Problems reaching the LAN bridge subnet from WireGuard peers

Hello.
I have a WireGuard network and I have configured a MikroTik router as a client (peer) on it.
The problem is that from another WireGuard client I cannot ping the hosts on the MikroTik's LAN subnet.
I can ping the MikroTik's WireGuard address and also its bridge address, which sits on the very subnet I cannot otherwise reach.
From the router itself (Tools → Ping) I can ping every device on that subnet.
These devices are on ether2, which is a port of the bridge.
I’m sending you a copy of my current configuration.
Thanks in advance.

# First RouterOS export posted by the asker. Lines starting with "#" are
# reviewer notes added for this thread, not part of the export.
/interface bridge
add admin-mac=xxxxxxxxxxxxxxxxx auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
# UDP 1500 is never opened in the input chain below, so the router only
# receives WireGuard packets as replies to its own traffic (the peer further
# down has an endpoint and a persistent keepalive). That keeps the port
# unexposed on ether1, but this side must always be the initiator.
/interface wireguard
add listen-port=1500 mtu=1420 name=wg0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Default 192.168.88.x pool left in place although the bridge now carries
# 192.168.0.5/24 (see /ip address). Inert only because the DHCP server below
# is disabled.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
# 10s is the RouterOS default UDP timeout; the 5s keepalive on the peer keeps
# the tunnel's conntrack entry alive comfortably inside it.
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# Putting wg0 in LAN makes every WireGuard peer pass the input rule "drop all
# not coming from LAN" below, i.e. peers get the same access to the router's
# own services (DNS with allow-remote-requests, WinBox/SSH/API, neighbor
# discovery) as a cabled LAN host. Acceptable only if every peer -- and
# whatever the Debian server forwards -- is trusted.
add interface=wg0 list=LAN
# allowed-address is the cryptokey routing list for this peer: a packet
# received from the peer is accepted only if its source is inside the list,
# and a packet is sent to this peer only if its destination is. 192.168.0.0/24
# is this router's own bridge subnet, so it must not be listed here -- it
# would let the peer send packets that claim a local source address. Keep just
# the tunnel subnet (plus any remote LANs behind the server). A 5s keepalive
# is far more frequent than needed; 25-35s is typical.
/interface wireguard peers
add allowed-address=10.71.40.0/24,192.168.0.0/24 endpoint-address=\
    x.xxx.xxx.xxx endpoint-port=1500 interface=wg0 name=peer1 \
    persistent-keepalive=5s public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
/ip address
add address=192.168.0.5/24 comment=defconf interface=bridge network=\
    192.168.0.0
add address=10.71.40.6/24 interface=wg0 network=10.71.40.0
/ip dhcp-client
add comment=defconf interface=ether1
# The DHCP server is disabled, so the 192.168.0.x hosts presumably get their
# addresses -- and their default gateway -- from some other device on the
# bridge. If that gateway is not 192.168.0.5, those hosts have no route back
# to 10.71.40.0/24: their replies to tunnel peers go to the other router and
# are lost, while pings from this router itself (sourced from 192.168.0.5)
# still work. That matches the reported symptom. Fix on that gateway (route
# 10.71.40.0/24 via 192.168.0.5) or, less cleanly, src-nat tunnel traffic
# leaving the bridge, which hides which peer is talking. TODO confirm.
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge lease-time=10m \
    name=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.5 gateway=\
    192.168.0.5 netmask=24
# Remote DNS requests are accepted from whatever the input chain lets in --
# the LAN list, which here includes wg0.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.5 comment=defconf name=router.lan
/ip firewall filter
# The two WireGuard forward rules are placed above the established/fasttrack
# rules, so those flows are never fasttracked. in-interface-list=all and
# out-interface-list=all add nothing next to the explicit interface matchers.
add action=accept chain=forward in-interface=wg0 in-interface-list=all \
    out-interface=bridge out-interface-list=all
add action=accept chain=forward in-interface=bridge out-interface=wg0
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# The only drop in the forward chain, and it matches WAN only. Anything
# arriving on wg0 (a LAN member) may therefore be forwarded anywhere,
# including out to the Internet through the WAN masquerade below. If tunnel
# peers should only reach 192.168.0.0/24, end the chain with an explicit
# drop.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
# The IPv6 address list and filter below are the untouched RouterOS defaults;
# wg0 has no IPv6 address in this export.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Madrid
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

If the MT is the client router, where is the Server Router? What is its config?

The WireGuard server is a Debian host.

Config Server

# Debian WireGuard server (wg-quick style). Keys are redacted placeholders.
[Interface]
Address = 10.71.40.1/24
ListenPort = 1500
# Never post the real value; the one pasted here is a placeholder.
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# vpn_1 -- the MikroTik (10.71.40.6) and the LAN behind it.
# AllowedIPs is the cryptokey routing table: packets from this peer are
# accepted only if their source is inside this list, and packets to any
# address in this list are sent to this peer. For client_2 to reach
# 192.168.0.0/24 the kernel must also forward between the two peers:
# net.ipv4.ip_forward=1 and a FORWARD policy that allows wg0 -> wg0 traffic.
# Neither is shown in this thread -- TODO confirm on the host.
[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 10.71.40.6/32, 192.168.0.0/24

# cliente_2 -- a single host; the /32 means it cannot source any other
# address through the tunnel.
[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 10.71.40.7/32

Config client_2

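# client_2 (10.71.40.7). Keys and the server address are redacted placeholders.
[Interface]
Address = 10.71.40.7/24
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# The Debian server. AllowedIPs sends the tunnel subnet plus both remote LANs
# (192.168.0.0/24 behind the MikroTik, 192.168.10.0/24 behind the test router)
# through it. WireGuard config lines are "Key = value": the version pasted in
# the thread had "EndPoint:" and "PersistentKeepALive:" with a colon, which
# the config parser rejects -- corrected below.
[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 10.71.40.0/24, 192.168.0.0/24, 192.168.10.0/24
Endpoint = x.xxx.xxx.xxx:1500
PersistentKeepalive = 30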

The problem is that I cannot ping the 192.168.0.0/24 subnet behind vpn_1 from anywhere on the VPN.
Note that vpn_1 is the MikroTik.

The server is Debian and the other client (called client_2 in the configs above) is a Windows computer.

Thanks!

Debian:
The AllowedIPs for both vpn_1 and client_2 look correct.

Client2
Its AllowedIPs look correct, assuming the 192.168.10.0/24 subnet lives somewhere on the Debian side of the tunnel.

Now, the Debian host must actually forward packets between the two peers: IPv4 forwarding has to be enabled (net.ipv4.ip_forward=1) and its firewall's FORWARD chain must allow traffic that enters on the WireGuard interface from the computer and leaves on the same interface toward the MT.
Its routing table must also send 192.168.0.0/24 to the WireGuard interface (wg-quick installs that route from AllowedIPs automatically; if you bring the interface up another way, add the route yourself). That part is up to you on the Debian side.

MT router

(1) One mistake is listing the router's own local subnet in allowed-address. allowed-address is WireGuard's cryptokey routing list for that peer and is ONLY for:
a. the source addresses the router will accept from that peer (remote subnets coming into the router);
b. the destinations that are sent to that peer (remote subnets your local users visit).
It must never contain the router's own LAN: that would let the peer inject packets carrying a local source address.

(2) Another mistake is keeping the default 192.168.88.x DHCP pool although the bridge is now on 192.168.0.0/24:
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254

(3) As stated above, change the peer to (local subnet removed from allowed-address, keepalive relaxed):
/interface wireguard peers
add allowed-address=10.71.40.0/24 endpoint-address=
x.xxx.xxx.xxx endpoint-port=1500 interface=wg0 name=peer1
persistent-keepalive=35s public-key=
“xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”

(4) If you added netmask=24 by hand, remove it; it is not required:
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.5 gateway=
192.168.0.5 netmask=24

(5) From
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.5 comment=defconf name=router.lan

TO:
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9

(6) Mostly a matter of rule order:

/ip firewall filter
{ default rules to keep }
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid

{ Admin rules — these go AFTER the default rules above }
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward src-address=192.168.0.0/24 out-interface=wg0 { if required }
add action=accept chain=forward in-interface=wg0 dst-address=192.168.0.0/24
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
Note: the last rule must be action=drop, not accept — with accept it would pass every forwarded packet. Also, because wg0 is a member of the LAN interface list, the first rule lets tunnel peers reach the Internet through this router's WAN; remove wg0 from LAN or match in-interface=bridge if that is not wanted.

Client2
Allowed IPs seem fine, assuming 192.168.10.0/24 subnet is on the debian side somewhere.

Now, the Debian host must actually forward packets between the two peers: IPv4 forwarding enabled and a FORWARD policy that allows traffic entering on the WireGuard interface from the computer and leaving on it toward the MT.
Its routing table must also send 192.168.0.0/24 to the WireGuard interface. That part is up to you on the Debian side.

The 192.168.10.0/24 subnet is correct; it is a test subnet behind another MikroTik.

Yes, on Debian I have created the routes that point those subnets at the WireGuard interface.
When I traceroute from the Debian WireGuard server to a host on the 192.168.0.0/24 subnet (the command below says 192.168.0.11 but the pasted output shows 192.168.0.1), this is the result:
traceroute to 192.168.0.1 (192.168.0.1), 30 hops max, 60 byte packets
1 10.71.40.6 (10.71.40.6) 10,730 ms 11,487 ms 11,480 ms
2 * * *
3 * * *
4 * * *
It reaches the MT's wg0 address (10.71.40.6) on the far side of the tunnel, but nothing answers beyond it: no reply comes back from the bridge where 192.168.0.1 sits. (An asterisk hop only means no reply was received — the probe may well have been forwarded onto the bridge and the reply lost on the way back, for instance if that host's default gateway is not the MikroTik or its own firewall ignores probes from a foreign subnet.)


MT router

(1) > One mistake is identifying local subnet on Allowed IPs. This is ONLY FOR:
> a. identifying external subnets coming into the router
> b. identifying external subnets local users are visiting.

Solved. Thanks!


(2) > Another mistake is not modifying the default pool of .88 for the new pool of .0
> /ip pool
> add name=default-dhcp ranges=192.168.88.10-192.168.88.254

Solved. Thanks!


(3) As stated above modify to:
/interface wireguard peers
add allowed-address=10.71.40.0/24 endpoint-address=
x.xxx.xxx.xxx endpoint-port=1500 interface=wg0 name=peer1
persistent-keepalive=35s public-key=
“xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”



(4) If you added netmask manually remove it, not required…
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.5 gateway=
192.168.0.5 netmask=24

Solved, Thanks!



(5) From
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.5 comment=defconf name=router.lan

TO:
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9

Solved. Thanks!


(6) MODIFY mostly order:

/ip firewall filter
{ default rules to keep }
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid

{ Admin Rules }
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward src-address=192.168.0.0/24 out-interface=wg0 { if required }
add action=accept chain=forward in-interface=wg0 dst-address=192.168.0.0/24
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat
add action=drop chain=forward comment=“drop all else”

I have replicated step by step what was suggested, but unfortunately I am still unable to reach the equipment behind the MT in the 192.168.0.0/24 subnet.

These devices are in the ether2 of the MT that belongs to a bridge.

However, pings to 192.168.0.5 do get through; that is the MikroTik's own bridge address, so the router answers those itself (input chain) without forwarding anything onto the bridge.

Could it be a problem that the router's address and the hosts are in the same range?

Thanks in advance.

Post your latest config for review.

# Second RouterOS export, posted after applying the advice above. Lines
# starting with "#" are reviewer notes, not part of the export.
/interface bridge
# admin-mac, the peer's endpoint-address and public-key are blank in this
# paste; as shown the export would not import (auto-mac=no needs a MAC), so
# presumably they were redacted by hand.
add admin-mac= auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
# UDP 1500 is still not opened in the input chain; inbound WireGuard relies on
# this router initiating (endpoint + 35s keepalive on the peer below).
/interface wireguard
add listen-port=1500 mtu=1420 name=wg0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Pool now matches the bridge subnet; the DHCP server below is still disabled.
/ip pool
add name=default-dhcp ranges=192.168.0.100-192.168.0.110
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# wg0 is still a LAN member: every tunnel peer passes the "drop all not coming
# from LAN" input rule and reaches the router's own services, and the
# LAN->WAN forward accept below applies to it as well.
add interface=wg0 list=LAN
# allowed-address now holds only the tunnel subnet -- correct; the router's
# own 192.168.0.0/24 does not belong there.
/interface wireguard peers
add allowed-address=10.71.40.0/24 endpoint-address= \
    endpoint-port=1500 interface=wg0 name=peer1 persistent-keepalive=35s \
    public-key=""
/ip address
add address=192.168.0.5/24 comment=defconf interface=bridge network=\
    192.168.0.0
add address=10.71.40.6/24 interface=wg0 network=10.71.40.0
/ip dhcp-client
add comment=defconf interface=ether1
# Still disabled: the 192.168.0.x hosts get their addresses, and presumably
# their default gateway, from another device on the bridge. If that gateway
# is not 192.168.0.5, the hosts cannot route replies back to 10.71.40.0/24 --
# the router itself answers pings (input chain) but the hosts behind it do
# not, exactly as reported. Add a route for 10.71.40.0/24 via 192.168.0.5 on
# that gateway, or src-nat tunnel traffic leaving the bridge. Also check the
# hosts' own firewalls, which may ignore pings from a non-local subnet.
# TODO confirm.
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge lease-time=10m \
    name=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.5 gateway=\
    192.168.0.5 netmask=24
# No servers= here although the suggestion of 1.1.1.1,9.9.9.9 was marked as
# applied; unrelated to the ping problem either way.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.5 comment=defconf name=router.lan
/ip firewall filter
# These four rules were added at the TOP of the chain. The fourth is the real
# problem: action=accept under the comment "drop all else" matches every
# forwarded packet, so every later forward-chain rule ("drop invalid", "drop
# all from WAN not DSTNATed") is unreachable and the router forwards
# anything, including new connections from WAN. It must be action=drop and be
# the last forward rule; the three accepts belong directly above it, after
# the default established/fasttrack rules.
add action=accept chain=forward dst-address=192.168.0.0/24 in-interface=wg0
add action=accept chain=forward out-interface=wg0 src-address=192.168.0.0/24
# With wg0 in the LAN list this also lets tunnel peers out through WAN.
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="drop all else"
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# This is why 192.168.0.5 answers from the tunnel: pings to the router's own
# address are handled by the input chain, not forwarded onto the bridge.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Never reached while the accept-all rule above exists.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
# The IPv6 address list and filter below are the untouched RouterOS defaults;
# wg0 has no IPv6 address in this export.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Madrid
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

thanks!

(1) If you entered netmask=24 by hand, remove it; it should not appear in the export:
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.5 gateway=
192.168.0.5 netmask=24

(2) For now, change this (it does not affect the ping problem, but it gives the router upstream resolvers and disables the static router.lan entry):
FROM:
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.5 comment=defconf name=router.lan

TO:
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip dns static
add address=192.168.0.5 comment=defconf name=router.lan disabled=yes

(3) Fix the order of the firewall rules. Stop putting the WireGuard forward-chain rules at the top; they do not belong there:

add action=accept chain=forward dst-address=192.168.0.0/24 in-interface=wg0
add action=accept chain=forward out-interface=wg0 src-address=192.168.0.0/24
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“drop all else”

They belong at the very bottom, just above the LAST rule of the forward chain, which must be an explicit drop:
add chain=forward action=drop comment=“drop all else”
Note that your current last rule has action=accept under the comment “drop all else”: as written it accepts every forwarded packet and makes every later forward rule dead, so the forward chain is wide open rather than closed.

(4) Which brings me to removing this rule, as I said before. The final drop rule above replaces it — but only remove it once that final rule really is action=drop, otherwise nothing stops new connections from WAN:
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN

++++++++++++++++++++++++++++++++++++

See if you have more luck now.