Hello everyone. The following is the configuration of my RouterOS. Configure the wireguard tunnel in RouterOS. My remote PC connects to RouterOS through the wireguard tunnel. The PC can communicate through wireguard, but two problems arise:
Problem 1: The remote PC cannot access the LAN network under RouterOS
Question 2: I have set the masq of the pppoe-out1 interface in the firewall. If I do not select the masq of the pppoe-out1 interface, I can divert traffic through BGP. If masq of the pppoe-out1 interface is selected, the traffic cannot be distributed through BGP.
grateful!
# 2023-12-18 17:23:58 by RouterOS 7.13
/interface bridge
add comment="defconf: local Bridge" name=bridge1 port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] comment="defconf: local NAS" \
disable-running-check=no name=ether1-NAS-Bonding
set [ find default-name=ether2 ] comment="defconf: local WAN" \
disable-running-check=no name=ether2-WAN
set [ find default-name=ether3 ] comment="defconf: local LAN" \
disable-running-check=no name=ether3-LAN
set [ find default-name=ether4 ] comment="defconf: local LAN" \
disable-running-check=no name=ether4-LAN
set [ find default-name=ether5 ] comment="defconf: local NAS" \
disable-running-check=no name=ether5-NAS-Bonding
set [ find default-name=ether6 ] comment="defconf: local LAN for VMs" \
disable-running-check=no name=ether6-LAN
/interface wireguard
add listen-port=18881 mtu=1420 name=wireguard1
/interface bonding
add mode=802.3ad name=bonding1 slaves=ether1-NAS-Bonding,ether5-NAS-Bonding
/interface pppoe-client
add add-default-route=yes comment="defconf: local PPPoE client" disabled=no \
interface=ether2-WAN name=pppoe-out1 user=
/interface list
add comment="defconf: extranet list" name=WAN
add comment="defconf: intranet list" name=LAN
add comment="onuconf: ONU list" name=ONU
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool1 ranges=10.0.0.100-10.0.0.188
/ip dhcp-server
add address-pool=pool1 bootp-support=none interface=bridge1 name=server1
/port
set 0 name=serial0
set 1 name=serial1
/queue type
add cake-diffserv=diffserv4 cake-flowmode=dual-dsthost cake-memlimit=32.0MiB \
cake-mpu=84 cake-nat=yes cake-overhead=38 cake-overhead-scheme=ethernet \
cake-rtt=50ms kind=cake name=cake-rx
add cake-ack-filter=filter cake-diffserv=diffserv4 cake-flowmode=dual-srchost \
cake-memlimit=32.0MiB cake-mpu=84 cake-nat=yes cake-overhead=38 \
cake-overhead-scheme=ethernet cake-rtt=50ms kind=cake name=cake-tx
/queue tree
add bucket-size=0.05 comment="qosconf: download queue with CAKE" max-limit=1G \
name=cake-download packet-mark=no-mark parent=bridge1 queue=cake-rx
add bucket-size=0.03 comment="qosconf: upload queue with CAKE" max-limit=80M \
name=cake-upload packet-mark=no-mark parent=pppoe-out1 queue=cake-tx
/routing table
add disabled=no fib name=BGP
/system logging action
add disk-file-count=100 disk-file-name=syslog name=syslog target=disk
/interface bridge port
add bridge=bridge1 interface=bonding1 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether3-LAN internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether4-LAN internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether6-LAN internal-path-cost=10 path-cost=10
/interface list member
add comment="defconf: extranet member" interface=pppoe-out1 list=WAN
add comment="defconf: intranet member" interface=bridge1 list=LAN
add comment="onuconf: ONU member" interface=ether2-WAN list=ONU
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=10.88.88.2/32 interface=wireguard1 private-key=\
"AB1K8lUicKfZBSxcpFF4ESK=" public-key=\
"D5dOPmdxIO+mjo/r4AEA="
/ip address
add address=10.0.0.254/24 comment="defconf: local LAN IPv4 address" \
interface=bridge1 network=10.0.0.0
add address=10.88.88.1/24 comment="defconf: local WireGuard IPv4 address" \
