Wireguard site to site, ping working but all other traffic not

Hi. I’m having trouble setting up a site-to-site wireguard network.
I am slowly learning the MikroTik world for my home network.
I’ve followed various guides, and I’ve gotten to the point where I can ping between all the devices on the two LANs.
The problem is that I can only ping; I can’t do anything else. If I try, for example, to access a web page from a PC connected to the main router to a server in the remote network, I don’t see the page.
If I try to access the router of network B from network A remotely via WinBox, it connects, but all pages are shown empty, with no data on any page.
If I try to connect via SSH to a server in network B, no connection is established. But the ping is perfect :smiley:
Same problems if I am in network B and try to connect to network A services.

I paste my router configuration from network A, anonymized, cleared of what is not needed.
The configuration of network B is similar: same firewall rules, same routes (obviously with a different IP subnet).

Router A: ax3
local network 192.168.188.0/24
wireguard network 192.168.100.0/24

Router B: 5009
local network 192.168.128.0/24
ip on wireguard network 192.168.100.11/32

Thank you if you have read this far.

Francesco

# Router A (ax3) export as posted: LAN 192.168.188.0/24, WireGuard 192.168.100.1/24.
/interface bridge
add name=bridgeLAN port-cost-mode=short
/interface wireguard
# Tunnel listener; the matching input accept is the udp/13231 rule in the filter section.
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp_pool ranges=192.168.188.2-192.168.188.99
/ip dhcp-server
add address-pool=dhcp_pool interface=bridgeLAN name=dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
/ipv6 dhcp-server option
# Value anonymized by the author.
add code=23 name=dnsserver value="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
/interface bridge port
add bridge=bridgeLAN interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridgeLAN interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridgeLAN interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridgeLAN interface=ether3
/ip firewall connection tracking
# NOTE(review): with a 10s idle timeout a UDP flow is classified as "new" again after 10s of
# silence; harmless for the tunnel on this side because udp/13231 is accepted explicitly below.
set udp-timeout=10s
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN
/interface list member
add interface=ether1 list=WAN
# wireguard1 is not a member of LAN here, so the in-interface-list=LAN input rules below
# do not apply to tunnel traffic (the reply later suggests adding it).
add comment=defconf interface=bridgeLAN list=LAN
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard1 name="xxxxx" \
    public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
# NOTE(review): a private-key on a *peer* entry is another device's secret; the tunnel does not
# need it on this router and the reply recommends removing it.
add allowed-address=192.168.100.3/32 interface=wireguard1 name="xxxxxx" \
    private-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
# Site-to-site peer: allowed-address must include the remote LAN (192.168.128.0/24), otherwise
# WireGuard discards packets for it; the /ip route entry at the end steers that prefix into the tunnel.
add allowed-address=192.168.100.11/32,192.168.128.0/24 client-address=\
    192.168.100.11/32 interface=wireguard1 name="SITE_B" public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
/ip address
add address=192.168.188.1/24 interface=bridgeLAN network=192.168.188.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.188.0/24 dns-server=192.168.188.101 gateway=192.168.188.1
/ip dns
# The router answers DNS for others; who may query it is decided by the input chain below.
set allow-remote-requests=yes servers=192.168.188.101
/ip firewall address-list
# Neither list is referenced by any rule in this export.
add address=xxxxxxxxx.xxxxx.xxxx list=WANs
add address=192.168.188.0/24 list=LANs
/ip firewall filter
# Site-to-site forward permits, matched on addresses only (no interface check). Because they sit
# before the fasttrack rule, these flows are accepted without being fasttracked.
add action=accept chain=forward dst-address=192.168.128.0/24 src-address=\
    192.168.188.0/24
add action=accept chain=forward dst-address=192.168.188.0/24 src-address=\
    192.168.128.0/24
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
# NOTE(review): accepts *any* traffic to the router itself from every peer, including hosts in the
# remote LAN arriving via the SITE_B peer; the reply narrows this to an "Authorized" source list.
add action=accept chain=input in-interface=wireguard1
# NOTE(review): every LAN host may open any connection to the router (management included).
add action=accept chain=input connection-state=new in-interface-list=LAN
# Port anonymized by the author.
add action=accept chain=input dst-port=xxxxxx in-interface-list=LAN protocol=\
    tcp
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input protocol=icmp
# Terminal input drop: this is what keeps WAN (and the resolver above) closed to the internet.
add action=drop chain=input log-prefix=DROP
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward connection-state=\
    established,related,untracked
# NOTE(review): the forward chain has no terminal drop. RouterOS accepts whatever reaches the end
# of a chain, so the accepts above only order traffic relative to fasttrack; they do not restrict
# anything until a final "add action=drop chain=forward" rule exists. Confirm this is intended.
add action=drop chain=forward connection-state=invalid
/ip firewall nat
# Per the author's later reply, the port-range masquerade is required by a MAP-E uplink that
# exposes only a slice of ports on a shared public IP.
add action=masquerade chain=srcnat comment="tcp masquerade" \
    out-interface-list=WAN protocol=tcp to-ports=1050-16383
add action=masquerade chain=srcnat comment="udp masquerade" ipsec-policy=\
    out,none out-interface-list=WAN protocol=udp to-ports=1050-16383
add action=masquerade chain=srcnat comment="portless masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Hairpin for a single internal host.
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.188.100 src-address=192.168.188.0/24
# NOTE(review): the first three dst-nat rules match on dst-port alone (no in-interface or
# dst-address), so they also rewrite LAN or tunnel traffic to those ports; only the last rule is
# limited to WAN. Ports are masked by the author ("0000"). The reply suggests a dst-address-list.
add action=dst-nat chain=dstnat comment=xxxx dst-port=0000 protocol=tcp \
    to-addresses=192.168.188.106 to-ports=0000
add action=dst-nat chain=dstnat comment="xxxxx" dst-port=0000 \
    protocol=tcp to-addresses=192.168.188.100 to-ports=0000
add action=dst-nat chain=dstnat comment=xxxxx dst-port=00000 protocol=tcp \
    to-addresses=192.168.188.100 to-ports=0000
add action=dst-nat chain=dstnat comment=xxxx dst-port=000000 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.188.101 to-ports=\
    00000
/ip route
# Static route for the remote LAN into the tunnel; pairs with the SITE_B allowed-address above.
add disabled=no distance=1 dst-address=192.168.128.0/24 gateway=wireguard1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10

