Wireguard not connecting into two subnets

Mon Jun 12, 2023 9:01 am

Hi there,
I've got a question regarding a WireGuard problem. My WG interface is 10.255.255.1/24, and in WG interface/Peers the allowed address is 10.255.255.3/32. I have two subnets: the first one is 172.16.0.1/22 and the other one is 172.16.10.1/22. The problem is that I want the WG to be able to reach both of my networks, but unfortunately the interface works only with the first network, 172.16.0.1/22. I have also put the allowed address into the configuration file, but nothing helped. The route is set as default 10.255.255.0/24 to Gateway:wireguard1.
I don't know what I did wrong; does anybody have any kind of idea?
Thanks a lot
Martin

No idea without the config
/export file=anynameyouwish (minus router serial#, any public WANIP information, keys etc. )

Thanks for spending your time on my problem. I'm attaching the config:

# jun/19/2023 07:44:55 by RouterOS 7.9.1
# software id =
# model = CCR2004-16G-2S+
# serial number =

/interface bridge add name=Docker
/interface bridge add arp=proxy-arp name=bridge1_STAFF
/interface ethernet set [ find default-name=ether1 ] arp=proxy-arp name=ether1_WAN_ISP
/interface ethernet set [ find default-name=ether2 ] arp=proxy-arp name=ether2_STAFF_LAN
/interface ethernet set [ find default-name=ether8 ] arp=proxy-arp name=ether8_VS_CAMERAS
/interface ethernet set [ find default-name=ether10 ] arp=proxy-arp name=ether10_STUDENTS_LAN
/interface ethernet set [ find default-name=ether11 ] arp=proxy-arp name=ether11_SIEMENS_LAN
/interface ethernet set [ find default-name=ether16 ] name=ether16_SERVIS
/interface veth add address=172.17.0.2/24 gateway=172.17.0.1 name=veth1-kuma
/interface wireguard add listen-port=13231 mtu=1420 name=wireguard1
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip pool add name="SSTP Remote" ranges=10.1.2.10-10.1.2.20
/ip pool add name=dhcp_pool3 ranges=10.10.10.200-10.10.10.254
/ip dhcp-server add address-pool=dhcp_pool3 interface=ether16_SERVIS name=dhcp1
/port set 0 name=serial0
/port set 1 name=serial1
/ppp profile add local-address=172.16.0.1 name=ovpn-profile remote-address=ovpn-pool
/ppp profile add local-address=10.1.2.1 name=SSTP-profile remote-address="SSTP Remote"
/ppp profile set *FFFFFFFE local-address=172.16.0.1 remote-address=IPSEC
/container config set registry-url=https://registry-1.docker.io tmpdir=disk1/pull
/interface bridge port add bridge=bridge1_STAFF interface=ether3
/interface bridge port add bridge=bridge1_STAFF interface=ether4
/interface bridge port add bridge=bridge1_STAFF interface=ether5
/interface bridge port add bridge=bridge1_STAFF interface=ether2_STAFF_LAN
/interface bridge port add bridge=Docker interface=veth1-kuma
/interface sstp-server server set authentication=mschap2 certificate=CRT default-profile=SSTP-profile enabled=yes
/interface wireguard peers add allowed-address=10.255.255.3/32 comment="MOBIL" interface=wireguard1 public-key=""
/interface wireguard peers add allowed-address=10.255.255.4/32 comment="HOME" interface=wireguard1 public-key=""
/interface wireguard peers add allowed-address=10.255.255.5/32 comment=PF interface=wireguard1 public-key=""
/interface wireguard peers add allowed-address=10.255.255.6/32 comment=AS interface=wireguard1 public-key=""
/interface wireguard peers add allowed-address=10.255.255.7/32 comment=EH interface=wireguard1 public-key=""
/interface wireguard peers add allowed-address=10.255.255.8/32 interface=wireguard1 public-key=""
/interface wireguard peers add allowed-address=10.255.255.9/32 comment=JR interface=wireguard1 public-key=""
/ip address add address= comment="WAN to ISP" interface=ether1_WAN_ISP network=
/ip address add address=10.10.10.1/24 comment="SERVISNY PORT" interface=ether16_SERVIS network=10.10.10.0
/ip address add address=172.16.0.1/22 comment="STAFF NET" interface=bridge1_STAFF network=172.16.0.0
/ip address add address=192.168.15.1/24 interface=ether8_VS_CAMERAS network=192.168.15.0
/ip address add address=x.y.z..11 comment="STUDENT terminal" interface=ether1_WAN_ISP network=
/ip address add address=x.y.z..16 interface=ether1_WAN_ISP network=
/ip address add address=x.y.z..20 interface=ether1_WAN_ISP network=
/ip address add address=x.y.z..83 comment="CAMERAS CUP" interface=ether1_WAN_ISP network=x.y.z..83
/ip address add address=x.y.z..89 interface=ether1_WAN_ISP network=x.y.z..89
/ip address add address=x.y.z..90 comment=portal1 interface=ether1_WAN_ISP network=x.y.z..90
/ip address add address=x.y.z..91 comment=portal2 interface=ether1_WAN_ISP network=x.y.z..91
/ip address add address=x.y.z..92 comment="WWW" interface=ether1_WAN_ISP network=x.y.z..92
/ip address add address=x.y.z..93 comment=DAWINCI interface=ether1_WAN_ISP network=x.y.z..93
/ip address add address=x.y.z..103 comment="LDAP Interway" interface=ether1_WAN_ISP network=x.y.z..103
/ip address add address=172.16.10.1/22 comment="STUDENTSKA NET" interface=ether10_STUDENTS_LAN network=172.16.8.0
/ip address add address=10.255.255.1/24 comment="WIREGUARD INTERFACE" interface=wireguard1 network=10.255.255.0
/ip address add address=172.17.0.1/24 comment="Docker VETH Interface" interface=Docker network=172.17.0.0
/ip address add address=192.168.10.1/24 interface=ether11_SIEMENS_LAN network=192.168.10.0
/ip address add address=10.1.2.1/24 comment="SSTP INTERFACE" interface=ether1_WAN_ISP network=10.1.2.0
/ip dhcp-server lease add address=10.10.10.254 client-id= mac-address= server=*2
/ip dhcp-server network add address=10.10.10.0/24 gateway=10.10.10.1
/ip dhcp-server network add address=172.16.0.0/25 gateway=172.16.0.1
/ip dns set servers=
/ip firewall address-list add address=172.16.0.0/22 comment="Internal network pool for administration" list="watching network pool allowed"
/ip firewall address-list add address=164.52.24.0/24 list="attack pool1"
/ip firewall address-list add address=203.116.184.0/24 list="attack pool2"
/ip firewall address-list add address=65.49.20.0/24 list="attack pool3"
/ip firewall address-list add address=65.62.197.0/24 list="attack pool4"
/ip firewall address-list add address=185.105.247.0/24 list="attack pool5"
/ip firewall filter add action=log chain=input disabled=yes
/ip firewall filter add action=accept chain=forward comment="if packet includes connection mark allow everything" connection-mark="all from watching network allowed"
/ip firewall filter add action=accept chain=input comment="Allow WireGuard" dst-port=13231 protocol=udp
/ip firewall filter add action=accept chain=input comment="allow Wireguard Traffic" src-address=10.255.255.0/24
/ip firewall filter add action=drop chain=forward comment="STUDENTI if it has SRC address 172.16.10.0/22 if its not direction WAN than dropp" out-interface=!ether1_WAN_ISP src-address=172.16.8.0/22
/ip firewall filter add action=drop chain=input comment="FORBID PING FROM STUDENT NET TO STAFF" dst-address=172.16.0.0/22 protocol=icmp src-address=172.16.8.0/22
/ip firewall filter add action=drop chain=forward comment="Siemens if it has SRC address 192.168.10.0/24 if its not direction WAN than dropp" out-interface=!ether1_WAN_ISP src-address=192.168.10.0/24
/ip firewall filter add action=drop chain=forward comment="CAMERAS if it has SRC address 192.168.15.0/24 if its not direction WAN than dropp" out-interface=!ether1_WAN_ISP src-address=192.168.15.0/24
/ip firewall filter add action=accept chain=input comment="allow SSTP traffic" src-address=10.1.2.0/24
/ip firewall filter add action=accept chain=forward comment="JR CSOB rule OUT" dst-address= dst-port=1156 out-interface=ether1_WAN_ISP protocol=tcp src-address=172.16.0.0/16
/ip firewall filter add action=accept chain=forward comment="JR CSOB rule IN" dst-address=172.16.0.0/16 dst-port=1156 in-interface=ether1_WAN_ISP protocol=tcp src-address=
/ip firewall filter add action=accept chain=forward comment="portal1 forwarrd rule" dst-address=172.16.0.150 dst-port=80,443 protocol=tcp
/ip firewall filter add action=accept chain=forward comment="LDAP INTERWAY" dst-address=172.16.0.152 dst-port=389 protocol=tcp src-address=62.168.118.66
/ip firewall filter add action=accept chain=forward comment="LDAP INTERWAY 1" dst-address=172.16.0.152 dst-port=389 protocol=tcp src-address=62.168.118.94
/ip firewall filter add action=accept chain=forward comment="CAMERAS rule" dst-address=192.168.15.3 protocol=tcp
/ip firewall filter add action=accept chain=forward comment="CUTN WWW" dst-address=172.16.0.165 dst-port=80,20,21,443 protocol=tcp
/ip firewall filter add action=accept chain=forward comment="DAWINCI WWW" dst-address=172.16.0.170 dst-port=80,210,1111,5555,7090,8888,9909,9999,8886 protocol=tcp
/ip firewall filter add action=accept chain=forward comment="DAWINCI WWW OUT" dst-address=172.16.0.170 dst-port=80,210,1111,5555,7090,8888,9909,9999,8886 protocol=tcp
/ip firewall filter add action=accept chain=forward comment="DAWINCI WWW IN" dst-port=80,210,1111,5555,7090,8888,9909,9999,8886 protocol=tcp src-address=172.16.0.170
/ip firewall filter add action=accept chain=forward comment="DAWINCI WWW" dst-port=80,210,1111,5555,7090,8888,9909,9999,8886 protocol=tcp src-address=172.16.0.170
/ip firewall filter add action=accept chain=forward comment="Siemens Forward rule" dst-address=192.168.10.3
/ip firewall filter add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=input comment="Allow ping" protocol=icmp
/ip firewall filter add action=accept chain=forward comment="allow TCP" protocol=tcp
/ip firewall filter add action=accept chain=forward comment="allow udp" protocol=udp
/ip firewall filter add action=accept chain=input dst-port=443 protocol=tcp
/ip firewall filter add action=drop chain=input comment="drop attackers ip pools (vpn)" src-address-list=216.218.206.0/24
/ip firewall filter add action=drop chain=input comment="drop attackers ip pools (vpn)185.98.208.0" src-address-list=185.98.208.0/24
/ip firewall filter add action=drop chain=input comment="drop attackers ip pools (vpn) 188.167.250.0" src-address-list=188.167.250.0/24
/ip firewall filter add action=drop chain=input comment="drop attackers ip pools (vpn) new" src-address-list=164.52.24.0/24
/ip firewall filter add action=drop chain=input comment="drop attackers ip pools (vpn) new1" src-address-list=203.116.184.0/24
/ip firewall filter add action=drop chain=input comment="drop attackers ip pools (vpn) new2" src-address-list=65.49.20.0/24
/ip firewall filter add action=drop chain=input comment="drop attackers ip pools (vpn) new3" src-address-list=65.62.197.0/24
/ip firewall filter add action=drop chain=input comment="drop attackers ip pools (vpn) new4" src-address-list=185.105.247.0/24
/ip firewall filter add action=drop chain=input comment="drop attackers ip pools (vpn) new5" src-address-list=74.82.47.0/24
/ip firewall filter add action=drop chain=input comment="drop IPsec hacking attempts" src-address-list=block
/ip firewall filter add action=add-src-to-address-list address-list=!bruteforce_blacklist address-list-timeout=1d chain=input comment="drop ssh brute forcers blacklist" connection-state=new dst-port=22 protocol=tcp src-address-list=connection3
/ip firewall filter add action=add-src-to-address-list address-list=connection3 address-list-timeout=1h chain=input comment="drop ssh brute forcers connect3" connection-state=new dst-port=22 protocol=tcp src-address-list=connection2
/ip firewall filter add action=add-src-to-address-list address-list=connection2 address-list-timeout=15m chain=input comment="drop ssh brute forcers connect2" connection-state=new dst-port=22 protocol=tcp src-address-list=connection1
/ip firewall filter add action=add-src-to-address-list address-list=connection1 address-list-timeout=5m chain=input comment="drop ssh brute forcers connect1" connection-state=new dst-port=22 protocol=tcp
/ip firewall filter add action=accept chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=!bruteforce_blacklist
/ip firewall filter add action=drop chain=input comment="drop ssh brute force 0 " dst-port=22 protocol=tcp psd=21,3s,3,1
/ip firewall filter add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="drop csanner NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
/ip firewall filter add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="drop csanner SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
/ip firewall filter add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="drop csanner SYN/RST scan" protocol=tcp tcp-flags=syn,rst
/ip firewall filter add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment=" drop csanner FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
/ip firewall filter add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="drop csanner ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
/ip firewall filter add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="drop csanner NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
/ip firewall filter add action=drop chain=input comment="drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=input src-address-list="port scanners"
/ip firewall filter add action=drop chain=input in-interface=!bridge1_STAFF
/ip firewall mangle add action=mark-connection chain=prerouting comment="everything what generates 172.16.0.0/22 allowed everywhere - connection mark" new-connection-mark="all from watching network allowed" passthrough=yes src-address-list="watching network pool allowed"
/ip firewall nat add action=masquerade chain=srcnat comment="mask everything what goes from NET 172.16.0.0/22" out-interface=ether1_WAN_ISP src-address=172.16.0.0/22
/ip firewall nat add action=masquerade chain=srcnat comment="mask everything what goes from NET 172.16.10.0/24" out-interface=ether1_WAN_ISP src-address=172.16.8.0/22
/ip firewall nat add action=masquerade chain=srcnat comment="mask everything what goes from NET 192.168.10.0/24" out-interface=ether1_WAN_ISP src-address=192.168.10.0/24
/ip firewall nat add action=masquerade chain=srcnat src-address=172.17.0.0/24
/ip firewall nat add action=masquerade chain=srcnat comment="mask everything what goes from NET 10.1.2.0/24" out-interface=ether1_WAN_ISP src-address=10.1.2.0/24
/ip firewall nat add action=masquerade chain=srcnat comment="mask everything what goes from NET 192.168.15.0/24" out-interface=ether1_WAN_ISP src-address=192.168.15.0/24
/ip firewall nat add action=dst-nat chain=dstnat comment="DST-NAT 1:1 CAMERAS" dst-address=x.y.z..83 dst-port=37777 protocol=tcp to-addresses=192.168.15.3 to-ports=37777
/ip firewall nat add action=src-nat chain=srcnat comment="SRC-NAT 1:1 CAMERAS" dst-port=37777 protocol=tcp src-address=192.168.15.3 to-addresses=x.y.z..83 to-ports=37777
/ip firewall nat add action=src-nat chain=srcnat comment="SRC-NAT 1:1 ESO port 80" dst-port=80 protocol=tcp src-address=172.16.0.150 to-addresses=x.y.z..90 to-ports=80
/ip firewall nat add action=src-nat chain=srcnat comment="SRC-NAT 1:1 ESO port 443" dst-port=443 protocol=tcp src-address=172.16.0.150 to-addresses=x.y.z..90 to-ports=443
/ip firewall nat add action=src-nat chain=srcnat comment="SRC-NAT 1:1 Moodle port 443" dst-port=443 protocol=tcp src-address=172.16.0.190 to-addresses=x.y.z..91 to-ports=443
/ip firewall nat add action=src-nat chain=srcnat comment="SRC-NAT 1:1 Moodle port 80" dst-port=80 protocol=tcp src-address=172.16.0.190 to-addresses=x.y.z..91 to-ports=80
/ip firewall nat add action=src-nat chain=srcnat comment="SRC-NAT 1:1 DAWINCI port 80-9999" dst-port=80-9999 protocol=tcp src-address=172.16.0.170 to-addresses=x.y.z..93 to-ports=80-9999
/ip firewall nat add action=src-nat chain=srcnat comment="SRC-NAT 1:1 CUTN WWW port 80" dst-port=80 protocol=tcp src-address=172.16.0.165 to-addresses=x.y.z..92 to-ports=80
/ip firewall nat add action=src-nat chain=srcnat comment="SRC-NAT 1:1 LDAP INTERWAY port 389" dst-port=389 protocol=tcp src-address=172.16.0.152 to-addresses=x.y.z..103 to-ports=389
/ip firewall nat add action=src-nat chain=srcnat comment="SRC-NAT 1:1 CUTN WWW port 443" dst-port=443 protocol=tcp src-address=172.16.0.165 to-addresses=x.y.z..92 to-ports=443
/ip firewall nat add action=dst-nat chain=dstnat comment="DST-NAT 1:1 Moodle port 80" dst-address=x.y.z..91 dst-port=80 protocol=tcp to-addresses=172.16.0.190 to-ports=80
/ip firewall nat add action=dst-nat chain=dstnat comment="DST-NAT 1:1 LDAP INTRWAY port 389" dst-address=x.y.z..103 dst-port=389 protocol=tcp to-addresses=172.16.0.152 to-ports=389
/ip firewall nat add action=dst-nat chain=dstnat comment="DST-NAT 1:1 Moodle port 443" dst-address=x.y.z..91 dst-port=443 protocol=tcp to-addresses=172.16.0.190 to-ports=443
/ip firewall nat add action=dst-nat chain=dstnat comment="DST-NAT 1:1 CUTN WWW port 443" dst-address=x.y.z..92 dst-port=443 protocol=tcp to-addresses=172.16.0.165 to-ports=443
/ip firewall nat add action=dst-nat chain=dstnat comment="DST-NAT 1:1 CUTN WWW port 80" dst-address=x.y.z..92 dst-port=80 protocol=tcp to-addresses=172.16.0.165 to-ports=80
/ip firewall nat add action=dst-nat chain=dstnat comment="DST-NAT 1:1 ESO port 443" dst-address=x.y.z..90 dst-port=443 protocol=tcp to-addresses=172.16.0.150 to-ports=443
/ip firewall nat add action=dst-nat chain=dstnat comment="DST-NAT 1:1 ESO port 80" dst-address=x.y.z..90 dst-port=80 protocol=tcp to-addresses=172.16.0.150 to-ports=80
/ip firewall nat add action=dst-nat chain=dstnat comment="DST-NAT 1:1 DAWINCI port 80-9999" dst-address=x.y.z..93 dst-port=80-9999 protocol=tcp to-addresses=172.16.0.170 to-ports=80-9999
/ip firewall nat add action=masquerade chain=srcnat comment="NTP NAT masquerade " dst-port=123 protocol=udp to-ports=12300-12390
/ip route add disabled=no dst-address=0.0.0.0/0 gateway=x.y.z..1 routing-table=main suppress-hw-offload=no
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh port=22
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ppp secret add name=mbokor profile=SSTP-profile service=sstp
/system clock set time-zone-name=Europe/Bratislava
/system identity set name=
/system note set show-at-login=no
/system ntp client set enabled=yes
/system ntp client servers add address=90.176.21.0
/system ntp client servers add address=62.168.65.36
/tool romon set enabled=yes

Thanks for any hint
M.
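One thing worth checking in the export above is how the forward chain treats the return traffic of a WireGuard session: there is an accept for established/related connections in the input chain, but none in the forward chain, and RouterOS accepts by default only when no rule in a chain matches. So a LAN host's reply toward a WireGuard peer is matched against the forward rules as if it were a fresh packet. The Python script below is an added illustration, not part of this thread or of the poster's configuration: it transcribes the forward-chain rules that can touch WireGuard traffic (plus the prerouting connection-mark rule) and walks four constructed packets through them in export order, reporting which rule decides each one. The rule subset, the sample addresses (10.255.255.3, 172.16.0.10, 172.16.8.10) and the helper function names are my own assumptions. A peer also only routes to the subnets listed in its own AllowedIPs, but since that is reported as already done, the script looks only at the router's filter.

```python
"""Walk constructed WireGuard packets through the forward-chain rules
transcribed from the RouterOS export above (illustration only; the rule
subset and the sample packets are constructed for this example)."""
from ipaddress import ip_address, ip_network

STAFF_NET = ip_network("172.16.0.0/22")   # "watching network pool allowed"
WAN = "ether1_WAN_ISP"

# Forward-chain rules in export order, limited to those whose matchers can
# apply to traffic between the WireGuard peers and the LANs.
# out_iface prefixed with "!" mirrors RouterOS "out-interface=!name".
FORWARD_RULES = [
    dict(action="accept", comment="if packet includes connection mark allow everything",
         conn_mark="all from watching network allowed"),
    dict(action="drop", comment="STUDENTI if it has SRC address 172.16.10.0/22 if its not direction WAN than dropp",
         src=ip_network("172.16.8.0/22"), out_iface="!" + WAN),
    dict(action="drop", comment="Siemens if it has SRC address 192.168.10.0/24 if its not direction WAN than dropp",
         src=ip_network("192.168.10.0/24"), out_iface="!" + WAN),
    dict(action="drop", comment="CAMERAS if it has SRC address 192.168.15.0/24 if its not direction WAN than dropp",
         src=ip_network("192.168.15.0/24"), out_iface="!" + WAN),
    dict(action="accept", comment="allow TCP", proto="tcp"),
    dict(action="accept", comment="allow udp", proto="udp"),
]


def mangle_mark(pkt):
    """Prerouting mangle: a packet whose source is in the 'watching network
    pool allowed' list (172.16.0.0/22) marks its connection."""
    if ip_address(pkt["src"]) in STAFF_NET:
        pkt["conn_mark"] = "all from watching network allowed"
    return pkt


def rule_matches(rule, pkt):
    """True when every matcher present in the rule agrees with the packet."""
    if "conn_mark" in rule and pkt.get("conn_mark") != rule["conn_mark"]:
        return False
    if "src" in rule and ip_address(pkt["src"]) not in rule["src"]:
        return False
    if "proto" in rule and pkt["proto"] != rule["proto"]:
        return False
    if "out_iface" in rule:
        want = rule["out_iface"]
        if want.startswith("!"):
            if pkt["out_iface"] == want[1:]:
                return False
        elif pkt["out_iface"] != want:
            return False
    return True


def forward_verdict(pkt):
    """Return (action, comment) of the first matching forward rule.
    RouterOS accepts when no rule in the chain matches."""
    pkt = mangle_mark(dict(pkt))
    for rule in FORWARD_RULES:
        if rule_matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "<chain default>"


# Constructed flows: a WireGuard peer opening TCP to one host in each LAN,
# and that host's reply heading back out through wireguard1.
FLOWS = {
    "wg->staff request": dict(src="10.255.255.3", dst="172.16.0.10", proto="tcp", out_iface="bridge1_STAFF"),
    "staff->wg reply": dict(src="172.16.0.10", dst="10.255.255.3", proto="tcp", out_iface="wireguard1"),
    "wg->student request": dict(src="10.255.255.3", dst="172.16.8.10", proto="tcp", out_iface="ether10_STUDENTS_LAN"),
    "student->wg reply": dict(src="172.16.8.10", dst="10.255.255.3", proto="tcp", out_iface="wireguard1"),
}


def trace_flows(flows=FLOWS):
    """Map each flow name to the (action, comment) that decides it."""
    return {name: forward_verdict(pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for name, (action, comment) in trace_flows().items():
        print(f"{name:22s} -> {action:6s}  ({comment})")
```

Run as a script it prints one line per flow; the request packets from the peer are accepted by the generic "allow TCP" rule, the staff host's reply picks up the connection mark and is accepted, while the student host's reply leaves via wireguard1, which is not the WAN interface, and is dropped by the STUDENTI rule. To confirm this on the real router, the counters of that rule (`/ip firewall filter print stats`) should rise while a peer tries to reach the student network.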

Those are not real networks…
Well, considering that a network for me has:
IP pool
IP address
DHCP server
DHCP server network.

There is actually only one network, which is running on etherport16 and which YOU DO NOT MENTION as a network that needs to be reached LOL.

/ip pool add name=dhcp_pool3 ranges=10.10.10.200-10.10.10.254
/ip address add address=10.10.10.1/24 comment="SERVISNY PORT" interface=ether16_SERVIS network=10.10.10.0
/ip dhcp-server add address-pool=dhcp_pool3 interface=ether16_SERVIS name=dhcp1
/ip dhcp-server network add address=10.10.10.0/24 gateway=10.10.10.1

Then you note you CAN reach 172.16.0.1/22 but cannot reach 172.16.10.1/22

Let's look at the first one (which seems to be associated with your bridge):
NO POOL
/ip address add address=172.16.0.1/22 comment="STAFF NET" interface=bridge1_STAFF network=172.16.0.0
NO dhcp-server
/ip dhcp-server network add address=172.16.0.0/25 gateway=172.16.0.1

Let's look at the second one (which seems to be associated with ether10):
NO POOL
/ip address add address=172.16.10.1/22 comment="STUDENTSKA NET" interface=ether10_STUDENTS_LAN network=172.16.8.0
NO dhcp-server
No dhcp-server network

Thus, based on the missing information, I cannot predict how or if WireGuard will work. I am surprised you can reach the first one at all.

Now let's look at the quagmire of FW rules you have…
Personally I would burn it, send it to Satan etc.
Nothing I see seems to be blocking, and I say seems because it's impossible to troubleshoot such a mess.
It would seem you have set up your router to STOP traffic as its primary purpose, rather than to ALLOW only needed traffic.
I espouse drop all rules at end of input chain and forward chain and leave the rest of the nonsense in the garbage bin. :slight_smile:

:slight_smile: thanks for being straightforward

Well, I know what you are talking about, but please let me explain the mess. There are no pools for the STAFF and STUDENT networks and no DNS entries, since we are a small university running our own AD + DHCP + DNS server. Therefore there are only the main entries from the ISP; the rest of the services are managed by the AD. The mess around the rest of the rules is caused by the fact that I need to divide and separate the networks: we as STAFF have access to everything, while the other networks (STUDENT, SIEMENS and CAMERAS) cannot access the STAFF network or even ping it. That apparently works with these rules. On the STAFF network we have several web servers and student portals, which also need to be secured. I know it's a mess, but our situation is a little different than usual. I would definitely appreciate any hint :slight_smile: if you still have time to deal with it.
Thanks a lot