Wireguard VPN Site2Site can't access LAN

Hi there,
I’m at my wits’ end…
I need to set up a VPN tunnel between two Mikrotiks, one of which is behind a FIOS router (see the pic).
topo.jpg
Here is the Mikrotik B config

# 2024-12-19 19:32:56 by RouterOS 7.15.2
# software id = 7B8N-YHZ8
#
# model = RB5009UG+S+
/interface bridge
add admin-mac=F4:1E:57:3D:7C:A0 auto-mac=no comment=defconf name=bridge
add name=bridge2
/interface wireguard
add comment=DDC_tunel listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=LAN2
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp10/24 ranges=192.168.10.10-192.168.10.254
add name=dhcp2/24 ranges=192.168.2.10-192.168.2.254
/ip dhcp-server
add address-pool=dhcp10/24 interface=bridge name=defconf
add address-pool=dhcp2/24 interface=bridge2 name=dhcp2
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge2 interface=ether8
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge2 list=LAN2
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=10.10.10.0/24,10.2.2.1/32 endpoint-address=XX.XX.XX.XX \
    endpoint-port=56000 interface=wireguard1 name=DDC_tunnel \
    persistent-keepalive=25s public-key=\
    "Gm4LSnGXWFjGWrLiEF/D+RxH3+soEO7H1OIcY9ThXU8="
/ip address
add address=192.168.10.1/24 comment=defconf interface=bridge network=\
    192.168.10.0
add address=192.168.2.1/24 interface=bridge2 network=192.168.2.0
add address=10.2.2.14 interface=wireguard1 network=10.2.2.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=1.1.1.1 gateway=192.168.2.1
add address=192.168.10.0/24 dns-server=1.1.1.1 gateway=192.168.10.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Allow wireguard traffic" \
    dst-address-list=13231 protocol=udp
add action=accept chain=forward comment="DDC_tunnel allow" dst-address=\
    10.10.10.0/24 in-interface=wireguard1
add action=accept chain=forward comment="DDC tunnel" out-interface=wireguard1 \
    src-address=10.10.10.0/24
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=10.10.10.0/24 gateway=wireguard1 \
    routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.10.0/24
set ssh address=192.168.10.0/24
set api disabled=yes
set winbox address=192.168.10.0/24
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Mikrotik A config

