WireGuard: Response packets not routed

Model: hex PoE RB960PGS
OS: routeros-7.1beta6-mipsbe (for WireGuard support)

The router was set up as a WireGuard peer (interface localnet; IP address range 192.168.9.x)
The local network on router eth0 has the IP address range 192.168.8.x.
The peers in WireGuard localnet network should be able to access the clients in local network.

Currently the WireGuard peers can ping the router and each other, but not the clients in local network.
torch shows that the ping ICMP packet indeed reaches the client in local network (192.168.8.x), and the client answers back to the 192.168.9.x peer,
but the response packet isn’t routed back to the WireGuard network, hence the pinging peer doesn’t see a ping response.

The router got an IP address added (192.168.9.4), hence a “Connected route” has been automatically added for 192.168.9.0 to interface localnet.
This doesn’t seem to suffice as the response packets are not routed back.

The firewall also has been configured to accept packets from 192.168.8.x to 192.168.9.x and vice versa (accept action; forward chain).

Is this a bug or a missing piece of configuration?

Missing piece of configuration for sure.
But post a diagram and config exports.

Config:

# jun/23/2021 00:56:54 by RouterOS 7.1beta6
# software id = 4ZPU-G4YK
#
# model = RB960PGS
# serial number = <redacted>
/interface bridge
add admin-mac=08:<redacted>:C1 auto-mac=no comment=defconf name=bridgeLocal
/interface ethernet
set [ find default-name=ether2 ] name=ipcam1 poe-out=forced-on poe-priority=1
set [ find default-name=ether1 ] name=uplink
/interface wireguard
add listen-port=13231 mtu=1420 name=localnet private-key="<redacted>"
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/routing table
add fib name=""
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,\
    romon,dude,tikapp,rest-api"
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=uplink
add bridge=bridgeLocal comment=defconf interface=ipcam1
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
add bridge=bridgeLocal comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=uplink list=WAN
add interface=ipcam1 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
/interface wireguard peers
add allowed-address=10.0.0.0/24 endpoint-address=<redacted> endpoint-port=61951 interface=\
    localnet persistent-keepalive=5m public-key="<redacted>"
/ip address
add address=10.0.0.0/24 interface=localnet network=10.0.0.0
/ip dhcp-client
add comment=defconf disabled=no interface=bridgeLocal
/ip dhcp-relay
add dhcp-server=192.168.8.1 interface=uplink name="Router main"
/ip firewall filter
add action=accept chain=forward dst-address=10.0.0.0/24 src-address=192.168.8.0/24
add action=accept chain=forward dst-address=192.168.8.0/24 src-address=10.0.0.0/24
/ip firewall nat
add action=dst-nat chain=dstnat comment=IPcam disabled=yes dst-port=8000 in-interface=localnet protocol=tcp \
    to-addresses=192.168.8.109 to-ports=80
/ip route
add disabled=no dst-address=10.0.0.0/24 gateway=localnet routing-table=main suppress-hw-offload=no
/system clock
set time-zone-name=<redacted>
/system identity
set name=poe-managed

Diagram:

The Ubuntu system (10.0.0.1) as a Wireguard peer (and Wireguard “server”) is unable to ping the ipcam.
Mikrotik torch shows that the ICMP ping packets indeed reach the IPCam (192.168.8.109) but the response packets from that IPCam back to 10.0.0.1,
albeit also shown in torch, are not routed back, hence pings will timeout:
[Screenshot 2021-06-23 013858.png: Torch on eth ipcam]

I’m not sure if this is the cause of your problem, but 10.0.0.0/24 is not a valid address given that subnet mask. You should use something that doesn’t end in .255 or .0 for a /24.
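As an added example (not code from the thread or from MikroTik), the script below reads the RouterOS export posted above and walks the reply path 192.168.8.109 -> 10.0.0.1 the way the router does: route lookup, the forward chain, then WireGuard's per-peer allowed-address selection. It also flags the point raised in the reply above, an /ip address whose host part is the network (or broadcast) address. The embedded export is constructed from the post and trimmed to the sections the checks read; the checker models only src/dst-address matchers and static or connected routes (an assumption noted in the code), so the default route the DHCP client installs at runtime is outside what it can see.

```python
import ipaddress
import re

# Constructed sample: the sections of the posted export that the checks read,
# trimmed from the full export (bridge, DHCP and NAT sections omitted).
SAMPLE_EXPORT = """\
/interface wireguard
add listen-port=13231 mtu=1420 name=localnet private-key="<redacted>"
/interface wireguard peers
add allowed-address=10.0.0.0/24 endpoint-address=<redacted> endpoint-port=61951 interface=\\
    localnet persistent-keepalive=5m public-key="<redacted>"
/ip address
add address=10.0.0.0/24 interface=localnet network=10.0.0.0
/ip firewall filter
add action=accept chain=forward dst-address=10.0.0.0/24 src-address=192.168.8.0/24
add action=accept chain=forward dst-address=192.168.8.0/24 src-address=10.0.0.0/24
/ip route
add disabled=no dst-address=10.0.0.0/24 gateway=localnet routing-table=main suppress-hw-offload=no
"""


def parse_export(text):
    """Parse an export into {section path: [entry dict, ...]} for add/set lines."""
    # RouterOS wraps long lines with a trailing backslash; join them first.
    joined = re.sub(r"\\\n\s*", "", text)
    sections, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        verb, _, rest = line.partition(" ")
        if current is None or verb not in ("add", "set"):
            continue
        entry = {"_verb": verb}
        for key, val in re.findall(r'(\S+?)=("[^"]*"|\S+)', rest):
            entry[key] = val.strip('"')
        sections[current].append(entry)
    return sections


def check_addresses(sections):
    """Flag /ip address entries whose host part is the network or broadcast address."""
    findings = []
    for a in sections.get("/ip address", []):
        iface = ipaddress.ip_interface(a["address"])
        net = iface.network
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            findings.append(f"{a['interface']}: {a['address']} is not a usable host address in {net}")
    return findings


def route_for(sections, dst_ip):
    """Longest-prefix match over connected (/ip address) and static (/ip route) routes.
    Assumption: dynamic routes (e.g. the DHCP default route) are not in an export
    and are therefore not modelled. Returns the gateway/interface or None."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = []
    for a in sections.get("/ip address", []):
        net = ipaddress.ip_interface(a["address"]).network
        if dst in net:
            candidates.append((net.prefixlen, True, a["interface"]))
    for r in sections.get("/ip route", []):
        if r.get("disabled") == "yes":
            continue
        net = ipaddress.ip_network(r.get("dst-address", "0.0.0.0/0"), strict=False)
        if dst in net:
            candidates.append((net.prefixlen, False, r["gateway"]))
    # Longest prefix wins; connected beats static at equal length (distance 0 vs 1).
    return max(candidates)[2] if candidates else None


def forward_verdict(sections, src_ip, dst_ip):
    """First matching chain=forward rule wins. Assumption: only src/dst-address
    matchers are modelled (protocol, ports, interfaces ignored). A packet that
    matches no rule is accepted, which is RouterOS's default behaviour."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in sections.get("/ip firewall filter", []):
        if r.get("chain") != "forward" or r.get("disabled") == "yes":
            continue
        if "src-address" in r and src not in ipaddress.ip_network(r["src-address"], strict=False):
            continue
        if "dst-address" in r and dst not in ipaddress.ip_network(r["dst-address"], strict=False):
            continue
        return r.get("action", "accept")
    return "accept"


def peer_for(sections, dst_ip):
    """WireGuard cryptokey routing: a packet leaving a wg interface is sent only
    to the peer whose allowed-address covers its destination. Returns that peer."""
    dst = ipaddress.ip_address(dst_ip)
    for p in sections.get("/interface wireguard peers", []):
        for cidr in p.get("allowed-address", "").split(","):
            if cidr and dst in ipaddress.ip_network(cidr, strict=False):
                return p
    return None


def trace_reply(sections, lan_host, tunnel_peer):
    """Walk the reply path LAN host -> tunnel peer through all three checks."""
    return {
        "bad_addresses": check_addresses(sections),
        "route": route_for(sections, tunnel_peer),
        "firewall": forward_verdict(sections, lan_host, tunnel_peer),
        "wg_peer": (peer_for(sections, tunnel_peer) or {}).get("interface"),
    }


if __name__ == "__main__":
    cfg = parse_export(SAMPLE_EXPORT)
    for name, value in trace_reply(cfg, "192.168.8.109", "10.0.0.1").items():
        print(f"{name}: {value}")
```

Run against the posted export it reports the 10.0.0.0/24 address and otherwise finds a route to localnet, an accepting forward rule and a peer whose allowed-address covers 10.0.0.1, so the static configuration by itself does not drop the reply. What the export cannot show is whether the camera's reply frame is addressed to this router at all: a reply seen by torch on the camera port may be destined for another gateway on the same segment, and a sniffer capture that includes MAC addresses settles that.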

Thanks for your reply! Alright, I changed the IP address from 10.0.0.0 to 10.0.0.4 (/24).

However, the response packets from 192.168.8.109 (ipcam on eth ipcam1) to 10.0.0.1 (pinging on localnet) are still stuck, not routed back to localnet (WireGuard peer interface).

Any tricks for debugging this? Can I see how the packets are flowing in RouterOS?
Connection marking maybe missing?