interface=wireguard1 network=10.88.88.0
add address=192.168.1.2/24 comment="onuconf: link IPv4 address for ONU" \
interface=ether2-WAN network=192.168.1.0
/ip dhcp-server lease
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.38 gateway=10.0.0.254 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=6h max-concurrent-queries=150 \
max-udp-packet-size=8192 servers=10.0.0.38,2402:4e00::,2400:3200::1
/ip firewall address-list
add address=10.0.0.58 comment="lanconf: local proxy ipv4 (PC)" list=\
local_proxy_ipv4
add address=10.0.0.8 comment="lanconf: local proxy ipv4 (NAS)" list=\
local_proxy_ipv4
add address=10.0.0.68 comment="lanconf: local proxy ipv4 (Liu Iphone)" list=\
local_proxy_ipv4
add address=10.0.0.78 comment="lanconf: local proxy ipv4 (MAC)" list=\
local_proxy_ipv4
add address=192.168.1.1 comment="onuconf: local ONU address" list=\
local_onu_ipv4
add address=10.0.0.0/24 comment="lanconf: local LAN address" list=\
local_lan_ipv4
add address=10.0.0.38 comment="lanconf: local DNS server" list=local_dns_ipv4
add address=10.0.0.48 comment="lanconf: local Clash ipv4" list=\
local_clash_ipv4
add address=h.kevinleo.xyz comment=local_service_domain list=\
local_service_domain
add address=0.0.0.0/8 comment="defconf: RFC6890 - this network" list=\
no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890 - link local" list=\
no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: RFC5771 - multicast" list=\
no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890 - limited broadcast" \
list=no_forward_ipv4
add address=10.88.88.0/24 comment="lanconf: local proxy ipv4 (WireGuard)" \
list=local_proxy_ipv4
add address=10.88.88.0/24 comment="lanconf: local WireGuard ipv4" list=\
local_wireguard_ipv4
add address=10.88.88.0/24 comment="lanconf: local LAN address" list=\
local_lan_ipv4
/ip firewall filter
add action=accept chain=input comment="defconf:allow WireGuard" dst-port=\
18881 protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" disabled=yes \
src-address=10.88.88.0/24
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
protocol=icmp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment="defconf: accept all coming from LAN" \
in-interface-list=LAN
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
dst-address-list=no_forward_ipv4
/ip firewall mangle
add action=change-mss chain=forward comment="defconf: fix IPv4 mss for WAN" \
new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=accept chain=prerouting comment="onuconf: To Clash" \
src-address-list=local_clash_ipv4
add action=mark-routing chain=prerouting comment="onuconf: To Clash" \
dst-address-list=!local_onu_ipv4 dst-address-type=!local dst-port=80,443 \
new-routing-mark=BGP passthrough=yes protocol=tcp src-address-list=\
local_proxy_ipv4
add action=accept chain=prerouting comment="onuconf: access to ONU" \
dst-address-list=local_onu_ipv4 src-address-list=local_lan_ipv4
add action=accept chain=prerouting comment="onuconf: WireGuard access to Lan" \
dst-address=10.0.0.0/24 src-address=10.88.88.0/24
/ip firewall nat
add action=endpoint-independent-nat chain=srcnat comment=\
"\C8\AB\D7\B6\D0\CENAT" out-interface-list=WAN protocol=udp \
randomise-ports=no
add action=endpoint-independent-nat chain=dstnat comment=\
"\C8\AB\D7\B6\D0\CENAT" in-interface-list=WAN protocol=udp \
randomise-ports=no
add action=masquerade chain=srcnat comment="onuconf: WireGuard access to Lan" \
out-interface=wireguard1
add action=masquerade chain=srcnat comment="\B5\D8\D6\B7\CE\B1\D7\B0" \
out-interface-list=WAN
add action=masquerade chain=srcnat comment="onuconf: access to ONU" \
dst-address-list=local_onu_ipv4 out-interface-list=ONU src-address-list=\
local_lan_ipv4
add action=accept chain=dstnat comment=\
"lanconf: accept local DNS server's query (UDP)" dst-port=53 \
in-interface-list=LAN protocol=udp src-address-list=local_dns_ipv4
