I am quite new to MT products. I have a HAP AX3 (only a few weeks, replaced pfSense VM to isolate Network from Server) and am using stock config (QuickSET). I also have a CRS326 in SWOS for now.
I have success with WireGuard App on a Windows Client PC connecting from outside connection (via DuckDNS) and I can see the handshake in WinBox. But I can't get access the LAN subnet once connected. My intent is to get to my ProxMox Web Interface should I need to from outside the home network.
I think my main issue is I don't know how to route the WireGuard Subnet to the LAN subnet. I tried adding a new route in "routes" but I'm guessing Wireguard subnet -> RouterIP (LAN Subnet) is wrong as it comes up "USHI"
I have attached my config file as I saw was instructed earlier. i tried comparing the two against another post, but I just don't understand enough of the command line at this time to make my way through it.
Any suggestions would be greatly appreciated!
Unkis
WireGuard Subnets
You do not have the required permissions to view the files attached to this post.
Re: WireGuard Subnets
(1) Remove bridge filters is probably the most important change.
(2) Add wireguard to list members.
/interface list member
add comment=defconf interface=ether1-WAN list=WAN
add comment=defconf interface=bridge-LAN list=LAN
add interface=wireguard1 list=LAN
(3) Modify firewall rules.... Put input chain rule in right place.
Use drop all for forward chain so as to best see and control traffic flow ( aka get rid of the default dstnat rule and replace with 3 rules )
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="WireGuard VPN Allow Rule" dst-port=\
13231 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes {enable if required}
add action=accept chain=forward comment="allow WG traffic" in-interface=wireguard1 dst-address=192.168.1.0/24
add action=drop chain=forward comment="drop all else"
(2) Add wireguard to list members.
/interface list member
add comment=defconf interface=ether1-WAN list=WAN
add comment=defconf interface=bridge-LAN list=LAN
add interface=wireguard1 list=LAN
(3) Modify firewall rules.... Put input chain rule in right place.
Use drop all for forward chain so as to best see and control traffic flow ( aka get rid of the default dstnat rule and replace with 3 rules )
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="WireGuard VPN Allow Rule" dst-port=\
13231 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes {enable if required}
add action=accept chain=forward comment="allow WG traffic" in-interface=wireguard1 dst-address=192.168.1.0/24
add action=drop chain=forward comment="drop all else"
Re: WireGuard Subnets
@anav,
Thank you for the response. I am trying to learn about this more. Can I modify the exported config file in a text editor, upload the file in Winbox and run "restore" with the new file? Don't want to mess anything up.
Looking at my config file your comment, "remove bridge filters" does that refer to lines 33-37, delete them entirely then? Added photo.
For (2), I added wireguard1 to LAN via web interface, see attached is this correct?
For (3), I moved Wireguard rule up to position #5 from #12,
Firewall additions:
If I am correct about modifying config file in text then I paste in your changes and upload - simple. If I am wrong, I believe I can paste each line you recommended into the "Terminal" within WinBox.
Thank you for all this help!
Unkis
Thank you for the response. I am trying to learn about this more. Can I modify the exported config file in a text editor, upload the file in Winbox and run "restore" with the new file? Don't want to mess anything up.
Looking at my config file your comment, "remove bridge filters" does that refer to lines 33-37, delete them entirely then? Added photo.
For (2), I added wireguard1 to LAN via web interface, see attached is this correct?
For (3), I moved Wireguard rule up to position #5 from #12,
Firewall additions:
If I am correct about modifying config file in text then I paste in your changes and upload - simple. If I am wrong, I believe I can paste each line you recommended into the "Terminal" within WinBox.
Thank you for all this help!
Unkis
You do not have the required permissions to view the files attached to this post.
Re: WireGuard Subnets
Can you not export the config and post here ( i use notepadd++)
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys, long dhcp lease lists etc.)
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys, long dhcp lease lists etc.)
Re: WireGuard Subnets
@anav,
Sorry, maybe my comment wasn't so clear. I did use the /export previously to share my config. I too am using Notepad++. Can I make the changes in the config file that you recommended in your first post in Notepad++ and then upload that file in WinBox via the "Files" section and use the "Restore" button?
Thank you
Unkis
Sorry, maybe my comment wasn't so clear. I did use the /export previously to share my config. I too am using Notepad++. Can I make the changes in the config file that you recommended in your first post in Notepad++ and then upload that file in WinBox via the "Files" section and use the "Restore" button?
Thank you
Unkis
Re: WireGuard Subnets
I would only make changes one at a time and using the safe mode button.
Then repost.
Then repost.
Who is online
Users browsing this forum: No registered users and 12 guests