EugeneT
Topic Author

No WAN access via Wireguard

Wed Aug 23, 2023 3:27 am

Hi there,

My apologies if this has been discussed before, but I couldn't find a solution scrolling through all Wireguard topics.

Here is my problem. I've created a Wireguard tunnel from an Android phone to a HAP AC3 router, which is also the WAN gateway. I can connect with the Mikrotik app to the router and to two other Mikrotiks working as wireless extenders in the same LAN by their local IP addresses via Wireguard (even though the app won't discover them). However, I have no Internet access on the phone via Wireguard.

My configuration is very basic.

In the phone in a Peer section I set allowed IP to 0.0.0.0/0 and the endpoint is Mikrotik's DDNS address. In the Interface section, I have set the address to 10.180.5.2/24 and DNS servers to 8.8.8.8 and 10.80.5.1, which is the address of the Wireguard server in Mikrotik.

In the router I've only added a couple of firewall rules related to Wireguard to the default config (below) and added Wireguard interface to the LAN list.

Please let me know what I'm doing wrong. Thanks!

0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked

2 ;;; allow WireGuard
chain=input action=accept protocol=udp dst-port=13231 log=no log-prefix=""

3 ;;; allow Wireguard traffic
chain=forward action=accept src-address=10.180.5.0/24 log=no log-prefix=""

4 ;;; allow IPsec NAT
chain=input action=accept protocol=udp dst-port=4500

5 ;;; allow IKE
chain=input action=accept protocol=udp dst-port=500

6 ;;; allow l2tp

7 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid in-interface-list=WAN log=no log-prefix=""

8 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp

9 X ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1 log=no log-prefix=""

10 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN

11 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec

12 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec

13 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related

14 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked

15 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

16 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
 
anav

Re: No WAN access via Wireguard

Wed Aug 23, 2023 3:46 pm

Sorry, I don't read snippets.
Please post the config:
/export file=anynameyouwish ( minus router serial #, any public WAN IP information, keys, etc. )
 
EugeneT
Topic Author

Re: No WAN access via Wireguard

Wed Aug 23, 2023 6:23 pm

Sure. Here is the full config, sans serial number and access list.
Thanks!

# 2023-08-23 11:11:32 by RouterOS 7.11
# software id = HCKX-M4JR
#
# model = RBD53iG-5HacD2HnD
# serial number =
/interface bridge
add admin-mac=18:FD:74:2C:4D:53 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
band=2ghz-g/n channel-width=20/40mhz-XX country=canada \
default-authentication=no disabled=no frequency=auto hw-protection-mode=\
rts-cts hw-protection-threshold=256 mode=ap-bridge name=2.4G ssid=E2500 \
wireless-protocol=unspecified wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode \
band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=canada \
default-authentication=no disabled=no distance=indoors frequency=5220 \
hw-protection-mode=rts-cts hw-protection-threshold=256 mode=ap-bridge \
name=5G ssid=E2500-5 wireless-protocol=unspecified wmm-support=enabled \
wps-mode=disabled
/interface wireless nstreme
set "2.4G" enable-polling=no
set "5G" enable-polling=no
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip pool
add name=dhcp ranges=192.168.89.3-192.168.89.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/dude
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=2.4G
add bridge=bridge comment=defconf interface=5G
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=5G list=LAN
add interface=2.4G list=LAN
/interface wireguard peers
add allowed-address=10.180.5.2/32 interface=wireguard1 persistent-keepalive=\
25s public-key="..."
/ip address
add address=192.168.89.1/24 comment=defconf interface=bridge network=\
192.168.89.0
add address=10.180.5.1/24 interface=wireguard1 network=10.180.5.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.89.253 client-id=1:54:a0:50:d3:d2:bf mac-address=\
54:A0:50:D3:D2:BF server=defconf
add address=192.168.89.233 client-id=1:b0:73:9c:81:e6:b7 mac-address=\
B0:73:9C:81:E6:B7 server=defconf
add address=192.168.89.229 client-id=1:74:4d:28:45:e1:53 mac-address=\
74:4D:28:45:E1:53 server=defconf
add address=192.168.89.223 client-id=1:d4:ca:6d:cc:5e:8a mac-address=\
D4:CA:6D:CC:5E:8A server=defconf
add address=192.168.89.237 client-id=1:d4:53:83:df:e3:b mac-address=\
D4:53:83:DF:E3:0B server=defconf
/ip dhcp-server network
add address=192.168.89.0/24 comment=defconf dns-server=192.168.89.1 gateway=\
192.168.89.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.89.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
protocol=udp
add action=accept chain=forward comment="allow Wireguard traffic" \
src-address=10.180.5.0/24
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid in-interface-list=WAN
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ppp secret
add name=vpn
/system clock
set time-zone-name=America/Toronto
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes multicast=yes use-local-clock=yes
/system ntp client servers
add address=0.north-america.pool.ntp.org
add address=1.north-america.pool.ntp.org
add address=2.north-america.pool.ntp.org
add address=3.north-america.pool.ntp.org
add address=time.google.com
/system routerboard settings
set auto-upgrade=yes
/system watchdog
set automatic-supout=no ping-timeout=5m watch-address=1.1.1.1
/tool graphing interface
add interface=bridge store-on-disk=no
add interface=bridge
add interface=5G
add interface=2.4G
add interface=ether1
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add interface=bridge name=tmon1 traffic=received
 
anav

Re: No WAN access via Wireguard

Wed Aug 23, 2023 7:47 pm

(1) Unless you need this for something, I recommend setting it to NONE.
/interface detect-internet
set detect-interface-list=WAN


(2) Since the Bridge encompasses the ports, the interface list members need only be...
/interface list member
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=bridge list=LAN
add interface=wireguard1 list=LAN


(3) Your Wireguard IP settings are wrong. There is no keep-alive setting in the server; it's only a setting used at the client devices.
I thought you had
/interface wireguard peers
add allowed-address=10.180.5.2/32 interface=wireguard1 endpoint-address=XXXXXX endpoint-port=13231 public-key="..." \
    comment="Android phone"

(4) Your firewall rules are mixed up between the forward chain and the input chain; it is much better to organize them together.

(5) If not using IPv6, then simply disable this altogether; if you are using IPv6, I would leave it as I have no knowledge of it. :-)

(6) Set this to NONE, it is not secure:
/tool mac-server
set allowed-interface-list=LAN


(7) Change your forward chain rules so they are clearer.

{forward chain}
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="WG access" in-interface=wireguard1 out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat { remove or disable if not required }
add action=drop chain=forward comment="drop all else"

++++++++++++++++++++++++++++++++++++++++++

Android Device.
Interface Settings: IP address=10.180.5.2/32
Peer Settings: allowed IPs=0.0.0.0/0 endpoint=mynetname.net endpoint port=13231, persistent-keepalive=35s public key=",,,,"
 
EugeneT
Topic Author

Re: No WAN access via Wireguard

Thu Aug 24, 2023 7:42 am

I've made pretty much all the changes you've suggested. Firewall forward chain rules have been modified and rearranged. Old rules are still there but disabled. However, Internet access via Wireguard is still not working...

Please take a look at the new config below.

Thanks!
# 2023-08-23 23:21:52 by RouterOS 7.11
# software id = HCKX-M4JR
#
# model = RBD53iG-5HacD2HnD
/interface bridge
add admin-mac=18:FD:74:2C:4D:53 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
    band=2ghz-g/n channel-width=20/40mhz-XX country=canada \
    default-authentication=no disabled=no frequency=auto hw-protection-mode=\
    rts-cts hw-protection-threshold=256 mode=ap-bridge name=2.4G ssid=E2500 \
    wireless-protocol=unspecified wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode \
    band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=canada \
    default-authentication=no disabled=no distance=indoors frequency=5220 \
    hw-protection-mode=rts-cts hw-protection-threshold=256 mode=ap-bridge \
    name=5G ssid=E2500-5 wireless-protocol=unspecified wmm-support=enabled \
    wps-mode=disabled
/interface wireless nstreme
set "2.4G" enable-polling=no
set "5G" enable-polling=no
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
    0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
    0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip pool
add name=dhcp ranges=192.168.89.3-192.168.89.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/dude
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=2.4G
add bridge=bridge comment=defconf interface=5G
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface detect-internet
set detect-interface-list=WAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=10.180.5.2/32 comment=S10E endpoint-port=13231 interface=\
    wireguard1 public-key="so65RnZTA4+bM0oQ+oWmqJM1s3c51c5xYejnUm06ZUk="
/ip address
add address=192.168.89.1/24 comment=defconf interface=bridge network=\
    192.168.89.0
add address=10.180.5.1/24 interface=wireguard1 network=10.180.5.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.89.253 client-id=1:54:a0:50:d3:d2:bf mac-address=\
    54:A0:50:D3:D2:BF server=defconf
add address=192.168.89.233 client-id=1:b0:73:9c:81:e6:b7 mac-address=\
    B0:73:9C:81:E6:B7 server=defconf
add address=192.168.89.229 client-id=1:74:4d:28:45:e1:53 mac-address=\
    74:4D:28:45:E1:53 server=defconf
add address=192.168.89.223 client-id=1:d4:ca:6d:cc:5e:8a mac-address=\
    D4:CA:6D:CC:5E:8A server=defconf
add address=192.168.89.237 client-id=1:d4:53:83:df:e3:b mac-address=\
    D4:53:83:DF:E3:0B server=defconf
/ip dhcp-server network
add address=192.168.89.0/24 comment=defconf dns-server=192.168.89.1 gateway=\
    192.168.89.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.89.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add chain=forward comment="WG access" in-interface=wireguard1 \
    out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=forward comment="allow Wireguard traffic" \
    src-address=10.180.5.0/24
add action=drop chain=forward comment="drop all else"
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid in-interface-list=WAN
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
add name=vpn
/system clock
set time-zone-name=America/Toronto
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes multicast=yes use-local-clock=yes
/system ntp client servers
add address=0.north-america.pool.ntp.org
add address=1.north-america.pool.ntp.org
add address=2.north-america.pool.ntp.org
add address=3.north-america.pool.ntp.org
add address=time.google.com
/system routerboard settings
set auto-upgrade=yes
/system watchdog
set automatic-supout=no ping-timeout=5m watch-address=1.1.1.1
/tool graphing interface
add interface=bridge store-on-disk=no
add interface=bridge
add interface=5G
add interface=2.4G
add interface=ether1
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool traffic-monitor
add interface=bridge name=tmon1 traffic=received
 
jvanhambelgium

Re: No WAN access via Wireguard

Thu Aug 24, 2023 8:49 am

logging - logging - logging

Enable logging on any rule that has a "drop" in it, and filter for your endpoint 10.180.5.2/32.
There has to be some trace of a rule that seems to stop your packets from going out.
 
anav

Re: No WAN access via Wireguard

Thu Aug 24, 2023 2:20 pm

You didn't remove the detect-internet list=WAN.
You modified both tool mac-server mac-winbox and tool mac-server when I said to modify just tool mac-server!
Fix those for testing....

++++++++++++++++++++++++++++++++++++
Also Try the following.
Disable the static DNS line you have and add a server
/ip dns static
add address=192.168.89.1 comment=defconf name=router.lan


/ip dns
set allow-remote-requests=yes servers=1.1.1.1

++++++++++++++++++++++++++++++++++++++++++++++++++++

This I do not understand; disable it for now. The fact that you have a VPN range set to the Bridge range??
add name=vpn ranges=192.168.89.2-192.168.89.255

++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I don't get what you are doing; why is there PPP on the bridge LAN??

I suggest you separate the normal bridge LAN and whatever VPN or PPP you are doing, for what reason unknown.
PUT IT on another subnet.
 
EugeneT
Topic Author

Re: No WAN access via Wireguard

Thu Aug 24, 2023 8:16 pm

All done. As for vpn and PPP, I believe the pool gets created automatically when the "vpn" option is checked in the Quick Set panel in Winbox. I didn't set it up manually. Anyway, it's been deleted now.

But, still, no Internet...
 
anav

Re: No WAN access via Wireguard

Thu Aug 24, 2023 9:16 pm

1. Confirm you get a handshake; the input chain rule counter increases by 1.
2. Confirm you can access the router from the Android, for config purposes.
3. Confirm you have a public IP address on the WAN.
 
EugeneT
Topic Author

Re: No WAN access via Wireguard

Thu Aug 24, 2023 11:46 pm

1. Yes, I get a handshake. Not sure what you mean by the input chain rule increase, sorry.
2. Yes, I can access all the devices in the local network. As a matter of fact, all the changes you have suggested were made from the Mikrotik app on Android over the Wireguard tunnel from afar.
3. Yes, the router is connected directly to the cable modem and I have a public IP 135...
 
anav

Re: No WAN access via Wireguard

Fri Aug 25, 2023 2:18 am

I suggest maybe it's something on the Android phone that's preventing Internet access...............???
 
EugeneT
Topic Author

Re: No WAN access via Wireguard

Sat Aug 26, 2023 10:01 pm

Problem solved. All it needed was a working srcnat masquerade rule with the Wireguard subnet. For whatever reason, creating it via the terminal or through the Winbox GUI didn't work, but copying the existing rule and changing the subnet afterward worked just fine. Yet another RouterOS 7 bug, I guess.
 
jvanhambelgium

Re: No WAN access via Wireguard

Sat Aug 26, 2023 11:26 pm

That is why I have such separate masq-rules for anything that needs to go out to the Internet coming from e.g. a Wireguard or ZeroTier "zone".
So at least this gives me logging & counters in case certain things do not work, and it might be easier to "pick up" along the way.
 
anav

Re: No WAN access via Wireguard

Sun Aug 27, 2023 1:21 am

Sorry, but this does not compute.
There is no requirement for a specific or separate sourcenat of wireguard in this situation.
The standard default SourceNAT rule applies just fine! The wireguard traffic will be routed out the wireguard tunnel because the hapac is aware of the subnet and interface.
I do understand the logging of wireguard traffic, but that is optional, not necessary.

For the OP, where it is necessary is often the reverse case: when sending users from the local subnet on the MT out a third-party Wireguard VPN provider, where they only give you one IP address, and thus we sourcenat all wireguard traffic to that IP address.

If you mean coming in on Android and going out the WAN of the Mikrotik, then that is a valid assertion that masquerade needs to be done, as per any user behind the hapac.
Why I am confused is because your config contains the following..

a. add interface=wireguard1 list=LAN { Thus any rules pertaining to LAN also apply to Wireguard incoming users..... }
b. add action=drop chain=input comment="defconf: drop all not coming from LAN" \
   in-interface-list=!LAN
   { Allows wg users to access dns of router }
c. add action=accept chain=forward comment="allow internet traffic" \
   in-interface-list=LAN out-interface-list=WAN
   { allows wg users access to local WAN }

FRIG, NO WONDER. I missed this slight nuance but the reason........ WHY DID YOU DISABLE THIS ?????
d. /ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN

So, the problem was a config error the whole time; sorry I didn't see that............. Another reason why I personally don't like folks that keep disabled rules hanging around.
Clean config means errors are found easily.

++++++++++++++++++
As an aside: if you never got rid of this rule, it's no longer required:
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
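To see concretely why hosts on the bridge reached the Internet while the WireGuard client did not, here is an added Python model written for this page (not code from the thread or from MikroTik) that rejoins a RouterOS export's backslash continuations, parses its rules, and walks one new packet through the forward chain and srcnat. The export excerpt is constructed from the OP's second config; the 192.168.89.50 test host, the egress interface ether1 and the small set of matchers modelled are assumptions of the example.

```python
"""Trace a new outbound packet through a RouterOS export: forward verdict + srcnat."""
import ipaddress
import re

# Constructed excerpt modelled on the OP's second export, not the full config.
BROKEN_EXPORT = r"""
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
"""
# The fix the thread converged on: the default masquerade rule must be enabled.
FIXED_EXPORT = BROKEN_EXPORT.replace("disabled=yes ", "")

PROP_RE = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S*)')
IGNORED = {"action", "chain", "comment", "disabled", "log", "log-prefix", "hw-offload"}
TERMINAL = {"accept", "drop", "reject", "masquerade", "src-nat", "dst-nat"}

def _join_continuations(text):
    """Rejoin lines that an export splits with a trailing backslash."""
    out, buf = [], ""
    for raw in text.splitlines():
        piece = (raw.lstrip() if buf else raw).rstrip()
        if piece.endswith("\\"):
            buf += piece[:-1]
            continue
        out.append(buf + piece)
        buf = ""
    return out

def parse_export(text):
    """Return (section, props) pairs for every add/set line in the export."""
    rules, section = [], None
    for line in _join_continuations(text):
        if line.startswith("/"):
            section = line
        elif line.split(" ", 1)[0] in ("add", "set"):
            rules.append((section, {k: v.strip('"') for k, v in PROP_RE.findall(line)}))
    return rules

def interface_lists(rules):
    """Map each interface list name to its member interfaces."""
    lists = {}
    for section, props in rules:
        if section == "/interface list member":
            lists.setdefault(props["list"], set()).add(props["interface"])
    return lists

def _negatable(val, test):
    """RouterOS matchers take a leading '!' to invert the test."""
    return test(val.lstrip("!")) != val.startswith("!")

MATCHERS = {  # value, packet, lists -> bool; matchers not listed here never match
    "in-interface-list": lambda v, p, l: _negatable(v, lambda n: p["in"] in l.get(n, ())),
    "out-interface-list": lambda v, p, l: _negatable(v, lambda n: p["out"] in l.get(n, ())),
    "src-address": lambda v, p, l: ipaddress.ip_address(p["src"]) in ipaddress.ip_network(v, strict=False),
    "connection-state": lambda v, p, l: p["state"] in v.split(","),
    "ipsec-policy": lambda v, p, l: v.endswith(",none"),  # traced packet is not IPsec
}

def first_terminal(rules, section, chain, pkt, lists):
    """First enabled rule in the chain whose terminal action matches the packet."""
    for sec, props in rules:
        if sec != section or props.get("chain") != chain or props.get("disabled") == "yes":
            continue
        if props.get("action", "accept") not in TERMINAL:
            continue  # fasttrack-connection, log, etc. fall through to the next rule
        if all(MATCHERS.get(k, lambda v, p, l: False)(v, pkt, lists)
               for k, v in props.items() if k not in IGNORED):
            return props
    return None

def audit(export, src, in_iface, out_iface="ether1"):
    """Verdict for a new packet from src, arriving on in_iface, leaving on out_iface."""
    rules = parse_export(export)
    lists = interface_lists(rules)
    pkt = {"src": src, "in": in_iface, "out": out_iface, "state": "new"}
    fwd = first_terminal(rules, "/ip firewall filter", "forward", pkt, lists)
    nat = first_terminal(rules, "/ip firewall nat", "srcnat", pkt, lists)
    return {"forward": fwd.get("action", "accept") if fwd else "accept",
            "forward_rule": fwd.get("comment") if fwd else None,
            "masqueraded": bool(nat and nat.get("action") in ("masquerade", "src-nat")),
            "nat_rule": nat.get("comment") if nat else None}
```

Calling `audit(BROKEN_EXPORT, "10.180.5.2", "wireguard1")` shows the forward chain accepting the packet while no srcnat rule matches it, whereas `audit(FIXED_EXPORT, ...)` reports "defconf: masquerade"; a bridge host hits "masq. vpn traffic" either way, which is why only the tunnel client was broken.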
 
EugeneT
Topic Author

Re: No WAN access via Wireguard

Sun Aug 27, 2023 1:53 am

I did not disable anything other than what you had suggested. This is part of the defconf (yes, I know it's bad practice not to erase everything and start from scratch), so it is disabled by default. The new RouterOS v7.12 B3 doesn't even have this rule at all.

Thank you very much for your effort though!
 
anav

Re: No WAN access via Wireguard

Sun Aug 27, 2023 4:06 am

Yup, the main thing is it's fixed now and working?
I have never had a sourcenat rule disabled by default??
In any case, something to watch out for down the line.
 
zBear

Re: No WAN access via Wireguard

Sat Mar 02, 2024 11:41 pm

All it needed is a working srcnat masquerade rule with the Wireguard subnet

Nobody mentions this option, but for me it was the one that was missing.
I was going crazy trying to solve the same problem.
Thank you for sharing the solution!
