WireGuard tunnel unable to use inet on the other side of the tunnel...

Hello MikroTik community,

I'm a new MikroTik user and I'm trying to configure a WireGuard tunnel between two MikroTik routers. Below is the context of this setup:

On MikroTik router A:

  • inet <= [PUBLIC IPV4] Fibre Modem <= (eth0) ISP Router with a private network 192.168.1.1/24 <= (eth1) MikroTik router A, connected with private IP 192.168.1.2 through a bridge-lan
  • I set a private network for WireGuard, 10.0.0.0/24; on MikroTik router A the WireGuard interface uses the address 10.0.0.1

On MikroTik router B:

  • inet <= [PUBLIC CGNAT IPV4] (lte0 USB Tethering) MikroTik router B
  • I set a private network for WireGuard, 10.0.0.0/24; the WireGuard interface uses the address 10.0.0.2
  • I also set a private WLAN network, 10.2.2.0/24, which will be used by clients connected to the wireless AP


    The WireGuard tunnel between MikroTik A and B is up and working.

Using a test laptop on the 10.2.2.0/24 network I can check:

  • ping 10.0.0.1 => OK
  • ping 192.168.1.1 => ping OK, which is the IP address of the ISP router on the MikroTik A side
  • nslookup google.com => OK
  • ping google.fr => NOK (the request is routed to the LTE interface instead of the WireGuard interface...)

I can also use 192.168.1.1 as a DNS relay to resolve names (nslookup google.fr gives me an answer from 192.168.1.1).


How can I force users connected to the 10.2.2.0/24 network to use the internet (PUBLIC IPV4) on the MikroTik A side?


Below you'll find the exports of the MikroTik A & B configs:


Thank you very much for your help :slight_smile:







MikroTik A config:

RouterOS 7.12.1

model = RB952Ui-5ac2nD

/interface bridge
add admin-mac=78:9A:18:4F:74:84 auto-mac=no name=bridge-lan
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard-site-a
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=ep_remote_access supplicant-identity=""
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-eCee frequency=5520 mode=ap-bridge security-profile=ep_remote_access ssid=wlan1_limited_access wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridge-lan interface=ether1
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5
add bridge=bridge-lan interface=wlan1
add bridge=bridge-lan interface=wlan2
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 comment="Site B" interface=wireguard-site-a persistent-keepalive=25s public-key="*****"
/ip address
add address=10.0.0.1/24 interface=wireguard-site-a network=10.0.0.0
/ip dhcp-client
add interface=bridge-lan
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge-lan src-address=10.0.0.0/24
/ip route
add disabled=no distance=1 dst-address=10.2.2.0/24 gateway=wireguard-site-a pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=Europe/Paris
/system note
set show-at-login=no





MikroTik B config:

RouterOS 7.12.1

model = RB952Ui-5ac2nD

/interface bridge
add admin-mac=BA:80:3F:59:B2:9B auto-mac=no name=bridge-lan
/interface lte
set [ find default-name=lte1 ] comment="USB Tethering"
/interface wireguard
add comment="WG Interface - Site B" listen-port=51821 mtu=1420 name=wireguard-site-b
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys name=ep_remote_access supplicant-identity="" unicast-ciphers=tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=france disabled=no installation=outdoor mode=ap-bridge mtu=1420 security-profile=ep_remote_access ssid=wlan2_limited_access wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool4 ranges=10.2.2.1-10.2.2.254
/ip dhcp-server
add address-pool=dhcp_pool4 interface=bridge-lan name=dhcp1
/port
set 0 baud-rate=9600 data-bits=8 flow-control=none name=usb1 parity=none stop-bits=1
/interface ppp-client
add apn=internet name=ppp-out1 port=usb1
/interface bridge port
add bridge=bridge-lan ingress-filtering=no interface=ether1
add bridge=bridge-lan ingress-filtering=no interface=ether2
add bridge=bridge-lan ingress-filtering=no interface=ether3
add bridge=bridge-lan ingress-filtering=no interface=ether4
add bridge=bridge-lan ingress-filtering=no interface=ether5
add bridge=bridge-lan ingress-filtering=no interface=wlan1
add bridge=bridge-lan ingress-filtering=no interface=wlan2
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 comment="Site A" endpoint-address=mygateway-dns... endpoint-port=51820 interface=wireguard-site-b persistent-keepalive=25s public-key="*******"
/ip address
add address=10.0.0.2/24 interface=wireguard-site-b network=10.0.0.0
add address=10.2.2.0/24 interface=bridge-lan network=10.2.2.0
/ip dhcp-client
add interface=bridge-lan
/ip dhcp-server network
add address=10.2.2.0/24 dns-server=192.168.1.1 gateway=10.2.2.0
/ip firewall nat
add action=src-nat chain=srcnat src-address=10.2.2.0/24 to-addresses=10.0.0.2
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=RouterOS
/system note
set show-at-login=no
/system ntp client
set mode=broadcast

Solved the issue by:

1 - using a second routing table
2 - marking packets to redirect to my WireGuard tunnel gateway in the prerouting stage
3 - adding a rule to use the secondary routing table as the golden source for packets marked in the previous step



Thank you anyway for this forum :slight_smile:

And a big thank you for this documentation: https://help.mikrotik.com/docs/display/ROS/Mangle
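The three steps above, spelled out as RouterOS 7 commands for Router B. This is an added example, not the original poster's export: it reuses the interface and subnet names from the posted config (wireguard-site-b, 10.2.2.0/24, 10.0.0.2) and the table name useWG is an assumption.

```routeros
# Added example (not from the original post): mangle-based policy routing on
# Router B so that everything from the 10.2.2.0/24 LAN leaves via the tunnel.
# Names taken from the posted export; the table name "useWG" is an assumption.

# 1 - a second routing table (FIB) that only knows about the tunnel
/routing table
add name=useWG fib

# 2 - mark LAN traffic in prerouting; the mark selects the lookup table.
#     Router-originated traffic (the WireGuard UDP itself, going out lte1)
#     never passes prerouting with this source, so it is not affected.
/ip firewall mangle
add chain=prerouting src-address=10.2.2.0/24 action=mark-routing new-routing-mark=useWG passthrough=no comment="LAN 10.2.2.0/24 -> WireGuard"

# 3 - default route in the secondary table points at the tunnel interface
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard-site-b routing-table=useWG
# Fail closed: a WireGuard interface stays "running" even without a handshake,
# so unsent traffic is already dropped at the tunnel rather than leaking. If the
# interface is disabled, however, the route above goes inactive and the lookup
# would fall through to the main table, i.e. out lte1 from the CGNAT address.
# A worse-distance blackhole in the same table catches that case.
add dst-address=0.0.0.0/0 blackhole distance=10 routing-table=useWG

# Source NAT to the tunnel address so Router A can reply (same rule as in the
# posted config, scoped to the tunnel interface).
/ip firewall nat
add chain=srcnat src-address=10.2.2.0/24 out-interface=wireguard-site-b action=src-nat to-addresses=10.0.0.2
```

To check it, watch the counters with `/ip firewall mangle print stats` while a client on 10.2.2.0/24 browses; a traceroute from the client should then show 10.0.0.1 and 192.168.1.1 as the first hops, and the DNS server 192.168.1.1 handed out by DHCP is reached through the tunnel as well.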

Self-solving is rather arrogant.

Allowed IPs on Router A works, but the moment you add any peers like remote users that need to access RA or RB remotely, the error will show itself more clearly.
In other words, the Allowed IP settings on Router A (the server) would be better served as follows:

peer RB - Allowed IPs= 10.0.0.2/32,10.2.2.0/24

+++++++++++++++++++++++++++++++++++

Explanation: if you add yourself as a remote admin wanting to access both routers while away, for config purposes or to access LAN devices, it will not necessarily work.
Imagine the two rules.
peer RB - Allowed IPs= 0.0.0.0/0
peer Remote1 - Allowed IPs= 10.0.0.3/32 comment=admin-laptop

Any return traffic heading back to 10.0.0.3 would be matched by the first rule and would be sent to RB instead of peer Remote1.
A workaround would be to put peer Remote1 first in order, but it's a workaround for a misconfiguration.

Two rules of thumb here:
a. Generally speaking, server devices (for handshake) should not utilize 0.0.0.0/0 for any peer client devices.
b. When using 0.0.0.0/0 to access the internet, ensure it's an allowed IP setting on the peer client device.

Your configs are not complete and do not show firewall rules or interface lists/members, etc.
So I cannot comment on the rest of the config.

In your case, it would have been simpler not to mangle anything on RB:
- /routing table add fib name=useWG
- /ip route add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=useWG
- /routing rule add src-address=10.2.2.0/24 action=lookup table=useWG

If RB had two subnets and you needed to have traffic between the two subnets, one would need another routing rule first to ensure that traffic didn't get pushed out the tunnel.
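The routing-rule variant and the two rules of thumb above, written out as an added example (not the reply's own text) with the names from the posted exports. It includes the inter-subnet exception just mentioned, using an assumed second LAN 10.3.3.0/24 only to show where that rule goes, and uses `lookup-only-in-table` instead of `lookup` so that LAN traffic cannot fall back to the main table (the lte1 path) when the tunnel has no usable route. The public keys are placeholders.

```routeros
# Added example (not from the thread): routing rules instead of mangle on RB,
# plus the tightened Allowed IPs on RA. 10.3.3.0/24 is an ASSUMED second LAN,
# present only to show the exception rule; remove those two rules if RB has
# a single subnet.

# ---- Router B (the peer that needs the internet behind Router A) ----
/routing table
add name=useWG fib

/ip route
add dst-address=0.0.0.0/0 gateway=wireguard-site-b routing-table=useWG

/routing rule
# Rule order matters: traffic between the local subnets must be matched before
# the catch-all, otherwise it is pushed out the tunnel.
add src-address=10.2.2.0/24 dst-address=10.3.3.0/24 action=lookup table=main comment="assumed second LAN, keep local"
add src-address=10.3.3.0/24 dst-address=10.2.2.0/24 action=lookup table=main comment="assumed second LAN, keep local"
# Everything else from the LAN is looked up ONLY in useWG. With plain "lookup"
# a miss would fall back to main and leave via lte1 with the CGNAT address;
# "lookup-only-in-table" makes it fail closed instead.
add src-address=10.2.2.0/24 action=lookup-only-in-table table=useWG

# Rule of thumb b: 0.0.0.0/0 belongs on the client side (RB's peer entry for
# Site A keeps allowed-address=0.0.0.0/0 as in the posted config).

# ---- Router A (the peer that receives the handshake) ----
# Rule of thumb a: per peer, list only what that peer actually sources.
# Site B sources its tunnel address (after RB's src-nat) and its LAN;
# a remote admin laptop gets exactly its /32 and nothing else.
/interface wireguard peers
add interface=wireguard-site-a comment="Site B" allowed-address=10.0.0.2/32,10.2.2.0/24 persistent-keepalive=25s public-key="<Site B public key>"
add interface=wireguard-site-a comment="admin-laptop" allowed-address=10.0.0.3/32 public-key="<laptop public key>"

# Return path for the remote LAN and NAT towards the ISP router, both already
# in the posted RA export and repeated here so the block is complete.
/ip route
add dst-address=10.2.2.0/24 gateway=wireguard-site-a
/ip firewall nat
add chain=srcnat src-address=10.0.0.0/24 out-interface=bridge-lan action=masquerade
```

`/routing rule print` on RB shows the rules in the order they are evaluated, and `/ip route print where routing-table=useWG` confirms the tunnel default route is active. Because RB source-NATs the LAN to 10.0.0.2, RA's masquerade rule for 10.0.0.0/24 is sufficient; if that src-nat were removed, RA would also need to masquerade 10.2.2.0/24.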

I don't understand how sharing a solution, even if it's a beginner solution, could be considered arrogant O.o

Thanks for your recommendations

Thank God for peer review in science, is all I can say…
In any case, now readers will know that your 'solution' is slightly flawed, an explanation is provided as to why, and the correct config has been provided.
It's not about you or me, quite correct; it's about others also looking for assistance.