Some basic help needed with Wireguard

Hello,

I looked through a few threads already and tried various solutions, but I'm having no success. I apologize in advance — I realize my question is very basic, but I'm very new to networking and MikroTik in general.
The TLDR version is : i have a mikrotik router at home. I also have a Synology NAS connected. I’ve set up wireguard on my Android phone. I am now facing 2 problems:

  1. The phone connects fine via WireGuard, but I'm getting no traffic to the WAN.
  2. What rules must I set up to be able to connect to the NAS from the phone (via VLC for video streaming)? On the local home Wi-Fi I have no issues connecting via FTPS, SMB, etc.
    The basic setup is such:
    the home network is 10.20.30.0/24 with the nas being on ip 10.20.30.40
    The ip addresses for wireguard are given from a pool of 192.168.33.0/24

Pasting the entire config below:

2024-06-30 20:44:03 by RouterOS 7.12.1

software id = LJPS-M6IC

model = RB750Gr3

serial number = CC210C29124E

# Bridge carrying the wired LAN ports (ether2-ether5 are attached to it in /interface bridge port).
/interface bridge
add name=LAN_BRIDGE
# WireGuard server interface. UDP 13231 is the port the input-chain accept rule must open.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
# NOTE(review): include=all makes the LAN list contain *every* interface, including the WAN
# uplink ether1. Any later rule that matches in-interface-list=LAN will therefore also match
# traffic arriving from the internet. The list should be created without include=all and
# populated only through /interface list member.
/interface list
add include=all name=LAN
add name=WAN
# Default LTE / wireless entries; nothing else in this export references them.
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Empty section header; no IPsec profile is actually defined (export artefact).
/ip ipsec profile

# DHCP for the wired LAN. The pool spans .2-.254; the gateway .1 is excluded.
# The NAS at 10.20.30.40 lies inside this pool and has no static lease below — fine if it is
# configured statically on the NAS itself, otherwise its address may change.
/ip pool
add name=dhcp_pool0 ranges=10.20.30.2-10.20.30.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN_BRIDGE lease-time=10m name=Dhcp_Lan
/port
set 0 name=serial0
# ether2-ether5 are bridge members; ether1 is the uplink (see /ip dhcp-client and the WAN list).
/interface bridge port
add bridge=LAN_BRIDGE ingress-filtering=no interface=ether2
add bridge=LAN_BRIDGE ingress-filtering=no interface=ether3
add bridge=LAN_BRIDGE ingress-filtering=no interface=ether4
add bridge=LAN_BRIDGE ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# NOTE(review): "*8" is how RouterOS prints a reference to an interface it can no longer
# resolve, so that member entry is dead configuration. ether2-ether4 are already covered by
# LAN_BRIDGE, and wireguard1 is not in any list at all here.
/interface list member
add interface=LAN_BRIDGE list=LAN
add interface=*8 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether1 list=WAN
# Default OVPN server entry (weak MD5/SHA1 auth list is the stock value); no enabled=yes
# appears in this export, so the server is presumably not running.
/interface ovpn-server server
set auth=sha1,md5
# NOTE(review): allowed-address is 193.168.33.15/32, but the wireguard1 subnet below is
# 192.168.33.0/24 and the phone is configured as 192.168.33.15/32 — almost certainly a
# 193/192 typo. WireGuard discards tunnel packets whose inner source address is not within
# the peer's allowed-address, and the router has no peer to send 192.168.33.15 replies to,
# which on its own produces the "connects, but no traffic at all" symptom described.
# (The public-key value appears to have been stripped from the paste.)
/interface wireguard peers
add allowed-address=193.168.33.15/32 interface=wireguard1 public-key=\

