Struggling to create VPN network for internal access

Hi everyone, I have been having an issue using a WireGuard tunnel to access my LAN remotely with my MikroTik hAP ac2.
I have created my tunnel just fine and I can access the internet through it, but when I try to ping my LAN devices, I cannot get through.

This is what my network diagram looks like:

I am trying to access the server network with the 10.2.0.0/24 network from the remote workstation with IP 10.3.0.2. Ping results in “Destination host unreachable”
The solution I tried was to mark all packets originating from 10.3.0.0/24 with a mangle rule and use a static route to try to reach 10.2.0.0/24, but it doesn't seem to have helped.

/ip firewall mangle
add action=mark-routing chain=prerouting comment="VPN TO LAN2" \
    new-routing-mark=VPN_TO_LAN passthrough=yes src-address=10.3.0.0/24

/ip route
add disabled=no distance=1 dst-address=10.2.0.0/24 gateway=internal-wireguard \
    pref-src="" routing-table=VPN_TO_LAN scope=30 suppress-hw-offload=no \
    target-scope=10

The rest of my config is below. If anyone could point me in the right direction I would really appreciate it, I’m fairly new to networking and I’m tearing my hair out trying to get this traffic to flow correctly.

# dec/12/2022 10:35:15 by RouterOS 7.6
# software id = HZDX-EFGS
#
# model = RBD52G-5HacD2HnD
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-LAN1
set [ find default-name=ether3 ] arp=proxy-arp name=ether3-LAN2
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface l2tp-client
add connect-to=197.xx.xx.xx disabled=no name=liamnet-vpn use-ipsec=yes user=\
    vpnuser
/interface wireguard
add listen-port=37015 mtu=1420 name=internal-wireguard
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=10.1.0.2-10.1.0.254
add name=dhcp_pool1 ranges=10.2.0.2-10.2.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether2-LAN1 name=lan1_dhcp
add address-pool=dhcp_pool1 interface=ether3-LAN2 name=lan2_dhcp
/routing table
add fib name=LAN1_TO_WAN1
add fib name=LAN2_TO_VPN
add disabled=no fib name=VPN_TO_LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set default-profile=default use-ipsec=required
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.3.0.2/32 interface=internal-wireguard public-key=\
    "tgTOMm/jN020diUnFOykLOo/2ZDNjhHBG1Sw3Zgja2s="
/ip address
add address=10.1.0.1/24 interface=ether2-LAN1 network=10.1.0.0
add address=10.2.0.1/24 interface=ether3-LAN2 network=10.2.0.0
add address=10.3.0.1/24 interface=internal-wireguard network=10.3.0.0
/ip dhcp-client
add interface=ether1-WAN1
/ip dhcp-server network
add address=10.1.0.0/24 dns-server=8.8.8.8,8.8.4.4 domain=liamnet.xyz gateway=\
    10.1.0.1
add address=10.2.0.0/24 dns-server=8.8.8.8,8.8.4.4 domain=liamnet.xyz gateway=\
    10.2.0.1
/ip firewall filter
add action=drop chain=input comment="Block SSH and Telnet" dst-port=22,23 \
    protocol=tcp src-port=""
add action=accept chain=input comment="Allow UDP 37015 for WG" dst-port=37015 \
    protocol=udp
add action=accept chain=forward comment="Allow VPN traffic" out-interface=\
    liamnet-vpn
add action=accept chain=forward comment="Allow LAN traffic" src-address=\
    10.2.0.0/24
add action=accept chain=forward src-address=10.1.0.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
/ip firewall mangle
add action=accept chain=prerouting comment="Allow LAN1 to ping gateway" \
    dst-address=10.1.0.1 src-address=10.1.0.0/24
add action=accept chain=prerouting comment="Allow LAN2 to ping gateway" \
    dst-address=10.2.0.1 src-address=10.2.0.0/24
add action=mark-routing chain=prerouting comment="LAN1 to WAN1" \
    new-routing-mark=LAN1_TO_WAN1 passthrough=yes src-address=10.1.0.0/24
add action=mark-routing chain=prerouting comment="LAN2 to VPN" \
    new-routing-mark=LAN2_TO_VPN passthrough=yes src-address=10.2.0.0/24
add action=mark-routing chain=prerouting comment="VPN TO LAN2" \
    new-routing-mark=VPN_TO_LAN passthrough=yes src-address=10.3.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN1
add action=masquerade chain=srcnat out-interface=liamnet-vpn
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.30.0.1 pref-src=\
    "" routing-table=LAN2_TO_VPN scope=30 suppress-hw-offload=no target-scope=\
    10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.1 \
    routing-table=LAN1_TO_WAN1 suppress-hw-offload=no
add disabled=no distance=1 dst-address=10.2.0.0/24 gateway=internal-wireguard \
    pref-src="" routing-table=VPN_TO_LAN scope=30 suppress-hw-offload=no \
    target-scope=10
/system clock
set time-zone-name=Africa/Johannesburg
/system package update
set channel=testing

Prudent advice is to remove the serial number from your config…on your post above.

Thanks for the advice, I have edited my post. I thought the hide-sensitive option would remove anything best kept for my eyes only.

(1) Get rid of all mangle rules not required…

(2) Order is important in firewall rules as rules are checked from top to bottom and also, it is very hard to read when one looks at such a disjointed view.

Fixed for you…
/ip firewall filter
add action=drop chain=input comment="Block SSH and Telnet" dst-port=22,23 \
    protocol=tcp src-port=""
add action=accept chain=input comment="Allow UDP 37015 for WG" dst-port=37015 \
    protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="Allow VPN traffic" out-interface=\
    liamnet-vpn
add action=accept chain=forward comment="Allow LAN traffic" src-address=\
    10.2.0.0/24
add action=accept chain=forward src-address=10.1.0.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid

And now ordered properly…

/ip firewall filter
{default rules}
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
{user rules}
add action=accept chain=input comment="Allow UDP 37015 for WG" dst-port=37015 \
    protocol=udp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"

Assumes you have an interface list setup…
/interface list
add name=LAN
add name=WAN
/interface list members
add interface=ether2-LAN1 list=LAN
add interface=ether3-LAN2 list=LAN
add interface=wlan1 list=LAN
add interface=wlan2 list=LAN
add interface=internal-wireguard list=LAN
add interface=ether1-WAN1 list=WAN
add interface= Where is WAN2 ?? list=WAN { missing wan2 on the config??}

/ip firewall filter
{default rules}
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
{user rules}
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=internal-wireguard dst-address=10.2.0.0/24
add action=accept chain=forward comment="Allow PCs to Servers" src-address=\
    10.1.0.0/24 dst-address=10.2.0.0/24
add action=drop chain=forward comment="drop all else"

I didn't include this rule in the forward chain as I didn't understand the user requirement, who needs access where…
It's not clear who is going out the VPN to the internet???. Also, it's all the more obvious that open-ended firewall rules are too vague (coming from and going to should be clear).
add action=accept chain=forward comment="Allow VPN traffic" out-interface=\
    liamnet-vpn

Also assumed you didn't want servers to originate traffic to PC workstations… so it's just one way…
Note that by adding the WireGuard interface to the LAN interface list, you can reach the router for config purposes (input chain), the internet (forward chain) and the servers (forward chain).

(3) I don't understand your IP routes at all… The WireGuard interface does not require a route, as it's automatically created by assigning an IP address to the WireGuard interface. So the incoming and return traffic to the remote PC already has a route.

There should be two routes, one for each WAN connection, either entered manually by you, or in the IP DHCP or PPPoE client settings where the route checkbox is used…

(4) What I don't see is a clear set of two tables and ADDITIONAL routes and routing rules for PCs to WAN1 and servers to WAN2, besides the fact that WAN2 doesn't actually seem to exist??
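Added example, not from the thread: one way to apply points (1) and (3) to the posted export. The assumption is that the "LAN2 to VPN" mark also catches the servers' replies to 10.3.0.2, so they match the 0.0.0.0/0 route in LAN2_TO_VPN (gateway 172.30.0.1) instead of the connected WireGuard route in main; the accept rules below, in the same style as the existing "Allow LAN2 to ping gateway" rule, exempt LAN-to-WireGuard traffic from the marks, and the VPN_TO_LAN mark and route are dropped entirely.

```routeros
# Added example (not the thread's config): keep LAN <-> WireGuard traffic in the
# main routing table so replies to 10.3.0.2 leave via internal-wireguard rather
# than via the 0.0.0.0/0 route in LAN2_TO_VPN. Names and subnets are taken from
# the posted export; assumes the VPN_TO_LAN mangle rule and route were removed.
/ip firewall mangle
# Order matters: "accept" in mangle stops processing of this chain, so these
# must sit above the mark-routing rules.
add action=accept chain=prerouting comment="LAN2 to WG client: main table" \
    src-address=10.2.0.0/24 dst-address=10.3.0.0/24
add action=accept chain=prerouting comment="LAN1 to WG client: main table" \
    src-address=10.1.0.0/24 dst-address=10.3.0.0/24
add action=accept chain=prerouting comment="Allow LAN1 to ping gateway" \
    dst-address=10.1.0.1 src-address=10.1.0.0/24
add action=accept chain=prerouting comment="Allow LAN2 to ping gateway" \
    dst-address=10.2.0.1 src-address=10.2.0.0/24
add action=mark-routing chain=prerouting comment="LAN1 to WAN1" \
    new-routing-mark=LAN1_TO_WAN1 passthrough=yes src-address=10.1.0.0/24
add action=mark-routing chain=prerouting comment="LAN2 to VPN" \
    new-routing-mark=LAN2_TO_VPN passthrough=yes src-address=10.2.0.0/24
# Nothing is added for 10.3.0.0/24: unmarked packets use the main table, which
# already holds the connected routes for 10.3.0.0/24 (internal-wireguard) and
# 10.2.0.0/24 (ether3-LAN2) created by the /ip address entries.

# Checks (constructed commands for the router terminal): confirm both connected
# routes are in main, then watch the accept-rule counters while pinging 10.2.0.2
# from 10.3.0.2.
/ip route print where routing-table=main
/ip firewall mangle print stats
```

If the counters on the two "main table" accept rules stay at zero while the ping runs, the packets are not reaching the router via the tunnel at all and the problem is in the peer's allowed-address or the forward chain, not in routing.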

Okay, I can clarify a bit. WAN2 is actually an L2TP client which all the traffic from my server network (10.2.0.0/24) is sent through in order for my servers to have a static IP, reverse DNS etc., since I don't have that on my connection at home. So technically I only have one WAN, but I added the L2TP VPN client as WAN2 since it's functioning as an exit for all the traffic originating from my servers. That interface is the liamnet-vpn and this is how that is set up.

/routing table
add disabled=no fib name=LAN1_TO_WAN
add disabled=no fib name=LAN2_TO_VPN

/ip firewall mangle
add action=accept chain=prerouting comment="Allow LAN1 to ping gateway" dst-address=10.1.0.1 src-address=10.1.0.0/24
add action=accept chain=prerouting comment="Allow LAN2 to ping gateway" dst-address=10.2.0.1 src-address=10.2.0.0/24
add action=mark-routing chain=prerouting comment="LAN1 to WAN" new-routing-mark=LAN1_TO_WAN passthrough=yes src-address=10.1.0.0/24
add action=mark-routing chain=prerouting comment="LAN2 to VPN" new-routing-mark=LAN2_TO_VPN passthrough=yes src-address=10.2.0.0/24

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.30.0.1 pref-src="" routing-table=LAN2_TO_VPN scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-table=LAN1_TO_WAN suppress-hw-offload=no

As you can see, traffic from the LAN1 network leaves through my home gateway and traffic from the LAN2 network leaves through the L2TP server I’m hosting on a VPS.

The thing I am trying to accomplish here is access to the servers on my LAN2 10.2.0.0/24 network from a remote PC connected via the WireGuard tunnel, which has the IP 10.3.0.2.

So from 10.3.0.2 I should be able to access anything in the 10.2.0.0/24 network, e.g. ping a server at 10.2.0.2.

Sorry for the confusion, I hope this clears it up as it's my first time doing a network diagram. I have removed the mangle rules from my first post and re-ordered my firewall rules as you suggested.

Okay, so the WAN2 is a connection to what… a SERVER somewhere in the cloud, and how do you reach that cloud VPS (through WAN1??)

Also need a complete config view:
/export file=anynameyouwish (minus serial number and any public WAN IP info)