# 2024-12-19 19:41:35 by RouterOS 7.16.2
# software id = HFQU-A853
#
# model = CRS520-4XS-16XQ
/interface bridge
add arp=proxy-arp name=bridge-lan-10
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-full,2.5G-baseT"
set [ find default-name=ether2 ] advertise=\
    10M-baseT-full,100M-baseT-full,1G-baseT-full,2.5G-baseT rx-flow-control=\
    auto tx-flow-control=auto
set [ find default-name=qsfp28-1-1 ] arp=proxy-arp fec-mode=fec91
set [ find default-name=qsfp28-3-1 ] fec-mode=fec91
set [ find default-name=sfp28-3 ] name="sfp28-3 NAS"
set [ find default-name=sfp28-4 ] name=sfp28-4NAS
/interface wireguard
add listen-port=56000 mtu=1420 name=wireguard1
/interface bonding
add mode=802.3ad name=NAS-bonding slaves="sfp28-3 NAS,sfp28-4NAS"
/interface list
add name=LAN
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
add name=pool-lan-10 ranges=10.10.10.5-10.10.10.254
add name=pool-vpn ranges=10.1.1.2-10.1.1.50
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
add add-arp=yes address-pool=pool-lan-10 bootp-support=none interface=\
    bridge-lan-10 name=dhcp-lan-10
/port
set 0 name=serial0
/ppp profile
set *0 local-address=10.1.1.1 remote-address=pool-vpn
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge-lan-10 interface=qsfp28-1-1
add bridge=bridge-lan-10 interface=qsfp28-1-2
add bridge=bridge-lan-10 interface=qsfp28-1-3
add bridge=bridge-lan-10 interface=qsfp28-1-4
add bridge=bridge-lan-10 interface=ether1
add bridge=bridge-lan-10 interface=NAS-bonding
add bridge=bridge-lan-10 comment="DP Desktop" interface=sfp28-2
/ip neighbor discovery-settings
set lldp-med-net-policy-vlan=1
/interface list member
add interface=bridge-lan-10 list=LAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=10.2.2.2/32 interface=wireguard1 name=andrey public-key=\
    "PcEfySo+eCNdlqYkhXl6pOzDeCo62ZjzniYKW6G6D0g="
add allowed-address=10.2.2.14/24 interface=wireguard1 name=andrey_tunnel \
    public-key="jG78OmgReQNVgZMGGPT1NK6+AMQpBCxa4MiybbNXvSc="
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
add address=10.10.10.1/24 interface=bridge-lan-10 network=10.10.10.0
add address=10.2.2.1/24 interface=wireguard1 network=10.2.2.0
add address=10.10.10.241 interface=NAS-bonding network=10.10.10.0
/ip dhcp-client
add interface=sfp28-1
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.10.1 domain=ddc.lan gateway=\
    10.10.10.1
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9,149.112.112.112
/ip firewall filter
add chain=input port=1701,500,4500 protocol=udp
add chain=input protocol=ipsec-esp
add action=accept chain=forward comment="Allow home network to DC network" \
    dst-address=10.10.10.0/24 src-address=192.168.1.0/24
add action=accept chain=forward comment="Allowed communication for established\
    \_connections between DC and local networks" connection-state=\
    established,related dst-address=192.168.1.0/24 src-address=10.10.10.0/24
add action=drop chain=forward comment=\
    "Don't allow new connections from DC to local network" connection-state=\
    invalid,new dst-address=192.168.1.0/24 src-address=10.10.10.0/24
add action=accept chain=input comment="Allow Wireguard" disabled=yes \
    dst-port=56000 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp28-1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh address=10.1.1.0/24,192.168.1.0/24,10.2.2.0/24
set api disabled=yes
set api-ssl disabled=yes
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key etherboot-port=ether1

The FIOS router has a port forward that lets the Wireguard traffic through to Mikrotik A.
Interestingly, I can ping LAN 10.10.10.0/24 from the Mikrotik A tools, but not from LAN 192.168.10.0/24.

The intent is to hide LAN 192.168.1.0/24 from both 10.10.10.0/24 and 192.168.10.0/24, while 10.10.10.0/24 must stay reachable from all the other LANs.
Also, the road-warrior setup works just fine on Mikrotik A.

Please help!
Thank you!

ROUTERB

  1. Main problem is the two bridges: you don't need the second one and shouldn't have it; simply assign the second subnet to ether8.
  2. Why is the .88 subnet still hanging around??? You should get rid of all the old stuff, which just becomes noise in the config. PLUS you are using .88 on Router A, so B should not have it at all.
  3. The Wireguard allowed IPs for the actual wireguard address should be the whole subnet, .0/24, so that any remote road warrior connecting to A can then also reach B. This is so the admin can remotely reach both routers for config purposes!!
  4. Ensure wireguard address is full subnet .14**/24**
  5. The forward-chain rule for wireguard that matches on a port is removed; it makes no sense there.
    Instead I made a firewall address list; you can use the same concept on both devices.
    ONLY the admin needs access to the routers for config purposes.
  6. Unless you have a good reason, www under services should be disabled, as it is not a secure access method to the router.
  7. Disable IPv6 and remove all the IPv6 firewall rules and address lists.