/ip address
add address=10.20.30.1/24 comment=LAN interface=LAN_BRIDGE network=10.20.30.0
# NOTE(review): 20.30.40.0/24 is publicly routable address space, not RFC 1918, and it is
# bound to the unresolved interface *8 — see the dead list-member entry above.
add address=20.30.40.1/24 interface=*8 network=20.30.40.0
add address=192.168.33.1/24 interface=wireguard1 network=192.168.33.0
/ip dhcp-client
add interface=ether1
# Static lease for one LAN host (long line wrapped by the forum; it is a single command).
/ip dhcp-server lease
add address=10.20.30.33 client-id=1:c:80:63:be:45:9a mac-address=
0C:80:63:BE:45:9A server=Dhcp_Lan
/ip dhcp-server network
add address=10.20.30.0/24 dns-server=8.8.4.4 gateway=10.20.30.1
# Pins the update host to a fixed address; the purpose is not explained in the thread.
/ip dns static
add address=159.148.172.226 name=upgrade.mikrotik.com
# 192.168.11.0/24 is not a subnet that exists anywhere in this export; the list is consumed
# only by the management-port accept rule in /ip firewall filter.
/ip firewall address-list
add address=192.168.11.0/24 list=logatec
# NOTE(review): chains are evaluated top to bottom, first match wins, and a chain with no
# matching rule falls through to RouterOS's default accept. Consequences in this rule set:
#  - the forward chain has no final drop, so every forward accept below is effectively a no-op
#    and nothing restricts forwarding between interfaces;
#  - the only input drop is scoped to in-interface=ether1, so input on every other interface
#    is accepted by default;
#  - log=yes on the 192.168.33.0/24 input accept will log every packet it matches.
/ip firewall filter
add action=accept chain=input comment=“allow wireguard” dst-port=13231
protocol=udp
add action=accept chain=input comment=“allow wireguard traffic” log=yes
src-address=192.168.33.0/24
# The next two rules overlap: WG-in -> bridge-out and 192.168.33.0/24 -> 10.20.30.0/24.
add action=accept chain=forward in-interface=wireguard1 out-interface=
LAN_BRIDGE
add action=accept chain=forward dst-address=10.20.30.0/24 src-address=
192.168.33.0/24
# Rules for the 20.30.40.0/24 subnet that is bound to the unresolved interface *8.
add action=accept chain=forward src-address=20.30.40.0/24
add action=accept chain=forward dst-address=20.30.40.0/24 src-address=
10.20.30.0/24
add action=accept chain=input comment=“allow established connections”
connection-state=established
add action=accept chain=input comment=“allow related connections”
connection-state=related
add action=accept chain=input in-interface=ether1 protocol=icmp
# Lets the router itself answer TCP/1107 from the WAN; the dst-nat rule for the same port
# hands it to the NAS, so this input accept is only relevant if dst-nat does not match.
add action=accept chain=input dst-port=1107 in-interface=ether1 protocol=tcp
# NOTE(review): opens WinBox (8291), SSH (22), Telnet (23) and FTP (21) for the logatec list
# on *every* interface — no in-interface is given — and this rule sits above the WAN drop,
# so these management services are reachable from the internet for that source range.
# Telnet is disabled in /ip service, but the other three are not. Management access should
# be limited to the LAN / VPN interfaces rather than to a source address list.
add action=accept chain=input dst-port=8291,22,23,21 protocol=tcp
src-address-list=logatec
add action=accept chain=forward out-interface=ether1 src-address=
10.20.30.0/24
# Only reached by WAN input that none of the accepts above matched.
add action=drop chain=input comment=“Drop all from WAN” in-interface=ether1
# NOTE(review): the first three srcnat accepts exempt LAN traffic to 192.168.27/88/11.0/24
# from masquerade; none of those subnets is configured anywhere in this export (192.168.11.0/24
# exists only as an address-list entry), so they look like leftovers from another setup.
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.27.0/24 src-address=
10.20.30.0/24
add action=accept chain=srcnat dst-address=192.168.88.0/24 src-address=
10.20.30.0/24
add action=accept chain=srcnat dst-address=192.168.11.0/24 src-address=
10.20.30.0/24
# Port forward: TCP/1107 arriving on ether1 -> NAS 10.20.30.40:1107.
# NOTE(review): dst-address-list=“” and src-address-list=“” are empty list matchers (shown
# with curly quotes by the forum); they should be dropped from the rule rather than left empty.
add action=dst-nat chain=dstnat dst-address-list=“” dst-port=1107
in-interface=ether1 protocol=tcp src-address-list=“” to-addresses=
10.20.30.40 to-ports=1107
# Fixes the NAS's outbound source port for 1107; the catch-all masquerade below already
# translates this traffic, so this is only needed if a stable source port is required.
add action=src-nat chain=srcnat out-interface=ether1 protocol=tcp
src-address=10.20.30.40 src-port=1107 to-ports=1107
# Catch-all masquerade for everything leaving ether1, including WireGuard clients.
add action=masquerade chain=srcnat out-interface=ether1
# Redundant: both source ranges are already covered by the catch-all rule above, which
# matches first.
add action=masquerade chain=srcnat out-interface=ether1 src-address=
20.30.40.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=
192.168.33.0/24
# Effectively a no-op: ether1-bound traffic was already masqueraded above, and srcnat
# performs no translation by default for anything else.
add action=accept chain=srcnat src-address=192.168.33.0/24
# Empty IPsec sections; export artefacts, nothing is configured.
/ip ipsec identity

