Since this is my first post on this forum, before asking about things, I’d like to say hi to you.
I am lacking some knowledge and I’d like to ask you for help in understanding my case. I prepared a small schematic (sorry about the performance) of the structure of my network. That’s first.
I am trying to get WireGuard working on my MT, but no luck. I tried all the suggestions posted here and on YT, but no luck.
Back in the day, when I managed my old router (before the MT), I just had to port forward to my server with WireGuard and all was fine. I suspect it is probably the same case now.
Can you please give me some hints, guys?
BR
Edit: I see packets flowing when I’m on Wi-Fi on my Android device with the following setting:
I assume your left device is an RB SXT sqG-5acD. It has an external IP of 192.168.100.249 and an internal IP in the 192.168.1.0 range?
Which device do you intend to have acting as the “server” (which conceptually does not exist in WG; there are only peers)?
Can you reach that device and port 12321 from outside? How?
What I find strange is that all IP ranges are private ranges. What else is there to make sure you get to the real internet?
What’s in front of the RB SXT? Or are your IP ranges here purely informational?
I assume your left device is an RB SXT sqG-5acD. It has an external IP of 192.168.100.249 and an internal IP in the 192.168.1.0 range? > The left device is not mine; it’s ISP property. I can’t access it. I can see this device on my MT in the ‘Neighbour list’ as 192.168.100.1. It is acting as the gateway for my router.
Which device do you intend to have acting as the “server” (which conceptually does not exist in WG; there are only peers)? > The right one.
Can you reach that device and port 12321 from outside? How?
What I find strange is that all IP ranges are private ranges. What else is there to make sure you get to the real internet?
What’s in front of the RB SXT? Or are your IP ranges here purely informational? > The left device is communicating with some sort of repeater a couple of hundred meters away.
Okay, maybe still possible. You can see the left device, but it’s routing, not just modeming…
What one needs to do is access the ISP router and port forward the WIREGUARD LISTENING PORT TO YOUR private WAN IP (a LAN IP from the ISP router’s perspective).
If you don’t have access directly, you should ask your ISP to do it for you. UDP protocol!!
‘Back in the day, when I managed my old router (before the MT), I just had to port forward to my server with WireGuard and all was fine. I suspect it is probably the same case now.’
What is not working anymore? Port forwarding? When I had my old PC acting as a server, running a WireGuard server within my LAN, the trick was to port forward UDP 51820.
Two things changed since then:
no old PC with WireGuard → now WireGuard is on the MT
no old router → my new MikroTik is now my router
When I check my external IP address on ipchicken, for instance, it’s always the same - it’s a static IP.
I am a bit confused.
What device do you use as the “entry point” to reach the WireGuard port (which ultimately needs to be forwarded one way or the other towards your MT router)?
Is port forwarding functioning there?
On the new MT router, add a firewall rule to allow port 51820:
/ip/firewall/filter add chain=input action=accept protocol=udp in-interface-list=WAN dst-port=51820 log=no (or yes, your choice)
Move that rule above the input drop rule which blocks everything coming from WAN (or !LAN, depending on whether you changed it or not).
And then set up WireGuard as per the instructions in the Wiki.
(1) The important learning point is that if the MT is the public-facing router, or even if it’s behind another router (but is the server to start the connection), one has to ALLOW the listening port traffic to hit the router itself (hence the INPUT CHAIN RULE) to initially establish the tunnel.
If you know the IP address the traffic is coming from, you can narrow it down, but generally, since it’s for establishing a VPN tunnel and the credentials will be checked, it’s secure in the form presented.
(2) If, on the server side, the peer users will be going out to the internet using the WAN IP of the server, there has to be a route in place to ensure that WireGuard traffic (peer-originated outbound) returning from the internet being provided on the server side is sent to the other end of the tunnel (back to the peer). This also applies to returning traffic from any interactions with subnets on the LAN side of the server router (perhaps the peer users are using a printer on the server side).
(3) The rest of the setup is done in the WireGuard settings themselves…
I have mine set up so that I can actually reach the PEER router and configure it via WinBox, for example.
That entails more work…
I don’t know where I’m really stuck. It must be something in the firewall config - port forwarding or routing, I guess - since not long ago I was able to run WireGuard and connect to it from a remote location…
Edit: I thought about it again and I reckon I don’t need port forwarding like I did with my old setup. I just need to access my MT from outside, but I’m unable to do so.
Question 1: why is your WireGuard listen port in the config 13231, whereas you say above it should be 51820?
If you’re knocking at the wrong door, it makes sense that nobody opens …
Question 2:
Peer definition of WireGuard: where is the endpoint address and port? It should at least have its own IP address if the ‘other side’ does not have a public IP address. It needs an address and a port to listen on.
I don’t see a mismatch; the listen port for WireGuard and the input chain rule to listen for it are the same, 13231?
However, why is this rule in your input chain (what purpose)?
add action=accept chain=input comment=Wireguard dst-port=13231 in-interface-list=LAN protocol=udp
In the forward chain, what is the purpose of this rule?
add action=accept chain=forward dst-address=192.168.1.1 dst-port=13231 in-interface=ether1 protocol=udp
In the NAT chain, what is the purpose of this rule?
add action=dst-nat chain=dstnat dst-address=XX.XXX.XXX.XXX dst-port=13231 protocol=udp to-addresses=10.20.50.0 to-ports=13231
If you read my post, you only need
a. a listening port rule on the input chain
b. a route back to the peer
Where in the conversation did all these other crap-seeming rules get recommended/discussed???
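As an added example (not code from any post in this thread, nor from MikroTik’s own documentation), here is the minimal RouterOS 7 configuration that the numbered learning points (1) to (3) above and the later “a. listening port on input chain / b. route back to the peer” summary describe, with the listening side on the MikroTik and a remote MikroTik as the initiating peer. The tunnel subnet 10.20.50.0/24, the interface name wg0, the server’s LAN 192.168.1.0/24, the placeholder public address PUBLIC.IP and the placeholder keys are assumptions for illustration; the listen port 13231 is the one from the thread. Note that no forward or dst-nat rules are needed: WireGuard terminates on the router itself, so the input rule and the connected route on wg0 are sufficient.

```routeros
# Added example, not from the thread. Assumed values: 10.20.50.0/24 tunnel subnet,
# interface wg0, server LAN 192.168.1.0/24, PUBLIC.IP and the <...> keys are placeholders.

# --- Listening side: the MikroTik router behind the ISP device -------------------
# 1. The WireGuard interface. RouterOS generates the private key when none is given;
#    read the resulting public key afterwards with "/interface/wireguard print".
/interface/wireguard add name=wg0 listen-port=13231 comment="WG listener"

# 2. The router's own address inside the tunnel. The /24 creates a connected route
#    that covers every peer in 10.20.50.0/24 - that is the "route back to the peer"
#    for returning internet and LAN-side traffic (point (2) / b.).
/ip/address add address=10.20.50.1/24 interface=wg0

# 3. One entry per remote peer. allowed-address is what this router accepts from,
#    and sends to, that peer through the tunnel. No endpoint is configured here,
#    because the remote side sits behind NAT and initiates the connection.
/interface/wireguard/peers add interface=wg0 comment="road-warrior" \
    public-key="<PEER_PUBLIC_KEY_BASE64>" allowed-address=10.20.50.2/32

# 4. The INPUT rule for the handshake (point (1) / a.). dst-port MUST equal the
#    listen-port above (13231, not 51820). place-before=0 puts the rule at the top
#    of the filter list, i.e. above the default "drop all not coming from LAN" rule.
/ip/firewall/filter add chain=input action=accept protocol=udp dst-port=13231 \
    in-interface-list=WAN comment="WireGuard handshake" place-before=0

# 5. Treat the tunnel as LAN. The default input/forward rules then let peers reach
#    the router itself (WinBox over the tunnel, as in the post above) and the LAN
#    subnets behind it, without extra forward rules.
/interface/list/member add list=LAN interface=wg0

# 6. Peers that use this router as their default gateway are covered by the default
#    masquerade rule; shown here only so the full path is visible.
/ip/firewall/nat add chain=srcnat action=masquerade out-interface-list=WAN

# --- Initiating side: a remote MikroTik peer ------------------------------------
# Only this side knows an endpoint, because only the listening side has a reachable
# address:port (the ISP router must forward UDP 13231 to the MT for this to work).
# persistent-keepalive keeps the NAT mapping alive so replies keep getting through.
/interface/wireguard add name=wg0 listen-port=13231
/ip/address add address=10.20.50.2/24 interface=wg0
/interface/wireguard/peers add interface=wg0 comment="home-MT" \
    public-key="<SERVER_PUBLIC_KEY_BASE64>" \
    endpoint-address=PUBLIC.IP endpoint-port=13231 \
    allowed-address=10.20.50.0/24,192.168.1.0/24 persistent-keepalive=25s
# RouterOS does not install routes from allowed-address automatically, so the
# server's LAN must be routed into the tunnel explicitly.
/ip/route add dst-address=192.168.1.0/24 gateway=wg0
# To send ALL traffic through the tunnel (point (2) above), use allowed-address=0.0.0.0/0
# on this peer entry and add a default route via wg0 instead of the /24 route.

# Verify on either side: a successful handshake shows a recent last-handshake value.
/interface/wireguard/peers print detail
```

If the handshake never appears on the listening side, the usual culprits in this thread’s order are: the ISP router not forwarding UDP 13231 to the MT’s private WAN address, the input rule sitting below the drop rule, or a dst-port that does not match the interface’s listen-port.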