no access to internal services when using Wireguard on Mikrotik

RouterOS Beginner Basics
1

Hi all,

first of all, I’m not really sure if the problem I’m facing is due a misconfiguration in the VPN (therefore, in Mikrotik’s side) or if it’s on the pi-hole side.
I’ve posted also on Pi-hole’s forum https://discourse.pi-hole.net/t/i-cant-access-internal-services-when-using-wireguard/59616 because pihole running in a rpi zero is used in my setup as DNS server.

The problem I’m facing is that, when connected to Wireguard, I can browse the web but I’m not able to access the services that runs under my home server. The server is directly connected to the mikrotik router using an ethernet cable.

I’ve read that maybe adding PreUp and PreDown rules to the wireguard server config could solved it (https://askubuntu.com/questions/1294533/wireguard-handshake-works-but-no-internet-access).

Could anybody help me to debug this issue?

Thanks in advance.

2

https://forum.mikrotik.com/viewtopic.php?p=908118 ( at least steps 1,2,3)

  • wireguard settings at the other end of the connection.
  • where is the wg client located and where is the wg server located ( when doing up a diagram )
3

Sure and sorry for not giving those details in advance @anav:

  • Network diagram is attached
  • Mikrotik config
# dec/02/2022 19:35:41 by RouterOS 7.6
# software id = A0I5-RK7A
#
# model = RBD52G-5HacD2HnD