/ip ipsec policy

# Only telnet is explicitly disabled; services not listed here are at their defaults
# (an export prints only non-default values).
/ip service
set telnet disabled=yes
# BFD enabled on all interfaces, including ether1; nothing in this export uses it.
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Ljubljana
/system identity
set name=taskeDoma
/system note
set show-at-login=no
# NOTE(review): channel=testing pulls pre-release builds onto a production router.
/system package update
set channel=testing

(1) Change this from
/interface list
add include=all name=LAN
add name=WAN

TO:
/interface list
add name=LAN
add name=WAN

(2) Change this from
/interface list member
add interface=LAN_BRIDGE list=LAN
add interface=*8 list=LAN <---- this means you have an error by the way…
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether1 list=WAN

TO:
/interface list member
add interface=ether1 list=WAN
add interface=LAN_BRIDGE list=LAN
add interface=wireguard1 list=LAN

(3) This is the other end of your error.
add address=20.30.40.1/24 interface=*8 network=20.30.40.0
WTFrig are you attempting to do with this subnet ???
Which you failed to disclose???

(4) What is the purpose of this???
/ip dns static
add address=159.148.172.226 name=upgrade.mikrotik.com

(5) What is the purpose of a private address list entry here, which doesn't exist on your network??
/ip firewall address-list
add address=192.168.11.0/24 list=logatec

(6) CLEANING UP your firewall rules:
/ip firewall filter
{ default rules to keep }
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp

{ admin rules }
add action=accept chain=input comment=“allow wireguard” dst-port=13231
protocol=udp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment=“drop all else”
{ put this rule in last so you dont lock yourself out }
+++++++++++
{ default rules to keep }
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid

{ admin rules }
add action=accept chain=forward comment=“allow internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“allow wg to local subnet” in-interface=wireguard1 dst-address=10.20.30.0/24
add action=accept chain=forward comment=“allow port forwarding” connection-nat-state=dstnat
add action=drop chain=forward comment=“drop all else”

(7) Fix NAT ( I only see the need for two rules, if you think differently tell me why! )
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

++++++
add action=dst-nat chain=dstnat dst-port=1107 in-interface=ether1
protocol=tcp to-addresses=10.20.30.40

(8) As for your WireGuard client settings, the only thing required for Allowed IPs is 0.0.0.0/0.
Don't forget to set persistent keepalive to something like 35s.

Wireguard setting on Android are: IpAddresses : 192.168.33.15/32
DNS: 8.8.8.8
Port 13231
Allowed Addresses : 0.0.0.0/0
Keep alive 10s

Still no WAN traffic when connected over WG, nor do I see the NAS files via VLC.



