Roadwarrior Rx/Tx ok but no LAN access

Hello!
May I ask for support for making this road warrior setup work?
There’s a Mikrotik router behind my ISP’s modem. Then some devices in the local subnet 192.168.0.0/24. If I am on the road, I would like to access some services which are running on devices in the local subnet.
I followed the official tutorial https://www.youtube.com/watch?v=vn9ky7p5ESM but some things are missing to make it work.
Same here: https://help.mikrotik.com/docs/spaces/ROS/pages/69664792/WireGuard#WireGuard-WireGuardinterfaceconfiguration
The only difference is, my wg subnet is at 172.33.0.0/24 instead of 192.168.100.0/24.
Gateway at 192.168.0.1.

I have two issues:
Issue 1) DNS provider in home subnet not working
Background: Client (Android) Peer is using split tunnel (e.g. allowed IPs is set to my local Home subnet 191.168.0.0/24)
Firewall rule was also made as in tutorial.
→ Goal: Browsing to google.com does not use my tunnel. Navigating to 192.168.0.xxx will use the tunnel.
The issue is: google.com only loads if I use DNS 1.1.1.1, but not 192.168.0.1 as in the tutorial. I thought the firewall rule

3    ;;; Allow wireguard
      chain=input action=accept protocol=udp dst-port=13231 log=no log-prefix=""

is supposed to make this work?

Issue 2) Main issue - No internet
Background:

  • Client (Android) Peer is using split tunnel (e.g. allowed IPs is set to my local Home subnet 191.168.0.0/24)
  • Client wireguard Interface DNS 1.1.1.1
  • Rx/Tx in interface list shows some packets

The issue is, pages don’t load.
All my config with filter rules, LAN list etc. should handle this… but something seems missing.

Firewall should allow DNS lookup, but I guess here is the issue.
Maybe rule #3 and #4 are not needed because I also added the wg1 interface to LAN.

Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 3    ;;; Allow wireguard
      chain=input action=accept protocol=udp dst-port=13231 log=no log-prefix="" 

 4 X  ;;; Allow wireguard traffic
      chain=input action=accept src-address=172.33.0.0/24 log=no log-prefix="" 

 5    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

 6    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 7    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 8    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

 9    ;;; internet traffic
      chain=forward action=accept in-interface-list=LAN out-interface-list=WAN log=no log-prefix="" 

10    ;;; allow port forwarding
      chain=forward action=accept connection-nat-state=dstnat log=no log-prefix="" 

11    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

12    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 

13    ;;; Disable internet access for the IKEA TRADFRI
      chain=forward action=drop out-interface-list=!LAN src-mac-address=B8:D7:AF:2A:AE:65 log=no log-prefix="" 

14    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related 

15    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

16 X  ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no 
      log-prefix="" 

17    ;;; drop all else
      chain=forward action=drop log=no log-prefix=""

Ignore #3. wireguard_internet is a different wg connection that goes to a VPN server somewhere.

# LIST  INTERFACE         
0 LAN   bridge            
1 WAN   ether1            
2 WAN   wireguard_internet
3 LAN   wg1



/interface wireguard print               
Flags: X - disabled; R - running 
 0  R name="wg1" mtu=1420 listen-port=13231 private-key="xcvbbbcxcbvcxbxcbvxb" 
      public-key="CLPwjoImpOaxXr341gEpErlQ0Tt8eCCGXoN54EUQVTQ="



/interface/wireguard/peers> print
Columns: INTERFACE, PUBLIC-KEY, ENDPOINT-ADDRESS, ENDPOINT-PORT, ALLOWED-ADDRESS
# INTERFACE           PUBLIC-KEY                                    ENDPOINT-ADDRESS          ENDPOINT-PORT  ALLOWED-ADDRESS 
0 wg1                 vPGI9sommeGdNHp/cHI2gOpMInWDOJnGsm6XvLvN8m4=                                        0  172.33.0.2/32



/ip/address> print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS            NETWORK       INTERFACE         
0   192.168.0.1/24     192.168.0.0   bridge            
2 D xxx.xxx.xxx.xxx/24 xxx.xxx.xxx.xxx  ether1            
;;; Access to home network
3   172.33.0.1/24      172.33.0.0    wg1

Any setting tips that I could try are much appreciated!

Greetings
Thoru

Hello. I’m not an expert but I had similar problems to the ones you describe. Did you select the allowed apps in the phone? I had the same problems until I did it. I also had problems with the wireguard Windows client because the Windows firewall was blocking port access.
I hope this can help.

Hello, thanks for the answer. I think this is unrelated to Windows because the services I want to access are not even running on it. Allowed apps, I don’t know about that. I googled it but I don’t find specific info.

I might have completely misunderstood your problems and configuration, but:

  1. Rule #3 looks OK, but change #4 from input to forward chain (and after that move it down a few notches to under #8).

  2. Having the WG interface bridged with the LAN interface just feels wrong.

  3. If you’re using some VPN connection for your outgoing internet traffic (the wireguard_internet), this could probably cause some issues with incoming WG connections.

Thanks for the answer!
To your points one by one
3) The 2nd wireguard config for outgoing internet from my home lab is currently deactivated via a rule (src address: “192.168.0.0/24”, action: “lookup only in table”, table “via-wg”), so I think this does not influence the setup.

  1. I changed from “input” to “forward” and it works! I think I tried some combinations of those without knowing what they do. But something else was not correct at the time, so I missed the correct setting.
    It works at position #4, but I will move it to #8 of the original post, so first come all “input” chain rules (except the “forward” passthrough, which I keep at #1), and then the “forward” chain rules, which looks more logical.
  2. I don’t know. This is following the Mikrotik tutorial on Youtube. Which better alternative can you imagine? (Actually - see below - I don’t even need that rule. To be precise, there might be effects I don’t see, but it seems not to be required.)

As a take away, would you agree one should remember this: (taken from http://forum.mikrotik.com/t/firewall-filter-chain-forward-vs-chain-input/58657/1)
Input chain, filter traffic going to the router. (DST address of the router)
Forward chain, filter traffic going through the router. (SRC and DST is not on the router)



Interesting other findings:
A) It also works with the changes according to point 1) when I remove the wg1 interface from the LAN list. This setting seems not to be required.
Additionally, removing rule #4 and adding wg1 to the LAN list also does not make it work.
B) The MikroTik tutorial seems to be wrong: According to that, I shall not have the former rule #4 (rule #9 in the current config below). Instead, I should add

/ip firewall filter
add action=accept chain=input comment="allow WireGuard traffic" src-address=172.33.0.0/24 place-before=1

and put wg1 to LAN list

/interface list member
add interface=wireguard1 list=LAN

I tried that and it did not work.

Here is my relevant config that worked:

/ip/firewall/filter> print
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 3    ;;; Allow wireguard
      chain=input action=accept protocol=udp dst-port=13231 log=no log-prefix="" 

 4 X  ;;; allow WireGuard traffic - update: don't use, does not work, even if wg1 is in LAN list
      chain=input action=accept src-address=172.33.0.0/24 log=no log-prefix="" 

 5    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

 6    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 7    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 8    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

 9    ;;; Allow wireguard traffic - this is OK. No need to add wg1 to LAN list
      chain=forward action=accept src-address=172.33.0.0/24 dst-address=192.168.0.0/24 log=no log-prefix="" 

10    ;;; internet traffic
      chain=forward action=accept in-interface-list=LAN out-interface-list=WAN log=no log-prefix="" 

11    ;;; allow port forwarding
      chain=forward action=accept connection-nat-state=dstnat log=no log-prefix="" 

12    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix=""



/ip/address> print      
      Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS            NETWORK       INTERFACE         
;;; defconf
0   192.168.0.1/24     192.168.0.0   bridge            
1   172.30.0.4/24      172.30.0.0    wireguard_internet
2 D xxx.xxx.xxx.xxx/24  xxx.xxx.xxx.xxx  ether1            
;;; Access to home network
3   172.33.0.1/24      172.33.0.0    wg1



/interface/list> print
Flags: * - BUILTIN
Columns: NAME
#   NAME   
;;; contains all interfaces
0 * all    
;;; contains no interfaces
1 * none   
;;; contains dynamic interfaces
2 * dynamic
;;; contains static interfaces
3 * static 
;;; defconf
4   WAN    
;;; defconf
5   LAN
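To make the input-vs-forward point concrete, here is an added example (not from this thread or from MikroTik): a small first-match model in Python of the rule set posted in the first message, reduced to the rules that decide new connections. It picks the chain by asking whether the router itself is the destination, then walks the rules in order, so you can see which rule decides a WireGuard handshake, a connection from the road-warrior peer to a LAN host, and a DNS query from the peer to the router. Assumptions are marked in comments: the ether1 address 203.0.113.10 and all sample packets are constructed, wg1 is not in the LAN list (finding A), and rules that cannot match a new connection were left out.

```python
# Added example, not the thread's own configuration: a first-match model of
# the posted RouterOS filter rules. Assumptions are marked below.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Addresses owned by the router (from the /ip/address print in the thread).
# 203.0.113.10 is a constructed stand-in for the masked ether1 address.
ROUTER_ADDRESSES = {"192.168.0.1", "172.33.0.1", "127.0.0.1", "203.0.113.10"}
# Interface lists as in the "worked" config: wg1 is deliberately not in LAN.
INTERFACE_LISTS = {"LAN": {"bridge"}, "WAN": {"ether1", "wireguard_internet"}}


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str
    proto: str = "udp"
    dst_port: Optional[int] = None
    state: str = "new"  # connection-tracking state


@dataclass
class Rule:
    chain: str
    action: str
    comment: str
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    in_list: Optional[str] = None   # "LAN", "!LAN" or "WAN"
    out_list: Optional[str] = None  # only meaningful for forwarded traffic
    states: tuple = ()
    disabled: bool = False


def chain_for(pkt: Packet) -> str:
    """Input chain if the router is the destination, forward chain otherwise."""
    return "input" if pkt.dst in ROUTER_ADDRESSES else "forward"


def out_interface(pkt: Packet) -> str:
    """Routing decision derived from the /ip/address table in the thread."""
    dst = ip_address(pkt.dst)
    if dst in ip_network("192.168.0.0/24"):
        return "bridge"
    if dst in ip_network("172.33.0.0/24"):
        return "wg1"
    return "ether1"  # everything else leaves via the ISP uplink


def in_list(iface: str, spec: Optional[str]) -> bool:
    """Interface-list match, with RouterOS-style '!' negation."""
    if spec is None:
        return True
    hit = iface in INTERFACE_LISTS[spec.lstrip("!")]
    return not hit if spec.startswith("!") else hit


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        (rule.src_net is None or ip_address(pkt.src) in ip_network(rule.src_net))
        and (rule.dst_net is None or ip_address(pkt.dst) in ip_network(rule.dst_net))
        and (rule.proto is None or rule.proto == pkt.proto)
        and (rule.dst_port is None or rule.dst_port == pkt.dst_port)
        and (not rule.states or pkt.state in rule.states)
        and in_list(pkt.in_iface, rule.in_list)
        and in_list(out_interface(pkt), rule.out_list)
    )


def evaluate(rules, pkt: Packet):
    """First matching rule in the packet's chain wins; no match means accept."""
    chain = chain_for(pkt)
    for rule in rules:
        if rule.disabled or rule.chain != chain or rule.action == "passthrough":
            continue
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "accept", "no rule matched (RouterOS default)"


ESTABLISHED = ("established", "related", "untracked")

# Rules from the first post that can decide a new connection, in their order.
ORIGINAL = [
    Rule("input", "accept", "#1 established,related,untracked", states=ESTABLISHED),
    Rule("input", "accept", "#2 ICMP", proto="icmp"),
    Rule("input", "accept", "#3 Allow wireguard", proto="udp", dst_port=13231),
    Rule("input", "accept", "#4 Allow wireguard traffic", src_net="172.33.0.0/24", disabled=True),
    Rule("forward", "accept", "#8 established,related,untracked", states=ESTABLISHED),
    Rule("forward", "accept", "#9 internet traffic", in_list="LAN", out_list="WAN"),
    Rule("input", "drop", "#12 drop all not coming from LAN", in_list="!LAN"),
    Rule("forward", "drop", "#17 drop all else"),
]

# The fix from the thread: the WG rule in the forward chain, after #8,
# limited to traffic towards the home subnet.
FIXED = [r for r in ORIGINAL if not r.disabled]
FIXED.insert(4, Rule("forward", "accept", "#9 Allow wireguard traffic",
                     src_net="172.33.0.0/24", dst_net="192.168.0.0/24"))

# Constructed sample packets (addresses are documentation ranges).
HANDSHAKE = Packet("198.51.100.7", "203.0.113.10", "ether1", dst_port=13231)
LAN_SERVICE = Packet("172.33.0.2", "192.168.0.110", "wg1", proto="tcp", dst_port=443)
DNS_TO_ROUTER = Packet("172.33.0.2", "192.168.0.1", "wg1", dst_port=53)

if __name__ == "__main__":
    for name, pkt in [("handshake", HANDSHAKE), ("lan service", LAN_SERVICE), ("dns", DNS_TO_ROUTER)]:
        print(f"{name}: chain={chain_for(pkt)} original={evaluate(ORIGINAL, pkt)} fixed={evaluate(FIXED, pkt)}")
```

Running it shows the three cases side by side: the handshake is router-bound, so it is decided in the input chain by #3; the connection to the LAN host is routed through the router, so the input-chain rule #4 never sees it and the original set drops it at #17, while the forward-chain rule accepts it; the DNS query to 192.168.0.1 is again input-chain traffic and, with wg1 outside the LAN list, falls through to #12, which is the kind of interaction the Issue 1 question was circling around.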

Hello @thoru.
I’ve tried similar filters like yours in the past, changing “input” to “forward”. Everything seemed to work OK, except for static DNS entries. Can you access your devices using FQDN (Fully Qualified Domain Name)? I’m facing similar problems to yours but they happen randomly, or at least I haven’t found the root cause yet.
Thanks!

Yes, FQDN works. But only as long as I don’t use my pihole as a DNS.

Here is a nice writeup (German, sorry) but just ignore the pihole stuff and all the scripts, set static addresses manually.
https://indibit.de/mikrotik-dns-namensaufloesung-fqdn/

/ip/dns> print
servers: 192.168.0.1
9.9.9.9



 /ip/dns/static> print
Flags: X - DISABLED
Columns: NAME, TYPE, ADDRESS, TTL
#   NAME          TYPE  ADDRESS        TTL
;;; defconf
0   router.lan    A     192.168.0.1    1d 
1   pihole.lan    A     192.168.0.110  1d 
4   wifi.lan      A     192.168.0.2    1d



/ip/dhcp-server/network> print
Columns: ADDRESS, GATEWAY, DNS-SERVER, DOMAIN
# ADDRESS         GATEWAY      DNS-SERVER   DOMAIN
;;; defconf
0 192.168.0.0/24  192.168.0.1  192.168.0.1  home.lan

Thanks for the suggestion! I’ll check the DNS forwarding settings.