Site-to-site WireGuard setup (MikroTik RouterOS: RB750 at HQ, SXT LTE at Site1)

Good Day

I'm hoping someone can assist; I've been struggling for three weeks with something that should be basic, but for some reason I can't get it to work.

I have two sites: HQ (server side), 192.168.100.0/24, on an RB750 that is reachable through the MikroTik cloud DDNS name; and Site1 (client side), 192.168.20.0/24, on an SXT LTE.

I'm trying to get a working site-to-site tunnel between the two and have tried IPsec, OpenVPN and WireGuard, since everyone says WireGuard is the simplest.

The WireGuard handshake completes and the tunnel stays up, so the tunnel itself works.

From HQ on the RB750 I can ping
192.168.100.111 - it self
192.168.10.1 - Wiregaurd IP on the RB750
192.168.10.2 - Wiregaurd IP on the SXRT (Site1)
192.168.20.1 - SXRT (Site1)
but can't ping 192.168.20.253 - a terminal at Site1

From a terminal at HQ I can ping
192.168.100.111 - RB750

but not the WireGuard IP, nor anything at Site1

From Site1, on the SXT itself, I can ping
192.168.20.1 - it self
192.168.10.2 - Wiregaurd IP on the SXRT
192.168.10.1 - Wiregaurd IP on the RB750 (HQ)
192.168.100.111 - RB750 (HQ)
but I can't ping 192.168.100.2 - the main router at HQ

From a terminal at Site1 I can ping
192.168.20.1 - SXRT
192.168.10.2 - Wiregaurd IP on the SXRT
192.168.10.1 - Wiregaurd IP on the RB750 (HQ)
192.168.100.111 - RB750 (HQ)
but I can't ping 192.168.100.2 - the main router at HQ

So I'm clearly missing something. From an HQ terminal I can't see anything beyond its own network, and from Site1 I can reach the RB750 but nothing else on the HQ network.

WireGuard peer allowed-address
HQ (peer entry for Site1) - 192.168.10.2/32, 192.168.20.0/24
Site1 (peer entry for HQ) - 192.168.10.1/32, 192.168.100.0/24

IP addresses
HQ - 192.168.10.1/24 interface WG 192.168.100.111/24 interface bridge
Site 1 - 192.168.10.2/24 interface WG 192.168.20.1/24 interface bridge

Routes added
HQ - 192.168.20.0/24 gateway WG
Site 1- 192.168.100.0/24 gateway WG

Firewalls added
forward src-address=192.168.100.0/24 dst-address=192.168.20.0/24 allow
forward src-address=192.168.20.0/24 dst-address=192.168.100.0/24 allow
input protocol=udp dst-port=13231 allow

That's about the setup I have, but I'm missing something: Site1 can't break out into the HQ LAN, and HQ can't even reach Site1.

I believe I’m missing something simple but with all the struggling I’m just not able to think of anything any more.
I have followed so many guides, manuals and videos, but most describe the same setup, differing at most in how the firewall rules are written.

Any help would be much appreciated

Below are exports from both HQ and Site 1

HQ

/interface bridge
add admin-mac=D4:01:C3:04:00:00 auto-mac=no comment=defconf name=bridge
/interface wireguard
# NOTE: the interface name below starts with a space (" WG-HQ"). Every later
# reference (peer, address, route, firewall rule) must quote it exactly the
# same way or it will not match.
add listen-port=13231 mtu=1420 name=" WG-HQ"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/disk settings
# Automatic SMB sharing of attached media is enabled on the bridge. If this
# router does not need to serve files, turn it off to reduce exposed services.
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
# ether1 is a bridge slave here AND the only member of the WAN list below, so
# the WAN-based masquerade rule in this export never matches anything.
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=ether1 list=WAN
# LAN holds the individual ports rather than the bridge. The WireGuard
# interface is in neither list, so list-scoped rules and services (neighbor
# discovery, MAC server, "drop all not coming from LAN") do not cover the tunnel.
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
/interface wireguard peers
# allowed-address lists what may be sent to this peer and is also the ingress
# source filter for packets received from it (WireGuard cryptokey routing).
# persistent-keepalive is only needed on the NATed side (Site1 on LTE); it is
# harmless here but unnecessary.
add allowed-address=192.168.10.2/32,192.168.20.0/24 comment="Site 1 " interface=" WG-HQ" \
    name=" WG-Site1" persistent-keepalive=25s public-key=\
    "publickey"
/ip address
# Only the tunnel address is static. The bridge address (192.168.100.111 per
# the thread) comes from the DHCP client below via a reserved lease.
add address=192.168.10.1/24 interface=" WG-HQ" network=192.168.10.0
/ip cloud
# Publishes this device's public address under its cloud DDNS name; Site1
# dials that name as endpoint-address.
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
# Runs on the bridge: this RB750 sits inside the HQ LAN and has no WAN port.
add comment=defconf interface=bridge
/ip dhcp-server
# Disabled: the main router serves DHCP for the HQ LAN (per the thread).
add address-pool=default-dhcp disabled=yes interface=bridge name=defconf
/ip dhcp-server network
# gateway/dns of .50 do not match the main router address given later in the
# thread (192.168.100.2). Harmless while the server is disabled, but stale.
add address=192.168.100.0/24 comment=defconf dns-server=192.168.100.50 gateway=\
    192.168.100.50 netmask=24
/ip dns
# The router answers DNS for other hosts. With the input drop rules below
# disabled, that means on every interface, tunnel included.
set allow-remote-requests=yes
/ip dns static
# 192.168.30.0/24 is not a subnet of this router; stale entry.
add address=192.168.30.50 comment=defconf name=router.lan
/ip firewall address-list
# Not referenced by any rule in this export.
add address=192.168.20.0/24 list=Visit_Site1
/ip firewall filter
# log=yes on an accept rule logs every matching packet, i.e. all tunnel UDP.
# Fine while debugging; remove afterwards.
add action=accept chain=input dst-port=13231 log=yes protocol=udp
# Inter-site traffic, both directions (also logged per packet).
add action=accept chain=forward dst-address=192.168.20.0/24 log=yes src-address=\
    192.168.100.0/24
add action=accept chain=forward dst-address=192.168.100.0/24 log=yes src-address=\
    192.168.20.0/24
# Every defconf rule below is disabled=yes (done for troubleshooting per the
# thread). With them off there is NO drop rule in either chain: this router
# accepts management and DNS on every interface and forwards everything.
# Re-enable once routing is sorted. When you do, the WireGuard interface must
# be covered by an input accept or be in the list used by "drop all not coming
# from LAN", otherwise tunnel-side access to the router itself is dropped.
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid \
    disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" \
    disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid \
    disabled=yes
# When re-enabled this only affects the WAN list (ether1), not the tunnel.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
# out-interface-list=WAN never matches here: ether1, the only WAN member, is a
# bridge slave. Tunnel traffic is therefore not NATed by this rule.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
/ip route
# Route to the Site1 LAN through the tunnel, as the MikroTik guide adds
# explicitly; the peer allowed-address alone does not install a route.
add disabled=no dst-address=192.168.20.0/24 gateway=" WG-HQ" routing-table=main \
    suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# IPv6 firewall left at RouterOS defaults and still enabled, unlike the IPv4
# defconf rules above. Not involved in the IPv4-only tunnel problem.
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=\
    33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." \
    dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=\
    udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" \
    ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=\
    equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" \
    ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=HQ
/system note
set show-at-login=no
/tool mac-server
# MAC-telnet / MAC-winbox limited to the LAN list. If the WireGuard interface
# is later added to LAN (as suggested in the thread), these layer-2 management
# services become reachable from the remote site as well.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Site 1

/interface bridge
add admin-mac=D4:01:C3:15:00:00 auto-mac=no comment=defconf name=bridge
/interface wireguard
# Listen port is irrelevant on this side: Site1 initiates the tunnel to HQ.
add listen-port=13231 mtu=1420 name=WG-Site1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn0
add apn=unlimited use-network-apn=yes
/interface lte
set [ find default-name=lte1 ] allow-roaming=no apn-profiles=unlimited band="" \
    sms-read=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.20.100-192.168.20.254
/ip dhcp-server
# This router is the DHCP server for the Site1 LAN.
add address-pool=dhcp interface=bridge name=defconf
/queue type
add fq-codel-ecn=no kind=fq-codel name=fq-codel-ethernet-default
/queue interface
set ether1 queue=fq-codel-ethernet-default
set ether2 queue=fq-codel-ethernet-default
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
# Unlike HQ, the bridge itself is the LAN member and lte1 is the WAN. The
# WireGuard interface is in neither list.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface wireguard peers
# Initiator side: endpoint is HQ's cloud DDNS name (serial-number prefix
# redacted in the paste). persistent-keepalive is appropriate here to keep the
# LTE-side NAT mapping open. allowed-address is also the ingress source filter
# for packets received from HQ.
add allowed-address=192.168.10.1/32,192.168.100.0/24 comment=HQ \
    endpoint-address=.sn.mynetname.net endpoint-port=13231 \
    interface=WG-Site1 name=WG-HQ persistent-keepalive=25s public-key=\
    "publickey"
/ip address
add address=192.168.20.1/24 comment=defconf interface=bridge network=\
    192.168.20.0
add address=192.168.10.2/24 interface=WG-Site1 network=192.168.10.0
/ip dhcp-server network
add address=192.168.20.0/24 comment=defconf dns-server=192.168.20.1 gateway=\
    192.168.20.1 netmask=24
/ip dns
# This router resolves for its LAN clients (dns-server=192.168.20.1 above).
# The enabled "drop all not coming from LAN" input rule keeps the resolver off
# the LTE side and off the tunnel.
set allow-remote-requests=yes
/ip dns static
add address=192.168.20.1 comment=defconf name=router.lan
/ip firewall filter
# Unnecessary on the initiating side: Site1 dials out to HQ, so its listen port
# never needs to accept unsolicited packets from the LTE WAN. WireGuard drops
# unauthenticated packets silently, but there is no reason to expose it.
add action=accept chain=input dst-port=13231 protocol=udp
# Inter-site accepts placed before the fasttrack/drop rules, as the MikroTik
# guide shows. The tunnel interface is in neither LAN nor WAN, so the
# list-based rules below do not otherwise cover it.
add action=accept chain=forward dst-address=192.168.100.0/24 src-address=\
    192.168.20.0/24
add action=accept chain=forward dst-address=192.168.20.0/24 src-address=\
    192.168.100.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# WG-Site1 is not in the LAN list, so anything addressed to this router over
# the tunnel other than ICMP and return traffic is dropped here — e.g. Winbox
# or SSH from HQ to 192.168.10.2 / 192.168.20.1.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
# Only lte1 is in WAN, so this does not affect traffic arriving via the tunnel.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# Masquerade only toward lte1. Tunnel traffic is not NATed, so HQ sees the
# real 192.168.20.x source addresses.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip route
# Route to the HQ LAN through the tunnel (explicit route required; the peer
# allowed-address alone does not install one).
add disabled=no dst-address=192.168.100.0/24 gateway=WG-Site1 routing-table=\
    main suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# IPv6 firewall left at RouterOS defaults; not involved in the IPv4 tunnel issue.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Africa/Johannesburg
/system note
set show-at-login=no
/tool mac-server
# Layer-2 management limited to the LAN list (the bridge); the tunnel and lte1
# are excluded.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Mikrotik has a great explanation:
https://help.mikrotik.com/docs/display/ROS/WireGuard#WireGuard-SitetoSiteWireGuardtunnel

Did you add this part to the firewall as well (don't mind the IP addresses used in the example)?

Additionally, the forward chain may be what blocks traffic between the two subnets: the accept rules for inter-site traffic must sit before any drop rule in that chain (on a default config, before "drop all from WAN not DSTNATed").

Office1

/ip/firewall/filter
# Example from the MikroTik site-to-site guide (Office1 side). These accepts
# only work if they are placed above any drop rule in the forward chain.
add action=accept chain=forward dst-address=10.1.202.0/24 src-address=10.1.101.0/24
add action=accept chain=forward dst-address=10.1.101.0/24 src-address=10.1.202.0/24
Office2

/ip/firewall/filter
# Mirror of the Office1 rules for the Office2 side; same ordering caveat —
# keep them above any forward-chain drop rule.
add action=accept chain=forward dst-address=10.1.101.0/24 src-address=10.1.202.0/24
add action=accept chain=forward dst-address=10.1.202.0/24 src-address=10.1.101.0/24

Hi, yes, I used the MikroTik help guide first and then a few other guides and videos, but I'm stuck with the same outcome.

Firewalls added
forward src-address=192.168.100.0/24 dst-address=192.168.20.0/24 allow
forward src-address=192.168.20.0/24 dst-address=192.168.100.0/24 allow
input protocol=udp dst-port=13231 allow

Those are exactly the firewall rules from your comment (the ones from the help.mikrotik.com write-up).

Checked your config (better to place it between code tags using the </> button):

/ip address
add address=192.168.10.1/24 interface=" WG-HQ" network=192.168.10.0

Should be:

/ip address
# NOTE(review): with a /32 there is no connected route for 192.168.10.0/24, so
# reaching the peer's tunnel address (192.168.10.2) then depends on an explicit
# route or on a matching peer allowed-address — confirm before relying on it.
# The exported /24 gave that connected route for free.
add address=192.168.10.1/32 interface=" WG-HQ" network=192.168.10.0

AND

/ip address
add address=192.168.10.2/24 interface=WG-Site1 network=192.168.10.0

Should be:

/ip address
# NOTE(review): same caveat as on the HQ side — a /32 removes the connected
# route to 192.168.10.0/24; 192.168.10.1 must then be reachable via an explicit
# route or the peer allowed-address. Confirm before relying on it.
add address=192.168.10.2/32 interface=WG-Site1 network=192.168.10.0

Thank you

I'll remember the </> button in future; I wasn't sure how to do that.

I'll try changing the addresses to /32, but I'm not sure it will make a difference: most of the guides I looked at put the WireGuard interface address on a /24 and use /32 only in the peer's allowed-address.

But I’ll try and see if that makes any difference. I’m holding thumbs.

@erlinden

Thank you for the suggestion, but unfortunately that made no difference either; the behaviour is exactly the same.

As the WireGuard interface isn't in the LAN interface list AND there is no input-chain accept rule for it, the defconf rule "drop all not coming from LAN" drops packets addressed to the router itself that arrive over the tunnel (hence its WireGuard IP doesn't answer). Note that in the HQ export those defconf input rules are all disabled, so as exported this explanation only applies to the Site1 router.

You can test this by either adding an additional rule:

/ip firewall filter
# Diagnostic rule: lets HQ LAN hosts ping the router regardless of interface
# lists. It only has an effect if it sits above "drop all not coming from LAN"
# (and only on a router where that drop rule is enabled).
add action=accept chain=input comment="defconf: accept ICMP" disabled=no protocol=icmp src-address=192.168.100.0/24

OR

Add the wireguard interface to the LAN interface list:

/interface list member
# Putting the tunnel in LAN also extends neighbor discovery and MAC-telnet /
# MAC-winbox (both use allowed-interface-list=LAN in the export) to the remote
# site. Use a separate list if that is not intended.
add interface=" WG-HQ" list=LAN

HQ Observations:

  1. Remove ether1 from the bridge: if it is your WAN connection it has nothing to do with the bridge.
    /interface bridge port
    add bridge=bridge comment=defconf interface=ether2
    add bridge=bridge comment=defconf interface=ether3
    add bridge=bridge comment=defconf interface=ether4
    add bridge=bridge comment=defconf interface=ether5
    # ether1 is also the only member of the WAN list; as a bridge slave it can
    # never be routed or masqueraded through (the poster later says this unit
    # has no WAN port at all).
    add bridge=bridge interface=ether1

  2. Simplify list members to:
    /interface list member
    add comment=defconf interface=ether1 list=WAN
    # One entry for the whole bridge instead of one per port.
    add interface=bridge list=LAN

  3. WireGuard peers: remove persistent-keepalive on HQ. Keepalive is only needed on the peer behind NAT (Site1 on LTE) to keep the mapping open; HQ is the listening side.

  4. Missing an IP address for the HQ LAN subnet on the bridge?
    /ip address
    add address=192.168.10.1/24 interface=" WG-HQ" network=192.168.10.0
    # The export had no bridge address; per the thread it is 192.168.100.111,
    # obtained via a reserved DHCP lease rather than set statically.
    add address=192.168.100.1/24 interface=bridge network=192.168.100.0

  5. WAN has nothing to do with bridge, and thus this is wrong and should be modifed to the following.
    /ip dhcp-client
    # As exported: the DHCP client runs on the bridge (LAN side).
    add comment=defconf interface=bridge

    TO
    /ip dhcp-client
    # Only valid once ether1 is no longer a bridge port: RouterOS refuses a DHCP
    # client on a slave interface (the poster reports exactly that error).
    add comment=defconf interface=ether1

  6. Why are your referencing a static dns, to a subnet that does not exist on the router??
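    /ip dns static
    # 192.168.30.0/24 is not configured anywhere on this router (LAN is
    # 192.168.100.0/24); stale entry.
    add address=192.168.30.50 comment=defconf name=router.lan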

  7. Why is this disabled??
    /ip dhcp-server
    # Disabled on purpose per the thread: the main router serves DHCP for HQ.
    add address-pool=default-dhcp disabled=yes interface=bridge name=defconf

  8. Firewall rules are out of order and disorganized, and valid ones are disabled — a corrected set follows.

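/ip firewall address-list
# Fill in with static DHCP leases where applicable. Identity here is by IP
# address only: any host that can obtain one of these addresses gets admin
# access, so pin them with static leases and keep the management services
# themselves restricted as well.
add address=192.168.100.W list=Authorized comment="local admin PC"
add address=192.168.100.X list=Authorized comment="local admin laptop"
add address=192.168.100.Y list=Authorized comment="local admin smartphone/ipad"
add address=192.168.10.A list=Authorized comment="remote wireguard admin laptop"
add address=192.168.10.B list=Authorized comment="remote wireguard admin smartphone/ipad"
add address=192.168.20.ZZ list=Authorized comment="Remote admin access from site SXRT"

/ip firewall filter
# ---- input chain: traffic addressed to the router itself ----
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
# WireGuard listen port. log=yes logs every matching packet (all tunnel UDP);
# remove it once the tunnel is debugged.
add action=accept chain=input comment="wireguard handshake" dst-port=13231 log=yes protocol=udp
add action=accept chain=input comment="admin access" src-address-list=Authorized
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
# Keep this as the LAST input rule.
add action=drop chain=input comment="Drop all else"
# ---- forward chain: traffic passing through the router ----
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
# The RouterOS action is fasttrack-connection (as in the exports above); a bare
# "fasttrack" is rejected on import.
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
# Only matches when the WAN list has a routed member; on this RB750 there is no
# WAN port, so the rule is inert but harmless.
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="WG to LAN" in-interface=" WG-HQ" dst-address=192.168.100.0/24
add action=accept chain=forward comment="LAN to WG" src-address=192.168.100.0/24 out-interface=" WG-HQ"
# Hub rule: any WireGuard peer may reach any other peer's allowed networks.
# Add src-/dst-address matches if not every site should see every other site.
add action=accept chain=forward comment="wireguard relay" in-interface=" WG-HQ" out-interface=" WG-HQ"
add action=accept chain=forward comment="allow remote admin connections to local internet" in-interface=" WG-HQ" out-interface-list=WAN src-address-list=Authorized
# Enable if port forwarding (dst-nat) is configured, otherwise remove.
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="drop all else"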

Note 1:
The "wireguard relay" rule (forward chain, in-interface=WG out-interface=WG) is what lets a remote WireGuard peer connect to HQ and from there reach the other peers:
a. the SXT LAN,
b. the SXT router itself, for configuration.
Because it forwards between any two tunnel peers, add src-/dst-address matches if not every peer should be able to reach every other one.

Site SXT Observations:

  1. Fix the peer's allowed-address; it should be:
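    /interface wireguard peers
    # allowed-address widened to the whole tunnel subnet so any 192.168.10.x
    # source arriving from HQ (e.g. a relayed remote-admin peer) is accepted.
    # It is also the ingress source filter for this peer, so keep it no wider
    # than the networks HQ should actually be able to send from.
    add allowed-address=192.168.10.0/24,192.168.100.0/24 comment=HQ \
        endpoint-address=.sn.mynetname.net endpoint-port=13231 \
        interface=WG-Site1 name=WG-HQ persistent-keepalive=25s public-key=\
        "publickey"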

  2. If you manually entered netmask on this line, remove it (it is redundant with the /24 already given in address=):
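    /ip dhcp-server network
    # netmask=24 duplicates the prefix length in address=192.168.20.0/24;
    # harmless, but the author suggests dropping it for clarity.
    add address=192.168.20.0/24 comment=defconf dns-server=192.168.20.1 gateway=\
        192.168.20.1 netmask=24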

  3. Firewall rules. (Why an input-chain accept for UDP 13231 here? This side initiates the tunnel, so its listen port never needs to accept unsolicited packets from the LTE WAN. WireGuard silently drops unauthenticated packets, so the exposure is small, but there is no reason to keep it.)
    Basically copy the set from the HQ router with minor changes — very efficient!

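/ip firewall address-list
# Fill in with static DHCP leases where applicable. Admin identity is by IP
# address only, so pin these with static leases.
add address=192.168.100.W list=Authorized comment="remote admin PC at HQ"
add address=192.168.100.X list=Authorized comment="remote admin laptop at HQ"
add address=192.168.100.Y list=Authorized comment="remote admin smartphone/ipad at HQ"
add address=192.168.10.A list=Authorized comment="remote wireguard admin laptop"
add address=192.168.10.B list=Authorized comment="remote wireguard admin smartphone/ipad"
add address=192.168.20.ZZ list=Authorized comment="local admin access from site SXRT"
/ip firewall filter
# ---- input chain ----
# No accept for UDP 13231: this side initiates the tunnel, so the listen port
# does not need to be reachable from the LTE WAN.
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input comment="admin access" src-address-list=Authorized
# This router is the LAN's DNS (dns-server=192.168.20.1 in the DHCP network).
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
# Keep this as the LAST input rule.
add action=drop chain=input comment="Drop all else"
# ---- forward chain ----
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
# The RouterOS action is fasttrack-connection (as in the exports above).
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="WG to LAN" in-interface=WG-Site1 dst-address=192.168.20.0/24
add action=accept chain=forward comment="LAN to WG" src-address=192.168.20.0/24 out-interface=WG-Site1
# Enable if port forwarding (dst-nat) is configured, otherwise remove.
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="drop all else"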

Hi guys

Thank you for the reply’s

I’ll try you steps later today and revert back.

@erlinden

Thank you but the firewall rule and the interface change had no effect

@anav
Q

  1. The RB750 is set up as a bridge, not as a router; there is no WAN port.
    The RB750 is not the main router at HQ; it was added purely to terminate the site-to-site tunnel. Once Site1 is working, more sites will be added. The main purpose is time-and-attendance at remote sites, not a full corporate network merge. (Reviewer note: this is most likely the root cause of the symptoms above. HQ hosts use the main router, not the RB750, as their default gateway, so replies to 192.168.20.0/24 or 192.168.10.0/24 follow the main router's default route instead of going back into the tunnel — asymmetric routing. The main router needs static routes for those prefixes via 192.168.100.111.)

  2. List members simplified
    /interface list member
    add interface=bridge list=LAN
    add interface=" WG-HQ" list=LAN
    As I don’t have a WAN port I did not add the WAN ether1

  3. Removed

  4. Both of them are there although 192.168.100.1/24 are 192.168.100.111/24 as its a reserved IP for the RB750, DHCP enabled

  5. Don't have a WAN, so not sure I still need to change this. Tried anyway but got an error that a DHCP client can't run on a slave interface (ether1 is a bridge port).

  6. Honestly I have no idea where this came from. Change to 192.168.100.2 that’s the main site Router

  7. DHCP are run from the main router

  8. Most firewall rules were disabled for testing, to make sure they aren't causing the issue. (Reviewer note: remember to re-enable them. With the defconf drop rules disabled there is no drop rule left in the HQ input or forward chain, so the RB750 currently accepts management and DNS requests on every interface, including the tunnel, and forwards everything.)


    SXT

  9. Fixed

  10. Fixed

  11. Input rule for wireguard were to make sure its not my problem. Been trying many things to try and get the connection working.
    All the rest I have changed to your firewall rules


    Unfortunately Results are the same.

For the main-site MikroTik, call it a switch or device, not a router.
Can you confirm that the main router forwards UDP 13231 to the MikroTik device? (The handshake completing suggests it does, since Site1 initiates towards the DDNS name.)

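/interface list
add name=Trusted

/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4

/ip neighbor discovery-settings
set discover-interface-list=Trusted

/interface list member
add interface=bridge list=Trusted
# ether5 is kept off the bridge as an out-of-band emergency access port.
add interface=ether5 list=Trusted
add interface=" WG-HQ" list=Trusted

/interface wireguard peers
# No persistent-keepalive on this side: HQ is the listening peer; Site1 keeps
# its NAT mapping alive. allowed-address is also the ingress source filter for
# packets from Site1.
add allowed-address=192.168.10.2/32,192.168.20.0/24 comment="Site 1" interface=" WG-HQ" \
    name=" WG-Site1" public-key="publickey"

/ip address
add address=192.168.10.1/24 interface=" WG-HQ" network=192.168.10.0
add address=192.168.100.111/24 interface=bridge network=192.168.100.0
add address=192.168.55.1/30 interface=ether5 network=192.168.55.0

/ip dhcp-client
# Disabled: the bridge address is set statically above.
add interface=bridge disabled=yes

/ip dns
# Point at the main router's LAN address (the thread says it is 192.168.100.2;
# adjust if .1 is not correct for your network).
set server=192.168.100.1

/ip firewall address-list
# IP-based admin identity: pin these with static DHCP leases so another host
# cannot pick up one of the addresses.
add address=192.168.100.X list=Authorized comment="local admin device1"
add address=192.168.100.Y list=Authorized comment="local admin device2"
add address=192.168.10.3 list=Authorized comment="remote wireguard admin device"
add address=192.168.55.2 list=Authorized comment="local off bridge emergency access"
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# log=yes records every WireGuard packet; remove once the tunnel is debugged.
add action=accept chain=input dst-port=13231 log=yes protocol=udp
# Everything else addressed to the router only from Authorized hosts. This also
# blocks DNS to the RB750 from ordinary LAN hosts, which is fine here because
# HQ clients get DNS from the main router's DHCP, not from this device.
add action=drop chain=input src-address-list=!Authorized
# No forward-chain rules here: the forward set from the earlier post (WG to
# LAN / LAN to WG / relay accepts, then drop all else) still applies if kept.
/ip route
# Default route via the main router (the thread says it is 192.168.100.2).
add dst-address=0.0.0.0/0 gateway=192.168.100.1
add disabled=no dst-address=192.168.20.0/24 gateway=" WG-HQ" routing-table=main \
    suppress-hw-offload=no
/tool mac-server
# MAC-telnet fully off; the built-in value is lower-case "none".
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Trusted

/ip firewall nat
# Workaround for the main router having no route to 192.168.20.0/24: because
# the source is rewritten to 192.168.100.111, replies from HQ hosts come back
# to the RB750 and into the tunnel. Cost: HQ hosts and the main router see all
# Site1 traffic as coming from the RB750, so per-source firewalling and logging
# at HQ is lost, and HQ-initiated traffic to Site1 still needs the static route
# on the main router. Prefer the static route alone and drop this rule once it
# is in place.
add chain=srcnat action=masquerade out-interface=bridge comment="ensures Main router sees all incoming wireguard traffic as coming from MT device"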

++++++++++++++++++++++++++++++++++++++++++++

The main router must also have a static route for any LAN-originated traffic destined for the tunnel, pointing at the RB750 (and, if you keep the masquerade rule above, that route is still needed for HQ-initiated connections).
Something like (on the main router, not the RB750):

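# On the HQ main router: send the Site1 LAN to the RB750's bridge address.
add dst-address=192.168.20.0/24 gateway=192.168.100.111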