Wireguard

Hello.
I'm not an advanced user. I just try to learn and for now "play" with some stuff on the MT…
I have a problem with the installation of WireGuard between the MT and a Windows client. From Windows I can ping the MT WG interface but not the inside LAN IPs.
I use the same config on another MT (in another place) and it works. The only difference is the ROS version. One is on 7.12 and the second on 7.13, which is the one I have the problem with.
I have two WANs (different ISPs) with load balance and failover. All seems to work well except the WG.
I want to mention that I use backup and restore of the configuration between the two MTs and only change the WireGuard config (peers), as all the other config is the same. Of course the two MTs are the same, RB750Gr3.
After that I updated it to the latest version, 7.13.
My configuration is:

# 2023-12-23 20:12:22 by RouterOS 7.13
# software id = C4BI-DANT
#
# model = RB750Gr3
# serial number = XXXXXXXXX

/interface bridge
add name=LAN port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] mac-address=xxxxxxxx name=WAN1
set [ find default-name=ether2 ] mac-address=xxxxxxxx name=WAN2
set [ find default-name=ether3 ] mac-address=xxxxxxxx
set [ find default-name=ether4 ] mac-address=xxxxxxxx
set [ find default-name=ether5 ] mac-address=xxxxxxxx
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=WG
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip pool
add name=dhcp_pool0 ranges=192.168.0.100-192.168.0.190
/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN name=dhcp1
/port
set 0 name=serial0
/routing table
add fib name=to_WAN1
add fib name=to_WAN2
/interface bridge port
add bridge=LAN ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=LAN ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=LAN ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.70.3/32 interface=wireguard1 public-key="XXXXXXXXXXXXXXXXX"
add allowed-address=192.168.70.4/32 interface=wireguard1 public-key="XXXXXXXXXXXXXXXXX"
/ip address
add address=192.168.1.250/24 interface=WAN1 network=192.168.1.0
add address=192.168.2.250/24 interface=WAN2 network=192.168.2.0
add address=192.168.0.1/24 interface=LAN network=192.168.0.0
add address=192.168.70.1/24 interface=wireguard1 network=192.168.70.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-server lease
add address=192.168.0.192 client-id=xxxxxxxx mac-address=xxxxxxxx server=dhcp1
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall mangle
add action=mark-routing chain=prerouting in-interface=LAN new-routing-mark=to_WAN1 passthrough=no src-address=192.168.0.3
add action=mark-routing chain=prerouting in-interface=LAN new-routing-mark=to_WAN1 passthrough=no src-address=192.168.0.10
add action=mark-routing chain=prerouting in-interface=LAN new-routing-mark=to_WAN1 passthrough=no src-address=192.168.0.77
add action=mark-routing chain=prerouting in-interface=LAN new-routing-mark=to_WAN1 passthrough=no src-address=192.168.0.78
add action=mark-routing chain=prerouting in-interface=LAN new-routing-mark=to_WAN1 passthrough=no src-address=192.168.0.79
add action=mark-routing chain=prerouting in-interface=LAN new-routing-mark=to_WAN1 passthrough=no src-address=192.168.0.80
add action=mark-routing chain=prerouting in-interface=LAN new-routing-mark=to_WAN1 passthrough=no src-address=192.168.0.140
add action=mark-routing chain=prerouting in-interface=LAN new-routing-mark=to_WAN1 passthrough=no src-address=192.168.0.192
add action=mark-routing chain=prerouting in-interface=LAN new-routing-mark=to_WAN1 passthrough=no src-address=192.168.0.193
add action=mark-routing chain=prerouting in-interface=LAN new-routing-mark=to_WAN1 passthrough=no src-address=192.168.0.248
add action=mark-routing chain=prerouting in-interface=LAN new-routing-mark=to_WAN1 passthrough=no src-address=192.168.0.249
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2 passthrough=yes
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=LAN
add action=accept chain=prerouting dst-address=192.168.2.0/24 in-interface=LAN
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=LAN new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=LAN new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=LAN new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=LAN new-routing-mark=to_WAN2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
add action=dst-nat chain=dstnat comment=VPN dst-port=xxxxxxxx protocol=udp to-addresses=192.168.70.1 to-ports=xxxxxxxx
add action=dst-nat chain=dstnat comment=192.168.0.77 dst-port=xxxxxxxx protocol=tcp to-addresses=192.168.0.77 to-ports=xxxxxxxx
add action=dst-nat chain=dstnat comment=192.168.0.78 dst-port=xxxxxxxx protocol=tcp to-addresses=192.168.0.78 to-ports=xxxxxxxx
add action=dst-nat chain=dstnat comment=192.168.0.79 dst-port=xxxxxxxx protocol=tcp to-addresses=192.168.0.79 to-ports=xxxxxxxx
add action=dst-nat chain=dstnat comment=192.168.0.80 dst-port=xxxxxxxx protocol=tcp to-addresses=192.168.0.80 to-ports=xxxxxxxx
add action=dst-nat chain=dstnat comment="192.168.0.3 server" dst-port=xxxxxxxx protocol=tcp to-addresses=192.168.0.3 to-ports=xxxxxxxx
add action=dst-nat chain=dstnat dst-port=7024 protocol=udp to-addresses=192.168.0.3 to-ports=xxxxxxxx
/ip route
add check-gateway=ping comment="Routing ISP 2" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 pref-src="" routing-table=to_WAN2 scope=30 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment="Routing ISP 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.0.0.1 pref-src="" routing-table=to_WAN1 scope=30 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment="Default ISP 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.0.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment="Default ISP 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=1.1.1.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment="Failover ISP 1" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=1.0.0.1 pref-src="" routing-table=to_WAN2 scope=30 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment="Monitor ISP 1" disabled=no distance=1 dst-address=1.0.0.1/32 gateway=192.168.1.1 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=10
add comment="Monitor ISP 2" disabled=no distance=1 dst-address=1.1.1.1/32 gateway=192.168.2.1 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="Failover ISP 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=1.1.1.1 pref-src="" routing-table=to_WAN1 scope=30 suppress-hw-offload=no target-scope=11
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set winbox port=xxxxxxxx
set api-ssl disabled=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=test
/system note
set show-at-login=no

And in windows client:

[Interface]
PrivateKey = XXXXXXXXXXXXXXXXX
Address = 192.168.70.4/32
DNS = 192.168.70.1

[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXX
AllowedIPs = 192.168.70.0/24, 192.168.0.0/24
Endpoint = XXXXXXXX:xxxxxxxx
PersistentKeepalive = 10

Sorry for my bad English. Thanks in advance.

It appears at a quick look that the WireGuard settings are fine; it's the routers and mangles that are off.
Don't have the time to look at it in depth at the moment.

Does it work if you try locally?
Any reason why there are no firewall rules? Probably because the MikroTik is behind NAT!?

Think it has to do with (one of) the mangle rules, but I’m no expert on that. Is the Wireguard service available through both ISP’s?

Thanks for the reply.
The MT is behind the ISP routers. On the routers I have enabled DMZ to the MT IP.
I don't know what to add to the firewall rules. I read a lot, I try things, no change..
Exactly the same configuration works on another MT.
Now, with the config as it is, I can reach the WireGuard server IP (in my case 192.168.70.1) but not the inside LAN.

What is the local IP address of the Windows client that connects to WireGuard? It has to be different from the 192.168.0.0/24 addresses.

DMZ from the main router makes firewall rules even more important.
You should only forward the needed ports from the ISP router to the MT, such as the VPN port.

So it would appear that ISP1 is your primary ISP in general, and that's where, via IP Cloud DDNS, the WireGuard endpoint will go.
If ISP2 goes down then ISP2 will be up and running and identified by IP Cloud, and your clients will switch after some time.
Therefore nothing funky is required in mangling and straightforward routing can be done. It would only be required if you wanted the VPN to only come in on WAN2, for example.

(1) Don't use the same DNS servers for mangling that you use for IP DNS. Secondly, why use the same DNS site if you are looking for redundancy? Choose a different site for ISP2.
So the first thing is to use the Google and OpenDNS servers in the routes.

(2) It's also very confusing to call the bridge LAN, as LAN has many other implications in RoS and thus it's really a bad move.
Will change your bridge name to Bridge-LAN,
and you should have a WAN interface list and a LAN interface list.
/interface list
add name=WAN
add name=LAN

/interface list members
add interface=Bridge-LAN list=LAN
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=wireguard1 list=LAN

(3) FIXED MANGLING…

(First, to ensure any traffic to or from wireguard to the LAN DOESN'T get mangled…)
add chain=prerouting action=accept src-address=192.168.0.0/24 out-interface=wireguard1
add chain=prerouting action=accept dst-address=192.168.0.0/24 in-interface=wireguard1

(Then to PCC traffic coming from the Bridge…)
add action=mark-connection chain=prerouting dst-address-type=!local in-interface-list=LAN connection-mark=no-mark new-connection-mark=WAN1_conn per-connection-classifier=both-addresses-and-ports:2/0 passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local in-interface-list=LAN connection-mark=no-mark new-connection-mark=WAN2_conn per-connection-classifier=both-addresses-and-ports:2/1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2_conn new-routing-mark=to_WAN2 passthrough=no

DONE MANGLING>…

(4) All your dst-nat rules are wrong; if the WANIP is fixed then you need to add that as dst-address on all rules.

(5) IP ROUTES FIXED

/ip route
(First we take care of the main-table routes required…)
add check-gateway=ping comment="Primary ISP 1" distance=1 dst-address=0.0.0.0/0 gateway=8.8.8.8 routing-table=main scope=10 target-scope=12
add check-gateway=ping comment="ISP 1" distance=1 dst-address=8.8.8.8/32 gateway=192.168.1.1 routing-table=main scope=10 target-scope=11
add comment="Failover ISP2" distance=2 dst-address=0.0.0.0/0 gateway=208.67.222.222 routing-table=main scope=10 target-scope=12
add comment="ISP2" distance=2 dst-address=208.67.222.222/32 gateway=192.168.2.1 routing-table=main scope=10 target-scope=11

(Then we ensure the other manually created tables are set up…)
add check-gateway=ping dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=to_WAN1
add check-gateway=ping dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=to_WAN2

THANK YOU VERY MUCH…

I followed your instructions. I reconfigured the MT from the beginning and it seems to work as I want.
Two things I want to mention and ask..
First, I didn't use the:

add chain=prerouting action=accept src-address=192.168.0.0/24 out-interface=wireguard1
add chain=prerouting action=accept dst-address=192.168.0.0/24 in-interface=wireguard1

because the first line gives me an error:

couldn’t add new mangle rule-outgoing interface matching not possible in input and prerouting chains (6)

The second is that when I use

/ip firewall mangle
add action=mark-routing chain=prerouting in-interface-list=LAN new-routing-mark=\
to_WAN1 passthrough=no src-address=192.168.0.3

to force this IP to go out via ISP1, then I can't ping it or access this device.

Thanks again for your help…

On the first point I will look into it; it does appear confusing. I suspect you have done something else in the config that is causing the problem…
As for the second point, that was not a stated requirement, and if you hide facts from creating a config, then expect it to work while adding things, nothing can be guaranteed.

Best bet is to provide a full config!
/export file=anynameyouwish (minus router serial number, public WANIP information, any keys etc.).

That way a full understanding is provided of the facts…

Okay, on the first point, my bad: in prerouting the out-interface is not yet known (chosen) and thus it's the wrong item to put down here.

(First, to ensure any traffic to or from wireguard to the LAN DOESN'T get mangled…)
add chain=prerouting action=accept src-address=192.168.0.0/24 out-interface=wireguard1
add chain=prerouting action=accept dst-address=192.168.0.0/24 in-interface=wireguard1

Replace with:

add chain=prerouting action=accept src-address=192.168.0.0/24 dst-address=192.168.70.0/24
add chain=prerouting action=accept dst-address=192.168.0.0/24 in-interface=wireguard1
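The fix in this last post comes down to rule order in the prerouting chain. A LAN host's reply to a WireGuard client has a non-local destination and enters on an interface that is in list LAN, so without an accept rule in front it is PCC-marked and then routed by the to_WAN1 or to_WAN2 table, whose only route is a default route via the ISP, instead of by the connected 192.168.70.0/24 route in main. The Python below is an added model of that evaluation, not RouterOS code or anything posted in the thread: it encodes the reply's PCC rules, the interface-list membership, a simplified both-addresses PCC classifier (ports omitted), and the routing tables as constructed data, and it assumes RouterOS v7's fall-back to the main table when a marked table has no matching route. It compares the egress interface with and without the two accept rules.

```python
"""Model of RouterOS prerouting mangle + routing-table lookup (added example).

Constructed from the thread's networks: shows why LAN<->WireGuard traffic
lands on a WAN interface when the PCC rules run first, and stays on
wireguard1 / Bridge-LAN once the two accept rules are placed above them.
"""
from ipaddress import ip_address, ip_network

# Constructed data mirroring the reply's config: interface lists, local addresses, routes.
INTERFACE_LISTS = {"LAN": {"Bridge-LAN", "wireguard1"}, "WAN": {"WAN1", "WAN2"}}
LOCAL_ADDRS = {"192.168.0.1", "192.168.70.1", "192.168.1.250", "192.168.2.250"}
TABLES = {
    "main": [("192.168.0.0/24", "Bridge-LAN"), ("192.168.70.0/24", "wireguard1"),
             ("192.168.1.0/24", "WAN1"), ("192.168.2.0/24", "WAN2"), ("0.0.0.0/0", "WAN1")],
    "to_WAN1": [("0.0.0.0/0", "WAN1")],   # custom tables hold only a default route
    "to_WAN2": [("0.0.0.0/0", "WAN2")],
}


def route_lookup(table, dst):
    """Longest-prefix match in `table`; assumes the ROS v7 fall-back to main on no match."""
    best = None
    for net, iface in TABLES[table]:
        n = ip_network(net)
        if ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    if best is None and table != "main":
        return route_lookup("main", dst)
    return best[1] if best else None


def pcc_both_addresses(src, dst, denominator, remainder):
    """Simplified per-connection-classifier: hash of both addresses, ports omitted."""
    return (int(ip_address(src)) + int(ip_address(dst))) % denominator == remainder


def rule_matches(rule, pkt):
    matchers = {
        "in_iface": lambda v: pkt["in_iface"] == v,
        "in_list": lambda v: pkt["in_iface"] in INTERFACE_LISTS[v],
        "src": lambda v: ip_address(pkt["src"]) in ip_network(v),
        "dst": lambda v: ip_address(pkt["dst"]) in ip_network(v),
        "dst_not_local": lambda v: (pkt["dst"] not in LOCAL_ADDRS) == v,
        "conn_mark": lambda v: pkt["conn_mark"] == v,   # None models connection-mark=no-mark
        "pcc": lambda v: pcc_both_addresses(pkt["src"], pkt["dst"], *v),
    }
    return all(fn(rule[key]) for key, fn in matchers.items() if key in rule)


def run_prerouting(rules, pkt):
    """Walk the chain top-down: accept stops, marks are set, passthrough=no stops."""
    pkt = dict(pkt, conn_mark=pkt.get("conn_mark"), routing_mark=None)
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule["action"] == "accept":
            break
        if rule["action"] == "mark-connection":
            pkt["conn_mark"] = rule["new_mark"]
        elif rule["action"] == "mark-routing":
            pkt["routing_mark"] = rule["new_mark"]
        if not rule.get("passthrough", True):
            break
    return pkt


def egress_interface(rules, pkt):
    """Mangle first, then look the destination up in the marked table (or main)."""
    marked = run_prerouting(rules, pkt)
    return route_lookup(marked["routing_mark"] or "main", marked["dst"])


# The reply's PCC block, in order.
PCC_RULES = [
    {"action": "mark-connection", "in_list": "LAN", "dst_not_local": True, "conn_mark": None,
     "pcc": (2, 0), "new_mark": "WAN1_conn", "passthrough": True},
    {"action": "mark-connection", "in_list": "LAN", "dst_not_local": True, "conn_mark": None,
     "pcc": (2, 1), "new_mark": "WAN2_conn", "passthrough": True},
    {"action": "mark-routing", "conn_mark": "WAN1_conn", "new_mark": "to_WAN1", "passthrough": False},
    {"action": "mark-routing", "conn_mark": "WAN2_conn", "new_mark": "to_WAN2", "passthrough": False},
]
# The two accept rules from the last post, which must sit above the PCC block.
WIREGUARD_EXEMPT = [
    {"action": "accept", "src": "192.168.0.0/24", "dst": "192.168.70.0/24"},
    {"action": "accept", "in_iface": "wireguard1", "dst": "192.168.0.0/24"},
]
FIXED_RULES = WIREGUARD_EXEMPT + PCC_RULES

# Constructed sample packets.
LAN_REPLY_TO_WG = {"src": "192.168.0.10", "dst": "192.168.70.4", "in_iface": "Bridge-LAN"}
WG_TO_LAN = {"src": "192.168.70.4", "dst": "192.168.0.10", "in_iface": "wireguard1"}
LAN_TO_INTERNET = {"src": "192.168.0.10", "dst": "1.1.1.1", "in_iface": "Bridge-LAN"}

if __name__ == "__main__":
    for name, pkt in [("LAN reply to WG client", LAN_REPLY_TO_WG),
                      ("WG client to LAN host", WG_TO_LAN),
                      ("LAN host to Internet", LAN_TO_INTERNET)]:
        print(f"{name:24s} PCC only -> {str(egress_interface(PCC_RULES, pkt)):10s} "
              f"with accept rules -> {egress_interface(FIXED_RULES, pkt)}")
```

With the PCC block alone, the LAN host's reply to 192.168.70.4 and the client's packet to 192.168.0.10 both pick up a connection mark and leave via WAN1 (the second because wireguard1 is itself a member of list LAN in the reply's config); with the two accept rules in front they reach wireguard1 and Bridge-LAN respectively, while ordinary LAN-to-Internet traffic is still split across the ISPs. The same exemption logic is why the `out-interface` variant rejected earlier in the thread cannot work: at prerouting time there is no out-interface to match, so the exemption has to be expressed on addresses and the inbound interface.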