WireGuard between hEX and CCR2116

please delete this post

100%. Need full config for both:
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys, DHCP lease lists)

Well, looking at the sparse details:

HQ:

  1. Does not require keepalive; that's a setting normally on the client side for the handshake, not on the server.

  2. Unlike the proper extra route on the branch device, the HQ device is missing a static route for traffic to the branch subnet, i.e. it is missing /ip route add dst-address=192.168.223.0/24 gateway=wg-14eme

BRANCH:

  1. Better to put the allowed address at 10.125.2.0/24.
    This allows you, as the admin, to easily reach the Branch office from any remote location, assuming you also have a laptop, smartphone or maybe a PC at home as a WireGuard client to the HQ.

  2. Not clear, but assuming 192.168.120.0/22 is a subnet behind the HQ router.

  3. The port assigned to WireGuard on the branch does not have to match the input port on the HQ router; I usually keep it different to avoid confusion over which device I am looking at. :)

  4. Static route makes sense: for any traffic heading to a non-local subnet, the branch router needs to know about it.
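Putting the four points above together as one added example (this is not the poster's config and not from the original thread): a minimal RouterOS 7 site-to-site WireGuard between the HQ CCR2116 and the branch hEX, using the names and subnets the thread mentions (wg-14eme, the 10.125.2.0/24 tunnel subnet with HQ at 10.125.2.1, 192.168.120.0/22 behind HQ, 192.168.223.0/24 behind the branch). The listen ports, the branch interface name wg-hq, the HQ endpoint hostname, the branch LAN gateway 192.168.223.1 and the key placeholders are assumptions. The branch is the initiator (endpoint-address plus persistent-keepalive), which is what makes it work behind CGNAT such as Starlink; the HQ side needs a reachable public IP, gets no endpoint and no keepalive, and gets the static route that was missing.

```routeros
# ===== HQ (CCR2116) =====
/interface wireguard
add name=wg-14eme listen-port=13232 comment="site-to-site to branch (port is an assumption)"
# private-key is generated automatically; read the public key to paste on the branch with:
#   /interface wireguard print detail where name=wg-14eme
/interface wireguard peers
add interface=wg-14eme public-key="<BRANCH-PUBLIC-KEY>" \
    allowed-address=10.125.2.2/32,192.168.223.0/24 \
    comment="branch hEX: no endpoint-address, no keepalive; HQ only answers"
/ip address
add address=10.125.2.1/24 interface=wg-14eme
/ip route
add dst-address=192.168.223.0/24 gateway=wg-14eme comment="branch LAN via tunnel"

# ===== Branch (hEX) =====
/interface wireguard
add name=wg-hq listen-port=13233 comment="need not match the HQ listen-port"
/interface wireguard peers
add interface=wg-hq public-key="<HQ-PUBLIC-KEY>" \
    endpoint-address=hq.example.net endpoint-port=13232 \
    allowed-address=10.125.2.0/24,192.168.120.0/22 \
    persistent-keepalive=25s \
    comment="HQ CCR2116: whole tunnel subnet allowed so admin clients at HQ can reach the branch"
/ip address
add address=10.125.2.2/24 interface=wg-hq
/ip route
add dst-address=192.168.120.0/22 gateway=wg-hq comment="HQ LAN via tunnel"

# ===== Checks (run on either side) =====
# last-handshake must be recent and rx/tx must both increase:
/interface wireguard peers print detail
# first the tunnel addresses, then LAN-to-LAN with an explicit source so the reply path is tested too:
/ping 10.125.2.2 src-address=10.125.2.1 count=3
/ping 192.168.223.1 src-address=192.168.120.1 count=3
```

Two things this shows that the points alone do not: allowed-address is the cryptokey routing filter, so the HQ peer entry must list the branch LAN or decrypted packets with a 192.168.223.x source are silently discarded; and, unlike wg-quick, RouterOS does not create routes from allowed-address, which is why both /ip route entries are needed.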

Well, that's quite a lot to unpack... Besides my earlier comments...

  1. I don't understand how your VLANs work, as I see they have an IP address but you do not show
    a. their definition (creation and which interface they are tied to)
    b. any VLAN filtering enabled on either bridge (assuming VLANs on the bridge)
    c. any /interface bridge vlan settings?? Missing.

So basically your entire config is not going to work properly, and WireGuard is the least of the issues.

  1. Nothing untoward in the WireGuard settings, but again note the comments I made in the previous post.

  2. VERY CONFUSED about your WAN situation: the only ip dhcp client I can find is Starlink on ether5, not noted in your WAN list, but you do have a WAN interface identified for ether9??

On top of that, you seem to have a route to a private IP 192.168.120.2 (routing table = main), WHICH MAKES ABSOLUTELY no sense to me since it's your bridge subnet for the bridge called lan???

In fact, I have no way of trying to map such a convoluted and complex structure as you have there.
I don't see how you get any internet.
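The three missing pieces the reply lists (the VLAN interface definitions, vlan-filtering on the bridge, and the /interface bridge vlan table) as one added example of what a complete bridge-VLAN setup looks like in RouterOS 7. This is not from the original post or config; the bridge name, the port roles, VLAN IDs 10 and 20 and their subnets are all assumptions for illustration.

```routeros
/interface bridge
add name=bridge vlan-filtering=no comment="turn filtering on only after the VLAN table is complete"

/interface bridge port
# access ports: untagged frames get the pvid on ingress; tagged frames are refused
add bridge=bridge interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether3 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# trunk port carrying both VLANs tagged (to a switch or AP)
add bridge=bridge interface=ether4 frame-types=admit-only-vlan-tagged ingress-filtering=yes

/interface bridge vlan
# "bridge" in tagged= is what lets the router itself (the /interface vlan entries below) see each VLAN
add bridge=bridge tagged=bridge,ether4 untagged=ether2 vlan-ids=10
add bridge=bridge tagged=bridge,ether4 untagged=ether3 vlan-ids=20

/interface vlan
# the L3 interfaces the IP addresses belong on, tied to the bridge, not to a physical port
add name=vlan10 interface=bridge vlan-id=10
add name=vlan20 interface=bridge vlan-id=20

/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20

/interface list member
# so the default firewall rules written against the LAN list also cover the VLANs
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN

/interface bridge
set bridge vlan-filtering=yes

# check: each VLAN ID should list its access port as untagged and bridge,ether4 as tagged
/interface bridge vlan print
```

Enable vlan-filtering last and from Safe Mode (or with a scheduled rollback): once it is on, a management port whose VLAN is not in the table loses access to the router.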

  1. In terms of WireGuard, at least I see the route now for the subnet on the Branch router, so that's good.
    add action=accept chain=srcnat dst-address=192.168.223.0/24 src-address=192.168.120.0/22

  2. What is the purpose of this rule???
    add action=accept chain=srcnat dst-address=192.168.223.0/24 src-address=192.168.120.0/22

And if the intent was for all traffic going out WireGuard, coming from .120 and heading for .223, to be given the source IP of 10.125.2.1, it's still incomplete, as you have not identified the out-interface, which is 14eme???

In both router setups, the incoming traffic is expected (via allowed addresses). CHECK
In both router setups, there is a route for return traffic. CHECK
Hence source NATting is not required anyway!!
One must ensure that FW rules allow the traffic to hit some target on the LAN etc. at both ends: to enter the tunnel and to exit the tunnel (at both branch and HQ).

PS... if Starlink is the only provider, they don't give you a public IP, so that adds to the confusion about how you are using WireGuard...

Too much is unclear, and the config complexity is beyond my scope. Note that RoS is even telling you that your setup is not secure: PPTP!!

+++++++++++++++++++++++++++
Looking at FW rules... YIKES,
add action=drop chain=input comment="v4: drop everything else from WAN to router" disabled=yes in-interface-list=WAN

It does not appear you block any WAN-to-router traffic...
Best advice: netinstall the router and start with a clean config with default rules, and slowly build a clean, efficient config.
ALSO, I do not see any input chain rule allowing WireGuard traffic for 14eme??? You only have one for the other WireGuard you've got going, 13231...

I am unable to help any further... Good luck!!
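An added example tying together the firewall points from the last two replies (the input chain must accept the WireGuard UDP port from WAN and the "drop everything else from WAN" rule must actually be enabled; forward rules must let traffic enter and leave the tunnel; no source NAT for LAN-to-LAN traffic). This is not the poster's config. Only the HQ side is shown; the branch is the mirror image with the subnets and the interface name swapped. The names wg-14eme, 13231, the LAN and WAN interface lists and the subnets come from the thread; 13232 as the wg-14eme listen port is an assumption, as is the PPTP line at the end, which only applies if the "not secure" warning came from an enabled PPTP server.

```routeros
# ===== HQ (CCR2116): /add appends and the filter is first-match, so this order matters =====
/ip firewall filter
# --- input: traffic to the router itself ---
add chain=input action=accept connection-state=established,related,untracked comment="v4: accept established"
add chain=input action=drop   connection-state=invalid comment="v4: drop invalid"
add chain=input action=accept protocol=icmp comment="v4: allow ping"
add chain=input action=accept in-interface-list=LAN comment="v4: LAN may manage the router"
add chain=input action=accept protocol=udp dst-port=13231,13232 in-interface-list=WAN \
    comment="v4: WireGuard handshakes for both tunnels (13232 for wg-14eme is assumed)"
add chain=input action=accept in-interface=wg-14eme src-address=10.125.2.0/24 \
    comment="v4: admin access to the router from inside the tunnel"
add chain=input action=drop in-interface-list=WAN comment="v4: drop everything else from WAN to router"
# the last rule is the one the original export had disabled=yes; without it the WAN reaches every service on the router

# --- forward: traffic through the router ---
add chain=forward action=accept connection-state=established,related,untracked comment="v4: accept established"
add chain=forward action=drop   connection-state=invalid comment="v4: drop invalid"
add chain=forward action=accept in-interface=wg-14eme src-address=192.168.223.0/24 dst-address=192.168.120.0/22 \
    comment="v4: branch LAN -> HQ LAN (traffic exiting the tunnel)"
add chain=forward action=accept in-interface-list=LAN out-interface=wg-14eme dst-address=192.168.223.0/24 \
    comment="v4: HQ LAN -> branch LAN (traffic entering the tunnel)"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="v4: LAN to internet"
add chain=forward action=drop comment="v4: drop everything else"

# --- NAT: masquerade only what leaves towards the WAN, so tunnel traffic keeps its real LAN source ---
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="v4: internet NAT"
# no srcnat rule for 192.168.120.0/22 -> 192.168.223.0/24: both sides route it and allow it, so none is needed

# --- if the "not secure" warning is the PPTP server, switch it off (assumption about the warning's source) ---
/interface pptp-server server
set enabled=no

# ===== Checks =====
# the WireGuard input rule counters must rise while the branch is handshaking:
/ip firewall filter print stats where chain=input
# traffic from an HQ host towards the branch must show its real 192.168.120.x source, not 10.125.2.1:
/tool sniffer quick interface=wg-14eme ip-address=192.168.223.0/24
```

The srcnat question in the thread answers itself with this layout: because the masquerade rule is bound to out-interface-list=WAN, packets leaving via wg-14eme are never NATed, so no accept or src-nat rule for the tunnel is required and the return route on the branch does the rest.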