Hi, I have set up a WireGuard server that works pretty well, and a WireGuard client router using v7.1 Beta4. The problem is that after creating the interface and some rules for policy-based routing, it is as if the internet traffic does not work, meaning for example if someone in the network tries to access "duckduckgo.com". If I set up the WireGuard client on a PC using Windows or Linux, all traffic works fine; this only happens with the router as client. Here is roughly the configuration I created:
wg genkey | tee privatekey | wg pubkey > publickey
/interface wireguard add listen-port=12345 mtu=1420 name=WG1 private-key="abc=="
/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=SERVER_IP endpoint-port=12345 interface=WG1 persistent-keepalive=15 public-key="SERVER_Public_Key"
/ip address add address=10.XX.XX.XX/16 interface=WG1
After this I set up policy-based routing for the full internal subnet, for some hosts, or based on content using mangle rules (this example is for the whole internal subnet):
/routing table add name=Through_WG fib
/ip route add dst-address=0.0.0.0/0 gateway=WG1 routing-table=Through_WG
/ip firewall nat add chain=srcnat src-address=192.168.150.0/24 out-interface="WG1" action=masquerade
/ip firewall mangle add chain=prerouting src-address=192.168.150.0/24 action=mark-routing new-routing-mark=Through_WG
I think the problem is gateway=WG1 in your ip route - you can only set gateway to an interface if it is a PPP interface. For any other interface type it must be an IP address.
Got it, so I added the WireGuard server IP in the route, but I still have the same issue; only some traffic makes it through the WireGuard tunnel. I added something like this:
/ip route add dst-address=0.0.0.0/0 gateway=Wireguard_server_IP@main routing-table=Through_WG
Could it be something in the firewall stopping the traffic, or should it be allowed somewhere?
/ip firewall nat add chain=srcnat out-interface="WG1" action=masquerade
Alternative to the above:
If your config is based on the default config, you can just add WG1 as a WAN interface
(which has the advantage of firewalling as well as NATing it):
/interface list member
add interface WG1 list=WAN
Then use a routing rule (or two):
/routing rule
# might need this first rule to stop you being locked out of the router when the following rule is added
add action=lookup disabled=no src-address=192.168.150.0/24 dst-address=192.168.150.0/24 table=main
Has there been a solution for this? I have exactly the same problem.
MikroTik site-to-site WG: several sites do not load in the browser (duckduckgo.com, yahoo.com, and others).
A Windows 11 WG client to the MikroTik server works fine.
Without seeing your config, everyone can only guess as to what your particular issue is, but here are a few things to try:
a) add a src-nat (masquerade) rule to the WG interface on the client MikroTik
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=wireguard1
b) MSS clamp traffic going out the WireGuard interface
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=no protocol=tcp tcp-flags=syn
Most of the traffic packets are dropped due to the overhead caused by the WireGuard headers.
Here is the solution, assuming you are using the default 1420 MTU for the WireGuard interface.
Make sure to select your WireGuard interface in out-interface.
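Pulling the thread's pieces together, here is a complete client-router configuration as an added example; it is not code from any post above. It combines the WAN-list approach from the "alternative" post with the masquerade and MSS-clamp rules from the later reply. Assumed values: LAN 192.168.150.0/24, tunnel network 10.0.0.0/24 with the server at 10.0.0.1 and this router at 10.0.0.2, server reachable at SERVER_IP:12345, interface name WG1; the keys are placeholders.

```routeros
# Added example (not from the thread): WireGuard client router on RouterOS 7
# that sends one LAN subnet through the tunnel.
# Assumed: LAN 192.168.150.0/24, tunnel 10.0.0.0/24 (server 10.0.0.1, this
# router 10.0.0.2), server at SERVER_IP:12345, interface WG1, placeholder keys.

/interface wireguard
add name=WG1 mtu=1420 listen-port=12345 private-key="CLIENT_PRIVATE_KEY"

/interface wireguard peers
add interface=WG1 public-key="SERVER_PUBLIC_KEY" endpoint-address=SERVER_IP endpoint-port=12345 allowed-address=0.0.0.0/0 persistent-keepalive=25s

/ip address
add address=10.0.0.2/24 interface=WG1

# Treat the tunnel as a WAN port: the default firewall (drop input from WAN,
# drop forward from WAN unless dst-nat) and the default masquerade rule on
# out-interface-list=WAN then cover WG1 without extra rules.
/interface list member
add interface=WG1 list=WAN

# Separate routing table holding a default route via the server's tunnel IP.
/routing table
add name=Through_WG fib
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.1 routing-table=Through_WG comment="default route inside the tunnel"

# Policy routing. Rule 1 keeps LAN-to-LAN (and LAN-to-router) traffic in the
# main table. Rule 2 forces everything else from the LAN into Through_WG;
# lookup-only-in-table fails closed: if the tunnel route is gone the LAN loses
# internet instead of leaking out via the ISP.
/routing rule
add src-address=192.168.150.0/24 dst-address=192.168.150.0/24 action=lookup table=main comment="LAN stays local"
add src-address=192.168.150.0/24 action=lookup-only-in-table table=Through_WG comment="LAN -> tunnel only"

# Source NAT behind the tunnel address. Redundant if the default masquerade
# on out-interface-list=WAN exists; kept for configs without the defaults.
/ip firewall nat
add chain=srcnat out-interface=WG1 action=masquerade comment="NAT into tunnel"

# Clamp TCP MSS on SYNs leaving the tunnel so segments fit the 1420-byte MTU.
# Without it, sites sending full-size packets with DF set stall (PMTU blackhole).
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn out-interface=WG1 action=change-mss new-mss=clamp-to-pmtu passthrough=no comment="MSS clamp for WG1"
```

Paste this into the terminal of a RouterOS 7 router after replacing the placeholders. The client never needs an input-chain rule for the tunnel: it initiates the handshake, and the persistent keepalive holds the NAT/firewall state for the server's replies. The MSS clamp matches SYNs only with passthrough=no, so it costs nothing on the rest of each flow; clamp-to-pmtu derives the value from the MTU of WG1.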
Hi guys, I have a tunnel made with WireGuard; everything works, only I can't create a NAT on a specific IP. I would like, when they connect to router B, for router B to put them all on a specific IP on the network.
Do you have a suggestion for me?
Thank you
Yes, provide a decent network diagram to show what the two (or maybe more) clients connecting to the server are...
If any MT devices are involved, provide the config:
/export file=anynameyouwish (minus the router serial #, any public WAN IP information, keys, etc.)
Need context; there is no network diagram.
Is this device connecting as a client to another device, and what is the other device? Or is this device a server for initial connections from a client router, and what is this other router?
(I also see another remote connection as well.)
I don't have any clue what you are trying to accomplish with source-NAT rules for single IPs and then the entire local subnet out the WireGuard tunnel.
As I said, where are they going? The traffic flows are too vague to work on.
I created a site-to-site tunnel and it works; only I would like everyone who wants to connect to router B to be directed by router B to just one internal IP.
Sorry for my English.
So as seen from the diagram, I want addresses 192.168.2.10/11/12 to see only the computer 192.168.1.170; the rest of the network 192.168.1.0/24 must not be accessed.
Okay, so you have two routers; if both are MT, you need to post both, not just one.
Also, do you want users on both routers to initiate a tunnel (put another way, can both routers be both client and server for the initial connection)?
Assuming both have publicly accessible public IPs...
I did not put in the public IPs since the connection works.
The current configuration is site-to-site, on two MikroTik RB750Gr3.
The two networks 192.168.1.0/24 and 192.168.2.0/24 both work, only the computers coming from 192.168.2.10-12/24
must see only the server 192.168.1.170/24.
I tried to create a NAT but it does not work, while before with OpenVPN it worked; I think it is due to the fact that WireGuard works on another OSI level.
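For the last question (hosts 192.168.2.10-12 on the router A side may reach only 192.168.1.170 behind router B), here is the router B side as an added example; it is not configuration from any post in the thread. WireGuard is a layer-3 interface in RouterOS, so ordinary forward-chain filter rules apply to it exactly as they did to an OpenVPN interface; restricting access is a filter job, not a NAT job (a dst-nat rule would be needed only if the intent were to redirect all connections to one host, which is not shown here). Assumed: the tunnel interface on router B is called wireguard1, it has a single peer (router A), and the firewall is the RouterOS default, where no earlier rule accepts everything arriving from wireguard1.

```routeros
# Added example (not from the thread): router B restricts what router A's
# hosts may reach across the WireGuard tunnel.
# Assumed: tunnel interface wireguard1 with one peer (router A, LAN
# 192.168.2.0/24), LAN behind router B 192.168.1.0/24, permitted destination
# 192.168.1.170, permitted sources 192.168.2.10-12.

# Coarse filter first: WireGuard discards any decrypted packet whose source
# is not inside the peer's allowed-address, before the firewall sees it.
/interface wireguard peers
set [ find interface=wireguard1 ] allowed-address=192.168.2.0/24

# Name the permitted sources so the filter rule is stable when hosts change.
/ip firewall address-list
add list=wg_allowed_src address=192.168.2.10
add list=wg_allowed_src address=192.168.2.11
add list=wg_allowed_src address=192.168.2.12

/ip firewall filter
# Permit only the listed hosts, and only to the one server. Replies from
# 192.168.1.170 enter from the LAN interface as established traffic, which the
# default "accept established,related" rule at the top already handles.
add chain=forward in-interface=wireguard1 src-address-list=wg_allowed_src dst-address=192.168.1.170 action=accept comment="WG: allowed hosts -> 192.168.1.170"
# Everything else arriving from the tunnel is logged, then dropped.
add chain=forward in-interface=wireguard1 action=log log-prefix="wg-denied " comment="WG: log denied"
add chain=forward in-interface=wireguard1 action=drop comment="WG: drop the rest"
```

Two placement caveats. `add` appends the rules after the default forward chain, which is correct as long as no default rule accepts everything from wireguard1; if wireguard1 is a member of the WAN interface list on router B, the default "drop all from WAN not DSTNATed" rule sits above these and would drop the permitted traffic too, so move the accept rule above it with /ip firewall filter move. The rules cover forwarded traffic only; access to router B's own services from the tunnel is the input chain, where the default "drop all not coming from LAN" rule already blocks it unless wireguard1 has been added to the LAN list.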