I’m trying to connect from my Linux desktop to my Mikrotik router with WireGuard and access the devices on the LAN. I followed the instructions on the Mikrotik documentation (https://help.mikrotik.com/docs/display/ROS/WireGuard#WireGuard-RoadWarriorWireGuardtunnel) and I can connect to the router. I can ping the router. I can ssh into the router. I can’t ping or access any of the numerous devices on the LAN.
Also please see my Dec 03 post about port forwarding having similar problems. We must have something misconfigured in our router but I don’t know where to start to look.
I just noticed all of these /ip arp entries that I didn't know were there. My compatriot configured this and ran some kind of a scan to get all of those. He doesn't remember exactly what he did.
Thanks for looking!
PS
For some reason now I am able to ping a lot of the devices on the LAN. Not all but a lot.
2023-12-08 21:51:43 by RouterOS 7.12.1
software id = 2NNB-MPRM
model = RB750Gr3
serial number = HDFxxxxxxxx
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:76 arp=proxy-arp auto-mac=no comment="defconf - proxy arp for pptp" name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add comment="GIVES 8 ADDRESSES FOR VPN 192.168.146.196-203 " name=PPTP-POOL ranges=192.168.146.196-192.168.146.203
/ip dhcp-server
add address-pool=PPTP-POOL disabled=yes interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/ppp profile
add interface-list=LAN local-address=PPTP-POOL name=pptp remote-address=PPTP-POOL use-encryption=required
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN lldp-med-net-policy-vlan=1
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set max-mru=1092 max-mtu=1092 use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
There is something wrong with your MT peer settings.
/interface wireguard peers
add allowed-address=192.168.100.0/24,192.168.146.0/24 client-address=192.168.100.2/32 client-dns=1.1.1.1 interface=wireguard1 public-key="-------------------------------------------="
As far as I know there is NO SUCH SETTING… is this something from BACK to home VPN???
ALSO there is no such entry as client DNS… Maybe these were added in 7.13c??
One does not even need endpoint address which is probably the closest thing to what you have called client address, when setting the peer for a client (for the handshake).
FINALLY, WHY oh WHY did you put in 192.168.146.0/24 ??? that is a local subnet??
SHOULD BE:
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard1 public-key="-------------------------------------------="
I’m using Winbox to work with this. Without the allowed-address=192.168.100.0/24,192.168.146.0/24 I cannot get to the router on the wireguard address 192.168.100.1 or to the LAN which is 192.168.146.0/24. I tried to take out the client-dns=1.1.1.1 but it won’t go. I’m running 7.12.1 in this router. I’m now able to get to about 90% of the devices on the LAN. The device that I am most interested in connecting to I cannot connect to or ping. I can ping it from the ARP page which makes no sense to me. The bridge has proxy-arp set for the folks that are coming in via PPTP because they insisted on using interface addresses in the LAN address block. I’ve tried turning it off or setting it to enabled and that doesn’t appear to have any effect. I’m thinking now it might be some problem in my device, the NIC having a higher metric on its route.
a. you have a perfectly legitimate Source NAT rule that covers all LAN to WAN traffic.
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
b. the wireguard is part of the lan interface list
add interface=wireguard1 list=LAN
c. You do not really block any traffic on the forward chain… other than some wan traffic.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
FINALLY what does 192.168.220.0.24 have to do with anything??
The local bridge and wireguard ARE NOT RELATED.
/ip address
add address=192.168.146.195/24 comment=defconf interface=bridge network=192.168.146.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
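The two replies above make the same point from different angles: on the router side a road-warrior peer's allowed-address should be the peer's own tunnel /32, never a LAN subnet, and the wireguard interface must be a member of the LAN interface list for the defconf firewall to treat it as inside. The script below is an added example, not code from the thread or from MikroTik: it parses a constructed RouterOS-style export modelled on the one posted here (key redacted, no `\` continuations) and flags exactly those two problems.

```python
import ipaddress
import re
# Constructed sample modelled on the export in this thread (public key redacted).
SAMPLE_EXPORT = """\
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=192.168.100.0/24,192.168.146.0/24 interface=wireguard1 public-key="REDACTED="
/ip address
add address=192.168.146.195/24 comment=defconf interface=bridge network=192.168.146.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
"""
def parse_export(text):
    """Group the 'add ...' lines of a RouterOS export under their '/section' header."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            current = line.strip()
            sections.setdefault(current, [])
        elif line.startswith("add ") and current:
            sections[current].append(dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line)))
    return sections

def check_peers(export_text):
    """Return warnings for WireGuard peers whose allowed-address is wider than it should be."""
    cfg = parse_export(export_text)
    local_nets = {}  # interface name -> connected subnets taken from /ip address
    for a in cfg.get("/ip address", []):
        local_nets.setdefault(a["interface"], []).append(ipaddress.ip_network(a["address"], strict=False))
    lan_members = {m["interface"] for m in cfg.get("/interface list member", []) if m["list"] == "LAN"}
    warnings = []
    for peer in cfg.get("/interface wireguard peers", []):
        wg_if = peer["interface"]
        if wg_if not in lan_members:
            warnings.append(f"{wg_if}: not in interface list LAN, so the defconf firewall treats it as untrusted")
        for cidr in peer["allowed-address"].split(","):
            net = ipaddress.ip_network(cidr, strict=False)
            # A road-warrior peer on the router side should be limited to its own tunnel /32.
            if any(net.subnet_of(t) for t in local_nets.get(wg_if, [])) and net.prefixlen != net.max_prefixlen:
                warnings.append(f"{wg_if}: allowed-address {cidr} covers the whole tunnel subnet; use the peer's /32")
            # A LAN subnet in allowed-address lets that peer send packets with LAN source addresses.
            for ifname, nets in local_nets.items():
                if ifname != wg_if and any(net.overlaps(n) for n in nets):
                    warnings.append(f"{wg_if}: allowed-address {cidr} overlaps the local subnet on {ifname}")
    return warnings
```

Run against the sample it reports both the /24 tunnel entry and the 192.168.146.0/24 overlap; with allowed-address=192.168.100.2/32 it reports nothing.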
Strange to ask here but okay. It's part of the new BTH design, or the give-a-client-a-setup design (export).
Just make sure it's not part of the real config come play time, as the regular allowed IPs is what is critical.