Assuming that Router A, the 5009, is the WireGuard server for the handshake and Router B is a client peer router, initiating the handshake.
Assuming Router A has a publicly reachable IP address, or that one can port forward from the ISP router.

I will need the config of the second router as well.

Router A:

(1) In general I recommend this be set to NONE:
/interface detect-internet
# detect-interface-list=NONE turns off automatic interface-list detection; the internet list stays WAN.
set detect-interface-list=NONE internet-interface-list=WAN

(2) WireGuard allowed IPs look fine; you don’t need:

  • private key
  • the client address
  • the client name
    They might be defaulted that way, but for troubleshooting please remove them (at least the first two; I don’t think the name poses any risk).

(3) Assuming this is an internet-facing router... modified as follows.

/ip firewall address-list
# Reply-proposed "Authorized" list used by the "admin access" input rule; X/Y/A/B/G/H are placeholders.
# NOTE: a comment containing spaces must be quoted (comment="admin local device 1"), the second entry
# repeats the label "device 1", and the last two entries carry an unmatched closing quote — as pasted
# these lines would not import verbatim.
add address=192.168.188.X list=Authorized comment=admin local device 1
add address=192.168.188.Y list=Authorized comment=admin local device 1
add address=192.168.128.A list=Authorized comment=admin remote device 1
add address=192.168.128.B list=Authorized comment=admin remote device 2
add address=192.168.100.G list="Authorized" comment=admin roadwarrior 1 - laptop"
add address=192.168.100.H list="Authorized" comment=admin roadwarrior 2 - smartphone/ipad"

The remote-subnet IP addresses are there for when the admin at Router B, or you while visiting Router B, wants to access the config of Router A.
Remember that when connecting from Router B, the source IP will not be the WireGuard IP of Router B. I add road warriors to access Router A, but perhaps not all of them belong on this list.

You have road warriors connecting as well, but not all of them are necessarily admins.
For example, you may have road warriors that only require access to the LAN subnets (users, not admins)!!!
The flexibility of this approach is the safest way to reduce access to the routers.
Also the entire LAN does not require full access to the router!!!

