routing for dummies

Hello!

I have reset my router to defaults (192.168.88.1/24 LAN) and added a WireGuard interface wg (10.10.0.3/24). Why doesn't a ping from my LAN get routed to 10.10.0.1 (my wg peer)? Ping to 10.10.0.3 (local wg IP) works fine. I've read https://help.mikrotik.com/docs/display/ROS/IP+Routing and it says I just need routes, and I have one such route for wg: DAc 10.10.0.0/24 wg 0, but pings for 10.10.0.0/24 don't get routed through the wg interface.

I am deeply confused about what info is relevant to the question, so tell me and I'll post it. My MT model is:

# nov/12/2023 21:13:29 by RouterOS 7.2.3
# software id = JNSB-K4XH
# model = 951G-2HnD

Draw a diagram to indicate WAN connections and subnets on the router, and where WireGuard is going to/coming from.
https://forum.mikrotik.com/viewtopic.php?t=182340

Will also need the full config:
/export file=anynameyouwish (minus router serial number, public WAN IP information, keys, long lease lists ...)

The config:

# nov/12/2023 22:19:30 by RouterOS 7.2.3
# software id = JNSB-K4XH
#
# model = 951G-2HnD
/interface bridge
add admin-mac=00:0C:42:E9:06:03 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=VPNTEST wireless-protocol=802.11 wps-mode=disabled
/interface wireguard
add listen-port=51820 mtu=1420 name=wg
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=1.2.3.4 endpoint-port=51820 interface=wg public-key=xxxxx
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.10.0.3/24 interface=wg network=10.10.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Moscow
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

It's the default home router/AP setup: there's the ISP gateway and LAN devices. I only added the wg interface:

MT - ether1 is WAN, ISP-DHCP-server-assigned IP <---NAT masquerade---> ISP gateway
   - bridge (ether2-5, wlan1) 192.168.88.1/24 <---> local devices, PCs, phones
   - wg 10.10.0.3/24 <---> connected to some peer in the internet, peer vpn IP is 10.10.0.1

Not sure what else to draw.

Yes, but being vague like you are is not helpful.
Is the WireGuard at the other end a SERVER of some sort, most likely with an IP of .1?
What are the allowed IPs at the other end, firewall rules, etc.?
Is it an MT in a VPS like CHR?
Is it an MT at someone's home?
Is it a third-party VPN provider and, if so, did they give you a DNS as well?
etc.

Observations on Config:

(1) The allowed IPs tell me that this is most likely a client device and the peer is a WG server.
What is missing is that you need to set a keepalive, let's say 35s.

(2) If you're not using IPv6 nor plan to in the near term, disable IPv6
and change the firewall rules to two rules:
add chain=input action=drop
add chain=forward action=drop

(3) tool mac-server is not a secure access method, so change it to NONE:
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

(4) Ensure you add an additional SRCNAT rule:
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=wg

The other option to do this is via the interface list and accomplishes the same thing.

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wg list=WAN

(5) That tidies up most of the config, but now we need to know the requirements of the traffic flow of users/devices.

Currently I don't see any routes, so I'm assuming you have a default route selected in your IP DHCP Client.
Now you should have a route based on the IP address for the wg subnet:
dst-address=10.10.0.0/24 gateway=wg routing-table=main

This route should allow pinging of the server, after you have added the sourcenat rule above. I bet the issue was that the other end's allowed IPs didn't recognize a 192.168.88.X address!!!
The sourcenat will change all your local IP addresses to 10.10.0.3, which the other end will accept.
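The reasoning in (4) and (5) comes down to WireGuard's cryptokey routing: after a packet is decrypted for a peer, its source address must lie in that peer's allowed-ips or the packet is silently dropped, and a reply is only sent to a peer whose allowed-ips contains the destination. The model below is an added example (Python, not RouterOS or WireGuard code) that reproduces the thread's two remedies: widening the server-side allowed-ips to include 192.168.88.0/24, or masquerading LAN traffic to 10.10.0.3 before it enters the tunnel. The peer tables, the peer names "mikrotik" and "server", and the sample LAN host 192.168.88.10 are constructed for illustration; the addresses and rules they contain are the ones from the thread.

```python
"""Model of WireGuard cryptokey routing (allowed-ips) plus a RouterOS-style
srcnat chain, to show why a LAN-sourced ping was dropped by the peer.

Added example, not project code. Peer tables and host addresses below are
constructed to match the thread; the check logic mirrors what WireGuard does.
"""
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Dict, List, Optional

# Constructed: allowed-ips on the server (10.10.0.1) side for the MikroTik peer.
# Before: only the router's tunnel address is allowed, so anything sourced from
# 192.168.88.0/24 fails the inbound check and is dropped.
SERVER_PEERS_BEFORE: Dict[str, List[IPv4Network]] = {
    "mikrotik": [ip_network("10.10.0.3/32")],
}
# After the OP "changes allowed IPs on server": the LAN subnet is also allowed.
SERVER_PEERS_AFTER: Dict[str, List[IPv4Network]] = {
    "mikrotik": [ip_network("10.10.0.3/32"), ip_network("192.168.88.0/24")],
}
# Constructed: the router's own peer entry, allowed-address=0.0.0.0/0 as in the config.
CLIENT_PEERS: Dict[str, List[IPv4Network]] = {
    "server": [ip_network("0.0.0.0/0")],
}

# srcnat chain as in the posted config (WAN only) and with the suggested wg rule.
SRCNAT_BEFORE = [{"out-interface-list": "WAN", "action": "masquerade"}]
SRCNAT_AFTER = SRCNAT_BEFORE + [{"out-interface-list": "wg", "action": "masquerade"}]
IFACE_ADDR = {"wg": "10.10.0.3"}  # masquerade rewrites to the egress interface address


def inbound_allowed(peers: Dict[str, List[IPv4Network]], peer: str, src: str) -> bool:
    """Decryption for `peer` succeeded; WireGuard now requires the inner packet's
    source to be inside that peer's allowed-ips, otherwise it drops the packet."""
    src_ip = ip_address(src)
    return any(src_ip in net for net in peers[peer])


def outbound_peer(peers: Dict[str, List[IPv4Network]], dst: str) -> Optional[str]:
    """Pick the peer whose allowed-ips covers `dst` (longest prefix wins).
    None means the tunnel has nowhere to send the packet, e.g. a reply to a LAN host."""
    dst_ip = ip_address(dst)
    best, best_len = None, -1
    for name, nets in peers.items():
        for net in nets:
            if dst_ip in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def apply_srcnat(rules: List[dict], out_iface: str, src: str) -> str:
    """First matching masquerade rule rewrites the source to the egress address;
    with no matching rule the original source leaves the router unchanged."""
    for rule in rules:
        if rule["out-interface-list"] == out_iface and rule["action"] == "masquerade":
            return IFACE_ADDR[out_iface]
    return src


def lan_ping(server_peers, srcnat_rules, lan_src: str = "192.168.88.10"):
    """Simulate one ICMP request from a LAN host to 10.10.0.1 through the tunnel.
    Returns (source as seen by the peer, accepted by peer, peer can route reply)."""
    # Router side: the route for 10.10.0.0/24 via wg selects the "server" peer.
    assert outbound_peer(CLIENT_PEERS, "10.10.0.1") == "server"
    src_on_wire = apply_srcnat(srcnat_rules, "wg", lan_src)
    accepted = inbound_allowed(server_peers, "mikrotik", src_on_wire)
    reply_routable = outbound_peer(server_peers, src_on_wire) is not None
    return src_on_wire, accepted, reply_routable


if __name__ == "__main__":
    for label, peers, nat in [
        ("original config", SERVER_PEERS_BEFORE, SRCNAT_BEFORE),
        ("server allowed-ips widened", SERVER_PEERS_AFTER, SRCNAT_BEFORE),
        ("srcnat to wg added", SERVER_PEERS_BEFORE, SRCNAT_AFTER),
    ]:
        print(label, "->", lan_ping(peers, nat))
```

Either remedy makes the peer accept the packet, but they differ in what the peer sees: with the srcnat rule every LAN host appears as 10.10.0.3 (the "double NAT" the OP wants to avoid), while widening allowed-ips keeps the real LAN source visible, and the peer then also needs a route for 192.168.88.0/24 pointing at its WireGuard interface for the return path.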

Noted, thanks.

(4) Ensure you add an additional SRCNAT rule:
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=wg

The other option to do this is via the interface list and accomplishes the same thing.

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wg list=WAN

Noted, but I'd rather avoid double NAT.

I bet the issue was that the other end's allowed IPs didn't recognize a 192.168.88.X address!!!

That is correct, I think. I'll change the allowed IPs on the server and test.

Sure, if the other end is capable of adding more allowed IPs (how would we know? not communicated), that's viable as well.

Confirmed, the packet was dropped by the peer because it did not match the allowed IPs. Thanks a lot.