I’m trying to connect a hAP with a Wireguard config I made after reading the forum. The interface appears to come up and send handshakes back and forth, but no traffic is routed over the tunnel.
My intention is any wifi or ethernet connection (apart from ether5) will be routed over the tunnel to a VPS. I’ve checked the Wireguard portion of the config works from a phone or computer normally.
Would anyone be able to tell me where I went wrong?
# xxxx-xx-xx xx:xx:xx by RouterOS 7.10.2
# software id = XUUT-49R1
#
# model = C52iG-5HaxD2HaxD
/interface bridge
add admin-mac=48:A9:8A:68:4F:0E auto-mac=no comment=defconf name=bridge protocol-mode=none
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ac .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.dtim-period=255 .mode=ap .ssid=xxxx \
.tx-power=40 disabled=no security.authentication-types=wpa3-psk .encryption="" .wps=disable
/interface wireguard
add disabled=no listen-port=13231 mtu=1420 name=wireguard1
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=8h name=defconf
/port
set 0 name=serial0
/queue type
set 2 kind=fq-codel
/routing table
add disabled=no fib name=wireguard
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge interface=ether1
add bridge=bridge interface=wifi1
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=none
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=xxx.xxx.xxx.xxx endpoint-port=51820 interface=wireguard1 persistent-keepalive=2m public-key=\
"blahblahblahblahblabh="
/ip address
add address=192.168.88.4/24 interface=bridge network=192.168.88.0
add address=192.168.89.1/30 interface=ether5 network=192.168.89.0
add address=10.8.0.4 interface=wireguard1 network=10.8.0.4
/ip cloud
set update-time=no
/ip dhcp-server network
add address=10.8.0.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.8.0.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.4 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes use-doh-server=https://dns.nextdns.io/xxxxxx verify-doh-cert=yes
/ip dns static
add address=45.90.28.0 name=dns.nextdns.io
add address=45.90.30.0 name=dns.nextdns.io
add address=2a07:a8c0:: name=dns.nextdns.io type=AAAA
add address=2a07:a8c1:: name=dns.nextdns.io type=AAAA
/ip firewall nat
add action=masquerade chain=srcnat log=yes out-interface=wireguard1 src-address=192.168.88.0/24
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.88.1 routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=wireguard scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.8.0.0/24 gateway=wireguard1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set allow-guests=no interfaces=wifi2
/ip smb shares
set [ find default=yes ] disabled=yes
/routing rule
add action=lookup disabled=no src-address=192.168.88.0/24 table=wireguard
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
I would need to see the VPS wireguard settings (minus public WANIP info and keys etc…)
As far as your local device, it would ridonkulous to state users except etherport5.
You only have one subnet!!
Okay what is the case here? Your config and text are in conflict.
A> is this an Access Point/Switch acting as one
OR
B> is this acting in a router mode.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A. if its a switch there is no pool, dhcp etc for the bridge as that is provided by the upstream router.
B. if its a router then where is your WAN.
Once that is straightened out and your VPS settings are revealed will take seconds to fix.
Removed this part → /ip firewall connection tracking
set enabled=yes
Your wireguard address and network are WRONGLY formatted!
Forget DOH dns for now, traffic isnt going out router its going out wireguard tunnel!
No Requirement for sourcenat, there is no WANIP. Also you have access to VPS wg settings just ensure that 192.168.88.0/24 is included!!!
Remember the traffic when leaving VPS for internet will get sourcenatting of VPS anyway.
No requirement for route for wireguard itself as the router creates that automatically with IP address.
/interface bridge
add admin-mac=48:A9:8A:68:4F:0E auto-mac=no comment=defconf name=bridge protocol-mode=none
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ac .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.dtim-period=255 .mode=ap .ssid=xxxx
.tx-power=40 disabled=no security.authentication-types=wpa3-psk .encryption=“” .wps=disable
/interface wireguard
add disabled=no listen-port=13231 mtu=1420 name=wireguard1
/port
set 0 name=serial0
/queue type
set 2 kind=fq-codel
/routing table
add disabled=no fib name=wireguard
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge interface=ether1
add bridge=bridge interface=wifi
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/ip interface list
add name=MANAGE
/ip interface list members
add interface=bridge list=MANAGE
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=xxx.xxx.xxx.xxx endpoint-port=51820 interface=wireguard1 persistent-keepalive=35s public-key=
“blahblahblahblahblabh=”
/ip address
add address=192.168.89.1/30 interface=ether5 network=192.168.89.0 comment=“off bridge access”
add address=10.8.0.4/24 interface=wireguard1 network=10.8.0.0
add address=192.168.88.??/24 interface=bridge network=192.168.88.0
/ip cloud
set update-time=no
/ip dns
set allow-remote-requests=yes servers=192.168.88.1,1.1.1.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.88.1 routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=use-wireguard scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set allow-guests=no interfaces=wifi2
/ip smb shares
set [ find default=yes ] disabled=yes
/routing rule
add action=lookup disabled=no src-address=192.168.88.0/24 table=use-wireguard
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE
/tool mac-server ping
set enabled=no
(1) DO NOT do dhcp client is bridge. Remove this.
Since the AP is on a private subnet, assign a static IP to the AP. aka XY. ( 192.168.88.XY/24 gateway=192.168.88.1 routing-table=main )
(2) Routing rule, REMOVE interface=bridge Should be simply… /routing rule
add action=lookup src-address=192.168.88.0/24
table=wireguard
(3) In conjunction with (1) add another route.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.88.1 routing-table=main
(4) zStill Missing /ip neighbor discovery-settings
set discover-interface-list=MANAGE
(5) copy mistake ?? /interface list dd name=MANAGE
Something didnt seem right, assuming this is an access point switch device getting a private IP from a subnet on the upstream router?
If so, no pool, no nothing… So get rid of those settings.
Added ether5 to the MANAGE interface list.
Change DNS settings to non doh… the traffic is going out vps, not local router.
/interface bridge
add admin-mac=48:A9:8A:68:4F:0E auto-mac=no comment=defconf name=bridge protocol-mode=none
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ac .skip-dfs-channels=disabled .width=20/40mhz-Ce configuration.beacon-interval=293ms .country="New Zealand" \
.dtim-period=255 .manager=local .mode=ap .ssid=xxxx .tx-power=40 disabled=no security.authentication-types=wpa3-psk .encryption="" .wps=disable
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=MANAGE
/port
set 0 name=serial0
/queue type
set 2 kind=fq-codel
/routing table
add disabled=no fib name=wireguard
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge interface=ether1
add bridge=bridge interface=wifi1
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=bridge list=MANAGE
add interface=ether5 list=MANAGE
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=xxx.xxx.xxx.xxx endpoint-port=51820 interface=wireguard1 persistent-keepalive=35s public-key=\
"blahblah="
/ip address
add address=192.168.88.4/24 interface=bridge network=192.168.88.0
add address=192.168.89.1/30 interface=ether5 network=192.168.89.0
add address=10.8.0.4/24 interface=wireguard1 network=10.8.0.0
/ip cloud
set update-time=no
/ip dns
set allow-remote-requests=yes server=192.168.88.1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=wireguard scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.88.1 routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set allow-guests=no interfaces=wifi2
/ip smb shares
set [ find default=yes ] disabled=yes
/routing rule
add action=lookup disabled=no src-address=192.168.88.0/24 table=wireguard
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE
/tool mac-server ping
set enabled=no