add action=accept chain=dstnat comment=\
"lanconf: accept local DNS server's query (TCP)" dst-port=53 \
in-interface-list=LAN protocol=tcp src-address-list=local_dns_ipv4
add action=redirect chain=dstnat comment="lanconf: redirect DNS query (UDP)" \
dst-port=53 in-interface-list=LAN protocol=udp to-ports=53
add action=redirect chain=dstnat comment="lanconf: redirect DNS query (TCP)" \
dst-port=53 in-interface-list=LAN protocol=tcp to-ports=53
add action=dst-nat chain=dstnat comment="HTTP\B6\CB\BF\DA\D3\B3\C9\E4" \
dst-port=2080 in-interface-list=WAN protocol=tcp to-addresses=10.0.0.8 \
to-ports=2080
add action=dst-nat chain=dstnat comment=\
"HTTP\B1\BE\B5\D8\B6\CB\BF\DA\BB\D8\C1\F7" dst-address-list=\
local_service_domain dst-port=2080 in-interface-list=LAN protocol=tcp \
to-addresses=10.0.0.8 to-ports=2080
add action=masquerade chain=srcnat comment=\
"HTTP\B1\BE\B5\D8\B6\CB\BF\DA\BB\D8\C1\F7\CE\B1\D7\B0" dst-port=2080 \
out-interface-list=LAN protocol=tcp src-address-list=local_lan_ipv4
/ip firewall raw
add action=accept chain=prerouting comment=\
"defconf: enable for transparent firewall" disabled=yes
/ip route
add comment=BGP disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
pppoe-out1 pref-src="" routing-table=BGP scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 \
pref-src="" routing-table=BGP scope=30 suppress-hw-offload=no \
target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=pppoe-out1 type=external
/ipv6 address
add advertise=no comment=\
"\D2\AA\C4\DA\B2\BF\C9\E8\B1\B8\CA\B9\D3\C3\BF\AA\C6\F4Advertise" \
from-pool=ipv6-public-pool-1 interface=bridge1
/ipv6 dhcp-client
add add-default-route=yes comment="defconf: local DHCPv6 client" interface=\
pppoe-out1 pool-name=ipv6-public-pool-1 request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=fe80::/10 comment=defconf:Local-ipv6-list list=Local-ipv6-list
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invaild" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment=\
"defconf:accept DHCPv6-Client prefix delegation" dst-port=546 protocol=\
udp src-address-list=Local-ipv6-list
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invaild" \
connection-state=invalid
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=drop chain=forward comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
/ipv6 nd
set [ find default=yes ] disabled=yes
add dns=2402:4e00::,2400:3200::1 interface=bridge1
/routing bgp connection
add as=65530 local.role=ebgp multihop=yes name=Clash remote.address=10.0.0.48 \
.as=65531 router-id=10.0.0.254 routing-table=BGP
/system clock
set time-zone-name=Asia/Shanghai
/system hardware
set allow-x86-64=yes
/system identity
set name=KevinRouterOS
/system logging
add action=syslog topics=critical
add action=syslog topics=error
add action=syslog topics=warning
add action=syslog topics=system
add action=syslog topics=script
add action=syslog topics=firewall
add action=syslog topics=interface
add action=syslog disabled=yes topics=wireguard
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp.tencent.com
add address=ntp.aliyun.com
According to the rules you provided, I added them to the firewall. The added rules also allowed traffic to pass through, but the access was still not Lan.
add action=accept chain=forward comment="Allow Wiregurard to LAN" in-interface=wireguard1 out-interface-list=LAN
I’ve not used wireguard yet but I can think of one thing that might have gone wrong:
Are “allowed ips” configured properly on the PC? I mean if you’ve only specified 10.88.88.0/24 (i.e., the ip addresses on the tunnel) to be allowed through the wireguard tunnel, then the computer will not know where to send traffic destined for 10.0.0.0/24 and will naturally try its default gateway which is of course not the wireguard interface.
