Wireguard site-to-site + client to one side PROBLEMS

Hi!

I have 2 locations with a site-to-site connection between them and a public IP at both places.

I can ping devices on site B from site A and back when I'm at the locations locally. (I have made routes to the WireGuard gateway address.)

My question is…
How can I make it possible to ping devices on site B from a WireGuard client connected to site A? I have tested by adding a route from the WireGuard client address to the WireGuard site-to-site interface, and when I look at the firewall connection data on site B I can see the ping come in, but on the computer with the client connected to site A I get Request timeout…

Any idea?

Give your configuration files, especially the allowed-ips section in all configs.

Need to see full config not snippets… at both sites.

/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys, long DHCP lease lists etc.).

Also please confirm which site is the server for the initial handshake.

SITE A

# 2023-12-15 15:58:58 by RouterOS 7.12.1
# software id = KD9G-MDYI
# model = RB5009UPr+S+
# serial number =
/interface bridge
add admin-mac=78:9A:18:8D:50:A3 auto-mac=no comment=defconf name=bridge
add arp=proxy-arp name=bridge-vlan vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] poe-out=off
set [ find default-name=ether8 ] poe-out=off
/interface wireguard
add listen-port=52020 mtu=1420 name=wg-site2site
add listen-port=13231 mtu=1420 name=wg-user
/interface vlan
add comment=Admin interface=bridge-vlan name=vlan20 use-service-tag=yes vlan-id=20
add comment=Guest interface=bridge-vlan name=vlan30 vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.20.50-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.50-192.168.30.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
add address-pool=dhcp_pool1 interface=vlan20 lease-time=5m name=dhcp1
add address-pool=dhcp_pool2 interface=vlan30 lease-time=5m name=dhcp2
/interface ppp-client
add apn=internet name=ppp-out1 port=usb1
/interface bridge port
add bridge=bridge-vlan comment=defconf interface=ether2 pvid=30
add bridge=bridge-vlan comment=defconf interface=ether3 pvid=30
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge-vlan comment=defconf interface=ether7 pvid=30
add bridge=bridge-vlan comment=defconf interface=ether8 pvid=30
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=*F untagged=vlan20,vlan30 vlan-ids=""
add bridge=bridge-vlan tagged=bridge-vlan,ether8 vlan-ids=20
add bridge=bridge-vlan tagged=bridge-vlan vlan-ids=30
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge-vlan list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=xxxxxxxxxxx.sn.mynetname.net endpoint-port=52021 interface=wg-site2site private-key="xxx" public-key="xxx"
add allowed-address=0.0.0.0/0 endpoint-port=13231 interface=wg-user private-key="xxx" public-key="xxx"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
add address=10.10.10.1/30 interface=wg-site2site network=10.10.10.0
add address=10.10.20.1/30 interface=wg-user network=10.10.20.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=13231 protocol=udp
add action=accept chain=input dst-port=52021,52020 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=50080 protocol=tcp to-addresses=192.168.30.237 to-ports=80
/ip route
add disabled=no distance=1 dst-address=192.168.40.0/24 gateway=10.10.10.2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.50.0/24 gateway=10.10.10.2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name=Reception
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

SITE B

# 2023-12-15 15:59:41 by RouterOS 7.12.1
# software id = 869M-37CV
# model = RB5009UPr+S+
# serial number =
/interface bridge
add admin-mac=78:9A:18:8D:50:D9 auto-mac=no comment=defconf name=bridge
add arp=proxy-arp ingress-filtering=no name=bridge-vlan vlan-filtering=yes
/interface ethernet
set [ find default-name=ether8 ] poe-out=off
/interface wireguard
add listen-port=52021 mtu=1420 name=wg-site2site
/interface vlan
add comment=guest interface=bridge-vlan name=vlan40 vlan-id=40
add comment=admin interface=bridge-vlan name=vlan50 vlan-id=50
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.40.50-192.168.40.254
add name=dhcp_pool2 ranges=192.168.50.50-192.168.50.254
add name=dhcp_pool3 ranges=192.168.30.2-192.168.30.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
add address-pool=dhcp_pool1 interface=vlan40 lease-time=5m name=dhcp1
add address-pool=dhcp_pool2 interface=vlan50 lease-time=5m name=dhcp2
/interface bridge port
add bridge=bridge-vlan comment=defconf interface=ether2 pvid=50
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge-vlan comment=defconf interface=ether7 pvid=50
add bridge=bridge-vlan comment=defconf interface=ether8 pvid=50
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge-vlan tagged=bridge-vlan,ether8 vlan-ids=40
add bridge=bridge-vlan tagged=bridge-vlan untagged=ether2 vlan-ids=50
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge-vlan list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=xxxxxxxxxxx.sn.mynetname.net endpoint-port=52020 interface=wg-site2site private-key="xxx" public-key="xxx"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.40.1/24 interface=vlan40 network=192.168.40.0
add address=192.168.50.1/24 interface=vlan50 network=192.168.50.0
add address=10.10.10.2/30 interface=wg-site2site network=10.10.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.40.0/24 gateway=192.168.40.1
add address=192.168.50.0/24 gateway=192.168.50.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=52020,52021 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=192.168.20.0/24 gateway=10.10.10.1 routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.30.0/24 gateway=10.10.10.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name=Servicehus
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Anyone?!?!

I asked you a question and you didn't answer it; also you ignored my warning about having two peers on the router with 0.0.0.0/0 for allowed IPs.
Plus you fail to have keepalive at either end.

Warning about two peers? You didn't mention it :slight_smile:
But the config I sent was in test mode, just to get it working. From the start I didn't have 0.0.0.0/0; it was just for testing, to have all traffic going there. But that is fixed now, and I have set keepalive on site B, but that won't fix the problem :frowning:

How can I route my traffic from the client WG (a separate WG interface) on site A to site B, so that when I connect my computer (client WG) to site A I have an open line to the LAN on site B…

Is it better to have the client connecting to same wg interface as the site-to-site?

True dat, got mixed up with another thread…
Yes, there is no need for different interfaces. All the peers connecting to the same server can be, and normally all are, on the same subnet.
At the server device:
peer1 10.10.10.2/32
peer2 10.10.10.3/32
etc…

At the peer devices, their settings are typically:
peer server: 10.10.10.0/24

If WireGuard is set up properly, including allowed IPs to or from the remote IP subnets, then the showstoppers typically are:
a. routes to the remote subnets via the WireGuard interface
b. firewall routes allowing traffic to/from WireGuard with src and dst addresses
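To make showstopper (a) concrete, here is an added example, not code from the thread: it models the two routing tables posted above and WireGuard's allowed-address check, then walks a ping from a wg-user client to a site B host and the reply back. It assumes the client holds 10.10.20.2 (the only other host in that /30), the target host 192.168.40.10 is constructed, and the "fixed" table adds a route at site B for 10.10.20.0/30 via 10.10.10.1, which the thread does not show.

```python
from ipaddress import ip_address, ip_network

# Routing tables as posted: connected routes from /ip address plus the static
# routes from /ip route. "wan" stands in for each router's DHCP default route.
SITE_A_ROUTES = {
    "192.168.20.0/24": "vlan20", "192.168.30.0/24": "vlan30",
    "192.168.88.0/24": "bridge", "10.10.10.0/30": "wg-site2site",
    "10.10.20.0/30": "wg-user", "192.168.40.0/24": "10.10.10.2",
    "192.168.50.0/24": "10.10.10.2", "0.0.0.0/0": "wan",
}
SITE_B_ROUTES = {
    "192.168.40.0/24": "vlan40", "192.168.50.0/24": "vlan50",
    "192.168.88.0/24": "bridge", "10.10.10.0/30": "wg-site2site",
    "192.168.20.0/24": "10.10.10.1", "192.168.30.0/24": "10.10.10.1",
    "0.0.0.0/0": "wan",
}
# Assumed fix, not posted in the thread: a route at site B back to the wg-user subnet.
SITE_B_ROUTES_FIXED = {**SITE_B_ROUTES, "10.10.20.0/30": "10.10.10.1"}

def egress(routes, dst):
    """Longest-prefix match; an IP gateway is resolved again to its interface."""
    hop = dst
    while True:
        _, gw = max(((ip_network(p), g) for p, g in routes.items()
                     if ip_address(hop) in ip_network(p)),
                    key=lambda ng: ng[0].prefixlen)
        try:
            ip_address(gw)      # gateway is an address: look it up in turn
            hop = gw
        except ValueError:
            return gw           # gateway is an interface name

def allowed(peer_allowed, addr):
    """Cryptokey routing: a peer only sends to / accepts from its allowed-address list."""
    return any(ip_address(addr) in ip_network(p) for p in peer_allowed)

def trace_ping(src, dst, b_routes, a_peer_allowed, b_peer_allowed):
    """Walk an echo request from a wg-user client through site A to site B and
    the reply back; returns (steps, reply_reaches_site_a)."""
    steps = [f"A: {dst} -> {egress(SITE_A_ROUTES, dst)}"]
    if not steps[-1].endswith("wg-site2site"):
        return steps, False
    if not allowed(b_peer_allowed, src):
        steps.append(f"B: drops request, source {src} not in allowed-address")
        return steps, False
    back = egress(b_routes, src)
    steps.append(f"B: reply to {src} -> {back}")
    return steps, back == "wg-site2site" and allowed(a_peer_allowed, dst)

if __name__ == "__main__":
    # Client address 10.10.20.2 is assumed (the only other host in the /30).
    for routes in (SITE_B_ROUTES, SITE_B_ROUTES_FIXED):
        steps, ok = trace_ping("10.10.20.2", "192.168.40.10", routes,
                               ["0.0.0.0/0"], ["0.0.0.0/0"])
        print("\n".join(steps), "=>", "reply returns" if ok else "timeout")
```

With the tables as posted, site B's reply to 10.10.20.2 matches only the default route and leaves via the WAN, which is the timeout the question describes; the same walk also fails once site B's peer allowed-address is narrowed without including the client subnet.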

Ok, thank you. I will try to make the client computer a member of the same WG, and hopefully it will work then :slight_smile: