Wireguard client cannot ping servername

Hello Everyone,

I am trying to setup my first Mikrotik Wireguard Road Warrior VPN.

I have bridged the ISP router and am doing the PPPoE on the MikroTik. I can connect with a WireGuard client and can ping the WireGuard IP 192.168.0.1 and my server IP 192.168.0.10.

I cannot, however, ping the server by its server name, only by its IP.

If anybody could help with this I would be very grateful.

Below is my config. Any other advice about what I should or should not have in there would also be appreciated.


#
# model = L009UiGS-2HaxD
# serial number = *****
/interface bridge
add admin-mac=D4:01:C3:D0:A9:98 auto-mac=no comment=defconf name=bridge
# SSID and PSK are placeholders in this export; WPA2+WPA3 PSK with fast transition.
/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=ssid disabled=\
    no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=\
    yes
# WireGuard server interface; UDP/21269 is opened on the input chain further down.
/interface wireguard
add listen-port=21269 mtu=1420 name=wg1
/interface vlan
add interface=ether1 name=vlan167 vlan-id=167
# ISP termination: PPPoE over VLAN 167 on ether1; this session supplies the default route.
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan167 keepalive-timeout=20 \
    name=pppoe-1 user=****
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.0.101-192.168.0.199
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wifi1
/ip neighbor discovery-settings
set discover-interface-list=LAN
# wg1 is a member of LAN, so every rule keyed on in-interface-list=LAN (the final
# input-chain "drop all not coming from LAN" rule and the mac-server allow-lists at
# the bottom) treats tunnel clients exactly like trusted LAN hosts.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-1 list=WAN
add interface=wg1 list=LAN
# Single peer; allowed-address pins the client to one /32 inside 192.168.77.0/24.
/interface wireguard peers
add allowed-address=192.168.77.2/32 interface=wg1 name=Lee public-key=\
    "********="
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
    192.168.0.0
add address=192.168.77.1/24 interface=wg1 network=192.168.77.0
# Publishes the router's public address under a *.sn.mynetname.net name
# (the client profile in this thread uses it as the WireGuard Endpoint).
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
# defconf leftover: ether1 itself is not the WAN here (the PPPoE session over
# vlan167 is), so this DHCP client is probably unnecessary.
/ip dhcp-client
add comment=defconf interface=ether1
# LAN clients are handed four resolvers. Only 192.168.0.1 (this router) holds the
# static records below; a client that asks 192.168.0.10 or a public resolver
# for one of those names may not get an answer.
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=\
    192.168.0.1,192.168.0.10,69.63.64.12,8.8.8.8 gateway=192.168.0.1 netmask=\
    24
# allow-remote-requests=yes makes the router answer DNS on every interface; the
# input-chain "drop all not coming from LAN" rule is what keeps this closed on
# the WAN, so that rule must stay in place.
/ip dns
set allow-remote-requests=yes servers=\
    192.168.0.1,192.168.0.10,69.63.64.12,8.8.8.8
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan type=A
# Static record for the server. The WireGuard client profile in this thread
# lists 192.168.0.10 and 8.8.8.8 as DNS, not 192.168.0.1, so a tunnel client
# will not see this record unless 192.168.0.10 forwards queries here — TODO confirm.
add address=192.168.0.10 name=SERVER type=A
# IPv4 input chain: order matters — the WireGuard accept sits before the final !LAN drop.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Exposes only the WireGuard listen port to the WAN (required for road-warrior
# clients); apart from ICMP and established/related, nothing else on input is
# reachable from WAN because of the !LAN drop below.
add action=accept chain=input comment="Allow Wireguard" dst-port=21269 \
    protocol=udp
# Explicit wg1 -> bridge accept. The forward chain below has no catch-all drop,
# so this mostly documents intent rather than changing what is allowed.
add action=accept chain=forward comment="Allow Wireguard traffic on LAN" \
    in-interface=wg1 out-interface=bridge
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Only WAN-originated new connections are dropped; anything else that reaches
# the end of the forward chain is accepted.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Rewrites every tunnel client's source to 192.168.0.1 when it talks to the LAN:
# hosts such as 192.168.0.10 see the router, not the client, so per-client
# access control and logging on the server cannot tell clients apart. Probably
# unnecessary, since wg1 already routes into 192.168.0.0/24 directly.
add action=src-nat chain=srcnat dst-address=192.168.0.0/24 src-address=\
    192.168.77.0/24 to-addresses=192.168.0.1
# Redundant: pppoe-1 is already in the WAN list, so the defconf masquerade
# rule above covers 192.168.77.0/24 as well.
add action=masquerade chain=srcnat out-interface=pppoe-1 src-address=\
    192.168.77.0/24
# IPv6 defconf rules follow; this export shows no /ipv6 address configuration.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Africa/Johannesburg
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
# MAC-telnet / MAC-winbox are allowed on the LAN list; because wg1 is in LAN,
# tunnel clients can reach these management services too.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN



Thanks

What does your client config look like?
Do you use your router as the DNS server in that config?

