Cannot connect Wireguard endpoint via IPv4 (IPv6 works)

Anime4000 · June 13, 2022, 4:32pm

Hi,
I have RB5009 and RB3011, I have successfully create a connection between router using Wireguard over IPv6
Wireguard over IPv6.png
However, I trying to connect over IPv4, both router attempt to connect but not connecting…
I have set IPv4 Firewall Filter (input, accept, dst port: 13231/udp)

How to make it work? Do I need to disable FastPath/NAT Acceleration?

Znevna · June 13, 2022, 5:45pm

I don’t understand the problem.
In the screenshot provided you have IPv6 endpoints and trying to make IPv4 traffic inside wireguard?
And what does not work? IPv4 endpoints?

Anime4000 · June 14, 2022, 1:00pm

Yes, IPv4 endpoint doesn’t work.

rextended · June 14, 2022, 1:04pm

Is between two local devices or between two remote devices?
Check if your IPv4 is not a private class and is NATted from ISP, and on that case, you can not do nothing, except ask your ISP.

Anime4000 · June 14, 2022, 5:45pm

Both site having Public IPv4

Site: A, RB5009
ISP: Maxis
GPON Fiber, 500/100Mbps
121.121.202.184

Site: B, RB3011
ISP: TIME
GPON Fiber, 500/500Mbps
202.185.168.118

Torch:

Site A to Site B, No Handshake:

… if I use IPv6 can connect, when I change IPv4 endpoint - never connect

holvoetn · June 14, 2022, 6:01pm

/export hide-sensitive file=whatever
For both sides.

Review for sensitive info before posting between code quotes.

Znevna · June 14, 2022, 6:03pm

Firewall? try another port? ¯_(ツ)_/¯
And please edit your public IPs, serial numbers and DDNS hosts.

Anime4000 · June 14, 2022, 6:11pm

I tried different port (27015/half-life) just to make sure ISP not filter it… didn’t work
I have remove S/N, IP Address I have is dynamic, change every 14 days

I have attached and remove sensitive data
a.log.rsc (13.5 KB)
b.log.rsc (12.1 KB)

holvoetn · June 14, 2022, 6:26pm

What interface should ip4 traffic arrive on the router ?
It’s not clear to me what interface pppoe-out1 should be … and that’s the one accepting WG in your ip4 firewall rules.

On b-router there is no itf specified, so all accepted.
On a-router it’s pppoe-out1.

PS remove sensitive info from exports. Serial number, pppoe-account names, public key (useless without private key, I know, but no need to test the waters …)

EDIT:
I see … sfp, then vlan, then pppoe-out1

Anime4000 · June 14, 2022, 6:33pm

both site is “pppoe-out1”
either I add “in interface” or not, both mikrotik wont connect

however, I have tested between remote PC wireguard to mikrotik wireguard
Remote PC A to Site A WG = Connected
Remote PC B to Site B WG = Connected

both are connected… Mikrotik A WG cannot connect IPv4 endpoint to Mikrotik B WG or vice-versa (A>B, B>A)
torch wg.png
Torch showing both is trying to connect, same issue with different port…

.

deleted old one

.

Yes, both site using GPON ONU SFP

…
if IPv6 endpoints can connect both mikrotik, it seem IPv4 FastTrack causing this issue

holvoetn · June 14, 2022, 6:43pm

Disable FastTrack.
It doesn’t work with WG.
Once you know it works, the rule can be refined.

Anime4000 · June 14, 2022, 6:48pm

Alright, I disable FastTrack on both site, I’ll let you know the results

Anime4000 · June 17, 2022, 10:06am

After run several test… Wireguard works when FastTrack/NAT Acceleration disabled!