Community discussions

MikroTik App
 
ameer456
just joined
Topic Author
Posts: 5
Joined: Thu May 31, 2018 6:58 am

Want Virtual Wireless clients access intenet only through wireguard

Fri Nov 18, 2022 8:18 pm

I have remote server (like AWS, oracle) successfully installed wireguard easily using https://pivpn.io/
I can connect my phone to internet through wireguard successfully.

I successfully added wireguard interface in mikrotik and handshaked as peer (endpoint is remote server). (so mikrotik now supposedly connected to remote server)

My request: I want to create virtual wireless, so the clients connected to it will connect to internet immediately from wireguard interface in mikrotik.
I don't want the clients to have internal IP from remote server (because server may reject additional IP, I don't want to mess with its setup)
I just want the Mikrotik to issue IP for wireless clients, with internet service coming from wireguard interface.

The end results will be like this:
- Physical lan & wireless through typical connection.
- one virtual wireless through wireguard as internet provider.

I used this solution from "sindy": viewtopic.php?t=186836#p939878
His last step: "add a default route via the Wireguard interface to the routing table of the VRF" I couldn't understand it, it seems routeros automatically created it under IP > Routes.
I can connect to virtual wireless, but still no internet from wireless client!
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Want Virtual Wireless clients access intenet only through wireguard

Sat Nov 19, 2022 10:48 pm

post your config please

/export file=anynameyouwish ( minus router serial number and any public WANIP information )
 
ameer456
just joined
Topic Author
Posts: 5
Joined: Thu May 31, 2018 6:58 am

Re: Want Virtual Wireless clients access intenet only through wireguard

Sun Nov 20, 2022 8:51 pm

post your config please

/export file=anynameyouwish ( minus router serial number and any public WANIP information )
Here..
You do not have the required permissions to view the files attached to this post.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Want Virtual Wireless clients access intenet only through wireguard

Mon Nov 21, 2022 2:39 am

Okay the config is confused...............
Let me know what the requirements are........
I see one wlan for home
I see one wlan for guests
I see one wlan that people should use if they want to go out wireguard.

So in a sense we have 3 subnets.
Much better approach, simpler to have one bridge and 3 vlans.

Also will need to know some basic information about your AWS install.
Is it a mikrotik instance or some linux instance, and if so, what are the wireguard settings that you can share.........

Also what is this setting for............ on the wlan for wireguard --> wds-default-bridge=bridge
Did you put that there??

What are you doing with VRF here, not required.
Bridge filters are very tricky and usually not required.

What is going on with your DNS settings. What is 10.0.0.2
and what is 192.168.1.1

Very disorganized firewall rules. have the chains together so that all input chains rules are together and all forward chain rules are together, much easier to make sense of! (and not in the right order either)

Why do you have a wireguard rule for incoming connections?? Your router gets a private IP? Does the router in front of your router port forward 51820 to LANIP 192.168.1.60 ??
If it does port forward to your router then okay! Makes sense IN which case I would use a different port number for the different direction, just makes it clearer to the reader...
52820 for example / port 51820 is what the AWS is listening out for and what the mt will handshake with if the initiator!

What the heck is ALL ETHERNET ????
add action=dst-nat chain=dstnat disabled=yes dst-port=10554 in-interface=\
all-ethernet
protocol=tcp to-addresses=10.0.0.2 to-ports=10554

How are you doing port forwarding when you have a router in front of you??
IS that router port forwarding all those ports to your router traffic to 192.168.1.60
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Want Virtual Wireless clients access intenet only through wireguard

Mon Nov 21, 2022 3:34 am

Please review EVERY LINE and ask questions of what you dont understand.