/interface bridge
add admin-mac=C4:AD:34:42:87:54 auto-mac=no comment=defconf name=bridge
add disabled=yes name=bridge-guest
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
    20/40mhz-XX country=no_country_set disabled=no distance=indoors \
    frequency=auto frequency-mode=manual-txpower installation=indoor mode=\
    ap-bridge ssid=MikroTik-428758 station-roaming=enabled wireless-protocol=\
    802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=germany disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid=MikroTik-428758 \
    station-roaming=enabled wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=wg_MK
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=bedroom supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=profile-guest supplicant-identity=""
/interface wireless
add keepalive-frames=disabled mac-address=C6:AD:34:42:87:58 master-interface=\
    wlan1 multicast-buffering=disabled name=Kima-guest security-profile=\
    profile-guest ssid=Kima_guest wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
/ip pool
add name=dhcp ranges=192.168.88.4-192.168.88.254
add name=dhcp_pool1 ranges=192.168.80.2-192.168.80.7
/ip dhcp-server
add address-pool=dhcp interface=bridge name=local
add address-pool=dhcp_pool1 disabled=yes interface=bridge-guest name=\
    dhcp-guest
/ppp profile
set *FFFFFFFE interface-list=LAN
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
add bridge=bridge-guest ingress-filtering=no interface=Kima-guest
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=*12 list=LAN
add interface=wg_MK list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.100.2/32 comment="Google Pixel" interface=wg_MK \
    persistent-keepalive=20s public-key=\
    "Pfmi3/wQ5pWjIkEG6KsFZkedeMqqpZxf0NSkcAssMGw="
add allowed-address=192.168.100.3/32 comment="XFEL xps" interface=wg_MK \
    persistent-keepalive=20s public-key=\
    "4PU7dj42N+fo19sG09XRtaRR3BkfwUB+NJYUTrJBqDI="
add allowed-address=192.168.100.4/32 comment="XPS 13" endpoint-address="" \
    interface=wg_MK persistent-keepalive=20s public-key=\
    "isrPebjdKSYMPbkiOqXvlSc3pCcJ6JPW1i3EOrVGwUY="
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
add address=192.168.80.1/24 disabled=yes interface=bridge-guest network=\
    192.168.80.0
add address=192.168.100.1/24 comment=Wireguard interface=wg_MK network=\
    192.168.100.0
/ip arp
add address=192.168.88.2 interface=bridge mac-address=EE:94:F6:E5:72:FA
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.5 client-id=\
    ff:cb:39:a:c7:0:2:0:0:ab:11:f4:43:bb:8e:29:87:24:f comment=Homeserver \
    mac-address=70:85:C2:81:A3:29 server=local
add address=192.168.88.93 client-id=1:b8:27:eb:12:95:c6 comment=waterpi \
    mac-address=B8:27:EB:12:95:C6 server=local
add address=192.168.88.23 client-id=1:0:26:18:9c:ba:13 comment=\
    "arch escritorio" mac-address=00:26:18:9C:BA:13 server=local
add address=192.168.88.7 client-id=1:54:8d:5a:75:4a:ea comment="xps xfel" \
    mac-address=54:8D:5A:75:4A:EA server=local
add address=192.168.88.50 client-id=1:EE:94:F6:E5:72:FA mac-address=\
    EE:94:F6:E5:72:FA server=local
add address=192.168.88.13 comment=xps13 mac-address=9C:B6:D0:D1:1E:DD server=\
    local use-src-mac=yes
add address=192.168.88.26 client-id=1:b4:2e:99:d0:f5:3f comment="maria pc" \
    mac-address=B4:2E:99:D0:F5:3F server=local
add address=192.168.88.111 client-id=1:b8:27:eb:ce:42:d6 comment=HyperBian \
    mac-address=B8:27:EB:CE:42:D6 server=local
add address=192.168.88.8 client-id=1:a4:50:46:35:fd:39 comment=Pocophone \
    mac-address=A4:50:46:35:FD:39 server=local
add address=192.168.88.12 client-id=1:82:cd:6b:6f:80:a4 comment=Pixel6 \
    mac-address=82:CD:6B:6F:80:A4 server=local
/ip dhcp-server network
add address=192.168.80.0/24 gateway=192.168.80.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.99 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="allow wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="allow wireguard traffic" in-interface=\
    wg_MK src-address=192.168.100.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="SSH arch desktop" dst-port=5023 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.88.23 to-ports=22
add action=dst-nat chain=dstnat comment="HTTPS homeserver" dst-port=443 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.88.5 to-ports=443
add action=dst-nat chain=dstnat comment="HTTP homeserver" dst-port=80 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.88.5 to-ports=80
add action=dst-nat chain=dstnat comment="SSH homeserver" dst-port=5005 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.88.5 to-ports=22
add action=dst-nat chain=dstnat comment="SSH gitlab" dst-address-list=\
    192.168.96.17 dst-port=10222 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.88.5 to-ports=22
/system clock
set time-zone-name=Europe/Berlin
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add disabled=yes host=192.168.88.5 interval=1m timeout=1s type=simple
  • My goal is to access the services (e.g., git.elnota.space) running on the home server (elnota.space, private IP: 192.168.88.5) when I’m connected to the VPN running on Mikrotik from my laptop (private IP: 192.168.100.2) when I’m outside my Home LAN. When connected to the VPN, I can browse the web but I can’t access any of the services running on the home server by using their subdomain address (e.g., git.elnota.space).
    When I’m in my LAN, I can access those services without any issues. The same happens when I’m outside my LAN and not connected to the VPN from Mikrotik.

If more details are needed, please let me know
Network.png

4

(1) Dont need keep alive setting on MT peers… since the clients initiate the tunnel the keep alive is valid for the clients.

(2) Your bridge setup is confusing… specifically
a. why is ether2 on the bridge when it has a separate IP address.
b. where is the IP address for the main bridge?

Okay looking at this maybe there is some reasoning…
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0 { this should be the address for the bridge not ether2 }
add address=192.168.80.1/24 disabled=yes interface=bridge-guest network=192.168.80.0 { okay disabled }
add address=192.168.100.1/24 comment=Wireguard interface=wg_MK network=192.168.100.0 {good}
/ip arp
add address=192.168.88.2 interface=bridge mac-address=EE:94:F6:E5:72:FA { Not sure what you are trying to do here }

(3) Seems a tad redundant. Since the subnet already describes the sum total of possible in-interface users, it is meaningless. It would be worthwhile to put a source address list for one or a source-address-list for some incoming wireguard users BUT NOT ALL of them. In this case, there is no intent or need to only allow some of the wireguard users…
add action=accept chain=input comment=“allow wireguard traffic” in-interface= wg_MK src-address=192.168.100.0/24