# model = RB5009UG+S+
/interface bridge
add admin-mac=F4:1E:57:3D:7C:A0 auto-mac=no comment=defconf name=bridge
/interface wireguard
add comment=DDC_tunel listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=LAN2
/ip pool
add name=dhcp10/24 ranges=192.168.10.10-192.168.10.254
add name=dhcp2/24 ranges=192.168.2.10-192.168.2.254
/ip dhcp-server
add address-pool=dhcp10/24 interface=bridge name=defconf
add address-pool=dhcp2/24 interface=ether8 name=dhcp2
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=bridge list=LAN
add interface=wireguard1 list=LAN
add interface=ether8  list=LAN2
/interface wireguard peers
add allowed-address=10.2.2.0/24,10.10.10.0/24,192.168.88.0/24 endpoint-address=XX.XX.XX.XX \
    endpoint-port=56000 interface=wireguard1 name=DDC_tunnel \
    persistent-keepalive=25s public-key=\
    "Gm4LSnGXWFjGWrLiEF/D+RxH3+soEO7H1OIcY9ThXU8="
/ip address
add address=192.168.10.1/24 comment=defconf interface=bridge network=\
    192.168.10.0
add address=192.168.2.1/24 interface=ether8 network=192.168.2.0
add address=10.2.2.14/24 interface=wireguard1 network=10.2.2.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=1.1.1.1 gateway=192.168.2.1
add address=192.168.10.0/24 dns-server=1.1.1.1 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan
/ip firewall address-list  { use static dhcp leases where applicable }
add address=192.168.10.XX/32  list=AUTHORIZED comment="local admin pc"
add address=192.168.10.YY/32 list=AUTHORIZED comment="local admin smartphone/ipad/laptop"
add address=10.2.2.2/32  list=AUTHORIZED comment="remote admin laptop"
add address=10.10.10.AB/32 list=AUTHORIZED comment=" remote admin PC behind RouterA"
add address=10.10.10.DE/32 list=AUTHORIZED comment=" remote admin smartphone/ipad/laptop behind RouterA"
add address=192.168.10.0/24 list=SUBNETS comment="local subnet RouterB - bridge"
add address=192.168.2.0/24 list=SUBNETS comment="local subnet RouterB - ether2"
add address=10.10.10.0/24 list=SUBNETS comment="remote subnet RouterA - bridge"
add address=192.168.88.0/24 list=SUBNETS comment="remote subnet RouterA - ether2"
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access"  src-address-list=AUTHORIZED
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else"
++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="internet traffic"  in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin to subnets"  src-address-list=AUTHORIZED dst-address-list=SUBNETS
add action=accept chain=forward comment="RouterA users to RouterB" in-interface=wireguard1 dst-address=\
    192.168.10.0/24
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat 
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 dst-address=10.10.10.0/24 gateway=wireguard1 routing-table=main
add distance=1 dst-address=192.168.88.0/24 gateway=wireguard1 routing-table=main
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.10.0/24 disabled=yes
set ssh address=192.168.10.0/24
set api disabled=yes
set winbox address=192.168.10.0/24,10.10.10.0/24,10.2.2.0/24
set api-ssl disabled=yes
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

ROUTERA

  1. Most of the Router B points also apply to Router A; changes made.
    The only rule to add is the relay rule for wireguard, so you can come in remotely as 10.2.2.2 and then reach Router B.
  2. Still need the WAN list entry.
  3. Stick to the standard neighbour discovery settings for the most part…
  4. The allowed IP for the other router in the wireguard peer settings is .14/32.
  5. Missing allowed IPs for the remote subnets that local users on Router A want to reach behind Router B.