Also, I’m not sure if the masquerade rule will let you get around that as return traffic will have to come from the destination ip address defined in the first place. So if an ip address from 10.0.0.0/24 subnet gets translated to 10.88.88.1 it will not be recognized on the other end (i.e., your pc). There are two possibilities here:
either masquerade works and your pc does not know what to do with a packet whose source address is 10.88.88.81 or
masquerade doesn’t work at all for return traffic and the allowed ip address field is not set properly on your pc so the wireguard interface cannot accept traffic with 10.0.0.0/24 source address (this is more likely based on what I’ve seen so far). Again though I’m only just figuring out how src nat works exactly so what I’m suggesting might be completely off
The PC “allowed ips” is 0.0.0.0/0. The PC can access the Internet through wireguard, but cannot access the LAN.
I also think there is a problem with masq, but I don’t know how to fix it.
I think it would be best to approach the issue incrementally. You could capture packets along the way and see where the issue occurs:
Issue ping from your pc to one of the devices in the LAN that allows ICMP. This is important because if ICMP is not allowed you won’t get replies anyway
Use the built-in packet sniffer in router os and export to a wireshark file (.pcap is the extension to open it on wireshark). You need to capture the interface that is facing that LAN device (e.g., ether4-LAN) with tx direction. Does the icmp from your pc show up there?
a) If it does (I think it will show up), it means that it has traversed the wireguard tunnel and is headed to your LAN device => The problem is at a later stage
b) If it does not, it meas that it has not traversed the wireguard tunnel => The problem is somewhere before that
Capture the egress direction of the LAN device’s interface to see if there is an ICMP echo reply going back to your pc. Does that reply exist?
a) If it does, it meas that the echo request has been received and processed => The problem is at a later stage
b) If it does not (I don’t think that this is the case), it means that the echo request has not been received/processes => The problem is somewhere on the LAN device (maybe a host firewall?)
This will help you narrow down the possibilities. The places I’m suggesting to do packet captures should have non-encrypted traffic so there won’t be any problem identifying the type of traffic. Now, ideally you could packet capture the tx direction from the routeros wireguard (i.e., the icmp echo reply as it goes back to your pc) but I think that would give you encrypted traffic which would be difficult to identify (haven’t tried before so I cannot be sure).
As a quick test you could try disabling:
add action=masquerade chain=srcnat comment="onuconf: WireGuard access to Lan" \
out-interface=wireguard1
this rule would hit traffic travelling over the wireguard interface and change its source ip address to 10.88.88.1. Maybe that’s what’s causing the issue (?). I’m trying to figure out the whole configuration to see if I make any more sense of it (it’s complicated and I’m still a newbie). I’ll get back to you if I figure out anything else.
For routeros you can try using the built-in packet sniffer (https://help.mikrotik.com/docs/display/ROS/Packet+Sniffer) and export to a .pcap file which you can import into wireshark. I use wireshark when I need to troubleshoot something (https://www.wireshark.org/) which works on most operating systems. TBH your config is a bit confusing to me and I would first try and make it as simple as possible. One particular problem I am having is the mix-up of address lists (e.g., local_lan_ipv4) when combined with multiple nat rules which use those address lists and the possibility that you’re hitting a rule that messes things up without even noticing (like erlinden previously said)! I just lose track trying to understand the whole picture.
If you manage to do packet captures and see under what conditions the ip addresses change (both tx from the pc to the LAN and the return traffic), you will know what the problem is and you will fix it. I think you should focus on the nat rules. Also, why use so many in the first place? Are those really required for the setup?
Hello. Below is an example of what worked for me. Change the dst & src address list to match the subnets you’re trying to reach from your own address lists. Place this in the forward chain section. Hope this helps
