Routing between two Wireguard interfaces

First, a diagram

Two Mikrotiks (one hap AC2, one hap AX2), both sides have a public IP address (I plan to retire one of them, currently the tunnel is from left to right)
I have a wireguard tunnel between them. That works fine. If I’m on either the 10.0.1.0 or 10.0.2.0 LAN, I can reach devices on both sides just fine.
The problem is when I connect via a second Wireguard interface to my 10.0.2.0 (MT2) router directly, I can’t access 10.0.1.0/24

Now, I’m not sure if it is a routing issue, a NAT issue or a firewall issue.

I can reach 172.16.0.2 from my phone over WG (the left part of the MT to MT tunnel), this is as far as I get

Config of MT2 (left router), slightly redacted, the router I’m connecting via Wireguard to from my phone

# 2023-11-16 21:45:22 by RouterOS 7.10.1
# software id = 2RP5-P7Z1
#
# model = C52iG-5HaxD2HaxD
# serial number = [redacted]
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether5 ] comment=WAN
/interface wireguard
add listen-port=13232 mtu=1420 name=external
add listen-port=13231 mtu=1420 name=point_to_point
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=pool2 ranges=10.0.2.50-10.0.2.150
/ip dhcp-server
add address-pool=pool2 interface=bridge1 lease-time=10m name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wifi2
add bridge=bridge1 interface=wifi1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ether5 list=WAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=wifi1 list=LAN
add interface=wifi2 list=LAN
/interface wireguard peers
add allowed-address=172.16.0.0/30,10.0.1.0/24 comment="Mikrotik to Mikrotik Tunnel" endpoint-address=[redacted] endpoint-port=13231 interface=point_to_point persistent-keepalive=1m public-key=\
    "[redacted]"
add allowed-address=10.0.9.2/32,10.0.1.0/24,10.0.2.0/24 comment="external Peer 1" interface=external persistent-keepalive=5m public-key="[redacted]"
/ip address
add address=10.0.2.1/24 interface=bridge1 network=10.0.2.0
add address=172.16.0.2/28 interface=point_to_point network=172.16.0.0
add address=10.0.9.1/24 interface=external network=10.0.9.0
/ip dhcp-client
add interface=ether5
/ip dhcp-server config
set store-leases-disk=10m
/ip dhcp-server lease
[irrelevant]
/ip dhcp-server network
add address=10.0.2.0/24 dns-server=10.0.2.1,10.0.1.1,1.1.1.1,8.8.8.8 gateway=10.0.2.1
/ip dns
set allow-remote-requests=yes servers=10.0.2.1,10.0.1.1,1.1.1.1,8.8.8.8
/ip dns static
[irrelevant]
/ip firewall filter
add action=accept chain=input comment=XBOX-OpenNAT dst-port=52702 in-interface=ether5 protocol=udp
add action=accept chain=forward dst-port=52702 in-interface=ether5 protocol=udp
add action=accept chain=input comment="Wireguard listen" dst-port=13231 protocol=udp
add action=accept chain=input comment="Wireguard listen" dst-port=13232 protocol=udp
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="accept ICMP" in-interface-list=WAN protocol=icmp
add action=accept chain=input comment="accept ICMP" in-interface-list=LAN protocol=icmp
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Xbox Live" dst-port=3074 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="Xbox live" dst-port=88,500,3074,3544,4500,5730-5731,5739 in-interface-list=WAN protocol=udp
add action=accept chain=forward comment="Xbox Live" dst-port=3074 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="DNS Resolver TCP - WAN" dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="DNS Resolver UDP - WAN" dst-port=53 in-interface=ether5 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=NAT ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="HTTPS to x230" dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=10.0.2.20 to-ports=443
add action=dst-nat chain=dstnat comment="HTTP to x230" dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=10.0.2.20 to-ports=80
add action=dst-nat chain=dstnat comment="X230 - wgeasy" dst-port=51822 in-interface-list=WAN log=yes protocol=udp src-port="" to-addresses=10.0.2.20 to-ports=51822
add action=dst-nat chain=dstnat comment=xboxlive disabled=yes dst-port=52702 in-interface=ether5 protocol=udp to-addresses=10.0.2.44
/ip route
add disabled=no distance=1 dst-address=10.0.1.0/24 gateway=point_to_point pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api address=10.0.2.40/32 disabled=yes
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote
/ip upnp
set enabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Prague
/system console
set [ find ] disabled=yes
/system identity
set name=MT2
/system logging
set 1 action=echo
set 2 action=echo
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Config of MT1 (right router), slightly redacted, the one I’m trying to reach

# 2023-11-16 21:53:04 by RouterOS 7.11.2
# software id = 29KN-YBQP
#
# model = RBD52G-5HacD2HnD
# serial number = [redacted]
/interface bridge
add arp=proxy-arp name=FullBridge
/interface wireguard
add comment="Point to Point" listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=10.0.1.50-10.0.1.100
/ip dhcp-server
add address-pool=dhcp interface=FullBridge lease-time=5m name=dhcp1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=FullBridge ingress-filtering=no interface=ether2
add bridge=FullBridge ingress-filtering=no interface=ether3
add bridge=FullBridge ingress-filtering=no interface=ether4
add bridge=FullBridge ingress-filtering=no interface=wlan1
add bridge=FullBridge ingress-filtering=no interface=wlan2
add bridge=FullBridge ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=ether1 list=WAN
add interface=FullBridge list=LAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=172.16.0.0/30,10.0.2.0/24 comment=Point to Point interface=wireguard1 public-key="[redacted]"
/ip address
add address=100.70.76.176/24 interface=ether1 network=100.70.76.0
add address=10.0.1.1/24 interface=FullBridge network=10.0.1.0
add address=172.16.0.1/28 interface=wireguard1 network=172.16.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=yes interface=wlan2
/ip dhcp-server lease
[irrelevant]
/ip dhcp-server network
add address=10.0.1.0/24 dns-server=10.0.1.1,1.1.1.1 gateway=10.0.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=10.0.2.1,10.0.1.1,1.1.1.1,8.8.8.8
/ip dns static
[irrelevant]
/ip firewall filter
add action=accept chain=input comment="Wireguard listen" dst-port=13231 protocol=udp
add action=accept chain=input comment="Wireguard listen" dst-port=13232 protocol=udp
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="accept ICMP" in-interface-list=WAN protocol=icmp
add action=accept chain=input comment="accept ICMP" in-interface-list=LAN protocol=icmp
add action=accept chain=input comment="accept ICMP" in-interface=wireguard1 protocol=icmp
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Accept HTTPS" dst-port=443 protocol=tcp
add action=drop chain=input comment="DNS Resolver TCP" dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="DNS Resolver UDP" dst-port=53 in-interface=ether1 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="wgeasy Wireguard" dst-port=51840 in-interface=ether1 log-prefix=_CarterWireguard_ protocol=udp to-addresses=10.0.1.204 to-ports=51840
add action=dst-nat chain=dstnat comment="443 to NAS " dst-port=443 in-interface=ether1 log-prefix=_wallace_80_ protocol=tcp to-addresses=10.0.1.204 to-ports=443
add action=dst-nat chain=dstnat comment="wgeasy WebUI" disabled=yes dst-port=51841 in-interface=ether1 log-prefix=_CarterWireguard_ protocol=tcp to-addresses=10.0.1.204 to-ports=51841
add action=dst-nat chain=dstnat comment="80 to NAS" dst-port=80 in-interface=ether1 log-prefix=_wallace_80_ protocol=tcp to-addresses=10.0.1.204 to-ports=80
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=[isp_gateway]
add disabled=no distance=1 dst-address=10.0.2.0/24 gateway=wireguard1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=MT1

I hope my question is clear.

Router2

  1. ALLOWED IPs.
    a. The first peer config line is from the client MT2, to the server MT1 - All looks good to me, just not sure why you used 172.16.0.0/30 vice the standard 172.16.0.0/24??
    b. The second peer is from the server MT2 to the client (laptop?). Why is there a persistent keep alive? Remove it! The client allowed IPs identifying the client is WG IP is good, 10.0.9.2/32 as that is the expected incoming source address. What makes no sense to me is the other two peers. There is no traffic coming from this laptop peer on those subnets (source address) and no one is going be going to your laptop from either subnet so just remove them.

/interface wireguard peers
add allowed-address=172.16.0.0/30,10.0.1.0/24 comment="Mikrotik to Mikrotik Tunnel" endpoint-address=[redacted] endpoint-port=13231 interface=point_to_point persistent-keepalive=1m public-key=
add allowed-address=10.0.9.2/32,10.0.1.0/24,10.0.2.0/24 comment="external Peer 1" interface=external persistent-keepalive=5m public-key="[redacted]"

  2. I would also keep the IP address consistent, for some reason you have this one set at /28 so you have a mismatch from the above, keep it simple stup…
    change to
    add address=172.16.0.2/24 interface=point_to_point network=172.16.0.0

(3) Can you tell me why you have an input chain rule for both wireguard interfaces???
You should only have one for external!! Don't understand your logic?

(4) WTF serious security risk have you got going here… You want the whole world to use your DNS…
I really want to know what crappy youtube videos you used to make this config???
add action=drop chain=input comment="DNS Resolver TCP - WAN" dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="DNS Resolver UDP - WAN" dst-port=53 in-interface=ether5 in-interface-list=WAN protocol=udp

Furthermore the input chain is for the router, it has nothing to do with XBOX servers you might have on your LAN???

add action=accept chain=input comment="Xbox Live" dst-port=3074 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="Xbox live" dst-port=88,500,3074,3544,4500,5730-5731,5739 in-interface-list=WAN protocol=udp

In summary…I can go no further… config is a shit show…

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

As far as IP routes, your route to Router1 is fine…

Router1

(5) Allowed IPs
Wrong, the address should be 172.16.0.2/32 ( to the peer MT client router ) the other LAN entry is good.
The address you could change from /28 to /24 or change all the settings on R2 to /28 … just be consistent and less cute.

(6) Staying with allowed IPs, if you want your laptop/phone to travel from R2 to R1, then you have to let R1 know its valid source address arriving so add the allowed IP for the phone/laptop to this peer setting!! so 10.0.2.0/24,10.0.9.2/32

(7) IP routes, you need to tell R1 where to send the return traffic for the remote wg user
add dst-address=10.0.9.0/24 gateway=wireguard1 routing-table=main
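
As an added illustration of points 6 and 7 (this is not code from the thread, nor RouterOS code), here is a small Python model of WireGuard's allowed-address check and MT1's routing table, fed with constructed inputs that mirror MT1's config; the peer label "MT2" and the function names are assumptions. It shows why LAN-to-LAN traffic worked while the phone's 10.0.9.2 was dropped, and why both the allowed-address and the return route are needed.

```python
from ipaddress import ip_address, ip_network

# Added example: a toy model of WireGuard cryptokey routing on MT1.
# allowed-address does double duty: it is the inbound source filter for
# packets decrypted from a peer AND the outbound peer-selection table.
# The peer label "MT2" and all inputs below are constructed, not real.

def longest_match(table, addr):
    """Return the 'via' of the entry whose network contains addr with the
    longest prefix (None if nothing matches), i.e. normal LPM routing."""
    addr = ip_address(addr)
    best = None
    for net, via in table:
        net = ip_network(net)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None

def mt1_round_trip(peer_allowed, routes, src):
    """src is the inner source IP of a packet that MT1 decrypted from peer
    MT2 on wireguard1. Returns the first failure on the path, or 'ok'."""
    allowed = [(a, "MT2") for a in peer_allowed]
    # (a) inbound cryptokey check: WireGuard drops the packet unless src
    #     falls inside the decrypting peer's allowed-address (point 6).
    if longest_match(allowed, src) != "MT2":
        return "dropped by wireguard1: %s not in allowed-address" % src
    # (b) the reply is routed by MT1's routing table; without a route for
    #     the remote WG user it follows the default route to the ISP (point 7).
    via = longest_match(routes, src)
    if via != "wireguard1":
        return "reply leaves via %s, never reaches the tunnel" % via
    # (c) on wireguard1 the same allowed-address table picks the peer, and
    #     (a) already proved MT2 claims src, so the reply is encrypted to MT2.
    return "ok"

# Constructed inputs mirroring the thread's MT1 config before/after the fix
BEFORE_ALLOWED = ["172.16.0.0/30", "10.0.2.0/24"]
AFTER_ALLOWED = BEFORE_ALLOWED + ["10.0.9.2/32"]
BEFORE_ROUTES = [("0.0.0.0/0", "isp_gateway"),
                 ("10.0.2.0/24", "wireguard1"),
                 ("10.0.1.0/24", "FullBridge")]
AFTER_ROUTES = BEFORE_ROUTES + [("10.0.9.0/24", "wireguard1")]

if __name__ == "__main__":
    # LAN host behind MT2 works even before the fix; the phone does not.
    print(mt1_round_trip(BEFORE_ALLOWED, BEFORE_ROUTES, "10.0.2.50"))
    print(mt1_round_trip(BEFORE_ALLOWED, BEFORE_ROUTES, "10.0.9.2"))
    print(mt1_round_trip(AFTER_ALLOWED, BEFORE_ROUTES, "10.0.9.2"))
    print(mt1_round_trip(AFTER_ALLOWED, AFTER_ROUTES, "10.0.9.2"))
```

Note that the model only covers the WireGuard and routing layers; MT1's forward chain accepts the traffic separately because wireguard1 is in its LAN interface list.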

Much appreciated on a very detailed answer. I expected to get grilled for my shiet firewall rules, keep that grilling, please.

  1. I assume you are talking about my External Peer 1?
    a) I don’t either. I guess I figured out since it is point to point I don’t need more than 4 addresses. I will change it to /24
    b) Yes the second peer is for my external device (in this case my phone), keepalive removed. Also, what two other peers?

  2. Both are going into internet. I guess since the tunnel goes from MT2 to MT1 I don’t need it on MT2, but if I wanted to swap it (from MT1 to MT2) I would need it, no? Should I disable the one for Point to Point then?

  3. Apologies for that. As far as those DNS rules go, if I remember correctly my ISP sent me an email telling me to add those, to block any outside DNS request. Judging by your response I’m guessing that’s… wrong…

Should I just start from scratch with https://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall ?


Seems like 6 and 7 did it! So the peer on MT1 didn’t accept traffic from 10.0.9.0/24 because it didn’t have that range in allowed addresses?

Many thanks with helping me solve this and again, sorry if my firewall rules caused you to bang your head on a table or something

Starting point for Rules…
https://forum.mikrotik.com/viewtopic.php?t=180838

  1. Those orange, yeah that was an “attempt” to see if the problem is allowed addresses. It was, just on the wrong router.

  2. Yes, I could add peers to the existing interface, that is true. I will probably do that.

I will take a few hours to go through that thread, thank you.