New config below:

2024-06-30 23:04:49 by RouterOS 7.12.1

software id = LJPS-M6IC

model = RB750Gr3

serial number = CC210C29124E

# Bridge carrying the wired LAN ports (ether2-ether5 are attached below).
/interface bridge
add name=LAN_BRIDGE
# WireGuard server interface; UDP 13231 is opened in the input chain.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
# NOTE(review): still include=all, so the LAN list contains every interface including ether1.
# This export now has an input rule "accept in-interface-list=LAN" placed before the WAN drop,
# which therefore accepts all traffic from the internet to the router itself. Create the list
# as plain "add name=LAN" and rely on /interface list member only.
/interface list
add include=all name=LAN
add name=WAN
# Default LTE / wireless entries; nothing else in this export references them.
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# DHCP for the wired LAN: pool .2-.254, gateway .1. The NAS at 10.20.30.40 sits inside the
# pool with no static lease below; fine only if the NAS is addressed statically.
/ip pool
add name=dhcp_pool0 ranges=10.20.30.2-10.20.30.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN_BRIDGE lease-time=10m name=Dhcp_Lan
/port
set 0 name=serial0
# ether2-ether5 bridged; ether1 is the uplink.
/interface bridge port
add bridge=LAN_BRIDGE ingress-filtering=no interface=ether2
add bridge=LAN_BRIDGE ingress-filtering=no interface=ether3
add bridge=LAN_BRIDGE ingress-filtering=no interface=ether4
add bridge=LAN_BRIDGE ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# The dead *8 entry is gone and wireguard1 was added to LAN. ether2-ether4 are still listed
# individually although LAN_BRIDGE already covers them (harmless, but redundant).
/interface list member
add interface=LAN_BRIDGE list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether1 list=WAN
add interface=wireguard1 list=LAN
# Default OVPN server entry; no enabled=yes in this export.
/interface ovpn-server server
set auth=sha1,md5
# NOTE(review): unchanged from the first export — allowed-address is still 193.168.33.15/32
# while the interface subnet is 192.168.33.0/24 and the phone uses 192.168.33.15/32. Until
# this reads 192.168.33.15/32, WireGuard will drop the phone's packets on the router and have
# nowhere to send replies, regardless of any firewall or NAT changes.
/interface wireguard peers
add allowed-address=193.168.33.15/32 interface=wireguard1 public-key=\

# The stray 20.30.40.0/24 address has been removed.
/ip address
add address=10.20.30.1/24 comment=LAN interface=LAN_BRIDGE network=10.20.30.0
add address=192.168.33.1/24 interface=wireguard1 network=192.168.33.0
/ip dhcp-client
add interface=ether1
# Static lease for one LAN host (single command wrapped by the forum).
/ip dhcp-server lease
add address=10.20.30.33 client-id=1:c:80:63:be:45:9a mac-address=
0C:80:63:BE:45:9A server=Dhcp_Lan
/ip dhcp-server network
add address=10.20.30.0/24 dns-server=8.8.4.4 gateway=10.20.30.1
# Still present; purpose not explained in the thread.
/ip dns static
add address=159.148.172.226 name=upgrade.mikrotik.com
# NOTE(review): first match wins, and a chain without a matching rule falls through to the
# default accept. There is still no final forward drop, so the forward accepts below do not
# restrict anything.
/ip firewall filter
add action=accept chain=input comment=“allow wireguard” dst-port=13231
protocol=udp
# NOTE(review): because the LAN list was created with include=all, this rule also matches
# ether1, so it accepts every packet from the internet to the router and makes the
# "Drop all from WAN" rule at the bottom unreachable. Either fix the list definition or
# scope this rule to specific interfaces.
add action=accept chain=input in-interface-list=LAN
# wireguard1 is in the LAN list, so this also covers VPN clients reaching the internet.
add action=accept chain=forward comment=“Allow Internet traffic”
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“Allow port forwarding”
connection-nat-state=dstnat
add action=accept chain=forward comment=“Allow Wireguard to local Subnet”
dst-address=10.20.30.0/24 in-interface=wireguard1
# Conventionally these established/related accepts go first in the chain.
add action=accept chain=input comment=“allow established connections”
connection-state=established
add action=accept chain=input comment=“allow related connections”
connection-state=related
add action=accept chain=input in-interface=ether1 protocol=icmp
add action=accept chain=input dst-port=1107 in-interface=ether1 protocol=tcp
# NOTE(review): the logatec address list no longer exists in this export, so this rule can
# never match and should be deleted. It also still has no in-interface restriction, i.e. it
# would expose WinBox/SSH/Telnet/FTP to the WAN again the moment the list is re-created.
add action=accept chain=input dst-port=8291,22,23,21 protocol=tcp
src-address-list=logatec
# Unreachable while the in-interface-list=LAN accept above matches ether1.
add action=drop chain=input comment=“Drop all from WAN” in-interface=ether1
# Catch-all masquerade for everything leaving ether1 (LAN and WireGuard clients alike).
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
# Port forward: TCP/1107 on ether1 -> NAS 10.20.30.40 (single command wrapped by the forum).
add action=dst-nat chain=dstnat dst-port=1107 in-interface=ether1 protocol=
tcp to-addresses=10.20.30.40
# Only telnet is explicitly disabled; unlisted services are at their defaults.
/ip service
set telnet disabled=yes
# BFD on all interfaces, including ether1; nothing in this export uses it.
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Ljubljana
/system identity
set name=taskeDoma
/system note
set show-at-login=no
# NOTE(review): testing channel = pre-release builds on a production router.
/system package update
set channel=testing