#model = RBD52G-5HacD2HnD-TC
# serial number = *******

/interface bridge
add admin-mac=CD:2D:E0:FF:05:0F auto-mac=no comment=defconf name=bridge
/interface vlans
add interface=bridge name=vlan10-H vlan-ids=10
add interface=bridge name=vlan11-G vlan-ids=11
add interface=bridge name=vlan12-W vlan-ids=12
/interface wireguard
add listen-port=52820 mtu=1420 name=aws-london-sameer
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=10.0.0.100-10.0.0.150
add name=dhcp_pool2 ranges=11.1.1.2-11.1.1.30
add name=wireguard_pool ranges=11.12.1.2-11.12.1.254
/ip dhcp-server
add address-pool=dhcp interface=vlan10-H name=local
add address-pool=dhcp_pool2 interface=vlan11-G bridgeguest name=dhcpguest
add address-pool=wireguard_pool interface=vlan12-W name=dhcp1
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan1 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan2 pvid=11
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan-wireguard pvid=12
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether2-master pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether3 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether4 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether5 pvid=10
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=wlan1,ether2-master,ether3,ether4,ether5 vlan-ids=10
add bridge=bridge tagged=bridge untagged=wlan2 vlan-ids=11
add bridge=bridge tagged=bridge untagged=wlan-wireguard vlan-ids=12
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=NONE
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=vlan10-H list=LAN
add interface=vlan11-G list=LAN
add interface=vlan12-W list=LAN
add interface=aws-london-sameer list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=**.**.**.** endpoint-port=\
    51820 interface=aws-london-sameer persistent-keepalive=30s public-key=\
    "*************************"
/ip address
add address=192.168.1.60/24 interface=ether1 network=192.168.1.0
add address=10.0.0.1/24 interface=vlan10-H network=10.0.0.0
add address=11.1.1.1/24 interface=vlan11-G network=11.1.1.0
add address=11.12.1.1/24 interface=vlan12-W network=11.12.1.0
add address=10.6.0.4/24 interface=aws-london-sameer 
/ip firewall filter
add action=accept chain=input comment=\
"NEW defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input accept ICMP" protocol=icmp
add action=accept chain=input dst-port=52820 protocol=udp  { verify that prior router port forwards to the mikrotik router }
add action=drop chain=input in-interface-list=!LAN
++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=vlan12-W out-interface=aws-london-sameer
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=aws-london-sameer  { so the AWS sees only the IP address assigned to the MT and is thus permitted traffic }
++++++++++++++++++++++++++++++++++++++++++++++++++++
/routing table
add name=useWG fib
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1
add dst-address=0.0.0.0/0 gwy=aws-london-sameer table=useWG
/ip routing rule
add src-address=11.12.1.0/24 action=lookup table=useWG
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Asia/Riyadh
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN
...................

Also the way the routing works is that all the LAN will go out the normal WANIP except for the vlan12-W the wireguard subnet which is accessible to users, via wlan-wireguard.
Right now you will notice that the forced action is action=lookup
This means that if the wireguard tunnel is not working, the router will go to the main table and fine the other route and those users will then go out the normal local internet.

IF you do not want the users on wlan-wireguard to have access to the normal local internet if the wireguard tunnel is not working then you need
action=lookup-only-in-table
Last edited by anav on Mon Nov 21, 2022 11:32 pm, edited 2 times in total.
 
ameer456
just joined
Topic Author
Posts: 5
Joined: Thu May 31, 2018 6:58 am

Re: Want Virtual Wireless clients access intenet only through wireguard

Mon Nov 21, 2022 5:31 pm

Please review EVERY LINE and ask questions of what you dont understand.
My God!
I feel like I'm a bad student :D
Ok, this is my router for many years, back in the first week I was literally like this
I remember that I wanted to use port forward, since it is hard to pinpoint which Ethernet port & whatnot .. I choose all-ethernet!
I do all settings only through GUI.
Very disorganized firewall rules. have the chains together so that all input chains rules are together and all forward chain rules are together, much easier to make sense of! (and not in the right order either)
Ok, I have to learn this trick, I'll leave it for the time being.

