Wireguard for private use not completing handshake

Hello there,

maybe someone here can point me in the right direction. So, I replaced my RB2011 with a RB5009 and reconfigured it from scratch. I got everything working so far: CAPsMAN with VLAN, DHCP server, WireGuard with Mullvad etc. So I decided to reconfigure my private “Roadwarrior VPN” with WireGuard. I redid all the public and private keys (on the RB5009 and on the iPhone client). The handshake will not complete, whatever I change or redo. Even disabling all firewall rules did not help. The other 2 VPN tunnels (Mullvad, Keepsolid) work after testing these.

Hotspot for the guest network is disabled atm

Wireguard Config for Private VPN:

/interface wireguard
add comment="[wireguard] vpn privat" listen-port=13231 mtu=1420 name="wg - privat"

/interface wireguard peers
add allowed-address=10.8.0.11/32 comment="[wireguard peer] private vpn - iOS" interface="wg - privat" persistent-keepalive=25s public-key=\
    "9AAAYM07Y2im+DW90eaGaBBn6IahBrU+pVrTnL5v0WE="

/ip address
add address=10.8.0.1/24 comment="[iP] wireguard - private VPN" interface="wg - privat" network=10.8.0.0

Firewall Rules (far from complete atm)

/ip firewall address-list
add address=192.168.143.0/24 comment="[list] safe_networks" list=safe_networks
add address=10.8.0.0/24 list=safe_networks
add address=www.wieistmeineip.de comment="[list] route to vpn" list=to_vpn
add address=192.168.143.65 comment=" [list] homeassistant" list=homeassistant
add address=serial.sn.mynetname.net comment="[list] external WAN-IP" list=WANIP
add address=172.16.251.0/24 comment="[list] interne netze" list=interne_netze
add address=172.16.252.0/24 list=interne_netze
add address=172.16.253.0/24 list=interne_netze
add address=10.9.0.0/24 list=interne_netze
add address=192.168.143.200 comment="[list] interne dns server" list=interne_dns_server
add address=192.168.143.122 list=interne_dns_server
add address=232.0.0.0/16 comment="[list] Multiast" list=Multicast
add address=239.35.0.0/16 list=Multicast
add address=224.0.0.0/4 list=Multicast

/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=input dst-address-list=WANIP dst-port=13231 protocol=udp
add action=accept chain=input connection-state=new src-address=127.0.0.1
add action=accept chain=input src-address-list=safe_networks
add action=accept chain=input comment="[input] allow input est. rel. untracked." connection-state=established,related,untracked
add action=accept chain=input comment="[input] allow | access to dhcp server" dst-port=67 protocol=udp src-address-list=interne_netze
add action=drop chain=input comment="[input] drop" connection-nat-state=!dstnat connection-state="" log=yes log-prefix=!drop-input
add action=accept chain=forward src-address=10.8.0.0/24
add action=accept chain=forward comment="[forward] allow | interne netze zu dns server" dst-address-list=interne_dns_server dst-port=53 protocol=udp \
    src-address-list=interne_netze
add action=accept chain=forward comment="[forward] allow IoT Netz to Homeassistant" dst-address-list=homeassistant src-address=172.16.253.0/24
add action=accept chain=forward comment="[forward] allow | IoT to Internet" dst-address-list=!interne_netze src-address=172.16.253.0/24
add action=drop chain=forward comment="[forward] drop | everything else from IoT Network" log=yes log-prefix="!drop IoT" src-address=172.16.253.0/24
add action=accept chain=forward comment="[forward] allow | established, related" connection-state=established,related
add action=drop chain=forward comment="[forward] drop  | invalid" connection-state=invalid
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=to_vpn new-routing-mark=wg_mullvad_albania passthrough=no
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=172.16.251.0/24
add action=masquerade chain=srcnat comment="[NAT] 1und1 VDSL" out-interface="[pppoe-client] 1und1-VDSL100"
add action=dst-nat chain=dstnat comment="[DST NAT] HTTPS to reverse proxy" in-interface="[pppoe-client] 1und1-VDSL100" to-addresses=192.168.143.122
add action=masquerade chain=srcnat comment="[NAT] wireguard - keepsolid serbia" out-interface=wg-keepsolid-serbia
add action=masquerade chain=srcnat comment="[NAT] wg - mullvad vpn - albania" out-interface=wg-mullvad-albania

Does anybody see any errors? Perhaps I’m “blind” to it at the moment.

If you knew where the problem lies, why ask… '=PP

In other words,
a. provide full /export file=anynameyouwish (minus router serial # and any public WANIP information, keys etc.)
b. config of iphone redacted as required.

Adding to Anav’s (as usual extremely friendly) way of answering :laughing:
(but he is right, we need that info in order to help further)

Long shot from my side:
Is it correct you are using MikroTik’s IP Cloud service to get an external DNS name? Since I see serial.sn.mynetname.net?
And you are trying to connect from your phone to your RB5009 directly?
Question: did you change the DNS name in your iPhone settings ?
New device = new serial number = new DNS name.

If this was a miss, then we need to see the config as requested.

I want to use this Cloud IP service in order to create the hairpin NAT rule afterwards. The serial of the RB5009 is matching…

Will post the whole Config later on when I get home from work…

You need to be clear of the requirements and setup when you post the complete config.

Have you dropped the Mullvad connection (no longer used) because you only have one peer, and I thought you wanted to connect to your router remotely?

If you want both, suggest create a separate WG interface for your own private use ( remoting in ).

So, I found what was missing :smiley: Finally..

As I decided to configure the Router from Scratch, without the default configuration, the following Filter Rule was missing…

filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"

with this in Place the Handshake completes… Finally…

:laughing:

That makes no sense to me… WireGuard and that default rule are NOT related, at least not normally. Since you never provided a full config, it’s hard to say.
If you want others to learn from your experience and to more fully bake our understanding of how to use WG in different situations, it would be good to let us know why the addition of this rule helped!

I have to edit: my client phone connected to my WiFi again, and this caused it to connect. Will export that configuration after my kids are in bed. Damn WireGuard…

Understood, thanks for your patience…

here is my Config so far…

# feb/14/2023 20:18:59 by RouterOS 7.7
# model = RB5009UG+S+
/caps-man configuration
add channel.band=2ghz-b/g/n comment="[2.4GHz] vlan253 - IoT" country=germany \
    datapath.local-forwarding=yes .vlan-id=253 .vlan-mode=use-tag distance=\
    indoors hide-ssid=no installation=indoor mode=ap name=\
    "ssid4 - vlan253 - IoT" security.authentication-types=wpa-psk,wpa2-psk \
    .encryption=aes-ccm,tkip ssid=ssid4
add channel.band=2ghz-b/g/n comment="[2.4GHz] vlan252 - kinder" country=\
    germany datapath.local-forwarding=yes .vlan-id=252 .vlan-mode=use-tag \
    distance=indoors hide-ssid=yes installation=indoor mode=ap name=\
    "ssid2 - vlan252 - kinder" security.authentication-types=wpa2-psk \
    .encryption=aes-ccm ssid=ssid2
add channel.band=2ghz-g/n comment="[2.4GHz] vlan251 - gast" country=germany \
    datapath.local-forwarding=yes .vlan-id=251 .vlan-mode=use-tag distance=\
    indoors hide-ssid=yes installation=indoor mode=ap name=\
    "ssid3 - vlan251 - gast" security.authentication-types=wpa2-psk \
    .encryption=aes-ccm ssid=ssid3
add channel.band=2ghz-g/n comment="[2.4GHz] vlan1 - lan" country=germany \
    datapath.client-to-client-forwarding=yes .local-forwarding=yes distance=\
    indoors installation=indoor mode=ap name="ssid1 - vlan1 - lan" \
    security.authentication-types=wpa2-psk .encryption=aes-ccm ssid=ssid1
add channel.band=5ghz-onlyac comment="[5GHz] vlan1 - lan" country=germany \
    datapath.client-to-client-forwarding=yes .local-forwarding=yes distance=\
    indoors installation=indoor mode=ap name="ssid1-5G - vlan1 - lan" \
    security.authentication-types=wpa2-psk .encryption=aes-ccm ssid=ssid1-5G
add channel.band=5ghz-onlyac comment="[5GHz] vlan252 - kinder" country=\
    germany datapath.local-forwarding=yes .vlan-id=252 .vlan-mode=use-tag \
    distance=indoors hide-ssid=yes installation=indoor mode=ap name=\
    "ssid2-5G - vlan252 - kinder" security.authentication-types=wpa2-psk \
    .encryption=aes-ccm ssid=ssid2-5G
/interface bridge
add comment="[bridge] LAN" name=bridge_lan
add comment="[bridge] Trunk Port" ingress-filtering=no name=bridge_trunk \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
/interface pppoe-client
add add-default-route=yes comment="[PPPOE] 1&1 VDSL 100" disabled=no \
    interface=ether1 name="[pppoe-client] 1und1-VDSL100" user=\
    "pppoeuser"
/caps-man interface
add configuration="ssid1 - vlan1" disabled=no l2mtu=1600 mac-address=\
    48:8F:5A:77:86:86 master-interface=none name=homewap01-1 radio-mac=\
    48:8F:5A:77:86:86 radio-name=488F5A778686
add configuration="ssid3 - vlan251" disabled=no l2mtu=1600 \
    mac-address=4A:8F:5A:77:86:86 master-interface=homewap01-1 name=\
    homewap01-1-1 radio-mac=00:00:00:00:00:00 radio-name=4A8F5A778686
add configuration="ssid2 - vlan252" disabled=no l2mtu=1600 \
    mac-address=4A:8F:5A:77:86:87 master-interface=homewap01-1 name=\
    homewap01-1-2 radio-mac=00:00:00:00:00:00 radio-name=4A8F5A778687
add configuration="ssid4 - vlan253" disabled=no l2mtu=1600 mac-address=\
    4A:8F:5A:77:86:88 master-interface=homewap01-1 name=homewap01-1-3 \
    radio-mac=00:00:00:00:00:00 radio-name=4A8F5A778688
add configuration="ssid1-5G - vlan1" disabled=no l2mtu=1600 \
    mac-address=48:8F:5A:77:86:87 master-interface=none name=homewap01-2 \
    radio-mac=48:8F:5A:77:86:87 radio-name=488F5A778687
add configuration="ssid2-5G - vlan252" disabled=no l2mtu=1600 \
    mac-address=4A:8F:5A:77:86:89 master-interface=homewap01-2 name=\
    homewap01-2-1 radio-mac=00:00:00:00:00:00 radio-name=4A8F5A778689
add configuration="ssid1 - vlan1" disabled=no l2mtu=1600 mac-address=\
    48:8F:5A:38:AE:96 master-interface=none name=homewap02-1 radio-mac=\
    48:8F:5A:38:AE:96 radio-name=488F5A38AE96
add configuration="ssid3 - vlan251" disabled=no l2mtu=1600 \
    mac-address=4A:8F:5A:38:AE:96 master-interface=homewap02-1 name=\
    homewap02-1-1 radio-mac=00:00:00:00:00:00 radio-name=4A8F5A38AE96
add configuration="ssid2 - vlan252" disabled=no l2mtu=1600 \
    mac-address=4A:8F:5A:38:AE:97 master-interface=homewap02-1 name=\
    homewap02-1-2 radio-mac=00:00:00:00:00:00 radio-name=4A8F5A38AE97
add configuration="ssid4 - vlan253" disabled=no l2mtu=1600 mac-address=\
    4A:8F:5A:38:AE:98 master-interface=homewap02-1 name=homewap02-1-3 \
    radio-mac=00:00:00:00:00:00 radio-name=4A8F5A38AE98
add configuration="ssid1-5G - vlan1" disabled=no l2mtu=1600 \
    mac-address=48:8F:5A:38:AE:97 master-interface=none name=homewap02-2 \
    radio-mac=48:8F:5A:38:AE:97 radio-name=488F5A38AE97
add configuration="ssid2-5G - vlan252" disabled=no l2mtu=1600 \
    mac-address=4A:8F:5A:38:AE:99 master-interface=homewap02-2 name=\
    homewap02-2-1 radio-mac=00:00:00:00:00:00 radio-name=4A8F5A38AE99
/interface wireguard
add comment="[wireguard] keepsolid - serbia" listen-port=15279 mtu=1420 name=\
    wg-keepsolid-serbia
add comment="[wireguard] mullvad vpn - albania" listen-port=51820 mtu=1420 \
    name=wg-mullvad-albania
add comment="[wireguard] privat" listen-port=13231 mtu=1420 name=wg-privat
/interface vlan
add comment="[vlan1] LAN" interface=bridge_trunk name=vlan1 vlan-id=1
add comment="[vlan251] Netz" interface=bridge_trunk name=vlan251 \
    vlan-id=251
add comment="[vlan252] Netz" interface=bridge_trunk name=vlan252 \
    vlan-id=252
add comment="[vlan253] Netz" interface=bridge_trunk name=\
    vlan253 vlan-id=253
/interface list
add comment="[WAN] pppoe interfaces" name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
add dns-name=hotspot.gast.lan hotspot-address=172.16.251.254 login-by=\
    http-chap name=hs_gast_prof
/ip pool
add comment="[pool] LAN" name="[pool] lan" ranges=\
    192.168.143.150-192.168.143.175
add comment="[pool] vlan251 - Netz" name="[pool] vlan251" ranges=\
    172.16.251.100-172.16.251.119
add comment="[pool] vlan252 - Netz" name="[pool] vlan252" ranges=\
    172.16.252.100-172.16.252.119
add comment="[pool] vlan253 - Netz" name="[pool] vlan253" ranges=\
    172.16.253.100-172.16.253.109
/ip dhcp-server
add address-pool="[pool] vlan253" comment="[dhcp server] vlan253" \
    interface=vlan253 lease-time=12h name="[dhcp server] vlan253"
add address-pool="[pool] vlan251" comment=\
    "[dhcp server] vlan251 - g\E4ste netz" interface=vlan251 lease-time=4h \
    name="[dhcp server] vlan251"
add address-pool="[pool] vlan252" comment=\
    "[dhcp server] vlan252" interface=vlan252 lease-time=8h \
    name="[dhcp server] vlan252"
add address-pool="[pool] lan" comment="[dhcp server] lan" interface=\
    bridge_lan lease-time=1d name="[dhcp server] lan"
/ip hotspot
add address-pool="[pool] vlan251" interface=vlan251 name=hotspot_gast \
    profile=hs_gast_prof
/ip hotspot user profile
add address-pool="[pool] vlan251" name=hs_up_gast rate-limit=2M/6M
/routing table
add comment="[wireguard] keepsolid - serbia" disabled=no fib name=\
    wg_keepsolid_serbia
add comment="[wireguard] mullvad-vpn albania" disabled=no fib name=\
    wg_mullvad_albania
/snmp community
set [ find default=yes ] disabled=yes
add addresses=192.168.143.0/24 authentication-protocol=SHA1 \
    encryption-protocol=AES name=librenms security=authorized
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    name=zt1 port=9993
/zerotier interface
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=\
    zt1 name=zerotier-privat network=ztid
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge_lan
/caps-man provisioning
add action=create-enabled comment=2.4GHz hw-supported-modes=gn \
    master-configuration="ssid1 - vlan1" name-format=identity \
    slave-configurations=\
    "ssid3 - vlan251,ssid2 - vlan252,ssid4 - vlan253"
add action=create-enabled comment=5GHz hw-supported-modes=ac \
    master-configuration="ssid1-5G - vlan1" name-format=identity \
    slave-configurations="ssid2-5G - vlan252"
/interface bridge port
add bridge=bridge_lan comment="[ether2] lan" interface=ether2
add bridge=bridge_trunk comment="[sfp+] trunk port" interface=sfp-sfpplus1
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge_trunk comment="[bridge] bridge_trunk" tagged=\
    sfp-sfpplus1,bridge_trunk vlan-ids=251,252,253
/interface list member
add interface="[pppoe-client] 1und1-VDSL100" list=WAN
add interface=bridge_lan list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="[wireguard peer] keepsolid - serbia" \
    endpoint-address=endpointip endpoint-port=15279 interface=\
    wg-keepsolid-serbia persistent-keepalive=25s public-key=\
    "publickey"
add allowed-address=0.0.0.0/0 comment="[wg peer] mullvad vpn - albania" \
    endpoint-address=endpointip endpoint-port=51820 interface=\
    wg-mullvad-albania persistent-keepalive=25s public-key=\
    "publickey"
add allowed-address=10.8.0.10/32 interface=wg-privat persistent-keepalive=25s \
    public-key="G5IZhdgpSEk.......+14="
/ip address
add address=192.168.143.1/24 comment="[lan] 192.168.143.254/24 - ether2" \
    interface=bridge_lan network=192.168.143.0
add address=172.16.251.1/24 comment="[vlan251] 172.16.251.254/24" interface=\
    vlan251 network=172.16.251.0
add address=172.16.252.1/24 comment="[vlan252] 172.16.252.254/24" interface=\
    vlan252 network=172.16.252.0
add address=172.16.253.1/24 comment="[vlan253] 172.16.253.254/24" interface=\
    vlan253 network=172.16.253.0
add address=10.101.146.160 comment="[iP] wireguard - keepsolid - serbia" \
    interface=wg-keepsolid-serbia network=wg_ip
add address=10.67.124.204 comment="[iP] mullvad vpn - albania" interface=\
    wg-mullvad-albania network=wg_ip
add address=10.8.0.1/24 comment="[iP] wireguard privat" interface=wg-privat \
    network=10.8.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
#### DHCP Leases removed
/ip dns
set allow-remote-requests=yes servers=192.168.143.200,192.168.143.122
/ip firewall address-list
add address=192.168.143.0/24 comment="[list] safe_networks" list=\
    safe_networks
add address=10.8.0.0/24 list=safe_networks
add address=xxxxxxxxxx comment="[list] route to vpn" list=to_vpn
add address=yyyyyyy list=to_vpn
add address=zzzzzzzzzzz list=to_vpn
add address=192.168.143.65 comment=" [list] homeassistant" list=homeassistant
add address=sn.sn.mynetname.net comment="[list] external WAN-IP" \
    list=WANIP
add address=www.wieistmeineip.de list=to_vpn
add address=172.16.251.0/24 comment="[list] interne netze" list=interne_netze
add address=172.16.252.0/24 list=interne_netze
add address=172.16.253.0/24 list=interne_netze
add address=10.9.0.0/24 list=interne_netze
add address=192.168.143.200 comment="[list] interne dns server" list=\
    interne_dns_server
add address=192.168.143.122 list=interne_dns_server
add address=xxxxxxxxxxxxx disabled=yes list=to_vpn
add address=232.0.0.0/16 comment="[list] Multiast" list=Multicast
add address=239.35.0.0/16 list=Multicast
add address=224.0.0.0/4 list=Multicast
add address=10.8.0.0/24 list=interne_netze
add address=yyyyyyyyyyyyyy list=to_vpn
add address=10.9.0.0/24 list=safe_networks
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here"
add action=accept chain=input dst-port=13231 in-interface=\
    "[pppoe-client] 1und1-VDSL100" protocol=udp src-address-list=""
add action=accept chain=input comment="defconf: accept to local loopback" \
    dst-address=127.0.0.1 log=yes log-prefix=!localhost
add action=accept chain=input src-address-list=safe_networks
add action=accept chain=input comment=\
    "[input] allow input est. rel. untracked." connection-state=\
    established,related,untracked
add action=accept chain=input comment="[input] allow | access to dhcp server" \
    dst-port=67 protocol=udp src-address-list=interne_netze
add action=drop chain=input comment="[input] drop" connection-nat-state=\
    !dstnat connection-state="" log=yes log-prefix=!drop-input
add action=accept chain=forward src-address=10.8.0.0/24
add action=accept chain=forward comment=\
    "[forward] allow | interne netze zu dns server" dst-address-list=\
    interne_dns_server dst-port=53 protocol=udp src-address-list=\
    interne_netze
add action=accept chain=forward comment=\
    "[forward] allow IoT Netz to Homeassistant" dst-address-list=\
    homeassistant src-address=172.16.253.0/24
add action=accept chain=forward comment="[forward] allow | IoT to Internet" \
    dst-address-list=!interne_netze src-address=172.16.253.0/24
add action=drop chain=forward comment=\
    "[forward] drop | everything else from IoT Network" log=yes log-prefix=\
    "!drop IoT" src-address=172.16.253.0/24
add action=accept chain=forward comment=\
    "[forward] allow | established, related" connection-state=\
    established,related
add action=drop chain=forward comment="[forward] drop  | invalid" \
    connection-state=invalid
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes dst-address-list=to_vpn \
    new-routing-mark=wg_mullvad_albania passthrough=no
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.251.0/24
add action=masquerade chain=srcnat comment="[NAT] 1und1 VDSL" out-interface=\
    "[pppoe-client] 1und1-VDSL100"
add action=dst-nat chain=dstnat comment="[DST NAT] HTTPS to reverse proxy" \
    in-interface="[pppoe-client] 1und1-VDSL100" to-addresses=192.168.143.122
add action=masquerade chain=srcnat comment=\
    "[NAT] wireguard - keepsolid serbia" out-interface=wg-keepsolid-serbia
add action=masquerade chain=srcnat comment="[NAT] wg - mullvad vpn - albania" \
    out-interface=wg-mullvad-albania
/ip hotspot user
add name=admin
add name=guest profile=hs_up_gast server=hotspot_gast
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg-keepsolid-serbia \
    pref-src="" routing-table=wg_keepsolid_serbia scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg-mullvad-albania \
    pref-src="" routing-table=wg_mullvad_albania scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface="[pppoe-client] 1und1-VDSL100" type=external
add interface=bridge_lan type=internal
/snmp
set contact=XXXXXXXXXXX enabled=yes location=\
    "YYYYYYYYYYYYYYYYYYYYYY"
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=xxxxxxxxxxxx
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.143.245

And here is the client config [Android phone]

[Interface]
Address = 10.8.0.10/32
DNS = 192.168.143.200
PrivateKey = GEPbKEc/3/9KH0.......twVp0ixYK5KToEWc=

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = dns_for_external_ip:13231
PersistentKeepalive = 25
PublicKey = j8IG63P36sih...........Lj8OKs07gRQ=

So far?
Did you solve your issue by the addition of the capsman rule and everything is working fine now wrt wireguard ???

(1) The ROUTER peer settings for wireguard road warrior do NOT need persistent keep alive.

(2) These two rules don’t make sense to me. Why are you bothering about anything on port 67 for the WireGuard road warrior???
What does dst nat have anything to do with the input chain??

add address=10.8.0.0/24 list=interne_netze

add action=accept chain=input comment="[input] allow | access to dhcp server" dst-port=67 protocol=udp src-address-list=interne_netze
add action=drop chain=input comment="[input] drop" connection-nat-state=!dstnat connection-state="" log=yes log-prefix=!drop-input

(3) Suggest moving these two rules up in the order so they are located as such…

add action=drop chain=input comment="[input] drop" connection-nat-state=!dstnat connection-state="" log=yes log-prefix=!drop-input

add action=accept chain=forward comment="[forward] allow | established, related" connection-state=established,related
add action=drop chain=forward comment="[forward] drop | invalid" connection-state=invalid
add action=accept chain=forward src-address=10.8.0.0/24

Yes, so far.. As we say “Es gibt immer was zu tun.” (There is always something to do). The 10.8.0.0/24 is still in there from a Test I did a few days ago. Erased it from the list. Rearranged the Rules according to your Suggestion.

I see your point with the input chain and dstnat. This really makes no sense and should be in the forward chain. Corrected that mistake.

WireGuard still only sends packets from the client and the router does not respond, even with the actual IP and port (dynamic IP I get from my ISP) directly entered into the endpoint address. That is really odd atm.

Using Zerotier atm. Works well I must admit.

From your latest export and also taking into account comments from Anav:
Are you sure any ISP device which is in front of you forwards that port?
Already tried simply disabling all firewall drop rules to see if that works? (just for testing)
Do you see the counters moving on the accept rule for the WG port? It should at least increase by 1 on each connection.

About that rule:

add action=accept chain=input dst-port=13231 in-interface=\
    "[pppoe-client] 1und1-VDSL100" protocol=udp src-address-list=""

Can you remove in-interface (just for testing)?

But …
Make sure the field for src-address-list is unselected (Winbox, use UP arrow), not as it is now = selected and blank (because nothing will match then).

Disabled the whole Firewall, changed nothing. I disabled the in-interface like you suggested. Traffic coming in, but nothing happens from the Router Side it seems. Attached a Screenshot from the Rule 13231 :wink:
fw_rule_13231.png

That screenshot is outgoing traffic.
WG always sends. It’s only when something comes in, that you know it’s working.

You completely removed the src-address-list entry as well ?

My focus would be on first seeing something hits that rule.
As long as nothing is coming in, it can never work.

What about ISP devices in front of your device? Are you sure the port is forwarded?

Yes, only a Draytek Modem is used. RB5009 does the PPPOE Part…

Please show output of /ip firewall filter export.
I would like to be sure that one necessary change was done on the input rule.

This is the correct rule (disregarding interface list for now):

add action=accept chain=input dst-port=13231 protocol=udp

If it still shows this, nothing will pass that rule.

add action=accept chain=input dst-port=13231 protocol=udp src-address-list=""
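The two points raised above, the selected-but-blank src-address-list on the WireGuard accept rule and Anav's earlier rule-ordering suggestion, can be checked mechanically against a /ip firewall filter export. The following script is an added example, not code from this thread or from MikroTik: it parses the export (including the backslash line continuations), keeps a blank matcher distinct from an absent one, and reports the pitfalls the replies describe. Both sample exports are constructed for the example.

```python
"""Lint a RouterOS '/ip firewall filter' export for the WireGuard road-warrior
input rule. Added example, not code from the thread or from MikroTik."""
import shlex

# Constructed sample in the shape of the thread's export; the problems the
# replies point out are present on purpose (see lint_wg_input).
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here"
add action=drop chain=input comment="[input] drop" connection-nat-state=\
    !dstnat connection-state="" log=yes log-prefix=!drop-input
add action=accept chain=input dst-port=13231 in-interface=\
    "[pppoe-client] 1und1-VDSL100" protocol=udp src-address-list=""
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=forward src-address=10.8.0.0/24
add action=accept chain=forward comment=\
    "[forward] allow | established, related" connection-state=\
    established,related
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wg-privat
'''

# Constructed: the same chains rewritten the way the replies suggest.
FIXED_EXPORT = '''
/ip firewall filter
add action=accept chain=input dst-port=13231 protocol=udp
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="[input] drop" log=yes log-prefix=!drop-input
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward src-address=10.8.0.0/24
'''


def join_continuations(text):
    """Glue export lines that end in a backslash onto the following line."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        buf += line
        if buf.endswith("\\"):
            buf = buf[:-1]              # continuation: keep collecting
            continue
        lines.append(buf)
        buf = ""
    return lines


def parse_filter_rules(text):
    """One dict per 'add ...' line inside the /ip firewall filter block.
    A key with an empty value (src-address-list="") is kept as '' so the
    linter can tell 'selected but blank' from 'not selected'."""
    rules, section = [], None
    for line in join_continuations(text):
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall filter" and line.startswith("add "):
            rule = {}
            for tok in shlex.split(line[4:]):
                key, _, val = tok.partition("=")
                rule[key] = val
            rules.append(rule)
    return rules


def lint_wg_input(rules, port="13231"):
    """Return findings as strings; an empty list means the WG path looks sane.
    Default port is the wg-privat listen-port used in the thread."""
    findings = []
    enabled = [r for r in rules if r.get("disabled") != "yes"]
    inp = [r for r in enabled if r.get("chain") == "input"]
    fwd = [r for r in enabled if r.get("chain") == "forward"]
    hits = [i for i, r in enumerate(inp) if r.get("action") == "accept"
            and r.get("protocol") == "udp" and r.get("dst-port") == port]
    if not hits:
        return [f"no enabled input accept rule for udp/{port}"]
    idx, wg = hits[0], inp[hits[0]]
    for key in ("src-address-list", "in-interface", "in-interface-list"):
        if key in wg and wg[key] == "":       # selected but blank matcher
            findings.append(f'{key}="" on the udp/{port} accept: nothing '
                            "will ever match this rule")
    if any(r.get("action") == "drop" and "protocol" not in r for r in inp[:idx]):
        findings.append(f"a generic input drop is ordered above the udp/{port} accept")
    if any("connection-nat-state" in r for r in inp):
        findings.append("connection-nat-state on an input rule; dstnat matching "
                        "belongs in the forward chain")
    if fwd and fwd[0].get("connection-state") != "established,related":
        findings.append("forward chain: established,related accept is not first")
    return findings
```

Run `lint_wg_input(parse_filter_rules(SAMPLE_EXPORT))` against the constructed export to see all four findings; the corrected export yields none.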

/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=input dst-port=13231 log=yes log-prefix=!wireguard protocol=udp
add action=accept chain=input comment="defconf: accept to local loopback" dst-address=127.0.0.1 log=yes log-prefix=!localhost
add action=accept chain=input src-address-list=safe_networks
add action=accept chain=input comment="[input] allow input est. rel. untracked." connection-state=established,related,untracked
add action=accept chain=input comment="[input] allow | access to dhcp server" dst-port=67 protocol=udp src-address-list=interne_netze
add action=drop chain=input comment="[input] drop" log=yes log-prefix=!drop-input
add action=accept chain=forward comment="[forward] allow | established, related" connection-state=established,related
add action=accept chain=forward src-address=10.8.0.0/24
add action=accept chain=forward comment="[forward] allow | interne netze zu dns server" dst-address-list=interne_dns_server dst-port=53 \
    protocol=udp src-address-list=interne_netze
add action=accept chain=forward comment="[forward] allow IoT Netz to Homeassistant" dst-address-list=homeassistant src-address=\
    172.16.253.0/24
add action=accept chain=forward comment="[forward] allow | IoT to Internet" dst-address-list=!interne_netze src-address=172.16.253.0/24
add action=drop chain=forward comment="[forward] drop | everything else from IoT Network" log=yes log-prefix="!drop IoT" src-address=\
    172.16.253.0/24
add action=drop chain=forward comment="[forward] drop  | invalid" connection-state=invalid
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=to_vpn new-routing-mark=wg_mullvad_albania passthrough=no
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=172.16.251.0/24
add action=masquerade chain=srcnat comment="[NAT] 1und1 VDSL" out-interface="[pppoe-client] 1und1-VDSL100"
add action=dst-nat chain=dstnat comment="[DST NAT] HTTPS to reverse proxy" in-interface="[pppoe-client] 1und1-VDSL100" to-addresses=\
    192.168.143.122
add action=masquerade chain=srcnat comment="[NAT] wireguard - keepsolid serbia" out-interface=wg-keepsolid-serbia
add action=masquerade chain=srcnat comment="[NAT] wg - mullvad vpn - albania" out-interface=wg-mullvad-albania
add action=masquerade chain=srcnat out-interface=wg-privat

Since wg-privat is basically for the incoming road warrior to either reach the LAN, configure the router, or go out via the router’s internet (remote to warrior), I don’t think you should or need to source-NAT it.

add action=masquerade chain=srcnat out-interface=wg-privat ??

Accepted and removed…

I’m thinking of reinstalling via netinstall and put the configuration on it again.