Wireguard problems

Hi to everybody.

I've set up a WireGuard connection between two MikroTik devices (RB5009 and cAP ax) and an OPNsense firewall.
WireGuard IPs:
Opnsense 10.200.0.1/24
cAP ax 10.200.0.2/24
RB5009 10.200.0.3/24
The connection from the RB5009 to OPNsense works as expected - I can ping OPNsense from the MikroTik and from the MikroTik to OPNsense.
The connection from the cAP to OPNsense is established, but I don't have any network activity.

OPNsense allows any traffic on the WireGuard interface.

WireGuard config RB5009

/interface/wireguard/peers> /interface/wireguard/peers/print
Columns: INTERFACE, PUBLIC-KEY, ENDPOINT-ADDRESS, ENDPOINT-PORT, ALLOWED-ADDRESS, PERSISTENT-KEEPALIVE
# INTERFACE   PUBLIC-KEY                                    ENDPOINT-ADDRESS  ENDPOINT-PORT  ALLOWED-ADDRESS   PERSISTENT-KEEPALIVE
0 wireguard1  xxxxxxEo0mvBFAMZ1UTUYtxKgRGfrEu5rA3xBdIgKi4=  xx.xx.xx.93               55617  192.168.200.0/24  20s
                                                                                             10.200.0.0/24
                                                                                             ::/0



[admin@FW-MT] > ping 10.200.0.1
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 10.200.0.1                                 56  64 10ms301us
    1 10.200.0.1                                 56  64 11ms188us
    sent=2 received=2 packet-loss=0% min-rtt=10ms301us avg-rtt=10ms744us max-rtt=11ms188us

[admin@FW-MT] > ping 10.200.0.3
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 10.200.0.3                                 56  64 284us
    1 10.200.0.3                                 56  64 265us
    sent=2 received=2 packet-loss=0% min-rtt=265us avg-rtt=274us max-rtt=284us

WireGuard config cAP ax

/interface/wireguard/peers/print
Columns: INTERFACE, PUBLIC-KEY, ENDPOINT-ADDRESS, ENDPOINT-PORT, ALLOWED-ADDRESS, PERSISTENT-KEEPALIVE
# INTERFACE   PUBLIC-KEY                                    ENDPOINT-ADDRESS  ENDPOINT-PORT  ALLOWED-ADDRESS   PERSISTENT-KEEPALIVE
0 wireguard1  xxxxxxEo0mvBFAMZ1UTUYtxKgRGfrEu5rA3xBdIgKi4=  xx.xx.xx.93               55617  10.200.0.0/24     25s
                                                                                             192.168.200.0/24
                                                                                             ::/0



[admin@AP-01] > ping 10.200.0.2
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 10.200.0.2                                 56  64 156us
    1 10.200.0.2                                 56  64 202us
    sent=2 received=2 packet-loss=0% min-rtt=156us avg-rtt=179us max-rtt=202us

[admin@AP-01] > ping 10.200.0.1
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 10.200.0.1                                                   timeout
    sent=1 received=0 packet-loss=100%

Also, OPNsense says that the devices are connected:

wg1  XXXXXzzyNHZEcy5Z8OYYzEH5vIj02V6DhBePOmWk1Wg=  FW-MT  XX.XX.XX.191:13231  2024-12-01 16:15:54  707.46 MB  3.35 GB
wg1  XXXXXXLwsumMHDX//q7LYTAYq0TE8QvD64W0e4Tm30XU=  AP-01  XX.XX.XX.191:13235  2024-12-01 16:15:53  2.77 MB    1.27 MB

Both MikroTik devices are behind the same public IP but not in the same network as the OPNsense firewall.

On the RB5009 I have the option to switch between router and bridge; router is selected.
The cAP does not have this option.

In this case I haven't created any routes because they are "directly" connected.

On both MikroTik devices I've created a rule for incoming ICMP traffic on the WireGuard interface.
Can someone point me in the right direction?

Thanks a lot

You haven't posted the OPNsense configuration, but by the symptoms I assume that you have set allowed-addresses on both peers to 10.200.0.0/24 or, in the better case, 10.200.0.3/24 for the 5009 and 10.200.0.2/24 for the cAP ax.

Each Wireguard interface works as a small virtual router - it receives packets from the “big” router and further decides to which peer to send them. It goes through the list of peers top to bottom and sends the packet to the first peer whose allowed-addresses match the destination address of the packet. No matter whether you have set it to 10.200.0.0/24 or 10.200.0.x/24, the mask has precedence so it is always interpreted as 10.200.0.0/24. So the Wireguard “mini-router” sends packets for any destination address matching that prefix to the first (topmost) peer. To change that, you have to change the masks of allowed-addresses on the Opnsense side from /24 to /32.
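
The following is an added simulation of the allowed-ips lookup the answer describes; it is not code from the thread, from MikroTik or from OPNsense. It models one WireGuard interface's cryptokey-routing table: every prefix belongs to exactly one peer (when a second peer is configured with a prefix another peer already holds, WireGuard moves it to the peer configured last), lookups are longest-prefix match, and a decrypted packet is only accepted if its source address lies in the sending peer's allowed-ips. The peer names FW-MT and AP-01 and the tunnel addresses 10.200.0.3 and 10.200.0.2 come from the post; the order in which the peers are added on the OPNsense side is an assumption, chosen so that the RB5009 ends up owning the /24 as in the reported symptoms. The MIXED scenario goes beyond the thread and shows that a /24 on one peer plus a /32 carve-out on the other also works.

```python
import ipaddress

# Constructed scenarios modelled on the thread: peers as configured on the
# OPNsense side, in the order they are added to the interface (order is an
# assumption).  FW-MT is the RB5009, AP-01 the cAP ax, as in the status table.
BROKEN = [("AP-01", ["10.200.0.2/24"]), ("FW-MT", ["10.200.0.3/24"])]
FIXED = [("AP-01", ["10.200.0.2/32"]), ("FW-MT", ["10.200.0.3/32"])]
# Beyond the thread: a /24 on one peer and a /32 carve-out on the other also
# works, because lookups are longest-prefix match, so order no longer matters.
MIXED = [("FW-MT", ["10.200.0.0/24"]), ("AP-01", ["10.200.0.2/32"])]

# Tunnel address each peer uses as the source of its pings (from the post).
TUNNEL_IP = {"FW-MT": "10.200.0.3", "AP-01": "10.200.0.2"}


class CryptokeyRouter:
    """Toy model of one WireGuard interface's allowed-ips table.

    Each prefix is owned by exactly one peer; configuring a prefix that another
    peer already owns moves it to the newly configured peer, which is what
    WireGuard itself does.  Lookups use longest-prefix match.
    """

    def __init__(self, peers):
        self.table = {}  # ip_network -> owning peer name
        for name, allowed in peers:
            for prefix in allowed:
                # strict=False: "10.200.0.3/24" is stored as 10.200.0.0/24,
                # i.e. the mask wins over the host part, as the answer says.
                self.table[ipaddress.ip_network(prefix, strict=False)] = name

    def peer_for(self, address):
        """Peer whose allowed-ips contain `address` (longest prefix), or None."""
        addr = ipaddress.ip_address(address)
        hits = [(net.prefixlen, name) for net, name in self.table.items()
                if addr in net]
        return max(hits)[1] if hits else None

    def accept_inbound(self, from_peer, src):
        """WireGuard drops a decrypted packet whose source address is not
        inside the sending peer's allowed-ips."""
        return self.peer_for(src) == from_peer

    def owners(self):
        """Human-readable view of the table: prefix -> owning peer."""
        return {str(net): name for net, name in self.table.items()}


def simulate(peers):
    """For each peer: (is its ping accepted on arrival?, which peer would the
    reply to its tunnel address be encrypted to?)."""
    router = CryptokeyRouter(peers)
    return {name: (router.accept_inbound(name, TUNNEL_IP[name]),
                   router.peer_for(TUNNEL_IP[name]))
            for name, _ in peers}


if __name__ == "__main__":
    for label, peers in (("broken /24", BROKEN), ("fixed /32", FIXED),
                         ("mixed /24 + /32", MIXED)):
        router = CryptokeyRouter(peers)
        print(f"{label}: table={router.owners()} result={simulate(peers)}")
```

In the BROKEN scenario the single 10.200.0.0/24 entry ends up owned by FW-MT, so AP-01's echo request (source 10.200.0.2) is dropped on arrival and any reply to 10.200.0.2 would be encrypted to FW-MT anyway; the handshake still completes, which is why the OPNsense status shows both peers as connected. With /32 entries (or the MIXED variant) each tunnel address resolves to its own peer in both directions.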

Thanks a lot,

You've been right on every single point.
I've changed the settings as you said, and now it is working.