Hi
I need some help.
Today I use IPSEC but would like to switch to Wireguard. I have Wireguard up and running, but I cannot ping the remote client from the LAN.
TO: /ip address
add address=172.16.46.1/24 comment=defconf interface**=bridge** network=
172.16.46.0
Based on Allowed IPs, assume you want the remote office to be able to use the internet of the Primary Office ???
( as well as access subnets on the Main Office ).
YOur WAN setup is incorrect. One can either assign an IP statically to the WAN
OR
one can use IP DHCP Client,
So make up your mind! /ip dhcp-client
add comment=defconf interface=ether1
++++++++++++++++++++++++++++++++++++++ /ip address
add address=192.168.8.254/24 interface=ether1 network=192.168.8.0
Why do you have an input chain rule for wireguard on this router, the initial handshake is made from this Remote Router to the Main Router not the other way round.
Should be removed add action=accept chain=input dst-port=13231 protocol=udp
Personal preference in firewall rules makes it clearer what is being allowed as follows: add action=accept chain=forward comment=“remote users to local LAN” in-interface=WG-Perstorp dst-address=172.16.46.0/24
src-address=172.16.45.0/24
add action=accept chain=forward comment=“local users into wireguard” out-interface=WG-Perstop src-address=172.16.46.0/24
dst-address=172.16.45.0/24
Why not expand your wireguard network, right now you only have office to office possible, by opening it, you as admin can reach both routers remotely from anywhere from a laptop or a smartphone/ipad etc…
I dont see the purpose of having this sourcenat rule at all… Should be removed. add action=accept chain=srcnat comment=Home dst-address=172.16.45.0/24
src-address=172.16.46.0/24
Better format for extra route rule /ip route
add dst-address=172.16.45.0/24 gateway=WG-Perstrop routing-table=main
Set detect-internet to NONE, its not useful and known to cause problems
Allowed IPs should be… ( never for local subnets to be identified here ) /interface wireguard peers
add allowed-address=10.20.30**.2/**30,172.16.46.0/24 interface=WG-Home name=
Perstorp public-key=“KEY”
Same as before fix… add address=172.16.45.1/24 comment=defconf interface**=bridge** network=
172.16.45.0
add action=accept chain=forward comment=“remote users to local LAN” in-interface=WG-Home dst-address=172.16.45.0/24
src-address=172.16.46.0/24
add action=accept chain=forward comment=“local users into wireguard” out-interface=WG-Home src-address=172.16.45.0/24
dst-address=172.16.46.0/24
Extra rules not needed for sourcenat
from
/ip firewall nat
add action=accept chain=srcnat comment=Perstorp dst-address=172.16.46.0/24
src-address=172.16.45.0/24
add action=masquerade chain=srcnat comment=“defconf: masquerade”
out-interface-list=WAN
add action=masquerade chain=srcnat comment=“WireGuard VPN Nat” out-interface=
WG-Home
TO /ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
out-interface-list=WAN
Routes are weird that you have setup for wireguard and not useful
/ip route
add disabled=yes distance=1 dst-address=172.16.46.0/24 gateway=bridge
pref-src=172.16.45.1 routing-table=main scope=10 suppress-hw-offload=no
target-scope=10
add disabled=no distance=1 dst-address=172.16.46.0/24 gateway=10.20.30.2
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
Change to: /ip route
add dst-address=172.16.46.0/24 gateway=WG-Home routing-table=main
++++++++++++++++++++++++++++++
overall your firewall rules need work, cleaned up better security and organized, put input chain rules together
REMOTE OFFICE CONFIG
2. Based on Allowed IPs, assume you want the remote office to be able to use the internet of the Primary Office ???
( as well as access subnets on the Main Office ).
No, it must use its own internet and Wireguard for access to subnets on the Main Office
Your WAN setup is incorrect
what do you mean?
192.168.8.254 is there to configure mobile router
Wan - mobile router - mikrotik router
100.x.x.x –> 192.168.8.254-192.168.8.1->17.16.45.0/24
but I still can’t get traffic through
A. Dont argue with me, I am quoting your own config… Argue with yourself /interface wireguard peers
add allowed-address**=0.0.0.0/0** endpoint-address=ad8a0b1629ed.sn.mynetname.net
endpoint-port=13231 interface=WG-Perstorp name=Home persistent-keepalive=
10s public-key=“87BoEzWnQ8jCo4Nxf5toH9+UwDzGCtANlHlqqyV5ul0=”
Should be /interface wireguard peers
add allowed-address=10.20.30.0/24,172.16.45.0/24endpoint-address=ad8a0b1629ed.sn.mynetname.net
endpoint-port=13231 interface=WG-Perstorp name=Home persistent-keepalive=
10s public-key=“87BoEzWnQ8jCo4Nxf5toH9+UwDzGCtANlHlqqyV5ul0=”
If you still dont get it, putting in 0.0.0.0/0 means any address will be accepted by the wireguard protocol on the office router for traffic heading into the tunnel.
When that traffic hits the main router, depending on firewall rules, will go out the main router internet. In other words, to be accurate and limiting from the outset,
we limit to appropriate wireguard subnet and remote subnets the office users need to visit.
