Hey all
Trying to connect a Windows WireGuard client to the L2 LAN.
The LAN is 192.168.20.0/24; some devices point to another gateway, 192.168.20.2 (ISP2), or don't have a default gateway configured.
Ping 172.16.10.1 OK
Ping device with 192.168.20.1 as default route OK
Any ideas?
RB Config
# 2023-12-01 18:11:30 by RouterOS 7.12.1
# software id =
#
/interface bridge
add arp=proxy-arp name=bridge1
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no name=ether1-wan
set [ find default-name=ether2 ] disable-running-check=no name=ether2-lan
/interface wireguard
add listen-port=13231 name=wireguard1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether2-lan
/interface list member
add interface=bridge1 list=LAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=192.168.20.0/24,172.16.10.0/24 comment=Nox endpoint-port=\
13231 interface=wireguard1 public-key=\
"/000000000000000000"
/ip address
add address=192.168.16.10/24 interface=ether1-wan network=192.168.16.0
add address=172.16.10.1/24 interface=wireguard1 network=172.16.10.0
add address=192.168.20.1/24 interface=bridge1 network=192.168.20.0
/ip dns
set servers=1.1.1.1
/ip route
add comment=ISP1 disabled=no distance=1 dst-address=0.0.0.0/0 \
gateway=192.168.16.1 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name=mk-lab
Windows Client config
[Interface]
PrivateKey = 000000000000000000000000000000000
Address = 172.16.10.2/24
DNS = 1.1.1.1
[Peer]
PublicKey = 0000000000000000000000000000000000000000000
AllowedIPs = 172.16.10.0/24, 192.168.20.0/24
Endpoint = myisp:13231
PersistentKeepalive = 30
anav
December 2, 2023, 12:32pm
2
You need to understand better the use and setup of allowed IPs…
Check this → https://forum.mikrotik.com/viewtopic.php?t=182340
Fixed the Allowed IPs config, but it's still not working on devices without a default route.
# 2023-12-02 20:33:04 by RouterOS 7.12.1
# software id =
#
/interface bridge
add arp=proxy-arp name=bridge1
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no name=ether1-wan
set [ find default-name=ether2 ] disable-running-check=no name=ether2-lan
/interface wireguard
add listen-port=13231 name=wireguard1
/interface list
add name=WAN
add name=LAN
/interface bridge port
add bridge=bridge1 interface=LAN
/interface list member
add interface=ether2-lan list=LAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=172.16.10.2/32 comment=Nox endpoint-port=13231 interface=\
wireguard1 public-key="0000000000000000000000000000"
/ip address
add address=192.168.16.1/24 interface=ether1-wan network=192.168.16.0
add address=172.16.10.1/30 interface=wireguard1 network=172.16.10.0
add address=192.168.20.1/24 interface=bridge1 network=192.168.20.0
/ip dns
set servers=1.1.1.1
/ip route
add comment=ISP1 disabled=no distance=1 dst-address=0.0.0.0/0 \
gateway=192.168.16.1 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
[Interface]
PrivateKey = 0000000000000000000000
Address = 172.16.10.2/32
DNS = 172.16.10.1
[Peer]
PublicKey = 0000000000000000000000000000
AllowedIPs = 192.168.20.0/24
Endpoint = mydomain:13231
PersistentKeepalive = 30
sindy
December 3, 2023, 12:17pm
4
If you only want the roaming client to be able to connect to devices in 192.168.20.0/24 and not vice versa (i.e. you don’t need that those devices could actively initiate connections to the roaming client), /ip/firewall/nat/add src-address=172.16.10.2 dst-address=192.168.20.0/24 action=masquerade should do the trick. With this rule in place, the hosts in 192.168.20.0/24 will see the incoming connections from the roaming client as if they were initiated by the router itself so they won’t need a route to 172.16.10.2.
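To make the return-path problem concrete, here is an added Python model of the routing decision each kind of LAN device makes when it replies to the roaming client. It is not code from the thread, from MikroTik, or from WireGuard; it just implements longest-prefix matching over a host's connected subnet and optional default route, using the addresses from the configs above (192.168.20.1 on the bridge, the 172.16.10.0/30 tunnel, client 172.16.10.2). It goes slightly beyond sindy's case by also covering the host from the first post whose default gateway is the ISP2 router at 192.168.20.2; the assumption there is that the ISP2 gateway has no route to 172.16.10.0/30 and forwards such packets toward the internet, where they are dropped. The masquerade rule (on RouterOS it goes in chain=srcnat) is modeled as the host seeing 192.168.20.1 as the connection's source, with the router holding the conntrack entry that maps the reply back into the tunnel.

```python
import ipaddress

# Addresses taken from the thread: the router's LAN side, the ISP2 gateway on the
# same segment, and the roaming client's address inside the WireGuard tunnel.
ROUTER_LAN_IP = ipaddress.ip_address("192.168.20.1")
ISP2_GATEWAY = ipaddress.ip_address("192.168.20.2")
CLIENT_TUNNEL_IP = ipaddress.ip_address("172.16.10.2")


class LanHost:
    """A LAN device with one connected subnet and an optional default gateway."""

    def __init__(self, name, address, gateway=None):
        self.name = name
        self.iface = ipaddress.ip_interface(address)          # e.g. "192.168.20.10/24"
        self.gateway = ipaddress.ip_address(gateway) if gateway else None

    def next_hop(self, dst):
        """Longest-prefix match over the host's two routes: the connected
        subnet (most specific) and, if configured, the default route."""
        dst = ipaddress.ip_address(dst)
        if dst in self.iface.network:
            return ("on-link", dst)
        if self.gateway is not None:
            return ("via", self.gateway)
        return ("unreachable", None)


def next_hop_can_deliver(hop):
    """Assumption: only the MikroTik router knows 172.16.10.0/30 (connected route
    on wireguard1). The ISP2 gateway has no such route and sends the reply toward
    the internet, where the private destination is dropped."""
    return hop == ROUTER_LAN_IP


def reply_reaches_client(host, masquerade):
    """Does this host's reply to a connection from the roaming client get back?
    With masquerade the host sees the router's LAN address as the source and
    the router (holding the conntrack entry) un-NATs the reply into the tunnel.
    Without it the host has to route to 172.16.10.2 on its own."""
    src_seen = ROUTER_LAN_IP if masquerade else CLIENT_TUNNEL_IP
    verdict, hop = host.next_hop(src_seen)
    if verdict == "unreachable":
        return False
    return next_hop_can_deliver(hop)


# Constructed sample LAN mirroring the three device types described in the thread.
SAMPLE_HOSTS = [
    LanHost("pc-gw-router", "192.168.20.10/24", gateway=str(ROUTER_LAN_IP)),
    LanHost("pc-gw-isp2", "192.168.20.20/24", gateway=str(ISP2_GATEWAY)),
    LanHost("pc-no-gw", "192.168.20.30/24"),
]


def simulate(masquerade):
    """Map each sample host to whether its reply reaches the roaming client."""
    return {h.name: reply_reaches_client(h, masquerade) for h in SAMPLE_HOSTS}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"masquerade = {mode}")
        for name, ok in simulate(mode).items():
            print(f"  {name:14} reply reaches 172.16.10.2: {ok}")
```

Without masquerade only the host whose default gateway is 192.168.20.1 can answer; the ISP2-gateway host hands its reply to a router that cannot deliver it, and the host with no gateway has no route at all. With the source NAT in place every reply is addressed to 192.168.20.1, which is on-link for all three, so the router's connection tracking does the rest. The trade-off sindy notes still applies: the LAN hosts only ever see 192.168.20.1, so they cannot initiate connections to the client, and logs on those hosts will attribute the client's traffic to the router.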