How to access local LAN behind second Mikrotik router using WireGuard?

Hi,

I have successfully configured WireGuard on the first router and I am able to access the router's web config site. However, when I try to connect to my local LAN, I am not able to get access. I tried different configurations on both the 1st and second router but without success. Hope someone can advise how to get it working.

Architecture:

WWW → Router 1 (Latest RouterOS on VM - public IP: 12.34.56.789; Private IP: 10.210.0.1) ←-- [VPN Tunnel pptp-out1] --→ Router 2 (Latest RouterOS on RB4011iGS+ - IP: 192.168.50.1) → Local LAN (different networks, main has IP: 192.168.50.xxx)

Situation:

Trying to access the local LAN (192.168.50.xxx) is not working; I get a timeout. I am able to access Router 1 on 10.210.0.1 through WWW and the WireGuard connection on the Mac.

Configuration files attached:

Configuration Router 1
Configuration Router 2
Configuration WireGuard MacOs

Thanks so much for having a look. Enjoy your day!

Kind regards,

Hi,

Has anyone some suggestions on the correct rules to add?

Really appreciated as I am currently stuck.

Have a nice weekend.

Hopefully will get time tomorrow to look

Thanks so much for taking the time. Looking forward to your response. :smiley:

Have a lovely weekend.

R1 Server for handshake

  1. Why are you using PPTP???

  2. Missing your local subnet on IP address ??
    /ip address
    add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
    ???
    /ip dhcp-client
    add !dhcp-options interface=ether1

  3. What is the purpose of this rule…
    More to the point, you have a config mostly CONSUMED by different VPNs (I would get rid of all except wireguard and perhaps keep sstp as backup).
    So why do you allow what looks like a public IP direct access to the router??
    add address=92.60.203.156/30 list=MGMT-Allow

I am not sure what these are, but they may be a problem as well!!
add address=management-jaap.odin-ict.nl list=MGMT-Allow
add address=management-bryan.odin-ict.nl list=MGMT-Allow

  4. Firewall rules are very hard to read; much better to put the input chain rules together and the forward chain rules together…

  5. I would firewall totally differently, but to enable wg to lan, perhaps stick in an explicit rule??
    add action=accept chain=forward comment="Allow WireGuard Traffic" src-address=192.168.100.0/24

R2 Client Router for Handshake

No wireguard settings… ???

Thanks for looking into this!

I will have to study your comments as this setup was made by someone else and I need to understand this better as well.

I had just noticed that there was something wrong with the routing after the upgrade to OS7 last week, so I decided to restore a backup in case something was changed during the upgrade. After this I suddenly had access to my internal LAN, which of course surprised me.

The different VPNs are tunnels that are used to communicate between the two routers and also to the individual managing the first router, plus some fallback VPNs as well. We have not updated to a WireGuard setup as the guy helping had not yet been able to implement it successfully in the past for other things and he is too busy to investigate more, so this is the reason it was not done and the reason I am trying to work on it now. :slight_smile:

If I am not mistaken you are very knowledgeable with setting up and configuring Mikrotik routers. Would you be interested in helping me change over all the configuration to wireguard? I would be happy to compensate you for your time.

Kind regards,

If it's two Mikrotik routers:
Primary VPN
WG.
a. use only wireguard between the routers.
b. wireguard can be given to users who need lan access remotely to both routers
c. wireguard can be used to configure/reach both routers by the admin

Backup VPN
IP-IP using ipsec secret between the routers.

This is efficient and works well and is relatively easy to implement.
I would throw out completely the dog's breakfast you have inherited.
I will put something together that seems to meet the requirements, at least for router1, which appears to be the Server Peer for handshake.

Thanks and great to hear! I will PM you. :smiley:


Update: it seems this forum does not support PM. Any other way I can contact you? :grinning_face:

check out my avatar/profile for the next while…

avatar reverted back to normal

Sorry different timezones. :slight_smile:

I can try again within the next 30 mins.

okay, it's back up now.

Thanks, but I only see the 4 links and no additional info. btw I agree with these fully. :slight_smile:

got it.

R1 Sample… ( add back in things you need )
Assuming WAN is a dynamic public IP, not a static public IP.
Lots of rough edges, but the drift is to eliminate all the VPN noise and settle on wireguard, and we will look at what alternative we have for backup.
If Router2 also has a public IP we can put a separate wireguard interface on that one, in case the issue is R1, and thus can still access R2.
Lots of unknowns to pin down.

/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=etherX ] name=OffBridge-X
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=WAN
add name=LAN
/ip pool
add name=10.210.1.0/24 ranges=10.210.1.2-10.210.1.254
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/ipv6 firewall filter
add chain=input action=drop
add chain=forward action=drop
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
add interface=wireguard1 list=LAN
add interface=OffBridge-X list=LAN
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard1 name=Laptop public-key="xxxxxx"
add allowed-address=192.168.100.3/32 interface=wireguard1 name="Nvidia Shield" public-key="xxxxxxxx"
add allowed-address=192.168.100.4/32 interface=wireguard1 name=Mac public-key="xxxxxxxx"
add allowed-address=192.168.100.5/32 interface=wireguard1 name=iPhone public-key="xxxxxxxx"
/ip address
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
add address=10.210.1.1/24 interface=bridge network=10.210.1.0
add address=192.168.55.1/30 interface=OffBridge-X network=192.168.55.0
/ip dhcp-client
add interface=ether1 add-default-route=yes
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
# use static dhcp leases where applicable
/ip firewall address-list
add address=10.210.1.XX list=Authorized comment="local admin device1"
add address=10.210.1.YY list=Authorized comment="local admin device2"
add address=192.168.100.2 list=Authorized comment="remote admin laptop"
add address=192.168.100.5 list=Authorized comment="remote admin iphone"
# if the public IP is dynamic; otherwise replace with the static IP on the dstnat rules
add address=my.netname.net list=MyWAN
# others ??
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="wireguard handshake" dst-port=13231 protocol=udp
add action=accept chain=input comment="admin access" in-interface-list=LAN src-address-list=Authorized
add action=accept chain=input comment="users to DNS services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to DNS services" in-interface-list=LAN dst-port=53 protocol=tcp
# insert this rule last
add action=drop chain=input comment="drop all else"
# ++++++++++++++++++++ forward chain ++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="wireguard to local LAN" in-interface=wireguard1 dst-address=10.210.1.0/24
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Server TYPE tcp ports" dst-address-list=MyWAN dst-port=5000,5001,5060,5061,5090 protocol=tcp to-addresses=192.168.50.22
add action=dst-nat chain=dstnat comment="Server TYPE udp ports" dst-address-list=MyWAN dst-port=5060,5090,9000-10999 protocol=udp to-addresses=192.168.50.22
add action=dst-nat chain=dstnat dst-address=12.34.56.789 dst-port=20678 protocol=udp to-addresses=192.168.50.2 to-ports=20678
add action=dst-nat chain=dstnat comment="Emby" dst-address-list=MyWAN dst-port=14979,20678 protocol=tcp to-addresses=192.168.50.27
add action=dst-nat chain=dstnat comment=Nginx dst-address-list=MyWAN dst-port=80 log=yes protocol=tcp to-addresses=192.168.50.45
add action=dst-nat chain=dstnat dst-address-list=MyWAN dst-port=443 log=yes protocol=tcp to-addresses=192.168.50.45
add action=dst-nat chain=dstnat comment="Mail Server" dst-address-list=MyWAN dst-port=25 log=yes protocol=tcp to-addresses=192.168.50.19 to-ports=25
# **** HOSTING AN UNENCRYPTED MAIL SERVER IS A VERY BAD MOVE AND INVITES GETTING HACKED !!!
add action=dst-nat chain=dstnat dst-address-list=MyWAN dst-port=110,143,465,587,993,995,4190 log=yes protocol=tcp to-addresses=192.168.50.19
add action=dst-nat chain=dstnat comment="Download Port" dst-address-list=MyWAN dst-port=30415 log=yes protocol=tcp to-addresses=192.168.50.38
add action=dst-nat chain=dstnat comment="Download Port" dst-address-list=MyWAN dst-port=30415 log=yes protocol=udp to-addresses=192.168.50.38

/system logging action
add email-to=xxxxxx name=email target=email
/tool e-mail
set from=xxxxxx port=465 server=xxxxxx tls=yes user=xxxxxx
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN
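As an added example (not from the thread), a small Python model of RouterOS first-match filter semantics run over the forward chain of the sample above; the interface-list mapping and the two test flows are constructed. It shows why a WireGuard client is accepted toward R1's own 10.210.1.0/24 but falls through to "drop all else" (the timeout the original post describes) toward 192.168.50.x behind R2 until a forward rule covering that subnet is added.

```python
import ipaddress
import shlex

IFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge", "wireguard1", "OffBridge-X"}}  # from the sample (constructed mapping)
# Forward-chain rules from the sample, in order (fasttrack omitted; it does not change verdicts).
FORWARD_RULES = """
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="wireguard to local LAN" in-interface=wireguard1 dst-address=10.210.1.0/24
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
"""

def parse_rules(text):
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])  # shlex keeps quoted comments intact
            for line in text.strip().splitlines()]

def rule_matches(rule, pkt):
    """Every matcher present on the rule must agree with the packet (RouterOS AND semantics)."""
    if "in-interface" in rule and rule["in-interface"] != pkt["in_iface"]:
        return False
    if "in-interface-list" in rule and pkt["in_iface"] not in IFACE_LISTS[rule["in-interface-list"]]:
        return False
    if "out-interface-list" in rule and pkt["out_iface"] not in IFACE_LISTS[rule["out-interface-list"]]:
        return False
    if "dst-address" in rule and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["dst-address"]):
        return False
    if "connection-state" in rule and pkt["conn_state"] not in rule["connection-state"].split(","):
        return False
    if "connection-nat-state" in rule and pkt["nat_state"] != rule["connection-nat-state"]:
        return False
    return True

def verdict(rules, pkt):
    """Action of the first matching rule; a chain with no match is implicitly accepted."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return "accept", "implicit (no rule matched)"

def new_flow(in_iface, out_iface, dst):
    return {"in_iface": in_iface, "out_iface": out_iface, "dst": dst, "conn_state": "new", "nat_state": None}

if __name__ == "__main__":
    rules = parse_rules(FORWARD_RULES)
    # Constructed flows: WireGuard client to R1's LAN, then to 192.168.50.x via the inter-router tunnel.
    for flow in (new_flow("wireguard1", "bridge", "10.210.1.20"),
                 new_flow("wireguard1", "pptp-out1", "192.168.50.20")):
        print(flow["dst"], "->", verdict(rules, flow))
```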