Hello everyone, I’m not sure if I’m in the correct topic, but I have a big problem. I’ve configured my WireGuard server on a FRITZ!Box and everything works fine with OpenWrt and WireGuard clients on mobile devices. However, when I use the WireGuard client on MikroTik, the traffic doesn’t navigate properly. The persistent keep alive is set to 25, but the traffic is only in bytes. From the FRITZ!Box side, it recognizes that the site-to-site is available, but the traffic doesn’t reach the destination server IPs from the client. Besides the configuration, I’m unsure what else needs to be imported.
[Interface]
[Peer]
anav
May 6, 2024, 4:06pm
2
We need to see the MT config and also understand how the users on the MT if any are being directed out the tunnel and why?
ROUTER WIREGUARD SERVER FRIZBOX
[Interface]
[Peer]
MIKROTIK CLIENT
[Peer]
I don’t have any settings in the MikroTik firewall on my side. Can you help me better because I’m a bit inexperienced, and my friend and I are trying?
anav
May 6, 2024, 5:53pm
4
The problem is not MT centric its more like you dont understand how to setup WG period.
ROUTER WIREGUARD SERVER FRIZBOX
[Interface]
[Peer]AllowedIPs = 10.3.1.2/32,192.168.1.0/24
keep alive not required on server settings for peer.
[Interface]10.3.1.2/24
[Peer]u8bi1w0j8k3x2061.myfritz.net:59162
Hello dear, the problem is not on the server side of the WireGuard server Fritzbox, as it works on OpenWRT. The problem is only on the client side of MikroTik; the connection is established on MikroTik but it does not assign IPs. The problem is not on the server side; the modem configures itself automatically and generates by itself. And the Fritzbox server works.
The problem is only on the MikroTik client side; what can be done about it?
Thanks for response
anav
May 6, 2024, 10:01pm
6
Without seeing the complete config, hard to say
But can I send you only MikroTik side?
mt.conf client wireguard mikrotik
/interface bridgeendpoint-address=4561w0j8k3x2061.myfritz.net #error exporting "/tool/sms"
anav
May 7, 2024, 5:01pm
10
(1) Pre-shared key is not required, and is not normally used, so for troubleshooting purposes remove for now.
/interface wireguard peersendpoint-address=x2061.myfritz.net preshared-key=“=” public-key=
(2) IF you dont identify the subnet users on the fritz and give them a route on the MT, then you need to sourcenat them out the MT
/ip firewall natt out-interface-list=WAN add action=masquerade chain=srcnat out-interface=wireguard1
++++++++++++++++
Before can advise further can you confirm the entire subnet needs to be pushed out wireguard tunnel to fritz??
I’ve set up the firewalls as you instructed, but I still can’t reach the Frizbox IP when I ping it. I even removed the shared key, leaving it public, but nothing changes. When I ping 10.3.1.1, it shows a timeout error from the mentioned device, which is the Mikrotik client.
P. S. Is it important to assign an IP to WireGuard, or is it okay without?
anav
May 7, 2024, 7:06pm
12
Yes, this is necessary.add address=192.168.1.5 interface=wireguard1 network=192.168.1.0
The issue is the question I posed which you didnt answer.
Also can you confirm you have remote users hitting the fritz and needing then access to the MT router??
anav
May 7, 2024, 7:59pm
14
Post your latest config with changes included please.
I've done the setup wizard Frizbox for only one device, which is a router. The server sees it on Frizbox, the bytes TX and RX pass through Frizbox, and it shows as online from the photo, but it's on the client side that it doesn't enter connection. I also removed the pre shared key but the situation does not change
this is config:
/interface bridgeendpoint-address=example.myfritz.net #error exporting "/tool/sms"
anav
May 7, 2024, 10:11pm
16
The IP address is incorrectadd address=192.168.1.5 interface=wireguard1 network=192.168.1.0 add address=192.168.1.5**/24** interface=wireguard1 network=192.168.1.0
Remove this static DNS setting/ip dns static
The most important question has no been answered yet.
What should be the acction if the wireguard goes down, no internet for those folks???
The IP address is incorrectadd address=192.168.1.5 interface=wireguard1 network=192.168.1.0 add address=192.168.1.5**/24** interface=wireguard1 network=192.168.1.0
Remove this static DNS setting/ip dns static
The most important question has no been answered yet.
What should be the acction if the wireguard goes down, no internet for those folks???
I would like the internet on the microtik side to work and that wireguard communicates with the IPs of the frizbox class network.
The IP address is incorrectadd address=192.168.1.5 interface=wireguard1 network=192.168.1.0 add address=192.168.1.5**/24** interface=wireguard1 network=192.168.1.0
Remove this static DNS setting/ip dns static
The most important question has no been answered yet.
What should be the acction if the wireguard goes down, no internet for those folks???
Thank you solved problem… Thanks Thanks Thanks friends solved
Older answer
Thanks for responde.
anav
May 8, 2024, 11:19am
20
What are the subnets on the fritz that the users on your local MT devices need to visit??
They need to be accounted for on both allowed IPs and IP routes. Since you have 0.0.0.0/0 set as allowed IPs, which covers both the case of internet and subnets, you dont really need to adjust allowed IPs. Since your routing for internet remains local, users will not go out internet of Fritz but could later if you decided.
So all you need is to add IP routes for the remote subnets/ip routeadd dst-address=Subnet1-Fritz gateway=wireguard1 routing-table=main
Typically the allowed IPs, for lan traffic only ( no intention of internet at remote site) would beallowed-addresses=192.168.1.0/24,Subnet1-Fritz,Subnet2-Fritz