ether3,sfp-sfpplus1 untagged=ether5 vlan-ids=20
add bridge=bridge tagged=bridge,ether2,ether3,sfp-sfpplus1 untagged=ether8 vlan-ids=30
add bridge=bridge tagged=bridge,ether2,ether3,sfp-sfpplus1 untagged=ether7 vlan-ids=40
add bridge=bridge tagged=bridge,ether2,ether3,sfp-sfpplus1 untagged=ether7 vlan-ids=50
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=60
/interface list member
add interface=isp-vlan list=WAN
add interface=base-vlan list=VLAN
add interface=iot-vlan list=VLAN
add interface=voip-vlan list=VLAN-LOCAL
add interface=surveillance-vlan list=VLAN-LOCAL
add interface=extern-vlan list=VLAN
add interface=ether4 list=BASE
add interface=base-vlan list=BASE
add interface=container-vlan list=VLAN
add interface=container-vlan list=BASE
add interface=wireguard_home list=BASE
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.0.100.2/32 comment="iPhone " interface=wireguard_home public-key="XXX"
add allowed-address=10.0.100.3/32 comment="iPhone " interface=wireguard_home private-key="XXX" public-key="XXX"
/ip address
add address=10.0.10.1/24 interface=base-vlan network=10.0.10.0
add address=10.0.20.1/24 interface=iot-vlan network=10.0.20.0
add address=10.0.30.1/24 interface=voip-vlan network=10.0.30.0
add address=10.0.40.1/24 interface=surveillance-vlan network=10.0.40.0
add address=10.0.50.1/24 interface=extern-vlan network=10.0.50.0
add address=172.17.0.1/24 interface=container-vlan network=172.17.0.0
add address=10.0.100.1/24 interface=wireguard_home network=10.0.100.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=isp-vlan use-peer-dns=no
/ip dhcp-server lease
add address=10.0.10.12 client-id="XX:XX:XX:XX:XX:XX" comment="WLAN-AP EG" mac-address="XX:XX:XX:XX:XX:XX" server=base-dhcp
add address=10.0.50.10 comment=Wallbox mac-address="XX:XX:XX:XX:XX:XX" server=extern-dhcp
add address=10.0.10.11 client-id="XX:XX:XX:XX:XX:XX" comment=NAS mac-address="XX:XX:XX:XX:XX:XX" server=base-dhcp
add address=10.0.10.10 client-id="XX:XX:XX:XX:XX:XX" comment=POE-Switch mac-address="XX:XX:XX:XX:XX:XX" server=base-dhcp
add address=10.0.10.14 client-id="XX:XX:XX:XX:XX:XX" comment=WLAN-AP-Outdoor mac-address="XX:XX:XX:XX:XX:XX" server=base-dhcp
add address=10.0.40.10 client-id="XX:XX:XX:XX:XX:XX" comment=IPCamCarport mac-address="XX:XX:XX:XX:XX:XX" server=surveillance-dhcp
add address=10.0.20.11 client-id="XX:XX:XX:XX:XX:XX" comment=Printer mac-address="XX:XX:XX:XX:XX:XX" server=iot-dhcp
add address=10.0.40.11 client-id="XX:XX:XX:XX:XX:XX" comment=IPCamDoor mac-address="XX:XX:XX:XX:XX:XX" server=surveillance-dhcp
add address=10.0.40.12 client-id="XX:XX:XX:XX:XX:XX" comment=IPCamCarden mac-address="XX:XX:XX:XX:XX:XX" server=surveillance-dhcp
add address=10.0.30.12 client-id="XX:XX:XX:XX:XX:XX" comment="IPPhone Gast" mac-address="XX:XX:XX:XX:XX:XX" server=voip-dhcp
add address=10.0.30.10 client-id="XX:XX:XX:XX:XX:XX" comment=PBX-Server mac-address="XX:XX:XX:XX:XX:XX" server=voip-dhcp
add address=10.0.30.11 client-id="XX:XX:XX:XX:XX:XX" comment="IPPhone B\FCro" mac-address="XX:XX:XX:XX:XX:XX" server=voip-dhcp
add address=10.0.30.13 client-id="XX:XX:XX:XX:XX:XX" comment="IPPhone Werkstatt" mac-address="XX:XX:XX:XX:XX:XX" server=voip-dhcp
add address=10.0.20.10 client-id="XX:XX:XX:XX:XX:XX" comment=X1 mac-address="XX:XX:XX:XX:XX:XX" server=iot-dhcp
add address=10.0.20.12 client-id="XX:XX:XX:XX:XX:XX" comment=Wechselrichter mac-address="XX:XX:XX:XX:XX:XX" server=iot-dhcp
add address=10.0.10.13 client-id="XX:XX:XX:XX:XX:XX" comment="WLAN-AP KG" mac-address="XX:XX:XX:XX:XX:XX" server=base-dhcp
add address=10.0.20.13 comment="W\E4rmepumpe" mac-address="XX:XX:XX:XX:XX:XX" server=iot-dhcp
add address=10.0.20.14 comment=Ofen mac-address="XX:XX:XX:XX:XX:XX" server=iot-dhcp
add address=10.0.10.15 client-id="XX:XX:XX:XX:XX:XX" comment="MAC mini - Celler" mac-address="XX:XX:XX:XX:XX:XX" server=base-dhcp
add address=10.0.20.15 client-id="XX:XX:XX:XX:XX:XX" comment="iPhone " mac-address="XX:XX:XX:XX:XX:XX" server=iot-dhcp
add address=10.0.20.16 client-id="XX:XX:XX:XX:XX:XX" comment="iPhone " mac-address="XX:XX:XX:XX:XX:XX" server=iot-dhcp
add address=10.0.10.254 client-id="XX:XX:XX:XX:XX:XX" comment="PC " mac-address="XX:XX:XX:XX:XX:XX" server=base-dhcp
add address=10.0.20.23 client-id="XX:XX:XX:XX:XX:XX" comment="iPad " mac-address="XX:XX:XX:XX:XX:XX" server=iot-dhcp
add address=10.0.10.253 comment="PC VM" mac-address="XX:XX:XX:XX:XX:XX" server=base-dhcp
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1 ntp-server=10.0.10.11
add address=10.0.20.0/24 dns-server=10.0.20.1 gateway=10.0.20.1 ntp-server=10.0.10.11