Thus could be … (nit picking)
add action=accept chain=input comment=“allow wireguard traffic” in-interface=wg_MK

(4) By the way, you already have access covered by other looesy gooesy input chain rules..
This rule would allow all wireguard users to access the input chain as you added the wireguard interface to the LAN interface list.
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN

The problem with this rule is that it also allows ALL LAN users potentially to config the router. Suggest the following…
add action=accept chain=input in-interface-list=LAN src-address-list=authorized.

where the authorized list includes admin desktop, admin laptop, admin ipad, admin iphone on reserved mac lease on 192.168.88.0/24
AND
where the authorized list includes 192.168.100.0/24
Therefore the input chain would look like…

/ip firewall filter
{default rules}
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
{user added rules}
add action=accept chain=input comment=“allow wireguard” dst-port=13231
protocol=udp
add action=accept chain=input in-interface-list=LAN src-address-list=authorized
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment=“drop all else” { Only do this after you confirm the authorized firewall list works }

  1. Similarly there is nothing blocking your wg access to the LAN, not sure why things are not working.
    However I had to infer that from your loosey gooesy rule set. Everything is allowed except WAN basically…
    Much prefer

{Default Rules}
up to invalid
{User Rules}
add action=accept chain=forward connection-nat-state=dstnat comment=“allow port forwarding”
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=wg_MK dst-address=192.168.88.0/24
add action=drop chain=forward comment=“drop all else”

  1. Why do you think you would be able to access by domain name…
    Even people I know who want their users to access the server not by local IP but by the Router IP (dyndns name) dont have issues…
    Do you mean those are DYNDNS names?? Like the IP cloud name of the MT Router??

Domain name I dont think work over this type of VPN
In any case if its by DYDNS Type name, try putting this rule on the router…

/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24
add action=masquerade chain=srcnat out-interface=ether1




By domain name over wg, you many need a different type of VPN or zerotier type connectivity (which is more layer 2 type connectivity)

5

Okay this should solve the problems…

Requirements.
a. fw rules NONE
b. Dst Nat Rule yes…

add chain=dstnat action=dst-nat in-interface-list=LAN src-address=!192.168.88.5 dst-port=53 protocol=tcp to-addresses=192.168.88.5 { ip of pi }
add chain=dstnat action=dst-nat in-interface-list=LAN src-address=!192.168.88.5 dst-port=53 protocol=udp to-addresses=192.168.88.5 { ip of pi }

c. Src nat rules yes…
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24
add action=masquerade chain=srcnat out-interface=ether1

If that does not work, then domain name over wg wont work and will ahve to use lan IP address.

6

Really appreciate the time you took to review my config and the detailed answer you gave. Thanks a lot.

Is there any potential problem of blocking the router by adding those rules you mentioned?
I’m far away from home and will not have physical access to change it back if I lose the VPN connection.

Once again, thanks in advance

7

Yes, the drop all rule at the end of the input chain can be a killer so can changing your wireguard access rules in the input chain…
Best to do them on site and leave it as it is for now.


No harm in changing other rules such as forward chain… etc…

8

Once again, thx for the reply!

I’ll come back once I’ve tried. Just to have it clear from my side, I’ll have to apply only these, right?

Requirements.
a. fw rules NONE
b. Dst Nat Rule yes.....

add chain=dstnat action=dst-nat in-interface-list=LAN src-address=!192.168.88.5 dst-port=53 protocol=tcp to-addresses=192.168.88.5 { ip of pi }
add chain=dstnat action=dst-nat in-interface-list=LAN src-address=!192.168.88.5 dst-port=53 protocol=udp to-addresses=192.168.88.5 { ip of pi }

c. Src nat rules yes.......
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24
add action=masquerade chain=srcnat out-interface=ether1
9

Yup but also recommend you do the FORWARD Chain firewall rules ( not the input chain rules until on site)



{Default Rules}
up to invalid
{User Rules}
add action=accept chain=forward connection-nat-state=dstnat comment=“allow port forwarding”
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=wg_MK dst-address=192.168.88.0/24
add action=drop chain=forward comment=“drop all else”

10

Understood. Thx again @anav