Problem with accessibility of sites through WG

Good morning. I configured WireGuard on my work network, everything is flying, but there is a problem with the accessibility of sites/computers through it. There is a ping, then there is no ping, but at the same time RDP itself continues to work on the same IP until the window is closed, which I checked as an example.
The configuration is complicated by the fact that in front of the WG gateway, which itself is configured in bridge mode, is the main router with LAN and internet, as it cannot be upgraded to ROS7 to organize WG on it. There are no firewall rules on the WG gateway itself, DHCP is disabled and it gets a static IP address from the master router. It is accessed via a firewall rule from the first router via dst-nat specifying its IP and WG connection port. The routes were configured correctly. But it is not clear why there is a problem with node availability.
The first router with internet and lan has a route:
Dst. Address: 192.168.100.0/24 - this is the pool for WG
Gateway: 192.168.1.210 - this is the IP of the router itself with it
The second router as a WG gateway and in bridge mode has a route:
DAd, Dst. Address - 0.0.0.0/0 Gateway - 192.168.1.11
DAC, Dst. Address - 192.168.1.0/24 Gateway - bridge1
DAC, Dst. Address - 192.168.100.0/24 Gateway - WG-pool
The peer settings specify Allowed Address: 192.168.100.2/32 and 192.168.1.0/24
I also tried changing them: /24 with /32, and both IPs written with /24 or /32; it does not help.
From the second router itself, everything pings fine. What could be the problem? Please help, the overly simple wireguard setup is breaking my head lol.
If I make a masquerading rule it’s OK, but you should do without it to have direct visibility of the client behind the VPN and vice versa.
There were suspicions that perhaps the subnet 192.168.100.0 is already used somewhere, but it seems that it is not anywhere except here; still, I would like to find out somehow if it is really present and can overlap here, creating problems. Also, I don’t understand why MikroTik in Client Config in the peer properties generates non-existing settings for the client.

Network diagram and configs of both routers
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc.)

Is there any way to send it in person? I’m afraid there may be a lot of confidential information in there.

My Guess

Assuming the internet gateway is a MikroTik and is using something similar to the default config, asymmetric routing might be the issue.

Wg → Lan Device
and
Lan Device → MainGateway → Wg

If it is this, there are at least a couple of options:

  1. On the WG MikroTik enable masquerade from the wg interface to the bridge, so all devices see the WG MikroTik’s IP address rather than the wg address.
  2. On the Internet gateway firewall, add an accept filter rule just before the drop Invalid Forward rule to allow all traffic from LAN devices to WG.

I didn’t think about the firewall rules, I’ll have to try that. The central MikroTik comes first, and then the computers in its local network and the WG gateway itself. Isn’t there any way to do it without the masquerading? The goal is only to get to devices on the LAN via WG from the outside; the internet itself is not needed on the end devices.
It would be desirable, of course, to specify the domain suffix somehow, but apparently wireguard is not able to do that.
The problem itself looks like this on the WG client: ping skips, and something is unavailable.
Screenshot 2024-09-02 071200.png

At random I tried making a dst-nat rule on the WG gateway from the wg interface to the IP address of the central router; now everything pings without fail. However, nothing but pinging works, and if you disable masquerading on the client, it disappears too…

Perhaps something like the following in the central router.

/ip firewall filter
# existing rules ...

# following rules go just before the existing invalid rule.
# (Put them in via terminal, then move them using winbox/webfig)

add action=accept chain=forward comment="allow traffic between wg and lan" src-address=192.168.1.0/24 dst-address=192.168.100.0/24
add action=accept chain=forward comment="allow traffic between wg and lan" src-address=192.168.100.0/24 dst-address=192.168.1.0/24

# existing invalid rule.
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
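Added example (Python, not from the thread or from RouterOS): a toy connection tracker that models the asymmetric-routing guess above (WG -> LAN device over the bridge, LAN device -> main gateway -> WG on the way back) and the effect of the accept rule in this post. The LAN host 192.168.1.50 and the simplified tracker are assumptions; the subnets and the peer address are the thread's.

```python
from dataclasses import dataclass

WG_NET, LAN_NET = "192.168.100.", "192.168.1."   # subnets from the thread

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "icmp"
    kind: str    # tcp: "syn", "syn-ack", "ack"; icmp: "echo-request", "echo-reply"

def between_wg_and_lan(p):
    wg_to_lan = p.src.startswith(WG_NET) and p.dst.startswith(LAN_NET)
    lan_to_wg = p.src.startswith(LAN_NET) and p.dst.startswith(WG_NET)
    return wg_to_lan or lan_to_wg

class Gateway:
    """Toy connection tracker plus a defconf-style forward chain."""
    def __init__(self, accept_wg_lan=False):
        self.conns = set()                # tracked (endpoints, proto) flows
        self.accept_wg_lan = accept_wg_lan

    def conn_state(self, p):
        key = (frozenset((p.src, p.dst)), p.proto)
        if key in self.conns:
            return "established"
        if p.kind in ("syn", "echo-request"):   # only these may open a flow
            self.conns.add(key)
            return "new"
        return "invalid"                  # reply to a flow this box never saw

    def forward(self, p):
        state = self.conn_state(p)
        if self.accept_wg_lan and between_wg_and_lan(p):
            return "accept"               # accept rule placed before 'drop invalid'
        return "drop" if state == "invalid" else "accept"   # defconf: drop invalid

# Constructed hosts: LAN PC 192.168.1.50 (assumed), WG peer 192.168.100.2 (thread).
REQUEST = Packet("192.168.100.2", "192.168.1.50", "tcp", "syn")
REPLY   = Packet("192.168.1.50", "192.168.100.2", "tcp", "syn-ack")
ECHO    = Packet("192.168.1.50", "192.168.100.2", "icmp", "echo-reply")

def symmetric(accept_wg_lan=False):
    """Gateway on the path in both directions: the reply is established."""
    gw = Gateway(accept_wg_lan)
    return [gw.forward(REQUEST), gw.forward(REPLY)]

def asymmetric(accept_wg_lan=False):
    """Thread topology: WG -> LAN bypasses the gateway, only LAN -> WG hits it."""
    gw = Gateway(accept_wg_lan)
    return [gw.forward(REPLY), gw.forward(ECHO)]
```

Without the accept rule the main gateway classifies every returning SYN-ACK and echo reply as invalid and drops it, which matches the intermittent ping and RDP symptoms; with the rule in front of "drop invalid" the same packets pass.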

Thank you all for the replies, I solved it on my own with NETMAP rules. I created 2 rules with the IP addresses of the WG pool and the local network, and assigned them to each other in the action. But now it stopped working again. I turned on the log for these rules and noticed that all calls go to 192.168.1.255 or 255.255.255.255, and also that turning on netmap on the central router when pinging another subnet gives a response from the WG pool.
Screenshot 2024-09-12 225555.png