Wireguard - Problems accessing specific devices on local network

Hello guys,

I’ve been playing with WireGuard the recent days and something really strange is happening. I have no problems at all establishing a connection and getting access to the main router on which WireGuard is set up. I’m also getting access to the home server and all services that are running on it without any problems, and the smart switch is also accessible. The problem comes when I try to access the second MT that I’m using as an AP/switch and, mostly, the NVR with access to all the cameras.

The current setup is the following:

MT Main Router with dual ISP → SFP port connected to a PoE switch feeding the cameras, and Eth connected to another internal switch. The rest of the devices, including the MT AP, are connected to this internal switch. The camera switch is also directly connected to the NVR to reduce the points of failure. The communication between the NVR and the main network goes in the direction NVR -> PoE Switch -> MT SFP. I do have some filtering done in the bridge which restricts access to the NVR through the SFP port to only certain devices, and everything else is dropped (probably this is not the best security measure, so I’m open to proposals here).

WireGuard is set up pretty much as it is on the MT documentation page, and for the test I’ve done a 1:1 implementation of it, but the problem still remained.

/interface wireguard
add listen-port=13231 name=wireguard1
/ip address
add address=192.168.100.1/24 interface=wireguard1

/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard1 public-key="<paste public key from remote device here>"

/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp place-before=1

/interface list member
add interface=wireguard1 list=LAN

The firewall rules are pretty basic; on top of the defconf I’m only dropping DNS over TCP and UDP from outside, as I’m using “Allow Remote Requests”.

add action=drop chain=input comment="Drop DNS from outside UDP" dst-port=53 \
    in-interface-list=WAN protocol=udp
add action=drop chain=input comment="Drop DNS from outside TCP" dst-port=53 \
    in-interface-list=WAN protocol=tcp

On the AP the only configuration is one address for the device and one dynamic route. I’ve found that by adding a route with the remote device IP and the main router as GW I’m getting access to the device; I don’t know why this is needed, as it is perfectly accessible from the local network. For the NVR, however, I could not get any access at all. I’ve tried to remove all the filtering rules, even tried to disable the firewall rules, but without any success. It’s really strange to me that once I’m connected through WireGuard I’m getting access to pretty much everything except the second MT device and the NVR. Do you guys have any ideas what the problem may be?

From which device do you try to access and how is config there ?

You need to provide complete evidence.
a. full config of main router hosting wireguard
b. complete config of hex.
c. config of device connecting from…

Minus router serial number, any public WAN IP info, keys etc…

I’ve been trying to do it from an Android phone. The configuration is straightforward. WireGuard app -> interface whose public key goes to the MT peer config -> Addresses 192.168.100.2/32, DNS 192.178.100.1 -> Peer with public key = MT interface key -> Allowed IPs 0.0.0.0/0 -> Endpoint the public IP address and respective port. We can assume that the configuration on the MT router and the phone is 1:1 compared to the MT documentation, as I tried even this for easier problem solving, but it still has a problem connecting these two devices.

The hEX is the main router and WireGuard is hosted on it. The WireGuard config I’ve already shared. Apart from this there is nothing special except the two rules that I’ve mentioned, the fact that ports 1 & 2 are used for ISP1 & ISP2, and the rest are bridged. Basic recursive failover on it. As for the config of the device, also shared. As I said, I’m able to get access to the local network. I’m able to ping the IP of the remote device from a machine in the local network, but the NVR is refusing any access.

Last time,

Full config of hex
Full config of second MT acting as an AP/switch

I’ve already explained the configuration but if you insist on it, here you go.

HEX

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/ip pool
add name=default-dhcp ranges=192.168.x.x-192.168.x.x
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=xx name=defconf
/ppp profile
add change-tcp-mss=yes name="name" on-up=update-route
/interface pppoe-client
add disabled=no interface=ether1-WAN1 max-mtu=1500 name=xxx

/interface bridge filter
# only MAC2 -> MAC1 may enter the bridge from the camera-side port; the bridge
# port is named sfp1 below, so the same name is used here
add action=accept chain=forward dst-mac-address=MAC1 in-bridge=bridge in-interface=sfp1 \
    src-mac-address=MAC2
add action=drop chain=forward in-bridge=bridge in-interface=sfp1 log-prefix=NVR
    
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1

/interface list member
add comment=defconf interface=bridge list=LAN
add interface=wireguard1 list=LAN
add comment=defconf interface=pppoe list=WAN
add interface=ether2-WAN2 list=WAN

/ip address
add address=192.168.x.x/24 interface=bridge network=""
add address=192.168.x.x/24 interface=ether2-WAN2 network=""
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1-WAN1

/ip dhcp-server network
add address=192.168.x.x/24 comment=defconf dns-server=192.168.x.x gateway=\
192.168.x.x
/ip dns
set allow-remote-requests=yes servers=""
/ip dns static
add address=192.168.x.x name=router.lan 

/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port="" protocol=udp 
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="Drop DNS from outside UDP" dst-port=53 \
    in-interface-list=WAN protocol=udp
add action=drop chain=input comment="Drop DNS from outside TCP" dst-port=53 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" \
    in-interface-list=!WAN protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=src-nat chain=srcnat comment="SRC-NAT MainLink" out-interface=\
    pppoe-out1 to-addresses=""
add action=src-nat chain=srcnat comment="SRC-NAT BackUp" out-interface=\
    ether2-WAN2 to-addresses=""
    
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.x.x.x pref-src=\
    "" routing-table=main scope=30 suppress-hw-offload=no target-scope=12
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.x.x.x pref-src=\
    "" routing-table=main scope=30 suppress-hw-offload=no target-scope=12
add disabled=no distance=1 dst-address="" gateway="" \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address="" gateway="" \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no dst-address="" gateway="" \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=11
add check-gateway=ping disabled=no distance=2 dst-address="" \
    gateway="" pref-src="" routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=11
add check-gateway=ping disabled=no distance=1 dst-address="" \
    gateway="" pref-src="" routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=11
add check-gateway=ping disabled=no distance=2 dst-address="" \
    gateway="" pref-src="" routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=11
add disabled=no distance=1 dst-address="" gateway="" \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address="" gateway="" \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=xx
set api disabled=yes
set api-ssl disabled=yes

AP

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=""
/interface wireless
set [ find default-name=wlan1 ]......
/interface bridge port
add bridge=Bridge ingress-filtering=no interface=all
/ip neighbor discovery-settings
set discover-interface-list=none
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface ovpn-server server
set auth=sha1,md5
/interface wireless access-list
add comment=LaserPrinter interface=wlan1 mac-address=""

/ip address
add address=192.168.x.x/24 interface=Bridge network=192.168.x.x
/ip cloud
set update-time=no
/ip dns
set servers=192.168.x.x
/ip firewall service-port
set ftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes

(1) Explanations provide very little in reality… unless they are well-stated requirements about the needed user traffic, without any mention of the config, along with a detailed network diagram; otherwise they are mostly useless.

(2) About as useless as this needless editing which does not help ensure clarity in the config
/ip pool
add name=default-dhcp ranges=192.168.x.x-192.168.x.x

(3) About as useless as editing out stuff like all the wireguard settings…

(4) The self defeating prophecy of blocking MT devices from seeing each other via neighbours discovery
/ip neighbor discovery-settings
set discover-interface-list=none

(5) The use of bridge filter which in 99% of cases is really not needed, so curious as to why you are using them.
Assuming the answer is that the standard firewall rules don’t work for an edge-case need??


(6) Odd firewall rule structure, If you block all traffic not coming from LAN via this default rule…
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN

Why did you add other rules which are thus redundant??
add action=drop chain=input comment="Drop DNS from outside UDP" dst-port=53 \
    in-interface-list=WAN protocol=udp
add action=drop chain=input comment="Drop DNS from outside TCP" dst-port=53 \
    in-interface-list=WAN protocol=tcp

(7) Personally for better security
a. add accept rule with firewall address list for all admin devices to allow to config router
b. add accept rules for DNS, tcp/udp from in-interface-list=LAN
c. add last input chain rule DROP all else action=drop chain=input.

(8) SourceNAT is at least half wrong.
The PPPoE address is a dynamic WAN IP structure. Assuming ether2 provides a static IP.
from
/ip firewall nat
add action=src-nat chain=srcnat comment="SRC-NAT MainLink" out-interface=\
    pppoe-out1 to-addresses=""
add action=src-nat chain=srcnat comment="SRC-NAT BackUp" out-interface=\
    ether2-WAN2 to-addresses=""

TO
/ip firewall nat
add action=masquerade chain=srcnat comment="SRC-NAT MainLink" out-interface=pppoe-out1
add action=src-nat chain=srcnat comment="SRC-NAT BackUp" out-interface=ether2-WAN2 to-addresses="staticWANIP"

(9) Your routes as shown make zero sense… Not sure if it’s due to editing or you just don’t know what you want to accomplish with routes???

+++++++++++++++++++++++++++++++++++++++++++

As for hex,
(10) Never seen a bridgeport setting like this…
/interface bridge port
add bridge=Bridge ingress-filtering=no interface=all

(11) Not quite sure why you have a printer on an ACL list ???
/interface wireless access-list
add comment=LaserPrinter interface=wlan1 mac-address=""

(12) Devoid of useful information to help pinpoint problem and of course turned neighbours discovery off.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

In summary, not able to help due to the lack of cooperation, will move on to help others.
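The points (6) to (8) above describe a structure without showing it, so here is one concrete layout of the hEX input chain and src-nat that follows them. This is an added example, not a config posted by anyone in this thread. Interface names, the 13231 listen port and the 192.168.100.0/24 WireGuard subnet are taken from the configs above; the 192.168.88.0/24 LAN, the admin workstation 192.168.88.10, the management ports (Winbox 8291, SSH 22) and the static backup WAN address 203.0.113.10 are assumptions, since the poster redacted his ranges.

```routeros
# Added example (not from the thread): hEX input chain reworked along the
# lines of points (6)-(8). Assumed: LAN is 192.168.88.0/24, the admin
# workstation is 192.168.88.10, Winbox (8291) and SSH (22) are the management
# services, 203.0.113.10 is the static IP on ether2-WAN2. Interface names,
# the 13231 listen port and 192.168.100.0/24 come from the posted configs.

/ip firewall address-list
add list=ADMIN address=192.168.88.10 comment="admin workstation (assumed)"
add list=ADMIN address=192.168.100.2 comment="phone via WireGuard"

/ip firewall filter
# WireGuard handshakes arrive from WAN, so this must sit before the final drop
add chain=input action=accept protocol=udp dst-port=13231 comment="allow WireGuard"
add chain=input action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
# (7a) management only from listed hosts, and only on LAN/tunnel interfaces
#      (wireguard1 is a member of the LAN list in the posted config)
add chain=input action=accept in-interface-list=LAN src-address-list=ADMIN \
    protocol=tcp dst-port=8291,22 comment="admin: winbox, ssh"
# (7b) services the router offers to LAN and tunnel clients
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="DNS UDP from LAN"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 comment="DNS TCP from LAN"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=67-68 comment="DHCP from LAN"
add chain=input action=accept in-interface-list=LAN protocol=icmp comment="ICMP from LAN"
# (7c) explicit final drop: replaces "drop all not coming from LAN" and makes
#      the two "Drop DNS from outside" rules from point (6) unnecessary
add chain=input action=drop comment="drop everything else"

# (8) masquerade follows a dynamic PPPoE address; a fixed to-addresses is only
#     right where the WAN IP really is static
/ip firewall nat
add chain=srcnat action=masquerade out-interface=pppoe-out1 comment="SRC-NAT MainLink"
add chain=srcnat action=src-nat out-interface=ether2-WAN2 to-addresses=203.0.113.10 \
    comment="SRC-NAT BackUp (static IP, assumed)"
```

Apply this from a Safe Mode session (Ctrl-X in the terminal) or with the admin accept rule already in place before the final drop, otherwise the last rule locks out the session that entered it. Note that the final drop also covers the WAN side, so anything else the router should answer from the Internet (a future second tunnel, for instance) needs its own accept above it.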

It is pretty much the default configuration with some additions, mainly in regard to dual WAN, and the 2 rules in the firewall that I already stated in the first post. I can connect to most of the devices on my local network and also I can ping between the remote device IP and local devices, except these two. I don’t really think that the edited DHCP range would help much in this regard. The AP, as I said, is almost plain, with a bridge and an address on it. There are no firewall rules. The only filtering to the NVR is in the bridge, but even if it’s removed/disabled there is no change, so I’d say it’s not that. I’m looking for ideas as it’s a strange case. It would make sense if I did not have access at all.

If you have WireGuard it should work. If the NVR is on the same network as all the other devices (MT/AP switch is transparent), there should be no reason the NVR is any different from any device behind the hEX in terms of accessibility. The odd rules you use (on hEX and AP/switch) and the weird setup for the AP/switch in general are most likely the culprits.

Yes, the main point is that WireGuard is working and I’m able to reach the server, the main router and some of the other devices, except the NVR and the AP. I’ve tried to provide as much information as possible without revealing any sensitive information, as there is a lot of information like MAC addresses, IPs and so on.

As for your comments I’ll try to give as much information as possible.

(4) Turning off neighbour discovery was recommended on the MT documentation site as a tool for improving security; that’s why it’s disabled. I have no problems accessing all MT devices from my local network, so I hope that should not be the problem. Of course I can turn it on if this would make more sense.

(5) The bridge filters are used to block all devices except 2-3 from reaching the NVR, and I’m using it again as a security measure. For this, as I said in the first post, I’m open to proposals for a cleaner and better implementation.

(6) This is indeed something that may have remained from a previous configuration, where I used to have a slightly different setup. Is the defconf rule dropping all, including these two, if Allow Remote Requests is enabled? (I guess so, and in this case I could remove these two.)

(7) Could you give an example on this one? Isn’t the default rule already doing this by dropping all not coming from the LAN list and accepting all from LAN?

(8) For the PPPoE I’m using a script to find and replace the gateway in the route list. It is attached to a PPP profile I’m using for the PPPoE interface. This is to be able to use the recursive failover.

# on-up script of the PPP profile: the PPPoE peer address can change on each
# reconnect, so the two recursive check routes (8.8.8.8 and 208.67.220.220)
# are repointed at the current remote-address whenever it differs
:local gtw $"remote-address"

# host routes used by the recursive failover as next-hop checks
:local rte [/ip route find dst-address~"8.8.8.8/32"]
:local rtf [/ip route find dst-address~"208.67.220.220/32"]

:if ([/ip route get $rte gateway]!=$gtw) do={
 /ip route set $rte gateway=$gtw
}

:if ([/ip route get $rtf gateway]!=$gtw) do={
 /ip route set $rtf gateway=$gtw
}

The eth2 address is static and it is actually an ADSL modem. However, I could change it to masquerade. Both addresses are static.

(9) The routes are working really well, to be honest, and the configuration is a recursive failover just without any mangle rules, so it’s a bit modified.

(10) Just all ports are in a single bridge, and it has an IP address on it in the same subnet. It was working this way for years. Is there a better implementation that I can try?

(11) It’s not just the printer; basically all devices that are allowed to connect to the main network via Wi-Fi are in the list.

(12) I’ve tried to give as much information as possible without revealing anything sensitive. It’s still hard to edit remotely, but now I’m home and I tried to add clarifications. The next thing I’m going to try is to completely wipe the configuration and try to rebuild it anew, but it will take time and I’m trying to avoid it.

Little update on the problem:

As I suspected, it wasn’t the MT settings as a whole but the settings of the NVR. It turned out that I’ve had a typo on the GW address set on the NVR.
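The mistyped gateway fits the symptom pattern exactly: hosts on the same subnet reach the NVR by ARP and never consult its gateway, while a reply to 192.168.100.2 has to leave via that gateway, so it never comes back. The AP at the start of the thread showed the same class of problem (a bridge address but no route toward the tunnel subnet), which is why a host route on the AP fixed it. Below, as an added example rather than anything posted in the thread, is how to isolate a missing return path from the hEX itself before touching any filter. Addresses are assumptions: hEX bridge 192.168.88.1, NVR 192.168.88.50, WireGuard side of the hEX 192.168.100.1.

```routeros
# Added example (not from the thread): isolating a missing return route on a
# LAN host from the hEX. Assumed: hEX bridge 192.168.88.1, NVR 192.168.88.50,
# WireGuard side of the hEX 192.168.100.1 (as in the posted config).

# 1. Ping the NVR sourced from the LAN address. This exercises only the
#    shared subnet: the NVR answers by ARP without consulting its gateway.
/ping 192.168.88.50 src-address=192.168.88.1 count=3

# 2. Same target, sourced from the tunnel-side address. The request still
#    arrives on the NVR, but the reply to 192.168.100.1 must go through the
#    NVR's default gateway. No reply here while step 1 succeeds points at the
#    host's gateway/mask (the typo in this thread), not at WireGuard or the
#    router's firewall.
/ping 192.168.88.50 src-address=192.168.100.1 count=3

# 3. Confirm on the camera-side port: echo requests leaving and no echo
#    replies returning means the host drops the reply, not the hEX.
/tool sniffer quick interface=sfp1 ip-protocol=icmp ip-address=192.168.88.50 duration=10

# 4. For the AP that only has a bridge address: one default route toward the
#    hEX gives it a reply path to any off-subnet source (every tunnel peer),
#    instead of one host route per remote address.
/ip route add dst-address=0.0.0.0/0 gateway=192.168.88.1 comment="reply path for off-subnet sources"
```

Step 2 is the useful one: it reproduces the tunnel client's situation from a box you already control, and the bridge filter is irrelevant to it once the accept rule covers the hEX's own MAC, so a failure there can be attributed to the host before any firewall or filter rules are disabled.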

Logical based on the config, as what you had wouldn’t have prevented the connectivity.