/ip firewall filter
# Reply-proposed input chain: stateful accepts first, then explicit service accepts, then a final drop.
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
++++
add action=accept chain=input comment="WireGuard handshake" dst-port=13231 protocol=udp
# Management is limited to the Authorized list, with no port restriction (any router service).
# The 192.168.128.x / 192.168.100.x entries in that list only match here if the WireGuard
# interface is a member of the LAN list (see the "/interface list member" addition at the end of the reply).
add action=accept chain=input comment="admin access" in-interface-list=LAN src-address-list=Authorized
add action=accept chain=input comment="user access to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="user access to services" in-interface-list=LAN dst-port=53 protocol=tcp
# NOTE: the comment value is split across two lines in the paste and "{ enter this rule in LAST }" is an
# editorial remark, not part of the command; the intended rule is
# add action=drop chain=input comment="Drop all else"
add action=drop chain=input comment="Drop all else
" { enter this rule in LAST }

# NOTE: the next two rules lost their "\" line continuation in the paste; each is a single command.
add action=fasttrack-connection chain=forward connection-state=
established,related hw-offload=yes
add action=accept chain=forward connection-state=
established,related,untracked
add action=drop chain=forward connection-state=invalid
+++
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=accept chain=forward comment="Local LAN to wireguard" src-address=192.168.188.0/24 out-interface=wireguard1
# NOTE(review): the closing quote after "WG users to local LAN" is missing, so as pasted the in-interface
# and dst-address matchers would be swallowed into the comment. Also, unlike the input chain, this forward
# chain has no terminal drop; RouterOS accepts whatever reaches the end of a chain, so these accepts only
# become restrictions once a final "add action=drop chain=forward" rule is appended.
add action=accept chain=forward comment="WG users to local LAN in-interface=wireguard1 dst-address=192.168.188.0/24

(4) WHY THE COMPLEX SOURCENAT RULES ?? Makes no sense...........
Keep it simple unless you have a reasonable logic?? Dont pretend masquerade is routing or firewall rules !!!

/ip firewall nat
# Reply-proposed NAT: a subnet-wide hairpin rule (the original hairpins a single host) plus one WAN
# masquerade. The author later explains the per-protocol port-range masquerade is required by a
# MAP-E uplink, so this simplification does not apply to Router A as-is.
add action=masquerade chain=srcnat comment="hairpin nat" src-address=192.168.188.0/24 dst-address=192.168.188.0/24
add action=masquerade chain=srcnat out-interface-list=WAN

(5) Your DSTNAT is very weird and wrong.
A dst-port of 0000 is not valid...........???
The interface associated with the port forwarding is missing.
I will assume you have a dynamic WAN IP address and thus need to use a DynDNS URL; you could use mynetname via IP Cloud, for example.

/ip firewall address-list
# A DNS name in an address list is resolved by the router and kept current. dst-nat rules that match
# dst-address-list=MyWAN then only apply to traffic addressed to the WAN IP, which the reply flags as
# missing from the original port forwards. DYNDNSURL is a placeholder.
add address=DYNDNSURL list=MyWAN comment="domain name for server access"

Thus your rules look like....
# Each rule below is one command wrapped onto two lines (the "\" continuation was lost in the paste);
# "????" stands for the real port, which the author masked. to-ports is omitted because, as noted after
# the rules, it is not needed when it equals dst-port.
add action=dst-nat chain=dstnat comment=xxxx dst-port=???? protocol=tcp
dst-address-list=MyWAN to-addresses=192.168.188.106
add action=dst-nat chain=dstnat comment="xxxxx" dst-port=????
dst-address-list=MyWAN protocol=tcp to-addresses=192.168.188.100
add action=dst-nat chain=dstnat comment=xxxxx dst-port=???? protocol=tcp
dst-address-list=MyWAN to-addresses=192.168.188.100
add action=dst-nat chain=dstnat comment=xxxx dst-port=???
dst-address-list=MyWAN protocol=tcp to-addresses=192.168.188.101

Note: to-ports is not required if it is the same as dst-port!

(6) Route for other subnet is good.

LAST WORD: there is nothing in this config that will permit local LAN users to use the internet connection of Router B. They will only be allowed to access the LAN subnet on Router B.
If you have more requirements you need to detail them better.

Also you should have..
/interface list member
add interface=ether1 list=WAN
add comment=defconf interface=bridgeLAN list=LAN
# Adding the tunnel to the LAN list makes the in-interface-list=LAN input rules (admin access by the
# Authorized list, DNS) apply to WireGuard peers; it also brings tunnel traffic into scope of every
# other rule that matches on the LAN list, such as a LAN-to-WAN forward accept.
add interface=wireguard1 list=LAN

Thanks for the comprehensive analysis! very helpful, now I will follow every advice step by step


Actually Router A is the main one, and it is on an externally accessible network; it is reachable from outside on the WireGuard port. The 5009 is temporarily on an LTE network behind NAT.


I will need the config of the second router as well.

Since it cannot be reached remotely, I have to go to the site. It is 50 km away; I think I will go tomorrow morning.


(2) WireGuard allowed IPs look fine; you don’t need:

  • private key
  • the client address
  • the client name
    They might be defaulted that way, but for troubleshooting please remove them (at least the first two; I don’t think the name poses any risk).