add address=10.0.30.0/24 dns-server=10.0.30.1 gateway=10.0.30.1 ntp-server=10.0.10.11
add address=10.0.40.0/24 dns-server=10.0.40.1 gateway=10.0.40.1 ntp-server=10.0.10.11
add address=10.0.50.0/24 dns-server=10.0.50.1 gateway=10.0.50.1 ntp-server=10.0.10.11
/ip dns
set allow-remote-requests=yes servers=172.17.0.2
/ip dns static
add address=10.0.10.1 name=router.local
add address=10.0.10.11 name=nas.local
add address=10.0.10.10 name=switch.local
add address=10.0.10.12 name=wlan-ap-eg.local
add address=10.0.10.13 name=wlan-ap-kg.local
add address=10.0.10.14 name=wlan-ap-outdoor.local
add address=10.0.20.10 name=gira-x1.local
add address=10.0.20.11 name=printer.local
add address=10.0.20.12 name=inverter.local
add address=10.0.20.13 name=heat-pump.local
add address=10.0.30.10 name=voip.local
add address=10.0.30.11 name=void-phone-og.local
add address=10.0.30.12 name=void-phone-eg.local
add address=10.0.30.13 name=void-phone-kg.local
add address=10.0.40.10 name=camera-carport.local
add address=10.0.40.11 name=camera-door.local
add address=10.0.40.12 name=camera-garden.local
add address=10.0.50.10 name=wallbox.local
add address=172.17.0.2 name=pi-hole.local
add address=192.168.100.1 name=dishy.local
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related,untracked
add action=accept chain=input comment="Allow WireGuard handshake" dst-port=13231 protocol=udp
add action=accept chain=input comment="Allow WireGuard traffic" in-interface=wireguard_home src-address=10.0.100.0/24
add action=accept chain=input comment="Allow BASE Full Access" in-interface-list=BASE
add action=accept chain=input comment="Allow VLAN DNS Server Access" connection-state=new dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input connection-state=new dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLANs NTP access" connection-nat-state="" connection-state=new dst-port=123 in-interface-list=VLAN-LOCAL protocol=udp
add action=accept chain=input connection-state=new dst-port=123 in-interface-list=VLAN protocol=udp
add action=drop chain=input comment=Drop
add action=fasttrack-connection chain=forward comment=Fasttrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Estab & Related & Untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Allow BASE access to all VLANs" connection-state="" in-interface-list=BASE out-interface-list=VLAN
add action=accept chain=forward comment="Allow BASE access to all VLANs" connection-state="" in-interface-list=BASE out-interface-list=VLAN-LOCAL
add action=accept chain=forward comment="Allow VLAN Internet Access" connection-state="" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow IOT SMB Access to NAS" connection-state="" dst-address=10.0.10.11 dst-port=445 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow X1 Access to Surveillance Station" connection-state="" dst-address=10.0.10.11 dst-port=9900 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow Mobile Access to InfluxDB" connection-state=new dst-address=10.0.10.11 dst-port=8086 in-interface=iot-vlan out-interface=base-vlan protocol=tcp src-port=""
add action=accept chain=forward comment="Allow Mobile Access to Surveillance Station" connection-state="" dst-address=10.0.10.11 dst-port=9901 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow Mobile Access to File Station" connection-state="" dst-address=10.0.10.11 dst-port=7001 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow Mobile Access to Home Assistant" connection-state="" dst-address=10.0.10.11 dst-port=8123 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=drop chain=forward comment=Drop
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
add action=masquerade chain=srcnat src-address=172.17.0.0/24
add action=dst-nat chain=dstnat dst-address=10.0.10.1 dst-port=888 protocol=tcp to-addresses=172.17.0.2 to-ports=80
/ip smb shares
set [ find default=yes ] directory=/pub
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=base-vlan type=internal
add interface=iot-vlan type=internal
/routing igmp-proxy interface
add alternative-subnets=10.0.20.0/24 interface=base-vlan upstream=yes
add interface=iot-vlan
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=Router
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes
/system ntp client servers
add address=0.at.pool.ntp.org
add address=1.at.pool.ntp.org
add address=2.at.pool.ntp.org
add address=3.at.pool.ntp.org
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
/tool sniffer
set file-limit=10000KiB file-name=wireguard_sniff filter-interface=wireguard_home filter-operator-between-entries=and filter-stream=yes streaming-server=10.0.10.254

erlinden · Fri Apr 26, 2024 9:23 am

Couple of things I notice:

add action=accept chain=forward comment="Allow VLAN Internet Access" connection-state="" in-interface-list=VLAN out-interface-list=WAN

Am missing the rule:

add action=accept chain=forward comment="Allow BASE Internet Access" connection-state="" in-interface-list=VLAN out-interface-list=BASE

Assuming BASE should have internet access (as the wireguard interface is part of the BASE address list).

Think these rules are unneccesary:

BASE is granted access, so there is no need to Allow wireguard specifically

add action=accept chain=input comment="Allow WireGuard traffic" in-interface=wireguard_home src-address=10.0.100.0/24

Is this hit, as you have a dedicated NTP server on your NAS?

add action=accept chain=input comment="Allow VLANs NTP access" connection-nat-state="" connection-state=new dst-port=123 in-interface-list=VLAN-LOCAL protocol=udp
add action=accept chain=input connection-state=new dst-port=123 in-interface-list=VLAN protocol=udp

On the forward chain, the rule above this rule drops all:

add action=drop chain=input comment="Drop Invalid" connection-state=invalid

Brrr....:

/ip upnp interfaces
set enabled=yes
/ip upnp interfaces
add interface=base-vlan type=internal
add interface=iot-vlan type=internal

Love the firewall rules from a readability perspective! Be aware to remove any passwords

fobo · Fri Apr 26, 2024 9:51 am

First of all, thank you for taking the time to take a look

Am missing the rule:

add action=accept chain=forward comment="Allow BASE Internet Access" connection-state="" in-interface-list=VLAN out-interface-list=BASE

Awww, how could I have missed this? Thanks, that helped a lot, the internet access is now working.

Think these rules are unnecessary:
BASE is granted access, so there is no need to Allow wireguard specifically

add action=accept chain=input comment="Allow WireGuard traffic" in-interface=wireguard_home src-address=10.0.100.0/24

You are right, not needed, not hit. Thank you.