B. Sorry, without a network diagram and specific details on your WANSETUP, it would impossible to discern exactly what your WAN setup should be.
Based on the config alone it was not clear to me that you had TWO separate WAN connections, if thats what you are now trying to say??
a. The WAN interface list membership only identified one WAN entry??
b. Ports are used on bridge except for port1, so assumed one WAN.
c. Ethernet1 your WAN connection is assigned a static WANIP on IP address.
Thus an IP DHCP client entry made zero sense to me and still makes zero sense.
So your explanation is that for some reason the MT router is NOT directly connected to an ISP modem but to another router???
Okay, thats fine, but not relevant to my point, I am saying get rid of the IP DHCP client it is NOT required.
As far as connectivity is concerned unless you post both configs with the requested changes made, it will be impossible to comment further.
Facts one can deal with, speculation not so much.
Until you make up your mind on wireguard, no progress can be made.
Which is router peer SERVER for handshake?
Which is router peer CLIENT for handshake?
You limit wireguard to one effective user (/30) WHY???.. it limits your ability as admin for both routers, to access both router while away from multiple device, laptop, smartphone, ipad… etc.. Or the admin just responsible for the remote router with same etc… at least look at 29 which yields like 6 hosts.
Ensure detect internet settings is set to NONE as it is known to potentially cause issues.
note: this will allow you as admin to connect peer to peer to the home router, and then connect from there to the remote router for whatever needs!!
For the rest of firewall rules, dont see any major issue except for the mismatch of rules. Clean it up.
Keep input chain rules together and keep forward chain rules together and any errors or wrong ordered rules will be much clearer.
For example you have a bunch of forward chain rules that should be after the default rules of fastrack and accept establish related.
Last point: ensure you modify the interface list member /interface list member
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=bridge list=LAN add interface=WG-HOME list=LAN
Sorry, but am I missing something?
I still don’t have a connection between the two lans.
Wierguard running but no ping between Home (Main Router) and Perstorp (Remote Router)
Keep the Network/Subnet in wireguard consistent so modify this /ip address add address=10.20.30.2/30 interface=WG-Perstorp network=10.20.30.0
TO: /ip address add address=10.20.30.2/29 interface=WG-Perstorp network=10.20.30.0
Firewall rules need work, for starters can you tell me WHY you have this rule… /ip firewall filter add action=accept chain=input dst-port=13231 protocol=udp???
Keep chains together much easier to read and spot problems. The relay rule is strictly for the Server Peer ( aka the other router → think of the logic all peers connect to the server for peer to peer connection. ON the server its where in fw rules we want to allow traffic to exit the tunnel and enter another tunnel outbound ( only the server peer as multiple tunnels )… and rules in the following order. /ip firewall filter add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracke
/ip firewall filter add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
/ip firewall filter add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
/ip firewall filter add action=drop chain=input comment=“defconf: drop all not coming from LAN” in-interface-list=!LAN
++++++++++++++++
/ip firewall filter add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid /ip firewall filter add action=accept chain=forward comment=“internet traffic” in-interface-list=LAN out-interface-list=WAN
/ip firewall filter add action=accept chain=forward comment=“Remote users to local LAN” dst-address=172.16.46.0/24 in-interface=WG-Perstorp src-address=172.16.45.0/24
/ip firewall filter add action=accept chain=forward comment=“Local users into wireguard” dst-address=172.16.45.0/24 out-interface=WG-Perstorp src-address=172.16.46.0/24 /ip firewall filter add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat
/ip firewall filter add action=drop chain=forward comment=“Drop all else”
/ip firewall nat add action=masquerade chain=srcnat comment=“defconf: masquerade” ipsec-policy=out,none out-interface-list=WAN
I dont think any thing here was preventing local traffic getting out … will check other router.
On the Peer Server one identifes the peer client by single IP address at the allowed IPs settings!..so should be.
/interface wireguard peers add allowed-address=10.20.30**.2/32**172.16.46.0/24 comment=“remote router” interface=WG-Home name=peer1 public-key=“KEY”
Hi I’m very confused, followed your recommendations with still no traffic from server 172.16.45.200 ↔ 172.16.46.200 none of the ways.
If I try ping from Home router to Perstorp 172.16.46.1 I get a response, but ping to 172.16.46.200 I get a timeout and “Drop all else” on
Perstorp blocks traffic. “forward: in:WG-Perstorp out:bridge, connection-state:new proto ICMP (type 8, code 0), 10.20.30.1->172.16.46.200, len 56”
The same the other way around
“forward: in:WG-Home out:bridge, connection-state:new proto ICMP (type 8, code 0), 10.20.30.2->172.16.45.200, len 56”
If I disable the “Drop all else” rule I get a response.
remove this rule: → the client peer is never going to relay wireguard, ( a function at the server router only as it is the one capable of connecting client peers /ip firewall filter add action=accept chain=forward comment=“relay traffic from admin” in-interface=WG-Perstorp out-interface=WG-Perstorp
remove old noise. /ip firewall filter add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
HOME ROuter - again I dont see any issue here other than rearranging order of forward chain rules. see if that helps at all.
Other than that, since I despise capsman will blame it LOL.
Remove old rule: /ip firewall filter add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