Ok. The only peer that had the private key was my laptop; it was working fine. I removed it and it still works. The client address was automatically resetting itself, and it seemed to me that the value came directly from the remote client. I deleted it after disabling the peer, and now that I have re-enabled the peer the value has disappeared.


(3) Assuming this is an in internet facing router…Also the entire LAN does not require full access to the router!!!

All right, done


/ip firewall filter

add action=drop chain=input comment="Drop all else"

I noticed a lot of dropped input traffic. I tried logging it, and I get a lot of lines like the one below from two of my network devices, a NAS and an Android TV. Are these packets that should be blocked? I don’t understand much about it.
input: in:bridgeLAN out:(unknown 0), connection-state:new src-mac 70:af:24:b5:7d:1b, proto UDP, 192.168.188.135:57524->255.255.255.255:10102, len 316


(4) WHY THE COMPLEX SOURCENAT RULES ?? Makes no sense…
Keep it simple unless you have a reasonable logic?? Dont pretend masquerade is routing or firewall rules !!!

I have a particular WAN network, which requires this special TCP/UDP masquerading over a defined port range. It is a MAP-E connection with the operator’s external router set to ONT mode. I have a fixed IP, but it is shared with 3 other users, and I only have access to a small number of ports on which to route my packets. Without those rules it doesn’t work.



(5) YOur DSTNAT is very weird and wrong.
dst port of 0000 is not valid…???

I masked the many services I have opened by hiding the actual port numbers.


dst-address-list=MyWAN

All right, done


LAST WORD, there is nothing in this config that will permit local LAN users to use the internet of RouterB. They will only be allowed to access the LAN subnet on Router B.
If you have more requirements you need to detail them better.

Perfect, I only need this site to site to access services, ssh, configuration web pages on devices in the B network subnet


add interface=wireguard1 list=LAN

All right, done


With these changes I still have ping working from network A to devices on network B. If I try to access a web page (for example the Proxmox configuration page of a server) or to SSH into a server, I get no response. I am afraid the problem is in the other router. I am going to the site tomorrow to investigate further.

Thanks again for the analysis


Update: from my smartphone connected to the WireGuard VPN of Router A, with address 192.168.100.2, I can open the web services of the remote server.

I am now physically in site B
On the peer configuration I had this

/interface wireguard peers
# Router B peer entry as found on site. Note the trailing comma after the allowed-address list and the
# 192.168.100.0/24 entry; the author reports below that narrowing it to 192.168.100.11/32 is what made
# traffic other than ping start to work.
add allowed-address=192.168.188.0/24,192.168.100.0/24,
    endpoint-address=xxxxx.xxxxx.xxx endpoint-port=13231 interface=\
    "wireguard_SITE_A"  persistent-keepalive=30s \
    public-key="xxxxxxxxxxxxxxxxx"

I’ve changed 192.168.100.0/24 to 192.168.100.11/32 and everything seems to have started working.

I replicated the same suggestions you gave me on router A.

