badger
just joined
Topic Author
Posts: 1
Joined: Mon Mar 18, 2024 9:16 pm

WireGuard handshake is successful but client is unable to access internet

Tue Mar 19, 2024 1:59 am

Hello!

This is my first forum post and first MikroTik product (I tried submitting a similar post a little while ago, however it looks like it never posted). I recently purchased a hAP ax2 and connected it directly to my ISP-provided router/modem combo. I got it up and running using the default Access Point configuration, and was able to set up WireGuard. I was able to connect to the WireGuard VPN using my phone on a cellular connection and browse the internet. I then realized I wasn't able to access local devices that were connected to my ISP-provided router (I believe this was due to the fact the ax2 was giving out IPs on a different subnet). I then configured my ax2 as a bridge. When directly connecting to my ax2 through the 5G WIFI interface I correctly get an IP from my ISP-provided router, and I am able to see my local devices and browse the internet. However, when I connect using the WireGuard VPN, I am unable to access the internet. Does anyone have an idea as to what could be wrong?

(I apologize for my messy config, I want to get everything working then trim it down to the necessities)

hAP ax2 config:
# 2024-03-18 19:38:06 by RouterOS 7.12.2
# model = C52iG-5HaxD2HaxD
/interface bridge
add admin-mac=XXXXXXXX auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.mode=ap .ssid="Mikro5g" \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-E74BB0 \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=10.0.1.10-10.0.1.254
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge lease-time=8h \
    name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge comment=defconf interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=LAN internet-interface-list=LAN lan-interface-list=\
    LAN wan-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=LAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard1 public-key=\
    "XXXXXXXXXXXXXXXXXXXXX"
/ip address
add address=10.0.1.0/24 comment=defconf interface=bridge network=10.0.1.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.0.1.0/24 comment=defconf dns-server=10.0.1.1 gateway=10.0.1.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.1.1 comment=defconf disabled=yes name=router.lan
/ip firewall filter
add action=accept chain=input comment="Allow wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="Allow wiregurad traffic" src-address=\
    192.168.100.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=3389 in-interface=\
    all-ethernet protocol=tcp to-addresses=10.0.0.0/24 to-ports=3389
add action=dst-nat chain=dstnat disabled=yes dst-port=3389 in-interface=\
    all-wireless protocol=tcp to-addresses=10.0.0.0/24 to-ports=3389
add action=dst-nat chain=dstnat disabled=yes dst-port=3389 in-interface=\
    bridge protocol=tcp to-addresses=10.0.0.0/24 to-ports=3389
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/New_York
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


WireGuard client config (the IP and keys should be correct as I was able to connect when I had the ax2 set up in AP mode):
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxx
Address = 192.168.100.2/32
DNS = 192.168.100.1

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxx
AllowedIPs = 0.0.0.0/0
Endpoint = xxxxxxxxxxxxxxxxxx
 
rplant
Member
Posts: 314
Joined: Fri Sep 29, 2017 11:42 am

Re: WireGuard handshake is successful but client is unable to access internet

Tue Mar 19, 2024 6:24 am

I think adding a masquerade rule to the bridge for traffic from the WireGuard interface is needed.
/ip firewall nat
add action=masquerade chain=srcnat comment="wireguard: masquerade" \
    out-interface=bridge src-address=192.168.100.0/24
 
 
anav
Forum Guru
Posts: 19403
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard handshake is successful but client is unable to access internet

Tue Mar 19, 2024 2:18 pm

NEGATIVE, that is not required in the least!!!
Most times source NAT is required if going out a third-party VPN where they only accept one IP at their end!!!

(1) set this to NONE, known to cause issues
/interface detect-internet
set detect-interface-list=NONE


(2) You have RED entries, which is not a good sign and points to a misconfiguration........

/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!

SUGGEST you failed to take the WAN port off the bridge, maybe ether1????

(3) Is your dhcp-server disabled on purpose?
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge lease-time=8h \
    name=defconf


(4) You can put your WireGuard rules in the input chain after the loopback rule in the order........... not essential but recommended.

(5) Since you are doing port forwarding, suggest you take this default rule and make it better --> clearer and more secure! With three rules!
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN


add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"


(6) It would appear you are trying to port forward 3389, which is RDP??
RDP is not a secure method for you to be hosting.
Suggest you access the router remotely via WireGuard and then use RDP to reach a specific server, thus eliminating port forwarding of an insecure protocol.
Just a heads up: the TO address means a server, NOT a subnet...... 10.0.0.0/24 is plain wrong!
Additionally, the format for port forwarding is typically in-interface-list=WAN (dynamic WAN IP) or dst-address=actualWANIP (static WAN IP).

(7) If not using IPv6, DISABLE it and remove all firewall rules and associated lists.
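The changes anav lists, carried through on the posted export as one set of RouterOS commands. This is an added example, not anav's or the thread author's configuration, for the case where the hAP ax2 routes its own 10.0.1.0/24 LAN behind the ISP box with ether1 as the WAN port. The bridge address 10.0.1.1/24 follows from the defconf DHCP network (which already names 10.0.1.1 as gateway and DNS); the `place-before` targets and the extra forward rule for tunnel clients are additions that are not in anav's post.

```routeros
# Added example, not code from the thread: anav's points (1) to (7) applied
# to the posted export, hAP ax2 as the router of its own 10.0.1.0/24 LAN,
# ether1 facing the ISP box. Addresses are assumptions from the defconf
# DHCP network in the export.

# (1) detect-internet is known to cause trouble; point it at no interfaces
/interface detect-internet
set detect-interface-list=none

# (2) the red DHCP-client entry: ether1 cannot be a bridge port and a DHCP
#     client at once, so take it off the bridge and put it in the WAN list
/interface bridge port
remove [find interface=ether1]
/interface list member
remove [find interface=ether1]
add interface=ether1 list=WAN comment=defconf
# the bridge needs a host address, not the network address 10.0.1.0/24
/ip address
set [find interface=bridge] address=10.0.1.1/24

# (3) a routed LAN needs its DHCP server enabled
/ip dhcp-server
set defconf disabled=no

# (4) WireGuard input rules after the loopback rule: drop the two rules at
#     the top of the chain and re-add them before the first forward rule
/ip firewall filter
remove [find comment="Allow wireguard"]
remove [find comment="Allow wiregurad traffic"]
add action=accept chain=input comment="wireguard handshake" dst-port=13231 \
    protocol=udp place-before=[find comment="defconf: accept in ipsec policy"]
add action=accept chain=input comment="wireguard clients to router" \
    in-interface=wireguard1 \
    place-before=[find comment="defconf: accept in ipsec policy"]

# (5) replace "drop all from WAN not DSTNATed" with explicit accepts and a
#     final drop. The "wireguard clients to LAN" rule is one more than
#     anav's three: without it "drop all else" would also drop tunnel
#     clients reaching LAN hosts (wireguard1 -> bridge is LAN -> LAN, not
#     LAN -> WAN)
remove [find comment="defconf: drop all from WAN not DSTNATed"]
add action=accept chain=forward comment="internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="wireguard clients to LAN" \
    in-interface=wireguard1 out-interface=bridge
add action=drop chain=forward comment="drop all else"

# (6) reach RDP over the tunnel instead of exposing 3389: delete the
#     dst-nat rules (a /24 is not a valid to-addresses target anyway)
/ip firewall nat
remove [find dst-port=3389]

# (7) IPv6 not in use: switch it off and clear its rules and lists
/ipv6 settings
set disable-ipv6=yes
/ipv6 firewall filter
remove [find]
/ipv6 firewall address-list
remove [find]
```

With ether1 in the WAN list, the existing defconf masquerade rule starts doing its job, the DHCP client on ether1 picks up an address from the ISP router, and the WireGuard client reaches the internet through that NAT and LAN hosts through the "wireguard clients to LAN" rule; the LAN hosts still cannot open connections towards the tunnel client, which is the "drop all else" posture anav is after.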
 
rplant
Member
Posts: 314
Joined: Fri Sep 29, 2017 11:42 am

Re: WireGuard handshake is successful but client is unable to access internet

Fri Mar 22, 2024 11:25 am

Hi,

The following applies only if you are running the MikroTik as a bridge device inside your ISP router's LAN, acting as a WireGuard server for remote clients (and possibly not doing much else).

Note: many of anav's comments still apply.

(If you are doing something else, please ignore all this)

1. Give the MikroTik a fixed IP address within your ISP router's LAN address range.
The following from your config is an invalid address.

** This from your provided config is invalid **
/ip address
add address=10.0.1.0/24 comment=defconf interface=bridge network=10.0.1.0
****

Assuming the IP range is 10.0.1.0/24, perhaps give it 10.0.1.3/24 (allowing your ISP router to be on 10.0.1.1).
In the ISP router, port forward 13231 to the IP address of the MikroTik.

Test the following, and make it work.
Connect to the MikroTik via WireGuard, and ping 192.168.100.1 from your phone.
(If not answering, check the WireGuard tx, rx and last handshake values.)


Next:
You have at least a couple of options here.

1. You NAT the unencrypted traffic coming from the WireGuard client into the local LAN (and to the internet beyond as required), because nothing else in your network will know what to do with a 192.168.100.2 IP address.

Good if you only want your WireGuard clients to have visibility into the LAN, but the LAN not to have visibility into your WireGuard clients.

2. You rejig the LAN and WireGuard address assignments so they are compatible with each other. (LAN usually stays the same.)

I tend to use this option.
Devices on the LAN and WireGuard can connect to each other (firewall rules on devices permitting).

If you don't have a lot of devices on the LAN and only a few WireGuard clients, I would carve out a /27 range (30 odd devices).

e.g. using the LAN range 10.0.1.0/24:
Assign 10.0.1.192/27 for WireGuard (10.0.1.192 to 10.0.223).
Assign 10.0.1.193/27 to the MikroTik WireGuard interface.
Give 10.0.1.194/24 to your first WireGuard client (and set the allowed address on the MikroTik).
   /ip address
   add address=10.0.1.193/27 comment=wireguard interface=wireguard1 network=10.0.1.192

* Also need to rejig the WireGuard peer, not shown *

Reconfigure your ISP router's DHCP server to not hand out IP addresses in this range.
Move any statically assigned devices in this range.

Then (this bit makes it work) enable proxy ARP on the bridge interface of the MikroTik.
   /interface bridge
   set bridge arp=proxy-arp
You should now be able to ping your ISP router from your phone connected via WireGuard.
(Make sure you are not using Wi-Fi on your phone, but rather 4G etc.)


When any device (including the ISP router) on the LAN wants to connect to a WireGuard device, say 10.0.1.194, it will ARP for the MAC address of this device. The MikroTik will respond to the ARP and give its IP address.

The device sends the packet to the MikroTik's MAC address, and the MikroTik routes it to 10.0.1.194. And similarly for traffic in the other direction.

3. Another option might be to use some form of 1:1 NAT, e.g. NetMap.
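rplant's option 2, carried through on the posted export as RouterOS commands. This is an added example, not rplant's or the thread author's configuration; it assumes the ISP router is 10.0.1.1 and also answers DNS, that the MikroTik takes 10.0.1.3/24 on the bridge, and that the existing peer keeps its key while its allowed address moves from 192.168.100.2/32 to 10.0.1.194/32 (the peer change rplant left out):

```routeros
# Added example, not code from the thread: hAP ax2 left as a bridge device
# inside the ISP router's 10.0.1.0/24 LAN, with 10.0.1.192/27 reserved for
# WireGuard clients. Assumed (not in the thread): ISP router 10.0.1.1 is
# gateway and DNS, the MikroTik is 10.0.1.3, the peer keeps its key.

# 1. one real host address on the bridge instead of the network address
#    (10.0.1.0/24 cannot work), and no DHCP client on a bridge port
/ip dhcp-client
remove [find interface=ether1]
/ip address
set [find interface=bridge] address=10.0.1.3/24
# with a static address the router needs its own default route and resolver
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.1.1 comment="via ISP router"
/ip dns
set servers=10.0.1.1 allow-remote-requests=yes

# 2. move WireGuard from 192.168.100.0/24 into the carved-out /27; the /27
#    is a longer prefix than the bridge's /24, so 10.0.1.194 is routed into
#    wireguard1 and the peer's allowed-address accepts it
/ip address
set [find interface=wireguard1] address=10.0.1.193/27
/interface wireguard peers
set [find interface=wireguard1] allowed-address=10.0.1.194/32 \
    comment="phone, public key unchanged"
# the input rule that admitted 192.168.100.0/24 has to follow the move
/ip firewall filter
set [find src-address=192.168.100.0/24] src-address=10.0.1.192/27

# 3. the bit that makes it work: answer LAN-side ARP for the /27 on behalf
#    of the tunnel clients, so the ISP router and LAN hosts address the
#    MikroTik's MAC and it routes those frames into wireguard1
/interface bridge
set bridge arp=proxy-arp
```

On the phone the [Interface] Address becomes 10.0.1.194/32 and DNS 10.0.1.193 (AllowedIPs stays 0.0.0.0/0); the ISP router still needs the UDP 13231 forward to 10.0.1.3 and its DHCP pool must exclude 10.0.1.192 through 10.0.1.223. No masquerade is involved: the tunnel client keeps its real address on the LAN, the ISP router's ARP for it is answered by the MikroTik's proxy-arp, and the ISP router NATs it to the internet like any other LAN host, which is what makes rplant's "ping your ISP router from your phone" test meaningful.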