My home network is like this:
ISP(Internet) >> Fiber Modem (192.168.1.1) >> Mikrotik (static IP "DMZ enabled" from fiber 192.168.1.60) (internal mikrotik address 10.0.0.1) + ad-block dns server (10.0.0.2)>> 2 physical wireless (2.4GHz/5GHz) + 1 virtual guest wireless (2.4GHz) + new virtual wireguard wireless (5GHz).


Wireguard server in AWS: just ubuntu instance + pi vpn installed on it, when add a new wireguard user it gives me this:
[Interface]
Address = 10.6.0.3/24
DNS = 1.1.1.1, 1.0.0.1
PrivateKey = ***********************

[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = *.*.*.*:51820
PreSharedKey = *************************
PublicKey = *******************
Which it works fine using wireguard software in both mobile & PC.
Also what is this setting for............ on the wlan for wireguard --> wds-default-bridge=bridge
Well, forgot why!
WDS Mode is disabled anyway in GUI, ok changed it to none.
still no internet!
What are you doing with VRF here, not required.
I'm just following sindy post viewtopic.php?t=186836#p939878
Ok deleted it Now internet works through virtual wireguard, but internet isn't coming from AWS server, it is from my ISP.
Please review EVERY LINE and ask questions of what you dont understand.
Well I understand the concept, may I know how to inject it through command line? I uploaded it to files (in gui) then restore, but nothing happened it said files not found!

....
Edit: some wrong codes?
set detect-interface-list=NONE >>> input does not match any value of detect-interface-list
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan1 pvid=10 >> syntax error (line 1 column 53)

add interface=bridge name=vlan10-H vlan-ids=10 >> I removed "s" vlan-id=10

add listen-port=52820 mtu=1420 name=aws-london-sameer <<< Why? the port is 51820 on AWS!


add action=accept chain=input accept ICMP" protocol=icmp >>> error, maybe: add action=accept chain=input protocol=icmp

add dst-address=0.0.0.0/0 gatewy=aws-london-sameer table=useWG >>> error:expected end of command (line 1 column 27)

/ip routing rule >> error: bad command name routing (line 1 column 5)

add address=X.X.X.X/24 >>> it ask for what interface! is it: aws-london-sameer ?? , also, you have to know AWS instance may not provide ip!
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Want Virtual Wireless clients access intenet only through wireguard

Mon Nov 21, 2022 5:56 pm

Hmm okay so you cannot put the ISP modem into bridge mode?
You can only port forward ALL ports to the Mikrotik via its lanip aka DMZ.

I am assuming since you do port forwarding, the public IP of the ISP router/modem is reachable. I imagine you simply use your IP Cloud address to detect that IP.
Well that still means you could initiate the tunnel in either direction and that you could access the wireguard directly from a remote location and dont necessarily need to access the ubuntu to do so!! So that will change things a bit................

Lets say on the ubuntu you want to be able to do TWO main things.
a. provide internet for specific mikrotik users or at least the wifi users using the wireguard SSID.
b. provide the ability to you as the admin to access the MT subnets/devices and to be able to config the MT Router
c. provide the ability to config the ubuntu.

Lets say on the MT router you want to be able to
a. send wireguard WIFI clients out internet via WG to Ubuntu
b. config UBUNTU
c. have remote access, as the admin, to the MT router directly via wireguard.

Did I cover everything????


So in essence lets say you have windows laptop, and an IPAD, you would have two remote devices and could have two wireguard setups for each.
1 for ubuntu direct ---> and from there can also reach MT in a relay method
2 for MT direct ---> and from there can also reach Ubuntu in a relay method

(relay means come out of tunnel and the re-enter tunnel to other device)
 
ameer456
just joined
Topic Author
Posts: 5
Joined: Thu May 31, 2018 6:58 am

Re: Want Virtual Wireless clients access intenet only through wireguard

Mon Nov 21, 2022 10:02 pm

the public IP of the ISP router/modem is reachable
Yes of course!
Lets say on the ubuntu you want to
a. Yes! only through virtual wireguard ssid that I can easily disable it whenever I want, I already -for months- access internet through wireguard my phone/PC, this time I want one wireguard user provide all virtual wireless clients internet service, of course ubuntu see traffic through one wireguard client. (so I don't even want wireless client to touch remote server's dhcp)
b. No
c. No
I don't want to access ubuntu, nor want to configure MT router from either side, I can do both via normal classic methods.
Lets say on the MT router you want to be able to
a. Yes!
b. No.
c. No.