This is the final configuration of router B

# model = RB5009UG+S+
# Router B (5009) final export: LAN 192.168.128.0/24, WireGuard 192.168.100.11/24, LTE uplink behind NAT.
/interface bridge
# NOTE: a real MAC address survived the anonymization of this paste.
add admin-mac=78:9A:18:AD:76:E6 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
set [ find default-name=ether8 ] name=eth8_wireless_ap
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface lte
set [ find default-name=lte1 ] name=lte2
/interface wireguard
# This side listens on 13232, not 13231 — compare with the "WireGuard handshake" input rule below.
add listen-port=13232 mtu=1420 name=wireguard_SITE_A
/ip firewall connection tracking
# 10s is shorter than the 30s persistent-keepalive on the peer, so the tunnel's conntrack entry can
# expire between keepalives; see the note on the "WireGuard handshake" input rule.
set udp-timeout=10s
/ip neighbor discovery-settings
# The LAN list includes the tunnel (below), so neighbor discovery also runs across it.
set discover-interface-list=LAN
/interface detect-internet
set wan-interface-list=WAN
/interface l2tp-server server
# NOTE(review): an L2TP/IPsec server is enabled, but no input rule below accepts udp/500, udp/4500,
# udp/1701 or ipsec-esp, so it is unreachable through this firewall. If it is not used, disabling it
# removes an idle service.
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=lte2 list=WAN
# Tunnel is in LAN: the in-interface-list=LAN input rules (admin access, DNS) and the LAN-to-WAN
# forward accept below therefore also apply to traffic arriving from Site A.
add interface=wireguard_SITE_A list=LAN
add interface=ether1 list=WAN
/interface wireguard peers
# Single peer toward Site A. allowed-address lists Site A's LAN, this router's own tunnel address and the
# two road-warrior addresses that are reachable via Site A, so replies to them are routed into the tunnel.
# This side initiates (endpoint set, keepalive 30s) since it is behind LTE NAT.
add allowed-address=\
    192.168.188.0/24,192.168.100.11/32,192.168.100.2/32,192.168.100.3/32 \
    endpoint-address=xxxx.xxx.xxx endpoint-port=13231 interface=\
    wireguard_SITE_A name="Casa Francesco" persistent-keepalive=30s \
    public-key="xxxxxxx"
/ip address
add address=192.168.128.1/24 comment=defconf interface=bridge network=\
    192.168.128.0
add address=192.168.100.11/24 interface=wireguard_SITE_A network=\
    192.168.100.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dns
# Resolver for others; restricted by the dst-port=53 input rules to the LAN list (which includes the tunnel).
set allow-remote-requests=yes servers=192.168.128.201
/ip dns static
add address=192.168.128.1 comment=defconf name=router.lan
/ip firewall address-list
add address=xxxxx.xxxx.xxxx list=public_ip
# NOTE: "SITE_A_IP" is not referenced by any rule in this export.
add address=xxxxx.xxxx.xxxx list="SITE_A_IP"
# Management allow-list: local hosts, Site A hosts (reachable over the tunnel) and one road warrior.
add address=192.168.128.xxx comment="Local smartphone francesco 1" list=\
    Authorized
add address=192.168.128.xxx comment="Local smartphone francesco 2" list=\
    Authorized
add address=192.168.128.xxx comment="Local laptop francesco" list=Authorized
add address=192.168.128.xxx comment="Local Home assistant" list=Authorized
add address=192.168.188.xxx comment="SITE_A Pixel 8 pro" list=Authorized
add address=192.168.188.xxx comment="SITE_A Tablet 1" list=Authorized
add address=192.168.188.xxx comment="SITE_A Tablet 2" list=Authorized
add address=192.168.188.xxx comment="SITE_A Pc francesco 1" list=\
    Authorized
add address=192.168.100.2 comment="Wireguard Pixel 8 pro" list=Authorized
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
# NOTE(review): this accepts udp/13231, but the local WireGuard interface listens on 13232, so the rule
# matches nothing on this router. Tunnel packets from Site A are normally accepted as "established"
# replies; with udp-timeout=10s, a packet from Site A arriving after more than 10s of silence is
# presumably classified as "new", misses this rule, and reaches the final drop. Changing dst-port to
# 13232 closes that gap — confirm against the log.
add action=accept chain=input comment="WireGuard handshake" dst-port=13231 \
    protocol=udp
# Any service on the router, for Authorized sources only; includes Site A hosts via the tunnel.
add action=accept chain=input comment="admin access" in-interface-list=LAN \
    src-address-list=Authorized
add action=accept chain=input comment="user access to services" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="user access to services" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=drop chain=forward connection-state=invalid
# Because the tunnel is in the LAN list, this rule also admits tunnel sources toward WAN; in practice
# only the prefix Site A routes into the tunnel arrives here.
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="Local LAN to wireguard" \
    out-interface=wireguard_SITE_A src-address=192.168.128.0/24
# Any source arriving on the tunnel may reach the whole local LAN (the author states this is the goal).
# NOTE(review): as on Router A, there is no terminal drop in the forward chain, so unmatched forward
# traffic is accepted by default.
add action=accept chain=forward comment="WG users to local LAN" dst-address=\
    192.168.128.0/24 in-interface=wireguard_SITE_A
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.128.201 src-address=192.168.128.0/24
# Port forwards restricted to the public IP list. The author describes this router as behind LTE NAT,
# so presumably these only take effect if the carrier passes the ports through.
add action=dst-nat chain=dstnat comment="Home assistant https" \
    dst-address-list=public_ip dst-port=1234 protocol=tcp to-addresses=\
    192.168.128.201 to-ports=443
# No comment on this forward; document which service listens on 192.168.128.202:123.
add action=dst-nat chain=dstnat dst-address-list=public_ip dst-port=1235 \
    protocol=tcp to-addresses=192.168.128.202 to-ports=123
/ip route
# Disabled static default via ether1 — presumably a wired uplink not currently in use.
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.1.254%ether1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
# Site A LAN into the tunnel; pairs with the peer's allowed-address above.
add disabled=no distance=1 dst-address=192.168.188.0/24 gateway=\
    wireguard_SITE_A routing-table=main scope=30 suppress-hw-offload=\
    no target-scope=10

Thanks again