You didn't make any changes from my recommendations… I suspect you posted your old config??

Im confused.

I've fixed the interface lists and NAT rules, edited the FW rules, and cleaned up the old IPsec settings and redundant IP addresses. Am I missing something?

Well, for starters you didn't answer ANY of my questions.

  • WTFrig are you attempting to do with this subnet ???

  • Which you failed to disclose???

  • What is the purpose of this???
    /ip dns static
    add address=159.148.172.226 name=upgrade.mikrotik.com

  • What is the purpose of a private address list entry here, which doesn't exist on your network??
    /ip firewall address-list
    add address=192.168.11.0/24 list=logatec



  1. Change this from
    /interface list member
    add interface=LAN_BRIDGE list=LAN
    add interface=*8 list=LAN <---- this means you have an error by the way…
    add interface=ether2 list=LAN
    add interface=ether3 list=LAN
    add interface=ether4 list=LAN
    add interface=ether1 list=WAN

    TO:
    /interface list member
    add interface=ether1 list=WAN
    add interface=LAN_BRIDGE list=LAN
    add interface=wireguard1 list=LAN

ON your new config you have this…
/interface list member
add interface=LAN_BRIDGE list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN

add interface=ether1 list=WAN
add interface=wireguard1 list=LAN

Your firewall rules are out of order, you have extra rules that are not required according to your config and requirements, and you allow WinBox from the internet, which is a no-no regardless of whether you think you are limiting it to an IP address.
Only access WinBox from within the LAN or via VPN, etc.

My formatting might have been poor, sorry. I’ve tried to answer your questions in bold format in the quoted part of your reply.

I believe things are now how you specified, but I'm still getting no internet traffic and no LAN NAS access.