My goal is simple: I want wireguard-wifi clients access internet as if they are located in london! Just that, as if it were a free vpn wifi hotspot to bypass restriction of regional media content.
Just want very simple configs to do that.
 
sindy
Forum Guru
Forum Guru
Posts: 9902
Joined: Mon Dec 04, 2017 9:19 pm

Re: Want Virtual Wireless clients access intenet only through wireguard

Mon Nov 21, 2022 10:34 pm

The easiest way is to create a normal local subnet for this special SSID (a dedicated IP address and DHCP server attached directly to the virtual wireless interface), and use a routing rule:

/routing/table/add fib name=via-uk
/ip/route/add routing-table=via-uk gateway=wg1
/routing/rule/add src-address=sub.net.add.ress/mask action=lookup-only-in-table table=via-uk


This will send all the traffic via Wireguard interface wg1, except maybe the traffic to Mikrotik's own IP addresses, but I'm not sure here - not familiar with the subtle changes in ROS 7 and they keep changing the behaviour. The peer hooked to that wireguard interface will take care of the rest. Of course the allowed-address on Mikrotik end must be 0.0.0.0/0, on the Ubuntu end it must be sub.net.add.ress/mask.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Want Virtual Wireless clients access intenet only through wireguard

Mon Nov 21, 2022 11:13 pm

So Sindy what you are saying in effect is that there are two options.
The one you advised and the one already advised which is IDENTICAL.
What is the purpose....... You dont like use-WG and prefer via-uk ?? ;-)

(1)
/routing table
add fib name=via-uk

/ip route
add dst-address=0.0.0.0/0 gwy=192.168.1.1 table=main
add dst-address=0.0.0.0/0 gwy=aws-london-sameer table=via-uk

/routing rule
add src-address=11.12.1.0/24 action=lookup table=via-uk

OR

/routing table
add name=useWG fib

(2) /ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1 table=main
add dst-address=0.0.0.0/0 gwy=aws-london-sameer table=useWG

/ip routing rule
add src-address=11.12.1.0/24 action=lookup table=useWG
Last edited by anav on Mon Nov 21, 2022 11:31 pm, edited 3 times in total.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Want Virtual Wireless clients access intenet only through wireguard

Mon Nov 21, 2022 11:14 pm

duplicate: nm
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Want Virtual Wireless clients access intenet only through wireguard

Mon Nov 21, 2022 11:24 pm

so the config I provided will do just what you asked,
What you need to change on the ubuntu as already noted.

[Interface]
Address = 10.6.0.3/24
DNS = 1.1.1.1, 1.0.0.1
PrivateKey = ***********************

[Peer]
AllowedIPs = 10.6.0.4/32
Endpoint = *.*.*.*:51820
PreSharedKey = *************************
PublicKey = *******************

and ensure on the MIKROTIK the following:
/ip address
add address=192.168.1.60/24 interface=ether1 network=192.168.1.0
add address=10.0.0.1/24 interface=vlan10-H network=10.0.0.0
add address=11.1.1.1/24 interface=vlan11-G network=11.1.1.0
add address=11.12.1.1/24 interface=vlan12-W network=11.12.1.0

add address=10.6.0.4/24 interface=aws-london-sameer { matches IP subnet of wireguard and allowed IPs on ubuntu)

