No routing over wireguard (resolved)

Hello!

I set up 2 RouterOS v7 devices with WireGuard but can’t figure out why my routes do not work.

One RouterOS (CHR)

[admin@MikroTik] > /ip address/print 
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS          NETWORK       INTERFACE
0 x.y.98.150/30  x.y.98.148  ether1   
1 10.0.0.1/24      10.0.0.0      wg0      
[admin@MikroTik] > /ip route print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS      GATEWAY       DISTANCE
0  As 0.0.0.0/0        x.y.98.149         1
  DAc 10.0.0.0/24      wg0                  0
1  As 10.100.1.0/24    10.0.0.3             1
  DAc x.y.98.148/30  ether1               0
[admin@MikroTik] > /ping 10.0.0.3
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                          
    0 10.0.0.3                                   56  64 1ms927us  
    1 10.0.0.3                                   56  64 1ms621us  
    sent=2 received=2 packet-loss=0% min-rtt=1ms621us avg-rtt=1ms774us max-rtt=1ms927us 

[admin@MikroTik] > /ping 10.100.1.1
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                          
    0 10.0.0.1                                   84  64 94us       host unreachable                                                                
    1 10.0.0.1                                   84  64 127us      host unreachable                                                                
    sent=2 received=0 packet-loss=100%

Second RouterOS (hAP)

[admin@MikroTik] > /ip address/print 
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS           NETWORK       INTERFACE
;;; defconf
0   192.168.88.1/24   192.168.88.0  bridge1  
1 D 172.31.240.57/25  172.31.240.0  ether4   
2   10.0.0.3/24       10.0.0.0      wg0      
3   10.100.1.1/24     10.100.1.0    bridge1  
[admin@MikroTik] > /ip route/print   
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS      GATEWAY       DISTANCE
DAd 0.0.0.0/0        172.31.240.1         1
DAc 10.0.0.0/24      wg0                  0
DAc 10.100.1.0/24    bridge1              0
DAc 192.168.88.0/24  bridge1              0
DAc 172.31.240.0/25  ether4               0
[admin@MikroTik] > /ping 10.0.0.1    
  SEQ HOST                                     SIZE TTL TIME       STATUS         
    0 10.0.0.1                                   56  64 1ms811us  
    1 10.0.0.1                                   56  64 1ms770us  
    2 10.0.0.1                                   56  64 1ms714us  
    sent=3 received=3 packet-loss=0% min-rtt=1ms714us avg-rtt=1ms765us 
   max-rtt=1ms811us

I think that this is a correct routing config, so why can’t I ping the hAP’s internal interface from the CHR?

You might want to hide your public IP address from the output above.

Did you configure WireGuard allow-address to include 10.100.1.0/24? WG will drop anything not on the allow list. This is separate from routing and firewall.

You might want to hide your public IP address from the output above.

Yes, thanks.

Did you configure WireGuard allow-address to include 10.100.1.0/24?

Thank you a lot! I forgot about this!
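The check described in the answer above, as an added example that is not part of the original thread: it models how WireGuard matches packets against each peer's allowed-address list and flags routes that point into the tunnel but that no peer covers. The peer name `hap`, the pre-fix allowed-address value `10.0.0.3/32` and the `198.51.100.149` uplink placeholder are assumptions, since the thread does not show the peer configuration.

```python
import ipaddress as ip

def select_peer(dst, peers):
    """Outbound: WireGuard sends to the peer whose allowed-address has the
    longest-prefix match for the destination; no match means no peer."""
    addr = ip.ip_address(dst)
    matches = [(ip.ip_network(c).prefixlen, name)
               for name, cidrs in peers.items() for c in cidrs
               if addr in ip.ip_network(c)]
    return max(matches)[1] if matches else None

def accepts_inbound(peer, src, peers):
    """Inbound: a decrypted packet is kept only if its source address is
    inside the sending peer's allowed-address list."""
    return any(ip.ip_address(src) in ip.ip_network(c) for c in peers[peer])

def uncovered_routes(routes, peers, wg_subnet):
    """Routes whose gateway lies in the tunnel subnet but whose destination
    no peer's allowed-address fully covers: routing forwards into wg0,
    then WireGuard has no peer to encrypt for."""
    tunnel = ip.ip_network(wg_subnet)
    allowed = [ip.ip_network(c) for cidrs in peers.values() for c in cidrs]
    bad = []
    for dst, gw in routes:
        net = ip.ip_network(dst)
        if ip.ip_address(gw) in tunnel and not any(net.subnet_of(a) for a in allowed):
            bad.append(dst)
    return bad

# Constructed sample modelled on the CHR in the thread.
ROUTES = [("0.0.0.0/0", "198.51.100.149"),   # placeholder for the redacted uplink
          ("10.100.1.0/24", "10.0.0.3")]
BEFORE = {"hap": ["10.0.0.3/32"]}                    # assumed original peer entry
AFTER = {"hap": ["10.0.0.3/32", "10.100.1.0/24"]}   # with the remote LAN added

if __name__ == "__main__":
    for label, peers in (("before", BEFORE), ("after", AFTER)):
        print(label, "uncovered:", uncovered_routes(ROUTES, peers, "10.0.0.0/24"),
              "peer for 10.100.1.1:", select_peer("10.100.1.1", peers))
```

The inbound check matters as well: even if the request reached the hAP some other way, a reply sourced from 10.100.1.1 would be discarded by the CHR until that prefix is in the peer's list.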