UDM Pro WireGuard with hAP client can't ping the network, just the GW on the UDM

Dear All!

I'm not an expert in MikroTik, and I need to solve a problem.

I have a Ubiquiti UDM Pro and need to connect it with a MikroTik hAP through WireGuard.

I have made a config; from the MikroTik I can't ping the network I need to reach, but from the connected laptop I'm only able to ping the GW of the network.

The config is this:

/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface wireguard
add listen-port=2550 mtu=1420 name=wg1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.250.2-192.168.250.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 lease-time=8h name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether2
/interface wireguard peers
add allowed-address=10.10.1.0/24,192.168.1.0/24,192.168.66.0/24,192.168.250.0/24 endpoint-address=address endpoint-port=51820 interface=wg1 name=peer2 persistent-keepalive=20s public-key="key="
/ip address
add address=192.168.250.1/24 interface=bridge1 network=192.168.250.0
add address=10.10.1.3/24 interface=*A network=10.10.1.0
add address=10.10.1.3 interface=wg1 network=10.10.1.3
/ip dhcp-client
add default-route-tables=main interface=ether1-WAN
/ip dhcp-server network
add address=192.168.250.0/24 dns-none=yes gateway=192.168.250.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.250.0/24 list=Allowed_hosts
/ip firewall filter
add action=accept chain=input src-address-list=Allowed_hosts
add action=accept chain=input in-interface=wg1
add action=drop chain=input connection-state=!established
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN
add action=src-nat chain=srcnat disabled=yes dst-address=192.168.66.0/24 to-addresses=10.10.1.3
/ip route
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=wg1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.66.0/24 gateway=wg1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.10.1.0/24 gateway=wg1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=Europe/Budapest
/system ntp client
set enabled=yes
/system ntp client servers
add address=hu.pool.ntp.org

I tried a trace on the UDM, and saw that if I ping from the hAP, I go through 10.10.1.3, but if I ping from my laptop I go directly to the IP I want to reach, but I get no answer:

root@FSZ-Router:~# tcpdump -i wgsrv1 host 192.168.66.171
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wgsrv1, link-type RAW (Raw IP), snapshot length 262144 bytes
20:15:36.025090 IP 10.10.1.3 > 192.168.66.171: ICMP echo request, id 758, seq 5, length 36
20:15:36.025400 IP 192.168.66.171 > 10.10.1.3: ICMP echo reply, id 758, seq 5, length 36
20:15:36.856730 IP 192.168.250.253.51703 > 192.168.66.171.http: Flags [S], seq 2709851613, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
20:15:37.029817 IP 10.10.1.3 > 192.168.66.171: ICMP echo request, id 758, seq 6, length 36
20:15:37.030138 IP 192.168.66.171 > 10.10.1.3: ICMP echo reply, id 758, seq 6, length 36
20:15:37.120795 IP 192.168.250.253.54462 > 192.168.66.171.http: Flags [S], seq 3648561574, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
20:15:38.035239 IP 10.10.1.3 > 192.168.66.171: ICMP echo request, id 758, seq 7, length 36
20:15:38.035532 IP 192.168.66.171 > 10.10.1.3: ICMP echo reply, id 758, seq 7, length 36
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel
root@FSZ-Router:~# tcpdump -i wgsrv1 host 192.168.66.171
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wgsrv1, link-type RAW (Raw IP), snapshot length 262144 bytes
20:17:24.852873 IP 192.168.250.253 > 192.168.66.171: ICMP echo request, id 1, seq 1026, length 40
20:17:29.846505 IP 192.168.250.253 > 192.168.66.171: ICMP echo request, id 1, seq 1027, length 40

If someone could hint at what I'm not seeing, I would be very grateful.

bolvar

It looks like you may be using a different path/gateway from the laptop. Another possibility is the allowed networks in the Wireguard config are set incorrectly so traffic from the laptop isn't able to utilize that connection.

To test the Wireguard config, you can temporarily allow 0.0.0.0/0 to go through the tunnel to make sure it's actually working.

Also, what does the output of "IP->route->print" look like?

I'd also check the routes on your laptop to make sure they look sane.

I hope that helps.

These should probably be:
/ip address
add address=192.168.250.1/24 interface=bridge1 network=192.168.250.0
add address=10.10.1.3/24 interface=wg1 network=10.10.1.0

The interface *A is a leftover and I presume you want the whole /24 subnet reachable on wg1, not only the /32 address 10.10.1.3 (and that entry is wrong anyway, as it is pointing to "self").

Also, it seems like your UDM doesn't have a return route for 192.168.250.0/24.
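A small linter for the hAP export posted above, added here as an example (not code from the thread or from MikroTik): it parses the /ip address, /interface wireguard peers and /ip route sections and flags the leftover *A entry and the self-pointing /32 on wg1 that jaclaz describes, plus any route via wg1 whose destination is not inside the peer's allowed-address. The embedded export is a constructed excerpt of the config from the first post; the UDM side's return route for 192.168.250.0/24 cannot be checked from the hAP export alone.

```python
import ipaddress
import shlex

# Constructed excerpt of the hAP export posted in the thread (key and endpoint redacted as on the page).
EXPORT = """\
/interface wireguard peers
add allowed-address=10.10.1.0/24,192.168.1.0/24,192.168.66.0/24,192.168.250.0/24 endpoint-address=address endpoint-port=51820 interface=wg1 name=peer2 persistent-keepalive=20s public-key="key="
/ip address
add address=192.168.250.1/24 interface=bridge1 network=192.168.250.0
add address=10.10.1.3/24 interface=*A network=10.10.1.0
add address=10.10.1.3 interface=wg1 network=10.10.1.3
/ip route
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=wg1 routing-table=main
add disabled=no distance=1 dst-address=192.168.66.0/24 gateway=wg1 routing-table=main
add disabled=no distance=1 dst-address=10.10.1.0/24 gateway=wg1 routing-table=main
"""


def parse_export(text):
    """Map each '/section' header of a RouterOS export to the key=value dicts of its 'add' lines."""
    cfg, section = {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            section = line.strip()
            cfg.setdefault(section, [])
        elif section and line.startswith("add "):
            cfg[section].append(dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t))
    return cfg


def check_wg(cfg, wg="wg1"):
    """Return human-readable findings about the WireGuard address and route setup."""
    findings = []
    for a in cfg.get("/ip address", []):
        iface, addr = a.get("interface", ""), ipaddress.ip_interface(a["address"])
        if iface.startswith("*"):  # RouterOS shows '*A'-style names for interfaces that no longer exist
            findings.append(f"{a['address']} is bound to unknown interface {iface} (leftover entry)")
        if iface == wg and addr.network.prefixlen == 32 and a.get("network") == str(addr.ip):
            findings.append(f"{a['address']} on {wg} is a /32 whose network is itself, so no peer subnet is on-link")
    # A destination routed into the tunnel must also sit inside the peer's allowed-address, or WireGuard drops it.
    allowed = [ipaddress.ip_network(n) for p in cfg.get("/interface wireguard peers", [])
               if p.get("interface") == wg for n in p["allowed-address"].split(",")]
    for r in cfg.get("/ip route", []):
        if r.get("gateway") == wg:
            dst = ipaddress.ip_network(r["dst-address"])
            if not any(dst.subnet_of(n) for n in allowed):
                findings.append(f"route {dst} via {wg} is not covered by the peer's allowed-address")
    return findings
```

Run `check_wg(parse_export(EXPORT))` to get the findings; with the export above it reports the two address problems and no uncovered routes.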

Dear jaclaz!

The 10.10.1.3/32 is added by the config I imported from the UI; this is why I need to add the 10.10.1.0/24 for it to even work over WireGuard, and when I'm creating the WireGuard client I'm only able to add an IP, not a network.

I tried to add a route back, but nothing has changed.

The fun fact: if I move the device I want to reach to the default VLAN1, it works fine.

A /32 is a "special" kind of address where the first is the address given to "local interface" and the network is the "other end".

This makes little sense anyway:
add address=10.10.1.3 interface=wg1 network=10.10.1.3

If it needs to be a /32 it should be something like:
add address=10.10.1.3/32 interface=wg1 network=