WireGuard can't reach LAN

invadersMustDie · March 29, 2022, 4:47pm

I’ve been trying to solve it for few days without any success.
So here is my config.

/interface bridge
add admin-mac=08:55:31:3E:74:1B auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=XXXXXXXXX
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.50-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=23h name=defconf
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface wireguard peers
add allowed-address=192.168.77.0/24,192.168.88.0/24 interface=wireguard \
    persistent-keepalive=10s public-key=\
    "XXXXXXX"
add allowed-address=192.168.77.0/24,192.168.88.0/24 interface=wireguard \
    persistent-keepalive=10s public-key=\
    "XXXXXXX"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.77.1/24 interface=wireguard network=192.168.77.0
/ip arp
add address=192.168.88.254 comment=broadcast interface=bridge mac-address=\
    FF:FF:FF:FF:FF:FF
add address=192.168.88.222 interface=bridge mac-address=D0:50:99:4D:FC:2D
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=WireGuard dst-port=13231 protocol=udp
add action=accept chain=input comment=\
    "accept established,related,untracked DEFAULT!" connection-state=\
    established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=pppoe-out1

WG Client-site from laptop
[Interface]
PrivateKey = XXXXX
Address = 192.168.77.2/32

[Peer]
PublicKey = XXXXX
AllowedIPs = 192.168.77.0/24, 192.168.88.0/24
Endpoint = XXXXX:13231
PersistentKeepalive = 10

Connection is established but I can ping only 192.168.77.1 and 192.168.88.1 from laptop. What is a problem? I’ve made a static route for 192.168.88.0/24 with 192.168.77.1 as gateway - no result. And tried to forward 88.0/24 to 77.0/24 and backward through firewall filter.

anav · March 30, 2022, 3:17pm

So the conclusion is you wish to be able to connect to your MT router (Server) from a mobile device (laptop) for the purposes of accessing devices on the LAN of the mikrotik??

Why two peer settings identical on Mikrotik?? Why keep alive ??? Why do you have the subnet on the MT LAN as an allowed IP ???
/interface wireguard peers
add allowed-address=192.168.77.0/24,192.168.88.0/24 interface=wireguard
persistent-keepalive=10s public-key=
“XXXXXXX”
add allowed-address=192.168.77.0/24,192.168.88.0/24 interface=wireguard
persistent-keepalive=10s public-key=
“XXXXXXX”

anav · March 30, 2022, 3:23pm

Not sure what you mean by static routes, but NOT required.

(1) Allowed IPs
This needs fixing
For allowed IPs at MT device,
all you need is 192.168.77.2/32

THis is already correct!!
At mobile laptop all you need for allowed IPs is
192.168.88.0/24, 192.168.77.0/24

(2) IP Routes
NO need to add any routes as the IP address for the wireguard interface ensures there is a route back to the mobile laptop dynamically
(DAC) dst-address=192.168.77.0/24 gwy=wireguard

(3) IP address structure… looks fine.

(4) Firewall rules. …look fine, or more accurately nothing I see that will prevent laptop to lan subnet traffic?

anav · March 30, 2022, 3:31pm

I think this is not required as your dhcp client settings are all done in pppoe???
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1 use-peer-dns=no

anav · March 30, 2022, 3:34pm

If you want to be able to configure the router through the wireguard tunnel this is preventing such traffic.
add action=drop chain=input comment=“drop all not coming from LAN”
in-interface-list=!LAN

Two options, add another input chain rule from in-interface=wireguard dst-port=winbox src-address=192.168.77.2

OR

add interface=wireguard list=LAN

invadersMustDie · March 31, 2022, 10:44am

The purpose is to reach media server via samba on MT side. I can reach it through LAN. So I added even two of these options 1. wireguard interface to LAN interface list and 2. input chain rule but without dst-port
And I still can’t even ping anything in LAN except 88.1 (MT)
DHCP-client was disabled it was for other stuff
Allowed IPs I’ve fixed too

anav · March 31, 2022, 11:04am

Not quite sure what you mean by via samba?
In any case there is nothing blocking in the firewall, no rules needed to be added.
If you cannot ping the server its because you have windows firewall or some software firewall or even the samba server software itself blocking the pinging.

holvoetn · March 31, 2022, 2:27pm

SMB protocol, with freeware port known as samba

jvanhambelgium · March 31, 2022, 2:52pm

Make sure your target responds to pings from another subnet.
If you test from the same LAN-space as the target machine it might reply while pinging remotely it might not.
What is this target machine ? Windows ? Linux+Samba ? Use tcpdump on the target to see if anything arrives etc,etc,etc

invadersMustDie · March 31, 2022, 7:29pm

Windows and firewall is disabled. I’ll try tcpdump

siang7711 · October 4, 2022, 3:02pm

Is there any solution here?
I’m having the same issue here, I want to access all computer under the LAN network the following services/port, but WireGuard client on my phone not able to access it.
-smb file sharing
-RDP
-VNC
-http
-https

holvoetn · October 4, 2022, 3:24pm

Best to start a new thread with clear description of your current setup (a drawing will always be helpful), export of your config of Mikrotik router, and what you already tried, how it turned out etc etc.
Also provide export of config of your phone.

anav · October 4, 2022, 4:17pm

Concur, post complete config of MT server device /export (minus serial number and any public WANIP info) and phone settings minus key info and publicWANIP info.

Just to be clear CoNFIRM WITH YES OR NO
Requirements from phone connection.,

a. reach LAN devices ?
b. configure router ?
c. reach internet via MT?