ROUTERA

# model = CRS520-4XS-16XQ
/interface bridge
add arp=proxy-arp name=bridge-lan-10
/interface ethernet
set [ find default-name=ether1 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-full,2.5G-baseT"
set [ find default-name=ether2 ] advertise=\
    10M-baseT-full,100M-baseT-full,1G-baseT-full,2.5G-baseT rx-flow-control=\
    auto tx-flow-control=auto
set [ find default-name=qsfp28-1-1 ] arp=proxy-arp fec-mode=fec91
set [ find default-name=qsfp28-3-1 ] fec-mode=fec91
set [ find default-name=sfp28-3 ] name="sfp28-3 NAS"
set [ find default-name=sfp28-4 ] name=sfp28-4NAS
/interface wireguard
add listen-port=56000 mtu=1420 name=wireguard1
/interface bonding
add mode=802.3ad name=NAS-bonding slaves="sfp28-3 NAS,sfp28-4NAS"
/interface list
add name=WAN
add name=LAN
add name=LAN2
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
add name=pool-lan-10 ranges=10.10.10.5-10.10.10.254
add name=pool-vpn ranges=10.1.1.2-10.1.1.50
/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether2 name=dhcp1
add add-arp=yes address-pool=pool-lan-10 bootp-support=none interface=\
    bridge-lan-10 name=dhcp-lan-10
/port
set 0 name=serial0
/ppp profile
set *0 local-address=10.1.1.1 remote-address=pool-vpn
/interface bridge port
add bridge=bridge-lan-10 interface=qsfp28-1-1
add bridge=bridge-lan-10 interface=qsfp28-1-2
add bridge=bridge-lan-10 interface=qsfp28-1-3
add bridge=bridge-lan-10 interface=qsfp28-1-4
add bridge=bridge-lan-10 interface=ether1
add bridge=bridge-lan-10 interface=NAS-bonding
add bridge=bridge-lan-10 comment="DP Desktop" interface=sfp28-2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge-lan-10 list=LAN
add interface=wireguard1 list=LAN
add interface=ether2 list=LAN2
add interface=sfp28-1 list=WAN
/interface wireguard peers
add allowed-address=10.2.2.2/32 interface=wireguard1 name=andrey public-key=\
    "PcEfySo+eCNdlqYkhXl6pOzDeCo62ZjzniYKW6G6D0g="
add allowed-address=10.2.2.14/32,192.168.10.0/24,192.168.2.0/24 interface=wireguard1 name=andrey_tunnel \
    public-key="jG78OmgReQNVgZMGGPT1NK6+AMQpBCxa4MiybbNXvSc="
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
add address=10.10.10.1/24 interface=bridge-lan-10 network=10.10.10.0
add address=10.2.2.1/24 interface=wireguard1 network=10.2.2.0
add address=10.10.10.241 interface=NAS-bonding network=10.10.10.0
/ip dhcp-client
add interface=sfp28-1
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.10.1 domain=ddc.lan gateway=\
    10.10.10.1
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9,149.112.112.112
/ip firewall address-list  { use static dhcp leases where applicable }
add address=192.168.10.XX/32  list=AUTHORIZED comment="remote admin pc behind RouterB"
add address=192.168.10.YY/32 list=AUTHORIZED comment="remote admin smartphone/ipad/laptop behind RouterB"
add address=10.2.2.2/32  list=AUTHORIZED comment="remote admin laptop"
add address=10.10.10.AB/32 list=AUTHORIZED comment="local admin PC "
add address=10.10.10.DE/32 list=AUTHORIZED comment="local admin smartphone/ipad/laptop"
add address=192.168.10.0/24 list=SUBNETS comment="remote subnet RouterB - bridge"
add address=192.168.2.0/24 list=SUBNETS comment="remote subnet RouterB - ether2"
add address=10.10.10.0/24 list=SUBNETS comment="local subnet RouterA - bridge"
add address=192.168.88.0/24 list=SUBNETS comment="local subnet RouterA - ether2"
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="wireguard handshake"  dst-port=56000 protocol=udp
add chain=input port=1701,500,4500 protocol=udp
add chain=input protocol=ipsec-esp
add action=accept chain=input comment="admin access"  src-address-list=AUTHORIZED
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else"
++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="internet traffic"  in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="relay wireguard"  in-interface=wireguard1 out-interface=wireguard1
add action=accept chain=forward comment="admin to subnets"  src-address-list=AUTHORIZED dst-address-list=SUBNETS
add action=accept chain=forward comment="RouterA users to RouterB" out-interface=wireguard1 dst-address=192.168.10.0/24
add action=accept chain=forward comment="RouterB users to RouterA" in-interface=wireguard1 dst-address=10.10.10.0/24
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat 
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add dst-address=192.168.10.0/24  gateway=wireguard1 table=main
add dst-address=192.168.2.0/24  gateway=wireguard1 table=main
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh address=10.1.1.0/24,192.168.1.0/24,10.2.2.0/24
set api disabled=yes
set api-ssl disabled=yes
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key etherboot-port=ether1

