SMB access while on WireGuard

Hi Folks,
I have one dummy question, but I was unable to find an answer on the forum here, and Google doesn't help either. I set up WireGuard on my Mikrotik and am able to RDP to the server at the remote location, but I can't access its SMB share. The same laptop (Tom_WIN11 from the config) + the same server (on 10.0.0.50) work fine while connected locally on the network, but not via WireGuard. I am sure there is some missing element in my setup and would appreciate it if you could quickly review it. Otherwise I might spend a few more hours digging with no success. My backup option is to set up OpenVPN and give it a try there.
The next struggle would be WireGuard on a setup with load-balanced WAN, where only WAN1 has a public IP :smiley: but more on that later…
anynameyouwish.rsc (11.7 KB)

  1. Wouldn't call my bridge "LAN", as LAN is already used on the router for standard nomenclature. Personal choice, but at least make it
    bridge-LAN etc.

  2. Why do you have two IP pools but only one subnet ( aka the one you attach to the bridge-LAN )?

  3. Highly recommend you set this to NONE, as it creates weird issues…
    /interface detect-internet
    set detect-interface-list=all

  4. Set this to LAN_list
    /ip neighbor discovery-settings
    set discover-interface-list=none

  5. Not sure why your allowed IPs come filled with all the noise of what's on the peer device??
    Normally it would look like this, or at least I would pare it down to the essentials…
    /interface wireguard peers
    add allowed-address=10.200.0.3/32 interface=WireGuard_VPN name=Tom_WIN11 public-key="+++++"
    add allowed-address=10.200.0.4/32 interface=WireGuard_VPN name=Tom_iPAD public-key="*****"
    add allowed-address=10.200.0.5/32 interface=WireGuard_VPN name=Tom_iPHONE public-key="^^^^^^"

In any case that shouldn't be preventing anything, so I suspect I will find something in the firewall rules.

  1. Firewall rules are much better done if organized so that the input chain is together and the forward chain is together, for quick reading and understanding…
    /ip firewall filter
    # input chain default rules to keep
    add action=accept chain=input connection-state=established,related,untracked
    add action=drop chain=input connection-state=invalid
    add action=accept chain=input protocol=icmp
    add action=accept chain=input dst-address=127.0.0.1

    # admin rules
    add action=accept chain=input comment="WireGuard handshake" dst-port=33333 protocol=udp
    add action=accept chain=input comment="allow internal LAN only" in-interface-list=LAN_list
    add action=drop chain=input comment="drop all else"
    # insert this last so you don't lock yourself out
    ++++++++++++
    # forward chain default rules to keep
    add action=fasttrack-connection chain=forward connection-state=established,related
    add action=accept chain=forward connection-state=established,related,untracked
    add action=drop chain=forward connection-state=invalid

    # admin rules
    add action=accept chain=forward comment="internet traffic" in-interface-list=LAN_list out-interface-list=WAN_list
    add action=accept chain=forward comment="Remote users to LAN" in-interface=WireGuard_VPN dst-address=10.0.0.0/24
    add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
    add action=drop chain=forward comment="drop all else"

  2. You have your source NAT rule disabled??
    /ip firewall nat
    add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN_list

Should be:
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=no \
ipsec-policy=out,none out-interface-list=WAN_list

EDIT: Okay, I saw your last rule at the end, LOL… I hate it when people leave messy, useless noise in their config!! :wink:

  1. Forget the honeypot 3389 stuff; the idea is NOT to attract attention to your router, and 3389 does.
    The other dst-nat rules will not be visible on scans, as you have source address lists entered, which should also limit access for the most part.
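
As an added check (not code from the thread or from RouterOS), the following Python linter parses `/ip firewall filter` export lines and verifies the ordering advice above: each chain grouped contiguously, the catch-all "drop all else" last in its chain, the UDP 33333 handshake accept ahead of the input drop, and the WireGuard_VPN forward accept ahead of the forward drop. The sample rule set is constructed (an abridged copy of the reorganized rules); the interface name and port are assumed to be WireGuard_VPN and 33333 as in the post, and multi-line `\` continuations are not handled.

```python
import re
# Constructed sample (abridged from the reorganized rule set above), one export line per rule.
SAMPLE_RULES = """\
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="WireGuard handshake" dst-port=33333 protocol=udp
add action=accept chain=input comment="allow internal LAN only" in-interface-list=LAN_list
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN_list out-interface-list=WAN_list
add action=accept chain=forward comment="Remote users to LAN" in-interface=WireGuard_VPN dst-address=10.0.0.0/24
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
"""
TOKEN = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
NON_MATCH_KEYS = {"action", "chain", "comment", "disabled", "log", "log-prefix"}

def parse_rules(text):
    # Simplification: no '\' line continuations. Disabled rules never match, so they are dropped here.
    rules = [{k: v.strip('"') for k, v in TOKEN.findall(ln)} for ln in text.splitlines() if ln.startswith("add ")]
    return [r for r in rules if r.get("disabled") != "yes"]

def is_catch_all(rule):
    # A drop with no matcher at all: the "drop all else" rule that must close its chain.
    return rule.get("action") == "drop" and not (set(rule) - NON_MATCH_KEYS)

def lint(text, wg_iface="WireGuard_VPN", wg_port="33333"):
    rules, findings = parse_rules(text), []  # empty findings = rule set follows the ordering advice
    chains = [r.get("chain") for r in rules]
    blocks = [c for i, c in enumerate(chains) if i == 0 or c != chains[i - 1]]  # one entry per contiguous run
    findings += [f"{c}: rules are interleaved with another chain" for c in sorted(set(blocks)) if blocks.count(c) > 1]
    checks = (("input", f"udp/{wg_port} handshake accept",
               lambda r: (r.get("action"), r.get("protocol"), r.get("dst-port")) == ("accept", "udp", wg_port)),
              ("forward", f"accept from {wg_iface}",
               lambda r: (r.get("action"), r.get("in-interface")) == ("accept", wg_iface)))
    for chain, label, wanted in checks:
        cr = [r for r in rules if r.get("chain") == chain]
        drop = next((i for i, r in enumerate(cr) if is_catch_all(r)), None)
        need = next((i for i, r in enumerate(cr) if wanted(r)), None)
        if drop is None:
            findings.append(f"{chain}: no catch-all drop")
        elif drop != len(cr) - 1:
            findings.append(f"{chain}: {len(cr) - 1 - drop} rule(s) after catch-all drop are unreachable")
        if need is None:
            findings.append(f"{chain}: missing {label}")
        elif drop is not None and need > drop:
            findings.append(f"{chain}: {label} is shadowed by catch-all drop")
    return findings
```

Run `lint()` over the output of `/ip firewall filter export` pasted into a file; a "shadowed by catch-all drop" finding on the forward chain is exactly the shape of misordering that lets RDP work through one accept while other LAN traffic from the tunnel never gets past the drop.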

Hi Anav,
thanks for tips.

  1. I am a little confused, as many config materials mention "LAN" as an in-interface, therefore my assumption was that it's a renamed bridge interface → sample https://youtu.be/nlb7XAv57tw?si=QdLrlh5teIPrst5d&t=622
  2. Preparing to change the network from 10.0.0.0 to 10.10.10.0, so you can ignore that
  3. Done thanks
  4. Done

I have reorganized firewall rules and will give it a try. thanks

Okay, repost the config if there are any issues; there are bound to be a few, as changes often take a few iterations, ops normal.