Can a Single WireGuard Interface on MikroTik Handle multi Peers Concurrently?

Hello everyone,

My questions are:

  1. Can MikroTik handle multiple peers connecting at the same time through one WireGuard interface and a single UDP port?
  2. Are there any limitations or performance considerations I should be aware of when scaling like this?
  3. Is it better to create multiple WireGuard interfaces or keep everything under one for efficiency and simplicity?

Thanks in advance.

  1. Absolutely. Same as on Linux.
  2. There is no difference in terms of performance. Having many peers is cheap; it’s total traffic that matters.
  3. This one is trickier. If the clients are alike, then usually a single interface is used. When there are special considerations like the clients having addresses allocated from different subnets, require different routing considerations, are members of different VRFs, etc. creating more than one interface may be appropriate.

EDIT: In terms of no. 3, your diagram shows the simple one interface case.


Security-wise, multiple interfaces might be better, but that would be more from an efficiency point of view. In the firewall you can do what you want with interface or peer. Same with routing. Usually alike connections go on the same itf.

Performance-wise it doesn’t matter that much.
As long as your central hub has enough processing power to handle the load, you should be fine.

I have a couple of setups carrying multiple active peers (mostly management control and EOIP tunnels to allow RoMON). Even multiple interfaces.
Each time a central server allowing connections on a single UDP port per interface.


I created two tunnels. The first one is working normally with internet access. The second one only shows received packets, but no packets are being transmitted.
Here is my config for both tunnels.

*Both peers use the same port*

First one

[Interface]
PrivateKey =
Address = 172.44.0.6/24
DNS = 1.1.1.1
MTU = 1420
[Peer]
PublicKey = 
AllowedIPs = 0.0.0.0/0
Endpoint = x.x.x.x:50.x.x.x
PersistentKeepalive = 15

The second one

[Interface]
PrivateKey =
Address = 172.44.0.4/24
DNS = 1.1.1.1
MTU = 1420

[Peer]
PublicKey =
AllowedIPs = 0.0.0.0/0
Endpoint = x.x.x.x:50.x.x.x
PersistentKeepalive = 15

It goes without saying that you shouldn’t share keys, especially the private sides. Regenerate them once your config is working correctly.

I have no idea what this means:
Endpoint = x.x.x.x:50.x.x.x

Other than that, the fact that you are receiving packets correctly usually means that the Mikrotik-side config is incorrect. Show it; without that I can only guess as to what exactly is wrong, but the usual one is misconfiguration of the allowed-ips field. For the first peer it should be 172.144.0.6/32, for the second 172.44.0.4/32.

Hello @lurker888.
I removed them…Thank you.
So, I encountered the following problem:
First, I created a WireGuard tunnel with only one peer, and the connection worked well.
Then, when I added another peer to the same interface, the connection stopped working.

It seems that the connection only works for one peer at a time.
Is there anything I need to enable or configure to make the connection work for both peers?

Here is the config for both peers and the interface.
The first peer:

The second one is on my mobile phone and has the allowed IP
172.20.0.3/24

From the MikroTik side it's:

so one interface on Mikrotik with two peers.

When I disable the second peer on MikroTik, the first peer works well, like the first time before I added the second one.

Provide export from wireguard part of your config.
Make sure to remove/obfuscate private keys and public wan ip.

Make sure on Mikrotik side the peers are configured on allowed ip with /32 as indicated above.

From the MikroTik side,
here is the first peer

and here is the next one

/24 is NOT /32

@jaclaz
the main Wireguard interface IP address is
172.20.0.1/24
the two peers are
172.20.0.2/24
172.20.0.3/24
Is there a problem with this subnet?

Since BOTH Lurker888 and Holvoeth told you explicitly to use a /32 for those peers addresses, I would start suspecting that using a /32 is needed.

Basically:
172.20.0.2/24 means ANY IP address in range 172.20.0.0-172.20.0.255
172.20.0.3/24 means ANY IP address in range 172.20.0.0-172.20.0.255

Whilst:
172.20.0.2/32 means ONLY IP 172.20.0.2
172.20.0.3/32 means ONLY IP 172.20.0.3

Exactly.

Look at it from another way…
If you put /24, you allow the complete subnet.
How does the server (term used for ease of explanation) know then where to send a packet to?
With /32 there is no confusion. It’s that address and nothing else.

On peer side, you can use /24 since everything from that subnet has to go into the tunnel.

So, on the MikroTik side, in IP → Addresses, I should assign the WireGuard interface an IP like 172.20.0.1/32, right?
Then for the peers (also on the MikroTik), I should set the allowed addresses as:

  • 172.20.0.2/32 for the first peer
  • 172.20.0.3/32 for the second peer

On the client side (outside the router), do I also set their IPs as /32 like 172.20.0.2/32 and 172.20.0.3/32, or can I use something like /24 instead?

No.
IP address on interface needs to be /24.
Everything your router sees for that subnet, needs to go to that interface.

For peers they need to be /32 so there is no misunderstanding which traffic needs to go to which peer.

On client side they can be kept as /24. There is no possibility for confusion there.
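As an added illustration of the /24 versus /32 point made above (example code, not posted by anyone in this thread), the following Python model of WireGuard's per-interface allowed-address table shows why two peers both given a /24 cannot coexist: the prefix is stored normalised, so both peers claim 172.20.0.0/24 and the later one silently takes it from the earlier one, leaving the first peer with no route at all. The peer names and addresses are constructed to match the thread.

```python
"""Model of WireGuard's cryptokey routing table (added example, not from the
thread). Each allowed-address prefix on an interface belongs to exactly one
peer: adding a prefix to a later peer takes it away from the earlier one,
which is what happens when two peers are both configured with x.y.z.w/24."""
import ipaddress


class CryptokeyTable:
    def __init__(self):
        # prefix -> peer name; a given prefix can only ever map to one peer
        self.table = {}

    def add_peer(self, name, allowed_addresses):
        for a in allowed_addresses:
            # strict=False normalises 172.20.0.2/24 to 172.20.0.0/24,
            # which is how the router stores the allowed-address
            net = ipaddress.ip_network(a, strict=False)
            self.table[net] = name   # silently reassigns it from any earlier peer

    def peers_with_routes(self):
        """Peers that still own at least one prefix."""
        return sorted(set(self.table.values()))

    def route(self, dst):
        """Outbound: longest prefix match picks the peer to encrypt to."""
        ip = ipaddress.ip_address(dst)
        best = max((n for n in self.table if ip in n),
                   key=lambda n: n.prefixlen, default=None)
        return self.table[best] if best else None

    def accept_inbound(self, peer, src):
        """Inbound: after decryption the inner source address must belong to
        the sending peer's allowed-addresses, otherwise the packet is dropped."""
        return self.route(src) == peer


def demo():
    # Constructed tables: the misconfiguration from the thread and the fix.
    bad = CryptokeyTable()
    bad.add_peer("peer1", ["172.20.0.2/24"])
    bad.add_peer("peer2", ["172.20.0.3/24"])
    good = CryptokeyTable()
    good.add_peer("peer1", ["172.20.0.2/32"])
    good.add_peer("peer2", ["172.20.0.3/32"])
    return bad, good


if __name__ == "__main__":
    bad, good = demo()
    print("with /24:", bad.peers_with_routes(), bad.route("172.20.0.2"))
    print("with /32:", good.route("172.20.0.2"), good.route("172.20.0.3"))
```

With the /24 table only peer2 owns a prefix, so traffic for 172.20.0.2 is sent to the wrong peer and replies from peer1 fail the inbound check; with /32 each address maps to its own peer.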

I tried as you mentioned; still one of them works but the other doesn’t.
WireGuard interface IP /24
Both peers in the router /32
Both peers outside the router /24
One of them works like normal but the other does not.

I will try on another newly created Wireguard interface and give you the output.

Please provide export of complete config.

From terminal
/ export file=anynameyouwish
Move file to your pc
Obfuscate sensitive parts and post back between code quotes for easier readability.
Make sure it’s clear to us when you change things that something is there, and use that same translation where it appears again.

Here it is.
mt.rsc (7.1 KB)

Not necessarily connected or related to the Wireguard issue, so JFYI, but:

set detect-interface-list=WAN internet-interface-list=all lan-interface-list=\
    all wan-interface-list=all

is (blatantly :open_mouth: ) breaking Rule #5:

With all due respect …

You don’t have a working setup and you came here to ask for help.
Then why do you leave out parts which are important for us to see where the problem might be?

Where is the interface definition for wireguard?
As I asked, how are we supposed to know which keys are used on which peer if you simply blank them out? How do we know what is what?

And please post config between code quotes. I even had to install a text editor on my tablet for opening that file.
If it was, as asked, between code quotes, I could immediately see it in the post.

/interface wireguard peers

add allowed-address=172.20.0.2/32 interface="WG5-Michel"     public-key=
add allowed-address=172.20.0.3/32 interface="WG5-Michel"     public-key=

Care to try again?

Hello my friend @holvoetn.
All due respect for your support, I truly appreciate every comment from you and from others.
Here is my full configuration:

/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=47888 mtu=1420 name="WG5-Michel"

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/ip pool
add name=dhcp_pool1 ranges=10.10.10.100-10.10.10.200

/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge lease-time=2h name=dhcp1
/port
set 0 name=serial0
/system logging action
set 0 memory-lines=5000
set 1 disk-lines-per-file=5000
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=all lan-interface-list=\
    all wan-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

/interface wireguard peers

add allowed-address=172.20.0.2/32 interface="WG5-Michel"     public-key=8ZQrIDt9mAysCBWnXmeR0cao4QcMSKPkkHviJ7di5gM=
add allowed-address=172.20.0.3/32 interface="WG5-Michel"     public-key=iectDG6ufBzyPhYmzErbkYuCSTPXQ07Sd0MN8dFs/hg=
/ip address
add address=10.10.10.1/24 comment=LAN interface=bridge network=10.10.10.0
add address=172.20.0.1/24  interface="WG5-Michel" \
    network=172.20.0.0

/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf dns-server=10.10.10.1 gateway=\
    10.10.10.1
add address=10.10.10.0/24 dns-server=10.10.10.1 gateway=10.10.10.1

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A

/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=\
    xx888    protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set sip disabled=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.15.1 routing-table=main \
    suppress-hw-offload=no
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6

/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN