WireGuard config trouble with Fritzbox #portforwarding #VLAN #FW pls help me (2024)

Hello forum god!

Thank you! Your extended answer does teach me a lot. I answer so late because I tried to figure out each point. So I will paste all your points, with my comment after each of your points.

WireGuard does (finally) work now. It was very tricky and related to the Fritzbox. For all future users with a similar problem, I will make one more answer and mark it as the solution.

Observations:
(1) Do not use vlan1; change it to VLAN11 (including ip address, ip dhcp-server, interface list member, vlan interface etc...)
Done. From the beginning I have tried to install a management net. But after so many desperate hours failing to get this network working, I was out of mute… For a while now I have used it to give my Pi-hole an address all devices can reach. But I guess here is much potential waiting (or wasted?)…

(2) Since using normal wifi on your MT device, get rid of assigning vlans in wifi setups.
Done. Cool, there was no traffic within one year > deleted.

viewtopic.php?t=143620

(3) Change to LOOSE and NO
/ip settings
set rp-filter=strict tcp-syncookies=yes

Done. I don't know why I set them. Probably to harden the device:
Send out syncookies when the syn backlog queue of a socket overflows. This is to prevent against the common 'SYN flood attack'. syncookies seriously violate TCP protocol, do not allow to use TCP extensions, can result in serious degradation of some services (f.e. SMTP relaying), visible not by you, but your clients and relays, contacting you.
And:
The current recommended practice in RFC3704 is to enable strict mode to prevent IP spoofing from DDoS attacks. If using asymmetric routing or other complicated routing or VRRP, then the loose mode is recommended.
Warning: strict mode does not work with routing tables

(4) Corrected interface list members!
/interface list member
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=vlan20 list=LAN
add comment=defconf interface=vlan10 list=LAN { covers both wired ports and WLANS }
add comment=defconf interface=vlan30 list=LAN { covers both guest wlans }
add interface=vlan11 list=LAN
add interface=IoT list=LAN
add interface=Management list=LAN
add interface=wireguard-vpn list=LAN

Done. Deleted both WLan entries. IoT interface == VLAN20; this is already in the LAN list, as is the new VLAN11 alias Management.

(5) your firewall chain is disorganized making it harder to read and spot errors.
Put all input chain rules together and then all forward chain rules etc....

Here is an example where lack of organization leads to perfectly good rules made useless...
add action=drop chain=input log-prefix="[drop]"
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
protocol=icmp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN

How much LAN traffic do you think will be able to access Router Services for such things like DNS?
Answer --> NONE except for wireguard traffic and of course the one subnet you identify with this src-address-list=allowed_to_router

Hum… Yeah, after my crazy headless testing, the order became worse. So if I understand your example correctly, the orange rule breaks the whole setup. I tried to put things in order now.

(6) You have duplication in your input chain rules..... ( also the input chain icmp allow rule is duplicated, but getting tired of it really)
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
192.168.40.0/24
add action=accept chain=input in-interface=wireguard-vpn log-prefix="[FW]"

You are totally right! In the meantime, I found one of the duplicates and removed it. However, I think exactly one of these rules should be the game changer. No? I deleted the second one now but left the one with 192.168.40.0/24 in place.

(7) Forward chain rules are also a mess...............

Done. Here I cleaned up all the WireGuard and duplicate stuff. Hope this will not cause me new problems. According to the docs (Building Advanced Firewall), it is not mentioned where to put the rule:
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
So I placed it over (before, lower number) this one:
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

(8) An interface is not an ether port or wlan port ??
add bridge=vlan-bridge frame-types=admit-only-vlan-tagged interface=\
Management

OK. Here I changed from admit all to admit only VLAN tagged. Correct?

(9) Some work to do to illuminate where vlan1 is going?? and used for..... now vlan11.........

Good point. Does it make sense to use it for an overlapping service like the Pi-hole? Or should I attach the Pi-hole to VLAN10 as it is the most used? Guests can have ads, and for IoT I don't care. So is there really a need for a management net in my small home setup?

(10) It would appear you have a Management interface list member but have not defined anywhere its origins, there is no vlan? or subnet?
It will be maybe the VLAN11 now…

(11) According to /interface bridge vlans, you have at least two hybrid ports caused by vlan1; changing this to VLAN11 would make sense if vlan11 is your management vlan.
So you would only have trunk ports to your switches etc.....
So much less complexity, then. I changed it to vlan11.

(12) What is the purpose of this rule ??????
add action=dst-nat chain=dstnat disabled=yes dst-port=13231 out-interface=\
vlan20 protocol=udp to-addresses=192.168.40.1
This originates from a tutorial which in the end did not work either. I should have deleted it before posting. Sorry for that.

(13) First thing I would do is wean off raw rules, like all of them.
Is there anything bad about them? They are in place because I followed the MikroTik documentation about the strict firewall. I mean, do they block the WireGuard setup?

(14) Do you use ipv6? if not simply disable it.
No. Had to do research how, but now it is disabled.

Kind regards
centurio

Configuration as of today:

# nov/03/2023 21:43:44 by RouterOS 7.7
# software id = AA51
#
# model = RB4011iGS
# serial number = tralllala
/interface bridge
add ingress-filtering=no name=vlan-bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="2 FritzBox"
set [ find default-name=ether2 ] comment="CRS326 Uplink"
set [ find default-name=ether3 ] comment="CRS326 Reserve"
set [ find default-name=ether4 ] comment=Teufel
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-vpn
/interface vlan
add interface=vlan-bridge name=vlan1 vlan-id=1
add comment=Office interface=vlan-bridge name=vlan10 vlan-id=10
add comment=IoT interface=vlan-bridge name=vlan20 vlan-id=20
add comment="Guest WiFi only" interface=vlan-bridge name=vlan30 vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    office supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=guest \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=IoT \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    Management supplicant-identity=""
/interface wireless
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-eC \
    country=switzerland disabled=no frequency=auto hide-ssid=yes \
    installation=indoor mode=ap-bridge multicast-helper=full name=WLan_2Ghz \
    radio-name=2GHz security-profile=office ssid=T15 vlan-id=10 vlan-mode=\
    use-tag wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan1 ] band=5ghz-n/ac channel-width=20/40/80mhz-XXXX \
    country=switzerland disabled=no frequency=auto hide-ssid=yes mode=\
    ap-bridge multicast-helper=full name=WLan_5Ghz radio-name=5GHz \
    secondary-frequency=auto security-profile=office ssid=T15 vlan-id=10 \
    vlan-mode=use-tag wireless-protocol=802.11 wps-mode=disabled
add disabled=no hide-ssid=yes mac-address=2E:C8:1B:BD:96:F2 master-interface=\
    WLan_2Ghz multicast-helper=full name=guest_2Ghz security-profile=guest \
    ssid=Guest vlan-id=30 vlan-mode=use-tag wps-mode=disabled
add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=\
    DE:2C:6E:1F:54:57 master-interface=WLan_5Ghz multicast-buffering=disabled \
    multicast-helper=full name=guest_5Ghz security-profile=guest ssid=Guest \
    vlan-id=30 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=\
    2E:C8:1B:BD:96:F1 master-interface=WLan_2Ghz multicast-buffering=disabled \
    name=IoT security-profile=IoT ssid=IoT vlan-id=20 vlan-mode=use-tag \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=\
    2E:C8:1B:BD:96:F3 master-interface=WLan_2Ghz multicast-buffering=disabled \
    name=Management security-profile=Management ssid=chef vlan-mode=use-tag \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip pool
add name=pool1 ranges=192.168.1.100-192.168.1.200
add name=pool10 ranges=192.168.10.10-192.168.10.200
add name=pool20 ranges=192.168.20.100-192.168.20.200
add name=pool30 ranges=192.168.30.100-192.168.30.200
/ip dhcp-server
add address-pool=pool1 interface=vlan1 lease-script="# DNS TTL to set for DNS \
    entries\r\
    \n:local dnsttl \"00:15:00\";\r\
    \n\r\
    \n###\r\
    \n# Script entry point\r\
    \n#\r\
    \n# Expected environment variables:\r\
    \n# leaseBound 1 = lease bound, 0 = lease removed\r\
    \n# leaseServerName Name of DHCP server\r\
    \n# leaseActIP IP address of DHCP client\r\
    \n# leaseActMAC MAC address of DHCP client\r\
    \n###\r\
    \n\r\
    \n:local scriptName \"dhcp2dns\"\r\
    \n:do {\r\
    \n :local scriptObj [:parse [/system script get \$scriptName source]]\r\
    \n \$scriptObj leaseBound=\$leaseBound leaseServerName=\$leaseServerName \
    leaseActIP=\$leaseActIP leaseActMAC=\$leaseActMAC\r\
    \n} on-error={ :log warning \"DHCP server '\$leaseServerName' lease script\
    \_error\" };\r\
    \n\r\
    \n# \"a.b.c.d\" -> \"a-b-c-d\" for IP addresses used as replacement for mi\
    ssing host names\r\
    \n:local ip2Host do=\\\r\
    \n{\r\
    \n :local outStr\r\
    \n :for i from=0 to=([:len \$inStr] - 1) do=\\\r\
    \n {\r\
    \n :local tmp [:pick \$inStr \$i];\r\
    \n :if (\$tmp =\".\") do=\\\r\
    \n {\r\
    \n :set tmp \"-\"\r\
    \n }\r\
    \n :set outStr (\$outStr . \$tmp)\r\
    \n }\r\
    \n :return \$outStr\r\
    \n}\r\
    \n\r\
    \n:local mapHostName do={\r\
    \n# param: name\r\
    \n# max length = 63\r\
    \n# allowed chars a-z,0-9,-\r\
    \n :local allowedChars \"abcdefghijklmnopqrstuvwxyz0123456789-\";\r\
    \n :local numChars [:len \$name];\r\
    \n :if (\$numChars > 63) do={:set numChars 63};\r\
    \n :local result \"\";\r\
    \n\r\
    \n :for i from=0 to=(\$numChars - 1) do={\r\
    \n :local char [:pick \$name \$i];\r\
    \n :if ([:find \$allowedChars \$char] < 0) do={:set char \"-\"};\r\
    \n :set result (\$result . \$char);\r\
    \n }\r\
    \n :return \$result;\r\
    \n}\r\
    \n\r\
    \n:local lowerCase do={\r\
    \n# param: entry\r\
    \n :local lower \"abcdefghijklmnopqrstuvwxyz\";\r\
    \n :local upper \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\r\
    \n :local result \"\";\r\
    \n :for i from=0 to=([:len \$entry] - 1) do={\r\
    \n :local char [:pick \$entry \$i];\r\
    \n :local pos [:find \$upper \$char];\r\
    \n :if (\$pos > -1) do={:set char [:pick \$lower \$pos]};\r\
    \n :set result (\$result . \$char);\r\
    \n }\r\
    \n :return \$result;\r\
    \n}\r\
    \n\r\
    \n:local token \"\$leaseServerName-\$leaseActMAC\";\r\
    \n:local LogPrefix \"DHCP2DNS (\$leaseServerName)\"\r\
    \n\r\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do=\\\r\
    \n{\r\
    \n :log error \"\$LogPrefix: empty lease address\"\r\
    \n :error \"empty lease address\"\r\
    \n}\r\
    \n\r\
    \n:if ( \$leaseBound = 1 ) do=\\\r\
    \n{\r\
    \n # new DHCP lease added\r\
    \n /ip dhcp-server\r\
    \n #:local dnsttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
    \n network\r\
    \n :local domain [ get [ find \$leaseActIP in address ] domain ]\r\
    \n #:log info \"\$LogPrefix: DNS domain is \$domain\"\r\
    \n\r\
    \n :local hostname [/ip dhcp-server lease get [:pick [find mac-address=\$\
    leaseActMAC and server=\$leaseServerName] 0] value-name=host-name]\r\
    \n #:log info \"\$LogPrefix: DHCP hostname is \$hostname\"\r\
    \n\r\
    \n #Hostname cleanup\r\
    \n :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
    \n {\r\
    \n :set hostname [ \$ip2Host inStr=\$leaseActIP ]\r\
    \n :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using ge\
    nerated host name '\$hostname'\"\r\
    \n }\r\
    \n :set hostname [\$lowerCase entry=\$hostname]\r\
    \n :set hostname [\$mapHostName name=\$hostname]\r\
    \n #:log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\r\
    \n\r\
    \n :if ( [ :len \$domain ] <= 0 ) do=\\\r\
    \n {\r\
    \n :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', can\
    not create static DNS name\"\r\
    \n :error \"Empty domainname for '\$leaseActIP'\"\r\
    \n }\r\
    \n\r\
    \n :local fqdn (\$hostname . \".\" . \$domain)\r\
    \n #:log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\r\
    \n\r\
    \n :if ([/ip dhcp-server lease get [:pick [find mac-address=\$leaseActM\
    AC and server=\$leaseServerName] 0] ]) do={\r\
    \n # :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\r\
    \n :do {\r\
    \n /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl\
    \_comment=\$token;\r\
    \n } on-error={:log error message=\"\$LogPrefix: Failure during dns r\
    egistration of \$fqdn with \$leaseActIP\"}\r\
    \n }\r\
    \n\r\
    \n} else={\r\
    \n# DHCP lease removed\r\
    \n /ip dns static remove [find comment=\$token];\r\
    \n} " name=server1
add address-pool=pool10 interface=vlan10 name=server2
add address-pool=pool20 interface=vlan20 name=server3
add address-pool=pool30 interface=vlan30 name=server4
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=vlan-bridge comment="Uplink Switch" interface=ether2
add bridge=vlan-bridge comment="Reserve Uplink Switch" interface=ether3
add bridge=vlan-bridge comment=Pihole interface=ether4
add bridge=vlan-bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8 pvid=20
add bridge=vlan-bridge interface=ether9 pvid=20
add bridge=vlan-bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether7 pvid=10
add bridge=vlan-bridge frame-types=admit-only-vlan-tagged interface=WLan_2Ghz \
    pvid=10
add bridge=vlan-bridge frame-types=admit-only-vlan-tagged interface=WLan_5Ghz \
    pvid=10
add bridge=vlan-bridge frame-types=admit-only-vlan-tagged interface=IoT pvid=\
    20
add bridge=vlan-bridge frame-types=admit-only-vlan-tagged interface=\
    guest_2Ghz pvid=30
add bridge=vlan-bridge interface=guest_5Ghz pvid=30
add bridge=vlan-bridge frame-types=admit-only-vlan-tagged interface=\
    Management
/ip settings
set rp-filter=strict tcp-syncookies=yes
/interface bridge vlan
add bridge=vlan-bridge tagged=vlan-bridge,ether2 untagged=ether4 vlan-ids=1
add bridge=vlan-bridge tagged=\
    vlan-bridge,ether2,ether3,WLan_2Ghz,WLan_5Ghz,ether4 vlan-ids=10
add bridge=vlan-bridge tagged=vlan-bridge,ether2,ether3,IoT,ether4 vlan-ids=\
    20
add bridge=vlan-bridge tagged=vlan-bridge,ether2,ether3,guest_2Ghz,guest_5Ghz \
    vlan-ids=30
/interface list member
add comment=defconf interface=vlan20 list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=vlan10 list=LAN
add comment=defconf interface=vlan30 list=LAN
add interface=vlan1 list=LAN
add interface=WLan_5Ghz list=LAN
add interface=WLan_2Ghz list=LAN
add interface=guest_2Ghz list=LAN
add interface=guest_5Ghz list=LAN
add interface=IoT list=LAN
add interface=Management list=LAN
add interface=wireguard-vpn list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.40.2/32 comment="Pix" interface=wireguard-vpn \
    public-key="Fo1HOsr9lDLhLToYHc41JIDZh6yOlOh0zLl7OfuyelE="
/ip address
add address=192.168.178.2/24 interface=ether1 network=192.168.178.0
add address=192.168.1.1/24 interface=vlan1 network=192.168.1.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
add address=192.168.40.1/24 interface=wireguard-vpn network=192.168.40.0
/ip dhcp-server lease
add address=192.168.20.199 comment="SMA 9kW" mac-address=00:40:AD:99:22:A3 \
    server=server3
add address=192.168.20.198 client-id=1:0:40:ad:b0:77:b0 comment="SMA SBS 3.6" \
    mac-address=00:40:AD:B0:77:B0 server=server3
add address=192.168.20.197 client-id=1:a8:3:2a:31:5f:ff comment=\
    "Thinkerforge Warp2 Smart Ladestation" mac-address=A8:03:2A:31:5F:FF \
    server=server3
add address=192.168.20.196 client-id=1:0:d0:93:49:ca:73 comment=Homemanager \
    mac-address=00:D0:93:49:CA:73 server=server3
add address=192.168.20.195 comment="SMA 15kW" mac-address=00:40:AD:AD:41:EE \
    server=server3
add address=192.168.10.200 client-id=1:0:50:b6:b5:1c:12 comment=X13 \
    mac-address=00:50:B6:B5:1C:12 server=server2
add address=192.168.10.143 client-id=1:c0:bd:d1:b5:77:62 mac-address=\
    C0:BD:D1:B5:77:62 server=server2
add address=192.168.10.189 client-id=1:f0:9e:4a:7e:9:5f mac-address=\
    F0:9E:4A:7E:09:5F server=server2
add address=192.168.10.55 client-id=1:50:1e:2d:2d:9c:c4 comment="Teufel One" \
    mac-address=50:1E:2D:2D:9C:C4 server=server2
add address=192.168.20.192 client-id=1:2:81:85:aa:9a:87 comment=\
    "Multiplus II" mac-address=02:81:85:AA:9A:87 server=server3
add address=192.168.10.49 client-id=1:ea:80:4e:1b:5b:22 mac-address=\
    EA:80:4E:1B:5B:22 server=server2
add address=192.168.10.43 client-id=\
    ff:5d:e2:6c:15:0:2:0:0:ab:11:3a:83:32:50:46:6a:ed:4f mac-address=\
    84:A9:3E:0B:15:AF server=server2
add address=192.168.10.50 client-id=1:48:8f:5a:8:ac:a7 comment=\
    "Switch CRS326" mac-address=48:8F:5A:08:AC:A7 server=server2
add address=192.168.10.36 client-id=1:3c:7c:3f:26:95:8b mac-address=\
    3C:7C:3F:26:95:8B server=server2
add address=192.168.10.159 client-id=1:2:a:12:73:41:fe comment="iPhone Caro" \
    mac-address=02:0A:12:73:41:FE server=server2
add address=192.168.20.190 client-id=1:34:ea:e7:6:a0:41 comment=\
    "P1 Meter BKW Z\E4hler" mac-address=34:EA:E7:06:A0:41 server=server3
add address=192.168.20.188 comment="Shelly 1PM (PM2)" mac-address=\
    8C:AA:B5:5F:D8:77 server=server3
add address=192.168.10.16 client-id=1:f6:b8:82:4:2f:4d comment=Pixel \
    mac-address=F6:B8:82:04:2F:4D server=server2
add address=192.168.10.13 client-id=1:bc:e6:3f:f:82:86 mac-address=\
    BC:E6:3F:0F:82:86 server=server2
add address=192.168.10.19 client-id=1:c4:12:34:c:b3:f5 mac-address=\
    C4:12:34:0C:B3:F5 server=server2
add address=192.168.10.35 client-id=\
    ff:e4:3a:18:f0:0:2:0:0:ab:11:93:b7:c:7:70:43:4b:c8 mac-address=\
    C6:45:80:CE:D1:98 server=server2
add address=192.168.20.186 client-id=1:2:e6:2c:ae:b:f3 comment=S19k \
    mac-address=02:E6:2C:AE:0B:F3 server=server3
add address=192.168.20.181 client-id=1:e4:5f:1:2b:82:ff mac-address=\
    E4:5F:01:2B:82:FF server=server3
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.100,1.1.1.1 domain=vlan1.home \
    gateway=192.168.1.1 netmask=24 ntp-server=195.176.26.204
add address=192.168.10.0/24 dns-server=192.168.1.100,1.1.1.1 domain=\
    vlan10.home gateway=192.168.10.1 netmask=24 ntp-server=195.176.26.204
add address=192.168.20.0/24 dns-server=192.168.1.100,1.1.1.1 domain=\
    vlan20.home gateway=192.168.20.1 netmask=24 ntp-server=195.176.26.204
add address=192.168.30.0/24 dns-server=192.168.1.100,1.1.1.1 domain=\
    vlan30.home gateway=192.168.30.1 netmask=24 ntp-server=195.176.26.204
/ip dns
set cache-max-ttl=1d max-concurrent-queries=400 max-concurrent-tcp-sessions=\
    100 servers=192.168.1.100,1.1.1.1
/ip dns static
add address=192.168.1.110 comment=server2-02:47:D4:8E:24:35 name=\
    192-168-1-110.vlan1.home ttl=15m
add address=192.168.1.111 comment=server2-F6:27:44:E3:4B:16 name=\
    192-168-1-111.vlan1.home ttl=15m
add address=192.168.1.112 comment=server2-F2:16:1F:10:31:41 name=\
    192-168-1-112.vlan1.home ttl=15m
add address=192.168.1.130 comment=server2-92:62:F2:AC:75:4B name=\
    192-168-1-130.vlan1.home ttl=15m
add address=192.168.1.131 comment=server2-32:DA:B0:CE:B9:F1 name=\
    192-168-1-131.vlan1.home ttl=15m
add address=192.168.1.132 comment=server2-0E:EA:BF:6A:4E:35 name=\
    192-168-1-132.vlan1.home ttl=15m
add address=192.168.1.133 comment=server2-7A:2B:F9:47:A3:14 name=\
    192-168-1-133.vlan1.home ttl=15m
add address=192.168.1.134 comment=server2-12:41:E3:47:51:B0 name=\
    192-168-1-134.vlan1.home ttl=15m
add address=192.168.1.135 comment=server2-EE:E7:80:4D:A9:A8 name=\
    192-168-1-135.vlan1.home ttl=15m
add address=192.168.1.136 comment=server2-BE:99:09:2F:54:E9 name=\
    192-168-1-136.vlan1.home ttl=15m
add address=192.168.1.137 comment=server2-FE:30:F8:CA:C0:C9 name=\
    192-168-1-137.vlan1.home ttl=15m
add address=192.168.1.138 comment=server2-42:6D:14:0A:CB:C2 name=\
    192-168-1-138.vlan1.home ttl=15m
add address=192.168.1.139 comment=server2-4A:6B:BA:AE:65:FF name=\
    192-168-1-139.vlan1.home ttl=15m
add address=192.168.1.140 comment=server2-3A:49:04:F9:5B:C9 name=\
    192-168-1-140.vlan1.home ttl=15m
add address=192.168.1.141 comment=server2-8A:53:75:23:90:66 name=\
    192-168-1-141.vlan1.home ttl=15m
add address=192.168.1.142 comment=server2-2E:18:F6:3E:D3:21 name=\
    192-168-1-142.vlan1.home ttl=15m
add address=192.168.1.143 comment=server2-5E:83:BB:74:38:1D name=\
    192-168-1-143.vlan1.home ttl=15m
add address=192.168.1.144 comment=server2-7A:73:D5:5A:DB:43 name=\
    192-168-1-144.vlan1.home ttl=15m
add address=192.168.1.145 comment=server2-3A:E4:34:C1:54:05 name=\
    192-168-1-145.vlan1.home ttl=15m
add address=192.168.1.146 comment=server2-9E:58:37:23:55:69 name=\
    192-168-1-146.vlan1.home ttl=15m
add address=192.168.1.147 comment=server2-1A:32:21:41:9A:51 name=\
    192-168-1-147.vlan1.home ttl=15m
add address=192.168.1.148 comment=server2-CE:09:A2:C3:E4:D5 name=\
    192-168-1-148.vlan1.home ttl=15m
add address=192.168.1.149 comment=server2-8E:4D:C1:7A:64:91 name=\
    192-168-1-149.vlan1.home ttl=15m
add address=192.168.1.150 comment=server2-12:D7:27:1D:E0:9F name=\
    192-168-1-150.vlan1.home ttl=15m
add address=192.168.1.151 comment=server2-AE:FC:C3:B4:92:61 name=\
    192-168-1-151.vlan1.home ttl=15m
add address=192.168.1.152 comment=server2-32:44:B4:24:6C:51 name=\
    192-168-1-152.vlan1.home ttl=15m
add address=192.168.20.199 comment=server3-00:40:AD:99:22:A3 name=\
    192-168-20-199.vlan20.home ttl=15m
add address=192.168.20.197 comment=server3-A8:03:2A:31:5F:FF name=\
    warp2.vlan20.home ttl=15m
add address=192.168.20.195 comment=server3-00:40:AD:AD:41:EE name=\
    192-168-20-195.vlan20.home ttl=15m
add address=192.168.10.50 comment=server2-48:8F:5A:08:AC:A7 name=\
    mikrotik.vlan10.home ttl=15m
add address=192.168.10.49 comment=server2-EA:80:4E:1B:5B:22 name=\
    galaxy-tab-s6-lite.vlan10.home ttl=15m
add address=192.168.10.55 comment=server2-50:1E:2D:2D:9C:C4 name=\
    192-168-10-55.vlan10.home ttl=15m
add address=192.168.20.198 comment=server3-00:40:AD:B0:77:B0 name=\
    sma3009917376.vlan20.home ttl=15m
add address=192.168.20.196 comment=server3-00:D0:93:49:CA:73 name=\
    sma3004913685.vlan20.home ttl=15m
add address=192.168.10.159 comment=server2-02:0A:12:73:41:FE name=\
    192-168-10-159.vlan10.home ttl=15m
add address=192.168.20.200 comment=server3-C0:41:F6:1F:05:7D name=\
    192-168-20-200.vlan20.home ttl=15m
add address=192.168.10.189 comment=server2-F0:9E:4A:7E:09:5F name=\
    spcclt-007.vlan10.home ttl=15m
add address=192.168.30.155 comment=server4-94:44:44:89:06:F9 name=\
    192-168-30-155.vlan30.home ttl=15m
/ip firewall address-list
add address=192.168.1.0-192.168.10.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" disabled=yes list=\
    not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" disabled=yes list=\
    bad_dst_ipv4
add address=192.168.10.0/24 comment=trusted list=vlan10
add address=192.168.20.0/24 comment=untrusted list=vlan20
add address=192.168.30.0/24 comment=untrusted list=vlan30
/ip firewall filter
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    192.168.40.0/24
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input in-interface=wireguard-vpn log-prefix="[FW]"
add action=accept chain=forward comment="VPN -> LAN | Netzwerkzugriff" \
    in-interface=wireguard-vpn log=yes log-prefix="[FW]" out-interface=ether1
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input log-prefix="[drop]"
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward dst-address-list=vlan20 src-address-list=\
    vlan10
add action=accept chain=forward dst-address-list=vlan30 src-address-list=\
    vlan10
add action=accept chain=forward comment="warp charger to evcc" dst-address=\
    192.168.10.35 src-address=192.168.20.197
add action=drop chain=forward dst-address-list=vlan10 src-address-list=vlan20
add action=drop chain=forward dst-address-list=vlan10 src-address-list=vlan30
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes dst-port=13231 out-interface=\
    vlan20 protocol=udp to-addresses=192.168.40.1
add action=accept chain=srcnat comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" log-prefix=\
    "[nat]" out-interface-list=WAN
/ip firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
    udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" dst-address=192.168.1.0/24 \
    in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" in-interface=\
    vlan-bridge in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.178.1 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet address=192.168.0.0/16 disabled=yes
set ftp address=192.168.0.0/16 disabled=yes
set www address=192.168.0.0/16 disabled=yes
set ssh address=192.168.0.0/16 port=2200
set www-ssl address=192.168.0.0/16 certificate=webfig disabled=no
set api address=192.168.0.0/16 disabled=yes
set winbox address=192.168.0.0/16
set api-ssl address=192.168.0.0/16 certificate=MikroTik.local
/ip ssh
set host-key-size=4096 strong-crypto=yes
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=\
    bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
    ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Zurich
/system identity
set name=Router
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp11.metas.ch
add address=ntp12.metas.ch
add address=ntp13.metas.ch
/tool bandwidth-server
set enabled=no
/tool graphing interface
add allow-address=192.168.0.0/16
/tool graphing queue
add allow-address=192.168.0.0/16
/tool graphing resource
add allow-address=192.168.0.0/16
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
/tool romon
set enabled=yes
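As an added illustration of point (5), and not code from this thread or from MikroTik: a small Python first-match simulator that runs the input-chain rules quoted there (plus the WireGuard and allowed_to_router accepts in front of them, as the posted config has them) against a few constructed packets, once in the posted order and once grouped the way the reviewer asked. It assumes RouterOS chain semantics (top to bottom, first match wins, a packet that reaches the end of the input chain is accepted); the interface lists, the allowed_to_router range and the sample addresses are taken from the posted config, the WAN source 203.0.113.7 is a constructed placeholder.

```python
"""First-match simulator for a RouterOS /ip firewall filter input chain."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str                  # source IP address
    in_iface: str             # ingress interface name
    proto: str = "udp"
    dst_port: Optional[int] = None
    conn_state: str = "new"   # new | established | related | untracked


@dataclass
class Rule:
    action: str
    comment: str = ""
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    src_address: Optional[str] = None        # CIDR
    src_address_list: Optional[str] = None
    in_interface_list: Optional[str] = None  # "LAN" or "!LAN"
    connection_state: frozenset = frozenset()


# Constructed lookup tables, taken from the posted config.
IFACE_LISTS = {
    "WAN": {"ether1"},
    "LAN": {"vlan10", "vlan20", "vlan30", "vlan11", "wireguard-vpn"},
}
ADDR_LISTS = {  # address-list entries may be a CIDR or a start-end range
    "allowed_to_router": ["192.168.1.0-192.168.10.254"],
}


def in_addr_list(ip: str, entries) -> bool:
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p) for p in entry.split("-"))
            if lo <= addr <= hi:
                return True
        elif addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher set on the rule must hold; unset matchers match anything."""
    if rule.protocol and rule.protocol != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.src_address and not in_addr_list(pkt.src, [rule.src_address]):
        return False
    if rule.src_address_list and not in_addr_list(
            pkt.src, ADDR_LISTS.get(rule.src_address_list, [])):
        return False
    if rule.in_interface_list:
        negated = rule.in_interface_list.startswith("!")
        member = pkt.in_iface in IFACE_LISTS[rule.in_interface_list.lstrip("!")]
        if member == negated:          # "!LAN" matches only non-members
            return False
    if rule.connection_state and pkt.conn_state not in rule.connection_state:
        return False
    return True


def evaluate(chain, pkt: Packet):
    """First matching rule wins; RouterOS accepts whatever falls off the end."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule.action, rule.comment
    return "accept", "implicit end-of-chain accept"


EST = frozenset({"established", "related", "untracked"})

# The input rules from point (5), with the WireGuard and allowed_to_router
# accepts in front of them, in the order the posted config had them.
DISORGANIZED = [
    Rule("accept", "allow WireGuard traffic", src_address="192.168.40.0/24"),
    Rule("accept", "allow WireGuard", protocol="udp", dst_port=13231),
    Rule("accept", "allowed_to_router", src_address_list="allowed_to_router"),
    Rule("drop", "[drop] catch-all"),
    Rule("accept", "defconf: accept ICMP after RAW", protocol="icmp"),
    Rule("accept", "defconf: accept established,related,untracked",
         connection_state=EST),
    Rule("drop", "defconf: drop all not coming from LAN", in_interface_list="!LAN"),
]

# The same rules grouped as the reviewer asked: stateful accept first, then
# the specific accepts, then the WAN drop, and the catch-all drop last.
ORDERED = [DISORGANIZED[5], DISORGANIZED[4], DISORGANIZED[1], DISORGANIZED[0],
           DISORGANIZED[2], DISORGANIZED[6], DISORGANIZED[3]]

# Constructed sample packets; LAN addresses are ones from the posted config.
SAMPLES = {
    "office DNS query": Packet("192.168.10.55", "vlan10", "udp", 53),
    "guest DNS query": Packet("192.168.30.155", "vlan30", "udp", 53),
    "guest ping": Packet("192.168.30.155", "vlan30", "icmp"),
    "IoT reply to router": Packet("192.168.20.197", "vlan20", "udp", None, "established"),
    "WAN ssh attempt": Packet("203.0.113.7", "ether1", "tcp", 2200),
    "WireGuard handshake": Packet("203.0.113.7", "ether1", "udp", 13231),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        bad, good = evaluate(DISORGANIZED, pkt), evaluate(ORDERED, pkt)
        print(f"{name:22} disorganized: {bad[0]:6} ({bad[1]})")
        print(f"{'':22} ordered:      {good[0]:6} ({good[1]})")
```

Reordering rescues the guest ping and the established IoT reply, but the guest DNS query is still dropped in both orders because 192.168.30.0/24 lies outside the allowed_to_router range, which is the reviewer's point that only WireGuard and that one range reach router services.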