MikroTik WireGuard S2S: Site A has a public IP, Site B has a public IP but the ISP blocks all inbound ports

Dear experts,
Hope you are well. I have two MikroTik routers and want to set up a WireGuard site-to-site (S2S) tunnel between them. Both Site A and Site B have public IPs, but the ISP at Site B blocks all inbound ports, so nothing can reach Site B's WireGuard listen port from outside. I still want an S2S tunnel between the two routers.
Please tell me how I can do this.

thanks & Regards

Did you try using port 443?

Yes, but it is not working, and I don't know why.

I have tried many times.
Now I want to connect my RouterBOARD (RB) to my CHR instead. How can I configure the RB as the WireGuard client — the side that initiates the handshake towards the CHR?


My router configuration is as follows:

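# RouterOS export as posted, re-assembled: the export line-wraps are rejoined and the
# "smart" quotes the forum turned the double quotes into are replaced with plain ASCII
# quotes, so the script can be pasted back into a terminal.
# Lines marked FIX(review) change what the posted config did; lines marked
# NOTE(review) only flag something a reviewer would want the owner to look at.
/interface bridge
add admin-mac=D9:A1:51:D1:DA:72 auto-mac=no name=Bridge_WAN-1 port-cost-mode=short
add admin-mac=A2:0C:19:20:98:B9 auto-mac=no name=Bridge_WAN-2 port-cost-mode=short
add name=Bridge_ether2 port-cost-mode=short
/interface ethernet
# ether3/ether4 are named "Loop": apparently a physical loop cable carrying VLANs 201/202
# to split the single ISP port (ether2) into two WAN bridges - confirm with the owner.
set [ find default-name=ether2 ] name=ether2_WAN
set [ find default-name=ether3 ] name=ether3_Loop
set [ find default-name=ether4 ] name=ether4_Loop
set [ find default-name=ether5 ] name=ether5_LAN
/interface pppoe-client
add disabled=no interface=Bridge_WAN-1 name=1_pppoe-client1_35M+50M user=pppoe-client1
add disabled=no interface=Bridge_WAN-2 name=2_pppoe-client2_30+50M user=pppoe-client2
/interface wireguard
# The interface's own private key is not in this export (plain "export" hides it);
# keep it that way when posting configs - never use "export show-sensitive" in public.
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=ether3_Loop name=vlan201_ether3 vlan-id=201
add interface=ether4_Loop name=vlan201_ether4 vlan-id=201
add interface=ether3_Loop name=vlan202_ether3 vlan-id=202
add interface=ether4_Loop name=vlan202_ether4 vlan-id=202
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
# NOTE(review): login-by=http-pap sends hotspot user passwords in clear text over the
# LAN; http-chap (or https with a certificate) is the usual choice.
add dns-name=login.net hotspot-address=10.10.10.1 html-directory=flash/hotspot login-by=http-pap name=hsprof1
/ip pool
add name=hotspot-pool ranges=10.10.10.100-10.10.10.250
add name=pppoe-pool ranges=172.30.30.10-172.30.30.250
/ip dhcp-server
add address-pool=hotspot-pool interface=ether5_LAN lease-time=1h name=dhcp1
/ip hotspot
add address-pool=hotspot-pool addresses-per-mac=1 disabled=no interface=ether5_LAN name=hotspot1 profile=hsprof1
/ip hotspot user profile
add add-mac-cookie=no address-pool=hotspot-pool !mac-cookie-timeout name=2Mbps rate-limit=2M/2M shared-users=2
add add-mac-cookie=no address-pool=hotspot-pool !mac-cookie-timeout name=1Mbps rate-limit=1M/1M
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/ppp profile
set *0 dns-server=8.8.8.8,8.8.4.4
/routing table
add disabled=no fib name=to_wan1
add disabled=no fib name=to_wan2
/interface bridge port
add bridge=Bridge_ether2 ingress-filtering=no interface=ether2_WAN internal-path-cost=10 path-cost=10
add bridge=Bridge_ether2 ingress-filtering=no interface=vlan201_ether3 internal-path-cost=10 path-cost=10
add bridge=Bridge_ether2 ingress-filtering=no interface=vlan202_ether3 internal-path-cost=10 path-cost=10
add bridge=Bridge_WAN-1 ingress-filtering=no interface=vlan201_ether4 internal-path-cost=10 path-cost=10
add bridge=Bridge_WAN-2 ingress-filtering=no interface=vlan202_ether4 internal-path-cost=10 path-cost=10
/interface wireguard peers
# NOTE(review): both peers carry client-address/client-dns/client-endpoint, i.e. they are
# router-generated client profiles for devices that connect TO this router (the endpoint
# they are given is this router's own cloud DDNS name). Neither is a peer that this router
# dials out to; a peer towards the CHR needs endpoint-address/endpoint-port and the CHR's
# public key instead.
add allowed-address=10.10.11.2/32 client-address=10.10.11.2/32 client-dns=8.8.8.8,1.1.1.1 client-endpoint=8aff099ffdd0.sn.mynetname.net interface=wireguard1 name=Kamran persistent-keepalive=25s public-key="B90WckNrUP6EwlQCrpNH5EXAY+JI/3yuA4TepA5Kzjk="
# FIX(review): the posted export contained this peer's private key in clear text. A
# private key that has been published is compromised: generate a new key pair for
# "Kamran Mobile" and re-issue its client config (the public key below becomes stale as
# soon as that is done). The value is redacted here so it is not copied further.
add allowed-address=10.10.11.3/32 client-address=10.10.11.3/32 client-dns=8.8.8.8,1.1.1.1 client-endpoint=8aff099ffdd0.sn.mynetname.net interface=wireguard1 name="Kamran Mobile" persistent-keepalive=25s private-key="REDACTED-REGENERATE-THIS-KEY" public-key="qDhfRF8Q3D1+Lhib5D1dMFwithlRagZyF16ndJBDTAM="
/ip address
add address=10.10.10.1/24 interface=ether5_LAN network=10.10.10.0
add address=172.20.20.1/24 interface=ether5_LAN network=172.20.20.0
add address=192.168.0.12/24 interface=ether5_LAN network=192.168.0.0
add address=192.168.10.12/24 interface=ether5_LAN network=192.168.10.0
add address=192.168.1.12/24 interface=ether5_LAN network=192.168.1.0
# FIX(review): the posted export had interface=*19, a dangling reference to an interface
# that no longer exists, so the tunnel address 10.10.11.1/24 was not bound to anything.
add address=10.10.11.1/24 interface=wireguard1 network=10.10.11.0
add address=192.168.88.12/24 interface=ether5_LAN network=192.168.88.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-server alert
add disabled=no interface=ether5_LAN valid-server=B8:69:F4:AE:BC:FE
/ip dhcp-server network
add address=10.10.10.0/24 comment="hotspot network" gateway=10.10.10.1
/ip dns
set cache-size=10000KiB servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=10.10.10.0/24 list=LAN-IP
add address=10.10.11.0/24 list=LAN-IP
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
# FIX(review): the posted input chain had no connection-state rules and no final drop, so
# every service on the router (DNS, hotspot, WinBox/www, WireGuard, ...) was reachable
# from both PPPoE uplinks except for the handful of ports dropped further down. Standard
# shape: accept established/related, drop invalid, explicitly accept what must be
# reachable from the Internet, then drop whatever else arrives on the uplinks.
add action=accept chain=input comment="Accept established/related" connection-state=established,related
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="WireGuard" dst-port=13231 protocol=udp
# NOTE(review): this drops every ICMP type on WAN-1, including fragmentation-needed,
# which breaks path-MTU discovery on a PPPoE + WireGuard (mtu=1420) path. Consider
# limiting it to echo-request (icmp-options=8:0) instead.
add action=drop chain=input comment="Block Ping" in-interface=1_pppoe-client1_35M+50M protocol=icmp
# NOTE(review): WinBox (8295) and www (8296) are accepted from any source on any interface,
# and www is plain HTTP (www-ssl is not enabled below), so admin credentials would cross
# the Internet unencrypted. Prefer src-address-list=LAN-IP here and manage the router
# over the WireGuard tunnel (10.10.11.0/24 is already in LAN-IP).
add action=accept chain=input comment="Router Access Remotely" dst-port=8295,8296 protocol=tcp
add action=drop chain=input comment="Block Attack" dst-port=25,53,87,512-515,543,544,7547,8080 protocol=tcp
add action=drop chain=input comment="Block Attack" dst-port=53,80,87,161,162,1900,4520-4524,8080 protocol=udp
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=none-dynamic chain=input comment="Port Scanners to Address List " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=none-dynamic chain=input comment="TCP Flag-NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=none-dynamic chain=input comment="TCP Flag-FIN/SYN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=none-dynamic chain=input comment="TCP Flag-RST/SYN scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=none-dynamic chain=input comment="TCP Flag-FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=none-dynamic chain=input comment="TCP Flag-ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=none-dynamic chain=input comment="TCP Flag-NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Dropping Port Scanners" src-address-list="Port Scanners"
# FIX(review): default-deny for the router itself on both uplinks (see note above).
add action=drop chain=input comment="Drop everything else from WAN-1" in-interface=1_pppoe-client1_35M+50M
add action=drop chain=input comment="Drop everything else from WAN-2" in-interface=2_pppoe-client2_30+50M
/ip firewall mangle
# TTL=1 towards the hotspot LAN stops clients from sharing the connection downstream.
add action=change-ttl chain=postrouting new-ttl=set:1 out-interface=ether5_LAN passthrough=no src-address=10.10.10.0/24
add action=mark-connection chain=input in-interface=1_pppoe-client1_35M+50M new-connection-mark=wan1_conn passthrough=yes
add action=mark-connection chain=input in-interface=2_pppoe-client2_30+50M new-connection-mark=wan2_conn passthrough=yes
add action=mark-routing chain=output connection-mark=wan1_conn new-routing-mark=to_wan1 passthrough=no
add action=mark-routing chain=output connection-mark=wan2_conn new-routing-mark=to_wan2 passthrough=no
add action=accept chain=prerouting in-interface=1_pppoe-client1_35M+50M
add action=accept chain=prerouting in-interface=2_pppoe-client2_30+50M
# PCC load-balancing is only applied to traffic entering on ether5_LAN; anything arriving
# through wireguard1 is not marked here and follows the main table.
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=ether5_LAN new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0 src-address-list=LAN-IP
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=ether5_LAN new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1 src-address-list=LAN-IP
add action=mark-routing chain=prerouting connection-mark=wan1_conn new-routing-mark=to_wan1 passthrough=yes src-address-list=LAN-IP
add action=mark-routing chain=prerouting connection-mark=wan2_conn new-routing-mark=to_wan2 passthrough=yes src-address-list=LAN-IP
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface=1_pppoe-client1_35M+50M
add action=masquerade chain=srcnat out-interface=2_pppoe-client2_30+50M
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=yes src-address=10.10.10.0/24
# Leave this disabled for a site-to-site tunnel: the remote side should see real
# 10.10.11.0/24 sources, not a NATed address.
add action=masquerade chain=srcnat disabled=yes src-address=10.10.11.0/24
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
/ip hotspot walled-garden ip
add action=accept disabled=no dst-address=10.10.10.1 !dst-address-list !dst-port !protocol !src-address !src-address-list
/ip route
# Router-originated traffic (including the WireGuard handshake to the CHR) uses the main
# table: WAN-1 (distance 1) with fail-over to WAN-2 (distance 2). No route for any remote
# subnet points into wireguard1 yet; those must be added for a site-to-site tunnel.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1_pppoe-client1_35M+50M pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=WAN-1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1_pppoe-client1_35M+50M pref-src="" routing-table=to_wan1 scope=30 suppress-hw-offload=no target-scope=10
add comment=WAN-2 disabled=no dst-address=0.0.0.0/0 gateway=2_pppoe-client2_30+50M routing-table=to_wan2
add comment=WAN-2 disabled=no distance=2 dst-address=0.0.0.0/0 gateway=2_pppoe-client2_30+50M pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
# NOTE(review): www is plain HTTP on a non-standard port; moving the port is not a
# substitute for TLS. Enable www-ssl with a certificate (or disable www) if the web UI
# must stay reachable from the uplinks.
set www port=8296
set ssh disabled=yes
set api disabled=yes
set winbox port=8295
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Asia/Karachi
/system identity
set name="RoshanNet-Hotspot Server"
/system note
set show-at-login=no
/tool romon
# NOTE(review): RoMON is enabled with no "secrets=" configured, so any device on a
# directly connected L2 segment can discover this router and open a RoMON session to
# its management services. Set a secret, restrict the ports, or disable it.
set enabled=yes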

Not going to attempt to understand your config… however in terms of wireguard.

It's all wrong for a router that is the dialling-out (client) side of the tunnel.
If this router's only WireGuard role is to connect to the CHR, it needs exactly one peer entry: the CHR. The two entries you have carry client-address/client-dns/client-endpoint, which makes them router-generated client profiles for devices that connect *to* this router — not a peer that this router connects to.
Is your intent to reach the other router's subnets, to have both routers act as a remote-admin WireGuard endpoint, and/or to send this site's Internet traffic out through the CHR?

add allowed-address=10.10.11.2/32 client-address=10.10.11.2/32 client-dns=
8.8.8.8,1.1.1.1 client-endpoint=8aff099ffdd0.sn.mynetname.net interface=
wireguard1 name=Kamran persistent-keepalive=25s public-key=
“B90WckNrUP6EwlQCrpNH5EXAY+JI/3yuA4TepA5Kzjk=”

WRONG — on a dial-out router there is no second entry; remove it. Note also that you have posted this peer's private key in clear text, so regenerate that key pair before reusing the profile anywhere:
add allowed-address=10.10.11.3/32 client-address=10.10.11.3/32 client-dns=
8.8.8.8,1.1.1.1 client-endpoint=8aff099ffdd0.sn.mynetname.net interface=
wireguard1 name=“Kamran Mobile” persistent-keepalive=25s private-key=
“sBIY3IRy2F5gpiMsIj7CKTgslPmc3pLkI/YV00vLaWo=” public-key=
“qDhfRF8Q3D1+Lhib5D1dMFwithlRagZyF16ndJBDTAM=”

+++++++++++++++++
Clearly you have a problem/error with this interface reference — `*19` is RouterOS showing an internal ID for an interface that no longer exists:
add address=10.10.11.1/24 interface=*19 network=10.10.11.0

and it is your WireGuard interface address!
It should read:
add address=10.10.11.1/24 interface=wireguard1 network=10.10.11.0

Fix the first one above to the following (RouterOS 7 peers use endpoint-address/endpoint-port; without them this router never initiates the handshake, and it is precisely that outbound initiation — kept alive by persistent-keepalive — that gets you through an ISP that blocks inbound ports at site B):
add allowed-address=10.10.11.0/24,SUBNETB1,SUBNETB2 endpoint-address=CHR-fixed-public-IP endpoint-port=CHR-listen-port interface=wireguard1 name=Kamran persistent-keepalive=25s public-key="CHR-public-key"

Note: SUBNETB1, SUBNETB2 stand for the subnets on the other router that you want to reach, and equally for the remote subnets that are allowed to come in through the tunnel to reach this router's subnets (allowed-address is both a route filter and an ingress filter).

Unless you also intend to send this site's Internet traffic out through the CHR, in which case it would be:
add allowed-address=0.0.0.0/0 endpoint-address=CHR-fixed-public-IP endpoint-port=CHR-listen-port interface=wireguard1 name=Kamran persistent-keepalive=25s public-key="CHR-public-key"

Note that you need /ip routes for any subnets that traverse the tunnel and are not local to this router — unlike wg-quick, RouterOS does not create routes from allowed-address. If you use allowed-address=0.0.0.0/0 with a default route via wireguard1, also add a specific route for the CHR's public IP via the PPPoE gateway (or use a separate routing table); otherwise the packets to the tunnel endpoint are themselves routed into the tunnel and the handshake never completes.