Wireguard site to site, tunnel is up, but can't access devices.

Hello.
Connecting two sites with Wireguard. This is not the first one; I have done some successfully before. The only difference is that there is a WAN bridge configured on one side.
The tunnel is up. There is traffic. I can even ping LAN1 devices from Router2 (no interface or IP defined), and LAN2 devices from Router1.
But I can't ping from the router if the src. address is a LAN address. Same (no ping) from a LAN2 device to a LAN1 device and backwards.
I suspect that it's related to the WAN bridge, but can't figure out what.
ROS 7.15.2.
Following are the configurations with some made-up public IPs. Unrelated parts removed.
Router1

# model = CCR1009-7G-1C-1S+
/interface bridge add name=bridge-LAN port-cost-mode=short
/interface bridge add name=bridge-WAN port-cost-mode=short
/interface wireguard add listen-port=13231 mtu=1420 name=WG-TEHAS
/interface list add name=LAN
/interface list add name=WAN
/ip ipsec profile add dh-group=modp1024 enc-algorithm=3des name=lasprof
/ip ipsec peer add address=100.100.100.251/32 local-address=200.200.200.115 name=tln profile=lasprof
/ip ipsec proposal set [ find default=yes ] enc-algorithms=3des
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name="hw acc proposal"
/ip pool add name=dhcp_pool0 ranges=10.0.0.100-10.0.0.200
/ip dhcp-server add address-pool=dhcp_pool0 interface=bridge-LAN lease-time=1d name=dhcp1
/routing bgp template set default disabled=no output.network=bgp-networks
/routing ospf instance add disabled=no name=default-v2
/interface bridge port add bridge=bridge-WAN ingress-filtering=no interface=combo1 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge-LAN ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge-LAN ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge-LAN ingress-filtering=no interface=ether6 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge-WAN ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge-WAN ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking set udp-timeout=10s
/interface list member add interface=bridge-LAN list=LAN
/interface list member add interface=WG-TEHAS list=LAN
/interface list member add interface=bridge-WAN list=WAN
/interface ovpn-server server set auth=sha1,md5
/interface wireguard peers add allowed-address=192.168.19.4/32,192.168.10.0/24 disabled=no interface=WG-TEHAS is-responder=yes name=OFFICE2 persistent-keepalive=25s public-key="xxxxxxxxxxxx"
/ip address add address=200.200.200.114/29 comment="Router IP" interface=bridge-WAN network=200.200.200.112
/ip address add address=200.200.200.115 comment="Office WAN IP" interface=bridge-WAN network=200.200.200.115
/ip address add address=10.0.0.254/24 comment="Office LAN IP" interface=bridge-LAN network=10.0.0.0
/ip address add address=192.168.19.1/24 interface=WG-TEHAS network=192.168.19.0
/ip dhcp-server network add address=10.0.0.0/24 comment=office dns-server=10.0.0.34 gateway=10.0.0.254
/ip dns set allow-remote-requests=yes servers=DNSSERVER
/ip firewall address-list add address=192.168.1.0/24 list=vpn_list
/ip firewall address-list add address=10.0.2.0/24 list=vpn_list
/ip firewall filter add action=accept chain=input dst-port=13231 protocol=udp
/ip firewall filter add action=accept chain=input dst-address=200.200.200.115 dst-port=13231 in-interface=bridge-WAN protocol=udp src-address=201.201.201.166
/ip firewall filter add action=accept chain=input dst-port=500 protocol=udp src-address=100.100.100.251
/ip firewall filter add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp src-address-list=safe_ip
/ip firewall filter add action=accept chain=input comment=ping dst-address=200.200.200.115 protocol=icmp
/ip firewall filter add action=accept chain=input comment="established ja related" connection-state=established,related
/ip firewall filter add action=drop chain=input comment="drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=input comment="drop all input from WAN" in-interface=bridge-WAN
/ip firewall filter add action=accept chain=forward dst-address=10.0.0.0/24 in-interface=bridge-WAN src-address=10.0.2.0/24
/ip firewall filter add action=accept chain=forward dst-address=10.0.0.0/24 src-address=192.168.10.0/24
/ip firewall filter add action=accept chain=forward dst-address=192.168.10.0/24 src-address=10.0.0.0/24
/ip firewall filter add action=accept chain=forward comment="establised ja related" connection-state=established,related
/ip firewall filter add action=drop chain=forward comment="drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="drop all forward not dstnat'ed" connection-nat-state=!dstnat connection-state=new in-interface=bridge-WAN
/ip firewall nat add action=src-nat chain=srcnat comment="Office net masquerade" dst-address-list=!vpn_list out-interface=bridge-WAN src-address=10.0.0.0/24 to-addresses=200.200.200.115
/ip firewall nat add action=accept chain=srcnat comment="VPN" dst-address=10.0.2.0/24 src-address=10.0.0.0/24
/ip firewall nat add action=dst-nat chain=dstnat comment="VPN SSL" dst-address=200.200.200.115 dst-port=443 protocol=tcp to-addresses=10.0.0.35 to-ports=443
/ip ipsec identity add peer=tln
/ip ipsec policy add dst-address=10.0.2.0/24 peer=tln proposal="hw acc proposal" src-address=10.0.0.0/24 tunnel=yes
/ip route add disabled=no dst-address=0.0.0.0/0 gateway=200.200.200.113
/ip route add disabled=no dst-address=192.168.10.0/24 gateway=WG-TEHAS routing-table=main suppress-hw-offload=no

Router2

# model = RB2011UiAS
/interface bridge add admin-mac=D4:CA:6D:0B:9C:88 auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface wireguard add listen-port=13231 mtu=1420 name=WG-SYS
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/ip pool add name=default-dhcp ranges=192.168.10.100-192.168.10.199
/ip dhcp-server add address-pool=default-dhcp interface=bridge lease-time=12h10m name=defconf
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge interface=ether10 internal-path-cost=10 path-cost=10
/ip firewall connection tracking set udp-timeout=10s
/ip neighbor discovery-settings set discover-interface-list=LAN
/ip settings set max-neighbor-entries=8192
/ipv6 settings set disable-ipv6=yes max-neighbor-entries=8192
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface list member add interface=WG-SYS list=LAN
/interface wireguard peers add allowed-address=192.168.19.0/24,10.0.0.0/24 endpoint-address=200.200.200.115 endpoint-port=13231 interface=WG-SYS name=tehas persistent-keepalive=25s public-key="xxxxxxxxxxxxx"
/ip address add address=192.168.10.1/24 comment=defconf interface=bridge network=192.168.10.0
/ip address add address=201.201.201.166/29 comment="WAN aadress" interface=ether1 network=201.201.201.160
/ip address add address=192.168.19.4/24 interface=WG-SYS network=192.168.19.0
/ip dhcp-server network add address=192.168.10.0/24 comment=defconf dns-server=192.168.10.1 gateway=192.168.10.1
/ip firewall address-list add address=192.168.19.0/24 list=mylist
/ip firewall address-list add address=10.0.0.0/24 list=mylist
/ip firewall address-list add address=10.0.10.10 list=mylist
/ip firewall filter add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp src-address-list=safe_ip
/ip firewall filter add action=accept chain=input dst-port=13231 protocol=udp
/ip firewall filter add action=accept chain=input comment=Ovpn dst-port=1194 protocol=tcp src-address=110.1.0.0/16
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface=ether1
/ip firewall filter add action=accept chain=forward dst-address=192.168.10.0/24 src-address=10.0.0.0/24
/ip firewall filter add action=accept chain=forward dst-address=10.0.0.0/24 src-address=192.168.10.0/24
/ip firewall filter add action=drop chain=forward comment="drop SMB out" dst-address-list=!safe_ip dst-port=445 out-interface=ether1 protocol=tcp
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" dst-address-list=!vpn_list ipsec-policy=out,none out-interface-list=WAN
/ip route add disabled=no dst-address=0.0.0.0/0 gateway=201.201.201.161
/ip route add disabled=no distance=1 dst-address=10.0.0.0/24 gateway=WG-SYS routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ppp secret add local-address=192.168.10.1 name=leh remote-address=192.168.10.99 routes=192.168.99.0/24 service=ovpn

(attached diagram: wg-draw.jpg)
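As an added example (my own checker, not code from the thread or from RouterOS), the following Python model walks a packet through WireGuard's cryptokey routing over the two exports above: a packet only enters the tunnel if its destination matches the peer's allowed-address, and is only accepted after decryption if its source does, so this separates that layer from the firewall and NAT rules the replies go on to discuss. Assumptions: the connected routes implied by the /24 interface addresses are filled in, the 192.168.99.0/24 route comes from the ppp secret on Router2, and the host addresses .50 and 192.168.99.5 are constructed samples.

```python
import ipaddress

# Topology transcribed from the two exports in the first post (the poster's made-up
# public IPs). Connected routes are added because RouterOS creates them implicitly;
# 192.168.99.0/24 comes from the ppp secret on Router2. Added example, not RouterOS.
ROUTERS = {
    "Router1": {
        "wg_if": "WG-TEHAS",
        "peer_allowed": ["192.168.19.4/32", "192.168.10.0/24"],
        "routes": {
            "10.0.0.0/24": "bridge-LAN",          # connected
            "192.168.19.0/24": "WG-TEHAS",        # connected
            "192.168.10.0/24": "WG-TEHAS",        # static
            "0.0.0.0/0": "200.200.200.113",       # default
        },
    },
    "Router2": {
        "wg_if": "WG-SYS",
        "peer_allowed": ["192.168.19.0/24", "10.0.0.0/24"],
        "routes": {
            "192.168.10.0/24": "bridge",          # connected
            "192.168.19.0/24": "WG-SYS",          # connected
            "10.0.0.0/24": "WG-SYS",              # static
            "192.168.99.0/24": "ovpn-leh",        # from the ppp secret
            "0.0.0.0/0": "201.201.201.161",       # default
        },
    },
}

def lookup_route(routes, dst):
    """Longest-prefix match, as the routing table does before WireGuard sees a packet."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def in_allowed(allowed, addr):
    """True if addr falls inside any allowed-address prefix of the peer."""
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(p) for p in allowed)

def check_flow(sender, receiver, src, dst):
    """Walk one packet src->dst from sender to receiver. Returns (ok, reasons)."""
    s, r = ROUTERS[sender], ROUTERS[receiver]
    reasons = []
    # 1. Routing: the packet must be handed to the WireGuard interface at all.
    gw = lookup_route(s["routes"], dst)
    if gw != s["wg_if"]:
        reasons.append(f"{sender}: {dst} routes via {gw}, not {s['wg_if']}")
    # 2. Egress cryptokey routing: dst must match allowed-address, else no peer to encrypt to.
    if not in_allowed(s["peer_allowed"], dst):
        reasons.append(f"{sender}: {dst} not in peer allowed-address")
    # 3. Ingress cryptokey routing: decrypted src must match allowed-address, else dropped.
    if not in_allowed(r["peer_allowed"], src):
        reasons.append(f"{receiver}: src {src} not in peer allowed-address")
    return (not reasons, reasons)

def check_both_ways(a, b, src, dst):
    """A ping needs the request a->b and the reply b->a to both pass."""
    fwd_ok, fwd = check_flow(a, b, src, dst)
    rev_ok, rev = check_flow(b, a, dst, src)
    return (fwd_ok and rev_ok, fwd + rev)

if __name__ == "__main__":
    # Constructed sample hosts: a LAN1 PC, a LAN2 PC and an OpenVPN client on Router2.
    for a, b, src, dst in [("Router1", "Router2", "10.0.0.50", "192.168.10.50"),
                           ("Router2", "Router1", "192.168.19.4", "10.0.0.50"),
                           ("Router2", "Router1", "192.168.99.5", "10.0.0.50")]:
        ok, why = check_both_ways(a, b, src, dst)
        print(f"{src} <-> {dst}: {'OK' if ok else 'BLOCKED'}", *why, sep="\n  ")
```

Both LAN-to-LAN directions pass this layer with the posted allowed-address lists, so the failure the first post describes must sit in the firewall or NAT rules rather than in the tunnel itself; the OpenVPN client case shows how a prefix missing from allowed-address fails silently.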

Router1

Okay, some things I don't understand.
Do you have one IP for the router, or two IPs for the router?
In other words, do you have two routes for traffic, one primary and one secondary, OR
do you have one external IP associated with a server, for example, or a single subnet???
I am very unfamiliar with the concept of two different IPs with a single route and single gateway 200.200.200.13??

Why the duplicate wireguard handshake input rules?

Is the route for both WANIPs covered by the single gateway 200.200.200.13 ??

Assuming your list of safe source IPs (for winbox access) consists of:
a. admin devices (PC, laptop, smartphone) on both routers
b. admin remote wireguard connected devices.

Where do you get the 10.0.2.0 network in the forward chain rule (it's not a subnet on either router)?
Is this an ipsec subnet on the router?

So if not terminating WAN2 on the router, what's on the other end of ethernet 1???

Router 2.

Okay the WG settings show that you are trying to connect NOT to the router WANIP on R1, but the other WANIP, of unknown purpose??

Same comment about Safe-IP list!

Why do you have a wireguard handshake rule on the client peer for handshake???
/ip firewall filter add action=accept chain=input dst-port=13231 protocol=udp

Yes. Connecting to the Router1 WAN2 IP "Office network ip".
The safe list is also for management addresses not related to wireguard.
You are right. The Wireguard input rule is not needed here.

Router1

To me it seems illogical to have an IP strictly for management of the MT router.
Router management is NOT done via the WANIP. It's done from internally connected devices or wireguard connected devices from behind the router, TO THE ROUTER (aka input chain).
If your intent is to be able to reach the ISP modem device, then perhaps there is logic.
In other words, router and config management is entirely possible with a single WANIP, and much confusion is caused by an extra wanip with no real purpose.

The safe list is nothing more than IDENTIFYING admin devices on the local network of Router1, admin devices using wireguard, and even admin devices on Router2, for when you are at site2 and wish to be able to change something in the config on Router1. It's not wireguard specific etc., it's admin specific, for the management of both routers and their networks!


  1. Remove persistent-keepalive on the wireguard settings; it's germane to client peers (at handshake).
    /interface wireguard peers add allowed-address=192.168.19.4/32,192.168.10.0/24 disabled=no interface=WG-TEHAS is-responder=yes name=OFFICE2 persistent-keepalive=25s public-key="xxxxxxxxxxxx"

  2. Reorganize firewall rules for my sanity. Also, why still using the default winbox port… I never publish my real winbox port on configs…
    The dst-port 500 input chain rule → removed the private address; nonsensical, as the input chain on IPSEC ports is for incoming connections, not from the LAN…
    This rule was too weird to understand,
    /ip firewall filter add action=accept chain=forward dst-address=10.0.0.0/24 in-interface=bridge-WAN src-address=10.0.2.0/24
    first of all, the ipsec rule you have is associated with the .115 IP address, not the .114 address.
    /ip ipsec peer add address=100.100.100.251/32 local-address=200.200.200.115 name=tln profile=lasprof
    Okay, modified it slightly, removed the bridge aspect…

/ip firewall address-list
add address=10.0.0.x list=Authorized comment="local admin PC"
add address=10.0.0.Y list=Authorized comment="local admin laptop"
add address=192.168.19.3 list=Authorized comment="remote wireguard admin laptop"
add address=192.168.19.4 list=Authorized comment="remote wireguard admin smartphone/ipad"
add address=192.168.10.A list=Authorized comment="remote admin when at router2"

/ip firewall filter
{ input chain rules }
(default rules to keep)
add action=accept chain=input comment="established ja related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input protocol=icmp

(admin rules)
add action=accept chain=input comment="wireguard handshake" dst-port=13231 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input comment="admin access" src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="users to services" dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="drop all else"
{ put this rule last }
+++++++++++++++
{ forward chain rules }
(default rules to keep)
/ip firewall filter
add action=fasttrack-connection chain=forward comment="established ja related" connection-state=established,related
add action=accept chain=forward comment="established ja related" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid

(admin rules)
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward dst-address=10.0.0.0/24 in-interface=WG-TEHAS comment="traffic from remote wg users and router 2 subnet to local LAN"
add action=accept chain=forward src-address=10.0.0.0/24 out-interface=WG-TEHAS comment="traffic from local subnet to router 2 LAN"
add action=accept chain=forward in-interface=WG-TEHAS out-interface=WG-TEHAS comment="relay wg remote users to router2, via router1"
add action=accept chain=forward dst-address=10.0.0.0/24 src-address=10.0.2.0/24 comment="ipsec access to LAN"
add action=accept chain=forward connection-nat-state=dstnat comment="allow port forwarding"
add action=drop chain=forward comment="drop all else"

  3. NAT should look like this, I think:
    /ip firewall nat
    add action=src-nat chain=srcnat to-addresses=200.200.200.15 out-interface-list=WAN
    add action=dst-nat chain=dstnat comment="VPN SSL" dst-address=200.200.200.115 dst-port=443 protocol=tcp to-addresses=10.0.0.35 to-ports=443

Discussion:

/ip firewall nat
add action=src-nat chain=srcnat comment="Office net masquerade" dst-address-list=!vpn_list out-interface=bridge-WAN src-address=10.0.0.0/24 to-addresses=200.200.200.115
add action=accept chain=srcnat comment="VPN" dst-address=10.0.2.0/24 src-address=10.0.0.0/24
add action=dst-nat chain=dstnat comment="VPN SSL" dst-address=200.200.200.115 dst-port=443 protocol=tcp to-addresses=10.0.0.35 to-ports=443

Question1: Why the sourcenat rule for local LAN out ipsec? The reason I ask is that in the firewall rules you only allow IPSEC to the local LAN. In other words, you do not show a requirement for the local LAN to enter ipsec or originate traffic to ipsec. If you did, you would have had this rule also:
add action=accept chain=forward src-address=10.0.0.0/24 dst-address=10.0.2.0/24 comment="LAN access to ipsec"

So either add the forward chain rule or remove the sourcenat rule!!

Question2. I do not understand the main sourcenat rule either. The VPN or vpn list has nothing to do with masquerade. In other words, masquerade is NOT firewall rules and should not be used for such purposes. Firstly, there is no ipsec traffic going out the WAN; it's going out the tunnel created, so the masquerade rule won't affect it at all. Secondly, your vpn list mentions a subnet that is not noted for ipsec or anywhere else… 192.168.1.0, which is very confusing. Is this some sort of openvpn subnet? In which case again, this traffic goes through the tunnel, not the local WAN, once the tunnel is established.

You never state why you have three ports for the WAN bridge; there is only one connection to the ISP.
Assuming it's on combo…

model = CCR1009-7G-1C-1S+

/interface bridge add name=bridge-LAN port-cost-mode=short
/interface wireguard add listen-port=13231 mtu=1420 name=WG-TEHAS

/interface bridge port
add bridge=bridge-LAN ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN ingress-filtering=no interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10

/interface list member
add interface=bridge-LAN list=LAN
add interface=WG-TEHAS list=LAN
add interface=combo1 list=WAN

/ip address
add address=200.200.200.115 comment="Office WAN IP" interface=combo1
add address=10.0.0.254/24 comment=“Office LAN IP” interface=bridge-LAN network=10.0.0.0
add address=192.168.19.1/24 interface=WG-TEHAS network=192.168.19.0

/ip neighbor discovery-settings
set discover-interface-list=LAN

/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Add the firewall rules/NAT rules from the previous post and you have full access to the management of both routers from the selected Authorized IPs.

Router 2.

model = RB2011UiAS

/ip firewall address-list
add address=10.0.0.x list=Authorized comment="remote admin PC from R1"
add address=10.0.0.Y list=Authorized comment="remote admin laptop from R1"
add address=192.168.19.3 list=Authorized comment="remote wireguard admin laptop"
add address=192.168.19.4 list=Authorized comment="remote wireguard admin smartphone/ipad"
add address=192.168.10.A list=Authorized comment="local admin device"

/ip firewall filter
{ input chain rules }
(default rules to keep)
add action=accept chain=input comment="established ja related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input protocol=icmp

(admin rules)
add action=accept chain=input comment="wireguard handshake" dst-port=13231 protocol=udp
add action=accept chain=input comment=Ovpn dst-port=1194 protocol=tcp src-address=110.1.0.0/16
add action=accept chain=input comment="admin access" src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="users to services" dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="drop all else"
{ put this rule last }
+++++++++++++++
{ forward chain rules }
(default rules to keep)
/ip firewall filter
add action=fasttrack-connection chain=forward comment="established ja related" connection-state=established,related
add action=accept chain=forward comment="established ja related" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid

(admin rules)
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward dst-address=192.168.10.0/24 in-interface=WG-SYS comment="traffic from remote wg users and router 1 subnet to local LAN"
add action=accept chain=forward src-address=192.168.10.0/24 out-interface=WG-SYS comment="traffic from local subnet to router 1 LAN"
add action=accept chain=forward connection-nat-state=dstnat comment="allow port forwarding"
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=src-nat chain=srcnat to-addresses=201.201.201.66 out-interface=ether1

This rule I left out because I didn't understand its purpose!
/ip firewall filter add action=drop chain=forward comment="drop SMB out" dst-address-list=!safe_ip dst-port=445 out-interface=ether1 protocol=tcp

What are you trying to block???



For now I will not change the main config. It's a remote location and in use almost 24/7. In the coming days I hope to find time to try at least some of your settings. I'm just trying to figure out if I can wireguard or not. Router access is not relevant at the moment. The idea is that LAN2 devices have access to all LAN1 resources, servers, etc.

Router 1

In other words, router and config management is entirely possible with a single WANIP, and much confusion is caused by an extra wanip with no real purpose.

The logic here was that if we, for example, have multiple LANs NATed to multiple external IPs, then let the router have its own IP, not related to any of the other networks.

  1. Removed keepalive
  2. This rule was too weird to understand,
    /ip firewall filter add action=accept chain=forward dst-address=10.0.0.0/24 in-interface=bridge-WAN src-address=10.0.2.0/24

Correct. In-interface removed.

  3. Question1: Why the sourcenat rule for local LAN out ipsec…

Correct. Removed.

Question2. I do not understand the main sourcenat rule either…

Honestly, it was made this way a long time ago for ipsec. Checking.
192.168.1.0 is some other office I also plan to connect sometime. Now disabled.

You never state why you have three ports for the WAN bridge; there is only one connection to the ISP.

Just in case I need to connect some device straight to the internet; then no separate switch device is needed. No second devices at the moment.

Router 2

This rule I left out because I didn't understand its purpose!
/ip firewall filter add action=drop chain=forward comment="drop SMB out" dst-address-list=!safe_ip dst-port=445 out-interface=ether1 protocol=tcp

Was just testing some outside mediaplayer access to an smb share. Disabled.

Thanks for now.