Client setup looks like this…



# WireGuard road-warrior client profile as posted; keys redacted by the poster.
[Interface]
PrivateKey = ******
# Matches the peer's allowed-address=192.168.77.2/32 on the router.
Address = 192.168.77.2/32
# Resolvers used while the tunnel is up: the server itself and a public resolver.
# The router (192.168.0.1), which holds the static "SERVER" A record, is not
# listed, so that name can only resolve here if 192.168.0.10 answers or
# forwards it — TODO confirm what 192.168.0.10 returns for the name.
# NOTE(review): single-label names are often resolved on a LAN by link-local
# broadcast/multicast name services that do not cross a routed tunnel — check.
DNS = 192.168.0.10, 8.8.8.8

[Peer]
PublicKey = *****
# Full tunnel: all IPv4 traffic, Internet included, goes via the router.
AllowedIPs = 0.0.0.0/0
# Router reached via its IP Cloud DDNS name on the WireGuard listen port.
Endpoint = ******.sn.mynetname.net:21269
# Periodic keepalive so NAT state toward the endpoint does not expire.
PersistentKeepalive = 30

Add wireguard interface to LAN interface list (it IS trusted so no harm considering it as LAN).

Thank you for your reply.

I think it is already, unless I'm mistaken

From config

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-1 list=WAN
add interface=wg1 list=LAN

and printed from

LIST INTERFACE

;;; defconf
0 LAN bridge
;;; defconf
1 WAN ether1
2 WAN pppoe-1
3 LAN wg1


I am starting to suspect it may have something to do with the VLAN on the PPPoE, but I'm just guessing wildly and clutching at straws with my limited knowledge.

/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys)
edit: I see you have; one moment while I take a look.

\

  1. REMOVE THIS LINE or disable it; it may be interfering, as the ISP termination work is already done at the PPPoE tab.
    /ip dhcp-client
    add comment=defconf interface=ether1

  2. Did you manually add the netmask here? My config doesn't show it. If so, remove it manually.
    /ip dhcp-server network
    add address=192.168.0.0/24 comment=defconf dns-server=
    192.168.0.1,192.168.0.10,69.63.64.12,8.8.8.8 gateway=192.168.0.1 netmask=
    24
    ???

  3. Your firewall rules are out of order and poorly organized…
    See fix below.
    /ip firewall filter
    add action=accept chain=input comment=
    “defconf: accept established,related,untracked” connection-state=
    established,related,untracked
    add action=drop chain=input comment=“defconf: drop invalid” connection-state=
    invalid
    add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
    add action=accept chain=input comment=
    “defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
    add action=accept chain=input comment=“Allow Wireguard” dst-port=21269
    protocol=udp
    add action=drop chain=input comment=“defconf: drop all not coming from LAN”
    in-interface-list=!LAN
    ++++++++++++++++++++++++++++++++++++++++
    add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
    connection-state=established,related hw-offload=yes
    add action=accept chain=forward comment=
    “defconf: accept established,related, untracked” connection-state=
    established,related,untracked
    add action=drop chain=forward comment=“defconf: drop invalid”
    connection-state=invalid
    add action=accept chain=forward comment=“Allow Wireguard traffic on LAN”
    in-interface=wg1 out-interface=bridge
    add action=drop chain=forward comment=
    “defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
    connection-state=new in-interface-list=WAN

Also, I don't like the default rule once one changes the requirements for real traffic flows.
This is clearer and safer.
add action=accept chain=forward comment=“internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“WG to LAN” in-interface=wg1 dst-address=192.168.0.1/24
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat
add action=drop chain=forward comment=“Drop all else”

  1. Your source NAT rules are duplicated… cleaned up, only one rule is required.
    /ip firewall nat
    add action=masquerade chain=srcnat comment=“defconf: masquerade”
    ipsec-policy=out,none out-interface-list=WAN

You will note this rule was removed; it is not required unless you can explain your intention for it, which can then be evaluated…
add action=src-nat chain=srcnat dst-address=192.168.0.0/24 src-address=
192.168.77.0/24 to-addresses=192.168.0.1

The other one for WireGuard was nonsensical: traffic is coming in, not going out, and since the WG interface is part of the LAN list,
and we have a LAN-to-WAN forward chain rule plus the source NAT rule above, any traffic from a WireGuard client hitting the router and then going out to the Internet
will already be permitted and NATed to the public IP of the router.

  1. If you don't need IPv6, disable it and remove all the firewall rules and address lists except these two
    add chain=input action=drop
    add chain=forward action=drop

That cleans up the router; now let's get to the pinging nonsense… the goal is whether you can reach the server and carry out traffic, not whether you can ping it.
To reach your router after connecting via WireGuard using a DynDNS name seems bizarre to me; simply use the IP address of the server.
That is why we have the rule allow wireguard to the home subnet.

There is no way to enter a domain name on the far side and magically get connected through WireGuard and then to the server; it is not possible.
I suggest IPsec for this required flexibility.

Thank you very much.

All seems to be working fine now.
I can reach the server by IP but not by server name through WireGuard now. I can ping the server name from the MikroTik and from a device on the LAN, but only the server IP through WireGuard. Anyway, it is not too serious, as I have edited the Windows hosts file to resolve the server name to the IP. It feels very 1990s, but it's working.

Thanks again for your help, I very much appreciate it.