RouterOS -> PfSense Wireguard: No Handshake

RouterOS General
1

I’m trying to connect a Mikrotik LtAP Mini to a PfSense Box. The PfSense box is at my office and the LtAP Mini will be in the vehicle using LTE as the WAN.

The public keys on both end are correct. The PfSense box is reachable via the internet, and I have a Wireguard client on my phone that can connect to it without issue.

The PfSense Wireguard interface has an IP address of 10.200.0.1/24

On the LtAP, I assigned 10.200.0.20/24 to the Wireguard1 Interface. I disabled all fitler on the Mikrotik rules for troubleshooting. On the LtAP Peer config, I’m using a dynamic DNS domain name for the endpoint.

I have 00:00 for the last handshake time, and there’s no traffic going across the interface.

2

config

3

+1 config…

The peer settings for the phone and the LTE should be damn similar.
Dont forget the persistent-keep-alive setting etc…

4 
# may/05/2023 21:12:38 by RouterOS 7.8
# software id = SLA5-YIRL
#
# model = RB912R-2nD-LTm
# serial number = BB8D0A7BDF3E
/interface bridge
add admin-mac=34:4D:18:F8:2F:A1 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no frequency=auto installation=outdoor mode=ap-bridge ssid=\
    MikroTik-A89FA7 wireless-protocol=802.11
/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=WAN
add name=LAN
/interface lte apn
add apn=Broadband default-route-distance=1 name="ATT Broadband"
add apn=altanwifi
/interface lte
set [ find default-name=lte1 ] apn-profiles=altanwifi
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=lte1 list=WAN
add interface=bridge list=LAN
/interface lte settings
set sim-slot=up
/interface wireguard peers
add allowed-address=10.200.0.1/24,192.168.0.0/16 endpoint-address=\
    rangelnet.ddns.net endpoint-port=51820 interface=wireguard1 public-key=\
    "3v...c="
/ip address
add address=192.168.88.1/16 interface=bridge network=192.168.0.0
add address=10.200.0.20/24 interface=wireguard1 network=10.200.0.0
/ip dhcp-client
add comment=defconf disabled=yes interface=bridge
/ip dhcp-server network
add address=192.168.0.0/16 dns-server=8.8.8.8 gateway=192.168.88.1 netmask=16
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=input disabled=yes dst-port=13231 protocol=udp
add action=accept chain=input disabled=yes protocol=icmp
add action=accept chain=input connection-state=established disabled=yes
add action=accept chain=input connection-state=related disabled=yes
add action=drop chain=input disabled=yes in-interface-list=!LAN
add action=accept chain=input disabled=yes dst-port=13231 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=192.168.0.0/16 gateway=wireguard1 \
    pref-src="" routing-table=main suppress-hw-offload=no
/system clock
set time-zone-name=America/New_York
/system gps
set port=serial0
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
5

Besides the useless firewall rules, assuming your behind another router and thus dont need any, what is really buggering up this config is your use of subnets.
If your intent is to reach a bunch of subnets on pfsense from 192.168.0.0 - 192.168.255.255 fine. I really doubt that is the case but anyway.

Your local LTE is included in that 192.168.88.0, so recommend on the LTE LAN you simply use 10.10.10.1/24 for an address.
If that was the case. then this should work.

model = RB912R-2nD-LTm

/ip pool
add name=dhcp ranges**=10.10.10.10-10.10.10.254**

_/interface wireguard peers
add allowed-address=10.200.0.1/32,192.168.0.0/16 _ { or 10.200.0.0/24 if to reach other wg clients connected to pfsense }
endpoint-address=rangelnet.ddns.net endpoint-port=51820 interface=wireguard1 public-key="3v...c="

/ip address10.10.10.1/24 interface=bridge network=10.10.10.0
add address=10.200.0.20/24 interface=wireguard1 network=10.200.0.0

/ip dhcp-server network
add address=10.10.10.0/24 dns-server=8.8.8.8 gateway=10.10.10.1

/ip route
add disabled=no distance=1 dst-address=192.168.0.0/16 gateway=wireguard1
pref-src="" routing-table=main suppress-hw-offload=no

6

That worked, however the clients connected to the LtAP can’t reach the Office LAN, while the LtAP itself can.

7

Oh I have no intention of helping with that until you fix your firewall rules which are probably part of the problem if the issue is the LTE.
Maybe your issue is on the pfsense config??

If the iphone is capable of reaching the Pfsense subnets then what is different on peer settings between the two on the pfsense for example…
You could be allowing the wiregard address x/32 from phone
You could be allowing the wireguard address y/32 from LTE but forgetting to add 192.168.88.0/24 for example…

GLuck!