Wireguard Tunnel established successfully, but not routed properly

Hey everyone,

I tried to configure a hAP ac to perform basic switching and to be a WireGuard endpoint. The base of my configuration is the stock CAP quickset with WireGuard enabled additionally.

I have no problems establishing a WireGuard tunnel between my Android smartphone and the hAP ac. But whenever I establish the WG tunnel, the hAP itself is the only thing I'm able to access (using ping or even by opening its WebFig in my smartphone's browser). Neither IPs within my local network nor within the internet can be accessed (not even a ping to 8.8.8.8 works). The hAP itself is able to reach the internet and my local network.

I think the routing between the WG interface and my local network isn’t configured properly.
Routes: [screenshot: Bildschirmfoto vom 2023-04-04 16-45-18.png]
My hAP’s config:

# apr/04/2023 16:15:14 by RouterOS 7.8
# software id = 56MP-ST5M
#
# model = RB962UiGS-5HacT2HnT
# serial number = XXXXXXXXXXXXX
/interface bridge
add admin-mac=XXXXXXXXX auto-mac=no comment=defconf name=bridgeLocal
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] ssid=MikroTik
# managed by CAPsMAN
set [ find default-name=wlan2 ] ssid=MikroTik
/interface wireguard
add listen-port=53635 mtu=1420 name=roadguard
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
add bridge=bridgeLocal comment=defconf interface=sfp1
/interface wireguard peers
add allowed-address=192.168.88.2/24 interface=roadguard public-key="XXXXXXXXXXXXXXXXXXXXXXXX"
/interface wireless cap
# 
set bridge=bridgeLocal discovery-interfaces=bridgeLocal enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.88.1/24 comment="Wireguard Endpoint" interface=roadguard network=192.168.88.0
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/system clock
set time-zone-name=Europe/Berlin

My smartphone's config: [screenshot: AndroidWGConfig.jpeg]

Yeah, I know. My smartphone is configured to connect to an IP address within my local network (it's the hAP's address). When the WireGuard setup is working properly, my gateway router (which isn't capable of being a WG endpoint) will be configured to port forward WireGuard traffic to the hAP. :wink:

Thank you very much for reading my post!

Any ideas?

In order for your WireGuard network to access the Internet you will need to configure NAT (srcnat chain) for the WireGuard network on the gateway router.

For WireGuard to access the lan try adding it to the LAN interface list:

/interface list member
add interface=wireguard list=LAN

Your peer is also not correct, it should be 192.168.88.2/32

I suggest you read the documentation - https://help.mikrotik.com/docs/display/ROS/WireGuard

Also → https://forum.mikrotik.com/viewtopic.php?t=182340
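As an added example (not from either poster), the reply's fixes applied to the export above: the peer narrowed to /32, the roadguard interface added to a LAN interface list, and, as a swapped-in alternative to NAT on the gateway router, a masquerade rule on the hAP itself so return traffic from the LAN and the internet does not need a route back to 192.168.88.0/24. It assumes the gateway's LAN uses a subnet other than 192.168.88.0/24 and that the hAP keeps its DHCP-assigned address on bridgeLocal.

```routeros
# Added example, not the original poster's export.
# Peer: one client, so allowed-address must be the client's single host address.
/interface wireguard peers
set [ find interface=roadguard ] allowed-address=192.168.88.2/32

# The CAP quickset has no interface lists; create LAN and put both the
# bridge and the WireGuard interface in it. This only has an effect once
# firewall filter rules reference the LAN list (the export above has none).
/interface list
add name=LAN
/interface list member
add interface=bridgeLocal list=LAN
add interface=roadguard list=LAN

# Masquerade WireGuard clients behind the hAP's bridge address when they
# leave towards the LAN or the internet. LAN hosts and the gateway then
# only ever see the hAP's own address and need no route to 192.168.88.0/24.
# (Assumption: the gateway's LAN is not itself 192.168.88.0/24.)
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 out-interface=bridgeLocal \
    action=masquerade comment="WG clients -> LAN/internet via bridgeLocal"
```

With the masquerade rule in place the gateway router only needs the UDP 53635 port forward to the hAP; the srcnat the reply describes on the gateway is the alternative if you prefer to keep the hAP NAT-free.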