2024-07-01 06:51:42 by RouterOS 7.12.1

software id = LJPS-M6IC

model = RB750Gr3

# Bridge carrying the wired LAN ports.
/interface bridge
add name=LAN_BRIDGE
# WireGuard server interface; UDP 13231 is opened in the input chain.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
# NOTE(review): include=all is still here, three exports in. The LAN list therefore still
# contains ether1, and the input rule "accept in-interface-list=LAN" below accepts all
# internet traffic to the router, leaving the final "Drop all from WAN" unreachable.
# This line needs to become plain "add name=LAN".
/interface list
add include=all name=LAN
add name=WAN
# Default LTE / wireless entries; nothing else in this export references them.
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# DHCP for the wired LAN: pool .2-.254, gateway .1. The NAS at 10.20.30.40 is inside the pool
# and has no static lease; fine only if the NAS is addressed statically.
/ip pool
add name=dhcp_pool0 ranges=10.20.30.2-10.20.30.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN_BRIDGE lease-time=10m name=Dhcp_Lan
/port
set 0 name=serial0
# ether2-ether5 bridged; ether1 is the uplink.
/interface bridge port
add bridge=LAN_BRIDGE ingress-filtering=no interface=ether2
add bridge=LAN_BRIDGE ingress-filtering=no interface=ether3
add bridge=LAN_BRIDGE ingress-filtering=no interface=ether4
add bridge=LAN_BRIDGE ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# List members now match the recommended minimal set. Note that these explicit members only
# take effect as intended once include=all is removed from the LAN list definition.
/interface list member
add interface=LAN_BRIDGE list=LAN
add interface=ether1 list=WAN
add interface=wireguard1 list=LAN
# Default OVPN server entry; no enabled=yes in this export.
/interface ovpn-server server
set auth=sha1,md5
# NOTE(review): the peer's allowed-address is still 193.168.33.15/32 in this third export,
# while the wireguard1 subnet is 192.168.33.0/24 and the phone is 192.168.33.15/32. This single
# digit is the most likely reason the symptoms never changed across the rewrites: the router
# drops the phone's inner packets (source not in allowed-address) and cannot route replies to
# 192.168.33.15. Fix: allowed-address=192.168.33.15/32.
/interface wireguard peers
add allowed-address=193.168.33.15/32 interface=wireguard1 public-key=\

/ip address
add address=10.20.30.1/24 comment=LAN interface=LAN_BRIDGE network=10.20.30.0
add address=192.168.33.1/24 interface=wireguard1 network=192.168.33.0
/ip dhcp-client
add interface=ether1
# Static lease for one LAN host (single command wrapped by the forum).
/ip dhcp-server lease
add address=10.20.30.33 client-id=1:c:80:63:be:45:9a mac-address=
0C:80:63:BE:45:9A server=Dhcp_Lan
/ip dhcp-server network
add address=10.20.30.0/24 dns-server=8.8.4.4 gateway=10.20.30.1

# NOTE(review): first match wins; unmatched packets fall through to the default accept.
# The input chain now starts with the conventional established/related/untracked accept and
# invalid drop. The forward chain still has no final drop, so it accepts everything not
# listed; the responder's "drop all else" forward rule was not carried over.
/ip firewall filter
add action=accept chain=input comment=“allow established connections”
connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment=“Allow ping” in-interface=ether1
protocol=icmp
add action=accept chain=input comment=“allow wireguard” dst-port=13231
protocol=udp
# NOTE(review): with the LAN list still defined as include=all, this rule matches ether1 as
# well and accepts all internet traffic to the router itself (WinBox, SSH, web, API, ...),
# making the "Drop all from WAN" rule at the end unreachable. It is correct only once the
# LAN list no longer contains ether1.
add action=accept chain=input in-interface-list=LAN
add action=accept chain=forward comment=“Allow Internet traffic”
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“Allow Wireguard to local Subnet”
dst-address=10.20.30.0/24 in-interface=wireguard1
add action=accept chain=forward comment=“Allow port forwarding”
connection-nat-state=dstnat
# Placed after the forward accepts, so it only sees packets those rules did not already
# accept. The usual layout is fasttrack first, immediately followed by an accept for
# established,related, then the policy rules and a final drop.
add action=fasttrack-connection chain=forward connection-state=
established,related hw-offload=yes
# Unreachable while in-interface-list=LAN matches ether1 (see above).
add action=drop chain=input comment=“Drop all from WAN” in-interface=ether1
# Catch-all masquerade for everything leaving ether1 (LAN and WireGuard clients alike).
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
# Port forward: TCP/1107 on ether1 -> NAS 10.20.30.40 (single command wrapped by the forum).
add action=dst-nat chain=dstnat dst-port=1107 in-interface=ether1 protocol=
tcp to-addresses=10.20.30.40
# Only telnet is explicitly disabled; unlisted services are at their defaults. Given the
# input-chain exposure noted above, restricting the remaining services by address or
# interface here would be a worthwhile second line of defence.
/ip service
set telnet disabled=yes
# BFD on all interfaces, including ether1; nothing in this export uses it.
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Ljubljana
/system identity
set name=taskeDoma
/system note
set show-at-login=no
# NOTE(review): testing channel = pre-release builds on a production router.
/system package update
set channel=testing