I have two Mikrotik routers, a HEX S (R1) and a HAP AC (R2), located at two different locations. Both have internal LANs and internet connectivity. At present there is a working IPSEC tunnel between the two sites whereby resources from either side can reach each other.
I have recently installed ROS 7.1.1 on both routers, so that I can test the new WireGuard VPN that is supported in this version. A tunnel is established between the two sites, the routers (wireguard interface) can ping each other and other resources on the respective sides, however, the PCs etc. cannot connect to resources in the other location.
I was hoping the setup would be relatively easy, as is intended with WireGuard and the improved throughput, however it has been a struggle to get this working. The standard firewall filters are in play (defconf). As I understand there is no need for NAT and this hasn’t been set up specifically for WireGuard either. For reference, I have added the WireGuard interface to the LAN interface list as well.
Anything else I am missing? It feels like routing isn’t working as per the examples, as a timeout and/or host unreachable message is returned.
Any help or suggestion will be greatly appreciated.
Just wanted to test connectivity and ping (for me at least) an easy way to check quickly.
As per my previous post, pinging was done from the terminal inside of Winbox from either router. I used the tools as well, same result as when trying through a terminal. The successful tests (the gateway address of the foreign wg interface, the bridge interface and the foreign host) were successful whilst pinging from the terminal. I suspect the tests are successful as the wg interface is supposedly used to access the foreign resource. When explicitly specifying interface=bridge as a second test, the unsuccessful response is displayed. This is also true when pinging from a device in either LAN or trying to RDP/SSH or trying to access an SMB share.
Hi knob,
The issue is I have no clue WHAT THE SOURCE ADDRESS is when pinging from the router.
Remember the far side WG peer settings will filter out any non-authorized incoming IP addresses.
Try pinging using TOOLS----> PING ----> Advanced TAB.
IF on R1 use 192.168.88.1 as source address to ping to R2 (192.168.10.1)
IF on R3 use 192.168.10.1 as source address to ping to R1 (192.168.88.1)
Understood re. the source address. I interpreted it such that when specifying the respective interface from the terminal as part of the ping command, ROS would automatically use the IP from the adapter in question. So when pinging with interface=bridge then the 192.168.88.1/192.168.10.1 address would be used; it seems this was the case.
Both the suggestions above resulted in timeouts.
When I torch the WireGuard interface during pinging, I don’t see any traffic listed outside of the Winbox session that I have across the tunnel. I’m not convinced that routing is working on either side despite the foreign subnets set up in IP/ROUTE and WireGuard peers. I’ve created simple firewall passthrough filters to log the input and output chain and of course see logging whilst pinging from the wg addresses (10.0.0.1 and 10.0.0.2) of each router and then nothing when pinging from the bridge IPs (192.168.88.1 and 192.168.10.1).
Would it be helpful if I exported the config? Presumably someone with a keen eye like yourself can spot a misconfiguration.
Ping’s “interface” parameter selects outgoing interface. So when you do e.g. this on R1:
/ping address=10.0.0.2 interface=bridge
you are trying to ping 10.0.0.2 connected to R1’s bridge - and it’s not there. If you want to test how it would work from device connected to R1’s bridge, you want:
/ping address=10.0.0.2 src-address=192.168.88.1
src-address must be assigned to router, it can’t belong to another device in LAN. But router’s address is enough to verify that routes on the other side are ok.
And if you have active policy-based IPSec tunnel for 192.168.88.0/24 ↔ 192.168.10.0/24, it will steal all this traffic, it won’t be routed to WG interface.
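For readers following along, here is the complete RouterOS 7 CLI sequence that the two replies above describe: the WireGuard interface and peer with the far LAN in allowed-address, the static route, the defconf input rule for the WireGuard port, the ping with src-address instead of interface, and the IPsec policy check. This is an added example, not config posted by anyone in the thread. The interface name wg1, the listen port 13231, the /30 tunnel addresses, the endpoint hostname and the key placeholders are assumptions; the LAN subnets and router addresses are the ones named in the thread.

```routeros
# ---- R1 (hex S): LAN 192.168.88.0/24, tunnel address 10.0.0.1/30 ----
# Interface name, port and keys are assumptions; replace the placeholders.
/interface/wireguard add name=wg1 listen-port=13231 private-key="<R1 private key>"
/ip/address add address=10.0.0.1/30 interface=wg1

# allowed-address must list BOTH the peer's tunnel address and the far LAN.
# Without 192.168.10.0/24 here WireGuard drops packets from R2's LAN on
# arrival, and the kernel will not route to 192.168.10.0/24 via this peer.
/interface/wireguard/peers add interface=wg1 public-key="<R2 public key>" \
    endpoint-address=r2.example.net endpoint-port=13231 \
    allowed-address=10.0.0.2/32,192.168.10.0/24 persistent-keepalive=25s

# Route the far LAN into the tunnel.
/ip/route add dst-address=192.168.10.0/24 gateway=wg1

# defconf drops input that is not from the LAN list; let the WG handshake in,
# placed before the "drop all not coming from LAN" rule. Adding wg1 to the LAN
# list makes the forward chain treat tunnel traffic like local LAN traffic.
/ip/firewall/filter add chain=input action=accept protocol=udp dst-port=13231 \
    comment="WireGuard" place-before=[find comment~"drop all not coming from LAN"]
/interface/list/member add interface=wg1 list=LAN

# ---- R2 (hAP ac) is the mirror image ----
/interface/wireguard add name=wg1 listen-port=13231 private-key="<R2 private key>"
/ip/address add address=10.0.0.2/30 interface=wg1
/interface/wireguard/peers add interface=wg1 public-key="<R1 public key>" \
    endpoint-address=r1.example.net endpoint-port=13231 \
    allowed-address=10.0.0.1/32,192.168.88.0/24 persistent-keepalive=25s
/ip/route add dst-address=192.168.88.0/24 gateway=wg1
/ip/firewall/filter add chain=input action=accept protocol=udp dst-port=13231 \
    comment="WireGuard" place-before=[find comment~"drop all not coming from LAN"]
/interface/list/member add interface=wg1 list=LAN

# ---- Tests, run on R1 ----
# interface=bridge asks for 192.168.10.1 ON the bridge, which fails by design.
# src-address=192.168.88.1 sends the packet the way a LAN host would, so a
# reply proves R2 has a return route for 192.168.88.0/24.
/ping address=192.168.10.1 src-address=192.168.88.1 count=4

# Confirm the route actually points at wg1 and watch the tunnel while pinging.
/ip/route print where dst-address="192.168.10.0/24"
/tool/torch interface=wg1 ip-protocol=icmp src-address=0.0.0.0/0 dst-address=0.0.0.0/0

# A still-active policy-based IPsec tunnel for the same subnets is matched
# before routing and takes the LAN-to-LAN traffic away from wg1. List it, and
# disable it (not delete) while testing WireGuard.
/ip/ipsec/policy print
/ip/ipsec/policy disable [find src-address=192.168.88.0/24 dst-address=192.168.10.0/24]
```

The two symptoms reported in the thread map onto two checks in this sequence: no ICMP seen in torch on wg1 while pinging from the bridge address means the packet is leaving by another path (the IPsec policy, or a missing route), while ICMP seen leaving but no reply means the far side is either rejecting the source in allowed-address or lacks the return route.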