I have WireGuard interfaces running on both sites, with IP addresses 10.10.0.1/24 (R1) and 10.10.0.2/24 (R2) on those interfaces. The peers' allowed addresses are 10.10.0.0/16 and 192.168.0.0/16 (the supernets of both sites). RouterOS is 7.6.
On R1 I have a static route to 10.10.0.0/16 with the WireGuard interface as the gateway; on the other site it's the same, but for 192.168.0.0/16 (the gateways are not specific IPs, 10.10.0.1 and .2, but the interfaces).
I am allowing and forbidding the VLAN site-to-site communication in firewall rules on both routers in the forward chain (example for R1; of course on R2 the source and destination addresses are swapped accordingly):
at the bottom of the WireGuard section I have a rule which drops every other packet (src. address 192.168.0.0/16, dst. address 10.10.0.0/16),
above it I have pairs of accept rules between specific VLANs on the two sites, like:
I have taken the general idea and basic configuration from https://help.mikrotik.com/docs/display/ROS/WireGuard.
Everything works fine, but the problem is connecting site 1 VLAN 50 with "the same" VLAN 50 in site 2. "The same", because the VLAN IDs are the same on both sites (50). The same thing happens when I try to connect the VLANs 254 (I tried it for testing purposes; I don't really need it for the 254s).
When I ping from 192.168.52.0/22 to something in 10.10.50.0/24, the R1 rule:
Src. address 192.168.52.0/22, dst. address 10.10.50.0/24
identifies the packets, but the counter of the R1 rule:
Src. address 10.10.50.0/24, dst. address 192.168.52.0/22
doesn't count any packets. Not even one packet hits any rule in the firewall on R2 (tunnel rule or any other rule).
I don’t have any NAT rule and no mangling is done in this case.
I have VLAN 253 in site 1, from which I can ping the entire network on both sites (in site 2 there is no VLAN 253 configured and there won't be).
I think I’m missing something basic over here, maybe someone was struggling with the same stuff or knows what is possibly wrong?
EDIT:
Not sure why the image doesn't show up; here is a simple network map for this: https://ibb.co/KWcJWG1
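The poster did not include the actual configuration, so as an added example (not the poster's own config) here is how the R1 side described above could be written in the RouterOS 7 CLI, followed by the commands I would use to check where such a flow stops. Everything not stated in the post is an assumption: the interface name wg1, the listen port, the key and endpoint placeholders, and the use of the VLAN-50 prefixes quoted later in the thread (192.168.52.0/22 on site 1, 10.10.50.0/24 on site 2) as the one illustrated accept pair. One caveat when reading the counters mentioned in the post: if the router's default `connection-state=established,related` (or fasttrack) accept rule sits above this section, the return-direction rule of a pair only ever counts packets of connections that were not tracked as established, so a zero counter on it does not by itself mean replies are missing.

```routeros
# Added example, not the poster's configuration. R1 side of the setup
# described in the post. Assumed: interface name wg1, listen port 13231,
# key/endpoint placeholders, and the VLAN-50 subnets 192.168.52.0/22
# (site 1) and 10.10.50.0/24 (site 2).

/interface wireguard
add name=wg1 listen-port=13231 private-key="<R1-private-key>"

/ip address
add address=10.10.0.1/24 interface=wg1

/interface wireguard peers
add interface=wg1 public-key="<R2-public-key>" \
    endpoint-address=<R2-public-ip> endpoint-port=13231 \
    allowed-address=10.10.0.0/16,192.168.0.0/16 persistent-keepalive=25s

# Route the site 2 supernet into the tunnel by interface, not by peer IP,
# as the post describes. 10.10.0.0/24 stays a connected route on wg1.
/ip route
add dst-address=10.10.0.0/16 gateway=wg1

/ip firewall filter
# One pair of accept rules for one allowed flow (VLAN 50 <-> VLAN 50).
add chain=forward src-address=192.168.52.0/22 dst-address=10.10.50.0/24 \
    action=accept comment="S2S: vlan50 site1 -> vlan50 site2"
add chain=forward src-address=10.10.50.0/24 dst-address=192.168.52.0/22 \
    action=accept comment="S2S: vlan50 site2 -> vlan50 site1"
# Catch-all at the bottom of the site-to-site section.
add chain=forward src-address=192.168.0.0/16 dst-address=10.10.0.0/16 \
    action=drop comment="S2S: drop everything else"

# Checks for a flow that matches a rule on R1 but never shows up on R2:
# which rules count, whether the peer has a recent handshake and growing
# tx bytes, and whether the packets actually leave through wg1.
/ip firewall filter print stats where comment~"S2S"
/interface wireguard peers print
/ip route print detail where dst-address=10.10.0.0/16
/tool torch interface=wg1 src-address=192.168.52.0/22 dst-address=10.10.50.0/24
```

If torch on wg1 shows the packets leaving R1 while R2's counters stay at zero, the problem is on the transport or on R2's side (the peer's allowed-address must cover the source prefix, or WireGuard silently discards the decrypted packet); if torch shows nothing, the packets are not being routed into the tunnel on R1 at all, and the route table is the place to look.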
Okay, "no idea" is a good thing; I assume that it's not a basic misconfiguration or bad thinking on my side. WireGuard and connecting sites are something new for me. I will go through the other settings carefully and try to find out what is causing this behavior.
I hope I won't need to paste the configs, because the R1 router is a bit messy, especially in the firewall rules (that's why I use the drop-all rule at the bottom of the site-to-site section). It was a gift.
Thanks for now Anav.
Truth be told, I looked at the diagram; that was clear.
Trying to read your description of the config was painful and frankly the wrong approach to describing what needs to be accomplished.
What is needed is a clear statement of requirements:
a. identify all users/devices and groups of users/devices, including admin
b. identify all the traffic flows required.
I was rather looking for advice on the basic "idea"; that's why I described it this way.
VLAN 50 - production network with servers, printers and user computers; has to be connected between sites - cannot achieve this, but at the same time I am able to connect VLAN 50 with 254 on the other site, for example.
VLAN 253 - admin network; has to "see" everything and nothing "sees" it - accomplished.
VLAN 254 - management network with the router, switches and access points; only 253 can look inside, and it cannot reach the same 254 on the other site - accomplished.
Is it better and more clear now?
As I said, I will try to figure it out on my own, without bothering you with configs; if I don't succeed, I will provide them.
I did manage to work it out, but in another way, because I didn't find the reason in the firewall or NAT settings for that earlier strange behavior I was asking about.
I've made some mindset and config changes:
The connections on both sites are translated to the IP address of the WireGuard interface of the specific site (10.10.0.1 or 10.10.0.2).
Firewall rules are like this:
a) on site 1 there are rules for traffic from 192.168.0.0/16 to 10.10.0.0/16,
b) on site 2 there are rules for traffic from 10.10.0.0/16 to 192.168.0.0/16,
c) there is one accept rule allowing traffic to the WireGuard interface from the other side of the tunnel (on both sides) - for returning traffic,
d) the drop everything else rule is still present at the bottom.
So I don't have a pair of rules for every connection on both sides; every side is "deciding independently". I like it this way, it is even easier for me to administer, and there are and will be fewer firewall rules on the lists.
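As an added example (again not the poster's own config), here is the R1 side of the final design described above in RouterOS 7 CLI: outbound site-to-site traffic is source-NATed to R1's tunnel address, R1 only filters the flows it originates, and returning traffic plus traffic from the other router's tunnel address is let back in. The interface name wg1, the VLAN-50 prefixes and the exact form of rule (c) are assumptions; the post says only that it accepts traffic from the other side of the tunnel, and here that is read as a `connection-state` rule plus an accept for R2's tunnel address.

```routeros
# Added example, not the poster's configuration. R1 side of the final
# design: NAT to the tunnel address and per-site egress filtering.
# Assumed: interface name wg1, peer tunnel address 10.10.0.2, and the
# VLAN-50 prefixes 192.168.52.0/22 (site 1) and 10.10.50.0/24 (site 2).
# R2 mirrors this with 10.10.0.2 as the NAT address and the prefixes swapped.

/ip firewall nat
# Every new connection leaving through the tunnel appears at site 2 as 10.10.0.1.
add chain=srcnat out-interface=wg1 action=src-nat to-addresses=10.10.0.1 \
    comment="S2S: NAT site 1 traffic to R1 tunnel address"

/ip firewall filter
# a) site 1 decides on its own which local VLANs may reach site 2.
add chain=forward src-address=192.168.52.0/22 dst-address=10.10.50.0/24 \
    out-interface=wg1 action=accept comment="S2S: vlan50 -> site2 vlan50"
# c) returning traffic. Connection tracking reverses the srcnat before the
#    forward chain sees the reply, so match on state rather than on 10.10.0.1.
add chain=forward in-interface=wg1 connection-state=established,related \
    action=accept comment="S2S: replies from site 2"
# c) connections that R2 originated and NATed to its own tunnel address.
add chain=forward in-interface=wg1 src-address=10.10.0.2 \
    action=accept comment="S2S: traffic originated by R2"
# d) drop everything else between the two supernets.
add chain=forward src-address=192.168.0.0/16 dst-address=10.10.0.0/16 \
    action=drop comment="S2S: drop everything else"

# Verify: the srcnat counter and the egress rule should both count during a
# ping from VLAN 50, and the connection should show the translated address.
/ip firewall nat print stats where comment~"S2S"
/ip firewall connection print where dst-address~"10.10.50."
```

The trade-off of this layout is what the post calls each side deciding independently: because site 2 sees every site-1 host as 10.10.0.1, R2 cannot apply per-VLAN policy to site-1 sources, and each router has to trust the other router's egress rules for the flows it originates. Note also that with the srcnat in place, which source reaches a given VLAN is visible only in R1's rules, not in R2's logs or counters.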