AND

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN

add action=masquerade chain=srcnat out-interface=aws-london-sameer { already on the config provided }
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Want Virtual Wireless clients access intenet only through wireguard

Mon Nov 21, 2022 11:33 pm

I am curious what is classic method you use to config mikrotik if you are at a remote location ???
 
sindy
Forum Guru
Forum Guru
Posts: 9902
Joined: Mon Dec 04, 2017 9:19 pm

Re: Want Virtual Wireless clients access intenet only through wireguard

Tue Nov 22, 2022 10:59 am

The one you advised and the one already advised which is IDENTICAL.
What is the purpose....... You dont like use-WG and prefer via-uk ?? ;-)
It's because I did not filter through all that visual noise and just responded the OP's
My goal is simple: I want wireguard-wifi clients access internet as if they are located in london! Just that, as if it were a free vpn wifi hotspot to bypass restriction of regional media content.
Just want very simple configs to do that.
that followed your novel. So I figured the solution was not in there.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Want Virtual Wireless clients access intenet only through wireguard

Tue Nov 22, 2022 3:44 pm

Understand, but if someone asks how to put a bandaid on their finger and you notice they have a bloody nose, one may try to help with that as well. :-)

[ Also one never knows the nefarious sources the OP used for reference such as "using https://pivpn.io/" AND " I used this solution from "sindy": viewtopic...... ;-)) ]
 
sindy
Forum Guru
Forum Guru
Posts: 9902
Joined: Mon Dec 04, 2017 9:19 pm

Re: Want Virtual Wireless clients access intenet only through wireguard

Tue Nov 22, 2022 4:23 pm

[ Also one never knows the nefarious sources the OP used for reference such as "using https://pivpn.io/" AND " I used this solution from "sindy": viewtopic...... ;-)) ]
In fact, the referred post wasn't one of my brightest, as I've understood the requirement wrongly that he wanted to move the wireless part alone from the RPi to Mikrotik, whereas it was the other way round - everything except wireless already was on Mikrotik.
 
ameer456
just joined
Topic Author
Posts: 5
Joined: Thu May 31, 2018 6:58 am

Re: Want Virtual Wireless clients access intenet only through wireguard

Tue Nov 22, 2022 7:18 pm

Still no internet!
(I started from the beginning, restored my old backup, so please don't scream on "all ethernet" ) I attached the new export after your & sindy's post above.

on the ubuntu end I edit the file wg0.conf by terminal & changed the line:
[Peer]
PublicKey = sameer_pub
PresharedKey = sameer_psk
AllowedIPs = 10.6.0.3/32

To:

[Peer]
PublicKey = sameer_pub
PresharedKey = sameer_psk
AllowedIPs = 10.6.0.4/32

...

My phone connected to wireless, got auto IP (with dns 11.12.1.0 & subnet 255.0.0.0) but no internet!

......
I am curious what is classic method you use to config mikrotik if you are at a remote location ???
I just connect to my home network through wireguard that installed on my unraid (NAS) server then open a browser and type mikrotik ip , that my classic :) !
You do not have the required permissions to view the files attached to this post.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Want Virtual Wireless clients access intenet only through wireguard

Tue Nov 22, 2022 9:28 pm

The rest of the config, makes me queasy LOL,
but in terms of wireguard the only thing that I Can see funny is your /routing rules. THEY ARE CONFUSED........

From
/routing rule
add action=lookup-only-in-table disabled=no dst-address=0.0.0.0/0 interface=\
aws-london-sameer table=via-uk
add action=lookup disabled=no src-address=11.12.1.0/24 table=via-uk
add action=lookup-only-in-table disabled=no src-address=10.6.0.4/32 table=\
via-uk

TO:
/routing rule
add src-address=11.12.1.0/24 action=lookup-only-in-table table=via-uk



If that doesnt work, then I am afraid its the config (Not the wireguard settings) that is the problem and I already fixed that once! ;-)

Who is online

Users browsing this forum: Semrush [Bot] and 9 guests