Hi all. I have a working WireGuard Mikrotik-to-Windows VPN.
From the Windows side I can ping and reach the Mikrotik on the office side, and I can also ping and reach 2 other devices (one of those 2 is directly connected to ether3). I can also ping and reach the second LAN (ether5, 10.10.10.1/24), which is connected to a switch (Switch B). The problem is on Switch A, with LAN 192.168.1.254/24.
However, I cannot ping and reach OTHER devices that are connected to the bridge (port 2 - Switch A), which goes into a Tenda network switch. I've tried rebooting the switch but it didn't help.
Just want to make sure that MK’s side is ok before I start operating on the switch.
Thanks.
Mikrotik
ether1 - Modem
ether2 - Switch A (all devices connected to it are not reachable via VPN)
ether3 - Device
ether5 - Switch B (all devices connected to it are reachable)
/interface bridge
add admin-mac=D4:01:C3:3C:D9:BA auto-mac=no comment=defconf dhcp-snooping=yes \
name=brLAN
/interface ethernet
set [ find default-name=ether1 ] name=e1-WAN
/interface wireguard
add listen-port=14231 mtu=1420 name=wg_govoni
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool3 ranges=192.168.1.50-192.168.1.250
add name=dhcp_pool4 ranges=10.10.10.200-10.10.10.254
/ip dhcp-server
add address-pool=dhcp_pool3 interface=brLAN lease-time=10m name=dhcp1
add address-pool=dhcp_pool4 interface=ether5 lease-time=10m name=dhcp2
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=VPNPOOL remote-address=VPNPOOL
/interface sstp-client
add authentication=mschap1,mschap2 connect-to=mk.estcom.online disabled=no \
http-proxy=0.0.0.0 name=ppp-govonimain profile=default-encryption user=\
ppp-govonimain verify-server-address-from-certificate=no
/snmp community
set [ find default=yes ] name=estcom
/interface bridge port
add bridge=brLAN comment=defconf ingress-filtering=no interface=ether2
add bridge=brLAN comment=defconf ingress-filtering=no interface=ether3
add bridge=brLAN comment=defconf ingress-filtering=no interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=brLAN list=LAN
add comment=defconf interface=e1-WAN list=WAN
add comment=defconf interface=ether5 list=LAN
add interface=wg_govoni list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.2.10/32 comment=Roberto interface=wg_govoni \
public-key="XX"
add allowed-address=192.168.2.20/32 comment=Fabio disabled=yes interface=\
wg_govoni public-key="XX"
add allowed-address=192.168.2.90/32 comment=Franz interface=wg_govoni \
public-key="XX"
/ip address
add address=192.168.1.254/24 comment=defconf interface=brLAN network=\
192.168.1.0
add address=10.10.10.1/24 interface=ether5 network=10.10.10.0
add address=192.168.9.2/24 interface=e1-WAN network=192.168.9.0
add address=192.168.2.1/24 interface=wg_govoni network=192.168.2.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.10.1
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.254
/ip dns
set allow-remote-requests=yes cache-size=20480KiB max-concurrent-queries=300 \
max-concurrent-tcp-sessions=60 servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=XX list=ESTCOM-REMOTE
add address=XX list=ESTCOM-REMOTE
/ip firewall filter
add action=accept chain=input dst-port=14231 protocol=udp
add action=accept chain=input dst-address=192.168.1.0/24 src-address=\
192.168.2.0/24
add action=drop chain=forward dst-address=192.168.9.0/24 src-address=\
192.168.1.0/24
add action=drop chain=forward dst-address=192.168.1.0/24 src-address=\
192.168.9.0/24
add action=accept chain=input comment=VPN dst-port=8291 in-interface=e1-WAN \
protocol=tcp src-address-list=ESTCOM
add action=accept chain=input src-address-list=ESTCOM-REMOTE
add action=accept chain=input dst-port=4500,500 in-interface=e1-WAN protocol=\
tcp
add action=accept chain=input dst-port=4500,500 in-interface=e1-WAN protocol=\
udp
add action=accept chain=input in-interface=e1-WAN protocol=ipsec-esp
add action=accept chain=input in-interface=e1-WAN protocol=ipsec-ah
add action=accept chain=input in-interface=e1-WAN protocol=gre
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input src-address-list=ESTCOM-REMOTE
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip sip-timeout=3m
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=GovoniMain
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.9.254 routing-table=\
main suppress-hw-offload=no
/system ntp client servers
add address=193.204.114.232
add address=193.204.114.233
add address=8.8.8.8
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
We are not in your head and thus the ramblings of devices are moot. A network diagram would have been far more helpful.
Is the Mikrotik being used as a WireGuard server for the handshake, or are you connecting to a third-party VPN etc.?
How many mikrotiks are involved?
Where is the config of both MTs?
If the other side is not MT, where is at least the wg config of the other side???
From the config…
It would appear that you do not have a public IP, so I have to assume it's connected to an upstream router and you are able to forward the WireGuard port to the MT router.
It all seems good until I hit the firewall rules... and it gets messy and out of order etc.
Also, no idea what estcom remote is, but I have removed it as my assumption is that it's external WAN IPs, and as such should never have access to the input chain.
ESPECIALLY directly to winbox. SECURITY problem!! Why go to the problem of having VPNs, and then go do something so unsafe???
Apologies if these are just addresses from the private LAN on the ISP router where you also connect your PC and need access to the config…but I have my doubts.
Input chain rules are not the place to give local subnets access to each other...
Why TCP for ports 4500 and 500 ??? ( removed )
Understood, just wanted you to be safe, looks like all well in hand.
Ensure on client peer windows device you have persistent keep alive set.
Yes, the switch issue is weird. It's an unmanaged switch, right?? Check the cable from router to switch???
I would adjust slightly the rules I gave you though:
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow wg to subnet" in-interface=wg_govoni dst-address=192.168.1.0/24
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required or remove }
add action=drop chain=forward comment="drop all else"
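To see the two points raised above on concrete packets (the ESTCOM-REMOTE accepts sitting ahead of the defconf "drop all not coming from LAN" rule, and the input-chain subnet accept that never sees LAN-to-LAN traffic), here is an added toy model of the posted input chain. It is not RouterOS code and not part of this thread; the address 203.0.113.10 is a constructed stand-in for the redacted "XX" list entries.

```python
"""Toy first-match walk over the input chain from the posted export."""
from ipaddress import ip_address, ip_network

# Lists from the export. ESTCOM-REMOTE entries are redacted on the page,
# so a constructed documentation address stands in for them.
ADDRESS_LISTS = {"ESTCOM-REMOTE": {"203.0.113.10"}}
IFACE_LISTS = {"WAN": {"e1-WAN"}, "LAN": {"brLAN", "ether5", "wg_govoni"}}
ROUTER_ADDRS = {"192.168.1.254", "10.10.10.1", "192.168.9.2", "192.168.2.1"}

# Input-chain rules in export order (only the matchers that matter here).
INPUT_CHAIN = [
    {"action": "accept", "proto": "udp", "dport": 14231},
    {"action": "accept", "src": "192.168.2.0/24", "dst": "192.168.1.0/24"},
    {"action": "accept", "proto": "tcp", "dport": 8291, "in_if": "e1-WAN",
     "src_list": "ESTCOM"},  # list never defined in the export: matches nothing
    {"action": "accept", "src_list": "ESTCOM-REMOTE"},
    {"action": "accept", "state": {"established", "related", "untracked"}},
    {"action": "drop", "state": {"invalid"}},
    {"action": "accept", "proto": "icmp"},
    {"action": "drop", "not_in_list": "LAN"},
]

def chain_for(pkt):
    """Packets addressed to the router itself hit input; all others go to forward."""
    return "input" if pkt["dst"] in ROUTER_ADDRS else "forward"

def matches(rule, pkt):
    checks = [
        ("proto", lambda v: pkt["proto"] == v),
        ("dport", lambda v: pkt.get("dport") == v),
        ("in_if", lambda v: pkt["in_if"] == v),
        ("src", lambda v: ip_address(pkt["src"]) in ip_network(v)),
        ("dst", lambda v: ip_address(pkt["dst"]) in ip_network(v)),
        ("src_list", lambda v: pkt["src"] in ADDRESS_LISTS.get(v, set())),
        ("state", lambda v: pkt["state"] in v),
        ("not_in_list", lambda v: pkt["in_if"] not in IFACE_LISTS[v]),
    ]
    return all(test(rule[key]) for key, test in checks if key in rule)

def evaluate(chain, pkt):
    """Return (index, action) of the first matching rule; an unmatched packet
    is accepted, which is the RouterOS default when a chain has no final drop."""
    for i, rule in enumerate(chain):
        if matches(rule, pkt):
            return i, rule["action"]
    return None, "accept"

def without_remote_accepts(chain):
    """The change suggested above: remove both ESTCOM* accepts from input."""
    return [r for r in chain if not r.get("src_list", "").startswith("ESTCOM")]
```

With the export as posted, a new Winbox connection from a listed WAN address is accepted at rule 3; after the removal it falls through to the defconf drop, while a WireGuard peer pinging 192.168.1.51 is forward traffic and never reaches the input-chain subnet accept.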
Windows PC: 192.168.10.1/24 (tried also different LANs)
The strange thing is that if I run an IP scan from the Windows PC, I can only see 2 devices out of 40, 192.168.1.51 and .92, while if I run an IP scan on the second LAN (10.10.10.1/24) I can see ALL hosts in that LAN.
I can clearly see the 2nd LAN of the Mikrotik (10.10.10.1/24) but not the LAN of the bridge (192.168.1.1/24).
The problem seems to be on the bridge, as I tried to move 192.168.1.254/24 from the bridge to ether2 (connected to the switch) and now it works. I could just leave it like this, but I want to know what's causing this.