Wireguard Client to lan . can't access the network [SOLVED]

Good morning, I have this scenario with a WireGuard configuration, and I can’t access the network. Could you help me?
wireguard 2.jpg
wireguard.jpg

Please provide router config
Run `/export file=anynameyouwish` and post the result with the router serial number, public WAN IP addresses, keys/secrets and similar identifying data removed.

Confusing is your moviestar setup.
It would appear that the ISP router has a LAN subnet of either 192.168.2.0/24 or 192.168.1.0/24 (the text is cut off in the diagram).

Which is it?

What IP address does the MikroTik router have on the ISP router's LAN?
One needs to forward the WireGuard UDP listen port (or, less securely, DMZ all ports) from the ISP router to that IP address of the MikroTik router.

thanks for your help !!!!!

Movistar IP Public 191.84.xxx.xxx
Movistar LAN 192.168.1.1/24
(The provider's Movistar modem does not let me change its configuration. It only allows me to assign the MikroTik the address 192.168.1.30 and put that address in the DMZ, i.e. forward all ports to it.)

wan Mikrotik 192.168.1.30
lan mikrotik 192.168.2.1/24

# 2023-08-27 12:48:42 by RouterOS 7.10.2
# software id = PJ84-0H34
# model = RB951G-2HnD
# serial number = { redacted - do not post serial numbers, licence IDs or keys on public forums }

/interface bridge
# NOTE(review): proxy-arp on the bridge is presumably there for the L2TP ppp secret
# further down, whose remote-address (192.168.2.54) lies inside the bridge subnet -- confirm
add arp=proxy-arp name=LAN
/interface ethernet
set [ find default-name=ether3 ] mac-address=08:55:31:3:64:8D
set [ find default-name=ether4 ] mac-address=08:55:31:3:64:8E
set [ find default-name=ether5 ] mac-address=08:55:31:3:64:8F
/interface wireless
set [ find default-name=wlan1 ] name=wlan2 ssid=MikroTik
/interface wireguard
# Two WireGuard interfaces on two UDP listen ports. The ISP router has to forward
# (or DMZ) the port of whichever interface the remote peers really use; only 13233
# gets an explicit input accept below, 13232 relies on the missing default drop.
add listen-port=13232 mtu=1420 name=EMANUEL
add listen-port=13233 mtu=1420 name="EMANUEL ASUS"
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
# wpa-psk (WPA version 1) is still accepted next to wpa2-psk; drop it unless a legacy
# client needs it, the SSID/passphrase are the defaults and should be changed
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods=""
mode=dynamic-keys supplicant-identity=MikroTik
/ip ipsec peer

# This entry is unreachable

add name=peer1 passive=yes
/ip pool
add name=dhcp_pool0 ranges=192.168.2.100-192.168.2.199
/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN name=dhcp1
/interface bridge port
add bridge=LAN ingress-filtering=no interface=ether3
add bridge=LAN ingress-filtering=no interface=ether4
add bridge=LAN ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
# "!dynamic" still includes ether1/ether2, so the router announces itself (MNDP/LLDP)
# towards both ISP routers; restrict discovery to the LAN-facing interfaces instead
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
# L2TP/IPsec server is enabled and accepts mschap1, a weak legacy method; keep only
# mschap2, or disable the server if WireGuard replaces it. No IPsec secret appears in
# this (sanitized) export.
set authentication=mschap1,mschap2 enabled=yes use-ipsec=yes
/interface ovpn-server server
# md5 is listed as an accepted auth digest. The server is not shown as enabled; remove
# md5 before it ever is.
set auth=sha1,md5
/interface wireguard peers
# One peer per interface, each pinned to a single /32 tunnel address (public keys were
# shortened in the post; real keys are 44 base64 characters)
add allowed-address=10.10.10.2/32 interface=EMANUEL public-key=
"Ir7sN/LQD6n/I8hnwY="
add allowed-address=10.10.11.3/32 interface="EMANUEL ASUS" public-key=
"P7dYdA49Ecg/+7l5gA="
/ip address
# ether2 = primary ISP (Movistar, which DMZs all ports to 192.168.1.30)
# ether1 = backup ISP (Fibertel, 192.168.0.0/24)
add address=192.168.2.1/24 interface=LAN network=192.168.2.0
add address=192.168.1.30/24 interface=ether2 network=192.168.1.0
add address=192.168.0.44/24 interface=ether1 network=192.168.0.0
add address=10.10.10.1/24 interface=EMANUEL network=10.10.10.0
add address=10.10.11.1/24 interface="EMANUEL ASUS" network=10.10.11.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip cloud advanced
# ROOT CAUSE of the "can't reach the network" symptom: use-local-address=yes publishes
# the router's private WAN-side address (192.168.1.30) under the DDNS name instead of
# the ISP's public IP, so remote peers resolve an address they cannot reach and never
# arrive at the ISP router's DMZ. This must be "no".
set use-local-address=yes
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
# The input chain has no final drop, so anything not matched is ACCEPTED (RouterOS
# default policy). With the ISP router DMZing every port to 192.168.1.30, every service
# on this router is reachable from the Internet except Winbox (8291) on ether1/ether2.
# The src-address=10.10.11.0/24 accept has no in-interface match, so a packet with a
# spoofed 10.10.11.x source arriving from either ISP side matches it as well; the
# 10.10.10.0/24 tunnel gets no explicit accept at all.
add action=drop chain=input dst-port=8291 in-interface=ether1 protocol=tcp
add action=drop chain=input dst-port=8291 in-interface=ether2 protocol=tcp
add action=accept chain=input dst-port=13233 protocol=udp
add action=accept chain=input src-address=10.10.11.0/24
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
/ip firewall nat
# Only 192.168.2.0/24 is translated: the WireGuard subnets (10.10.10.0/24, 10.10.11.0/24)
# are not, so tunnel clients cannot use this router for Internet access. Reaching the
# LAN itself does not depend on NAT (it is routed directly and there are no forward rules).
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1
src-address=192.168.2.0/24
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether2
src-address=192.168.2.0/24
/ip ipsec identity
add generate-policy=port-strict peer=peer1 remote-id=ignore
/ip route
# Dual-WAN failover via recursive routes: default via 9.9.9.9 (distance 10, resolved
# through 192.168.1.1 / Movistar / ether2) is preferred, default via 1.1.1.1
# (distance 11, resolved through 192.168.0.1 / Fibertel / ether1) is the backup.
# NOTE(review): the comments say "BACKUP_MOVISTAR", but the distances make Movistar the
# primary -- the names contradict the behaviour.
add check-gateway=ping comment=RUTA_ESTATICA_FIBERTEL disabled=no distance=11
dst-address=0.0.0.0/0 gateway=1.1.1.1 pref-src="" routing-table=main
scope=30 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment=RUTA_ESTATICA_BACKUP_MOVISTAR disabled=no
distance=10 dst-address=0.0.0.0/0 gateway=9.9.9.9 pref-src=""
routing-table=main scope=30 suppress-hw-offload=no target-scope=11
add comment=CHECK_DNS_FIBERTEL disabled=no distance=50 dst-address=1.1.1.1/32
gateway=192.168.0.1 pref-src="" routing-table=main scope=10
suppress-hw-offload=no target-scope=10
add comment=CHECK_DNS_MOVISTAR disabled=no distance=50 dst-address=9.9.9.9/32
gateway=192.168.1.1 pref-src="" routing-table=main scope=10
suppress-hw-offload=no target-scope=10
/ip service
# Clear-text and API services are off; winbox is not listed here, so it keeps its
# default (enabled) and is protected only by the two 8291 drop rules above.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
# L2TP account (password stripped from the export). Its remote-address is inside the
# bridge subnet, which is what the bridge's proxy-arp serves.
add local-address=10.0.0.10 name=Greyhard remote-address=192.168.2.54
service=l2tp
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system note
set show-at-login=no
/system script
# Telegram notifier. The bot token and chat id are hard-coded credentials: if the real
# token was ever posted, revoke it via BotFather. The policy list (policy, password,
# sensitive, sniff, reboot, romon, ...) grants far more than a single /tool fetch needs;
# trim it to the minimum the fetch call requires (presumably read,write,test -- confirm
# against the RouterOS docs). This matters because dont-require-permissions=yes lets any
# caller (scheduler, netwatch, a lower-privileged user) run it with these rights.
add dont-require-permissions=yes name=SendToTelegram owner=Emanuel policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":
global telegramMessage\r
\n:local botid\r
\n:local chatid\r
\n\r
\nset botid "60KsNJTt4V83O5hJefc"\r
\nset chatid "-1001912921"\r
\nif ($telegramMessage != "") do={\r
\n /tool fetch url="https://api.telegram.org/bot$botid/sendMessage?ch
at_id=$chatid&text=$telegramMessage" keep-result=no\r
\n}"

(1) Don't name your bridge "LAN": it collides with the standard RouterOS interface-list names (LAN/WAN) and with common usage, which makes the configuration harder to read and easy to get wrong.

(2) Why do you have two WireGuard interfaces? One interface, with one peer entry per client, is all you need.

(3) The firewall rules are very lacking. Is this router directly public-facing, or is there an ISP router in front of it on both links?

(4) Very confusing: your diagram does not show two WANs, but your configuration does.
What is the intention with the two WANs?
Which WAN is the WireGuard traffic coming in on?

Thank you very much for your answer !!


(1) Dont name your bridge LAN, it conflicts with standard nomenclature in RoS and common knowledge usage..
I will change the name




(2) Why do you have two wireguard interfaces assigned? You only need one??


I was running tests from another pc


(3) Thte firewall rules are very lacking, is this router public facing?? or in both cases there is an ISP router in front?

there is an ISP router ahead


(4) Very confusing your diagram doesnt have two WANs but it appears your config does??
What is the intention with the WANs?
Which WAN is wireguard coming in on…?

I have the provider’s router ahead of me. with nat enabled. which I can not change the configuration.

It is true I have made a failover configuration. ether2 as primary and backup link ether 1

Okay so you have two WAN connections?
Ether2 is primary and is connected to the ISP Router → Can you forward ports from this router?

Ether1 is secondary and is connected to ??
a. same router
b. different ISP router
c. differeing ISP modem
d. soemthing else?

Okay so you have two WAN connections?
Ether2 is primary and is connected to the ISP Router → Can you forward ports from this router?

If I can open ports from the router

Ether1 is secondary and is connected to ??
a. same router
b. different ISP router
c. differeing ISP modem
d. soemthing else?

differeing ISP modem

that modem also has nat enabled

thank you very much for your help

-Okay, so I would use the IP Cloud DDNS name (the /ip cloud "mynetname" hostname) as the endpoint address for mobile/remote users (good, it looks like you do already).
-On both ISP routers, forward UDP port 13232 to the MikroTik's address on that ISP router's LAN (192.168.0.44 on the ISP1 router, 192.168.1.30 on the ISP2 router).
I see you can DMZ your ISP router instead; that exposes every service on the MikroTik, which is all the more reason to have a complete set of firewall rules on it.
It is not clear whether your backup ISP (ether1) lets you forward ports or set a DMZ.

++++++++++++++++++++
-Disable the IP Cloud advanced setting `use-local-address=yes`. With it on, the DDNS name is published with the router's private WAN-side address (192.168.1.30) rather than the ISP's public IP, so external users resolve an address they cannot reach and their traffic never arrives at the ISP router's DMZ.
-Add an "Authorized" firewall address list (made up of statically assigned DHCP leases for the admin devices plus the WireGuard remote address) and use it to gate admin access to the router.
-For fixed WAN-side IPs, prefer action=src-nat with an explicit to-addresses over masquerade; masquerade is intended for dynamically assigned addresses.
-I don't understand your approach to primary/backup.
If ether2 is the primary, only the primary needs a recursive check: when it is unavailable, the backup is the only alternative anyway.
There is no point in recursively checking the backup.
All traffic goes out ether2 without exception, so nothing fancy is required.
That said, there is nothing wrong with checking two external hosts to confirm connectivity on the primary link.
Authorized firewall address list using static set admin LANIPs…

Mostly changes shown!

# serial number = { hidden for security }
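/interface bridge
# proxy-arp carried over from the original export; only needed while something
# (e.g. the L2TP ppp secret with a 192.168.2.x remote-address) relies on it
add arp=proxy-arp name=MyBridge
/interface wireguard
# single WireGuard interface; the second test interface ("EMANUEL ASUS") is gone
add listen-port=13232 mtu=1420 name=EMANUEL
/interface list
add name=WAN
add name=LAN
/interface list members
add interface=MyBridge list=LAN
# the tunnel counts as LAN so the admin-access and DNS rules below apply to peers too
add interface=EMANUEL list=LAN
add comment=secondary interface=ether1 list=WAN
add comment=primary interface=ether2 list=WAN
/ip dhcp-server
add address-pool=dhcp_pool0 interface=MyBridge name=dhcp1
/interface bridge port
add bridge=MyBridge ingress-filtering=no interface=ether3
add bridge=MyBridge ingress-filtering=no interface=ether4
add bridge=MyBridge ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
# stop announcing the router (MNDP/CDP/LLDP) towards the two ISP routers
set discover-interface-list=LAN
/interface wireguard peers
# public key shortened in the post; real keys are 44 base64 characters
add allowed-address=10.10.10.2/32 interface=EMANUEL public-key="Ir7sN/LQD6n/I8hnwY="
/ip address
add address=192.168.2.1/24 interface=MyBridge network=192.168.2.0
add address=192.168.1.30/24 interface=ether2 network=192.168.1.0
add address=192.168.0.44/24 interface=ether1 network=192.168.0.0
add address=10.10.10.1/24 comment="wireguard network" interface=EMANUEL network=10.10.10.0
/ip cloud advanced
# with use-local-address=yes the DDNS name is published with the router's private
# WAN-side address (192.168.1.30) instead of the public IP, so remote peers can never
# reach the ISP router's DMZ/port-forward. Keep it off (the value is lowercase yes/no).
set use-local-address=no
/ip firewall address-list
# Build this list BEFORE adding the final input drop. Every entry needs list=Authorized
# and an address= value, otherwise the "admin access" rule below matches nothing and
# the closing drop locks you out. Use addresses fixed by static DHCP leases for the
# admin devices; replace the placeholders with the real LAN IPs.
add address=<admin-desktop-lanip> comment="admin desktop (static lease)" list=Authorized
add address=<admin-smartphone-lanip> comment="admin smartphone (static lease)" list=Authorized
add address=10.10.10.2 comment="remote admin access (wireguard peer)" list=Authorized
/ip firewall filter
# ---- input chain: traffic addressed to the router itself ----
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="wireguard handshake" dst-port=13232 protocol=udp
# the next two rules only matter while the L2TP/IPsec server stays enabled; drop them
# together with that server once WireGuard replaces it
add action=accept chain=input comment="other vpn: ipsec esp" protocol=ipsec-esp
add action=accept chain=input comment="other vpn: ike/l2tp/nat-t" dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment="admin access" in-interface-list=LAN src-address-list=Authorized
# DNS to the router itself is only useful if /ip dns allow-remote-requests=yes (not shown)
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
# add this LAST, only after the Authorized list and the admin-access rule are in place
add action=drop chain=input comment="drop all else"
# ---- forward chain: traffic routed through the router ----
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
# Without this rule a WireGuard peer (in-interface EMANUEL, LAN list) talking to the
# bridge (out-interface MyBridge, also LAN list) matches nothing but "drop all else",
# which is exactly the LAN access this thread is trying to get working.
add action=accept chain=forward comment="allow wireguard <-> bridge" in-interface-list=LAN out-interface-list=LAN
# disable or remove if no dst-nat port forwards exist on this router
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
# src-nat instead of masquerade because the WAN-side addresses are static; no
# src-address match, so the WireGuard subnet (10.10.10.0/24) is translated as well
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether1 to-addresses=192.168.0.44
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether2 to-addresses=192.168.1.30
/ip ipsec identity
add generate-policy=port-strict peer=peer1 remote-id=ignore
/ip route
# Option A - a single recursive check on the primary (ether2 via 192.168.1.1):
# the default route stays active only while 1.0.0.1 answers pings through the primary
# ISP; the secondary default route (higher distance) takes over when it does not.
add check-gateway=ping distance=3 dst-address=0.0.0.0/0 gateway=1.0.0.1 scope=10 target-scope=12
add distance=3 dst-address=1.0.0.1/32 gateway=192.168.1.1 scope=11 target-scope=11
add comment=SecondaryISP distance=10 dst-address=0.0.0.0/0 gateway=192.168.0.1 scope=10 target-scope=30
# Option B - two recursive checks on the primary. Use INSTEAD of option A, not in
# addition to it (commented out here so this listing does not define both):
# add check-gateway=ping distance=3 dst-address=0.0.0.0/0 gateway=1.0.0.1 scope=10 target-scope=12
# add distance=3 dst-address=1.0.0.1/32 gateway=192.168.1.1 scope=10 target-scope=11
# add check-gateway=ping distance=4 dst-address=0.0.0.0/0 gateway=9.9.9.9 scope=10 target-scope=12
# add distance=4 dst-address=9.9.9.9/32 gateway=192.168.1.1 scope=10 target-scope=11
# add comment=SecondaryISP distance=10 dst-address=0.0.0.0/0 gateway=192.168.0.1 scope=10 target-scope=30
/tool mac-server
# no MAC-telnet anywhere; MAC-Winbox only from the LAN side
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN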

the problem was solved. I really appreciate your help

To help others, can you let us know if there was something specific or a number of changes that lead to success???

The main problem was this one:
-Disable the IP Cloud advanced setting (use-local-address), because with it on, external users cannot reach the MikroTik through the ISP router.
I solved it by switching to a No-IP dynamic-DNS hostname that resolves to the public IP,

and then configured the firewall as you described.