Is this hit, as you have a dedicated NTP server on your NAS?

add action=accept chain=input comment="Allow VLANs NTP access" connection-nat-state="" connection-state=new dst-port=123 in-interface-list=VLAN-LOCAL protocol=udp
add action=accept chain=input connection-state=new dst-port=123 in-interface-list=VLAN protocol=udp

You are right, outdated, not hit. Thank you.

On the forward chain, the rule above this rule drops all:
Code: Select all
add action=drop chain=input comment="Drop Invalid" connection-state=invalid

Not hit, makes sense, removed as well. Thank you.

Brrr....:

/ip upnp interfaces
set enabled=yes
/ip upnp interfaces
add interface=base-vlan type=internal
add interface=iot-vlan type=internal

Don't ask

I will try to get rid of it.

Love the firewall rules from a readability perspective! Be aware to remove any passwords

Thank you! I am not too concerned about this one, but have to admit that I overlooked removing it. Thanks for the hint.

I have one final question if you do not mind. In case I want to be able to resolve static DNS names that I defined through a wireguard connection (eg. nas.local), what would be required?

erlinden · Fri Apr 26, 2024 10:01 am

In case I want to be able to resolve static DNS names that I defined through a wireguard connection (eg. nas.local), what would be required?

I would expect it to be enough to set the DNS server client side to 10.0.100.1.

fobo · Fri Apr 26, 2024 10:14 am

I would expect it to be enough to set the DNS server client side to 10.0.100.1.

I have that already, but unfortunately, it does not work, and an attempt to resolve a DN times out. Using the IP works however.

erlinden · Fri Apr 26, 2024 10:30 am

Can you provide client config?
Is all Internet traffic routed through Wireguard?

fobo · Fri Apr 26, 2024 10:40 am

Can you provide client config?
Is all Internet traffic routed through Wireguard?

All traffic is routed through wireguard (at least that was my intention setting allowed IPs to 0.0.0.0/0)
Ofc, peer config:

Addresses: 10.0.100.2/32
DNS Server: 10.0.100.1
Listen Port: auto
MTU: auto
Endpoint: XXX.subdomain.com
Allowed IPs 0.0.0.0/0
Exclude private IPs: off
Persistent keepalive: off

erlinden · Fri Apr 26, 2024 11:00 am

That should work (assuming the device can reach the MikroTiks DNS server).
And I think that is prohibited to VLAN as well...

fobo · Fri Apr 26, 2024 11:10 am

That should work (assuming the device can reach the MikroTiks DNS server).
And I think that is prohibited to VLAN as well...

I am not able to follow. If my understanding is correct, the wireguard_home interface is part of BASE and therefore should be covered by the accept input rule. VLAN also has two input rules for DNS access.

add interface=wireguard_home list=BASE

add action=accept chain=input comment="Allow BASE Full Access" in-interface-list=BASE

add action=accept chain=input comment="Allow VLAN DNS Server Access" connection-state=new dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input connection-state=new dst-port=53 in-interface-list=VLAN protocol=udp

erlinden · Fri Apr 26, 2024 11:30 am

I see now...can you test the DNS server on the client?
By using nslookup (or any other Linux/iOS/Android equivalent)?
Does DNS resolve correct on any VLAN clients?

fobo · Fri Apr 26, 2024 11:52 am

I see now...can you test the DNS server on the client?
By using nslookup (or any other Linux/iOS/Android equivalent)?

That's strange.
DN lookup works (eg. tested printer.local) and the IP is correct, however, the ping of the domain name fails, and so does a request to the web interface in the browser. If I use the resolved IP (from NSLookup) instead everything works fine.

Does DNS resolve correct on any VLAN clients?

Yes, that works without problems.

Wireguard DNS/Internet

Wireguard DNS/Internet

Re: Wireguard DNS/Internet

Re: Wireguard DNS/Internet

Re: Wireguard DNS/Internet

Re: Wireguard DNS/Internet

Re: Wireguard DNS/Internet

Re: Wireguard DNS/Internet

Re: Wireguard DNS/Internet

Re: Wireguard DNS/Internet

Re: Wireguard DNS/Internet

Re: Wireguard DNS/Internet

Who is online