What was not clear to me was the purpose of the subnet on ether2 of both routers???

Anav, I appreciate the time you’ve spent answering my question.
I applied all the changes you highlighted in your answers, yet I’m still where I was yesterday…

A few questions:

  1. Router A is behind a FIOS router and has only the firewall rules that deny any connections from 10.10.10.0/24 to 192.168.1.0/24:
[admin@MikroTik] /ip/firewall/filter> print
Flags: X - disabled, I - invalid; D - dynamic
 0    chain=input protocol=udp port=1701,500,4500

 1    chain=input protocol=ipsec-esp

 2    ;;; Allow home network to DC network
      chain=forward action=accept src-address=192.168.1.0/24 dst-address=10.10.10.0/24

 3    ;;; Allowed communication for established connections between DC and local networks
      chain=forward action=accept connection-state=established,related src-address=10.10.10.0/24 dst-address=192.168.1.0/24

 4    ;;; Don''t allow new connections from DC to local network
      chain=forward action=drop connection-state=invalid,new src-address=10.10.10.0/24 dst-address=192.168.1.0/24

 5 X  ;;; Allow Wireguard
      chain=input action=accept protocol=udp dst-port=56000

Do I really need to allow traffic from WG to the 10.10.10.0/24 LAN?

  1. When I ping LAN 10.10.10.0/24 from Router B itself, it replies:
    ping.jpg
    I can’t reach those machines from behind Router B, i.e. from LAN 192.168.10.0/24. So I suspect the issue is in the routing, the firewall, or both on Router B.
[admin@MikroTik] /ip/firewall/filter> print
Flags: X - disabled, I - invalid; D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp

 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1

 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN

 6    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec

 7 X  ;;; Allow wireguard traffic
      chain=forward action=accept protocol=udp dst-address-list=13231 log=no log-prefix=""

 8    ;;; DDC_tunnel allow
      chain=forward action=accept dst-address=10.10.10.0/24 in-interface=wireguard1 log=no log-prefix=""

 9    ;;; DDC tunnel
      chain=forward action=accept src-address=10.10.10.0/24 out-interface=wireguard1 log=no log-prefix=""

10    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec

11    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related

12    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked

13    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid

14    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

I found rules 8 and 9 in some manual and I’m not sure they are right…
Also, here are my routes:

[admin@MikroTik] /ip/route> print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS      GATEWAY       DISTANCE
  DAd 0.0.0.0/0        XX.XX.XX.XX         1
  DAc 10.2.2.0/24      wireguard1           0
0  As 10.10.10.0/24    wireguard1           1
  DAc 68.118.192.0/21  ether1               0
  DAc 192.168.2.0/24   ether8               0
  DAc 192.168.10.0/24  bridge               0

Hope this clarifies the issue a bit better.

Thanks again!

Okay, the issue is solved: on Router A I had missed adding the LAN subnets behind Router B to that peer's allowed addresses. (WireGuard only accepts packets from a peer whose source address is in that peer's allowed-address list, and only sends packets to a peer whose destination is in it, so without those entries the LAN-to-LAN traffic was dropped at the tunnel.)

add allowed-address=10.2.2.14/32,***192.168.10.0/24,192.168.2.0/24*** interface=wireguard1 name=andrey_tunnel \
    public-key="jG78OmgReQNVgZMGGPT1NK6+AMQpBCxa4MiybbNXvSc="

Thanks!