Web server not accessible with Wireguard

Hello,
I have a local web server on my LAN. Its IP is 192.168.110.3 and its DNS name is airavenue.contegris.com. It is working fine on the LAN.
But I have to access it remotely, so I configured WireGuard. It is accessible only via the IP 192.168.110.3 and not via its domain airavenue.contegris.com.

Thanks.


# RouterOS export posted by the asker. Symptom: over WireGuard the server
# 192.168.110.3 is reachable by IP but not by the name airavenue.contegris.com.
/interface bridge
add name=Bridge_LAN port-cost-mode=short
add name=“Bridge_LAN Central Park” port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
/interface pppoe-client
# The interface name appears merged with the PPPoE user name in this paste.
# The default route further down uses gateway=PPPoE_PTCL, so that is
# presumably the real pppoe-client name - confirm on the router.
add disabled=no interface=ether1_WAN name=PPPoE_user=0XYZZZZZC
/interface eoip
# EoIP bridges the remote site's layer-2 traffic over the WAN; nothing in this
# export shows an ipsec-secret on the tunnel, so presumably it runs unencrypted.
add local-address=xx.xx.xx.xx mac-address=07:72:00:1D:09:39 name=
“EoIP Tunnel_Central Park” remote-address=xx.xx.xx.xx tunnel-id=xxx
/interface wireguard
# WireGuard listens on UDP 13231. The input chain below has no explicit accept
# for this port; the handshake currently gets through only because that chain
# has no final drop rule.
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool ranges=192.168.110.100-192.168.110.200
/ip dhcp-server
add address-pool=dhcp_pool interface=Bridge_LAN name=dhcp1
/ppp profile
# VPN-pool is not defined anywhere in this paste; the profile is unrelated to
# the WireGuard problem.
add dns-server=8.8.8.8,1.1.1.1 local-address=192.168.84.1 name=sstp-profile
remote-address=VPN-pool
/routing table
add disabled=no fib name=to_L2TP
/interface bridge port
add bridge=“Bridge_LAN Central Park” interface=“EoIP Tunnel_Central Park”
internal-path-cost=10 path-cost=10
add bridge=“Bridge_LAN Central Park” interface=ether2 internal-path-cost=10
path-cost=10
add bridge=Bridge_LAN interface=ether3 internal-path-cost=10 path-cost=10
add bridge=Bridge_LAN interface=ether4 internal-path-cost=10 path-cost=10
add bridge=Bridge_LAN interface=ether5 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
# Peer list is empty in this paste (redacted, or not yet configured?). The
# tunnel can only carry traffic if a peer exists whose allowed addresses cover
# the client's tunnel IP.
/interface wireguard peers

/ip address
add address=192.168.110.1/24 interface=Bridge_LAN network=192.168.110.0
# Router side of the tunnel; this is the natural DNS resolver address for
# WireGuard clients.
add address=192.168.181.1/24 interface=wireguard1 network=192.168.181.0
/ip cloud
# IP Cloud DDNS: the router's public name tracks the PPPoE address. A client
# resolving airavenue.contegris.com via public DNS gets a public address, not
# 192.168.110.3, which is why the reply below points at hairpin NAT.
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-server alert
add disabled=no interface=Bridge_LAN valid-server=18:FD:74:B3:A2:50
/ip dhcp-server lease
add address=192.168.110.101 always-broadcast=yes comment=“Windows 10 Laptop”
mac-address=74:70:FD:1D:CE:23
add address=192.168.110.102 always-broadcast=yes comment=“Windows 11 Laptop”
mac-address=74:E5:F9:D1:59:F2
add address=192.168.110.103 always-broadcast=yes mac-address=
00:0C:29:CC:84:1B
/ip dhcp-server network
# LAN clients get the router as first DNS server, so the static entry below
# works for them; WireGuard clients are not covered by this DHCP scope.
add address=192.168.110.0/24 dns-server=192.168.110.1,8.8.8.8,8.8.4.4
gateway=192.168.110.1
/ip dns
# allow-remote-requests=yes makes the resolver answer on every interface,
# including the PPPoE WAN; only the filter rules below limit who may use it.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
# Maps the name to the LAN address, but only for clients that query THIS
# router's resolver. A WireGuard client that uses 8.8.8.8 (or any public DNS)
# never sees this entry.
add address=192.168.110.3 name=airavenue.contegris.com
/ip firewall filter
# Input chain has no established/related accept and no final drop, so every
# router service not listed in the drop rules is reachable from all
# interfaces, including the WAN.
# Management ports accepted from any interface (no in-interface restriction).
add action=accept chain=input comment=“Router Access Remotely” dst-port=
4477,4478 protocol=tcp
# DNS is accepted only when it arrives on Bridge_LAN ...
add action=accept chain=input comment=“Web Allow” dst-port=53 in-interface=
Bridge_LAN protocol=tcp
add action=accept chain=input comment=“Web Allow” dst-port=53 in-interface=
Bridge_LAN protocol=udp
# ... and the next two rules drop port 53 from everywhere else, which includes
# wireguard1. A tunnel client that uses 192.168.181.1 as its DNS server is
# therefore dropped here and cannot resolve airavenue.contegris.com at all -
# a plausible cause of the "works by IP, not by name" symptom.
add action=drop chain=input comment=“Block Attack” dst-port=
25,53,87,512-515,543,544,7547,8080 protocol=tcp
add action=drop chain=input comment=“Block Attack” dst-port=
53,80,87,161,162,1900,4520-4524,8080 protocol=udp
add action=add-src-to-address-list address-list=“Port Scanners”
address-list-timeout=none-dynamic chain=input comment=
“Port Scanners to Address List " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=“Port Scanners”
address-list-timeout=none-dynamic chain=input comment=
“TCP Flag-NMAP FIN Stealth scan” protocol=tcp tcp-flags=
fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=“Port Scanners”
address-list-timeout=none-dynamic chain=input comment=
“TCP Flag-FIN/SYN scan” protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=“Port Scanners”
address-list-timeout=none-dynamic chain=input comment=
“TCP Flag-RST/SYN scan” protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=“Port Scanners”
address-list-timeout=none-dynamic chain=input comment=
“TCP Flag-FIN/PSH/URG scan” protocol=tcp tcp-flags=
fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=“Port Scanners”
address-list-timeout=none-dynamic chain=input comment=
“TCP Flag-ALL/ALL scan” protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=“Port Scanners”
address-list-timeout=none-dynamic chain=input comment=
“TCP Flag-NMAP NULL scan” protocol=tcp tcp-flags=
!fin,!syn,!rst,!psh,!ack,!urg
# Note the scanner rules themselves never match established traffic first, so
# a legitimate client can still be listed; the list never expires
# (address-list-timeout=none-dynamic), only a reboot clears it.
add action=drop chain=input comment=“Dropping Port Scanners”
src-address-list=“Port Scanners”
# No forward-chain rules at all: LAN <-> WAN <-> WireGuard forwarding is
# default-accept.
/ip firewall nat
# Both masquerade rules match on source only, with no out-interface, so they
# also rewrite WireGuard -> LAN traffic to 192.168.110.1; the web/RDP server
# logs see the router's address instead of the real client.
add action=masquerade chain=srcnat src-address=192.168.110.0/24
add action=masquerade chain=srcnat src-address=192.168.181.0/24
# Exposes RDP (3389) on 192.168.110.103 to the whole internet on port 4480 with
# no source restriction. If the intent is "remote access only via WireGuard",
# this rule is not needed at all; otherwise the dst-address should be kept in
# sync with the DDNS address rather than a fixed WAN IP.
add action=dst-nat chain=dstnat comment=“Windows 10 Laptop” dst-address=
xx.xx.xx.xx dst-port=4480 protocol=tcp to-addresses=192.168.110.103
to-ports=3389
/ip route
# gateway=PPPoE_PTCL - see the pppoe-client note above.
add disabled=no dst-address=0.0.0.0/0 gateway=PPPoE_PTCL routing-table=main
suppress-hw-offload=no
# Gateways referenced as <ip>%*F00024 / %*F0002D (internal ids rather than
# interface names) usually indicate the interface no longer exists - TODO
# verify these two routes are still wanted.
add check-gateway=ping disabled=no distance=1 dst-address=192.168.94.0/24
gateway=192.88.16.2%*F00024 pref-src=”" routing-table=main scope=30
suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.94.0/24 gateway=
192.88.16.3%*F0002D routing-table=main scope=10 suppress-hw-offload=no

I think the DNS name resolves to its public IP address. Correct?

In that case you have to use hairpin NAT / NAT loopback:
https://help.mikrotik.com/docs/display/ROS/NAT#NAT-HairpinNAT
While you are at it, also do a sanity check on your current firewall – it has some room for improvement!

So it is working as it should.

Let's review the requirements for what looks like an RDP server.
Good idea to ensure external access is done through Wireguard.
Local LAN users access the server via its LAN IP directly – good.
Local LAN users access the server via the DynDNS URL – good, but not sure how, seeing as you don't have the right rules in place.

Observations:

(1) I don't see a purpose for this rule. Disable it during testing.
/ip dns static
add address=192.168.110.3 name=airavenue.contegris.com

(2) Missing WireGuard handshake rule in the input chain…
(3) No hairpin NAT rule.
(4) Need to adjust the DSTNAT rule to exclude any external WAN IPs.
(5) firewall rules are crap , see nothing in forward chain…
(6) Your PPPoE name is attached to your user name (not separated??); I will assume it is PPPoE_OUT1.
+++++++++++++++++++++++++++++++++++++++++++++

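# Interface lists used by the rules below. wireguard1 is deliberately a member
# of LAN so tunnel clients are treated like wired LAN hosts.
/interface list
add name=WAN
add name=LAN

/interface list members
# The asker's default route uses gateway=PPPoE_PTCL, so that is probably the
# real pppoe-client name; replace PPPoE_OUT1 with whatever the router shows.
add interface=PPPoE_OUT1 list=WAN
add interface=Bridge_LAN list=LAN
add interface=wireguard1 list=LAN

/ip firewall address-list
# Resolves to the router's current public address; substitute the router's own
# IP Cloud DDNS name here.
add address=mynetname.net list=MyWAN

/ip firewall filter
# default rules to keep
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp

# admin rules
# Management ports are accepted from every interface, including WAN. Add
# in-interface-list=LAN if remote management is meant to go through WireGuard.
add action=accept chain=input comment="Router Access Remotely" dst-port=4477,4478 protocol=tcp
# Must match the listen-port of wireguard1, which is 13231 in the asker's export
# (the earlier draft of this rule had the digits transposed as 13321).
add action=accept chain=input comment="wireguard handshake" dst-port=13231 protocol=udp
# DNS from wired LAN and WireGuard clients alike (both are in the LAN list);
# the asker's original rules accepted port 53 only from Bridge_LAN.
add action=accept chain=input comment="Web Allow" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Web Allow" dst-port=53 in-interface-list=LAN protocol=udp
# Final drop: everything not explicitly accepted above is discarded.
add action=drop chain=input comment="Drop all else"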

++++++++++++++++++++++++++++++
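/ip firewall filter
# default rules to keep
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid

# admin rules
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="wg access to local LAN" in-interface=wireguard1 dst-address=192.168.110.0/24
# Accepts dst-natted connections only when they arrive from a LAN-list
# interface (wired LAN or WireGuard), never from WAN.
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat in-interface-list=LAN
# Required for the rule above to mean anything: the forward chain is
# default-accept, so without this final drop a dst-natted connection from WAN
# would still reach 192.168.110.103:3389.
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
# Masquerade only what leaves via WAN; WireGuard -> LAN traffic keeps its real
# source address.
add action=masquerade chain=srcnat out-interface-list=WAN
# Hairpin: LAN clients that connect to the public name are dst-natted back into
# the LAN and need their source rewritten so the reply returns via the router.
add action=masquerade chain=srcnat comment="hairpin" src-address=192.168.110.0/24 dst-address=192.168.110.0/24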
++++++++++++++++++++++++++++++++++++++++++++++++
# Matches only connections addressed to the router's own public IP (MyWAN
# list) rather than any address. Whether WAN clients can still reach RDP on
# 192.168.110.103 is decided by the forward chain: the "port forwarding"
# accept is LAN-only, but that only restricts anything if the chain ends in a
# drop rule.
add action=dst-nat chain=dstnat comment=“RDP Server” dst-address-list=MyWAN
dst-port=4480 protocol=tcp to-addresses=192.168.110.103 to-ports=3389

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

So in the firewall rule for port forwarding we ensure it is permitted, but not from the WAN side (we only allow local-subnet and WireGuard access, both of which are members of the LAN interface list). Note that this only holds if the forward chain ends with a final drop rule; the chain is default-accept, so without that drop traffic that matches no accept rule still passes.